Organizations should have a mindset to be ready to response to all cyber threats, and be resilient.
‘Cybercrime’: it can be diverse and complex because this type of crime is committed on internet networks, making it more difficult to prevent. Various crimes include: email and internet fraud, hacking, theft and sale of corporate data, theft of personal information, creation of viruses etc.
A trained investigator can confirm if a cybercrime has indeed been committed and then uncover the source of the crime.
Runtime Asia can meet the need for a number of computer/digital forensics via our specialist capabilities, as follows.
At Runtime Asia we obviously have to be on top of things and have realised how crucial it is to be able to assist our clients regarding computer forensics and guarding against cyber crime, not least because of increasing digitalisation. Remote office setups, with cloud services and the use of various software and SaaS platforms, plus increasing work-from-home arrangements, all pose threats to the business activities’ data and security (although also being convenient, efficient and necessary business setups these days). Other examples can be suspected theft of personal information or intellectual property theft. There can also be a need for performing internal software audits and Runtime Asia can in connection to any merger and acquisition make the necessary audit of any owner/employee accounts and computers belonging to or being used for the conduct of the business.
Our team of experts provides our services throughout Thailand and can also travel in the Asia region, when so required.
Digital forensics includes the seizure, forensic imaging (acquisition) and analysis of digital media and the production of a report into collected evidence. Runtime Asia’s approach is all-encompassing, starting at protocols and interviews; digital evidence collection and preservation; and recovery of missing data. It continues with analysis and hosting, and culminates in preparing affidavits, depositions, reports, and testifying in court.
Computer forensics, also known as digital forensics, can inform everything about a certain file or document; such as openings information, if there are copies and how/if it was communicated and shared.
We use ‘EnCase Forensic imaging’ to make copies of entire hard drives. These copies can then be examined for any changes made as attempts to hide certain information.
Disaster recovery planning is something Runtime Asia recommends and can assist with, in terms of sourcing, recommending and implementing the best fit for your particular needs.
Data lost by malicious attack, user error or hardware malfunctions can often be very costly and in some cases disastrous. Be it computers and servers; mobile devices; and cloud-based platforms and applications, often the valuable – sometimes priceless and irreplaceable – information can be recovered through the use of computer forensics software. If you have suffered data loss without working data backups, Runtime Asia can still undertake the task of recovering lost data using alternate means. Based on initial assessment we evaluate whether or not we can retrieve the data with the help of our software or of we need to refer it to specialist provider.
As for Cybersecurity and legal protection, Thailand’s Cybersecurity Act, including prevention of network systems from being compromised. This law affirms that it has no relevance with the contents that are being circulated online. The Personal Data Protection Act is another legislation, which protects individual’s rights to the information in terms of consent to use personal data online.
Internal computer investigations
Electronically stored information (ESI) often contains confidential and proprietary data, forming an organisation’s intangible assets. In the context of legal and compliance issues, these sources of ESI also contain evidence that relates to a multitude of internal matters.
Supporting clients in protecting their company’s confidential data, Runtime Asia can as IT outsourcing provider also offer digital forensics services with the right expertise and capacity to capture information, information that could also be used in legal proceedings.
As well as identifying direct evidence of a crime, digital forensics can be used to attribute evidence to specific suspects, confirm alibis or statements, determine intent, identify sources (for example, in copyright cases), or authenticate documents.
Identifying and gathering digital evidence is key to successful litigation and dispute resolution.
The metadata of digital information is also a critical piece. It shows when information first appeared on a computer, when it was last touched, whether it was saved or printed, and even which user carried out which actions.
Runtime Asia can resurface hidden or deleted data, including emails, search terms, internet history, documents, and more.
As forensic examiner Runtime Asia will conduct analysis of the relevant ESI (based upon the scope of work and the facts of the case) from a variety of sources and devices including hard-drives, servers, laptops, smart-phones, networks and storage media by imaging these devices for further examination and evidence review. The investigation usually takes place in collaboration with the client’s internal team (typically from human resources, management, IT, compliance, and legal departments) to uncover facts related to the case.
All data gathering is done while strictly adhering to local rules and regulations. In case of privacy concerns, we are able to distinguish private data from company data using software in the first step, followed by human reviewing for borderline cases.
Examples what a cybercrime investigation can achieve: a) Connecting cyber communications to physical evidence of criminal activity b) Uncovering the tampering or deletion of digitally stored information c) Pinpointing premeditated criminal intent d) Tracking malicious online activity.
All findings are reported in a digitally signed format, which prevents unauthorized changes further down the line.
In case a company is involved in court litigation, Runtime Asia can assist with placing company data under “litigation hold”, to ensure nothing is deleted whether accidentally or intentionally. We can also put a litigation hold on specific users or company departments. This procedure can significantly reduce the cost of discovery and data gathering as part of a court order.
Investigation into any type of computer misuse (including websites and email)
As a digital forensics expert Runtime Asia focuses on preserving and analysing data from a variety of sources and devices. This includes but is not limited to email and website investigations and monitoring, and intrusion detection. Emails and the internet are the modern tools used by cyber-criminals and those intent on causing financial damage and disruption to legitimate businesses.
For email and internet use Runtime Asia uses a wide range of tools and methods to obtain information about cybercrime activity. In the analysis of such information vital clues about operators of websites and email senders can be presented, which could assist the task to locate and prosecute.
IT Background checks
Using both online research and traditional methods, RunTime can perform IT background checks to ensure a member of the staff has no questionable online past or criminal record.
In addition to investigating computer misuse Runtime Asia can offer services and solutions that support a company’s confidential data:
• Ensure that employees follow corporate policies on internet usage and ensure that the company keeps legally required logs of employees’ internet access.
• Introduce procedures for protecting electronic evidence in the event that an employee resigns or is dismissed.
If a employee has already left the company Runtime Asia will focus on analysing key activity such as file and network access, internet history, communications, data exfiltration, and data deletions.
Company data theft
Intellectual property (IP) is among a company’s most valuable assets and can include trade secrets, client data and marketing strategy. Data theft is the act of stealing information stored on corporate databases, devices, and servers. This form of corporate theft is a significant risk for businesses of all sizes and can originate both inside and outside an organization.
Data theft (also known as data exfiltration, data extrusion, data exportation or simply unauthorised transfer of data) is a widespread concern across all business industries and a growing phenomenon. This is mainly the case due to system administrators and office workers having access to technology such as database servers, desktop computers and a growing list of hand-held devices capable of storing digital information. The risk therefore keeps on increasing.
When an employee leaves a business to become a competitor the theft of proprietary data can give them a competitive edge. Remote access to data makes it easy for employees to break company data protection procedures by accessing transferring data to external and personal systems quickly and discretely.
It can also be an unintentional act, where for example a former employee takes home information on an unsecured flash drive or retain access to information after their contract has ended.
Runtime Asia’s forensic investigations can uncover digital evidence relating to suspected employee data theft. When employee data theft occurs, a company must act swiftly to protect its interests. The first step must then be to engage an independent digital forensics expert, such as Runtime Asia. An interrogation and analysis of any data retained must then be undertaken in order to uncover the actions relating to the data theft.
Data theft prevention relies on companies limiting access to their most critical data and resources, monitoring every data-related action employees take, and establishing cybersecurity policies that are accompanied by clear consequences for violations. To truly protect data from being stolen, businesses must implement a balanced action plan that decreases the risk of company theft.
Preventive actions can be: 1) Banning employees from sending work emails to their personal accounts. 2) Taking proactive measures in restricting access to data on any non-company owned devices. 3) Protecting access to your networks with robust, multi-factor authentication. 4) Assess, evaluate and clarify risk (conduct comprehensive risk assessment and map critical systems). 5) Deploy data loss prevention (DLP) tools and email gateways. 6) Monitor employee activity. 7) Limit access privileges only to the information and resources that each employee needs for their tasks, downgrade access rights for routine tasks. 8) Protect access points (business-critical resources need to be secured with enhanced data protection methods and technologies). 9 Create clear an explicit data security policy procedures that all employees must follow, focusing on data privacy, email usage, password protection, and mobile device usage. 10) Conduct periodic testing (to assess that the business’ systems meet integrity standards).
Usage of Malicious software
Much of today’s multifaceted malware has been developed to support increasingly organized, professional computer criminals. Such criminals are making extensive use of malware to control computers and steal personal, confidential, or otherwise proprietary information for personal, confidential, or otherwise proprietary information for profit.
Runtime Asia can identify malware on a computer system, examine malware to uncover its functionality and purpose, and determine malware’s impact on a subject system.
Unfortunately, digital investigators rarely are presented with the perfect digital crime scene. Many times the malware or attacker purposefully has destroyed evidence by deleting logs, overwriting files, or encrypting incriminating data. Often the digital investigator is called to an incident only after the victim has taken initial steps to remediate—and in the process, has either destroyed critical evidence, or worse, compounded the damage to the system by invoking additional hostile programs.
Before starting the malware analysis, we need to create the malware analysis environment such as VMware and Norton Ghost.
Employee Efficiency Monitoring
Using stealthy background software, Runtime Asia offers the possibility to monitor staff activity and productivity by gathering data, including screenshots and videos, on how much time is spent on various applications. Web browsing can also be categorized into working and leisurely web browsing.
Software license usage right compliance audits
Runtime Asia conducts both internal and external reviews, which can incorporate:
• Licensing compliance verification
• Quality assurance monitoring, industry standards compliance
• Legal requirements contentment.
Through our software audit services Runtime can determine the software installed on and end user’s computers and allow the customer to determine whether the end user has sufficient licenses for the software in question.
Via an internal audit you will be able to determine whether or not any trial license has been downloaded. You can then decide whether to remove the software or to purchase a license, should it prove necessary for the user to have it.
There are essentially two main reasons for such an internal audit: to reduce the number of inactive licenses and to ensure that you are maximising your current licenses (reassign the unused software, adjust usage). In addition, you can find problems before they can become licensing or regulatory issues in a third-party review.
Through a Software Assessment Management (SAM) tool both shortfalls as well as unnecessary spending on licences can be pinpointed. It can also provide accurate data proving where licences are in use and where money could potentially be saved by dropping inactive licenses. It is the optimal way to reject using an auditor’s tool.
Experienced in audits Runtime Asia also knows how to limit the information to the vendor/auditors.
It is recommended to conduct internal audits at least once a year, or more regularly if the software system is comprehensive.
Other cyber crime
Fraudulent vendor invoices and emails
Cybercriminals use Business Email Compromise (BEC) attacks, or Vendor Email Compromise (VEC) attacks, to gain access to a business email account in order to extort trusting individuals into taking a certain action. Their intent is usually to launch targeted email attacks and pretend to be the account owner to defraud the company and its employees, customers, or partners.
Attackers have usually researched their carefully chosen target and will know enough about the victim’s organisation to put together a convincing email.
Attackers know that trusted email is the most effective way of breaching an enterprise, as existing security controls cannot detect these attacks since they come from previously-established credible senders. Meanwhile, employees have a hard time spotting these attacks because they appear to come from trusted colleagues. Even highly trained security experts can’t spot them visually. The messages will contain highly convincing business information and personal details. Such emails are difficult for email security systems to identify as fraudulent, as they are often sent from legitimate email accounts, tailored to the recipient, and do not contain suspicious links.
A cybercriminal gain remote access to an email account or use an email address that appears legitimate and almost identical to the trusted business email address. The attacker then sends what appears to be a legitimate email requesting money or sensitive information.
Once attackers have compromised the credentials of business users, they get redirects of everything that comes into the inbox. They also gain access to all of the attachments and links used in the email correspondence, allowing them to create a fake invoice that looks entirely legitimate. As a result they can funnel the funds into their own wallets.
In the case of invoice and payment fraud, the BEC attack typically target employees with access to company finances or payroll data, and other personal identity information. Scammers will usually target a business’s finance department and pose as a vendor or senior management and will ask for a payment to be made to a fraudulent bank account. They change bank account details and rob the invoice amounts from the customer leaving the invoice unpaid with the supplier or business.
Companies that still rely on outdated invoice approval processes are vulnerable to teams of scammers conduct extensive research and build their BEC strategy around specific weaknesses. In the case of Invoice Redirection Fraud, the cybercriminal will send an invoice which includes new updated bank details so payments are redirected to the cybercriminal.
Organizations must pay more attention to protection against account takeovers. It is in their interest to prevent invoice and email fraud, as it can be very damaging to any business.
Runtime Asia is ready to assist in bringing awareness to fraud and ensuring that our client companies are as safeguarded as possible. Runtime Asia can supply its clients with all the recommendations to keep their business safe from Business Email Compromise (BEC) or Vendor Email Compromise (VEC) attacks.
The first step for any organisation is to raise awareness. Many staff members may not even know what invoice and payment fraud is or the techniques used by the attackers. Train your staff in how an attack could occur!
By safeguarding one can come a long way. 1. If you receive an email from an individual (for example senior management) asking for you to make a payment to an unknown destination call the individual and confirm it. You’ll want to look up any new vendors to make sure they’re legitimate before issuing payments. 2. Prohibit wire transfers from going out without an in-person conversation or phone call. Even with a phone call, take caution if the only contact information is that included in the potentially fraudulent email. 3. If you receive an invoice from a supplier then check the account details against a receipt of goods or purchase order. If you’re unsure about an invoice, or it doesn’t match the purchase order/receipt, then take contact. Always triple check information! Etc.
The first step in preventing an attack is detecting compromised business email accounts. Identity mapping determines the perceived identity of the sender, mapping the sender to a previously-established sender/organization or a broader classification.
The message is evaluated for anomalies relative to the expected sender behaviour, such as whether the sender has ever interacted with the recipient or whether the content of the message sent by the sender is expected.
The message identity is a combination of the features and indicators of the different steps that determines whether the attack is indeed originating from a compromised account.
It is important that your business takes the necessary steps to avoid being impersonated by a cybercriminal who may scam your customers, making it harder to get your invoice paid and risk eroding the trust of your customers. Contact Runtime Asia for assistance in how to prevent being impersonated by a cybercriminal.
Mismanagement and theft of intellectual property
A business’ intellectual property (or IP) encompasses all of the intangible assets that the company holds. An organization’s IP portfolio can drive value through revenue generating and cost saving opportunities. But when intellectual property is not managed effectively opportunities will be lost and resources wasted. Such mismanagement can lead to: inefficiencies throughout the value chain; wasted labour resources; unnecessary legal costs; data irregularity, inconsistency or incompleteness; lost revenue-generating opportunities; and decreased innovation output.
An intellectual property management solution can resolve these issues by automating parts or all of the process, removing bottlenecks and identifying wasted resources.
And businesses can protect their intellectual property either through registered intellectual property rights or by adopting best practices to maintain and protect the value of their key knowledge assets.
When suffering from intellectual property theft a business can encounter: ransomware demands; unexpected and steep data recovery costs; unexpected downtime; reputational damage and loss of business; potential lawsuits from customers whose data was exposed; and potential fines from any regulatory body.
See ‘Company data theft’ chapter for IP details and other preventive actions.
In protecting you company’s intellectual property protection policies and procedures should include:
- Frequently communicate internally what IP needs to be protected
- Equipment, cloud applications, file-sharing services
- Employees personal devices
- Any third-party systems your IP is shared with
- Making a risk and cost-benefit analysis
- Labelling confidential company information
- Physical and digital protection
- Educating employees about IP
- Using data loss prevention tools
Data recovery and IT forensics
Forensic IT investigations
In cases where disaster has already struck, we offer forensic investigation services to help you understand what went wrong, when it happened and who caused it. As part of a forensic IT investigation, we also offer to repair and recover what is possible to salvage and we provide detailed advice on how to avoid future incidents.
Recovery of accidentally deleted files
Recovery of data on physically damaged hard disks