Privacy, Ethics and Computer Forensics

1
Privacy, Ethics and Computer Forensics

• Lecture 1

2
Setting course expectations

• Lectures from power point
• Case studies
• Hands on with security, computer forensics and
  privacy tools
• Guest speaker
• 2 exams
• A final paper
• Rules of the class
• Look at syllabus

3
Purpose Objective

• You care about information security and privacy
  because
• Information Security is a constant and a critical
  need
• Threats are becoming increasingly sophisticated
• Countermeasures are evolving to meet the threats
• You want to protect your asset and privacy
• You want to know what tools are there for
  protection and Because information security,
  information privacy and legal and compliance are
  inter-related we will cover
• You will learn about
• Information Security
• Information Privacy
• Ethics and Information Handling
• Investigations and Computer Forensics
• testing purposes

4
The World Future We Will Live In
ComputingMoores LawDoubles Every 18
months
CommunicationsFibre LawDoubles Every 9
months
StorageDisk LawDoubles Every 12 months
ContentCommunity Law2 n where n is of
people
Source John Seeley Brown, 14th Annual CIO
Innovation Conference
5
The World Trends

• Infrastructure
• Globalization means networks beyond the
  traditional national boundaries
• Increased B-2-B connection
• Legal and Compliance
• Uncharted legal landscape in the I-net space
• Privacy laws
• C.P.N.I or Customer Proprietary Network
  Information.
• Fair Credit Reporting Act (FCRA). Fair Credit
  Reporting Act)
• .Expanded wiretapping authority and other
  authority of law enforcement agencies to obtain
  personal data from organizations under the USA
  PATRIOT Act may also affect carriers.

• Environment
• Working from home
• Speed of technology advances
• Proliferation of Information
• Easy and readily available hacking tools
• E-Business Trends
• Client information collected rapidly by various
  businesses

6
What We Know About Future Customers...
Always-On Relationships With Customers
The 4 Ps have been replaced by the 4 Cs
4 Ps of Old Economy
4 Cs of Old Economy
1. Product2. Price3. Placement4. Promotion
1. Communication2. Customization3.
Collaboration4. Clairvoyance
Special Thanks to Rashi Glazer, UC-Berkeley
7
Technology-enabled Customer Relationship
Management
Old Economy
New Economy
The question Is NowWhat computer should I be?
The question used to beWhat computer should I
buy?
Special Thanks to Rashi Glazer, UC-Berkeley
8
Business Rationale

• Information security is a business issue.
• Without effective security controls, business
  managers are subject to operational risk and
  damage to reputation that can adversely impact
  mission critical assets
• Your success, prosperity, and viability are
  highly dependent on reliable and confidential
  information to
• Support business transactions
• Provide management and customers with timely and
  accurate information
• Maintain a competitive advantage.

9
Basic Security Components

• AUTHENTICATION
• How do we know who is using the service?
• ACCESS CONTROL
• Can we control what they do?
• CONFIDENTIALITY
• Can we ensure the privacy of information?
• DATA INTEGRITY
• Can we prevent unauthorized changes to
  information?

• NONREPUDIATION
• Can we provide for non-repudiation of a
  transaction?
• AUDITABILITY AVAILABILITY
• Do we know
• Whether there is a problem? Whether its soon
  enough to take appropriate action?
• How to minimize/contain the problem?
• How to prevent denial of service?

10
Principles of Security Architecture
11
A Balanced Security Architecture

• Single, unifying infrastructure that many
  applications can leverage
• A good security architecture
• Provides a core set of security services
• Is modular
• Provides uniformity of solutions
• Supports existing and new applications
• Contains technology as one component of a
  complete security program
• Incorporates policy and standards as well as
  people, process, and technology

Policy, Standards, and Process
People
Technology
12
Threats to Security

• Disclosure of information
• Unauthorized access to systems
• Loss of integrity
• Denial of service

13
Disclosure
14
Unauthorized Access
15
Loss of Integrity
16
Denial of Service
17
The Threat Tree
Threat
Unintentional
Natural
Intentional
software bugs

system overloads

fires

hardware failures

floods

poorly trained administrators

earthquakes

errors and accidents

hurricanes

uniformed, unmotivated

extreme heat

incompetent custodians
Outsider
extreme cold

Insider
hacker - spy fraud organized crime competitor
disgruntled employee

former employee

contract employee

18
Watch out for these folks

• Disgruntled Employee or Contract Employee in
  order to injure the institution
• Extortionists
• Organized Crime or Drug Cartel
• Fraud Criminals
• Insider Trading (merger and acquisitions)
• Cyber Criminal
• Information Resellers
• Competitors

• Kid Hackers
• Hackers who Beat the System
• Foreign Governments

19
You Can Say That A Simplistic View

• Connecting Networks is like connecting stereo
  components
• Basically it is a collection of input and output
• You always have a client , a server and a
  connection/communication pipe
• It resembles the human body
• Psychology is the vision, brain and security
  policy
• Physiology is the networks of cells that
  implement the communication and brains
• Anatomy is the servers, individual business lines
  and all other technology processes
• The complexity is in the business concept
  variation (e.g., someone wanting to charge a
  subscription with a credit card)

20
General Information Security Concepts The Theory

• General Information Security Concepts
• Theory

21
Information Security Control Areas

• Information Security Policies
• Information Security Organization
• Asset Classification and Handling
• Personal Security
• Physical Security
• System Operations Mgt Controls
• General Access Controls
• System Development Life Cycle
• Business Continuity
• Compliance, Legal Regulatory

22
Information Security Directives

• Information security policies, standards,
  guidelines, and procedures are collectively
  called information directives
• Information directives are instructions written
  for different purposes and varying degrees of
  technical sophistication

23
Roles Responsibilities

• It is the responsibility of corporate management
  to ensure clear direction, vision, support, and
  commitment to information security directives
• To accomplish this, management must continually
  monitor and update the state of security
  policies, controls, and processes as they relate
  to your information assets
• Organizational Responsibilities of the corporate
  information security team should be modeled as
  follows whenever possible

24
Asset Classification Definition

• Corporate assets are defined as any information,
  hardware, software, or equipment that is utilized
  for, and critical to, service delivery, business
  identification, classification, and appropriate
  handling objectives, and financial success
• Data Classification
• Is a fundamental element of a security program
  that defines of all critical corporate assets
• Is the process and associated methods to classify
  and handle data assets in order to mitigate a
  risk
• Classification is based on data value and use of
  data assets
• Classification must alert users to the potential
  impact of inappropriate data handling.

25
Data Classification

• Asset classification and handling
• Establishes clear accountability and ownership
  for critical assets.
• The information technology, operational, and
  business units should be responsible for
  managing, classifying and maintaining assigned
  assets
• Defines sensitivity levels and ownership
• Must be reviewed regularly
• Must denote sensitivity of the data and the
  classification level to determine the appropriate
  control and monitoring levels
• Examples of data classification include Public,
  Confidential, Secret, Private and For Your Eyes
  Only.

26
The Question is

• Do You Know Who You Are Hiring to Handle Your
  Credit Card Transactions?!

27
Personnel Security Employee Security

• Employee security is a fundamental component of
  an effective personnel security program
• It provides security that begins in the
  recruitment, full and temp hiring stages and
  continues through the conclusion of the your
  employee relationship
• All personnel that might handle credit card data
  and who are in any other sensitive position
  (business- or computer-related positions of
  trust) should first pass a background check that
  includes
• A nondisclosure agreement must be signed before
  newly hired personnel are granted access to any
  sensitive information
• New employees, contractors, and consultants
  should only be granted access to the information
  resources necessary for their defined job
  responsibilities
• Job descriptions should clearly define security
  responsibilities

28
Physical Security

• Your company has a significant investment in its
  employees and information processing assets
• A physical security program ensures that your
  employees and assets operate in a secure
  environment and are available and used for their
  intended purpose
• A physical security plan should be designed to
  obtain maximum protection at a cost that
  mitigates threats and risks

29
Physical Security

• You should periodically conduct a risk assessment
  to determine whether
• Physical assets are secured
• Sources of risk such as environmental, human, or
  technical are taken into account
• Probability of occurrence and costs of remedies
  are available to minimize exposure
• Perimeter Physical Security is adequate
• Environment Security is adequate
• Security of media is appropriate
• Asset inventory is accurate and updated

30
Systems Operations Management

• The goal for good Operations Management is to
  attain an efficient, reliable, and secure
  operating environment
• Operational policies and procedures should be
  documented and communicated to all appropriate
  parties
• Security planning, implementation, and monitoring
  must be an integral element of operations
  management and should include
• Coordination of security planning and
  implementation with your operational units
• Ensure that documented operating procedures
  include security directives
• Provide guidance as required to ensure
  operational effectiveness

31
Operating Procedures

• Operating procedures
• Consist of instructions necessary for the
  operation of a system, an application, or support
  services
• Change Control
• Change management and related controls make up
  processes that govern
• Infrastructure and applications
• Security and configuration implementation
• Upgrade, or enhancement
• Change management processes should take into
  account information security directives
• Incident Management
• Security incidents that could cause interruption
  or failure of operations may occur in spite of
  good security posture and practices
• Establish, document, and review policies that
  ensure timely and effective response to adverse
  incidents. This may include system intrusions,
  information compromise or destruction, or system
  failure

32
Operating Procedures

• Segregation of Duties
• Segregation of duties is the practice of
  separating operational or departmental functions
  to prevent intentional or unintentional
  activities that lead to or allow fraudulent
  activities or misuse to occur
• Segregation of duties generally involves making
  two or more individuals responsible for major
  functions such as development, implementation,
  operations, and monitoring
• Separation of Operational Environments
• Operational environments should be separated for
  much the same reasons that duties are separated
  throughout the development and production
  environment

33
System Planning and Acceptance

• Capacity Planning
• Capacity planning is accomplished through
  policies and practices that anticipate and plan
  for various system needs associated with
  processing power, storage, memory, or
  communications bandwidth that enable
  uninterrupted, responsive, and secure network
  performance
• Includes, at minimum, processing power,storage,
  memory and data space
• System Acceptance
• Before accepting any new information system
  upgrade, create a clear definition of acceptance
  criteria, including
• System capacity analysis
• Acceptance testing
• Training on new functionality.

34
Protection from Malicious Software

• Malicious software, such as viruses, consist of
  unauthorized pieces of code that can destroy
  information, damage files to be eliminated, and
  temporarily or permanently impair applications
  and networks
• Malicious software is a major threat to the
  operational efficiency, system availability, and
  integrity of customer information and internal
  data
• Detection and prevention are the most important
  controls in deterring the introduction of
  malicious software in the network environment
• Controls should be established to ensure a
  proactive approach to technology solutions as
  well as user awareness.

35
Protection from Malicious Software

• Install antivirus software on every desktop,
  server and laptop
• System hard drive must be scanned on regular
  basis with the frequency determined by the
  sensitivity of the data
• Each floppy disk placed into a computer must be
  scanned automatically
• Virus software must be updated on at least on a
  monthly basis
• Where feasible, diskless workstations should be
  considered to prevent unauthorized removal and
  entry of software and data through a workstation
  (e.g. for VPN access)

36
Backup Recovery

• Design and implement a realistic backup and
  recovery strategy for databases holding credit
  card account and transaction information
• Carefully assess backup needs, liability and log
  protection of backup vs. application and
  databases performance
• Backup frequently (daily, weekly and monthly)
  with clearly tested procedures
• Have a test of recovery done on regular basis
• Control of transport and security of vital
  records
• Cover backup of the workstation, server and other
  essential equipment needed for the operation
• Every backup should have an integrity check with
  time stamps of backup.

37
General Access Controls

• Physical and non-physical access controls should
  be collectively designed and implemented as part
  of overall information security protection
• Sound non-physical access controls should be used
  to protect information, information systems, and
  network devices
• Generic accounts (such as guest accounts)
  should be deleted or disabled at system
  installation
• Physical access controls (such as locked offices)
  must be used in conjunction with logical access
  controls
• A company-wide non-physical access control tool
  should be used to ease the administrative burden
  of managing user access
• This tool, however, should not decrease the
  effectiveness of any security measures.

38
General Access Controls User Access Management

• Logins should time out after a specific period of
  time
• Accurate time stamps should be configured or
  programmed into system logins
• Continuously review vendor and all third party
  access after every months
• Reasons for login failure should not be displayed
  to users
• System administrator access privileges, such as
  high-level technical support, system utilities,
  and security administration, that are capable of
  overriding system and application controls must
  abide by the following
• Privileged accounts should not be used for
  routine access
• They must be audited by an independent internal
  party, and the records must be retained for one
  year

39
General Access Controls Password Management

• Each user should follow a registration process
  before being granted access to a system or
  service
• The registration process should establish the
  persons identity and his or her allowed access
  to the systems in question
• Each user should be given a statement with his or
  her access rights, privileges, and liabilities
• Unique user identification and password are
  required
• The user ID should be a minimum of five
  characters
• At least five character passwords should be
  chosen and it must contain a combination of
  alpha-numeric characters
• Reuse of at least the five most recently used
  passwords should be discouraged.

40
General Access Control Network Access Control

• Network access controls should be flexible enough
  to allow the limiting of network usage by
• Workstation location
• Identification,
• Time of usage. 
• Whenever needed, network users should use network
  services in captive mode
• Gateways, routers, and firewalls must be used to
  secure all internal IP networks and connections
  to external networks hosting the your
  applications.
• Disable unnecessary services such as telnet and
  ftp and use proxy services if needed

41
General Access Control Network Access Control

• To the extent possible, the network should be
  separated into logical infrastructures to enhance
  access controls throughout the your network
• At the very least there should be three types of
  networks internal, external, and a hybrid (e.g.
  extranets with partners)
• All diagnostic ports on network devices and
  appliances should be securely controlled using a
  strong authentication mechanism, and there must
  be an audit trail for access
• All computers and network equipment connected to
  the internal network should always have the
  current time accurately reflected

42
General Access Controls Application Access
Controls

• It is essential that only authorized personnel
  are granted access to your system and business
  applications
• Personnel with access to business applications
  should be clearly identified and audited each
  time access is gained
• Whenever possible, all applications should
  provide a captive menu to control access to
  applications and databases
• Each application should have the ability to
  control finite rights for users, applications,
  and system administrators.

43
System Development Life Cycle

• System development life cycle (SDLC) refers to
  defined actions, tools and processes that guide
  development of new systems or applications
• SDLC serves as a framework to ensure that
  systems or applications are developed in a
  cost-effective manner that meets established
  timelines and user requirements
• A comprehensive SDLC life cycle includes
  requirement gathering, development, testing and
  production

44
Application Security Testing

• Only Test data should be used during the SDLC to
  test systems and conduct user acceptance. To
  ensure the quality of testing, test data must
• To the extent possible, match production data
• Be void of actual production data.
• Test environments and plans must
• Ensure that access controls applied to production
  systems are in place for test systems and data
• Require authorization of all events that migrate
  production data to a test application or system
  environment.
• Ensure appropriate disposal or deletion of
  production data when the test is completed
• Ensure that movement of production data to the
  test environment is done with appropriate audit
  trails and documentation in place

45
Case Study

• Imagine you are the manager of the RVCC help
  desk.
• How would you address information handling
• What do you think the biggest risk from an
  information management is to the college