Dealing With Computer Abuse Without Digging Bigger Holes!

By Zaithyn Galter Published 06/10/2009 | Computer
When faced with staff accused of abusing computer systems, have you got adequate procedures for collecting, preserving and presenting the evidence?

It's a fairly safe bet that, in the past, you will have had to take action against someone accused of a breach of company policy with respect to their use of the organisation's computer systems. There are two idioms that every corporate security officer lives by: "A backup is only as good as the last restore" and "Prevention is better than cure". In a perfect world there would be no computer failures, no lost data and certainly no abuse of computer systems. Unfortunately, we don't live in a perfect world and we have to face the very real prospect that corporate computer systems are woefully vulnerable to misuse and abuse.

"Computer abuse" is a phrase covering, quite literally, a multitude of sins: from games playing, inappropriate downloads and internet activity through to fraud, hacking and virus writing. The detection of such abuse falls squarely on the shoulders of the audit and security departments of any organisation, supported by adequate policy and procedures.

So, what exactly is "forensic auditing"? There are really two main components of the function, audit and computer forensics, which have the following primary aims:

- Detection of potential abuse
- Protection of the proof
- Adducing qualified evidence
- Presentation of the evidence

It may sound trite, but in order to detect abuse within computer systems you must be looking for the right things. This is where the audit role comes in. By using appropriate audit tools, combined with a strategy to suit the organisation and backed by well designed policy and procedures, it is remarkably easy to spot abuse of all kinds simply by viewing the audit data in the right way.

Most organisations fail to reap the true benefits of PC audit simply because they are focussed on the two gods of "asset management" and "corporate compliance". Using the right tools, the process of audit can reveal much more about an organisation than that. For example, while performing a PC audit it is possible to collect the contents of the internet browser cache found on all internet ready machines. Using one of the many cache browsers available, it is then a simple task to review the copied data to establish potential transgressions of corporate internet policy.
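The two steps the paragraph above describes, copying cache contents for review and protecting that copy so it still stands as proof, can be tied together with a hash manifest. The script below is an added example written for this article, not code from the author or from any audit product it mentions: it walks a copied cache directory, records a SHA-256 per file so later tampering is detectable, and flags image files by their magic bytes rather than trusting the file extension, since cache entries are often stored under opaque names. The sample files it creates are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Optional

# Magic bytes for common image formats (constructed list for this example).
IMAGE_MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png",
               b"GIF87a": "gif", b"GIF89a": "gif"}


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large cache entries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def image_type(path: Path) -> Optional[str]:
    """Identify an image by its leading bytes, ignoring the (possibly misleading) extension."""
    with path.open("rb") as f:
        head = f.read(8)
    return next((kind for magic, kind in IMAGE_MAGIC.items() if head.startswith(magic)), None)


def build_manifest(root: Path) -> dict:
    """Record hash, size and detected image type for every file under the copied cache."""
    return {p.relative_to(root).as_posix(): {"sha256": sha256_file(p), "size": p.stat().st_size,
                                             "image": image_type(p)}
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_manifest(root: Path, manifest: dict) -> list:
    """Return paths whose content is missing or no longer matches the recorded hash."""
    return [rel for rel, meta in manifest.items()
            if not (root / rel).is_file() or sha256_file(root / rel) != meta["sha256"]]


def run_demo() -> dict:
    """Build a constructed cache copy, manifest it, then tamper with one file and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "entry1.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 20)
        (root / "entry2.dat").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 20)  # image under a bland name
        (root / "entry3.txt").write_bytes(b"plain text cache entry")
        manifest = build_manifest(root)
        clean = verify_manifest(root, manifest)
        (root / "entry3.txt").write_bytes(b"edited after collection")  # simulated tampering
        tampered = verify_manifest(root, manifest)
        images = {rel: m["image"] for rel, m in manifest.items() if m["image"]}
        return {"images": images, "clean": clean, "tampered": tampered}
```

Keep the manifest on write-once media or sign it separately from the copied data; a hash list stored alongside the evidence it protects proves little on its own.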

One such audit on 2000 computers took place with a view to establishing the presence of any "undesirable" image files. The results were shocking. Over 210,000 images were found, of which approximately 25% were questionable. Existing audit data was used, that had been collected during a licence compliance audit and the whole analysis added just 4 man days to the audit project.

From the client's perspective, this was a cost exercise but one which was extremely valuable. In fact, not only were image files found, but also a range of undesirable software including copies of PGP (Pretty Good Privacy) where it was not appropriate for encryption to be used, mobile phone cloning software, Sky card cracking software and much, much more!

What was even more surprising was the fact that not only did the above organisation have a reasonable security policy and working set of procedures in place, but they also believed that they had things under control.

While the above case serves to illustrate the "hidden" power and value of audit data, it also begs the question of what action to take if (or when) you are faced with the knowledge that there is serious abuse within your systems. This is where the forensics part of forensic auditing comes in.

Elizabeth Sheldon is a director of Evidence Talks, one of the most highly regarded computer forensics consultancies in the UK. Evidence Talks leads the way with unique solutions to some of the problems faced by industry today. For more information visit-