So why don't we pay attention to the detail necessary to secure our information?
By Brennen Schmidt
ALEUS Technology Group
and Allan Bonner
Troy Media columnist
Cops have a pretty good set of rules and responses. They look for the good and bad actors. They question everything and have a response for most eventualities. “Move along buddy” solves a lot of problems, for example.
It turns out that Det. Const. Kenrick Bagnall, who handles computer cyber crime in Intelligence Services at Toronto Police Service, is no exception. His essay in the book Cybersecurity in Canada: A Guide to Best Practices, Planning, and Management is a little longer than his title, and more explanatory. He starts with a great definition and turn of a phrase. About the Internet, he writes: “Many regulate it, no one owns it, and most of the planet’s population is connected to it.”
He also cites a legal definition from a Court of Appeal for Ontario case in 2012. “The Internet, as a global system of computer networks, has become an increasingly important tool for the exchange of information. Internet use for a variety of reasons is ubiquitous in today’s society. In many ways, the Internet has become the new library, shopping mall, theatre, meeting hall and enumerable other venues all rolled into a single global venue available at the user’s fingertips wherever he or she might be.”
It has often been said in the age of terrorism, that the terrorists only have to succeed once, but intelligence services must succeed every time. The detective constable/author then channels a version of this by writing that “[c]riminals have access to a boundless supply of victims, while at the same time, they are able to maintain a relatively high degree of anonymity.”
This sets the stage for cyber-crime very well. Just the facts m’am, as they say in cop lingo.
Interesting how far crime has come since possessing burglary tools was an offence in some jurisdictions. “…[W]hile not every criminal offence is a cybercrime, every criminal offence is likely to have some form of cyber component or digital footprint.” Traces of footprints can be found in things ranging from server logs, to header information contained in the backbones of emails, to usernames.
Unlike the burglary tools used the day of the break-in, many attackers spend months in your network before being detected or acting. This officer rightly wants evidence on which to act – “logs and tables from firewalls” and anything else to hand over to investigators. An organization may have also made itself vulnerable to the age-old inside job, with cyber criminals doing things under the auspices and identity of a trusted user on the company network.
We might just add a respectful footnote to the officer’s good advice. A criminal lawyer once told us that once you get the police in your lives, it’s hard to get them out. You may have done nothing wrong. You may have done something wrong in a far-off jurisdiction that you know nothing about, but which hosts your information on premises using a server, or in a cloud environment. Worse, this information may be hosted using a hybrid model, meaning that it’s housed on a server in a facility while simultaneously existing in multiple locations across the globe.
You may have improperly moved information through jurisdictions and not known it. You may have accessed the Internet at your local coffee shop using an unsecured wireless network – leaving you and your information vulnerable to review or access through what’s called a “man in the middle” attack.
Your employees may have done something wrong or have something wrong on their computers. A key logger could be working in the background on the victim’s computer, looking for specific pieces of information. A 16-character entry into a form, followed by another three entries likely means trouble for the company credit card or even their own – especially if checking online banking and completing transactions at work. The investigation to get to the bottom of how exactly someone’s credit card information just became complicated, and fast.
Other real-life cases involve pornography on company computers, of course, and even pornography on the computers of child welfare workers.
There’s something to be said about the fear most people have any time there’s a full-on investigation by police following an event. For the victim, the authorities’ very presence may offer a sense of comfort. The offender is a bit of a mixed bag. Police involvement may deter them from future activities or a deranged person could see it as motivation to move on to another job. It’s all part of the rush.
With this said, police live and breathe “the book,” ensuring policies, procedures, processes and legislation are followed. They do so knowing that the slightest deviation from what’s written down could lead to a dropped arrest or mistrial.
So why is it that the same attention to detail isn’t paid by those responsible for securing our information?
The answer may lie in the fact that there isn’t a global policy, procedure, resolution or declaration specific to securing networks.
It’s a sad reality but it’s a reality that may bring us the motivation we need to take action.
That’s why we need to get back to the basics: locking up systems. Newer cars automatically lock and arm their security systems when the owner isn’t present. Those who choose not to lock their cars or, worse yet, leave their keys in the ignition are just asking for trouble. Cases like this also consume a large chunk of time for the authorities.
It’s time to start putting some thought and effort into making information technology systems as simple and secure to operate. It would make us all a bit safer and save time.
Bring the police in when necessary. But work diligently to make sure it’s not necessary.
Dr. Allan Bonner, MSc, DBA, is a crisis manager based in Toronto. His forthcoming book is Cyber City Safe. Brennen Schmidt (BEd, Certiftied PR, CUA) is principal of the ALEUS Technology Group, a boutique digital communications firm in Regina.
The views, opinions and positions expressed by columnists and contributors are the author’s alone. They do not inherently or expressly reflect the views, opinions and/or positions of our publication.