Cybersecurity Dangers and Their Analysis Essay

Propose a detailed analysis of the evidence

There has been a significant transformation in communication and how people work with the advancement in technology and networking skills. However, the technology has simplified various protocols and exposed multiple organizations to danger. The most considerable risk in networking has been the alteration or stealing of data using cybersecurity skills. A multinational organization has employed these skills to advance and improve its performance. With data being the primary subject in cybersecurity, both individuals and organizations are at risk of being attacked by either individuals or organizations. With these threats increasing, it has necessitated the states to pass bills aimed at reducing this crime. However, with the complexity surrounding this sector, they have not been able to end this crime. Despite the frustrations by the perpetrators, the technology companies are working towards ending these acts through the development of services that can be employed to close these loopholes.

Some of the primary threats in security include malware, emotet, denial of service, phishing, and password attack. These cybersecurity dangers are spread through the network, with each threat being performed and treated differently (I. Alghamdi, 2021). For example, malware can steal or alter data while other treats have unauthorized access, such as password attacks through a process known as hacking. Hacking can be used in three ways where one is authorized to penetrate systems. Some penetrate the system without permission but with good intentions, while others attack systems with bad intentions.

Consider a case where data is stolen from a big company by sending the malicious file to the senior officer. The officer clicks the file, and the malware attacks the system stealing the data and bypassing some security measures. However, the case was exposed a year later when the organization attacked has analyzed what might have happened. By accessing the data illegally, the hackers breached the laws which govern digital data under the cybersecurity law. Therefore, various approaches must be considered to achieve justice for this company.

Assessing federal rules for evidence in cyber investigation

At the state level, several states in the USA have passed acts requiring organizations running networked systems with confidential data to protect the data. This forces all the state organizations to put measures to protect them from cyber-attack. Bypassing this law, companies that fail to comply to protect the information given to them can be prosecuted (Holt et al., 2017). Thus, the company should have first been assessed for its efforts to protect data confidentiality and integrity.

Firstly, it is notable that the company has various data backups, but it is not explained if they are placed in a different location. As better data practices, the backups are always kept in a different location where they cannot be easily accessed by unauthorized personnel. However, they can be linked to the primary data system to correct real-time data such as emails and other hidden data. No information given if the intruders accessed the backup data shows that the company protected the data.

Secondly, the company has a system with active data collection through emails and other entries. The attackers sending the malicious email to the senior official shows that there are privileges assigned to that senior officer. This senior officer can access different data types and requires less restriction to get the information. The regulation is a good data policy that allows only a few personnel in an organization to access sensitive data despite working with the company.

Lastly, the data is protected through an integrated password system. Passwords are the most encouraging security features that limit unauthorized access to systems. Unfortunately, when the senior officer clicked the link bait, the hackers could access the password systems before downloading the data. From the company security team, they implemented some of the top security measures to protect the company data. Additionally, there was a two-factor authentication password protection that the hackers managed to bypass because they used the privileged computer to access the systems.

Despite the organization implementing applicable measures to protect the data, they fail to use recommended systems that help monitor and detect breaches whenever they occur. Federal or enterprise data centers are required by the state laws to use all measures that detect, prevent, mitigate incidents and monitor the data system network. The mitigation includes raising the alarm when an intrusion is detected, taking possible actions to stop the attack, and recovering the lost or altered data if the intruders manage to access the system before action is taken.

Various organizations have worked together to ensure that system security is up to date by monitoring the networks and system. The cyber security framework under the NIST is helping organizations to understand and manage cybersecurity. Its framework aims at training organizations through their staff to reduce the risks of cyber-attack. The NIST regularly informs companies of the updated cybersecurity policies and possible new attacks that need to be controlled or upgraded to mitigate the risks. With the orders from the president in 2013, the NIST was ordered to work with all relevant stakeholders and produce a voluntary framework on cybersecurity standards. The body was to base its framework on existing standards, practices, and the improvement of the infrastructures to ensure that cyber-attacks were reduced.

The NIST cybersecurity framework consists of 3 main components: the core, profile, and tires. The core guidelines help companies implement cybersecurity risk management by policies that complement the existing cybersecurity risk management protocols. The implementation tire depicts context on how organizations consider cybersecurity risk management. The tires help organizations assess the levels of the risks, assisting companies in evaluating their budgets and mission priorities. At the same time, a profile is the company’s unique alignment used to identify and prioritize guides to improve the organization’s cybersecurity. Thus the NIST has the authority to provide cybersecurity services that will detect, protect and respond to cybersecurity in an organization. Further, it helps an organization identify the attack and the attacker and recover the data that has been breached.

These regulations that require organizations to have measures to track the cyber systems have led to the rise of software opportunities. To manage the attacks, companies like Solarwinds work with NIST to develop software that manages networks, systems, and information infrastructures. By controlling the organization’s data systems, the software from Solarwinds can detect, protect, respond, identify and recover data in case of cyber-attack or any intrusion by unauthorized authorities. In addition, through the Solorwinds and beyond the platform, with the help of the NITS, the company is working on cybersecurity of software supply chains, which ensures that malicious software is not supplied to unsuspecting buyers. Like risk management, the NIST with its stakeholders ensures that the devices’ supply chain is not compromised, which will affect its security.

Some other States have authoritarian measures, such as the New York department, which requires the organizations to do continuous system tests. The test annual security tests such as penetration help in identifying the weaknesses. The organization depicted in this case study does not explain any of the regular security tests and upgrades. Therefore, it is faulted to have not complied with the set rules exposing itself to cyberattack risks.

Digital evidence

The digital evidence was presented after the innovation of computers where binary data was transmitted. Hence digital evidence is considered evidence retrieved, stored, and shared in binary for court presentations (Nikkel, 2017). The cyber intrusion, in this case, calls for intense digital evidence collection and handling. The data was stolen digitally, with the physical system untouched. With the development in digital data, there are many types and sources of digital data which can be used as evidence in federal law courts in cases of cyber-attack. Determining the correct type and source of data associated with the evidence collection will help one select the proper data analysis approaches for better results and increase the evidence admissibility.

The first type of digital data is the active data which includes all the files created by the organization’s information system. They include the website browser data, emails, and client data entered manually by the relevant authorities, online or direct to servers. This data must be visible to the systems, including documents such as images and all data accessible without modifications or reconstruction, thus excluding information that has not been stored in the local systems. In the case of the organization under reflection, they process active data emails and client entries files, and information that is readily available locally.

The second data type is the backup or archived data, a replica of the original data in the systems. Backing up data is a cybersecurity approach meant to reduce the risks of data attacks in case of illegal entry to the data system. Data backups are intended to maintain data integrity in case of any alteration or theft, as they can be used to retrieve the original data. To increase the security of these archived data, they are stored in different physical locations. Despite being part of the system, there is a leveled access to these data streams as an added data security measure. In the scenario presented, the organization has a well-kept data backup and archived data with a documented log activity that will help monitor data creation and alterations to improve the data and evidence integrity.

Confidential data are apparent and accessible to all users, with particular aspects of the data hidden. This data is vital in analyzing the evidence, especially in cases where one has to monitor the log activities during the attack. They include the Metadata, residual data, and replica data, whereby the Metadata defines the data by giving more information about the data. These are the additional information regarding the data being considered, such as the date of creation, modification, and file structures. The Metadata is provided in the scenario created through the archived activity logs. The activity log will help analyze the original data by determining the date of creation and differentiating it from the modified data in case the system and data backups were affected.

Handling of digital evidence

The advancement in technology has enabled the courts to use digital evidence to prosecute and judge offenders in e-crimes and other types of crime. This broad application of digital evidence makes handling fragile, necessitating experts to manage it for its admissibility (Prayudi et al., 2020). Digital evidence is delicate and volatile; thus, poor handling will lower its integrity. In the case study, the crime committed is an e-crime that must be supported with digital evidence. It involves access, collection, packaging, analysis, transfer, and storage; hence, these steps require volatility and fragility protocols. The evidence collection goes through 4 main stages: identification, collection acquisition, and preservation.

Digital Evidence identification

Identification is the first phase of evidence handling, where preliminary information regarding the offense is obtained. This phase is like the traditional phase where data is sorted during the investigation. The information sort in this scenario must explain those involved, the attack, when, where, and how the crime occurred. The attack was conducted by a group of international data criminals who are likely to have ties with states. Both the state, group of hackers and attacked organizations are not specified. These intruders illegally access unauthorized files by sending hidden malicious files to this senior official before breaking into the systems to steal data. The attack period is not specified, and it is notified after a year. The attack took place through the networks hence an e-crime.

At this phase, authorities use traditional investigation approaches to get the information. They rely on interviews, witnesses, victim, and suspect interviews before proceeding with the case. Before commencing the investigation, investigators must be specific about the information they are seeking. These will help them identify the type of data they are likely to correct, such as Metadata or multimedia. Further, it will prepare them for the analysis approaches to fasten the process while maintaining evidence integrity. In this scenario, the authorities must interview the senior employee who accessed the malicious email and question the witness if they noticed anomalies in the systems. Since the information needed is digital, the investigators should have tools to retrieve and monitor data, such as the NIST-powered software like the Solarwind and Beyond software supply chain. It will help retrieve data and keep track of the activity logs during the hacking.

Digital evidence collection

The cybercrime crime scene is not limited to the physical location where the attack was conducted or conducted from. Thus in the case study presented, the crime scene where data should be collected is not limited to the physical location of the organization and organization backup, but also the networks used to access the system. This lowered limitation is because cybercrime evidence must be digital, including the victim and attacker’s DNS and IP addresses. The data collection varies with the devices used in this case; the computer and networking systems are involved. The crime technicians and investigators must work together to collect evidence and reduce the risks of data compromise. All the volatile data, in this case, must be carefully stored because they alter the content of the digital devices.

Digital evidence acquisition

The devices involved in this case study are computers and networking devices. Thus their data acquisition should be conducted in the laboratory to ensure that the data is unaltered, including the activity logs and hidden files which will help in data analysis. In addition, other networking data such as network providers’ IP and DNS addresses will assist in physically locating both the hacker and the victim’s physical location. With the seized devices available, the cybersecurity and digital forensics experts will retrieve the evidence that confirms the intrusion of the systems. To acquire accurate data, the investigator must consider physical extraction on the available physical devices and logical extraction on the networking and log activity devices.

Digital evidence preservation

After collecting and acquiring data, investigators and technicians must protect the evidence from intrusion and modification. The evidence preservation of the presented scenario is done by those who investigated as the company steps aside and waits for court presentations. This expert must demonstrate that the digital information collected was not modified or accessed by unauthorized authorities. Through the chain of custody, the investigator must secure the crime devices, including the company backups.

Analysis and reporting

After collecting and preserving the digital evidence, investigators and technicians will analyze the information collected and interpret it for relevant authorities. After collecting the data from the given scenario, the investigators should examine the evidence for possible company breaches and other aids from the company that increased the attack risks. The interpretation will help senior management to prepare well for the case. Additionally, the analysis will help relevant authorities to weigh the magnitude of the case and prepare enough evidence.

Digital evidence admissibility

For the data to be accepted in court, it must meet technical and legal requirements. For the digital evidence to be received in courts of law, the court will assess the legal authority to conduct the investigation and collect data, the technology used, authenticity, integrity, and reliability of the data collected that was processed to evidence. Antwi-Boasiako and Venter (2017), in their study, developed criteria used to determine data admissibility, which is the Harmonized Model for Digital Evidence Admissibility Assessment (HM-DEAA). This model comprises three stages: evidence assessment, consideration, and determination.

Digital evidence assessment

At this level, the courts assess legal permissions given to investigators and technicians, such as search warranties, seizure of crime devices, and securing the crime scene. This assessment ensures that the correct procedures were followed during collection and preserving evidence to improve its integrity. In the case provided, being a government institution, such crimes must be handled by the law; hence various permission must have been given before the commencement of the investigation. In addition, the legal assessment requires the investigators and the court to access the data storage devices and other evidence collected during the study. In this case, data backups and the system’s instruments were presented and availed for the investigators to analyze them before submitting the evidence in court.

Digital evidence consideration

At this phase, the court examines the integrity of the evidence by considering the methods used in evidence collection and the technicality and expertise of those involved. An excellent digital investigation should be conducted by forensics experts who are considered more skilled that the organization’s cybersecurity team and hackers. With the case presenting a government organization under attack, the cybersecurity and forensics investigators are sourced from the expert state white hackers improving the evidence integrity. Further, these investigators are equipped with all skills and tools required to mine and analyze all the digital evidence in the case.

Digital evidence determination

At this phase, the court assesses the integrity, authenticity, and reliability of the evidence presented and determines if it can be used for the court proceeding. At this point, the organization or company that has been attacked does not influence the outcome. However, with the evidence presented showing that the systems were hacked into by an unknown group linked to a particular state, the seriousness of the situation will prompt the court to prioritize this case. If the evidence lacks integrity or is unreliable, the court will order fresh investigations.

Evidence delay implications

The evidence delay implications were due to uncertainty of the course of this case. The attack was not detected in time to stop or retrieve data immediately. Therefore, the late realization of the attack delayed the reporting and investigation. In addition, there was uncertainty about the attack as the attackers were not realized immediately and correctly identified. The uncertainty necessitated the delay in helping the authorities to gather enough evidence before forwarding the case to the law courts.

References

Antwi-Boasiako, A., & Venter, H. (2017). A model for digital evidence admissibility assessment.Advances in Digital Forensics XIII, 23-38.

Holt, T. J., Bossler, A. M., & Seigfried-Spellar, K. C. (2017). Technology and cybercrime.Cybercrime and Digital Forensics, 1-37.

I. Alghamdi, M. (2021). Digital forensics in cyber security—Recent trends, threats, and opportunities.Cybersecurity Threats with New Perspectives.

Nikkel, B. (2017). Registration data access protocol (RDAP) for digital forensic investigators. Digital Investigation, 22, 133-141.

Prayudi, Y., Ashari, A., & Priyambodo, T. K. (2020). The Framework to Support the Digital Evidence Handling: A Case Study of Procedures for the Management of Evidence in Indonesia. Journal of Cases on Information Technology, 22(3), 51-71.