So it has happened. The "thing" that most business professionals, and especially IT professionals, never like to deal with. There is suspicion of a security violation within your organization. Some information has appeared where it shouldn't have. Perhaps it was a confidential email found on a printer in an area where no one who received the email works. Perhaps it was an employee who made comments in a meeting that suggest they know information they shouldn't. Perhaps some internal memo was referenced in a damaging newspaper article.

Whatever it is, management has now come to you, the IT leader, to ask the questions: "Do we have a security breach?", "Is an employee reading our email?", "What is going on?" and so on. While many IT professionals have dealt with information security, it has most often been from a technical perspective. A virus outbreak. A hacked web server. The usual response is to clean up the damage and beef up technical security.

The need to conduct an investigation of an information leak is ... more complicated and more delicate by far. As any Human Resources professional will tell you, one needs to tread carefully when dealing with suspicions of wrong-doing that involve employees. For an IT leader, if the suspicion falls on people in his or her own area, it is even more delicate and complex. IT professionals, generally, by the very nature of their occupations, are empowered with the "keys to the kingdom." In this professional's opinion, trustworthiness is the number one criterion to work in IT.

So, now it is up to you to lead and direct such an investigation. How to proceed? First and foremost, do not act in a vacuum. As any such investigation proceeds, it should minimally involve an appropriate representative from Human Resources, quite possibly Legal, and appropriate-level management from the area(s) of the employee(s) under suspicion. At the start you may know nothing more than that there is suspicion of a leak, so build the connections to HR and other areas as the investigation develops.

A good investigation starts like any other good problem solving effort in IT. Determine what you know. Consider possibilities about what might have happened. Devise methods to test the validity of the possibilities to eliminate those you can and, in doing so, expand what you know. An excellent systematic approach can be borrowed from a concept used in research, journalism, and criminal investigations. The "Five Ws" (or perhaps Five W's and one H) is the use of the common interrogatives in the English language to direct your investigation. The six basic questions are:

  • Who? Who was involved?
  • What? What happened?
  • When? When did it happen?
  • Where? Where did it happen?
  • Why? Why did it happen?
  • How? How did it happen?

Each of these questions should result in a factual answer: one that can be substantiated through some sort of forensic evidence - logs, witnesses, documents, etc. In most organizations, gathering the forensic evidence can range from tedious and time consuming to downright impossible. It all depends upon what is in place for logging on your organization's computer systems and what controls exist. Sadly, it is often the case that when such an investigation begins, the first thing that is discovered is that logging was never turned on for the email server, print server, etc., and hence there is nothing available during the time range of the suspected incident to look at for evidence. Under such circumstances, often the best that can be accomplished is - as in the case of an external breach - to clean up, establish logging policies, enable appropriate logs and controls, and have the evidence potentially available should a future incident occur.

If you are foresightful enough to have rich logging in place, logs alone will rarely provide definitive answers. Often computer forensics will need to be cross-checked with good old-fashioned detective work. For example, logs may ultimately tell you that the confidential email was printed from workstation ID 1234 by user ABCD, but it may take some discreet human inquiries to identify whether ABCD was at their workstation at 10:22:32 AM or was on a coffee break and someone else walked up and went through their email.
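The cross-check described above can be partly automated before the human inquiries begin: replay the workstation's session events (logon, lock, unlock, logoff) and the user's badge-reader events up to the moment of the print job, and see whether the account's use is consistent with the account holder being at the console. The script below is an added example, not code from the original article; every log line in it is constructed sample data, and the field names (host=, user=, event=, direction=) are assumptions rather than any vendor's actual log format. It reports, for each print record, the state of the console session and the badge log at print time, and flags the combinations that call for a discreet follow-up.

```python
"""
Correlate print-server records with workstation session events and badge
events to test the "Who?" hypothesis for a leaked document.
All log lines here are constructed sample data; the formats are assumptions.
"""
import shlex
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed print-server records: the 10:22:32 job is the article's scenario,
# the other two exist to show a clearly anomalous and a clearly consistent case.
PRINT_LOG = [
    '2023-03-14 10:15:00 PRINT host=WS1234 user=ABCD doc="Board minutes" printer=PRN-FL2',
    '2023-03-14 10:22:32 PRINT host=WS1234 user=ABCD doc="Confidential memo" printer=PRN-FL2',
    '2023-03-14 11:05:10 PRINT host=WS1234 user=ABCD doc="Weekly report" printer=PRN-FL2',
]

# Constructed workstation session events for WS1234.
SESSION_LOG = [
    "2023-03-14 08:02:11 SESSION host=WS1234 user=ABCD event=logon",
    "2023-03-14 10:11:40 SESSION host=WS1234 user=ABCD event=lock",
    "2023-03-14 10:20:05 SESSION host=WS1234 user=ABCD event=unlock",
    "2023-03-14 12:30:00 SESSION host=WS1234 user=ABCD event=logoff",
]

# Constructed badge-reader events for the user's floor door.
BADGE_LOG = [
    "2023-03-14 07:58:30 BADGE user=ABCD door=FL2-MAIN direction=in",
    "2023-03-14 10:12:15 BADGE user=ABCD door=FL2-MAIN direction=out",
    "2023-03-14 10:41:02 BADGE user=ABCD door=FL2-MAIN direction=in",
]


def parse_line(line):
    """Parse 'YYYY-MM-DD HH:MM:SS KIND key=value ...' into (timestamp, kind, fields)."""
    ts = datetime.strptime(line[:19], FMT)
    tokens = shlex.split(line[20:])          # shlex keeps doc="two words" together
    fields = dict(tok.split("=", 1) for tok in tokens[1:])
    return ts, tokens[0], fields


def session_state(events, host, user, at):
    """Replay session events for (host, user) up to 'at': unlocked / locked / none."""
    state = "none"
    for ts, kind, f in events:
        if kind != "SESSION" or f["host"] != host or f["user"] != user or ts > at:
            continue
        if f["event"] in ("logon", "unlock"):
            state = "unlocked"
        elif f["event"] == "lock":
            state = "locked"
        elif f["event"] == "logoff":
            state = "none"
    return state


def badge_state(events, user, at):
    """Direction of the user's last badge event at or before 'at': in / out / unknown."""
    state = "unknown"
    for ts, kind, f in events:
        if kind == "BADGE" and f["user"] == user and ts <= at:
            state = f["direction"]
    return state


def assess_print(print_line, session_lines=SESSION_LOG, badge_lines=BADGE_LOG):
    """Return what the logs say about the account holder's presence at print time."""
    ts, _, p = parse_line(print_line)
    events = sorted((parse_line(l) for l in session_lines + badge_lines), key=lambda e: e[0])
    sess = session_state(events, p["host"], p["user"], ts)
    badge = badge_state(events, p["user"], ts)
    findings = []
    if sess != "unlocked":
        findings.append(f"no unlocked console session for {p['user']} on {p['host']} at print time (state: {sess})")
    if badge == "out":
        findings.append(f"badge log places {p['user']} outside the area at print time")
    if not findings:
        findings.append("logs consistent with the account holder at the console; still confirm by interview")
    return {"time": ts.strftime(FMT), "user": p["user"], "host": p["host"],
            "doc": p["doc"], "session": sess, "badge": badge, "findings": findings}


if __name__ == "__main__":
    for line in PRINT_LOG:
        r = assess_print(line)
        print(f"{r['time']} {r['user']}@{r['host']} printed {r['doc']!r}: "
              f"session={r['session']} badge={r['badge']}")
        for finding in r["findings"]:
            print("  -", finding)
```

For the 10:22:32 job the console session is unlocked, so the print itself is unremarkable, but the badge log has the user out of the area since 10:12:15; that is exactly the "coffee break" ambiguity the logs cannot resolve on their own, and the script only narrows where the human inquiry should start. The 10:15:00 job, printed while the session was locked and the user badged out, is the kind of record worth treating as a genuine anomaly, while the 11:05:10 job is consistent on both sources and needs no more than routine confirmation.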

PaulDupuis.com and its associates have extensive experience in electronic forensics and information security. Whether you're wisely taking precautionary steps to ensure you have sufficient logging in place before an incident occurs, need help investigating a breach, or need advice on how to formulate electronic evidence requests in a litigation, we can bring value to your specific situation.