Posted: November 29th, 2022

Internal Cyber Investigation

Internal Cyber Investigation:
CRJ626 Unusual VPN Activity Scenario
Review the CRJ626 Unusual VPN Activity Scenario as well as the CyberNav Privacy and Security Policy. You must support your statements throughout the paper with evidence from a minimum of 10 scholarly or professional sources in addition to your text

Problem One: Determining if the nefarious activity has indeed occurred.

Analyze the technical aspects pertinent to the scenario.
Explain a minimum of three methods that would Help the security personnel and information technology specialists to detect if a cybercrime has been committed.
Problem Two: Gathering necessary forensic evidence.

Examine methods of retrieving and analyzing data from the internal network in order to gather necessary information that might Help in the prosecution of any responsible parties.
Problem Three: Determining if an individual external or internal to the company caused the unusual VPN activity.

Evaluate legal issues that might arise in detecting cyber crimes committed by individuals external to the company.
Explain how the current policy addresses potential infractions by company employees.
Once you have addressed the identified problems noted above, review the CyberNav Privacy and Security Policy and draft suggested revisions to sections of the policy that will specifically address the issues presented in the CRJ626 Unusual VPN Activity Scenario.
Problem One: Determining if the nefarious activity has indeed occurred.
Analyze the technical aspects pertinent to the scenario.
CyberNav has affirmed that the security of their data, especially the sensitive information from unauthorized parties or entities, is paramount. Therefore, How we handle and protect Cybernav data is central to the security of our business and the privacy expectations of customers, employees, and partners. Notably, an analysis of the Unusual VPN activity scenario demonstrates that the safety of its sensitive information has been compromised. Several technical issues would be pointed out to establish the compromise.
The first nefarious activity was the unauthorized access of sensitive information remotely despite their clear rule that top-secret information is not to be accessed remotely. Its privacy and data security policy has stipulated that all VPN-only accessible materials are considered TOP SECRET. This TOP SECRET information is not to leave the premises of Cybernav or be accessed remotely, off the property. Therefore, the unusual amount of computer traffic via the VPN connection remotely and included essential documents and digital holdings was a breach of the protections given to highly confidential information. This was undoubtedly the unauthorized access to sensitive information needed only when one was within the organization. It is prudent to note that regardless of whether it was the executive management or employees accessing the data, this was sensitive information that needed to be accessed only when on the company’s premises. Hence, it was all an issue or unauthorized access.
Another technical issue is the unusual computer traffic identified by the network administrator. This would indicate the possibility of a cyber attack within the VPN Network. CyberNav uses the network to communicate with its relevant personnel. Sharing highly confidential and sensitive information that is considered top-secret industrial information is possible. According to Iannarelli & O’Shaughnessy (2014), the security of vital and proprietary information must be a priority to mitigate unnecessary risks. While there needs to be a security baseline, the more sensitive data needs a higher threshold. That is why CyberNav took up the mandate of asserting that whatever is considered top secret information should not be accessed remotely. This was important to know only the authorized parties can access the information, which could be quickly manned when the access is allowed only on-premises.
Methods To Be Used By Security personnel and Information technology Specialists Ton detect Cybercrime
One of the methods to be implemented is using an Intrusion Detection system, primarily a set of equipment or applications that monitor events happening within a computer network and detect the incidents that encompass violations of established usage and security policies. Regarding the scenario at CyberNav, the recommended type of IDS system is the Network Intrusion Detection System that analyzes the incoming network traffic, which is an issue that the network administrator identified. It is prudent to note that the IDS to be implemented should be designed to detect and adapt to unknown attacks. The detection approach utilizes machine learning for creating a defined model of trustworthy activity then compares the new traffic behavior against the trusted model.
The second method to detect cybercrime is through the operating system commands (Prasanthi & Aishwarya, 2015). The security experts will use particular operating system commands, specifically checking log files and comparing the outputs of similar programs. Typically, the system administrator uses the commands daily in searching for evidence that suggests the possibility of cybercrimes. For instance, the experts could collect the security logs then analyze them, looking for abnormal or suspicious activities. The security personnel looks through the credential login and the application executions on the VPN. They then follow the actual time when the materials protected by VPN were accessed to determine whether the access happened during the non-business hours. Similarly, collecting and analyzing the log files will permit these experts to identify the actual IP addresses of the devices used during the remote access. This information will be used to determine the culprit responsible for remotely accessing the confidential CyberNav information.
A third approach is configuration checking tools, also known as vulnerability assessment tools, for detecting insecure systems. While these tools are considered primarily preventive, they could be used for monitoring devices to avail evidence relating to cybercrimes (Prasanthi & Aishwarya, 2015). They check any suspicious patterns of system misconfigurations that are malicious. One way that the security experts could incorporate the tools is in the devices used by the system users. These devices will be configured for double-checking the IP address affiliated with domain names reported for the inbound traffic against that actual IP address included in the incoming traffic. When these two values are different, this becomes a definite indicator of spoofing to mean that suspicious activity has been happening (Littlejohn & Shinder, 2002). This kind of detection will typically trigger an alarm for suspicious activities even if it does not indicate the existence of an outright attack.
Problem Two: Gathering necessary forensic evidence.
In this scenario, handling cybercrimes will require collecting and analyzing digital evidence mainly from remote users’ devices in accessing the computer systems. One method for managing digital evidence is to capture the network data packers. This is attained by observing the users connected to the company network and through tools such as netstat and Wireshark. The security professionals will be in a position to collect valuable data. With the Wireshark tool, it is possible to take the raw data, which goes beyond obtaining the cache and cookies from the user to accessing the site which was opened to obtain information of the tab sources destination, protocol, length, and also the capture interface. Using the Cain & Abel tool allows the observation of detailed information in the connected users to the network, including their IP addresses, MAC addresses, the location of the site being opened, and authentication credentials such as usernames and passwords.
A second method is awakening the deleted data since malicious attackers are always looking for ways to conceal their crimes; hence will always choose to delete the data that is considered the most incriminating digital evidence. If the experts are using the FAT or NTFS file systems, then it will be possible for all the tools to recover the deleted files (Syambas & El Farisi, 2014). However, not all folders are recoverable, especially if they are not references to the file system. It is prudent to note that there are limitations in generating deleted data from memory. One of them is that the folder and file recovery tools will make assumptions that are at times not correct. For instance, during the recovery of a deleted file, numerous applications take the initial cluster and the file size to the folder entry and set the subsequent free cluster to be part of the sequential file. The assumptions are made with the initial cluster failure of a deleted file followed by the free cluster referring to a different file equally deleted. Some automated file recovery tools will not differentiate the directory entry from the deleted file regarding whether it was removed or overwritten. Nevertheless, these weaknesses are covered by applications that could undertake file carvings, such as PhotoRee and Scalpel.
The third collection approach solves the encryption and steganography file specifically for the protected individual files. Specialized tools such as PRTK and DNA from AccessData bypass passwords for recovery from numerous typ[es of files (Syambas & El Farisi, 2014). The tools could be limited concerning the hardware devices. There are, however, alternatives that would work faster, such as the combination of several computers, the Distributed Network Attack (DNA) could be used to brute-force 40-bit encryption of file types. Using a cluster of approximately 100 desktop supercomputers with the right applications will help try out every possible 40-bit key within a short period (Syambas & El Farisi, 2014). Regarding steganography, the investigators must be cautious with the large files that look suspicious. The investigator must manually search for the steganography software that a malicious party could hide information. If it already exists, the file could be opened with steganography software by using the passwords obtained from the encryption solution.
After using these techniques, the security expert initiates the write protection approach to preserve and protect digital evidence (NIST, 2004). It is recommended that the expert consider creating a known value for the subject evidence before acquiring the evidence, explicitly undertaking an independent cyclic redundancy check or hashing. When it comes to hardware, the respective write-protection device is installed then a system boot is being conducted with the examiner’s controlled operating system. Regarding the software write protection, a system boot is also conducted with the analyst’s controlled operating system then the write protection process is activated. All storage devices’ geometry should also be investigated to ensure that all space within them is accounted for, including the host-protected data areas (NIST, 2004). The electronic serial number of the drives and other user-accessible host-specific data should be captured. Also, the subject evidence should be acquired to the analyst’s storage device through the right software and hardware tools.
After the extraction of the forensic evidence, the information is to be analyzed via various approaches to determine their significance to this scenario. One of them is conducting a timeframe analysis determining when the computer network experienced unusual traffic and unauthorized access to information (NIST, 2004). These findings will guide in affiliating the usage of a computer by an individual with when the events occurred. The analyst could review the time and data stamps contained within the file system metadata then link the files of interest to the relevant timeframes to this scenario. The analyst could also choose to review the system and application logs present, such as the error logs, installation logs, connection logs, security logs, among others. Therefore, an examination of the security log could indicate when a particular username and password combination was used for logging into the system.
Another analysis approach is the data hiding analysis, considering that information can be hidden within the computer system. This approach is helpful to detect and recover concealed information, and it could point out the knowledge, ownership, and even the intent of the malicious party (NIST, 2004). In this approach, various strategies are included, such as correlating the file headers with the corresponding file extensions to identify any mismatches that indicate that the user intentionally concealed the data. The second strategy is to obtain access to the password, protected, and compressed files that could indicate the attempts of hiding data (Gubanov, 2012). Obtaining access to the host-protected area and finding any user-created data would reveal the attempts of concealing information.
Problem Three: Determining if an individual external or internal to the company caused the unusual VPN activity.
Determining whether an internal or external party did the unusual VPN activity will heavily rely on the analytic findings obtained from analyzing the digital forensic evidence. This analysis could also show the intent of the malicious party (Gercke, 2014). For instance, if an internal party was the reason for the suspicious activity, it is possible that the attacker acted purposely or recklessly. If it is an external party, there is a greater risk that they were acting purposely, considering that the traffic here contained the sensitive industrial information that was giving the company a competitive edge. Notably, both scenarios did cause a risk of harm to the company’s data in accessing it by unauthorized parties.
One legal issue that arises in detecting the cyber crimes done by the external parties is determining the level of their criminal culpability (Leukfeldt & Holt, 2019). Currently, there are distinct criminal culpability levels or criminal responsibility depending on the degree to which the illegal activity occurred. The intentional actions are categorized into the purposely or willfully committed levels, while the unintentional level is divided into the reckless or negligently committed. The purposely intent happened when the party committed the cybercrime intending to cause harm. The willfully intent means that the individual committing the crime knew that a particular action would cause harm but continues to commit the wrongdoing. An analysis of the unusual VPN activity shows that the remote unauthorized access happened consistently, yet the policy indicated that it was prohibited (Leukfeldt & Holt, 2019). The reckless action happens when the individual commits the cybercrime when they engage in an activity even though they know that it does have a substantial and unjustifiable risk of harm to others. The individual shows no regard for the indifference to the risk of harm. An individual acting negligent happens when the person is not aware of the negative effects of an action.
Another legal issue relates to the legislative instruments applied in the company, especially when the malicious attacker is an external party. An external party would include the parties not part of the domestic jurisdiction. Even with the international legislative instruments existing (Umutlu, 2021). The difference between the domestic and legal frameworks has proven to be a severe hindrance to criminal investigation and prosecution of cybercrime. This happens due to the incomplete transit of the foreign instruments into the domestic legislation. Therefore, while CyberNav may discover an external party was responsible for the infringements, it may find it challenging to follow through the criminal investigation process due to differences in the right legal frameworks to be applied.
The primary difference relates to how particular conduct is to be criminalized and the provisions for investigating the cybercrime and collecting the digital evidence. For instance, different measures and penalties across the different jurisdictions relate to combating the unauthorized access of sensitive information (Eurojust and Europol, 2019). The adaptation and alignment of legal instruments are normally time-consuming and challenging, especially due to the dynamic evolution in the cybercrime threat landscape. Case law is considered an insightful tool for compensating for the lack of clearer law. However, case laws remain limited, especially those handling new developments such as the criminal abuse of one’s user privileges, anonymization tools, and the different technology-driven criminal modus operandi. Also, the present operational processes in conjunction with the forensic-technical standards relating to the gathering and transit of digital evidence could gain from better harmonizing and streamlining.
CyberNav developed its privacy and data security policy to ensure that every information considered sensitive or top secret was protected. Understanding that the company employees formed the weakest link to the systems, it addressed the potential infractions. Employees were mandated to protect the highly confidential information, sensitive information, and the information for internal use only. Their mandate was to ensure that access to this information was never done remotely but on the company’s physical premises. The employees were also prohibited from disclosing this information to unauthorized parties, especially the outsiders, since it would be harmful to Cybernav operations. The employees needed to understand whether the information they interacted with was sensitive, highly confidential, or for internal purposes solely and act as per the right classifications.
The policy indicated that any breach of these policies by an employee, or reasonably known to have occurred by a fellow employee, must be reported immediately to the employee’s immediate superior. The failure to self-report or report the actions of others concerning highly confidential, sensitive, or internal use only may lead to criminal or civil liability. Suppose disclosure violating the above policies is reasonably believed to have occurred by a superior of an employee. In that case, the report must go to the Director of Human Resources for Cybernav. Due to the sensitive nature of the work conducted at Cybernav, both civil and criminal penalties may apply to the unauthorized release or any disclosure of information considered highly confidential, sensitive, or internal use only.

References
Eurojust and Europol. (2019). Common challenges in combating cybercrime: As identified by Eurojust and Europol. JOINT REPORT Europol and Eurojust Public Information. Retrieved from https://www.eurojust.europa.eu/sites/default/files/Publications/Reports/2019-06_Joint-Eurojust-Europol-report_Common-challenges-in-combating-cybercrime_EN.PDF.
Gercke, M. (2014). Understanding cybercrime: Phenomena, challenges and legal response purpose.
Gubanov, Y. (2012). Retrieving Digital Evidence: Methods, Techniques and Issues. ForensicFocus.
Iannarelli, J., & O’Shaughnessy, M. (2014). Information governance and security: protecting and managing your company’s proprietary information. Butterworth-Heinemann.
Leukfeldt, R., & Holt, T. J. (Eds.). (2019). The human factor of cybercrime. Routledge.
Littlejohn, D., & Shinder, E. T. (2002). Chapter 9: Implementing Cybercrime Detection Techniques. Scene of the Cybercrime. Computer Forensics Handbook.
National Institute of Standards and Technology (NIST), & United States of America. (2004). Forensic Examination of Digital Evidence: A Guide for Law Enforcement.
Prasanthi, M. L., & Ishwarya, T. A. S. K. (2015). Cyber Crime: Prevention & Detection. International journal of advanced research in computer and communication engineering, 4(3), 45-48.
Syambas, N. R., & El Farisi, N. (2014, October). Development of digital evidence collection methods in case of Digital Forensic using two step inject methods. In 2014 8th International Conference on Telecommunication Systems Services and Applications (TSSA) (pp. 1-6). IEEE.
ÜMÜTLÜ, A. Y. (2021). Understanding Cybercrime: Phenomena, Challenges and Legal Response. Cyberpolitik Journal, 6(11), 98-109.

Order | Check Discount

Tags: Internal Cyber Investigation