Fraud in the Workplace

In many surveys, polled American workers have estimated that their employers lose from 8 to 20 percent of every revenue dollar to fraud in the workplace. Specific fraudulent acts were:

  • Theft of office items

  • Excessive expense accounts

  • Theft of inventory

  • Claiming extra hours that were not actually worked

  • Accepting kickbacks from suppliers

  • Embezzlement

  • Employers skimming untaxed and unaccounted money

  • Falsely representing financial information to stakeholders

Employees are likely to have an intimate knowledge of the organization's assets, disposition, procedures regarding accountability, and means by which such checks can be circumvented. They are members of the system and have the ability to plan and execute dishonest acts that can effectively remain undetected. Insidiously, workplace fraud uses the resources of the organization to steal from it.

Experience Note

Often, fraudsters maintain meticulous records of their misdeeds on the very workstations and servers owned by the victim of their crimes.

Fraud committed within the business is easily done through indirect means, and for that reason it is extremely difficult to detect. Employees are trusted with discretionary decisions whose abuse auditing and management are often unable to detect. For example, an accounts payable manager authorizes the purchase of supplies from a company owned by herself and her brother. Of course, she is not stealing directly from her employer, but the company is not likely receiving the best price for its money. The company loses money, the employee gains, and the misdeed is probably never going to be detected.

Experience Note

The spectrum of unlawful and unethical employee actions (committed by all levels of employees) is only limited by the employee's imagination.

Employee Fraud Controls

As in all matters concerning critical assets, prevention is much better than cure. Detecting fraud and punishing those responsible tends to be expensive and time consuming. Lying in wait for employees to commit some unlawful deed, then punishing them, is a procedure that destroys morale and disrupts legitimate business activities. Developing mechanisms and cultures to ensure that employees act ethically from the outset will go a long way in preventing fraud.

Management Functions in Fraud Control

Management sets the example of workplace behavior and fraud prevention. If managers do nothing to prevent, detect, and control fraud, no one else will either. The traditional methods of fraud control such as auditing and internal controls are capable of detecting only a portion of unlawful employee acts. Consequently, fraud prevention is an outgrowth of management conduct and perception. Managers are responsible for creating an organizational culture of integrity. If the rules are enforced equally with clear responsibilities, accountabilities, and adequate records, then the basic platform exists where employees are able to do the right thing, provided they want to do the right thing.

Experience Note

Locks exist to keep honest people honest.

There must be clear avenues for fraudulent acts to be reported. Whistleblowers must be supported to provide accurate and truthful information. Managers should draft policies and procedures where exposing fraud receives tangible bonuses, sending a clear message that fraud will not be tolerated.


In business procedures, it is essential to identify the employee responsible for specific tasks and to whom the employee reports. Accordingly, the manager must be held accountable for her staff's performance. In this fashion, whether something goes right or goes wrong, the responsible employees are known.


Records are an important part of accountability. Organizations must have the requirement of maintaining adequate records of all significant acts permitting the reconstruction of decision processes. Unless such records are generated and maintained, it may not be clear who has performed certain actions, the criteria on which the action is based, and who is responsible. The existence of adequate records provides avenues for review and auditing as well as deterring employees who might otherwise regard themselves free from accountability.

Copyrights, Trademarks, Service Marks, Patents, and Trade Secrets Comprising Intellectual Property

Copyright protection is the means by which authors establish their rights of ownership in a fixed tangible medium of expression. Authors may transfer their ownership rights to third-party owners, or it is possible that authors do not establish ownership because of contractual arrangements where the work is created by an author but owned by someone else. By copyright, an owner has basically five exclusive rights of the copyrighted work including:

  1. Right of reproduction. The work's owner has the exclusive right to determine duplication, transcription, and imitations of the work.

  2. Right of modification. The work's owner has the exclusive right to modify the work, thereby creating a new work. Legally, a work that is a modification of an original work is known as a derivative work.

  3. Right of distribution. This is the right to determine the distribution of copies, including derivative works, to the public by sale, leasing, lending, or rental.

  4. Right of public performance. This is the right to play, dance, recite, act, or display the work at public places, and to transmit the work to the public. In the case of audiovisual works such as movies, showing a movie is considered a public display.

  5. Right of public display. A right connected to public performance, under which the copyright owner controls the showing of a copy of the work, whether directly or by means of film or electronic transmission.

The copyright owner's rights are subject to a number of legal exceptions and limitations giving others the right to make limited use of a copyrighted item. Here are a few of the major exceptions:

  • Ideas and concepts. Copyright laws only protect against the taking of a protected work's "expression" in an unauthorized fashion. Copyright does not include the copyrighted work's processes, procedures, ideas, concepts, discoveries, and methods of operation.

  • Originality. A work's facts are not considered protected under copyright. Regardless of the measure of effort expended by the author or owner, copyright protects the work's originality only.

  • Separate and independent creation. Copyright does not protect against someone else, working independently, creating an exact duplicate of a copyrighted work. Independent creation of an analogous, identical, or similar work does not violate the owner's rights.

  • Fair use of copyrighted works. Using works under fair use is limited to criticism, news reporting, teaching, comment, scholarship, and research. Such use is not considered an infringement of the work's copyright. By virtue of the copyright, a work's owner is deemed to have consented to the use of their works by others within fair-use constraints.

Works that Can Be Copyrighted

Copyright laws protect the rights of ownership, grouping works into the following general categories:

  • Literary works, which may consist of novels, nonfiction works, poetry, newspaper articles, magazines and magazine articles, computer software, software documentation, applicable software manuals, catalogs, training manuals, manuals, advertisements, and brochures

  • Dramatic pieces such as plays, theater productions, and operas

  • Musical works such as songs and instrumentals

  • Movies and other audiovisual pieces, including movies, training films, documentaries, television programs, news programs, movie and television advertisements, video games, and interactive productions

  • Choreographic works such as ballet, dances, and mime

  • Graphic, pictorial, and sculptural works such as paintings, drawings, photographs, posters, works of fine art, display advertisements, graphic art productions, cartoon characters, statues, and toys

  • Architectural works including building designs, plans, drawings, and the building itself

Copyright Protection

Interestingly, copyright protection arises automatically when an original work is fixed in a tangible medium of expression. Registering the work with the Copyright Office is optional but must be completed before an infringement suit is filed. Copyright marking may take any of these forms:

  • The symbol © followed by a date and name

  • The word "Copyright" followed by a date and name

  • The abbreviation "Copr" followed by a date and name

Duration of Copyright Protection

Currently, the effective term for copyrighted works created by individuals is the life of the author plus an additional 70 years. The period of copyright protection applying to works for hire is 95 years from the date of publication or 120 years from the date of first publication, whichever date is sooner.

Copyright Infringement

Copyright infringement is basically defined as violating any of the exclusive rights granted to the copyrighted work's owner. Copyright owners can recover actual and punitive damages resulting from infringement as well as reporting violations considered criminal. Federal district courts have the power to restrain infringers and order the seizure (impoundment) and destruction of illicit copies. Disputes over copyright ownership are civil matters and are settled through legal proceedings.

Criminal Actions in Copyright Cases

Federal criminal laws address copyright infringers, who may be prosecuted under 17 U.S. Code 506 and 18 U.S. Code 2319. Elements of these laws include any person infringing a copyright for the purpose of commercial or private gain by the reproduction or distribution of copyrighted works having a total retail value of more than $1,000.

Title 17, Section 506 specifies that evidence that a person reproduced or distributed a copyrighted work is not, by itself, sufficient to establish willful infringement.

Experience Note

Judging from the criminal matters that have been prosecuted and adjudicated, there appears to be a need for financial gain motive before prosecution will move forward.

Criminal Copyright Forfeiture

Individuals who are criminally convicted for copyright violations may suffer additional punishment under legal provisions, including the forfeiture and destruction or other disposition of all infringing copies (more statute information is available at and

Copyright matters are resolved by civil suits against the defendants, with the objective of a financial settlement, and by criminal prosecution.

Works that Cannot Be Copyrighted

Works created by federal government employees as part of their official duties cannot be protected by copyright. For this reason, policies, procedures, laws, discussions, presentations, and related items originating with government agencies are not protected as copyrighted works. Consequently, these works are usually considered part of the public domain. Federal government employees may copyright works they produce on their own time but not those done as part of their official duties. By contrast, employees of state and local governments may copyright works they produce as part of their official duties.

Trademarks and Service Marks Protection

Trademarks and service marks are words, symbols, or other unique devices used by manufacturers to identify their goods and services, distinguishing them from similar goods and services sold by others. Trademarks are customarily used for goods, while service marks are used for services. When registered, they may not be used or displayed without consent of the mark's owner.

Trademarks and service marks are protected under the federal trademark statute, known as the Lanham Act.

Criminal Prosecution for Trafficking in Counterfeit Goods or Services

Under the provisions of 18 U.S. Code 2320, it is prohibited for a person or persons to traffic in goods or services that are identified by identical or substantially indistinguishable marks registered with the U.S. Patent and Trademark Office. This law protects the mark's owners from those that would produce like or similar marks for their goods and services.

Anyone criminally convicted of this crime, depending on the facts and circumstances, could receive a maximum prison sentence of not more than 10 years and a fine of not more than $2 million; if the defendant is other than an individual (such as a business), the fine could go as high as $5 million.

Protected Works

There are many types of trademarks that can be protected; for example, "Dell" is a registered trademark of Dell Computer Corporation, "IBM" is the registered trademark for International Business Machines Corporation, etc. Sounds, jingles, and shapes can also be registered as trademarks; for example, the music introducing the "Today Show," the shape of the Coca Cola bottle, or the Bar and Shield logo for Harley-Davidson Motorcycles.

Trademark protection is extendable to words, names, symbols, or unique devices distinguishing the goods and services offered by an owner from those offered by others. Basically, a term that merely identifies a class of goods or services is not going to qualify for protection. Trademarks and service marks must apply to specific goods or services and not to general classes. For example, the term "fishing rods" describes a class of instrument used for catching fish, whereas "Browning fly-rod" distinguishes the manufacturer and type of fishing rod.

Trademark and Service Mark Protection

Trademark and service mark protection is obtained by filing a registration application with the U.S. Patent and Trademark Office.

Protection under federal law is applicable to marks actually used, or intended to be used, in interstate commerce. In the case of federally registered trademarks or service marks, the use of public mark registration notice is optional. Registered trademark owners may provide symbolic or other type of notice indicating their trademark is registered by displaying the words, "Registered in the U.S. Patent and Trademark Office" or by merely displaying the ® symbol.

Trademark and service mark rights in the case of a federal registration can last indefinitely, provided the owner continues to use the mark on or in connection with goods or services and files the necessary documentation with the U.S. Patent and Trademark Office. Registration forms and filing times for marks are available at the U.S. Patent and Trademark Office Web site.

Federal trademark and service mark registrations actually remain in effect for 10 years, on the condition that an affidavit of continued commercial use is filed with the U.S. Patent and Trademark Office in the sixth year of the registration. Mark registrations may be renewed for an indefinite number of 10-year terms, provided the mark continues to be in commercial use.

Trademark and Service Mark Ownership

Owning a registered mark provides several protections to owners:

  • Exclusive commercial and private use of marks identifying specific goods and services as belonging to a particular organization or person

  • Notice to the public of the mark's ownership

  • Ability to enforce the mark's ownership through civil action in federal district court

  • Use of the federal registration as a basis to obtain registration in foreign countries

  • Ability to file the U.S. registration with the U.S. Customs Service to prevent importation of goods bearing infringing marks

Public Notification

Any time claims are made to a mark, the symbols TM or SM may be used to alert the public to the mark's claim, registered or not. However, the ® symbol may only be used after the mark is officially registered and only with goods and services listed in the federal trademark registration.

Internet Domain Names and Registered Marks

Domain names are the mechanism by which many private and public computer systems are located and reached. Forming a computer network requires two basic elements: two or more computers connected together, and a common language or protocol allowing them to exchange information. Domain names are important to information providers because they offer a user-friendly name in place of a numeric address for connecting information seekers to information providers.

In short, regardless of the nature of the system, information cannot be exchanged easily through e-mail, newsgroups, instant messaging services, chat rooms, or the Web without domain names. Procuring a domain name for the Internet is as basic as contacting a registration authority (commonly known as a domain name registrar), determining that the desired domain name is not already registered, filing a domain name registration application, and paying the registration fee. Registration ensures that only one party can "own" the domain name at a time. And as long as the registrant pays the registration fees, he will continue to own that domain name indefinitely.

In the world of the Internet, if the information provider is a commercial entity, then its domain name will be significantly more effective if it is the same as or similar to its registered marks. However, it is often discovered that someone has already registered a domain name corresponding to a business's trademark, preventing the business from owning it. What recourse does a business have when it discovers that its domain name is unavailable for ownership or use? Should there be a regulation or law allowing the trademark owner to own a domain name corresponding to its trademark when that name has been registered to someone else?

Acquiring exclusive trademark rights is as simple as using the trademark in commerce. Using trademarks or service marks, without registration, entitles users to common law trademark ownership. This type of trademark right extends only to the market boundaries where the mark's owner has actually used the mark.

Owners can obtain broader ownership rights by registering marks with the U.S. Patent and Trademark Office where the mark's exclusive use in a broad marketplace is guaranteed by federal registration.

Primarily, trademark rights are granted to protect the public from confusion about goods and services sold in the marketplace. Consequently, if it is discovered that someone other than the trademark's owner is using a trademark, causing confusion in the marketplace, the owner is able to file suit for infringement. An interesting case develops when similar trademarks are used for different goods or similar trademarks are used in separate geographical areas. Here, it is supposed there exists a small chance the public will be confused; consequently, both trademarks may be used simultaneously.

With the Internet, the situation for registered and unregistered marks changes in a way that could not have existed a few years ago. Because the Internet allows virtually anyone to access goods, products, and services spanning all types of trade channels, it is possible that a significant degree of confusion exists between, say, Porsche automobiles and Porsche umbrellas.


Enter the cybersquatters as factors in domain registration. These are people who register trademarks as a domain name for the purpose of selling it to the owner of the trademark. They have little, if any, intention of using the domain name in commerce. Many organizations and businesses have paid significant amounts of money to buy domain names containing their trademarks from cybersquatters who registered the domain name before the rightful owners were able to do so. Domain name registrars simply do not require registrants to show that there is any connection to the specific domain name. For example, in 1998, Compaq paid about $3 million for the domain name "" that was registered to someone other than Compaq, according to the Wall Street Journal, July 29, 1998.

Cybersquatting is generally identified by two basic elements:

  1. Presence of a unique and famous trademark

  2. Registration of a related domain name

In the event these cybersquatting elements are not present, a traditional trademark infringement assessment is pursued, looking at the uniqueness of the trademark to:

  • Determine if the domain name is being used as a trademark or service mark

  • Determine if the mark is legally protected

  • Determine if the registered domain name results in a likelihood of consumer confusion between the domain name and the mark

There are organizations and famous individuals that choose to fight rather than pay for their namesake. For example, Panavision International was one of the first companies to sue and successfully prevail against a cybersquatter for diluting its trademark (Panavision International, L.P. v. Toeppen, 141 F.3d 1316, 9th Circuit, 1998).

Cybersquatter-Victim Protection

With potential confusion looming about domain names and mark owners, there are two avenues for addressing cybersquatters: a civil one, the Anticybersquatting Consumer Protection Act (15 U.S. Code 1125), and an administrative one.

Administratively, domain name conflicts can be resolved through ICANN (Internet Corporation for Assigned Names and Numbers) and its Uniform Domain Name Dispute Resolution Policy, available at

The Anticybersquatting Act, signed into law in November 1999, provides a basis for civil actions charging defendants with trademark infringement when domain names are in dispute. The mark's owner, as plaintiff, must prove that the cybersquatter who registered the domain name infringed on the mark and exhibited bad faith, intending to profit from the sale of the domain registration. Factors weighed in establishing bad faith on the part of the cybersquatter are:

  • Determine any intellectual property rights the domain name registrant has with regard to the domain name

  • Determine the use of the domain name in the sale of goods or services on the part of the registrant

  • Determine the domain name owner's intention to divert consumers from the plaintiff's Web site

  • Determine the domain name owner's intention to dilute or tarnish the value of the trademark by confusing consumers

  • Determine domain name registrant's efforts to sell or assign the domain name for financial gain without having used it for bona fide purposes

In 1999, ICANN approved the Uniform Domain Name Dispute Resolution Policy providing a procedure for resolving domain name disputes. This is an administrative procedure and not a judicial one. To be successful, complainants must:

  • Identify how the domain name is identical or sufficiently confusing with respect to the mark in question

  • Identify that the domain name owner has no legitimate interest in the name

  • Identify why the domain name should be considered as having been registered in bad faith

All domain name registration agencies are bound by this policy, and all registrants agree when applying to register a domain name or renewing a domain name registration. The domain name registrant warrants or agrees to the following:

  • Information made in the Registration Agreement is complete and accurate

  • Domain name registration will not infringe upon or otherwise violate the rights of any third party

  • Domain name is not being registered for any unlawful purpose

  • Domain name registration is not in violation of applicable laws or regulations

  • It is the responsibility of the registrant to determine if the domain name registration infringes or violates another's rights

The Uniform Domain Name Dispute Resolution Policy considers bad faith registration as the registration of the domain name primarily for the purpose of selling, renting, or transferring the domain name to the trademark's owner. Administration of this dispute policy is usually completed in roughly six weeks with fees approximating $1,000. If the complainant is successful, the domain name registrar (domain name registration agency) will either disconnect the domain name or transfer it to the complainant.

Complainants must allege facts and circumstances focused in the following areas:

  • The domain name in question is identical or confusingly similar to a trademark or service mark in which the complainant has legitimate rights

  • The domain name registrant has no rights with respect to the domain name

  • The domain name has been registered and is being used in bad faith

Victims of cybersquatting can select between remedies based in federal civil law and those administered by ICANN. Actions filed under the Anticybersquatting Act permit victims to sue defendants for infringement, unfair competition, and mark dilution. Remedies available under this law include but are not limited to:

  • Actual damages

  • Punitive damages

  • Attorney's fees

  • Injunction against defendants pending the resolution of claims

ICANN's Domain Name Dispute Policy provides a measure of conflict resolution by canceling the registrant's domain name or transferring the domain name to the successful claimant. Of course, the resolution must be supported by evidence before the arbitration board. ICANN's policy process is significantly more economical and expedient than civil actions filed under the federal statute and yet does not preclude future legal action against the domain name registrant.

Patent Protections

Patents are issued only by the U.S. Patent and Trademark Office, as individual states are prohibited from granting them. Patents are basically property rights granted to an invention's owner. In the language of the Patent Act, the grant confers the right to exclude others from making, using, offering for sale, or selling the invention in the United States, or from importing similar inventions into the United States.

Patents protecting inventions are known as utility patents, while patents protecting ornamental designs for articles of manufacture are known as design patents. Utility patents cover any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement of one.

Inventions may be electrical, mechanical, biological, or chemical. Internet-related inventions such as interfaces, networking protocols, information retrieval methods, and encryption might be protected by utility patents.

Qualifications for Design Patents

In order to be granted a design patent, the invention must be new, original, and ornamental. Design patents are limited to the ornamental appearance of an item and little more.

Qualifications for Utility Patents

Utility patents are granted for inventions that are new, useful, and not obvious. To qualify, the invention must not have been known or used by others in the United States before the patent is applied for. Utility patents are granted for unique devices that add to the public's knowledge and are useful to society. Inventions must be sufficiently distinct from currently existing technology and must not be obvious to a person of ordinary skill in the invention's field.

"Firstest with the Mostest"

The inventor who actually invents the claimed item, not the inventor who files first for the patent, becomes the patent owner. This is a significant departure from many other countries that have the first-to-patent rule granting the patent to the first inventor to file for an invention's patent.

Utility patents are difficult to obtain in the United States. If an invention meets the levels of uniqueness, usefulness, and lack of obviousness, a patent may not be granted if the invention was described more than a year before the actual patent application date. This also applies to inventions in public use or sale in the United States for more than one year before the patent application date.

Filing for Patent Protection

Before filing a patent application, there are several considerations to weigh. Although individuals without specialized training and experience can file a patent application, the process is expensive and time consuming, generally taking two years or more. In applying for patents, it is highly recommended that patent attorneys and patent agents (persons who have passed Patent Office examinations) be used in the process to avoid pitfalls and unnecessary delays.

Patent Ownership

Patent owners have the right to exclude others from manufacturing, selling or offering for sale, using, or importing a similar item into the United States. This exclusive right lasts for the term of the patent. Anyone who violates these ownership rights is deemed an infringer.

Patent Terms

Current laws allow utility patents to be granted for a period of 20 years from the date the patent's application was filed.

Patent Validity

Patents might be subject to legal challenges arising from infringement allegations. Defendants in infringement suits commonly question the patent's validity by alleging that the patented invention was not sufficiently novel, was obvious, or belongs to someone else.

Trade Secrets

Trade secrets are basically defined as information that is valuable and maintained as secret. To qualify as trade secrets, information must be preserved as secret by the owner having taken reasonable steps to keep it from general knowledge.

Protected Trade Secrets

These are some types of business and technical information that are protected by trade secret laws:

the term trade secret means all forms and types of financial, business, scientific, technical, economic, or engineering information, including patterns, plans, compilations, program devices, formulas, designs, prototypes, methods, techniques, processes, procedures, programs, or codes, whether tangible or intangible, and whether (or how) stored, compiled, or memorialized physically, electronically, graphically, photographically, or in writing.

— 18 U.S. Code 1839

The statute also requires that the trade secret have an owner, and that the owner have taken reasonable steps to keep the information secret:

the owner thereof has taken reasonable measures to keep such information secret; and (B) the information derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable through proper means by, the public; and (4) the term "owner," with respect to a trade secret, means the person or entity in whom or in which rightful legal or equitable title to, or license in, the trade secret is reposed.

— 18 U.S. Code 1839

There are generally some factors that are considered to determine whether or not information qualifies as a trade secret:

  • Extent to which the secret is known outside the owner's business

  • Extent to which the secret is known by the owner's employees

  • Specific measures taken by the owner guarding the information's secrecy

  • Value of the secret to the secret's owner and the owner's competitors

  • Ease at which the secret could be acquired from the secret's owner

There are two federal criminal statutes that apply to the theft of trade secrets; one applies to the theft of trade secrets by a foreign government or its agents (18 U.S. Code 1831), and the other applies to the theft of trade secrets by individuals and their co-conspirators (18 U.S. Code 1832). In both statutes, the theft of trade secrets is contingent upon the following elements:

  • Whether the entity stealing the trade secret is a foreign government or an individual

  • Whether the trade secret was stolen, copied, destroyed, etc.

  • Whether the trade secret is received by an individual or foreign government

  • In the case of trade secret theft (18 U.S. Code 1832), whether the trade secret is produced or included in a product placed in interstate or foreign commerce

Criminal Forfeiture

Individuals convicted of violating either of these trade secret criminal statutes can also suffer the forfeiture of property, as provided in 18 U.S. Code 1834:

The court, in imposing sentence on a person for a violation of this chapter, shall order, in addition to any other sentence imposed, that the person forfeit to the United States

  1. any property constituting, or derived from, any proceeds the person obtained, directly or indirectly, as the result of such violation; and

  2. any of the person's property used, or intended to be used, in any manner or part, to commit or facilitate the commission of such violation, if the court in its discretion so determines, taking into consideration the nature, scope, and proportionality of the use of the property in the offense.

  (b) Property subject to forfeiture under this section, any seizure and disposition thereof, and any administrative or judicial proceeding in relation thereto, shall be governed by section 413 of the Comprehensive Drug Abuse Prevention and Control Act of 1970 (21 U.S. Code 853), except for subsections (d) and (j) of such section, which shall not apply to forfeitures under this section.

Obtaining Trade Secrets Protection

Trade secrets protection automatically attaches when the information belonging to the owner is kept secret. Secret owners are not required to register or notify anyone with regard to their information. Trade secret owners have the right to see that civil and criminal actions are brought for misappropriation or unauthorized use of their trade secret. Trade secrets protection, under the law, lasts as long as the owner engages in security measures protecting it from general knowledge. However, the owner loses protection if she fails to take reasonable steps to keep the trade secret concealed.

Interestingly, discovery of trade secret information by means of independent research or by means of reverse engineering is not legally considered theft or misappropriation. On another note, if an employee leaves her employment with knowledge of trade secrets, and does not have any binding agreements barring her disclosure of the protected information, then she may disclose it to her new employer.

Common Types of Unlawful Acts

In many cases, computer crimes do not involve attacks in the popular sense. Most administrators tend to think of system attacks originating with someone gaining access to a system by breaching outside fortifications. The truth of the matter is that most successful attacks are "inside jobs." The exact numbers depend on the survey or data, but they all state that the most successful and devastating attacks originate within the target organization. Employees, contractors, and former employees use their knowledge of the employer's systems to gain unauthorized access and wreak havoc. Often these acts include theft or denial-of-service attacks, destruction or modification of sensitive data, trafficking in software piracy, and theft of trade secrets and intellectual property. Following is a list of terms with which you should be familiar:

Collection and analysis of illicitly obtained information.

Trade secret
Plan, concept, prototype, information, or property that has value by providing a business advantage over competitors who do not have the secret.

Corporate espionage
Theft of trade secrets for economic gain.

Intellectual property
Any product of the human intellect that is unique or novel, having some value in the marketplace. Intellectual property is protected by patent, copyright, trademark, service mark, or trade secret.

Cyber terrorism
Unlawful use of force against persons or property to intimidate a government or a civilian population in furtherance of political or social objectives. Acts of terrorism usually have the goal of disrupting the public's faith in their institutions.

Economic espionage
Illicit collection of information, sponsored by a foreign government for economic advantage.

CIRT Composition: What Kind of Skills and Talent Do I Need for a CIRT?

CIRT core membership should include the senior manager sponsor, IT security program manager, representatives from the legal counsel unit, public relations unit, human resources unit, and the CIRT manager. The CIRT manager should be a senior employee who has significant knowledge of the organization's operations and is capable of making sound business decisions.

The IT program manager is the head of the organization's IT security program and might double as the CIRT manager. In the case of a critical incident spanning regions or countries, one IT critical incident manager should be named for each office with all strategic efforts coordinated at the headquarters level. This representative will be responsible for tactical decisions, triage functions, and local resource deployment. It is the IT security program manager, with senior manager's approval, that is responsible for authorizing any release of information about the incident to the press. However, the program manager should not be the individual disclosing information to the press. A public relations unit employee should make contacts with the press. Delegating press responsibility relieves the program manager from having to evade sensitive questions or even having to lie to the press corps. Regardless, the public relations unit is going to be the place where the institutional knowledge and experience in this area is going to be found.

Legal Unit

Activating the CIRT requires an opinion from senior managers and specifically from the legal unit representative who is knowledgeable about the relevant laws dealing with the organization and its functions, intellectual property, information security, and privacy. In the case of CIRT deployment, it is the legal unit's responsibility to ensure that the CIRT does not violate laws and regulations while responding to a critical incident. Knowledgeable and experienced legal advice becomes particularly important when CIRTs are directed to follow attackers with the objectives of locating, identifying, and assisting in apprehending and prosecuting them. Legal representatives must be more than attorneys with general knowledge; they must possess a thorough understanding of information technology, business functions, and civil, administrative, and criminal matters. Through their participation on the CIRT core, they must initiate and develop relationships with law enforcement and regulatory authorities and with professional support groups such as NIPC and InfraGard. Often, this employee will serve as the primary contact for law enforcement.

Public Relations

Depending on the organization's size and funding, having a public relations unit representative is a decided advantage. This employee addresses all media requests for information and similarly handles authorized press releases. It is expected this employee will have developed relationships with media organizations as well as specific news agency representatives.

Human Resources Unit

A senior representative from the human resources unit must be part of the CIRT core. This person ensures that the CIRT team's response efforts do not violate employees' rights. Also, this person will make certain that appropriate disciplinary standards are applied should an employee be found to be the source of a critical incident. In the event an employee is an unwitting part of an attack, or if the employee is a victim, certain rights might be granted within the scope of their employment. The human resources unit representative is responsible for seeing that an employee's reasonable expectation of privacy is respected or knowing whether an employee is entitled to union representation in the event of an interview.

IT Investigative, Analysis, and Forensic Experts

These CIRT members ensure that the response is performed in a methodical and deliberate fashion, making certain all relevant evidence is properly collected, preserved, and introduced at legal proceedings. CIRTs require their members to participate in addressing crises on an as-needed basis. Key participants should consist of IT security officers, systems administrators, telecommunications equipment specialists, database managers, engineers/software developers, and of course, systems owners.

IT Security Officers

Most organizations have individuals assigned full- or part-time to ensuring the security of systems. Often this employee performs duties in support of auditors, making certain the IT units are in compliance with the organization's policies, procedures, and standards. This employee helps in addressing attacks by knowing how the system was installed and configured before the attack. She will also be the person who provides CIRT with access and interpretation of logs.

Systems Administrators

These employees are the "bread-and-butter" individuals responsible for the day-to-day operation of the system, including hardware, software, and employee interaction with the system. Systems administrators should have in-depth knowledge of the function of the system's hardware, operations, and configurations. Depending on the organization, its culture and function, the systems administrators can provide immeasurable assistance to the CIRT.

Telecommunications Specialists

These employees are the ones who are most knowledgeable about the integration of the various components of the telephone and network border systems, including installation, security, configuration, and operation. Systems administrators sometimes perform this function in smaller organizations. These employees have intimate knowledge of the interaction between the various hardware/software components, cabling, telephone lines, PBXs, terminal equipment, routers, firewalls, gateways, and protocols like X.25 or Frame Relay. They are usually responsible for developing relationships with communications carriers including the interaction between the organization and the carrier's equipment.

Database Managers

Most organizations dealing with substantial amounts of data will employ database managers and administrators. These are the employees who have the responsibility of maintaining the integrity of the database; assessing the impact of proposed changes; and in the event of an attack, determining the effects of deletions, modifications, or additions.

Engineers/Software Developers

These employees have knowledge of the system's platforms and applications and how they interact with the hardware. They are the employees who know whether the system is running according to design specifications.

System Owners

It is imperative that the systems owners be part of the CIRT, as it is their responsibility to see that the system personnel, data, and facilities are functioning effectively and efficiently. Owners should know the emergency response/recovery plans and their execution. They will be fully aware of backup and restoration procedures as well as equipment redundancies. Ultimately, the owners are responsible to the other stakeholders and will have to answer questions regarding the attack, including its effect on critical assets.

CIRT Management Skills

Possessing well-developed management skills is the single most desirable attribute the CIRT team leader can have. When a critical incident arrives, it is incumbent on the CIRT manager to ensure the team has the requisite skills, resources, training, experience, motivation, and attitude. Managing a CIRT is not really very different from managing any business unit that is populated by field-specific experts. CIRT managers do not need to have great technical proficiency, but on the other hand, they should have sufficient knowledge to make qualified decisions concerning team priorities and tactical deployments.

Technical Skills

Technical skills are absolutely essential in determining CIRT's efficiency and effectiveness. There is also a matter of the team's credibility. If the team does not earn a reputation for being able to handle emergencies, they will not be contacted for help and no one will listen to their warnings or advice. CIRT's technical skills should span relevant operating systems (UNIX, Linux, Windows, etc.); networking skills; programming languages such as C++, Perl, Java, XML, and HTML; and hardware equipment such as firewall appliances, routers, etc. Electrical engineering experience is a plus.

Staffing CIRTs with professionals who have skills in all relevant areas is extremely difficult and expensive. Such employees are going to command high salaries and are probably out of reach of most organizations. If this is not within the organization's budget, find individuals who have expertise in one or more areas and task them to work as a team. Teams, permanent and ad hoc, are composed of employees having key skills who mentor others in developing new skills. Foster a team culture of mutual dependence and spirit; it will pay dividends in the future.

Team Skills

These skills are vital in the CIRT's successful operation. Team skills are focused on:

  • Having a common vision of the job to be done

  • Division of responsibilities

  • Ability to see the next item to be done without prompting

  • Knowing when to tell and when to ask

  • Knowing when the task exceeds an individual's skills resulting in getting help from another team member

Developing team skills is a direct result of management skills, so good managers tend to engender good team skills.

Communication Skills

Team members must be able to cooperate and communicate with coworkers as well as write and deliver effective formal presentations. If no employees have technical writing skills, consider hiring technical writers to supplement team skills. Communication skills are so vital to CIRT's success that if they are absent, it is very possible that no amount of technical ability will compensate.

People Skills

In the event of a critical incident response, people skills are some of the most vital skills in the tool bag. There must be a dedicated team spirit in a CIRT when responding to critical incidents. Tempers, egos, and poor judgment cannot coexist in this type of teamwork environment. Being able to get along with team members as well as serving constituents are key elements in successfully addressing emergencies. At times, technical experts gain reputations as being difficult to work with; consequently, gathering team members with people skills can be challenging. In the arena of responding to critical incidents, team members must be adept at soothing a manager's bruised ego or an embarrassed administrator as they go about their work. Casting disparaging remarks about the employees that are responsible for day-to-day system operation certainly does not gain respect.

Incident Reporting

Along with the policy that potential or suspected critical incidents must be reported to the function-point, organizations must develop a standard for reporting emergencies that must be formalized as part of their response procedure. This procedure should include a standard checklist where critical information is elicited from the person reporting the incident.

Experience Note

Do not get excited when fielding a complaint call. Do not request information that really does not have any bearing on the matter at hand; get to the point and collect enough information allowing a requirements assessment to take place and nothing more.

Here is an example of a proposed incident questionnaire:

  • Date of the report. Obtain from the person reporting the incident the time, date, and place the incident was first noticed.

  • Duration of the incident. How long did the incident last and what were the indications that something had happened?

  • What was the name of the system being attacked?

  • Where is the system located?

  • What is the operating system and affected applications?

  • What was the data stored on the system?

  • What was the sensitivity level of the data?

  • Provide a detailed description of the incident.

  • How widespread is the knowledge of the attack and its details?

  • What are the implications of the incident, including adverse effects on the organization?

  • Incident reporter's identity, contact information, and emergency contact information for supervisor, senior manager, and system owner.

Incident reporting should be made directly to the organization's function-point, which acts as the incident screener and information collector. This employee, or business unit, collects the basic information and determines whether the report should receive a formal CIRT response or be treated as a system anomaly. The information collection form might serve as the front-end of an incident database by tracking incident frequency, systems affected, response posture, and improvements.

What Should I Do if I Have Been Hit?

What organizations do in the face of crisis is determined by:

  • Type of critical incident

  • Its impact

  • Anticipated legal actions

  • Best way to return to normal operations

In essence, there are two tracks to follow when responding to incidents: one requires careful and detailed coordination where evidence is collected and preserved. The other track is guided by the overarching philosophy of "let's restore operations as soon as possible and do not worry about evidence."

Response Steps for Legal Actions

In following the "locate and prosecute to the Nth degree" track, these are the basic measures to follow:

  • Determine if the emergency is a real incident. This is the most important step for the employee acting as the function-point to take. If there truly is an attack under way, immediate and decisive action is warranted, but if there is merely something developed as a result of a user-error, then administrators should be told to take appropriate action.

  • If there is a qualified opinion made by the function-point, terminate the attack immediately. The CIRT or a CIRT-directed effort must halt any further damage from occurring to the system's elements. There can be a lot of discussion regarding this step, but the CIRT's actions must be guided by three priorities: personnel, data, and physical facilities. Any attack affecting the confidentiality, integrity, or availability of critical assets must receive immediate attention. Given that terminating an attacker while engaged in a "live" attack will probably result in the loss of some potential evidence, senior managers must decide on policies that terminate attacks first, preserving operations, and treat evidence collection as a secondary matter.

  • If there has been a decision to pursue the attacker, with advice of legal counsel, law enforcement authorities must be advised as soon as possible.

  • In most cases, law enforcement agencies will not assume responsibility for taking over the emergency. That obligation rests fully with the organization. Rather, officers will work with CIRT members in the investigation and collection of evidence necessary for criminal prosecutions. Depending on the agency and its policies, copies of evidence collected by officers may or may not be provided to the organization's CIRT. Make certain that there are no misunderstandings when officers arrive at the scene.

  • For many departments, copies of evidence collected by law officers cannot be provided to the CIRT as a matter of policy. There are many reasons for this policy:

    • Officers collecting evidence can be compelled to testify at civil and administrative hearings where the department does not have an interest.

    • Officers may provide testimony in these proceedings that could later be used to impeach their testimony at criminal proceedings.

    • Departments do not have the resources to provide copies to the organization.

  • Collecting evidence for the organization's own purposes remains the organization's responsibility.

  • Any legal actions taken or anticipated on the part of the organization should be coordinated with law officers. Failure to do so may have a quelling effect on their criminal prosecution and result in damage to the law officer-organization relationship.

  • CIRTs must document each action taken, including the date, time, place, system name, application, operating system, and who participated. Experienced CIRT members often follow the two-employee rule: any action is observed and documented by at least two persons. The reason for the two-person rule is to lessen legal challenges. All notes are considered evidentiary and must be preserved as such.

  • Isolate compromised systems from the network. This is one of those initial steps limiting the proliferation of any damage. Taking systems offline is a judgment call on the part of senior managers. Depending on circumstances such as systems redundancy, equipment availability, program availability, and personnel resources, determine if this is a step where affected systems are forensically duplicated and returned to service or not. This is another one of those items to discuss with law enforcement officers as they may wish to collect the forensic copies themselves, and if the organization has qualified employees, they might be directed to create forensic copies and deliver them later to the officers.

  • Discover how the attacker gained access to the affected systems. Secure the attacker's access points on all unaffected systems first, then secure the affected systems as a matter of response priorities. It is imperative that the point of attack is discovered and closed. Many times the easiest way to detect the points of entry is to compare the affected systems with "clean" systems.

  • There are experts that insist on directing the attacker to a secure system where her attack process can be captured and studied. These processes are frequently known as "honeypots." While honeypots provide a lot of material for study and vulnerability analysis, their value must be weighed very carefully.

  • CIRTs must document the state of the compromised systems. Maintaining a system state log is important, memorializing whether the system is in production, offline, ready to be restored to production, or replaced by a redundant system.

  • Restore the victim-systems to productivity. After locating the point of entry, compare the attacked systems with the last known system-state unaffected by attacks.

    Experience Note

    Several years ago, attackers successfully invaded systems by exploiting documented vulnerabilities that were unpatched. On gaining unauthorized access, they installed backdoors, then downloaded updates and patched the systems. By doing this, they precluded others from invading the same systems. The organization was oblivious to the updates and the attack.

  • CIRTs should document their time, resource costs, and expenditures. The cost of responding, restoring, and business resumption can form the damage-basis for civil actions in the way of estimated damages along with the cost of the equipment, revenue losses, and employee-time losses. These accumulated costs can have a significant impact during criminal trials and sentencing. Many jurisdictions establish the degree of culpability, length of sentence, and victim restitution based on costs resulting from the defendant's actions.

  • CIRT members must secure all affected systems' logs, audits, notes, documentation, and any other relevant evidence created or collected at the time of the incident. The evidence collection process actually has its beginning the moment the attack begins and does not cease until litigation is completed. All evidence must be documented as part of a chain of custody schedule, with a copy of this document accompanying evidence items at all times. Err on the side of caution: evidence should be catalogued on a chain of custody schedule, and even the schedule itself is regarded as part of the evidence package.

  • After-action briefings. This is the presentation made to senior managers where they are briefed about the incident, effects, CIRT actions, legal actions, restoration, and current systems status. In this briefing, senior managers deliver their views about CIRT's efforts, expectations, and results. At this time, it is common for CIRT's constituents to have their say. This is not the place for injured egos and hurt feelings; CIRTs should consider any and all criticisms or praise in the spirit of accomplishment or improvement.

  • Postmortem. The CIRT members including full-timers, part-timers, and ad hoc members attend this meeting. Depending on the sensitivity of the discussions, outsiders who participated in the critical incident response should be in attendance. The purpose of this meeting is for CIRT members to critically analyze their performance and deliverables.
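The documentation, two-person rule and chain-of-custody steps above, carried into a small case file as an added example (not code from the original text): every logged action names a separate observer, every evidence item is hashed when collected, and the serialized schedule is hashed so that it becomes part of the evidence package itself. The case id, names, timestamps and the log line are constructed sample values.

```python
# Added example (not from the original text): two-person action log and
# chain-of-custody schedule. Names, timestamps and evidence bytes are constructed.
import hashlib
import json
from dataclasses import asdict, dataclass, field

@dataclass
class ActionEntry:
    """One documented action: date/time, place, system, who did it, who saw it."""
    when: str
    place: str
    system_name: str
    application: str
    operating_system: str
    action: str
    performed_by: str
    observed_by: str

@dataclass
class CustodyEvent:
    """One handling step for an evidence item; the witness makes it two-person."""
    when: str
    step: str          # "collected", "transferred", "sealed", ...
    from_person: str
    to_person: str
    witness: str

@dataclass
class EvidenceItem:
    item_id: str
    description: str
    system_name: str
    content_hash: str  # SHA-256 of the data, taken at collection time
    events: list[CustodyEvent] = field(default_factory=list)

    def record(self, event: CustodyEvent) -> None:
        if event.witness in (event.from_person, event.to_person):
            raise ValueError("witness must be a third person")
        self.events.append(event)

    def custody_unbroken(self) -> bool:
        """Every transfer must start with whoever held the item last."""
        holder = None
        for ev in self.events:
            if holder is not None and ev.from_person != holder:
                return False
            holder = ev.to_person
        return holder is not None

class CaseFile:
    def __init__(self, case_id: str) -> None:
        self.case_id = case_id
        self.actions: list[ActionEntry] = []
        self.items: dict[str, EvidenceItem] = {}

    def log_action(self, entry: ActionEntry) -> None:
        """Two-person rule: the observer must be someone other than the actor."""
        if entry.performed_by == entry.observed_by:
            raise ValueError("two-person rule: observer must differ from actor")
        self.actions.append(entry)

    def collect(self, item_id: str, description: str, system_name: str,
                data: bytes, collector: str, witness: str, when: str) -> EvidenceItem:
        """Catalogue an item the moment it is collected, hashing its contents."""
        digest = hashlib.sha256(data).hexdigest()
        item = EvidenceItem(item_id, description, system_name, digest)
        item.record(CustodyEvent(when, "collected", collector, collector, witness))
        self.items[item_id] = item
        return item

    def verify(self, item_id: str, data: bytes) -> bool:
        """Check that a copy still matches the hash taken at collection."""
        return self.items[item_id].content_hash == hashlib.sha256(data).hexdigest()

    def schedule(self) -> str:
        """Serialized chain-of-custody schedule that travels with the items."""
        doc = {"case_id": self.case_id,
               "actions": [asdict(a) for a in self.actions],
               "items": [asdict(i) for i in self.items.values()]}
        return json.dumps(doc, indent=2, sort_keys=True)

    def seal(self) -> str:
        """Hash of the schedule, so the schedule is itself part of the evidence package."""
        return hashlib.sha256(self.schedule().encode("utf-8")).hexdigest()

def build_sample_case() -> CaseFile:
    """Constructed walk-through: isolate a host, copy a log, hand it to an officer."""
    case = CaseFile("CASE-0001")
    case.log_action(ActionEntry("2024-05-02T09:15:00Z", "server room B", "web01", "httpd",
                                "Linux", "isolated host from network",
                                performed_by="A. Admin", observed_by="B. Analyst"))
    log_copy = b"2024-05-02T08:59:31Z sshd: Accepted password for root from 203.0.113.7\n"
    item = case.collect("E-001", "auth log copy", "web01", log_copy,
                        collector="B. Analyst", witness="A. Admin", when="2024-05-02T09:20:00Z")
    item.record(CustodyEvent("2024-05-02T14:00:00Z", "transferred",
                             "B. Analyst", "Det. C. Officer", witness="A. Admin"))
    return case
```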

CIRT Success Metrics

The likelihood of totally eliminating attacks from outside or inside the organization is zero. CIRTs are similar to fire departments; they have significant support costs but, when activated, they are literally worth their weight in gold. Consequently, crafting a series of success metrics is usually a task left to the very last minute. Here are a few suggestions that should be considered during the CIRT creation process:

  • How many incidents did the CIRT address in a given time period? (Time periods could be measured in months, quarters, or years.)

  • What were the estimated amounts of financial damage averted by CIRT intervention?

  • What has been the impression of CIRT's technical expertise with their constituency?

  • What is the average time and employee resources needed to address each specific incident type?

  • What is the documentation completed by individual CIRT members relative to the actions taken with each incident?

  • What recognition or awards were presented to the CIRT?

  • Postincident feedback from constituency. Basically, this mechanism is one where a questionnaire form is provided to the victim-business unit and the results compiled by the CIRT as part of their success metrics. Particular emphasis in these questionnaires should be placed on the anonymity of the person completing them, if so desired.

  • Were significant changes brought to the organization's policies and procedures suggested by the CIRT as a result of their intercession with a critical incident?
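The intake questionnaire and function-point screening described earlier, together with the success metrics above, as an added example (not code from the original text): the questionnaire fields become a record, a screening rule decides CIRT response versus system anomaly, and the metrics are computed over a period from the resulting incident database. The sensitivity ordering, the screening keywords and all sample reports are assumptions and constructed data.

```python
# Added example (not from the original text): incident intake record, function-point
# screening and CIRT success metrics. Field names follow the questionnaire above;
# the reports, systems, hours, dollar figures and screening rule are assumptions.
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from statistics import mean
# Assumed sensitivity ordering and assumed wording that suggests deliberate action.
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
DELIBERATE_HINTS = ("unauthorized", "malware", "backdoor", "exfiltrat", "defaced")

@dataclass
class IncidentReport:
    report_date: str              # ISO date the report was taken
    first_noticed: str            # time, date and place the reporter noticed it
    location: str                 # where the system is located
    duration_hours: float         # how long the incident lasted
    system_name: str
    operating_system: str
    applications: list[str]
    data_description: str         # what data was stored on the system
    sensitivity: str              # key of SENSITIVITY
    description: str              # detailed description of the incident
    knowledge_spread: str         # how widely the attack is already known
    implications: str             # adverse effects on the organization
    reporter: str
    reporter_contact: str
    escalation_contacts: dict[str, str] = field(default_factory=dict)
    # Filled in by the function-point and the CIRT as the case proceeds.
    incident_type: str = "unclassified"
    disposition: str = "pending"  # "cirt_response" or "system_anomaly"
    cirt_hours: float = 0.0
    damage_averted_usd: float = 0.0
    documented: bool = False      # actions documented in the case file

REQUIRED = ("report_date", "first_noticed", "location", "system_name",
            "description", "reporter", "reporter_contact")

def missing_fields(report: IncidentReport) -> list[str]:
    """Checklist items the function-point must still elicit from the caller."""
    return [name for name in REQUIRED if not getattr(report, name).strip()]

def screen(report: IncidentReport) -> str:
    """Function-point decision: formal CIRT response or system anomaly.
    Assumed rule: confidential or higher data, or wording that indicates
    deliberate action, gets a CIRT response; the rest goes to administrators."""
    gaps = missing_fields(report)
    if gaps:
        raise ValueError("incomplete report, missing: " + ", ".join(gaps))
    text = report.description.lower()
    deliberate = any(hint in text for hint in DELIBERATE_HINTS)
    sensitive = SENSITIVITY.get(report.sensitivity.lower(), 0) >= 2
    report.disposition = "cirt_response" if deliberate or sensitive else "system_anomaly"
    return report.disposition

def success_metrics(reports: list[IncidentReport], start: str, end: str) -> dict:
    """Metrics from the text for one period: incident count, damage averted,
    average hours per incident type, documentation rate and systems affected."""
    t0, t1 = datetime.fromisoformat(start), datetime.fromisoformat(end)
    in_period = [r for r in reports if t0 <= datetime.fromisoformat(r.report_date) < t1]
    cirt = [r for r in in_period if r.disposition == "cirt_response"]
    hours = defaultdict(list)
    for r in cirt:
        hours[r.incident_type].append(r.cirt_hours)
    return {
        "incidents_reported": len(in_period),
        "cirt_responses": len(cirt),
        "damage_averted_usd": sum(r.damage_averted_usd for r in cirt),
        "avg_hours_by_type": {k: round(mean(v), 1) for k, v in hours.items()},
        "documented_fraction": sum(r.documented for r in cirt) / len(cirt) if cirt else 0.0,
        "systems_affected": Counter(r.system_name for r in in_period).most_common(),
    }

def sample_reports() -> list[IncidentReport]:
    """Constructed intake records for one quarter, screened and then costed."""
    base = dict(first_noticed="08:30 at console", location="HQ data center", reporter="J. Operator",
                reporter_contact="ext. 1234", knowledge_spread="reporter and shift lead",
                implications="outage", escalation_contacts={"supervisor": "ext. 1200"})
    r1 = IncidentReport(report_date="2024-01-15", duration_hours=3.0, system_name="hr-db01",
                        operating_system="Linux", applications=["PostgreSQL"],
                        data_description="payroll records", sensitivity="restricted",
                        description="unauthorized login followed by bulk export", **base)
    r2 = IncidentReport(report_date="2024-02-03", duration_hours=0.5, system_name="web01",
                        operating_system="Linux", applications=["httpd"],
                        data_description="public web pages", sensitivity="public",
                        description="site unreachable after config change by admin", **base)
    r3 = IncidentReport(report_date="2024-02-20", duration_hours=6.0, system_name="hr-db01",
                        operating_system="Linux", applications=["PostgreSQL"],
                        data_description="payroll records", sensitivity="restricted",
                        description="backdoor account found during review", **base)
    for r, kind, hrs, usd, doc in ((r1, "data theft", 40.0, 250000.0, True),
                                   (r2, "outage", 0.0, 0.0, False),
                                   (r3, "intrusion", 24.0, 100000.0, True)):
        screen(r)
        r.incident_type, r.cirt_hours, r.damage_averted_usd, r.documented = kind, hrs, usd, doc
    return [r1, r2, r3]
```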

CIRT Development Life Cycle

In various forms, CIRTs have been in existence for more than 20 years. In some cases, they have performed magnificently and made substantial contributions to their organizations, while in other cases they have foundered and sometimes failed. The levels of CIRT competence and success in the organization are tied to their development life cycle. Consequently, these are the stages of the CIRT life cycle:

  • Initiation and proposal. Here is the stage where it all begins. Usually, someone makes a proposal to senior managers testing the idea and follows with a written proposal containing:

    • Necessity studies

    • Plan

    • Resource requirements

    • Structure

    • Lines of reporting and authority

    • Staffing

    • Funding

    • Training needs

    • Deliverables

    • Success metrics

    Often the employee who will serve as the unit manager begins a small ad hoc CIRT team as a pilot program. This allows the organization time to get accustomed to the concept and its execution before submitting a formal proposal. Additionally, if immediate success is realized, it makes selling the proposal much easier if a good reputation is already earned. Most employees have not heard of CIRT in this phase and do not have any expectations, yet.

  • Developmental. This phase is marked by the formation of the CIRT. Much of their direction will be guided by what is done at this time. In this phase, staffing is selected or recruited, an infrastructure is created, an office site is established, equipment and tools are procured, funding is allocated, duty rosters are developed ensuring that the function-point is available to screen trouble calls at all hours, policies and procedures applicable to the CIRT are instituted, and the team is advertised as operational.

    At this stage, precedence and reputation are going to be earned. When the fledgling CIRT responds, literally every critical eye will be focused on how it performs, how it interacts with managers, and how it interacts with its constituents. Of all times, this is not the one for judgment errors or other failings. The future of the team hinges on its ability to respond quickly and bring the emergency under control with a satisfactory solution. Failing to define and obtain senior management's approval of operational requirements, drafting deficient policies and procedures, forming meaningless outside liaison contacts, and training its staff poorly can quickly spell doom for the team and its effectiveness. On the other hand, if successful, the team can move on to the next stage of development.

  • Establishment. In this phase startup and development problems are resolved. Constituents know when they should notify the CIRT and know what its course of action is when it arrives. In some instances, CIRTs are loaned or contracted to other organizations to assist in critical incidents. Through contracts and mutual assistance agreements, CIRTs may be deployed at business sites belonging to other organizations on a value-added basis. In this fashion, the cost of their existence is somewhat defrayed.

    In this phase, senior managers have accepted the CIRT and formally recognized its efforts. At some time in this phase, the organization and team members realize the CIRT's existence is indefinite.

    Plans are made for team progress by developing an institutional knowledge base. Team members might be considered for promotions, relocation, rotation, or other work assignments. Working with the human resources unit, well-qualified prospective candidates are located and incentives provided, motivating them to consider team membership. The CIRT manager is also actively engaged in providing mentors so that her employees can upgrade their training and professional certifications.

  • Postestablishment. This phase includes the expansion of the team to include operations and requirements not part of any previous phases. Usually these activities include the CIRT providing constituency training, delivering presentations as guest-lecturers, authoring articles for peer-review publications, and substantial research and analysis.
