Privacy, Ethics and Computer Forensics - PowerPoint PPT Presentation

Provided by: SPo79

Transcript and Presenter's Notes

1
Privacy, Ethics and Computer Forensics
  • Lecture 1

2
Setting course expectations
  • Lectures from PowerPoint slides
  • Case studies
  • Hands-on work with security, computer forensics and
    privacy tools
  • Guest speaker
  • 2 exams
  • A final paper
  • Rules of the class
  • Review the syllabus

3
Purpose & Objective
  • You care about information security and privacy
    because:
  • Information security is a constant and critical
    need
  • Threats are becoming increasingly sophisticated
  • Countermeasures are evolving to meet the threats
  • You want to protect your assets and your privacy
  • You want to know what tools are available for
    protection
  • Because information security, information privacy,
    and legal and compliance matters are inter-related,
    we will cover all of them
  • You will learn about:
  • Information Security
  • Information Privacy
  • Ethics and Information Handling
  • Investigations and Computer Forensics

4
The World: Future We Will Live In
  • Computing: Moore's Law, doubles every 18 months
  • Communications: Fibre Law, doubles every 9 months
  • Storage: Disk Law, doubles every 12 months
  • Content: Community Law, 2^n where n is the number of
    people
Source: John Seely Brown, 14th Annual CIO Innovation
Conference
5
The World: Trends
  • Infrastructure
  • Globalization means networks beyond the
    traditional national boundaries
  • Increased B2B connections
  • Legal and Compliance
  • Uncharted legal landscape in the Internet space
  • Privacy laws
  • CPNI, or Customer Proprietary Network
    Information
  • Fair Credit Reporting Act (FCRA)
  • Expanded wiretapping authority and other
    authority of law enforcement agencies to obtain
    personal data from organizations under the USA
    PATRIOT Act may also affect carriers
  • Environment
  • Working from home
  • Speed of technology advances
  • Proliferation of information
  • Easy and readily available hacking tools
  • E-Business Trends
  • Client information collected rapidly by various
    businesses

6
What We Know About Future Customers...
Always-On Relationships With Customers
The 4 Ps have been replaced by the 4 Cs
4 Ps of Old Economy:
  1. Product
  2. Price
  3. Placement
  4. Promotion
4 Cs of Old Economy:
  1. Communication
  2. Customization
  3. Collaboration
  4. Clairvoyance
Special Thanks to Rashi Glazer, UC-Berkeley
7
Technology-enabled Customer Relationship
Management
  • Old Economy: the question used to be "What computer
    should I buy?"
  • New Economy: the question is now "What computer
    should I be?"
Special Thanks to Rashi Glazer, UC-Berkeley
8
Business Rationale
  • Information security is a business issue.
  • Without effective security controls, business
    managers are subject to operational risk and
    damage to reputation that can adversely impact
    mission critical assets
  • Your success, prosperity, and viability are
    highly dependent on reliable and confidential
    information to
  • Support business transactions
  • Provide management and customers with timely and
    accurate information
  • Maintain a competitive advantage.

9
Basic Security Components
  • AUTHENTICATION
  • How do we know who is using the service?
  • ACCESS CONTROL
  • Can we control what they do?
  • CONFIDENTIALITY
  • Can we ensure the privacy of information?
  • DATA INTEGRITY
  • Can we prevent unauthorized changes to
    information?
  • NONREPUDIATION
  • Can we provide for non-repudiation of a
    transaction?
  • AUDITABILITY & AVAILABILITY
  • Do we know:
  • Whether there is a problem? Whether it is soon
    enough to take appropriate action?
  • How to minimize/contain the problem?
  • How to prevent denial of service?

10
Principles of Security Architecture
11
A Balanced Security Architecture
  • Single, unifying infrastructure that many
    applications can leverage
  • A good security architecture
  • Provides a core set of security services
  • Is modular
  • Provides uniformity of solutions
  • Supports existing and new applications
  • Contains technology as one component of a
    complete security program
  • Incorporates policy and standards as well as
    people, process, and technology

Diagram: the three components of a balanced security
architecture are Policy, Standards, and Process; People;
and Technology.
12
Threats to Security
  • Disclosure of information
  • Unauthorized access to systems
  • Loss of integrity
  • Denial of service

13
Disclosure
14
Unauthorized Access
15
Loss of Integrity
16
Denial of Service
17
The Threat Tree
  • Threat
    • Unintentional
      • software bugs
      • system overloads
      • hardware failures
      • poorly trained administrators
      • errors and accidents
      • uninformed, unmotivated, incompetent custodians
    • Natural
      • fires
      • floods
      • earthquakes
      • hurricanes
      • extreme heat
      • extreme cold
    • Intentional
      • Outsider: hacker, spy, fraud, organized crime,
        competitor
      • Insider: disgruntled employee, former employee,
        contract employee


18
Watch out for these folks
  • Disgruntled Employee or Contract Employee seeking
    to injure the institution
  • Extortionists
  • Organized Crime or Drug Cartel
  • Fraud Criminals
  • Insider Trading (merger and acquisitions)
  • Cyber Criminal
  • Information Resellers
  • Competitors
  • Kid Hackers
  • Hackers who Beat the System
  • Foreign Governments

19
You Can Say That: A Simplistic View
  • Connecting networks is like connecting stereo
    components
  • Basically it is a collection of inputs and outputs
  • You always have a client, a server and a
    connection/communication pipe
  • It resembles the human body
  • Psychology is the vision, brain and security
    policy
  • Physiology is the networks of cells that
    implement the communication and brains
  • Anatomy is the servers, individual business lines
    and all other technology processes
  • The complexity is in the business concept
    variation (e.g., someone wanting to charge a
    subscription with a credit card)

20
General Information Security Concepts The Theory
  • General Information Security Concepts
  • Theory

21
Information Security Control Areas
  • Information Security Policies
  • Information Security Organization
  • Asset Classification and Handling
  • Personnel Security
  • Physical Security
  • Systems Operations Management Controls
  • General Access Controls
  • System Development Life Cycle
  • Business Continuity
  • Compliance, Legal & Regulatory

22
Information Security Directives
  • Information security policies, standards,
    guidelines, and procedures are collectively
    called information directives
  • Information directives are instructions written
    for different purposes and varying degrees of
    technical sophistication

23
Roles & Responsibilities
  • It is the responsibility of corporate management
    to ensure clear direction, vision, support, and
    commitment to information security directives
  • To accomplish this, management must continually
    monitor and update the state of security
    policies, controls, and processes as they relate
    to your information assets
  • Organizational Responsibilities of the corporate
    information security team should be modeled as
    follows whenever possible

24
Asset Classification: Definition
  • Corporate assets are defined as any information,
    hardware, software, or equipment that is utilized
    for, and critical to, service delivery, business
    objectives, and financial success
  • Data Classification
  • Is a fundamental element of a security program
    that defines the identification, classification,
    and appropriate handling of all critical corporate
    assets
  • Is the process and associated methods used to
    classify and handle data assets in order to
    mitigate risk
  • Classification is based on the value and use of
    data assets
  • Classification must alert users to the potential
    impact of inappropriate data handling

25
Data Classification
  • Asset classification and handling
  • Establishes clear accountability and ownership
    for critical assets.
  • The information technology, operational, and
    business units should be responsible for
    managing, classifying and maintaining assigned
    assets
  • Defines sensitivity levels and ownership
  • Must be reviewed regularly
  • Must denote sensitivity of the data and the
    classification level to determine the appropriate
    control and monitoring levels
  • Examples of data classification include Public,
    Confidential, Secret, Private and For Your Eyes
    Only.

26
The Question is
  • Do You Know Who You Are Hiring to Handle Your
    Credit Card Transactions?!

27
Personnel Security: Employee Security
  • Employee security is a fundamental component of
    an effective personnel security program
  • It provides security that begins at the
    recruitment and hiring stages (full-time and
    temporary) and continues through the conclusion of
    the employment relationship
  • All personnel who might handle credit card data
    or who are in any other sensitive position
    (business- or computer-related positions of
    trust) should first pass a background check that
    includes
  • A nondisclosure agreement must be signed before
    newly hired personnel are granted access to any
    sensitive information
  • New employees, contractors, and consultants
    should only be granted access to the information
    resources necessary for their defined job
    responsibilities
  • Job descriptions should clearly define security
    responsibilities

28
Physical Security
  • Your company has a significant investment in its
    employees and information processing assets
  • A physical security program ensures that your
    employees and assets operate in a secure
    environment and are available and used for their
    intended purpose
  • A physical security plan should be designed to
    obtain maximum protection at a cost that
    mitigates threats and risks

29
Physical Security
  • You should periodically conduct a risk assessment
    to determine whether
  • Physical assets are secured
  • Sources of risk such as environmental, human, or
    technical are taken into account
  • Probability of occurrence and costs of remedies
    are available to minimize exposure
  • Perimeter Physical Security is adequate
  • Environment Security is adequate
  • Security of media is appropriate
  • Asset inventory is accurate and updated

30
Systems Operations Management
  • The goal for good Operations Management is to
    attain an efficient, reliable, and secure
    operating environment
  • Operational policies and procedures should be
    documented and communicated to all appropriate
    parties
  • Security planning, implementation, and monitoring
    must be an integral element of operations
    management and should include
  • Coordination of security planning and
    implementation with your operational units
  • Ensure that documented operating procedures
    include security directives
  • Provide guidance as required to ensure
    operational effectiveness

31
Operating Procedures
  • Operating procedures
  • Consist of instructions necessary for the
    operation of a system, an application, or support
    services
  • Change Control
  • Change management and related controls make up
    processes that govern
  • Infrastructure and applications
  • Security and configuration implementation
  • Upgrades or enhancements
  • Change management processes should take into
    account information security directives
  • Incident Management
  • Security incidents that could cause interruption
    or failure of operations may occur in spite of
    good security posture and practices
  • Establish, document, and review policies that
    ensure timely and effective response to adverse
    incidents. This may include system intrusions,
    information compromise or destruction, or system
    failure

32
Operating Procedures
  • Segregation of Duties
  • Segregation of duties is the practice of
    separating operational or departmental functions
    to prevent intentional or unintentional
    activities that lead to or allow fraudulent
    activities or misuse to occur
  • Segregation of duties generally involves making
    two or more individuals responsible for major
    functions such as development, implementation,
    operations, and monitoring
  • Separation of Operational Environments
  • Operational environments should be separated for
    much the same reasons that duties are separated
    throughout the development and production
    environment

33
System Planning and Acceptance
  • Capacity Planning
  • Capacity planning is accomplished through
    policies and practices that anticipate and plan
    for various system needs associated with
    processing power, storage, memory, or
    communications bandwidth that enable
    uninterrupted, responsive, and secure network
    performance
  • Includes, at minimum, processing power, storage,
    memory and data space
  • System Acceptance
  • Before accepting any new information system
    upgrade, create a clear definition of acceptance
    criteria, including
  • System capacity analysis
  • Acceptance testing
  • Training on new functionality.

34
Protection from Malicious Software
  • Malicious software, such as viruses, consists of
    unauthorized pieces of code that can destroy
    information, damage or delete files, and
    temporarily or permanently impair applications
    and networks
  • Malicious software is a major threat to the
    operational efficiency, system availability, and
    integrity of customer information and internal
    data
  • Detection and prevention are the most important
    controls in deterring the introduction of
    malicious software in the network environment
  • Controls should be established to ensure a
    proactive approach to technology solutions as
    well as user awareness.

35
Protection from Malicious Software
  • Install antivirus software on every desktop,
    server and laptop
  • System hard drive must be scanned on regular
    basis with the frequency determined by the
    sensitivity of the data
  • Each floppy disk placed into a computer must be
    scanned automatically
  • Antivirus software must be updated at least
    monthly
  • Where feasible, diskless workstations should be
    considered to prevent unauthorized removal and
    entry of software and data through a workstation
    (e.g. for VPN access)

36
Backup & Recovery
  • Design and implement a realistic backup and
    recovery strategy for databases holding credit
    card account and transaction information
  • Carefully weigh backup needs, liability and the
    protection of backup logs against application and
    database performance
  • Back up frequently (daily, weekly and monthly)
    with clearly tested procedures
  • Test recovery on a regular basis
  • Control the transport and security of vital
    records
  • Cover backup of the workstations, servers and other
    essential equipment needed for the operation
  • Every backup should have an integrity check with
    time stamps of the backup.
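The integrity check with time stamps that the last bullet calls for, as an added example that is not part of the slides: each file in a backup set is hashed with SHA-256, the hashes and the time the set was taken go into a manifest, and the manifest is sealed with an HMAC so that an attacker who can rewrite the backup media cannot also rewrite the manifest to match. The sample file contents, the key handling (the key is assumed to be stored separately from the media) and the function names are all constructed assumptions.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample "backup set": file name -> file bytes. In a real job these
# would be the dump files written by the backup tool.
SAMPLE_BACKUP: Dict[str, bytes] = {
    "accounts.sql.gz": b"\x1f\x8b" + b"CREATE TABLE accounts (...);" * 4,
    "transactions.sql.gz": b"\x1f\x8b" + b"INSERT INTO transactions VALUES (...);" * 16,
}
# Assumed: the sealing key lives with the key-management system, never on the
# backup media itself. This value is a constructed placeholder.
DEMO_KEY = b"constructed-manifest-sealing-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes], taken_at: Optional[datetime] = None) -> Dict:
    """Hash every file in the set and record when the set was taken (UTC, tz-aware)."""
    taken_at = taken_at or datetime.now(timezone.utc)
    return {
        "taken_at": taken_at.isoformat(timespec="seconds"),
        "algorithm": "sha256",
        "files": {name: sha256_hex(data) for name, data in sorted(files.items())},
    }


def seal_manifest(manifest: Dict, key: bytes) -> str:
    """HMAC over canonical JSON, so the manifest (hashes *and* time stamp) cannot be edited silently."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_backup(files: Dict[str, bytes], manifest: Dict, seal: str, key: bytes) -> List[str]:
    """Return a list of problems found; an empty list means the set verifies."""
    problems: List[str] = []
    # Check the seal first: if the manifest itself is untrustworthy, per-file
    # comparisons against it prove nothing.
    if not hmac.compare_digest(seal_manifest(manifest, key), seal):
        problems.append("manifest seal mismatch")
        return problems
    for name, expected in manifest["files"].items():
        if name not in files:
            problems.append(f"missing: {name}")
        elif not hmac.compare_digest(sha256_hex(files[name]), expected):
            problems.append(f"modified: {name}")
    for name in files:
        if name not in manifest["files"]:
            problems.append(f"unexpected: {name}")
    return problems


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_BACKUP)
    seal = seal_manifest(manifest, DEMO_KEY)
    print("taken at", manifest["taken_at"], "problems:", verify_backup(SAMPLE_BACKUP, manifest, seal, DEMO_KEY))
```

The manifest and seal are written alongside the backup at backup time and checked again at restore-test time, so a recovery drill that passes also proves the media were not altered in between.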

37
General Access Controls
  • Physical and non-physical access controls should
    be collectively designed and implemented as part
    of overall information security protection
  • Sound non-physical access controls should be used
    to protect information, information systems, and
    network devices
  • Generic accounts (such as guest accounts)
    should be deleted or disabled at system
    installation
  • Physical access controls (such as locked offices)
    must be used in conjunction with logical access
    controls
  • A company-wide non-physical access control tool
    should be used to ease the administrative burden
    of managing user access
  • This tool, however, should not decrease the
    effectiveness of any security measures.

38
General Access Controls: User Access Management
  • Logins should time out after a specific period of
    time
  • Accurate time stamps should be configured or
    programmed into system logins
  • Continuously review vendor and all third party
    access after every months
  • Reasons for login failure should not be displayed
    to users
  • System administrator access privileges, such as
    high-level technical support, system utilities,
    and security administration, that are capable of
    overriding system and application controls must
    abide by the following
  • Privileged accounts should not be used for
    routine access
  • They must be audited by an independent internal
    party, and the records must be retained for one
    year
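The login rules on this slide (sessions that time out, accurate time stamps on login records, and failure reasons that are never shown to the user) together with the previous slide's point about disabling generic accounts, as an added example that is not part of the slides. The user store, the 15-minute timeout (the slide only says "a specific period of time"), the sample account names and the function names are constructed assumptions.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

SESSION_TIMEOUT = timedelta(minutes=15)   # assumed value for "a specific period of time"
GENERIC_FAILURE = "Login failed."          # the only text a user ever sees on failure
PBKDF2_ROUNDS = 100_000
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)   # constructed clock value for the demo


def derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user(password: str, enabled: bool = True) -> Dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": derive(password, salt), "enabled": enabled}


# Constructed sample store: one ordinary user and the generic "guest" account,
# which the previous slide says should be disabled at installation.
USERS: Dict[str, Dict] = {
    "alice": make_user("Tr0ub4dor&3"),
    "guest": make_user("guest", enabled=False),
}
# Hashing against a dummy record makes an unknown user cost the same time as a
# known one, so the timing of the response does not reveal which IDs exist.
_DUMMY = make_user("dummy")


def log_event(audit_log: List[str], now: datetime, user: str, outcome: str) -> None:
    """Audit record with a timezone-aware ISO 8601 time stamp; the real reason goes here only."""
    audit_log.append(f"{now.isoformat(timespec='seconds')} user={user!r} {outcome}")


def authenticate(user: str, password: str, now: datetime, audit_log: List[str]) -> Tuple[Optional[Dict], str]:
    """Return (session, message). The message is identical for every failure cause."""
    record = USERS.get(user, _DUMMY)
    supplied = derive(password, record["salt"])
    if user not in USERS:
        log_event(audit_log, now, user, "FAIL unknown-user")
        return None, GENERIC_FAILURE
    if not hmac.compare_digest(supplied, record["hash"]):
        log_event(audit_log, now, user, "FAIL bad-password")
        return None, GENERIC_FAILURE
    if not record["enabled"]:
        log_event(audit_log, now, user, "FAIL account-disabled")
        return None, GENERIC_FAILURE
    log_event(audit_log, now, user, "OK login")
    return {"user": user, "last_active": now}, "Welcome."


def session_valid(session: Dict, now: datetime) -> bool:
    """Idle sessions expire after SESSION_TIMEOUT; a successful check refreshes last_active."""
    if now - session["last_active"] > SESSION_TIMEOUT:
        return False
    session["last_active"] = now
    return True


if __name__ == "__main__":
    log: List[str] = []
    print(authenticate("mallory", "x", T0, log)[1], authenticate("alice", "Tr0ub4dor&3", T0, log)[1])
    print("\n".join(log))
```

The caller sees "Login failed." whether the ID is unknown, the password is wrong or the account is disabled; only the audit log, which the slide says an independent party reviews, distinguishes the three.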

39
General Access Controls: Password Management
  • Each user should follow a registration process
    before being granted access to a system or
    service
  • The registration process should establish the
    person's identity and his or her allowed access
    to the systems in question
  • Each user should be given a statement of his or
    her access rights, privileges, and liabilities
  • Unique user identification and password are
    required
  • The user ID should be a minimum of five
    characters
  • Passwords should be at least five characters long
    and must contain a combination of alphanumeric
    characters
  • Reuse of any of the five most recently used
    passwords should be discouraged.
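The registration and password rules on this slide turned into an enforceable check, as an added example that is not part of the slides: unique user IDs of at least five characters, passwords of at least five characters mixing letters and digits, and rejection of any of the five most recently used passwords. Old passwords are kept only as salted PBKDF2 hashes, so the reuse check hashes the candidate under each stored salt rather than storing plaintext history. The directory structure, message texts and function names are constructed assumptions.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, List

MIN_USERID_LEN = 5      # "user ID should be a minimum of five characters"
MIN_PASSWORD_LEN = 5    # "at least five characters"
HISTORY_DEPTH = 5       # "the five most recently used passwords"
PBKDF2_ROUNDS = 100_000

MSG_ID_SHORT = f"user ID shorter than {MIN_USERID_LEN} characters"
MSG_ID_TAKEN = "user ID already in use"
MSG_PW_SHORT = f"password shorter than {MIN_PASSWORD_LEN} characters"
MSG_PW_MIX = "password must contain both letters and digits"
MSG_PW_REUSED = f"password matches one of the last {HISTORY_DEPTH} passwords"


def derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def check_user_id(user_id: str, directory: Dict[str, List[Dict]]) -> List[str]:
    problems = []
    if len(user_id) < MIN_USERID_LEN:
        problems.append(MSG_ID_SHORT)
    if user_id in directory:            # "unique user identification"
        problems.append(MSG_ID_TAKEN)
    return problems


def check_password(candidate: str, history: List[Dict]) -> List[str]:
    """Apply the slide's rules; history holds the user's salted hashes, newest first."""
    problems = []
    if len(candidate) < MIN_PASSWORD_LEN:
        problems.append(MSG_PW_SHORT)
    if not (re.search(r"[A-Za-z]", candidate) and re.search(r"[0-9]", candidate)):
        problems.append(MSG_PW_MIX)
    # Reuse check: re-derive under each historical salt and compare in constant time.
    for entry in history[:HISTORY_DEPTH]:
        if hmac.compare_digest(derive(candidate, entry["salt"]), entry["hash"]):
            problems.append(MSG_PW_REUSED)
            break
    return problems


def record_password(history: List[Dict], password: str) -> List[Dict]:
    """Push the new hash onto the history, keeping only the HISTORY_DEPTH most recent."""
    salt = os.urandom(16)
    return [{"salt": salt, "hash": derive(password, salt)}] + history[: HISTORY_DEPTH - 1]


def register_user(directory: Dict[str, List[Dict]], user_id: str, password: str) -> List[str]:
    problems = check_user_id(user_id, directory) + check_password(password, [])
    if not problems:
        directory[user_id] = record_password([], password)
    return problems


def change_password(directory: Dict[str, List[Dict]], user_id: str, new_password: str) -> List[str]:
    problems = check_password(new_password, directory[user_id])
    if not problems:
        directory[user_id] = record_password(directory[user_id], new_password)
    return problems


if __name__ == "__main__":
    users: Dict[str, List[Dict]] = {}
    print(register_user(users, "bob", "abcde"))      # two violations
    print(register_user(users, "bob12", "abc12"))    # [] -> accepted
    print(change_password(users, "bob12", "abc12"))  # reuse of the current password
```

The five-character figures are the slide's; a current deployment would raise them, but the structure of the check (length, composition, hashed history of fixed depth) stays the same.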

40
General Access Control: Network Access Control
  • Network access controls should be flexible enough
    to allow the limiting of network usage by:
  • Workstation location
  • Identification
  • Time of usage
  • Whenever needed, network users should use network
    services in captive mode
  • Gateways, routers, and firewalls must be used to
    secure all internal IP networks and connections
    to external networks hosting your applications
  • Disable unnecessary services such as telnet and
    ftp and use proxy services if needed

41
General Access Control: Network Access Control
  • To the extent possible, the network should be
    separated into logical infrastructures to enhance
    access controls throughout your network
  • At the very least there should be three types of
    networks internal, external, and a hybrid (e.g.
    extranets with partners)
  • All diagnostic ports on network devices and
    appliances should be securely controlled using a
    strong authentication mechanism, and there must
    be an audit trail for access
  • All computers and network equipment connected to
    the internal network should always have the
    current time accurately reflected

42
General Access Controls: Application Access
Controls
  • It is essential that only authorized personnel
    are granted access to your system and business
    applications
  • Personnel with access to business applications
    should be clearly identified and audited each
    time access is gained
  • Whenever possible, all applications should
    provide a captive menu to control access to
    applications and databases
  • Each application should have the ability to
    control finite rights for users, applications,
    and system administrators.

43
System Development Life Cycle
  • System development life cycle (SDLC) refers to
    defined actions, tools and processes that guide
    development of new systems or applications
  • SDLC serves as a framework to ensure that
    systems or applications are developed in a
    cost-effective manner that meets established
    timelines and user requirements
  • A comprehensive SDLC includes requirement
    gathering, development, testing and production

44
Application Security Testing
  • Only test data should be used during the SDLC to
    test systems and conduct user acceptance. To
    ensure the quality of testing, test data must:
  • To the extent possible, match production data
  • Be void of actual production data
  • Test environments and plans must
  • Ensure that access controls applied to production
    systems are in place for test systems and data
  • Require authorization of all events that migrate
    production data to a test application or system
    environment.
  • Ensure appropriate disposal or deletion of
    production data when the test is completed
  • Ensure that movement of production data to the
    test environment is done with appropriate audit
    trails and documentation in place
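The two requirements on test data ("match production data" in shape, yet "be void of actual production data") in working form, as an added example that is not part of the slides: production card records are replaced by synthetic records of the same length and brand prefix with a valid Luhn check digit, and an acceptance check confirms that no production card number or customer name survives in the test set. The record layout, the sample "production" rows (well-known published test card numbers standing in for real ones) and the function names are constructed assumptions; the Luhn algorithm itself is the standard check-digit scheme used on payment card numbers.

```python
import random
from typing import Dict, List, Set

# Constructed stand-in for a production extract. The numbers are published
# test numbers, not real accounts.
PRODUCTION: List[Dict[str, str]] = [
    {"name": "Ada Lovelace", "pan": "4111111111111111", "expiry": "03/27"},
    {"name": "Alan Turing", "pan": "5500000000000004", "expiry": "11/26"},
]


def luhn_check_digit(payload: str) -> str:
    """Check digit for a digit string, doubling every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:          # rightmost payload digit is doubled first
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and len(number) >= 2 and luhn_check_digit(number[:-1]) == number[-1]


def synthesize_pan(real_pan: str, rng: random.Random, forbidden: Set[str]) -> str:
    """Same length and leading (brand) digit as the production PAN, valid check digit,
    guaranteed not to equal any production value."""
    while True:
        body = real_pan[0] + "".join(rng.choice("0123456789") for _ in range(len(real_pan) - 2))
        candidate = body + luhn_check_digit(body)
        if candidate not in forbidden:
            return candidate


def synthesize_record(record: Dict[str, str], rng: random.Random, forbidden: Set[str], index: int) -> Dict[str, str]:
    return {
        "name": f"Test Customer {index:04d}",
        "pan": synthesize_pan(record["pan"], rng, forbidden),
        "expiry": f"{rng.randint(1, 12):02d}/{rng.randint(25, 29)}",
    }


def build_test_set(production: List[Dict[str, str]], seed: int = 0) -> List[Dict[str, str]]:
    """Seeded, so the same production extract always yields the same test set (reproducible tests)."""
    rng = random.Random(seed)
    prod_pans = {r["pan"] for r in production}
    return [synthesize_record(r, rng, prod_pans, i) for i, r in enumerate(production, 1)]


def leaked_production_values(test_set: List[Dict[str, str]], production: List[Dict[str, str]]) -> List[str]:
    """Acceptance check for 'void of actual production data': PANs or names shared with production."""
    prod_values = {r["pan"] for r in production} | {r["name"] for r in production}
    return [v for r in test_set for v in (r["pan"], r["name"]) if v in prod_values]


if __name__ == "__main__":
    test_set = build_test_set(PRODUCTION, seed=7)
    for row in test_set:
        print(row, "luhn ok" if luhn_valid(row["pan"]) else "luhn BAD")
    print("leaked:", leaked_production_values(test_set, PRODUCTION))
```

Running the acceptance check as part of the migration job gives the audit trail the last bullet asks for: the job records that the test environment was loaded and that the loaded data contained no production values.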

45
Case Study
  • Imagine you are the manager of the RVCC help
    desk.
  • How would you address information handling?
  • What do you think the biggest risk to the college
    from information management is?