Computer Network Security Study Guides

In the text below you will find study guides on Network Security Management. These study guides cover topics such as information security, advice on entering InfoSec, InfoSec career opportunities, solving security problems, security curriculum overviews, risk management, information security principles, certifications, common criteria, computer crime, ethics, and more. All of these notes will help you with any Network Security Management college course.


Growing IT Security Importance and New Career Opportunities

  • Increased services to both vendors and employees create many possibilities for satisfying customer needs, but …
  • they also create risks to the confidentiality, integrity, and availability of confidential or sensitive data

Increasing Demand by Government and Private industry

  • Higher demand for expertly trained individuals
  • U.S. Bureau of Labor Statistics
  • The security of computer networks will continue to increase in importance as more business is conducted over the internet Source: www.collegegrad.com/careers/manage30.shtml
  • Computerworld expects security pay to continue to outperform the market Source: www.computerworld.com/careertopics/careers/story/0,10801,73893,00.html

Becoming an Information Security Specialist

  • Get the right certification, such as:
  • Certified Information Systems Security Professional (CISSP)
  • Cisco Certified Security Professional
  • Global Information Assurance Certification (GIAC): www.giac.org
  • Increase your disaster recovery and risk management skills
  • Get on a project working with strategic partners
  • Consider an internship in IS

Schools Are Responding to Demands

  • Hundreds of community colleges, four-year universities, and post-graduate programs are offering degrees and certificates in emergency preparedness, counterterrorism, and security
  • The National Security Agency Centers of Academic Excellence www.nsa.gov/ia/academia/caeiae.cfm

Multidisciplinary Approach

  • Exposure to nontechnical areas (probability and statistics, psychology, English, foreign languages, philosophy, ethics, history, and so on) gives INFOSEC professionals a greater ability to address and resolve complex problems
  • A wide range of educational experiences is a good foundation for an INFOSEC career

Contextualizing Information Security

  • Information security draws upon the best practices and experiences from multiple domains

Contextualizing Information Security (cont.)

  • A view of a typical structure and context showing where INFOSEC fits within a typical large corporation

Information Security Careers Meet the Needs of Business

  • To support large business operations a number of common positions and career opportunities are needed:
  • Security administrators
  • Access coordinators
  • Security architects and network engineers
  • Security consultants
  • Security testers
  • Policymakers and standards developers
  • Compliance officers
  • Incident response team members
  • Governance and vendor managers

Summary

  • Networked systems remain vulnerable to attacks from both within and outside an organization
  • The explosive growth of e-commerce and the pervasive personal and business uses of the internet have created a growing demand for INFOSEC specialists
  • The principles, approaches, and concepts in INFOSEC should work together to provide the mix of risk and reward that modern business demands

Introduction

  • It is imperative to rely on principle-based analysis and decision making
  • No two systems or situations are identical, and there are no cookbooks to consult on how to solve security problems

Information Security Principles:

#1 There Is No Such Thing as Absolute Security

  • Given enough time, tools, skills, and inclination, an attacker can break through any security measure

Information Security Principles:

#2 Three Security Goals (CIA triad)

  • Protect the confidentiality of data
  • Confidentiality models are primarily intended to assure that no unauthorized access to information is permitted and that accidental disclosure of sensitive information is not possible
  • Preserve the integrity of data
  • Integrity models keep data pure and trustworthy by protecting system data from intentional and accidental changes
  • Promote the availability of data for authorized use
  • Availability models keep data and resources available for authorized use

Information Security Principles:

#3 Defense in Depth as a Strategy

  • Defense in depth
  • Security implemented in overlapping layers that provide the three elements needed to secure assets: prevention, detection, and response
  • The weaknesses of one security layer are offset by the strengths of two or more layers

Information Security Principles:

#4 When Left on Their Own, People Tend to Make the Worst Security Decisions

  • It takes little to convince someone to give up their credentials in exchange for trivial or worthless goods
  • Many people are easily convinced to double-click on the attachment

Subject: Here you have, ;o)

Message body: Hi: Check This!

Attachment: AnnaKournikova.jpg.vbs
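The lure above mirrors the 2001 "Anna Kournikova" VBScript worm: the attachment is a script, but the decoy ".jpg" in the middle of the name and Windows Explorer's default of hiding the last known extension make it look like a picture. The following is an added example, not part of the original study guide, of a mail-gateway check that flags such attachments. The extension lists and the sample messages are constructed for illustration.

```python
from typing import Dict, List, Optional, Tuple

# Extensions Windows runs, or hands to a script host, on double-click.
EXECUTABLE_EXTS = {
    "exe", "com", "scr", "pif", "bat", "cmd", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "ps1", "msi", "lnk",
}
# Extensions a user expects to be inert content (used as decoys).
BENIGN_LOOKING_EXTS = {
    "jpg", "jpeg", "gif", "png", "bmp", "txt", "doc", "pdf", "xls", "mp3", "avi",
}


def suspicious_extension(filename: str) -> Optional[str]:
    """Return why the attachment name is deceptive, or None if it is not.

    Only the *last* extension decides what Windows does with the file, so a
    name like photo.jpg.vbs is a script however many decoys precede it.
    Padding spaces before the real extension ('invoice.pdf      .exe') are a
    common trick to push it out of view, so each part is stripped first.
    """
    parts = [p.strip() for p in filename.lower().split(".")]
    if len(parts) < 2:
        return None                      # no extension at all
    final_ext = parts[-1]
    if final_ext not in EXECUTABLE_EXTS:
        return None                      # would not execute on double-click
    decoys = [p for p in parts[1:-1] if p in BENIGN_LOOKING_EXTS]
    if decoys:
        return f"executable .{final_ext} disguised as .{decoys[-1]}"
    return f"executable attachment (.{final_ext})"


def displayed_name(filename: str) -> str:
    """What Explorer shows with 'Hide extensions for known file types' on:
    only the final known extension is hidden, so the decoy stays visible."""
    stem, dot, ext = filename.rpartition(".")
    if dot and ext.strip().lower() in EXECUTABLE_EXTS | BENIGN_LOOKING_EXTS:
        return stem
    return filename


def triage(messages: List[Dict[str, Optional[str]]]) -> List[Tuple[str, str]]:
    """Return (subject, reason) for every message whose attachment is flagged."""
    flagged = []
    for msg in messages:
        name = msg.get("attachment")
        if not name:
            continue
        reason = suspicious_extension(name)
        if reason:
            flagged.append((msg["subject"], reason))
    return flagged


# Constructed sample messages (not real mail); the first one is the lure above.
SAMPLE_MESSAGES = [
    {"subject": "Here you have, ;o)", "body": "Hi: Check This!", "attachment": "AnnaKournikova.jpg.vbs"},
    {"subject": "Q3 photos", "body": "Team offsite", "attachment": "team.jpg"},
    {"subject": "Invoice", "body": "Please pay", "attachment": "invoice.pdf                     .exe"},
    {"subject": "Notes", "body": "No attachment here", "attachment": None},
]

if __name__ == "__main__":
    for subject, reason in triage(SAMPLE_MESSAGES):
        print(f"{subject!r}: {reason}")
```

The check deliberately keys on the final extension rather than on "contains .jpg", since that is the rule the operating system itself applies; a real gateway would combine this with content-type sniffing of the attachment bytes, which this example does not do.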

Information Security Principles:

#5 Functional and Assurance Requirements

  • Functional requirements
  • Describe what a system should do
  • Assurance requirements
  • Describe how functional requirements should be implemented and tested

Does the system do the right things in the right way?

  • Verification: the process of confirming that one or more predetermined requirements or specifications are met
  • Validation: a determination of the correctness or quality of the mechanisms used in meeting the needs

Information Security Principles:

#6 Security through Obscurity Is Not an Answer

  • Many people believe that if hackers don’t know how software is secured, security is better
  • Although this seems logical, it’s actually untrue
  • Obscuring security leads to a false sense of security, which is often more dangerous than not addressing security at all

Information Security Principles:

#7 Security = Risk Management

  • Security is not concerned with eliminating all threats within a system or facility but with eliminating known threats and minimizing losses if an attacker succeeds in exploiting a vulnerability
  • Risk analysis and risk management are central themes to securing information systems
  • Risk assessment and risk analysis are concerned with placing an economic value on assets to best determine appropriate countermeasures that protect them from losses
  • Vulnerability
  • A weakness in a system or program that an attacker could take advantage of
  • Exploit
  • A program or a “cookbook” on how to take advantage of a specific vulnerability
  • Attacker
  • The agent who applies an exploit to a vulnerability, linking the two

Information Security Principles:

#8 Security Controls: Preventative, Detective, and Responsive

  • A security mechanism serves a purpose by preventing a compromise, detecting that a compromise or compromise attempt is underway, or responding to a compromise while it is happening or after it has been discovered

Information Security Principles:

#9 Complexity Is the Enemy of Security

  • The more complex a system gets, the harder it is to secure

Information Security Principles:

#10 Fear, Uncertainty, and Doubt (FUD) Do Not Work in Selling Security

  • Information security managers must justify all investments in security using the techniques of the trade
  • When spending resources can be justified with good, solid business rationale, security requests are rarely denied

Information Security Principles:

#11 People, Process and Technology Are All Needed

  • People, process, and technology controls are essential elements of security practices including operations security, applications development security, physical security, and cryptography

Information Security Principles:

#12 Open Disclosure of Vulnerabilities Is Good for Security

  • Keeping a given vulnerability secret from users and from the software developer can only lead to a false sense of security
  • The need to know trumps the need to keep secrets in order to give users the right to protect themselves

Summary

  • Computer security specialists must not only know the technical side of their jobs but also must understand the principles behind information security
  • These principles are mixed and matched to explain why certain security functions and operations exist in the real world of IT

Certification & Information Security

  • Industry standards, ethics, and certification of information systems professionals and practitioners are critical to ensuring that a high standard of security is achieved
  • Certification benefits both the employer and the employee
  • Oversight and governance of the professional certification process is needed
  • To help maintain its relevance and currency
  • To aid professionals in networking with other professionals
  • To meet that need, the (ISC)² organization was created

Certification & Information Security...

  • International Information Systems Security Certification Consortium ((ISC)²)
  • Maintaining a CBK for information security
  • Certifying industry professionals and practitioners
  • Administering training and certification examinations
  • Ensuring credentials are maintained
  • Two primary certifications
  • Certified Information Systems Security Professional (CISSP)
  • System Security Certified Practitioner (SSCP)

Information Security Common Body of Knowledge (CBK)

  • The CBK is a compilation and distillation of all security information collected that is relevant to information security professionals
  • CISSP certification includes a working knowledge of all 10 domains (www.isc2.org); the CBK has since been reorganized into eight domains

10 Domains

  • Security Management Practices (Chap 4)
  • Security Architecture and Models (Chap 5)
  • Business Continuity Planning (Chap 6)
  • Law, Investigations, and Ethics (Chap 7)
  • Physical Security (Chap 8)
  • Operations Security (Chap 9)
  • Access Control Systems and Methodology (Chap 10)
  • Cryptography (Chap 11)
  • Telecommunications, Network, and Internet Security (Chap 12)
  • Applications Development Security (Chap 13)

Other Certificate Programs

  • Certified Information Systems Auditor (CISA)
  • Focuses more on business procedures than technology
  • Certified Information Security Manager (CISM)
  • To assure that an information security manager has the required knowledge and ability to provide effective security management and consulting
  • Global Information Assurance Certifications (GIAC)
  • Intended primarily for practitioners or hands-on personnel such as system administrators and network engineers
  • CompTIA Security+ Certification
  • Tests the security knowledge mastery of an individual with two years on-the job networking security experience
  • Vendor-Specific Certification Programs
  • Check Point Certified Security Principles Associate
  • Cisco Qualified Specialist Programs
  • Such as Firewall, VPN, Intrusion Protection, etc.
  • Cisco Certified Security Professional
  • Cisco Certified Internetwork Expert - Security Track (CCIE Security Track)
  • INFOSEC Professional
  • Microsoft Certified Systems Engineer: Security
  • RSA Certified Systems Engineer
  • Sun Certified Security Administrator for the Solaris Operating System
  • Symantec Technology Architect

Summary

  • The benefits of certification and immersion into the CBK are clear to both employers and professionals who commit to life-long learning and to the betterment of themselves and their careers

Introduction

Security Policies Set the Stage for Success

  • Security Management is a broad set of executive support and management activities that define an IT security programme
  • IT security programme
  • Begins with statements of management’s intent
  • Then translated into security policies
  • Policies are the most crucial element in a corporate information security infrastructure and must be considered before security technology is acquired and deployed

Security Policies Set the Stage for Success cont.

  • Effective policies
  • can rectify many of the weaknesses from failures to understand the business direction and security mission
  • can help to prevent or eliminate many of the faults and errors caused by a lack of security guidance
  • ultimately result in the development and implementation of better computer security and better protection of systems and information

Typical Policies and Standards Library Structure

Four Types of Policies

  • Programme-level policy
  • Programme-framework policy
  • Issue-specific policy
  • System-specific policy

Programme-Level Policies

  • Establish a security programme
  • Assign programme management responsibilities
  • State an organization-wide computer security purpose and objectives
  • Establish a basis for policy compliance

Programme-Level Policies cont.

  • This high-level policy
  • defines the purpose of the programme
  • defines its scope within the organization
  • assigns responsibilities for direct programme implementation as well as responsibilities to related offices
  • addresses compliance issues

Programme-Framework Policies

  • Provide an organization-wide direction for broad areas of programme implementation
  • Define the organization’s security programme elements that form the foundation for the computer security programme
  • Reflect information technology management’s decisions about priorities for protection, resource allocation, and assignment of responsibilities
  • Examples of possible programme-framework policies
  • Business continuity planning (BCP) framework (Chapter 6)
  • Physical security requirements framework for data centers (Chapter 7)
  • Application development security framework (Chapter 13)

Issue-Specific Policies

  • Basic components
  • Issue statement: defines a security issue, along with any relevant terms, distinctions, and conditions
  • Statement of the organization’s position: clearly states the organization’s position on the issue
  • Applicability: clearly states where, how, when, to whom, and to what a particular policy applies
  • Roles and responsibilities: assigns roles and responsibilities for the issue
  • Compliance: describes the infractions and states the corresponding penalties
  • Points of contact and supplementary information: lists the individuals to contact for further information and any applicable standards or guidelines
  • May come from the head of the organization, the top management official, the chief information officer (CIO), or the computer security programme manager (e.g., CISO)
  • Examples
  • E-mail acceptable use
  • Internet acceptable use
  • Laptop security policy

System-Specific Policies

  • State security objectives of a specific system
  • Define how the system should be operated to achieve objectives
  • Specify how the protections and features of the technology used support or enforce the security objectives
  • Normally issued by the manager or owner of the system but may originate from a high-level executive or official
  • Examples
  • Who is allowed to read or modify data in the system?
  • Under what conditions can data be read or modified?
  • Are users allowed to dial into the computer system from home or while on travel?

Development and Management of Security Policies

  • Three-level model for system security policy
  • Security objectives
  • consist of a series of statements to describe meaningful actions about specific resources
  • Operational security
  • List the rules for operating a system.
  • Policy implementation
  • the organization must determine the role technology plays in enforcing or supporting the policy

Policy Support Documents

Provide levels of detail supporting the policy and explaining the system development, management, and operational requirements, including

Regulations: laws passed by regulators and lawmakers

Standards and baselines: topic-specific (standards) and system specific (baselines) documents that describe overall requirements for security

Guidelines: documentation that aids compliance with the standards, giving considerations, hints, tips, and best practices for implementation

Procedures: step-by-step instructions on how to perform a specific security activity

Suggested Standards Taxonomy

  • Standards are formal written documents that describe several security concepts that are fundamental to all successful programmes
  • The highest level includes
  • Asset and data classification
  • Separation of duties
  • Pre-employment hiring practices
  • Education, awareness, and training
  • Risk analysis and management
  • Asset Classification
  • Asset and data classification is needed by businesses and agencies to help determine how much security is needed for appropriate protection
  • Separation of Duties
  • Separating duties within a business or organization helps limit any individual’s ability to cause harm or perpetrate theft
  • Preemployment Hiring Practices
  • Policies, standards, and procedures issued by human resources should address internal information security processes and functions
  • Education, Training, and Awareness
  • Because people are the weakest link in any security-related process, it’s crucial that a security programme address user education, awareness, and training on policies and procedures
  • Education must be driven top-down and must be comprehensive
  • Training must be ongoing (at least annually) and also take place whenever policies change
  • Risk Analysis and Management
  • A risk analysis answers three fundamental questions:
  • What am I trying to protect?
  • What is threatening my system?
  • How much time, effort, and money am I willing to spend?
  • Two basic types of risk analysis
  • Quantitative Risk Analysis
  • Qualitative Risk Analysis

Quantitative Risk Analysis

  • Attempts to establish and maintain an independent set of risk metrics and statistics
  • Some of the calculations used for quantitative risk analysis
  • Annualized loss expectancy (ALE): single loss expectancy multiplied by annualized rate of occurrence
  • Probability: chance or likelihood that an event will occur
  • Threat: an event, the occurrence of which could have an undesired impact
  • Control: risk-reducing measure that acts to detect, prevent, or minimize loss associated with the occurrence of a specified threat
  • Vulnerability: the absence or weakness of a risk-reducing safeguard
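The following is an added example, not part of the original study guide, carrying the quantitative arithmetic above through to the countermeasure decision that Principle #7 says risk analysis exists for. ALE = SLE × ARO is from the page; SLE = asset value × exposure factor is the standard definition of single loss expectancy and is assumed here. All figures, threat and control names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float      # value of the asset at risk, in currency units
    exposure_factor: float  # fraction of that value lost in one occurrence (0..1)
    aro: float              # annualized rate of occurrence (expected events per year)


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float      # amortized purchase plus yearly operating cost
    residual_aro: float     # ARO once the control is in place
    residual_ef: float      # exposure factor once the control is in place


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single loss expectancy: what one occurrence costs (assumed definition)."""
    return asset_value * exposure_factor


def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    """Annualized loss expectancy: SLE multiplied by the annualized rate of occurrence."""
    return sle(asset_value, exposure_factor) * aro


def net_benefit(threat: Threat, control: Control) -> float:
    """Yearly value of a control: loss avoided minus what the control costs.

    A control can lower the likelihood (ARO), the impact (EF), or both; a
    negative result means the control costs more than the risk it removes.
    """
    before = ale(threat.asset_value, threat.exposure_factor, threat.aro)
    after = ale(threat.asset_value, control.residual_ef, control.residual_aro)
    return before - after - control.annual_cost


def rank_controls(threat: Threat, controls: List[Control]) -> List[Tuple[str, float]]:
    """Controls worth funding for this threat, best first; unprofitable ones are dropped."""
    scored = [(c.name, round(net_benefit(threat, c), 2)) for c in controls]
    return sorted([s for s in scored if s[1] > 0], key=lambda s: s[1], reverse=True)


# Constructed figures: a file server worth 200,000, a ransomware event that
# destroys a quarter of that value, expected once every two years.
RANSOMWARE = Threat("ransomware on file server", asset_value=200_000,
                    exposure_factor=0.25, aro=0.5)

CANDIDATES = [
    # Backups do not stop the event but cut the loss per event.
    Control("offline backups + tested restore", annual_cost=6_000,
            residual_aro=0.5, residual_ef=0.05),
    # Endpoint detection makes the event rarer but not cheaper when it happens.
    Control("EDR on all endpoints", annual_cost=15_000,
            residual_aro=0.1, residual_ef=0.25),
    # A second perimeter firewall does nothing for mail-borne ransomware.
    Control("extra perimeter firewall", annual_cost=30_000,
            residual_aro=0.5, residual_ef=0.25),
]

if __name__ == "__main__":
    print("ALE before controls:", ale(RANSOMWARE.asset_value,
                                       RANSOMWARE.exposure_factor, RANSOMWARE.aro))
    for name, benefit in rank_controls(RANSOMWARE, CANDIDATES):
        print(f"{name}: net benefit {benefit:,.2f} per year")
```

The point of the ranking is the one the list above makes: the countermeasure is justified by the loss it avoids, not by how much it costs or how sophisticated it is, which is also why the firewall drops out of the ranking for this threat.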

Qualitative Risk Analysis

  • The most widely used approach to risk analysis
  • Makes use of a number of interrelated elements:
  • Threats: things that can go wrong or that can “attack” the system
  • Vulnerabilities: make a system more prone to attack or make an attack more likely to have some success or impact
  • Controls: the countermeasures for vulnerabilities
  • A risk is real when a threat is present, there is a vulnerability the attacker can exploit, and there is a high likelihood that the attacker will carry out the threat

A Model of the Risk Analysis Process

Who Is Responsible for Security?

  • Everyone who uses information technology is responsible for maintaining the security and confidentiality of information resources and must comply with security policies and procedures
  • Chief information security officer (CISO), information resources manager, information resources security officer, owners of information resources, custodians of information resources, technical managers (network and system administrators), internal auditors, and users

Summary

  • Security Management Practices domain is most concerned with the establishment and ongoing operation of the organization’s security programme.
  • This programme includes policies, standards, baselines, procedures, and guidance for compliance.

Defining the Trusted Computing Base

  • Trusted Computing Base
  • is the totality of protection mechanisms within a computer system including hardware, firmware, and software
  • consists of one or more components that together enforce a unified security policy over a product or system
  • describes the isolation of objects on which the protection is based, following the concept of the reference monitor

Defining the Trusted Computing Base cont.

  • Reference Monitor
  • a software model or abstract machine that mediates every access by any subject (user, process, or device) to any object (resource, data, and so forth) and cannot be bypassed; it must be tamperproof, always invoked, and small enough to be verified
  • a security kernel is the hardware, firmware, and software that implement the reference monitor concept for a specific platform; the kernels of operating systems such as Sun Solaris, Red Hat Linux, or Mac OS X play this role

Rings of Trust

  • Rings of trust order a system’s components by privilege: the innermost ring (the kernel) is the most trusted and each outer ring is less trusted. Trust flows in one direction only: outer-ring code may call into an inner ring solely through controlled entry points, never the reverse

Rings of Trust cont.

  • Rings of trust in stand-alone systems

Rings of Trust cont.

  • Rings of trust in networked environments

Protection Mechanisms in a Trusted Computing Base

  • Process isolation
  • is a design objective in which each process has its own distinct address space for its application code and data
  • prevents data or information leakage and prevents modification of the data while it is in memory
  • Principle of least privilege
  • dictates that a process (program) has no more privilege than what it really needs in order to perform its functions
  • Hardware segmentation
  • relates to the segmentation of memory into protected segments
  • prevents user processes from being able to access both another process’s allocated memory and system memory

Protection Mechanisms in a Trusted Computing Base cont.

  • Layering
  • divides a system’s operation into layers by function, so that each layer depends only on the layer beneath it and its internals are hidden from the layers above
  • Abstraction
  • is a process that defines a specific set of permissible values for an object and the operations that are permissible on that object

Protection Mechanisms in a Trusted Computing Base cont.

  • Data hiding (also known as information hiding)
  • is a mechanism to assure that information available at one processing level is not available in another, regardless of whether it is higher or lower
  • Information storage
  • refers to the parts of a computer system that retain a physical state (information) for some interval of time, possibly even after electrical power to the computer is removed

Protection Mechanisms in a Trusted Computing Base cont.

  • Closed System vs. Open System
  • Closed systems are of a proprietary nature
  • use specific operating systems and hardware to perform the task and generally lack standard interfaces to allow connection to other systems
  • An open system is based on accepted standards and employs standard interfaces to allow connections between different systems
  • promotes interoperability and allows the user to have full access to the total system capability

Protection Mechanisms in a Trusted Computing Base cont.

  • Multitasking
  • is a technique used by a system that is capable of running two or more tasks concurrently or in interleaved execution
  • Multiprogramming system
  • allows for the interleaved execution of two or more programs on a processor

Protection Mechanisms in a Trusted Computing Base cont.

  • Multiprocessing
  • provides for simultaneous execution of two or more programs on two or more processors (CPUs)
  • Finite-state machine
  • stores the status or state of something at a given time and, based on inputs, changes the stored state and/or causes an action or output to take place

System Security Assurance Concepts

  • Functional requirements
  • Describe what a system should do
  • Assurance requirements
  • Describe how functional requirements should be implemented and tested

System Security Assurance Concepts cont.

  • Security Testing
  • It verifies that the functions designed to meet a security requirement operate as expected
  • In addition, it validates that the implementation of the function is not flawed or haphazard

System Security Assurance Concepts cont.

  • Formal Security Testing Models
  • Trusted Computer System Evaluation Criteria (TCSEC)
  • United States in the early 1980s
  • Information Technology Security Evaluation Criteria (ITSEC)
  • Europe in 1991 by the European Commission
  • Canadian Trusted Computer Product Evaluation Criteria (CTCPEC)
  • Canada in early 1993
  • Federal Criteria for Information Technology Security (FC)
  • United States in early 1993
  • Common Criteria (ISO/IEC 15408)
  • Today’s standard

Trusted Computer System Evaluation Criteria

  • Division D: Minimal Protection
  • Division C: Discretionary Protection
  • Class C1: Discretionary Security Protection
  • Class C2: Controlled Access Protection

Trusted Computer System Evaluation Criteria cont.

  • Division B: Mandatory Protection
  • Class B1: Labeled Security Protection
  • Class B2: Structured Protection
  • Class B3: Security Domains
  • Division A: Verified Protection
  • Class A1: Verified Design

Information Technology Security Evaluation Criteria (ITSEC)

  • ITSEC introduces the concept of the target of evaluation (TOE), which refers to the product or system under evaluation
  • It also introduces the security target (ST), a written document that contains
  • a system security policy
  • required security enforcing functions
  • required security mechanisms
  • claimed ratings of minimum strength
  • target evaluation levels, expressed as both functional and evaluation (F-xx and E-yy)

ITSEC cont.

Comparing ITSEC and TCSEC

Canadian Trusted Computer Product Evaluation Criteria

  • It is somewhat more flexible than the TCSEC while maintaining fairly close compatibility with individual TCSEC requirements
  • The CTCPEC’s approach of structuring security functionality separately from assurance influenced international standardization through the Common Criteria

Federal Criteria for information Technology Security

  • FC introduces the concept of a protection profile (PP) that empowers users or buyers of technology to specify their security requirements for hardware and software

Common Criteria

  • CC provides a common language and structure to express IT security requirements
  • CC enables the creation of catalogs of standards broken down into components and packages
  • CC breaks apart the functional and assurance requirements into distinct elements that users can select for customized security device implementation

Common Criteria cont.

  • Using the CC framework, users and developers of IT security products create protection profiles (PPs) as an implementation-independent collection of objectives and requirements for any given category of products or systems that must meet similar needs

Common Criteria cont.

  • Protection Profile Organization
  • Introduction section
  • Target of evaluation description
  • Security environment
  • Assumptions
  • Threats
  • Organizational security policies

Common Criteria cont.

  • Security Requirements and Classes
  • Classes of functional requirements
  • Classes of assurance requirements
  • Evaluation Assurance Levels
  • define a scale (EAL1 through EAL7) for measuring the rigor with which PPs and STs are evaluated
  • provide an increasing scale that balances the level of assurance claimed with the cost and feasibility of acquiring that assurance

Common Criteria cont.

  • Common Evaluation Methodology (CEM)
  • is focused on the actions that evaluators must take to determine that CC requirements for a TOE are present
  • is a tool that is used by evaluation schemes to ensure consistent application of the requirements across multiple evaluations and multiple schemes

Security Criteria Compared

Confidentiality and Integrity Models

  • Security models are mathematical representations of abstract machines that describe how a reference monitor is designed to operate
  • Commonly used models:
  • Bell-LaPadula model
  • Biba integrity model
  • Clark and Wilson
  • Noninterference
  • State machine model
  • Access matrix model
  • Information flow model

Confidentiality and Integrity Models cont.

  • Bell-LaPadula model
  • is a confidentiality model: a subject may not read an object classified above its clearance (simple security property, “no read up”) and may not write to an object classified below its clearance (*-property, “no write down”)
  • Biba integrity model
  • is the integrity counterpart: subjects cannot read objects of lower integrity (“no read down”) and cannot write to objects of higher integrity (“no write up”)
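The following is an added example, not part of the original study guide, that ties the reference monitor described under the trusted computing base to the two models just listed: a toy monitor that mediates every access and applies the Bell-LaPadula confidentiality rules and the Biba integrity rules together, denying the access if either model objects. The level names, subjects and objects are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, List

# Ordered lattices: index 0 is the lowest level. Each object carries a label
# from both lattices, since the two models protect different properties.
SENSITIVITY = ["public", "confidential", "secret", "top_secret"]
INTEGRITY = ["untrusted", "user", "system"]


@dataclass(frozen=True)
class Label:
    sensitivity: str   # confidentiality classification (object) or clearance (subject)
    integrity: str     # integrity level


@dataclass(frozen=True)
class Decision:
    allowed: bool
    rule: str


def dominates(lattice: List[str], a: str, b: str) -> bool:
    """True when level a is at or above level b in the given lattice."""
    return lattice.index(a) >= lattice.index(b)


def bell_lapadula(subject: Label, op: str, obj: Label) -> Decision:
    if op == "read":   # simple security property: no read up
        ok = dominates(SENSITIVITY, subject.sensitivity, obj.sensitivity)
        return Decision(ok, "BLP simple security (no read up)")
    if op == "write":  # *-property: no write down
        ok = dominates(SENSITIVITY, obj.sensitivity, subject.sensitivity)
        return Decision(ok, "BLP *-property (no write down)")
    raise ValueError(f"unknown operation {op!r}")


def biba(subject: Label, op: str, obj: Label) -> Decision:
    if op == "read":   # simple integrity axiom: no read down
        ok = dominates(INTEGRITY, obj.integrity, subject.integrity)
        return Decision(ok, "Biba simple integrity (no read down)")
    if op == "write":  # *-integrity axiom: no write up
        ok = dominates(INTEGRITY, subject.integrity, obj.integrity)
        return Decision(ok, "Biba *-integrity (no write up)")
    raise ValueError(f"unknown operation {op!r}")


class ReferenceMonitor:
    """Every access goes through check(); objects have no other access path.

    The monitor is deliberately small (so it can be verified), is invoked on
    every access, and records each decision so denials can be audited.
    """

    def __init__(self, policies: List[Callable[[Label, str, Label], Decision]] = None):
        self.policies = policies or [bell_lapadula, biba]
        self.audit: List[str] = []

    def check(self, who: str, subject: Label, op: str, what: str, obj: Label) -> bool:
        for policy in self.policies:
            decision = policy(subject, op, obj)
            if not decision.allowed:
                self.audit.append(f"DENY {who} {op} {what}: {decision.rule}")
                return False
        self.audit.append(f"ALLOW {who} {op} {what}")
        return True


if __name__ == "__main__":
    rm = ReferenceMonitor()
    analyst = Label("secret", "user")                 # constructed subject
    rm.check("analyst", analyst, "read", "report", Label("confidential", "user"))
    rm.check("analyst", analyst, "write", "report", Label("confidential", "user"))
    rm.check("analyst", analyst, "read", "inbox", Label("public", "untrusted"))
    rm.check("analyst", analyst, "write", "vault", Label("top_secret", "user"))
    print("\n".join(rm.audit))
```

Note how the two models pull in opposite directions: Bell-LaPadula lets the analyst write upward into a top-secret vault but not downward into a confidential report, while Biba stops the same analyst reading an untrusted inbox even though confidentiality would allow it. A real system that wants both properties has to accept both sets of denials.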

Confidentiality and Integrity Models cont.

  • Clark and Wilson model
  • is an integrity model for commercial systems: data may be changed only through well-formed transactions, the individuals who run those transactions are authenticated, and separation of duties is enforced
  • Noninterference model
  • covers ways to prevent subjects operating in one domain from affecting each other in violation of security policy
  • State machine model
  • is an abstract mathematical model consisting of state variables and transition functions

Confidentiality and Integrity Models cont.

  • Access matrix model
  • is a state machine model for a discretionary access control environment
  • Information flow model
  • simplifies analysis of covert channels

Summary

  • The trusted computing base is the portion of a computer system that contains all elements of the system responsible for supporting the security policy and supporting the isolation of objects on which the protection is based
  • Several evolving models of evaluation and assurance cover various aspects of confidentiality, integrity, and availability
  • Common Criteria harmonizes the work of the various international efforts into a unified evaluation methodology that replaces the former methods

Overview of the Business Continuity Plan and Disaster Recovery Plan

  • Business continuity planning and disaster recovery planning
  • share the common goal of keeping a business running in the event of an emergency or interruptions

Overview of the Business Continuity Plan and Disaster Recovery Plan cont.

  • Business continuity plan (BCP)
  • describes the critical processes, procedures, and personnel that must be protected in the event of an emergency
  • uses the business impact analysis (BIA) to evaluate risks to the organization and to prioritize the systems in use for purposes of recovery

Overview of the Business Continuity Plan and Disaster Recovery Plan cont.

  • Disaster recovery plan (DRP)
  • describes the exact steps and procedures that personnel in key departments should follow in order to recover critical business systems in the event of a disaster that causes loss of access to the systems required for business operations

Overview of the Business Continuity Plan and Disaster Recovery Plan cont.

  • Steps for business continuity planning

1. Identify the scope and boundaries of the business continuity plan

  • This step typically involves an audit analysis of the organization’s assets and a risk analysis

2. Create the business impact assessment

  • The BIA measures the operating and financial loss to the organization resulting from a disruption to critical business functions

Overview of the Business Continuity Plan and Disaster Recovery Plan cont.

3. Sell the concept of the BCP to key senior management and obtain organizational and financial commitment

4. Each department will need to understand its role in the plan and support and help maintain it

5. The BCP project team must implement the plan

Why the BCP is so important

  • 80% of businesses without a recovery plan went bankrupt within 1 year of a major data loss
  • 59% of companies cannot conduct business during unscheduled IT downtime
  • 40% of companies that cannot conduct business during a major IT outage go out of business within 5 years
  • 50% of companies in the World Trade Center went out of business after September 11, 2001 Source: AbleOne Systems, http://www.ableone.com

Types of Disruptive Events

  • Natural events
  • earthquakes, fires, floods, mudslides, snow, ice, lightning, hurricanes, tornadoes, and so forth
  • explosions, chemical fires, hazardous waste spills, smoke and water damage
  • power outages caused by utility failures, high heat and humidity, solar flares, and so forth

Types of Disruptive Events cont.

  • Manmade events
  • strikes, work stoppages, walkouts
  • sabotage, burglary, and other forms of hostile activity
  • massive failure of technology including utility and communication failure caused by human intervention or error

Defining the Scope of the Business Continuity Plan

  • Identifying critical business processes and requirements for continuing to operate in the event of an emergency
  • Assessing risks to the business if critical services are discontinued – referred to as business impact analysis
  • Prioritizing those processes and assigning a value to each process

Defining the Scope of the Business Continuity Plan cont.

  • Determining the cost of continuous operation and the value ascribed to each service
  • Establishing the priority of restoring critical services
  • Once the BCP is approved, the BCP team must establish the rules of engagement

Creating the Business Impact Analysis

  • Prioritize the business processes, possibly using a scoring system to assign a weight or value to each process
  • Determine how long each process can be down before business continuity is seriously compromised
  • Identify the resources required to support the most critical processes

Disaster Recovery Planning

  • The goals of the DRP
  • Keeping the computers running
  • Meeting formal and informal service level agreements with customers and suppliers
  • Being proactive rather than reactive

Identifying Recovery Strategies

  • The BCP will identify the critical business processes that must be protected through the BIA documents
  • The function of the DRP is to identify the exact strategy for recovering those processes, specifically IT systems and services that are struck by a disaster

Identifying Recovery Strategies cont.

  • Shared-Site Agreements
  • arrangements between companies with similar if not identical data processing centers
  • Alternate Sites
  • A company seeking DRP assistance can use a third-party vendor to provide emergency backup services
  • Hot Site, Cold Site, and Warm Site
  • Additional Arrangements
  • Multiple centers, Service bureaus, and Mobile units

How to Test a Disaster Recovery Plan

  • Walk-throughs
  • Members of the key business units meet to trace their steps through the plan, looking for omissions and inaccuracies
  • Simulations
  • Critical personnel meet to perform a “dry run” of the emergency, mimicking the response to a true emergency as closely as possible
  • Checklists
  • A more passive type of testing and a first step toward a more comprehensive test

How to Test a Disaster Recovery Plan cont.

  • Parallel testing
  • The backup processing occurs in parallel with production services that never stop
  • Full interruption
  • Production systems are stopped as if a disaster had occurred to see how the backup services perform

Without the Walls and Within

  • DRP should predict how employees will behave in the event of an emergency within its walls and consider how they will interact with external agents such as firemen, ambulance drivers, and policemen

Summary

  • BCP and DRP are formal processes in any business that is concerned about maintaining its operation in the face of a disaster or interruption
  • To implement its DRP, a company typically uses outside services
  • The plan must be thoroughly tested using one or more of the five testing techniques

Introduction

  • IS specialists need to keep up with the latest:
  • laws
  • codes of ethics
  • other rules governing the use of information technology
  • The speed of technological change outstrips the speed at which our governing bodies can create applicable laws
  • This gap makes the IS specialist’s role even more critical

Types of Computer Crime

  • CSI/FBI report revealed that
  • The greatest financial loss ($55 million) came from virus attacks
  • The second most prevalent crime ($26 million) was the Denial of Service (DoS) attack
  • Only 20 percent of companies experiencing an attack reported it to the authorities—down 10 percent from 2003

Types of Computer Crime cont.

  • Major categories of computer crimes
  • Military and intelligence attacks
  • Business attacks
  • Financial attacks
  • Terrorist attacks
  • Grudge attacks
  • Thrill attacks

How Cyber Criminals Commit Crimes

  • Most prevalent types of computer crimes
  • Denial of Service (DoS) attacks
  • Rogue code
  • Software piracy
  • Social engineering
  • Dumpster diving
  • Spoofing of Internet Protocol addresses
  • Emanation eavesdropping
  • Embezzlement
  • Information warfare

The Computer and the Law

  • Three branches of the legal system
  • Legislative branch
  • Statutory law, referred to as session law
  • Administrative branch
  • Administrative law, also referred to as natural justice
  • Judicial branch
  • Common law

The Computer and the Law cont.

  • Three primary categories in common law
  • Civil law: compensates individuals who were harmed through wrongful acts known as torts
  • Criminal law: punishes those who violate government laws and harm an individual or group
  • Regulatory law: regulates the behavior of administrative agencies of government

Intellectual Property Law

  • Besides copyright protection, designed to protect the distribution and reproduction rights of the owner, intellectual property law includes several other categories:
  • Patent law
  • Patents grant an inventor the right to exclude others from producing or using the inventor’s discovery or invention for a limited period of time
  • Trademarks
  • Trademarks are any word, name, symbol, or device, or any combination thereof that the individual intends to use commercially and wants to distinguish as coming from a unique source
  • Trade secrets
  • A trade secret is a patent in process, an embryonic but unofficial and legally unprotected idea

Privacy and the Law

  • Fair Information Practices in the Electronic Marketplace (source: the Federal Trade Commission’s May 2000 report)
  • Notice/awareness
  • Web site should tell the user how it collects and handles user information
  • Choice/consent
  • Web sites must give consumers control over how their personally identifying information is used
  • Access/participation
  • Users would be able to review, correct, and in some cases delete personally identifying information on a particular Web site
  • Security/integrity
  • Web sites must implement policies, procedures, and tools that will prevent unauthorized access and hostile attacks against the site

Privacy and the Law cont.

  • The International Safe Harbor Principles
  • Notice
  • Companies must notify individuals what personally identifying information they are collecting, why they are collecting it, and how to contact the collectors
  • Choice
  • Individuals must be able to choose whether and how their personal information is used by, or disclosed to, third parties
  • Onward transfer
  • Third parties receiving personal information must provide the same level of privacy protection as the company from whom the information is obtained
  • Security
  • Companies housing personal information and sensitive data must secure the data

Privacy and the Law cont.

  • The International Safe Harbor Principles cont.
  • Data integrity
  • Companies must be able to reassure individuals that their data is complete, accurate, current, and used for the stated purposes only
  • Access
  • Individuals must have the right and ability to access their information and correct, modify, or delete any portion of it
  • Enforcement
  • Each company must adopt policies and practices that enforce the aforementioned privacy principles

Privacy and the Law cont.

  • Privacy Laws in the United States
  • 1970 U.S. Fair Credit Reporting Act: regulates the activities of credit bureaus
  • 1986 U.S. Electronic Communications Act: protects the confidentiality of private message systems from unauthorized eavesdropping
  • 1987 U.S. Computer Security Act
  • 1996 U.S. Kennedy-Kassebaum Health Insurance Portability and Accountability Act (HIPAA): protects the confidentiality and portability of personal health care information

Privacy and the Law cont.

  • Privacy Laws in the United States cont.
  • 2000 National Security Directive 42 (NSD-42): gives guidance on the security of national defense systems, among other roles
  • 2001 U.S. Patriot Act HR 3162, a.k.a. “Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act”
  • 2002 Federal Information Security Management Act: defines the basic statutory requirements for protecting federal computer systems

Computer Forensics

  • The National Data Conversion Institute (NDCI) makes a case for using expert investigative services to solve computer crimes
  • Arguments for investigative services
  • Successful litigation frequently depends on obtaining irrefutable computer evidence
  • Your evidence may not be as good as the opposition’s if you are using less sophisticated data-detection techniques
  • Your adversaries do not want you to obtain the data you need
  • The technology used to create the data you need may have already disappeared. Time is of the essence.

The InfoSec Professional’s Code of Ethics

  • ISC2 Code of Ethics: four mandatory canons
  • Protect society, the commonwealth, and the infrastructure
  • Act honorably, honestly, justly, responsibly, and legally
  • Provide diligent and competent service to principals
  • Advance and protect the profession

Other Ethics Standards

  • Computer Ethics Institute’s Ten Commandments of Computer Ethics
  • Internet Activities Board’s Ethics and the Internet
  • U.S. Department of Health, Education, and Welfare Code of Fair Information Practices

Summary

  • Laws, investigative principles, and professional ethics are as important to information security professionals as knowing how to design firewall architecture, which is a fundamental security technology