[ISN] On Trial - Prosecuting cybercrime puts your organization--and your security--on the hot seat.

Mon Oct 18 02:23:25 EDT 2004

http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss486_art1001,00.html

By Carole Fennelly
October 2004

Attorney: Is it fair to say that, prior to March 24, 2000, you were 
not aware of [a] bug that allowed someone to enter the system?

Bloomberg: That's correct. It's not just someone. You would have to 
work pretty hard to do it and have to be reasonably competent to do 
it.

Attorney: Would it be fair to say that that bug was a dangerous threat 
to the security of your system?

Bloomberg: Absolutely. 

-Testimony of Michael Bloomberg, U.S. v. Zezev 

New York City Mayor Michael Bloomberg endured more than an hour of 
cross-examination during the 2003 criminal trial of Oleg Zezev, a 
Russian citizen later convicted of hacking Bloomberg LLP's network and 
making extortion demands. Bloomberg didn't make excuses for weaknesses 
in the company's digital infrastructure. He met the issue head-on. 

Is your CEO prepared to do that? 

Your company will undergo intense scrutiny if a case against a 
cybercrime suspect goes to trial. Your employees, from the IT staff to 
the corner office, will be cross-examined by defense attorneys, who 
will attack their competence, challenge their statements and attempt 
to discredit corporate polices and processes. Internal, often 
sensitive, documents and information may become part of the public 
record, and, if the case generates enough buzz, it's fair game for CNN 
and The New York Times. 

When your company takes the stand, you're asking for an open--and very 
public--security audit. Although you can't control everything that 
goes on in the courtroom, you can prepare your employees for the 
concentrated defense questioning. 

If your IT security policies are strong, and if you have solid 
incident response plans, you'll be ready for the onslaught. If not, 
your secrets and flaws may be exposed in the worst possible light. 

Fair Game

Prosecutors rely on corporate cooperation to convict cybercriminals, 
and most will try to limit the admissible evidence to avoid 
unnecessarily embarrassing the company or revealing sensitive 
information. Through the discovery process, the defense counsel has 
access to all seized evidence and can subpoena anything that may show 
negligence or weaken the case--possibly revealing holes in IT security 
policies, processes and infrastructure. If your security is weak, it's 
much more difficult to prove that a particular individual was 
responsible for the crime. 

Much of what happens in court is dependent on pretrial 
maneuverings--when admissibility is argued and judges rule on motions 
to suppress evidence. This is the stage at which you can try to avoid 
exposing sensitive corporate security data. 

"The company can communicate the big stuff that it doesn't want to 
come out--company trade secrets, information about response policies 
or vulnerabilities--to the [law enforcement] agent," says Richard 
Salgado, former senior counsel with the Computer Crime and 
Intellectual Property Section of the U.S. Department of Justice. "A 
motion may be made to exclude that kind of questioning." 

[...]