In this, my first article, I would like to address the question of preparedness for a ‘cyber event’ which is a bit different from the usual message of passwords, firewalls etc. The key message will be that despite all your good efforts you may be subject to an official investigation, with the resultant demands on your time and your staff’s time, the loss of functionality and reputation within your business, or indeed the loss of your computer hardware/infrastructure. I will base this on a real investigation that I conducted within Counter Terrorism, but will not reveal the names or countries involved.
Everyone is familiar with the world wide web to some degree or other. What is perhaps less well understood is how this ‘web’ works. Behind the glossy front page viewed through a browser, such as Internet Explorer, Chrome etc., is the computer code that makes it all possible. When looking at a web site, the content can come from multiple sources, countries and organisations, e.g. audio from Japan, video from France etc.
When a web page is constructed, certain bits of code tell your web browser where to fetch each piece of content and how to display it. These references are visible to anyone who views the page source. Consequently, someone can link to, or embed content from, your web site without your permission or even your knowledge.
Websites that host chat rooms or image libraries have little immediate control over what their users do or the links they create.
Consider this. A terrorist or a sympathizer links to your website or service. It could be something as innocuous as an icon or emoticon.
Let me tell you from my experience that if an investigation is started on a terrorist suspect, every single little detail is examined and investigated.
This is done to:
- ascertain the truth
- prosecute the offenders
- gather intelligence to inform the bigger risk picture
- remove any possible defence they may advance.
The risk is that you will be subject to scrutiny and investigation. The least intrusive level is that you will be contacted and have to expend your valuable time answering questions. Moving up, it may involve you providing access to log data and to the hardware itself, again a time and resource intensive measure, right up to having your equipment seized for further detailed examination. There is a real risk of operational disruption, and perhaps reputational damage, with potentially catastrophic consequences. Considering this scenario should be part of your risk assessment process.
So, ‘It’s not my fault, but…’. As stated above, the first step is to consider that this may happen. Then conduct the risk assessment, calculate the potential impact and implement control measures in mitigation. Control measures may include such things as regularly checking the internet for references to your website, ensuring your site doesn’t link to other sites, unless you have a good reason to do so, and keeping logs. There are a number of free tools available to achieve this.
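Two of the control measures just mentioned, checking who is referencing your site and keeping (and actually reading) your logs, can be put into practice with a short script. The following is an added example written for this article, not a tool from the investigation described; the hostnames, log lines and HTML page in it are constructed. It does two things: `hotlink_report()` reads web-server access logs in the common Apache/Nginx "combined" format and counts requests for your images and other static files whose Referer is a host other than your own (that is, third parties embedding your icons or pictures in their pages), and `external_links()` lists the outbound hosts referenced by one of your own pages, so that a link you did not intend to publish stands out.

```python
"""
Added example (not from the original article): two of the control measures
the article recommends, run against constructed sample data.

1. hotlink_report(): scan web-server access logs (Apache/Nginx "combined"
   format) for requests for static assets whose Referer is a host other
   than your own, i.e. third parties embedding your images or icons.
2. external_links(): list the outbound hosts referenced by one of your own
   HTML pages, so that unintended links to other sites stand out.

All hostnames, log lines and HTML below are constructed for the example.
"""
import re
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse

# Apache/Nginx "combined" log format:
# host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log lines; example.org plays the part of "our" site.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /img/logo.png HTTP/1.1" 200 5120 "https://example.org/index.html" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /img/smile.gif HTTP/1.1" 200 812 "https://forum.example.net/thread/42" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:57:12 +0000] "GET /img/smile.gif HTTP/1.1" 200 812 "https://forum.example.net/thread/43" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:13:58:40 +0000] "GET /img/banner.jpg HTTP/1.1" 200 20480 "http://blog.example.com/post/7" "Mozilla/5.0"
192.0.2.45 - - [10/Oct/2023:13:59:02 +0000] "GET /img/banner.jpg HTTP/1.1" 200 20480 "-" "curl/8.0"
203.0.113.6 - - [10/Oct/2023:14:00:00 +0000] "GET /about.html HTTP/1.1" 200 3000 "https://www.google.com/" "Mozilla/5.0"
"""

STATIC_EXT = (".png", ".gif", ".jpg", ".jpeg", ".svg", ".ico", ".css", ".js")


def hotlink_report(log_text, own_hosts):
    """Count requests for static assets whose Referer host is not one of ours.

    Returns {(referer_host, path): count}. Requests with an empty Referer ("-")
    are skipped: they are direct fetches or clients that strip the header,
    so they say nothing about who is embedding the resource.
    """
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real tool would count and report these
        path = m.group("path").split("?", 1)[0]
        if not path.lower().endswith(STATIC_EXT):
            continue
        referer = m.group("referer")
        if referer == "-":
            continue
        ref_host = urlparse(referer).hostname or ""
        if ref_host.lower() in own_hosts:
            continue
        hits[(ref_host, path)] += 1
    return dict(hits)


class _LinkCollector(HTMLParser):
    """Collect href/src targets from a, link, img, script and iframe tags."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "link", "img", "script", "iframe"):
            return
        for name, value in attrs:
            if value and name in ("href", "src"):
                self.targets.append(value)


def external_links(html, own_hosts):
    """Return the sorted list of external hosts referenced by an HTML page."""
    p = _LinkCollector()
    p.feed(html)
    hosts = set()
    for t in p.targets:
        host = urlparse(t).hostname  # relative links have no host and are ours
        if host and host.lower() not in own_hosts:
            hosts.add(host.lower())
    return sorted(hosts)


# Constructed page: one deliberate outbound link and one third-party script.
SAMPLE_HTML = """<html><body>
<a href="/contact.html">Contact</a>
<img src="https://example.org/img/logo.png" alt="logo">
<a href="https://partner.example.com/">Our partner</a>
<script src="https://cdn.example.net/lib.js"></script>
</body></html>"""

OWN_HOSTS = {"example.org", "www.example.org"}

if __name__ == "__main__":
    for (host, path), n in sorted(hotlink_report(SAMPLE_LOG, OWN_HOSTS).items()):
        print(f"{n:4d}  {host:25s} embeds {path}")
    print("Outbound hosts:", external_links(SAMPLE_HTML, OWN_HOSTS))
```

Run against the sample data, the report shows forum.example.net embedding `/img/smile.gif` twice and blog.example.com embedding `/img/banner.jpg` once, and the page check lists partner.example.com and cdn.example.net as the only outbound hosts. Two caveats worth noting: the Referer header is sent voluntarily by the browser and is often stripped or blank, so this finds embedding that is visible in your logs rather than all of it; and the whole exercise depends on the logs existing and being retained long enough, which is precisely the point about keeping logs made above.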
Fail to plan = Plan to Fail
An oft used expression, I know, but so very true. Your risk assessment and associated plans should be documented, planned, exercised and, very often forgotten, reviewed on a regular basis. The other consideration is the availability of your plans and actions. Do you keep them in paper form in a folder consigned to a dusty shelf; on a standalone computer to which someone forgets the password; or centrally accessible via a web service and available 24/7 to those having a role to play in the incident?
Did this Really Happen?
Yes, it did. The investigation centred on an individual who was ‘glorifying terrorism’. He had produced a video animation using still photographs obtained from the internet, as well as using a chat room where some of the participants had linked to a site providing images.
Using forensic and open source techniques, we ascertained the origin of the images as well as constructing a timeline of activity. Enquiries revealed these sites were located in other countries. International enquiries were made using the law enforcement and intelligence agencies of those countries. As a result, I travelled to those countries and conducted technical investigations of their systems and obtained the evidence available.
Possibility or Probability?
In these cases, the hosting companies were cooperative, professional and organised, which allowed the investigation to proceed without too much interruption to their core business activities. They endured only the least intrusive level described above, which was the use of their time.
However, it could have all ended in tears, as our contingency was to obtain court orders to seize hardware in order to preserve evidence and allow detailed investigations.
The result was a lengthy prison sentence for the offender.
Is this an isolated incident? No, sadly not. Can you avoid an investigation? Again no, but you can plan and prepare for that eventuality. In our digital world the possibility could soon become a probability.
My future articles on Prepareorfail will examine different areas of cyber vulnerability.