Investigation Insight Newsletter
October 2009 | Vol. 1, Iss. 10



A monthly newsletter focused on real-world issues and practical strategies for the professional involved in investigations, computer forensics, and incident readiness and response.

In This Issue:

From the Investigator's Notebook: Social Networking Sites – Scourge to Information Security? Steps to Safeguard Sensitive Data From Employee Misconduct
News & Events

From the Investigator's Notebook: Social Networking Sites – Scourge to Information Security? Steps to Safeguard Sensitive Data From Employee Misconduct

The staggeringly rapid evolution of technology has forced companies to respond to unprecedented challenges in protecting intellectual property, customer information, financial data and other vital information from data breaches. With millions of people receiving notices of data breaches regarding personal information, it is clear that threats to data security are growing in frequency, intensity and diversity. An emerging source of information security concerns is popular social networking sites such as Facebook, MySpace and Twitter. At first glance these sites appear unrelated to business, but they have evolved as their use has skyrocketed. Companies must recognize that social networks represent a substantial information security risk that cannot be ignored.

Social networking sites present an information security risk for both accidental and deliberate information loss. It can be as simple as an employee on a social networking site who posts information regarding his or her activities and inadvertently provides non-public information to anyone with Internet access. A message like "Headed out to survey a potential acquisition" followed by a message stating "Just arrived in Austin" may effectively reveal who the acquisition candidate is. Discussion boards and blogs pose similar risks.

Moreover, the threat of malicious software (a.k.a. malware) attacks infiltrating a company's network is heightened when there is wide and uncontrolled access to social networking sites. These sites are increasingly targeted by sophisticated malware. In late 2008, a malware trojan called "Koobface" infected Facebook and several other social networking sites. Koobface operated by sending messages to the infected users' "friends" with a link that, once clicked, infected the friend's computer.

Malware from any source—including social networking sites—places company systems, networks and data at risk. The reality is that no anti-virus or anti-malware product identifies and stops 100 percent of malicious code utilized by technology-savvy perpetrators. In fact, industry experience shows that the most commonly used filtering packages do not detect all types of malware, and that manufacturers take varying amounts of time to develop and distribute updates that can reliably detect new forms.

A corporation can cost-effectively safeguard its data by implementing appropriate prevention, detection and control measures that protect against the total range of information security threats it faces. New concerns, like social networking sites, join more traditional concerns, such as employee theft and system failures that directly attack a company's IT system. Appropriate measures to safeguard sensitive information include the following:

  • Establish Internal Computer Use Policies. Companies must implement internal computer use policies. These policies, at a minimum, should: (1) establish employees' responsibility for the secure storage, use, protection and end-of-life destruction of information to prevent or mitigate the damaging effects of a data breach in the event one occurs; (2) govern when sensitive data can leave the physical premises of the corporation and what precautions should be taken when data is removed; and (3) specify whether employees can access social networking sites, discussion boards, blogs or instant messaging programs from company machines and what business-related information can—and cannot—be posted on these forums by employees from any access point.
  • Ensure Employee Compliance With Computer Use Policies. The mere existence of a policy does not by itself ensure its effectiveness. Employees must be educated about the policy and sent enforcement reminders on a routine basis. To ensure policies are being followed, companies should conduct regular comprehensive policy compliance audits and take reasonable steps to monitor employee computer use.
  • Leverage Logging Systems. Corporations should ensure an adequate logging system is in place to help avert a data breach. Key functions (e.g., which users are accessing a computer system, transactions performed or attempted, and data added or deleted from files) should be recorded in logging systems. Aggregating and proactively analyzing these logs to identify problems quickly can provide substantial value. Technical information in the form of firewall, proxy and other system-level logs can also be valuable, particularly if a log aggregation and analysis capability is in place.
  • Utilize Password Protection and Encryption Where Appropriate. Installing strict mandatory password requirements on company equipment and encrypting sensitive data decreases the likelihood that an unauthorized person, external or internal, can gain access to valuable data. Passwords can be used to limit access to sensitive data to those personnel who require access. Of course, passwords can be written down or shared, so additional safeguards such as one-time password generators, biometrics or the like should be considered as an additional form of authentication for highly sensitive information.
  • Assess Information Security Shortcomings. Companies must continuously assess the need for evolving information security policies and practices. Information security experts can often help companies pinpoint gaps in data security and remediate the risks posed. Information security assessments can include penetration testing exercises where a company's information security system is put to the test. Newly emerging areas of risk like social networking have to be understood both technically and in light of a particular organization's needs, and appropriate policies and technical safeguards must be decided on and implemented.
  • Craft a Response Plan. Companies must establish an incident response plan in advance of a data breach. Trying to develop a plan in the middle of an actual crisis is a worst-case solution. The best solution is having a tested plan in place that can be easily executed during an incident. This permits better decision-making capabilities and ensures the right steps are taken. A response plan should cover who has what responsibility in a crisis. An appropriate working group that crafts and acts on the response plan should include senior management, counsel, public relations, HR, finance and IT representatives at a minimum. Third-party providers can also offer valuable services such as initial policy development and implementation and, following a breach, assistance with remediation and a technical investigation to determine with forensic accuracy what did and did not occur. If a breach occurred, potentially thousands of computers may be infected with malware, and handling the subsequent notification tasks that state laws often require can be overwhelming to an organization's internal staff. Outside sources can also provide crisis communication assistance, including operating a call center to prevent a company's standard phone operations from being inundated. These services can be pre-contracted to avoid a frantic rush to identify and acquire assistance when a crisis occurs and should be a part of a company's information security policies.

Safeguarding sensitive company information is a key aspect of corporate governance in an age where information is often a company's most valuable asset. As risks evolve from new technologies such as social networking, no security plan is ever set in stone. Information security is an ever-changing process and companies must be proactive in protecting sensitive information. Implementing the security measures and policies discussed above will bring a significant return on investment by reducing the chance of costly data breaches and mitigating damages through facilitation of a timely, cost-sensitive and appropriate response in the event a breach occurs.

Special thanks to Alan Brill, Senior Managing Director for Kroll Ontrack, for his contribution in writing this article. Mr. Brill specializes in information security issues and high-tech investigations and is an internationally recognized writer, speaker and instructor on technology security. He can be reached for questions or comments at abrill@krollontrack.com.


News & Events

Enhanced E-Discovery Certification Course Propels Litigation Teams to New Heights
Given the current economic conditions, corporate clients are being forced to cut back legal and IT budgets, while the threat of sanctions due to improper ESI handling continues to rise. Become an e-discovery expert to prevent your firm or corporation from becoming the next headline. Kroll Ontrack's 2009 E-Discovery Certification Course is ideal for legal and technical professionals of all levels, especially in-house counsel, law firm attorneys, litigation support professionals, paralegals, IT staff, and members of the judiciary. Upon completion of this program, you will be able to make informed decisions regarding ESI, be prepared to negotiate at the meet and confer and understand the most current e-discovery law. For more information about the October 29-30 course or to register for an upcoming course, visit www.krollontrack.com/certification-courses/.


Meet our representatives at the following events:

10/18/09 – 10/21/09 | Association of Corporate Counsel 2009 Annual Meeting | Boston, MA
10/19/09 – 10/22/09 | Microsoft SharePoint Conference 2009 | Las Vegas, NV
10/26/09 – 10/28/09 | Techno Forensics | Gaithersburg, MD
10/28/09 | IT Leadership Forum | Florham Park, NJ
10/29/09 – 10/30/09 | E-Discovery Certification Course | Eden Prairie, MN
10/30/09 | 3rd Annual COALSP eDiscovery Summit | Denver, CO
10/29/09 – 11/1/09 | NFPA | Portland, OR
11/10/09 | PBI | Philadelphia, PA
11/11/09 – 11/12/09 | General Counsel West | San Francisco, CA
11/12/09 | EDI Reception | Washington, D.C.
11/14/09 | IPMN | Minneapolis, MN
11/17/09 | Civil Litigation: E-Discovery | Webcast
12/1/09 – 12/2/09 | Controlling Legal Costs | New York, NY
12/3/09 – 12/4/09 | E-Discovery Certification Course | Eden Prairie, MN
2/1/10 – 2/3/10 | LegalTech 2010 | New York, NY
Ongoing | Washington Metropolitan Area Corporate Counsel Association | Washington, D.C.

Visit www.krollontrack.com/upcoming-events/ for more information on these events and others.


We Request Your Input

This newsletter was written by Kelly Kubacki, Kroll Ontrack Law Clerk, with assistance from Regina Jytyla, Kroll Ontrack Managing Staff Attorney. Ms. Kubacki can be contacted by writing to kkubacki@krollontrack.com.

For more information about e-discovery and computer forensics services, contact Kroll Ontrack at 800 347 6105 or www.krollontrack.com.

Kroll Ontrack

9023 Columbine Road | Eden Prairie, MN 55347 | 800 347 6105


This document does not provide legal or other professional advice and should not be relied upon as anything other than a starting point for research and information on the subject of electronic evidence.

© 2009 Kroll Ontrack Inc. All material contained within this publication is protected by copyright law and may not be reproduced or transmitted, in whole or in part, without the express written consent of Kroll Ontrack Inc.