Information Security 365/765
Lecture 13 – Legal Regulations, Industry Compliance and Forensic Investigations
November 8, 2016
Overview
• Computer crimes and computer laws
• Motives and profiles of attackers
• Various types of evidence
• Laws and acts to fight computer crime
• Computer crime investigation process
• Incident handling procedures
• Ethics and best practices
05/02/23 UNIVERSITY OF WISCONSIN 2
Laws, Ethics and Investigations
• Laws, ethics and investigations are important parts of information security
• More attention needs to be paid to this area if society is serious about controlling crime
Laws, Ethics and Investigations
• Laws are still in their infancy
• Few precedents to rely upon
• Legal system is developing quickly
• Hacking is often seen as a hobby. This may change as punishments increase in severity.
• Security professionals should understand the laws, how they apply to the workplace and management
The EU and Privacy
• The European Union (EU) has some of the most stringent data privacy rules
• When it comes to data collection, the EU has six privacy principles which all countries and businesses within those countries must follow
European Privacy Principles
1. The reason for gathering the information must be specified at the time of collection
2. Data cannot be used for other purposes
3. Unnecessary data should not be collected
European Privacy Principles
4. Data should only be kept for as long as necessary to complete the stated task
5. Only those individuals who are required to accomplish the stated task should be allowed to access the data
6. Whoever is responsible for securely storing the data should not allow the unintentional leaking of data
Privacy: The Need For Better Laws
• Advances in data aggregation and data retrieval technologies – large data warehouses
• Loss of borders – Private data flows from country to country with ease
• Convergent technology advances – Gathering, mining and distributing information has become much easier
Laws, Directives and Regulations
Covers many different areas for many different reasons
• Privacy
• Computer Misuse
• Software copyright
• Data protection
• Controls on cryptography
Laws, Directives and Regulations
• Laws, directives and regulations usually provide only broad guidance and not detailed instructions
• Environments are just too diverse to get specific in terms of the details of laws, directives and regulations
• Let’s look at some examples
Sarbanes-Oxley Act
The Sarbanes-Oxley Act of 2002 (often shortened to SOX) is legislation passed by the U.S. Congress to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise, as well as improve the accuracy of corporate disclosures.
HIPAA
HIPAA is the federal Health Insurance Portability and Accountability Act of 1996. The primary goal of the law is to make it easier for people to keep health insurance, protect the confidentiality and security of healthcare information and help the healthcare industry control administrative costs.
GLB (GLBA)
The Gramm-Leach-Bliley Act (GLB Act or GLBA), also known as the Financial Modernization Act of 1999, is a federal law enacted in the United States to control the ways that financial institutions deal with the private information of individuals.
CFAA
The Computer Fraud and Abuse Act (CFAA) of 1986 is United States legislation that made it a federal crime to access a protected computer without proper authorization.
Federal Privacy Act of 1974
The Privacy Act of 1974, a United States federal law, establishes a Code of Fair Information Practice that governs the collection, maintenance, use, and dissemination of personally identifiable information about individuals that is maintained in systems of records by federal agencies.
PCI-DSS (PCI)
Short for Payment Card Industry (PCI) Data Security Standard (DSS), PCI DSS is a standard that all organizations, including online retailers, must follow when storing, processing and transmitting their customers' credit card data.
Carrying Out Security Investigations
As computer-related crime (and prosecutions) increase, it is becoming more and more important for IT professionals to learn how to carry out investigations. Often an entire environment of a company is used in a detailed investigation.
Security Incident Response Team
Every organization should have an incident response team which is capable of:
1. Determining the extent of the damage
2. Stopping further damage from occurring
3. Fixing the damage
4. Preserving evidence
5. Finding the responsible party
Security Incident Response Team - Plan
• List of outside teams and resources to contact
• Roles and responsibilities outlined
• A call/contact tree
• A list of relevant items to always include in the report for management and potential prosecution
• A description of how to treat different systems during an incident
Incident Response Procedures
• Triage – learn what is wrong as quickly as possible (initial assessment of problem)
• Reaction – containment, analysis, tracking
• Follow-up – Repair, recovery, prevention
Performing an Incident Post-Mortem
• What happened?
• What did we learn?
• What can we do better, next time?
Decision to Involve, or Not Involve Law Enforcement
• Company loses control over investigation
• Secrecy, if sensitive data is compromised, is not 100% assured
• Effects on reputation need to be considered
• Evidence will be collected and may not be available for a long period of time
• In summary, agility and visibility of the investigation take on a new dimension
Collecting Digital Evidence (Forensics)
Computer forensics specialists must know what to look for and how to collect it properly
• Logs, timestamps, etc.
• Keep powered up, or power down equipment
• Making copies properly, so as not to disturb original
Digital Forensics Principles
1. When dealing with digital evidence, all the general rules of physical evidence handling should still apply (chain of custody, security, etc.)
2. Upon seizing digital evidence, actions taken should not change that evidence
3. People who must access original evidence must be trained for the purpose
Digital Forensics Principles
4. All activity relating to the seizure, storage and transfer of digital evidence must be fully documented, preserved and available for review
5. An individual is responsible for all actions taken while digital evidence is under their control
6. Any agency responsible for seizing, accessing, storing or transferring digital evidence is responsible for compliance with these principles
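Principles 2 and 4 above (do not change the evidence; document every seizure, storage and transfer), together with the earlier point about making copies without disturbing the original, are usually met by hashing the original at acquisition, working only on a verified copy and re-hashing at every custody change. The following is an added illustration written for this page, not code from the lecture; the evidence bytes, item id and handler names are constructed for the demo.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an evidence image, recorded at acquisition and re-checked on every transfer."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class EvidenceItem:
    """One seized item: its acquisition hash plus a chain-of-custody log (principle 4)."""
    item_id: str
    acquisition_hash: str
    custody_log: list = field(default_factory=list)

    def record(self, action: str, handler: str, data: bytes) -> bool:
        """Log who did what and when, and verify the image still matches the acquisition hash.

        Returns False when the bytes differ, so an alteration (principle 2 violated)
        is caught at the next custody step rather than in court.
        """
        current = sha256_hex(data)
        intact = current == self.acquisition_hash
        self.custody_log.append({
            "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "action": action, "handler": handler, "sha256": current, "intact": intact,
        })
        return intact


def acquire(item_id: str, original: bytes, handler: str) -> tuple[EvidenceItem, bytes]:
    """Seize an item: hash the original, make a working copy, log both steps."""
    item = EvidenceItem(item_id, sha256_hex(original))
    item.record("seized", handler, original)
    working_copy = bytes(original)  # examiners work on the copy, never on the original
    item.record("imaged", handler, working_copy)
    return item, working_copy


if __name__ == "__main__":
    # Constructed 'disk image' for the demo; not data from any real case.
    disk = b"\x00" * 512 + b"user=alice;last_login=2016-11-08" + b"\xff" * 64
    item, copy = acquire("HDD-001", disk, "examiner-a")
    print(item.record("transferred to lab", "examiner-b", copy))                  # True
    print(item.record("transferred to lab", "examiner-b", copy[:-1] + b"\x00"))  # False
    print(len(item.custody_log))                                                  # 4
```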
Identifying Motive, Opportunity and Means (MOM Did It!)
• Motive – The “who and why” of a crime
• Opportunity – The “Where and when” of a crime
• Means – The knowledge, skills and overall capability to carry out a crime
Three Different Types of Forensic Assessments
• Network Analysis – Communications, log and path tracing
• Media Analysis – Disk imaging, Modify, Access, Create (MAC) analysis of files, content analysis, steganography, cryptography, etc.
• Software Analysis – Reverse engineering, Malicious Code Review, Exploit Review
Stages of Forensic Investigations
• Identification
• Preservation
• Collection
• Examination
• Analysis
• Presentation
• Decision
Controlling the Crime Scene
• Only allow authorized individuals to access the scene
• Document who is at the crime scene (in court, the integrity of the evidence may be brought into question if an uncontrolled number of people were at the crime scene)
• Document who were the last people to interact with the systems under consideration
Common Attack Types
Salami Attack
A salami attack is when small attacks add up to one major attack that can go undetected due to the nature of this type of cyber crime. It is also known as salami slicing.
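Because each slice is individually too small to trip a per-transaction rule, the defensive check has to aggregate per beneficiary over time. The following detection sketch is an added example for this page, not code from the lecture; the ledger rows, account names, limits and 30-day window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed ledger for the demo: (timestamp, debited account, credited account, cents).
# Integer cents keep totals exact. Every single credit is below the 100-cent review limit,
# which is exactly what lets slicing slip past per-transaction rules.
LEDGER = [
    ("2016-11-01 09:00", "payroll", "acct-9001", 37),
    ("2016-11-02 09:00", "payroll", "acct-9001", 37),
    ("2016-11-03 09:00", "payroll", "acct-9001", 37),
    ("2016-11-04 09:00", "payroll", "acct-9001", 37),
    ("2016-11-05 09:00", "payroll", "acct-9001", 37),
    ("2016-11-06 09:00", "payroll", "acct-9001", 37),
    ("2016-11-07 09:00", "payroll", "acct-9001", 37),
    ("2016-11-08 09:00", "payroll", "acct-9001", 37),
    ("2016-11-01 09:00", "payroll", "acct-4410", 49),  # one-off rounding credit, benign
    ("2016-09-01 09:00", "payroll", "acct-7777", 90),  # spread over months: never reaches
    ("2016-10-15 09:00", "payroll", "acct-7777", 90),  # the aggregate inside one window
    ("2016-12-01 09:00", "payroll", "acct-7777", 90),
]


def salami_suspects(ledger, single_limit, aggregate_limit, window_days):
    """Return {beneficiary: highest cents} for accounts whose sub-limit credits
    add up to aggregate_limit or more within any sliding window of window_days.

    Only credits below single_limit count: those are the slices that pass review on
    their own. Sliding the window per account keeps spaced-out small credits unflagged.
    """
    window = timedelta(days=window_days)
    per_account = defaultdict(list)
    for ts, _src, dst, cents in ledger:
        if cents < single_limit:
            per_account[dst].append((datetime.strptime(ts, "%Y-%m-%d %H:%M"), cents))
    suspects = {}
    for acct, events in per_account.items():
        events.sort()
        start, total = 0, 0
        for when, cents in events:
            total += cents
            while when - events[start][0] > window:  # drop credits that fell out of the window
                total -= events[start][1]
                start += 1
            if total >= aggregate_limit:
                suspects[acct] = max(suspects.get(acct, 0), total)
    return suspects


if __name__ == "__main__":
    print(salami_suspects(LEDGER, single_limit=100, aggregate_limit=250, window_days=30))
```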
Common Attack Types
Data Diddling
Data diddling is the changing of data before or during entry into the computer system. Examples include forging or counterfeiting documents used for data entry and exchanging valid disks and tapes with a modified replacement.
Common Attack Types
Excessive Privilege
A rogue employee has access rights to many, often deep-lying, parts of the business. This most often arises because long-tenured employees change roles over time while their access to other parts of the system remains.
Common Attack Types
Password Sniffer
A password sniffer is a software application that scans and records passwords that are used or broadcast on a computer or network interface. It listens to all incoming and outgoing network traffic and records any instance of a data packet that contains a password.
Common Attack Types
IP Spoofing
IP spoofing, also known as IP address forgery or a host file hijack, is a hijacking technique in which a cracker masquerades as a trusted host to conceal his identity, spoof a Web site, hijack browsers, or gain access to a network.
Common Attack Types
Dumpster Diving
Dumpster diving is looking for treasure in someone else's trash. (A dumpster is a large trash container.) In the world of information technology, dumpster diving is a technique used to retrieve information that could be used to carry out an attack on a computer network.
Common Attack Types
Emanation Capturing
em·a·na·tion (eməˈnāSHən)
Listening in on wireless broadcasts, or other electronic signals either intentionally or unintentionally generated by computer equipment
Common Attack Types
Wiretapping
A form of eavesdropping involving physical connection to the communications channels to breach the confidentiality of communications. For example, many poorly-secured buildings have unprotected telephone wiring closets where intruders may connect unauthorized wires to listen in on phone conversations and data communications.
Ethics
• There are no firm rules for the ethics of information systems professionals
• Everything is open to interpretation, morals, personal beliefs, etc.
• However, if I had to pick an ethical model to follow, I would suggest the ISC2 CISSP Code of Ethics, for information security professionals
ISC2 Code of Ethics
Protect society, the commonwealth, and the infrastructure
• Promote and preserve public trust and confidence in information and systems.
• Promote the understanding and acceptance of prudent information security measures.
• Preserve and strengthen the integrity of the public infrastructure.
• Discourage unsafe practice.
ISC2 Code of Ethics
Act honorably, honestly, justly, responsibly, and legally
• Tell the truth; make all stakeholders aware of your actions on a timely basis.
• Observe all contracts and agreements, express or implied.
• Treat all members fairly. In resolving conflicts, consider public safety and duties to principals, individuals, and the profession in that order.
• Give prudent advice; avoid raising unnecessary alarm or giving unwarranted comfort. Take care to be truthful, objective, cautious, and within your competence.
• When resolving differing laws in different jurisdictions, give preference to the laws of the jurisdiction in which you render your service.
ISC2 Code of Ethics
Provide diligent and competent service to principals
• Preserve the value of their systems, applications, and information.
• Respect their trust and the privileges that they grant you.
• Avoid conflicts of interest or the appearance thereof.
• Render only those services for which you are fully competent and qualified.