Protecting the Investigators

An article in the Harvard Journal of Law & Technology from the summer of 1997 issue (http://jol t.law.harvard.edu/articles/10hjolt465.html) warns that police may face attacks against their information systems in the 21^st century. As criminals become more sophisticated about information technology, the concern loses any hint of science fiction. Attacking the investigators may become a viable option, especially when one doesn’t even have to visit the police station.

In fact not only police face vulnerability. Private sector investigators working in the IT industry could also encounter technology-based attacks. Areas of mutual exposure include:

1. Database systems containing criminal history and intelligence files.
2. Communication systems including e-mail and cellular telephone transmissions.
3. 911 systems in the public sector; corporate emergency alert systems for the private sector.
4. Radio transmissions.
5. The personal infosphere (credit files, home telephone devices, public record databases, and so on) of investigators and police officers.
6. Security systems such as CCTV, alarms, access control devices, and auditing programs.

In addition, every corporate espionage trick such as wiretapping, dumpster diving, and eavesdropping on computer traffic will serve criminals in gathering intelligence. Information is a two-edged sword. The mere collection of facts for a good purpose doesn’t insure against someone converting the data for a bad purpose. Investigators need to protect their information resources and the data streams that feed those resources.

Mare D. Goodman’s article, "Why the Police Don’t Care About Computer Crime" suggests that law enforcement, with the exception of some high-tech crime units, does not understand the threat of computer crime. He feels that police largely focus on traditional law enforcement operations. What is becoming clear, though, is even conventional police operations could face serious disruptions from computer savvy criminals. The same goes for corporate security departments.

While considerable literature exists on investigative techniques regarding crime in general, including computer crime, discussion on protecting the investigative effort itself is at the early stages. We can’t always focus just on the benefits of information technology. Understanding the pitfalls may be key to survival.

What would happen to criminal justice if the AFIS (Automated Fingerprint Identification System) network was attacked and seriously degraded? What would be the consequences for your company if your business intelligence database were compromised?

Sound strategic thinking is necessary to protect investigative and security resources. A mere fortress mentality, however, may fail. In an environment filled with highly motivated and resourceful computer criminals, overconfidence may lead to disaster. So good protective strategy would include:

1. Adopting risk management techniques. These techniques include risk assessment, resource planning, and contingency planning. Web sites with information on risk management are:

1. Hall Associates http://www.techriskmgt.com/
2. Risks, Ltd. http://www.risksltd.com/
3. Risk Decisions http://www.risk-decisions.com/
4. ABS Group Inc. http://www.jbfa.com/
5. AMA Associates http://www.ama-assoc.co.uk/

2. Develop and use formal analytical tools to identify vulnerabilities and to measure risk. Two common methods are decision trees and root cause analysis. Traditional security surveys usually are just checklists. Formal analysis traces the pathways of critical information flows to uncover vulnerabilities not considered in routine checklists. Two good introductory web sites on these methods are:

1. Vanguard Software Corporation (http://www.vanguardsw.com/)
2. "Root Cause Leader" ABS Group Inc. (http://www.jbfa.com/)

Bruce Schneier’s method known as Attack Trees also deserves consideration at http://www.counterpane.com.

3. Maintain good intelligence on emerging threats. In an article on http://www.fcw.com "Report Slams DOE counterintelligence" (dated 6/28/2000), the real need for current, actionable intelligence arises from today’s headlines. (See also my article on Intelligence Gathering from Security Portal January 25, 2000.)
4. And, investigators need to strive to keep their own personal information profile low. Avoid releasing in-depth personal information in the press or on Web sites.

SecurityPortal is the world

’

s foremost on-line resource and services provider for companies and individuals concerned about protecting their information systems and networks.

The Focal Point for Security on the Net

™