Privacy, Ethics and Computer Forensics - PowerPoint PPT Presentation

About This Presentation
Title:

Privacy, Ethics and Computer Forensics

Description:

Analysis by Symantec Security Response using data from Symantec, IDC & ICSA; 2002 estimated ... Barracuda Anti Spam - Postini Pilot - PKEnable. SonicWALL ... – PowerPoint PPT presentation

Slides: 16
Provided by: SPo79

Transcript and Presenter's Notes


1
Privacy, Ethics and Computer Forensics
  • Lecture 2

2
Where Are The Threats?
Open Source
Insider/Espionage
Terrorists
White Collar Crime
Today's World
Disasters
Theft
Scripts
ID Theft
3
Increase in Security Incidents
  • Total Number of Incidents Reported from 1988-2003 is 319,992
  • Average Yearly Increase of 40

4
Security Risks Rising
[Chart. Axes: Malicious Code Infection Attempts; Network Intrusion Attempts. Labelled threat classes: Polymorphic Viruses (Tequila), Zombies, Mass Mailer Viruses (Love Letter/Melissa), Denial of Service (Yahoo!, eBay), Blended Threats (CodeRed, Nimda, Slammer)]
Analysis by Symantec Security Response using data from Symantec, IDC & ICSA; 2002 estimated
Source: CERT
5
Threats Evolution (Version B)
  • 1988: Worm disables 6000 ARPANET computers
  • 1990: AT&T network crash (software bug)
  • 1991: Tequila, 1st polymorphic virus
  • 1992: DAME tool turns virus into polymorphic versions
  • 1994: Citibank broken into, 10M stolen
  • 1995: first macro virus to attack Word
  • 1998: NASA & Pentagon networks (Solar Sunrise)
  • 1999: Melissa macro virus
  • 2000: I Love You
  • 2000: DDoS attack on Yahoo, eBay, Amazon, etc.
  • 2001: Nimda & Code Red
  • 2002: Klez disables AV software & uses MS Outlook
  • 2002: DDoS on root DNS
  • 2003: Slammer
  • 2003: VISA phishing scam

6
Information Security Organizations
7
Major Security Product Launches
  • 1983 - Kerberos and Project Athena at MIT
  • 1990 - Haystack Labs introduces Stalker line of host-based intrusion detection systems
  • 1991 - Programmer Philip Zimmermann releases "Pretty Good Privacy" (PGP)
  • 1991 - Symantec releases Norton Antivirus
  • 1991 - DEC introduces first commercial firewall (deployed at DuPont)
  • 1993 - DEC engineers went over to TIS and developed TIS FWTK under DARPA contract
  • 1994 - CancelMoose™ used cancelbots to cancel spam messages on Usenet

8
Major Security Product Launches
U T O P I A
2003
Barracuda Anti Spam
2002
SonicWALL
Netscreen/Neoteris
2001
Archer Technologies Policy Management
2000
- RSA SecurID - Verisign PKI
- Postini Pilot - PKEnable
1998
1999
- ESM Axent - Dynasoft BoKs
1997
- Netranger - SATAN
1995
- PGP Released - Oracle Password
1996
1994
Cyberguard
9
Security Software - New License Revenue
Compound Annual Growth Rate (CAGR) for 2000-2003: 7.6
Source: Gartner, Worldwide Regional Security Software Forecast Update 2002-2007 (Dec. 2003)
CAGR calculation was based on Gartner research data of new licenses for security software.
10
CAGR Security Software (New Licenses 2000-2003)
Source: Gartner, Worldwide Regional Security Software Forecast Update 2002-2007 (Dec. 2003)
Note: CAGR calculation was based on Gartner research data of new licenses for security software.
11
IT Security Spending and Staffing
Gartner CAGR for IT Security Spending (2001-2003): 28
Source: Gartner 2001 IT Spending and Staffing Survey Results (September 19, 2001)
Additional Resource: Gartner Press Release (June 3, 2003)
12
Privacy Regulations Environment
  • Restrictive regulatory / compliance environment
  • Multinational Laws & Regulations crossing multiple borders
  • National Laws & Regulations at federal levels supersede state & provincial laws
  • State & Provincial Laws with limited boundaries
  • Complex third party relationships
  • Increased use of e-commerce, web based applications

13
U.S. Privacy Regulations
1974 US Privacy Act - Helps citizens gain access to government records
1978 RFPA - Provides confidentiality to financial records & their transfer
1978 FCRA - Promotes accuracy in consumer reporting & ensures their privacy
1986 Electronic Communication Act - Guards against unlawful access to stored communications
1987 Computer Security Act - Requires improving information security & privacy in government agencies
1996 HIPAA - Prohibits sharing of health information for non-health care reasons
1997 CFR part 11 - Creates criteria for electronic record keeping in promoting public health
1998 COPPA - Gives parents control over information collected from their children on the Internet
1999 GLB - Requires financial institutions to disclose privacy policies & allow client opt-out of information sharing
2001 US Patriot Act - Enhances law enforcement investigative tools to deter & punish terrorists
2002 Sarbanes-Oxley - Requires certification of corporate financial accounting
2003 CA 1386 - Requires personal information protection & notification in case of compromise
14
International Privacy Regulations
15
Case Study
  • Imagine that you are a senator in the US Congress and you are proposing a privacy law to protect US citizens against possible terrorism.
  • Detail what you will include in the law
  • Include the reasons and to whom it will apply
  • Describe how you would go about implementing it and monitoring violations
  • What type of violations would you be imposing?
  • ////// WE WILL REVISIT THIS CASE AGAIN //////