This essay has been submitted by a student. This is not an example of the work written by professional essay writers.

globalization aspect of the world


Introduction

Technology has intensified the globalization aspect of the world. As the internet has taken over the practice of interaction and doing business, data storage and security have become a major area of consideration. These trends have led to the emergence of forensics, where governments have stepped in using policy to protect individuals and organizations against data breaches, hacking and cyber-attacks. The government tends to achieve this through digital forensics. Digital forensics describes the process by which entities preserve, identify, extract and document computer evidence that can be admissible in a court of law. As a science of finding evidence from digital media such as a mobile phone, computer, server, or network, it equips the forensic team with techniques and tools for solving complicated digital-related cases. The tasks involved include analysing, inspecting, identifying, and preserving digital evidence, which goes a long way towards combating and apprehending perpetrators of cybercrime, among other digital-related lawlessness.

This essay provides an understanding of the trends in digital forensics, governance and compliance. The first stage explains a digital forensic case related to cybercrime. The discussion covers how the incident occurred, its causes, and the possible damage caused. The second stage explains the potential damage caused to the organization. The explanation includes aspects of a data breach, confidentiality and what the perpetrators want or would have done with the data. The third stage explains how government agencies would investigate such an event. The last stage suggests possible policy changes to combat such occurrences in future, in terms of apprehension and enabling the gathering of evidence. The essay concludes that, in digital forensics, every organization that has gone digital is vulnerable. However, when their digital systems have back-ups, encrypted password and login protection, and the ability to trace usage to detect a breach, it becomes easy for digital forensics to gather the relevant data for evidence.

Digital forensics case – hacking

Due to increasing health risks the world over, governments are coming up with integrated health information systems (IHIS) as a way of collecting and storing patients' health records over the course of their lives. IHIS plays a significant part in ensuring health by giving medical practitioners useful information about patients before they prescribe the required medication. However, such information is highly targeted by pharmaceutical companies that want to understand common diseases and medical trends in order to align their research and development with the manufacture of drugs. As such, medical data protection has become a key concern, with millions of hacking incidents happening across the globe. These practices expose the medical records of patients, which are used without their consent. Meanwhile, health insurance companies are also interested in such data for their insurance policy decision making.

In 2018, Amal Medical Hospital (not its real name) suffered one of the worst cyber-attacks by hackers. The incident was a targeted, deliberate and well-planned move. The attack began with the compromise of one of the health facility's front-end workstations, which was infected with malware. It was through this malware that the hackers gained access and carried out the attack. The incident was carried out by unidentified state actors, and the personal data of 2 million patients and records of outpatient dispensed medicines for 200,000 patients were stolen. Apart from the medical records, personal data was also obtained. The data included the names, contact numbers, race, dates of birth, and gender of the patients who visited the facility. This information was maliciously accessed and copied. Besides, the critical patient information that was copied included test results, patient diagnoses, and doctors' notes.

It would not have been easy to detect that such information had been obtained. However, the facility's IHIS database administrators and IT experts realized that there was unusual activity on the facility's databases. On noticing the unusual entry, the team took precautions against further intrusion by enhancing the network traffic monitoring system. It was through this system that the team noticed sequential attempted entries using login credentials that belonged to one of the employees at the facility. After gaining entry, the hackers created multiple login credentials and changed the passwords at will. This made it difficult for the IT team to put further security measures in place, because of changes in the malware and manipulation of the system from the hackers' end. For instance, it would appear that the hospital managers were accessing the system, which gave no cause for alarm. However, in one incident, a manager was away from his desk, but the IT department realized that he was still logged in. On further investigation, it emerged that the manager's password had been changed without his knowledge. It was at this point that the IHIS and IT team at the facility identified the magnitude of the malicious activity, including the theft of essential data. No data was erased or tampered with, but the team realized that some crucial data had been obtained without authorization from the facility.

The potential damage caused to the organization

Cybercrime leads to both short-term and long-term effects on an affected organization. Whereas short-term effects are easy to quantify, long-term ones are not. One of the damages caused to an organization by cybercrime is to its reputation. According to the study by Ipsos MORI's Reputation Council, companies are always afraid that the opinions of customers towards them are likely to change when they suffer a hack or data breach (Phillips, Writer-Davies & McGeoghegan 2017). For instance, the 2 million customers of Amal Hospital will change their opinion of the hospital's ability to secure their data. The study by Ipsos continues that customers who volunteer their data to be collected by companies, in turn, expect that the information is stored securely and used responsibly.

When a breach occurs, customers perceive the organization as having gone against this expectation, which leads to damage to reputation. When an organization damages its reputation in this context, customers tend to lose trust. According to Dominique and Patterson (2019), customer trust is a critical aspect that determines loyalty. In this sense, cybercrime, as a threat to a company's reputation, may cause an affected organization to lose customers. A loss of customers is detrimental because it leads to loss of revenue and hence profits. Meanwhile, such an organization faces legal charges due to the possible threat to customers whose data has fallen into the wrong hands.

The second damage to the organization is the legal action that affected people bring against it. When customers trust organizations with their personal and sensitive data, such as medical particulars, they usually enter a memorandum of data security by agreeing to terms and conditions. A breach of this agreement is a recipe for legal action for damages. Therefore, the customers of Amal Hospital whose data has been stolen may launch a legal battle with the organization. According to the study by Porcedda and Wall (2019), many companies have suffered court fines and compensations for breach of such agreements. Such organizations end up losing a lot of money and spending a lot of time on court cases. With a multitude of 2 million customers affected, Amal Hospital is at risk of incurring massive amounts of fines and compensations where such an issue escalates to such dimensions. As a result, the financial implications are. As well, affected organizations may take long to stabilize because lone and organized crimes are bound to happen. The unpredictability of such crimes exposes organizations to future financial uncertainties apart from court fines and compensation of affected parties.

Still on financial implications, any organization that has been affected by any form of cybercrime, such as hacking, phishing, or financial fraud, spends a lot of money maintaining its systems. According to the study by Phillips, Writer-Davies and McGeoghegan (2017), companies spend up to 20% of their revenue on strengthening their systems against any crime. Such spending is incremental. As organizations intensify the digitization of their systems, so do the requirements for increased protection, stopping penetration, and continued updating of systems. Sometimes, organizations are forced to employ experts or outsource services to keep their systems safe. Besides, cybercrimes are becoming increasingly sophisticated. For instance, the study by Collier (2016) indicates that organizations usually suffer insider threats, where ethically compromised employees share digital security details with the hackers. This trend is becoming difficult to deal with because it now requires either stricter company HR policies or systems that can detect such attempts. In the long run, organizations end up spending a lot of money on digital systems and on systems to protect the data, as well as on preventing employees from tampering with them.

How the event will be investigated

First of all, to investigate this issue, it is important to understand the type of crime committed against Amal Hospital's digital system. Firstly, there is the lone hacker. Such a hacker is an individual, usually acting out of curiosity or out to get such data for ransom or to sell it for huge earnings (Leukfeldt & Holt, 2020). Usually, lone cybercrime masterminds are less of a threat, and it is relatively easy to carry out forensics as they usually use less sophisticated hacking systems. As such, it is usually easy to trace their digital geospatial traffic, or particulars such as the IPs of the digital devices they have used.

On the other hand, there is the organized cybercrime syndicate. Such syndicates are usually underground organized groups with highly trained and experienced IT experts, used by large organizations for illegal data mining and hacking the digital systems of other organizations (Stancu, 2018). In digital forensic investigations of such groups, it is usually challenging to find information and evidence traceable to them. Either way, digital forensics has developed advanced systems and expertise that have been used to gather evidence of cybercrimes. The following is the way the Amal Hospital incident will be investigated.

Based on the Locard principle, every contact leaves a trace (Erzsébet, 2016). As such, any information stored or transmitted in digital form can be traced, which enables the recovery of lost data and yields forensic details admissible in a court of law. Therefore, one of the first steps to take is investigation initiation. To initiate the investigation, tools such as hardware and software are essential for performing computer forensics. Availability of these tools leads to a three-step course of action, as explained below:

Drive imaging

Before beginning to analyse evidence from a source, the first step to be taken is imaging. Drive imaging is the forensic process in which an analyst creates a bit-for-bit duplicate of the affected drive. Therefore, there will be a need to image all the organization's digital media so that evidence is retained for the investigation (Lone & Mir, 2019). A thing to note is that whereas the organization's data may have been wiped, drives can retain recoverable data for identification and cataloguing. Through this process, it is possible to recover all the deleted files through forensic techniques. The essence of making the duplicate is that the forensic experts are required to work on the duplicate image and not the original media. The aim is to do as little as possible, or absolutely nothing, on the existing system, so that its contents, including live memory (RAM), are not altered. Therefore, to create the image for analysis, hardware called a 'write blocker' will be used.

Hash values

The imaging process in the first step will generate cryptographic hash values (MD5, SHA-1). The hash values play a significant role in authenticating the image and ensuring its integrity as an actual duplicate of the original media (Raychaudhuri & Christopher, 2020). When admitting evidence in court, the hash values become critical because altering even a single bit of the data causes an entirely new hash value. When a file is created or deleted on a computer, the hash value of the media changes. Special software will be used to locate and retrieve files deleted or created by the hackers. The hash values must match the expected values for evidence to be admissible in court.

Chain of custody

After an image has been created, it sometimes has to be transferred from the client to the place where it is required. Documentation is crucial in keeping track of all transfers through chain of custody (CoC) forms (Massover, Langerman & Tine, 2020). The CoC is also essential in capturing signatures and the chronological order of each handoff. The CoC paperwork is essential, as an artefact, to demonstrate that the image has been in authorized possession.
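
The three steps above, sketched as an added example that is not part of the original essay: the image is hashed in chunks, re-verified against the acquisition digests, and each handoff is recorded in a log whose entries are chained by hash. The function names, custodian names and timestamps are constructed, and SHA-256 is computed alongside the essay's MD5 and SHA-1 because both of those have known collision weaknesses.

```python
import hashlib
import io
import json

ALGORITHMS = ("md5", "sha1", "sha256")  # sha256 added here; the essay names MD5 and SHA-1


def hash_stream(stream, chunk_size=1 << 20):
    """Read a drive or image stream once, in chunks, and return every digest."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    while chunk := stream.read(chunk_size):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(acquisition_hashes, image_stream):
    """Return the algorithms whose digest no longer matches the acquisition record."""
    current = hash_stream(image_stream)
    return [name for name in ALGORITHMS if current[name] != acquisition_hashes[name]]


def _entry_digest(entry):
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def add_custody_entry(log, released_by, received_by, timestamp, image_hashes):
    """Append a handoff record chained to the hash of the previous record."""
    entry = {
        "seq": len(log) + 1,
        "released_by": released_by,
        "received_by": received_by,
        "timestamp": timestamp,
        "image_sha256": image_hashes["sha256"],
        "prev_hash": log[-1]["entry_hash"] if log else "0" * 64,
    }
    entry["entry_hash"] = _entry_digest(entry)
    log.append(entry)
    return entry


def first_broken_entry(log):
    """Return the seq of the first altered or re-ordered record, or None if intact."""
    prev = "0" * 64
    for entry in log:
        if entry["prev_hash"] != prev or entry["entry_hash"] != _entry_digest(entry):
            return entry["seq"]
        prev = entry["entry_hash"]
    return None


def demo():
    # Constructed stand-in for a drive; a real source is read through a write blocker.
    source = b"\x00" * 4096 + b"patient-records" + b"\x00" * 4096
    acquired = hash_stream(io.BytesIO(source))
    log = []
    add_custody_entry(log, "Analyst A", "Evidence locker", "2018-07-20T10:00Z", acquired)
    add_custody_entry(log, "Evidence locker", "Analyst B", "2018-07-21T09:30Z", acquired)
    altered = bytearray(source)
    altered[5000] ^= 0x01  # flip a single bit in the working copy
    return (verify_image(acquired, io.BytesIO(source)),
            verify_image(acquired, io.BytesIO(bytes(altered))),
            first_broken_entry(log))
```

The chained log makes a later edit to any handoff record detectable; it supplements the signed CoC form rather than replacing it.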

 

 

Repairing the digital systems

One of the repair processes for digital systems after a cyber-attack is configuration management. Configuration management covers establishing, implementing and actively managing (tracking, reporting on, and correcting) the system's security configuration. After an attack, rigorous configuration management is required. This entails changes to control processes aimed at reducing security risks for information systems. One of the approaches has to do with hardware and software versions. Based on the need to support security in information life cycle management, keeping the hardware and software updated is the first consideration. The configuration of hardware and software needs review as well as approval by the organization's cybersecurity team. Such reviews are supposed to be regular to ensure the system is well configured to meet the challenges of identified threats.

Using risk-based security control, repairing the digital systems should apply the following steps.

Implementation of a robust change-control process – This is essential in controlling any changes or additions to the software. It entails verifying altered or unrecognized software versions via a comparison of hash values of files and their components. The rationale of this approach is based on the understanding that attackers tend to use known software versions to attack. Therefore, to identify compromised software, file hash values are used (Glantz et al., 2017).

Storing master images on servers that have been securely configured – This step ensures that master images are not accessed to copy the hash values. Therefore, there is the need to validate the security through integrity checks, and to use tools for continuous monitoring of the system, as well as effect change management. The rationale of this approach is making sure that changes to images are only made by authorized personnel (Glantz et al., 2017).

Integrity checking tools – Investing in integrity checking tools ensures that crucial system files such as libraries, application executables, and sensitive sub-systems are intact. This is to make sure that any alterations to the system are automatically escalated to the concerned parties for action to be taken. Investing in an automatic reporting system ensures that routine and expected changes are documented, so that unexpected alterations stand out (Martellini, Novossiolova & Malizia, 2017).
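
An added example, not from the original essay, of the hash-comparison check behind the change-control and integrity-checking steps: a baseline manifest of file hashes is compared with the current state, and changes covered by an approved change record are separated from unexplained ones. The file names and the `approved_changes` parameter are constructed for illustration.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        while chunk := f.read(chunk_size):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file's path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # symlinks are not followed in this sketch
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def compare(baseline, current, approved_changes=()):
    """Classify drift; approved_changes lists paths covered by a change record."""
    approved = set(approved_changes)
    report = {"added": [], "removed": [], "modified": [], "approved": []}
    for path in sorted(set(baseline) | set(current)):
        if baseline.get(path) == current.get(path):
            continue
        if path in approved:
            report["approved"].append(path)   # routine, documented change
        elif path not in baseline:
            report["added"].append(path)      # escalate: unrecognized file
        elif path not in current:
            report["removed"].append(path)    # escalate: missing system file
        else:
            report["modified"].append(path)   # escalate: altered contents
    return report


def demo():
    # Constructed file tree standing in for system files deployed from a master image.
    with tempfile.TemporaryDirectory() as root:
        def write(name, data):
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)

        for name in ("libcrypto.so", "app.exe", "app.conf"):
            write(name, b"version 1")
        baseline = build_manifest(root)   # keep this with the master image, read-only
        write("app.exe", b"version 1 altered")   # binary changed with no change record
        write("app.conf", b"version 2")          # change covered by a change record
        write("unknown.dll", b"x")               # file nobody approved
        os.remove(os.path.join(root, "libcrypto.so"))
        return compare(baseline, build_manifest(root), approved_changes=["app.conf"])


if __name__ == "__main__":
    print(demo())
```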

Policy changes

Technical

The law on cybercrime is, unfortunately, substantive. Based on the moral principle of nullum crimen sine lege, there is no crime without a law. This principle explains that a person is not punishable for an offence not proscribed by the law at the time the person is said to have committed the crime (Peters & Jordan, 2019). There exists a technical issue with the application of cybercrime laws. For instance, with organized crime, the perpetrators usually work for other organizations with an interest in the data that is obtained illegally. However, such organizations are rarely identified and punished for supporting criminal activities. Even when such data is eventually found in the hands of organizations other than those that perpetrated the crime, they are seldom punished for possession of unauthorized data, as happens with physical property. Therefore, there is a need to amend this technical problem to combat crime by reducing the interest of concerned parties.

Administrative

The second policy change concerns Amal Hospital's administrative approach to managing its IT systems. There is a need for a policy change regarding access to the IT system and the protocol used by external IT experts and internal personnel. This will avoid a lack of understanding of the chain of command and the possibility of insider threats. For instance, a substantial number of cybercrimes happen due to insider threats (Collier, 2016). Therefore, to prevent such possibilities, there is a need for a change in policy regarding employees' ability to use and change passwords, as well as activities such as installing software on, and deleting it from, the company's computers and other digital devices.

Conclusion

This article provides a critical analysis of the cyber-attack on Amal Hospital, which was perpetrated by unknown attackers. The incident highlights three crucial technical and administrative points about cybercrime. Firstly, the attackers accessed and obtained patients' data without authority. Administratively, this went against the company's policy and its contract with the patients regarding the protection of their personal information. Secondly, the incident exposed the company's IT systems. This leads to two areas of concern: firstly, whether the hospital's IT security systems could be compromised, and secondly, whether there was an insider threat. The third area of concern is the legal implication regarding the policy changes in managing IT systems to prevent such incidents in future.

The cybercrime perpetrated against Amal Hospital had the potential to damage the organization. Firstly, it exposed the IT system to additional vulnerability. For instance, given that malware was used, it is difficult to detect and remove it exhaustively so that the attackers cannot use the same malware to commit future attacks. The second damage to the organization entails the need to either overhaul the current system or change it altogether. This also includes the third damage, which consists of prohibited, controlled, or limited access to the system by employees. To investigate this incident, the Locard principle has been used – that every contact leaves a trace. As such, the drive imaging, hash values, and chain of custody stages have been used. In the process of repairing the IT system, implementation of a strong change-control process, storing master images on securely configured servers, and integrity checking tools have been proposed. Regarding policy changes, the essay proposes technical changes to global cyber-security laws and an organizational approach through structural changes in IT systems management and accessibility.
