There has been a recent increase in cases involving white collar crime and intellectual property theft from corporations. Data theft causes major disruptions to companies and can become increasingly challenging if the investigation process isn’t managed properly. Outside of the obvious challenges of stolen information, data theft creates a complicated web of issues because it often requires additional steps, such as recovering and preserving data, determining the scope of the theft, and preserving the device the data was stolen from.
From a digital forensic investigator’s perspective, investigating these cases typically involves numerous moving parts spread over local and cloud systems. There are several methods available to organizations to help limit exposure of sensitive data. From my experience leading data theft investigations, here is what to do when you realize data is stolen and how to protect data moving forward.
My company data has been stolen! What should I do?
Once it’s clear data has been stolen, a company’s leadership may feel compelled to investigate immediately. However, this hasty action can diminish the chances of finding relevant data once forensic services are engaged, because an ad hoc investigation can alter or delete records of evidentiary value. Simply powering on a machine can change system logs and other information that might help the case.
Instead of rushing into an in-house investigation, first turn to forensic investigation experts. Forensic investigators can create a forensic image of the device to save and preserve its data, while allowing the device to be repurposed for use by the organization. Analysis is conducted on the forensic images, so the data on the original device is never changed or modified, and normal business operations with the device may continue.
How do I protect my data and limit my company’s information from exposure?
There are two primary areas of exposure when it comes to company data: local storage, and cloud storage or applications. A variety of protections can be implemented across both configurations to impede data exfiltration attempts by a bad actor and to assist forensic investigators engaged after an incident. Organizations should employ sound information governance policies as a preventative measure against data loss, and to provide as much information as possible to an investigator engaged to examine an incident. Here are some examples of the kinds of features your IT team should be implementing across these two key areas.
Cloud: Many organizations utilize cloud storage through a variety of applications such as Google Drive, Microsoft OneDrive, Dropbox, and other platforms. Depending on the service level of the application, an administrator account is created, which allows access to an administrative console. From this console, administrators can set up rules and procedures that other users must follow to use the application’s features. Administrators can track user activity such as uploads, downloads, modifications, deletions, access, and many other actions, which can be vital when investigating suspected data theft. These audit features are not always enabled by default, so the administrator should manually check and enable them.
User privileges can be enforced at the group policy level and at a very granular individual level. Assigning privileges to each user on a “least privilege” basis is recommended. These privileges give users access only to the functions needed to perform a job or task. If users need additional privileges, they can contact the administrator for approval. It’s better to require a request for additional permissions than to allow too many privileges or privileges outside those of users’ roles. Enact policies that make it standard procedure for administrators to place holds on accounts when employees leave or are terminated from the organization, freezing their accounts’ contents and configurations exactly as they were at the time of the user’s separation from the company. It is also important to make sure departed employees’ access to all company systems has been revoked. This can be accomplished in several ways. One of the simplest is to change the user’s account password and remove any two-factor recovery features that may be associated with a personal device.
Local: Many of the same principles employed with cloud applications can be applied to local systems’ policies, like Microsoft’s Group Policy and Active Directory. If your firm has a designated internal or external IT team, they can implement these settings to help limit your exposure to data exfiltration. The rule of least privilege applies here as well.
There are many policies you can apply to limit employee use of external media devices (e.g. USB-connected drives) or to block access to cloud storage websites not permitted by the organization. For example, if the company has standardized on Google Drive as its file share repository, it would be wise to block access to comparable sites like Microsoft OneDrive or Dropbox.
An additional recommended governance policy is to implement rules that alert your IT resources when a user’s activity deviates from their job responsibilities or from enacted user policies. This can include communication with outside sources, large data uploads or downloads, and visiting suspect webpages. You can also implement a “block list” and “allow list” (formerly known as blacklist/whitelist) to restrict user access to websites unrelated to individual employee job functions. This may also help improve employee productivity by restricting sites like social media.
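As an added illustration of the alerting rules described above (example code written for this post, not a LOGICFORCE tool or any vendor’s console), the script below runs three checks over constructed cloud-storage audit events: use of a storage site other than the organization’s standard repository, a per-user download volume above a threshold, and a burst of deletions. The event format, the thresholds, and the sample log are all assumptions made for the example.

```python
"""Alert rules over cloud-storage audit events (constructed example)."""
import json
from collections import defaultdict

# Constructed sample audit log: one JSON event per line. This is not any real
# provider's export format; a real console exports its own schema.
SAMPLE_LOG = """\
{"user": "alice", "action": "download", "bytes": 2048, "target": "drive.google.com"}
{"user": "alice", "action": "upload", "bytes": 1024, "target": "drive.google.com"}
{"user": "bob", "action": "download", "bytes": 734003200, "target": "drive.google.com"}
{"user": "bob", "action": "upload", "bytes": 734003200, "target": "dropbox.com"}
{"user": "carol", "action": "delete", "bytes": 0, "target": "drive.google.com"}
{"user": "carol", "action": "delete", "bytes": 0, "target": "drive.google.com"}
{"user": "carol", "action": "delete", "bytes": 0, "target": "drive.google.com"}
"""

ALLOWED_STORAGE = {"drive.google.com"}   # assumed: the organization's standard repository
DOWNLOAD_THRESHOLD = 500 * 1024 * 1024   # assumed: 500 MiB per user per review window
DELETE_THRESHOLD = 3                     # assumed: deletions per user per review window


def parse_events(text):
    """Parse one JSON event per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def evaluate(events):
    """Return sorted (user, rule, detail) alerts for the given events."""
    downloaded = defaultdict(int)
    deletes = defaultdict(int)
    alerts = []
    for ev in events:
        user, action, target = ev["user"], ev["action"], ev["target"]
        if target not in ALLOWED_STORAGE:        # non-standard cloud storage site
            alerts.append((user, "non_approved_storage", target))
        if action == "download":
            downloaded[user] += ev["bytes"]
        elif action == "delete":
            deletes[user] += 1
    for user, total in downloaded.items():        # bulk download volume
        if total > DOWNLOAD_THRESHOLD:
            alerts.append((user, "bulk_download", total))
    for user, count in deletes.items():           # mass deletion burst
        if count >= DELETE_THRESHOLD:
            alerts.append((user, "mass_delete", count))
    return sorted(alerts)


def run():
    return evaluate(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

In practice the same rules would be fed from the provider’s exported audit log and the thresholds tuned to each role’s normal activity, so that the alerts reflect deviation from a user’s job responsibilities rather than a fixed number.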
These information governance recommendations will not eradicate the risk of incidents, but they can mitigate your risk exposure to data loss. If you discover that data has been stolen, remember that your best chance at preserving existing content and activity records, and eventually repurposing the device for future use, is to engage a forensic investigator. LOGICFORCE has a team of expert digital forensic investigators ready to help with your case. To learn more about our offerings, please contact us.
Donnie Tennant is an expert on LOGICFORCE’s Digital Forensics Team. Donnie has been practicing digital forensics since 2016, with an emphasis on mobile devices and cloud forensics through specialized training from industry leaders in the mobile forensics community.