Human Resources Security Part 1 of 3

Upload: barnard-strickland

Post on 19-Dec-2015


TRANSCRIPT

Page 1: Human Resources Security Part 1 of 3. Benefits to Organizations security awareness, training, and education programs provide four major benefits to organizations:

Human Resources Security, Part 1 of 3

Benefits to Organizations

Security awareness, training, and education programs provide four major benefits to organizations:

• improving employee behavior
• increasing employee accountability
• mitigating liability for employee behavior
• complying with regulations and contractual obligations

The topic of security awareness, training, and education is mentioned prominently in a number of standards and standards-related documents, including ISO 27002 (Code of Practice for Information Security Management).

Human Factors & Learning Continuum

Table 17.1 Comparative Framework

Awareness

• seeks to inform and focus an employee's attention on security issues within the organization
• employees should be aware of their responsibilities for maintaining security and the restrictions on their actions
• users understand the importance of security for the well-being of the organization
• promote enthusiasm and management buy-in
• program must be tailored to the needs of the organization and target audience
• must continually promote the security message to employees in a variety of ways
• should provide a security awareness policy document to all employees

NIST SP 800-100 (Information Security Handbook: A Guide for Managers) describes the content of awareness programs, in general terms, as follows:

“Awareness tools are used to promote information security and inform users of threats and vulnerabilities that impact their division or department and personal work environment by explaining the what but not the how of security, and communicating what is and what is not allowed. Awareness not only communicates information security policies and procedures that need to be followed, but also provides the foundation for any sanctions and disciplinary actions imposed for noncompliance. Awareness is used to explain the rules of behavior for using an agency’s information systems and information and establishes a level of expectation on the acceptable use of the information and information systems.”

Training

• what people should do and how they should do it
• designed to teach people the skills to perform their IS-related tasks more securely

Training content by audience:

• general users: focus is on good computer security practices
• programmers, developers, system maintainers: develop a security mindset in the developer
• managers: how to make tradeoffs involving security risks, costs, and benefits
• executives: risk management goals, measurement, leadership

Education

• most in-depth program
• targeted at security professionals whose jobs require expertise in security
• fits into the employee career development category
• often provided by outside sources: college courses, specialized training programs

Employment Practices and Policies

• managing personnel with potential access is an essential part of information security
• employee involvement: an employee may unwittingly aid in the commission of a violation by failing to follow proper procedures, forget security considerations, not realize that they are creating a vulnerability, or knowingly violate controls or procedures

Security in the Hiring Process

• objective: “to ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities”
• need appropriate background checks and screening; investigate the accuracy of details
• for highly sensitive positions: have an investigation agency do a background check, criminal record check, and credit check

Employment Agreements

Employees should agree to and sign the terms and conditions of their employment contract, which should include:

I. employee and organizational responsibilities for information security
II. a confidentiality and non-disclosure agreement
III. reference to the organization's security policy
IV. acknowledgement that the employee has reviewed and agrees to abide by the policy

During Employment

• objectives with respect to current employees: ensure that employees, contractors, and third-party users are aware of information security threats and concerns and their responsibilities and liabilities with regard to information security; are equipped to support the organizational security policy in their work; and reduce the risk of human error
• two essential elements of personnel security during employment are: a comprehensive security policy document and an ongoing awareness and training program
• security principles: least privilege, separation of duties, limited reliance on key employees

Termination of Employment

• termination security objectives: ensure employees, contractors, and third party users exit the organization or change employment in an orderly manner, and that the return of all equipment and the removal of all access rights are completed
• critical actions:
• remove name from all authorized access lists
• inform guards that ex-employee general access is not allowed
• remove personal access codes, change physical locks and lock combinations, reprogram access card systems
• recover all assets, including employee ID, documents, data storage devices
• notify appropriate departments by memo or email

Email and Internet Use Policies

• organizations are incorporating specific e-mail and Internet use policies into their security policy document
• concerns for employers:
• work time consumed in non-work-related activities
• computer and communications resources may be consumed, compromising the mission that the IS resources are designed to support
• risk of importing malware
• possibility of harm, harassment, or inappropriate online conduct

Suggested Policies

• business use only
• policy scope
• content ownership
• privacy
• standard of conduct
• reasonable personal use
• unlawful activity prohibited
• security policy
• company policy
• company rights
• disciplinary action

Security Incident Response

• response procedures to incidents are an essential control for most organizations
• procedures need to reflect the possible consequences of an incident on the organization and allow for a suitable response
• developing procedures in advance can help avoid panic
• benefits of having an incident response capability:
• systematic incident response
• quicker recovery to minimize loss, theft, disruption of service
• use information gained during incident handling to better prepare for future incidents
• dealing properly with legal issues that may arise during incidents

Computer Security Incident Response Team (CSIRT)

CSIRTs are responsible for:

• rapidly detecting incidents
• minimizing loss and destruction
• mitigating the weaknesses that were exploited
• restoring computing services

Security Incident

• unauthorized access to a system:
• accessing information not authorized to see
• passing information on to a person not authorized to see it
• attempting to circumvent the access mechanisms
• using another person’s password and user id
• unauthorized modification of information on the system:
• attempting to corrupt information that may be of value
• attempting to modify information without authority
• processing information in an unauthorized manner

Detecting Incidents

• incidents may be detected by users or administration staff; staff should be encouraged to make reports of system malfunctions or anomalous behaviors
• automated tools: system integrity verification tools, log analysis tools, network and host intrusion detection systems (IDS), intrusion prevention systems

Triage Function

• goal: ensure that all information destined for the incident handling service is channeled through a single focal point
• commonly achieved by advertising the triage function as the single point of contact for the whole incident handling service
• responds to incoming information by:
• requesting additional information in order to categorize the incident
• notifying the various parts of the enterprise or constituency about the vulnerability and sharing information about how to fix or mitigate the vulnerability
• identifying the incident as either new or part of an ongoing incident and passing this information on to the incident handling response function

Responding to Incidents

• must have documented procedures to respond to incidents
• procedures should:
• detail how to identify the cause
• describe the action taken to recover from the incident
• identify typical categories of incidents and the approach taken to respond to them
• identify management personnel responsible for making critical decisions and how to contact them
• identify the circumstances when security breaches should be reported to third parties such as the police or relevant CERT


Incident Handling Life Cycle

Documenting Incidents

• should immediately follow a response to an incident
• identify what vulnerability led to its occurrence and how this might be addressed to prevent the incident in the future
• record the details of the incident and the response taken
• record the impact on the organization’s systems and their risk profile

Table 17.3 Examples of Possible Information Flow To and From the Incident Handling Service

Security Auditing, Part 2 of 3

Table 18.1 Security Audit Terminology (RFC 2828)

Security Audit and Alarms Model


Security Auditing Functions

Event Definition

• must define the set of events that are subject to audit
• Common Criteria suggests:
• introduction of objects
• deletion of objects
• distribution or revocation of access rights or capabilities
• changes to subject or object security attributes
• policy checks performed by the security software
• use of access rights to bypass a policy check
• use of identification and authentication functions
• security-related actions taken by an operator/user
• import/export of data from/to removable media

Implementation Guidelines

• agree on requirements with management
• scope of checks agreed and controlled
• checks limited to read-only access to software and data
• other access only for isolated copies of system files, then erased or given appropriate protection
• resources for performing the checks should be explicitly identified and made available
• requirements for special or additional processing should be defined
• all access should be monitored and logged
• document procedures, requirements, responsibilities
• person(s) doing the audit independent of the activities audited

What to Collect

• events related to the use of the auditing software
• events related to the security mechanisms on the system
• events that are collected for use by the various security detection and prevention mechanisms
• events related to system management and operation
• operating system access
• application access for selected applications
• remote access

Table 18.2 Auditable Items Suggested in X.816

Monitoring Areas Suggested in ISO 27002

Figure 18.4 - Examples of Audit Trails

• Figure 18.4a is an example of a system-level audit trail on a UNIX system
• Figure 18.4b is an example of an application-level audit trail for a mail delivery system
• Figure 18.4c is an example of a user-level audit trail on a UNIX system

Physical Access Audit Trails

• generated by equipment that controls physical access: card-key systems, alarm systems
• sent to a central host for analysis and storage
• data of interest: date/time/location/user of access attempt; both valid and invalid access attempts; attempts to add/modify/delete physical access privileges
• may send violation messages to personnel

Protecting Audit Trail Data

• read/write file on host:
• easy, least resource intensive, instant access
• vulnerable to attack by intruder
• write-once/read-many device:
• more secure but less convenient
• need steady supply of recordable media
• access may be delayed and not available immediately
• write-only device:
• provides paper trail
• impractical for capturing detailed audit data on large or networked systems
• useful when a permanent, immediately available log is required
• must protect both integrity and confidentiality: encryption, digital signatures, access controls
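One way to give audit records the integrity protection the slide calls for, as an added example that is not from the slides or the textbook: each entry carries an HMAC over its own content and the previous entry's tag, so a modified, deleted or reordered entry breaks every tag after it. The key, record fields and sample records are constructed; a digital signature could replace the HMAC where parties without the key must verify.

```python
import hashlib
import hmac
import json


def _tag(key, prev_tag, record):
    """HMAC over the previous tag and a canonical JSON encoding of this record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag.encode() + body, hashlib.sha256).hexdigest()


def append_record(key, trail, record):
    """Append `record` to `trail`, chaining its tag to the previous entry's tag."""
    prev = trail[-1]["tag"] if trail else "genesis"
    entry = {"record": record, "tag": _tag(key, prev, record)}
    trail.append(entry)
    return entry


def verify_trail(key, trail, expected_head=None):
    """Walk the chain; returns (True, None) or (False, index of the first bad entry).
    Truncation at the end is only caught when the last tag (`expected_head`) was
    recorded somewhere the audited host cannot alter, e.g. the write-once device
    the slide mentions, and is handed in here."""
    prev = "genesis"
    for i, entry in enumerate(trail):
        if not hmac.compare_digest(_tag(key, prev, entry["record"]), entry["tag"]):
            return False, i
        prev = entry["tag"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(trail)
    return True, None


def build_sample_trail(key):
    """Constructed audit records (not from the slides) for the demonstration."""
    trail = []
    for rec in ({"seq": 1, "user": "alice", "action": "login", "result": "ok"},
                {"seq": 2, "user": "alice", "action": "read", "object": "/etc/shadow"},
                {"seq": 3, "user": "alice", "action": "logout"}):
        append_record(key, trail, rec)
    return trail


if __name__ == "__main__":
    # Assumed key; in practice it is held by the verifier, not by the audited host.
    key = b"constructed-demo-key"
    trail = build_sample_trail(key)
    head = trail[-1]["tag"]
    print("intact:", verify_trail(key, trail, head))
    tampered = build_sample_trail(key)
    tampered[1]["record"]["object"] = "/tmp/notes"
    print("modified entry:", verify_trail(key, tampered, head))
    print("deleted entry:", verify_trail(key, trail[:1] + trail[2:], head))
    print("truncated, no head:", verify_trail(key, trail[:-1]))
    print("truncated, with head:", verify_trail(key, trail[:-1], head))
```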

Implementing Logging

• foundation of a security auditing facility is the initial capture of the audit data
• software must include hooks (capture points) that trigger data collection and storage as preselected events occur
• dependent on the nature of the software; varies depending on the operating system and applications involved

Windows Event Log

• an event is an entity that describes some interesting occurrence; it contains: a numeric identification code, a set of attributes, optional user-supplied data
• three types of event logs:
• system: system-related apps and drivers
• application: user-level apps
• security: Windows LSA

Windows Event Categories

• account logon events
• account management
• directory service access
• logon events
• object access
• policy changes
• privilege use

UNIX Syslog

UNIX's general-purpose logging mechanism, found on all UNIX / Linux variants. Elements:

• syslog(): API referenced by several standard system utilities and available to application programs
• logger: command used to add single-line entries to the system log
• /etc/syslog.conf: configuration file used to control the logging and routing of system log events
• syslogd: daemon to receive/route log events

Syslog Service

• basic service provides a means of capturing relevant events
• extra add-on features may include: robust filtering

Syslog Facilities and Severity Levels

(a) Syslog Facilities

(b) Syslog Severity Levels
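An added example, not from the slides, tying the UNIX Syslog slide to the facility and severity tables: it shows how facility and severity combine into the PRI value that syslog() places in front of a message, and how a syslogd applies /etc/syslog.conf selectors to route that message. The facility and severity codes are those of RFC 3164 / RFC 5424; the configuration fragment and message are constructed.

```python
import re

# Facility codes and severity levels from BSD syslog (RFC 3164, also RFC 5424).
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
SEVERITY_NAMES = {v: k for k, v in SEVERITIES.items()}

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def encode_pri(facility, severity):
    """PRI value syslog() puts in front of a message: facility * 8 + severity."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(line):
    """Split a received '<PRI>...' line into (facility, severity, rest)."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing PRI header")
    pri = int(m.group(1))
    if pri > 191:                      # 23 * 8 + 7 is the largest legal value
        raise ValueError("PRI out of range: %d" % pri)
    fac, sev = divmod(pri, 8)
    if fac not in FACILITY_NAMES:      # 12-15 are unassigned
        raise ValueError("unassigned facility: %d" % fac)
    return FACILITY_NAMES[fac], SEVERITY_NAMES[sev], m.group(2)


def selector_matches(selector, facility, severity):
    """syslog.conf selector semantics (sysklogd '=' and '!' modifiers not handled):
    'fac.level' matches that level and everything more severe (numerically lower),
    'fac.*' matches every level, 'fac.none' excludes the facility, '*' is any
    facility, several facilities may share a level ('auth,authpriv.*'), and
    ';'-joined selectors are applied in order with the last applicable one winning."""
    sev_num = SEVERITIES[severity]
    matched = False
    for part in selector.split(";"):
        facs, level = part.rsplit(".", 1)
        if facs != "*" and facility not in facs.split(","):
            continue
        if level == "none":
            matched = False
        elif level == "*":
            matched = True
        else:
            matched = sev_num <= SEVERITIES[level]
    return matched


def parse_conf(text):
    """Return (selector, action) pairs from syslog.conf text; blanks and comments skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            selector, action = line.split(None, 1)
            rules.append((selector, action.strip()))
    return rules


def route(line, rules):
    """Destinations syslogd would deliver this line to under the given rules."""
    facility, severity, _ = decode_pri(line)
    return [action for selector, action in rules
            if selector_matches(selector, facility, severity)]


# Constructed /etc/syslog.conf fragment (not taken from the slides).
SAMPLE_CONF = """
# auth messages go to their own file and are kept out of the general log
auth,authpriv.*                        /var/log/auth.log
*.info;mail.none;auth,authpriv.none    /var/log/syslog
mail.warning                           /var/log/mail.warn
*.emerg                                *
"""

if __name__ == "__main__":
    rules = parse_conf(SAMPLE_CONF)
    msg = "<%d>Mar  3 09:30:04 host1 sshd[422]: Failed password" % encode_pri("auth", "info")
    print(decode_pri(msg)[:2], "->", route(msg, rules))
```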

Logging at Application Level

• privileged applications present security issues that may not be captured by system/user-level audit data
• such applications constitute a large percentage of reported vulnerabilities
• vulnerabilities exploited: lack of dynamic checks on input data, errors in application logic
• may be necessary to capture the behavior of an application beyond its access to system services and file systems
• two approaches to collecting audit data: interposable libraries, dynamic binary rewriting

Interposable Libraries

• allows the generation of audit data without needing to recompile either the system libraries or the application
• audit data can be generated without changing the system’s shared libraries or needing access to the source code for the executable
• exploits the use of dynamic libraries in UNIX
• statically linked libraries: a separate copy of the linked library function is loaded into the program’s virtual memory
• statically linked shared libraries: the referenced shared object is incorporated into the target executable at link time by the link loader; each object is assigned a fixed virtual address; the link loader connects external referenced objects by assigning their virtual addresses when the executable is created
• dynamically linked shared libraries: the linking to shared library routines is deferred until load time; if changes are made to the library prior to load time, any program that references the library is unaffected

Use of an Interposable Library


Example of Function in the Interposed Library

Dynamic Binary Rewriting

• can be used with both statically and dynamically linked programs
• postcompilation technique that directly changes the binary code of executables
• change is made at load time and modifies only the memory image of a program; does not require recompilation of the application binary
• implemented on Linux using two modules: a loadable kernel module and a monitoring daemon
• loadable modules can be automatically loaded and unloaded on demand

Run-Time Environment for Application Auditing

Audit Trail Analysis

• analysis programs and procedures vary widely
• must understand the context of log entries; relevant information may reside in other entries in the same logs, other logs, and nonlog sources
• audit file formats contain a mix of plain text and codes; must decipher manually / automatically
• ideally, regularly review entries to gain an understanding of the baseline

Types of Audit Trail Analysis

• audit trails can be used in multiple ways; this depends in part on when the analysis is done
• possibilities include:
• audit trail review after an event: triggered by an event to diagnose the cause and remediate; focuses on the audit trail entries that are relevant to the specific event
• periodic review of audit trail data: review bulk data to identify problems and behavior
• real-time audit analysis: part of an intrusion detection function

Audit Review

• audit review capability provides the administrator with information from selected audit records:
• actions of one or more users
• actions on a specific object or resource
• all or a specified set of audited exceptions
• actions on a specific system / security attribute
• may be filtered by time / source / frequency
• used to provide a system activity baseline and the level of security-related activity

Approaches to Data Analysis

• basic alerting: indicate that an interesting type of event has occurred
• baselining: define normal versus unusual events / patterns; compare with new data to detect changes; thresholding is the identification of data that exceed a particular baseline value
• windowing: detection of events within a given set of parameters
• correlation: seeks relationships among events
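An added example, not from the slides, running the four approaches (basic alerting, baselining with thresholding, windowing, correlation) over constructed sshd auth-log lines; it also does the filtering by source, time and frequency that the Audit Review slide describes. The log lines, host and user names, the 60-second window, the 5-minute correlation window and the threshold rule are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd auth-log lines in BSD syslog text format (not from the slides).
SAMPLE_LOG = """\
Mar  3 09:00:01 host1 sshd[401]: Accepted password for alice from 10.0.0.5 port 50011 ssh2
Mar  3 09:01:10 host1 sshd[402]: Failed password for bob from 10.0.0.6 port 50012 ssh2
Mar  3 09:05:00 host1 sshd[410]: Accepted password for bob from 10.0.0.6 port 50020 ssh2
Mar  3 09:30:00 host1 sshd[420]: Failed password for root from 198.51.100.7 port 40001 ssh2
Mar  3 09:30:02 host1 sshd[421]: Failed password for root from 198.51.100.7 port 40002 ssh2
Mar  3 09:30:04 host1 sshd[422]: Failed password for admin from 198.51.100.7 port 40003 ssh2
Mar  3 09:30:05 host1 sshd[423]: Failed password for admin from 198.51.100.7 port 40004 ssh2
Mar  3 09:30:09 host1 sshd[424]: Failed password for carol from 198.51.100.7 port 40005 ssh2
Mar  3 09:30:15 host1 sshd[425]: Accepted password for carol from 198.51.100.7 port 40006 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+")


def parse(text, year=2024):
    """Normalize raw lines into dicts; lines the pattern does not cover are dropped.
    BSD syslog timestamps carry no year, so the caller supplies it."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
            events.append({"ts": ts, "host": m.group("host"), "result": m.group("result"),
                           "user": m.group("user"), "src": m.group("src")})
    return sorted(events, key=lambda e: e["ts"])


def basic_alerts(events, watched=("root", "admin")):
    """Basic alerting: any event of an interesting type is flagged, no state needed."""
    return [e for e in events if e["user"] in watched]


def baseline_failures(events, until):
    """Baselining: failed logins per source during the reference period before `until`."""
    counts = defaultdict(int)
    for e in events:
        if e["result"] == "Failed" and e["ts"] < until:
            counts[e["src"]] += 1
    return dict(counts)


def threshold_from_baseline(baseline, floor=3, factor=2):
    """Thresholding: flag anything beyond `factor` times the busiest baseline source,
    never below `floor`, so an empty baseline does not make every failure an alert."""
    return max(floor, factor * max(baseline.values(), default=0))


def windowed_failures(events, window, threshold):
    """Windowing: sliding time window per source; returns the first instant at which
    the number of failures inside the window reaches `threshold`."""
    first_hit, recent = {}, defaultdict(list)
    for e in events:
        if e["result"] != "Failed":
            continue
        q = recent[e["src"]]
        q.append(e["ts"])
        while e["ts"] - q[0] > window:      # drop failures that fell out of the window
            q.pop(0)
        if len(q) >= threshold and e["src"] not in first_hit:
            first_hit[e["src"]] = e["ts"]
    return first_hit


def correlate_success_after_burst(events, bursts, window):
    """Correlation: a successful login from a source within `window` of its flagged
    burst links two event types that look harmless on their own."""
    return [(e["src"], e["user"], e["ts"]) for e in events
            if e["result"] == "Accepted" and e["src"] in bursts
            and bursts[e["src"]] <= e["ts"] <= bursts[e["src"]] + window]


def analyze(text=SAMPLE_LOG, baseline_until=datetime(2024, 3, 3, 9, 15)):
    """Run all four approaches and return their findings in one dict."""
    events = parse(text)
    baseline = baseline_failures(events, baseline_until)
    threshold = threshold_from_baseline(baseline)
    bursts = windowed_failures(events, timedelta(seconds=60), threshold)
    hits = correlate_success_after_burst(events, bursts, timedelta(minutes=5))
    return {
        "watched": [(e["user"], e["src"]) for e in basic_alerts(events)],
        "baseline": baseline,
        "threshold": threshold,
        "bursts": {src: ts.strftime("%H:%M:%S") for src, ts in bursts.items()},
        "correlated": [(src, user, ts.strftime("%H:%M:%S")) for src, user, ts in hits],
    }


if __name__ == "__main__":
    for key, value in analyze().items():
        print(key, value)
```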

Integrated Approaches

• volume of audit data means manual analysis and baselining is impractical
• need a Security Information and Event Management (SIEM) system: a centralized logging and analysis package
• agentless or agent-based
• normalizes a variety of log formats
• analyzes combined data
• correlates events among the log entries
• identifies and prioritizes significant events
• can initiate responses

Example: Cisco MARS

• example of a SIEM product
• supports a wide variety of systems
• agentless with a central dedicated server
• wide array of analysis packages
• an effective GUI
• server collects, parses, normalizes, correlates and assesses events, then checks for false positives, vulnerabilities, and profiling

Table 18.6 Suggested List of Events to Be Audited

Legal and Ethical Aspects, Part 3 of 3

Types of Computer Crime

The U.S. Department of Justice categorizes computer crime based on the role that the computer plays in the criminal activity:

• computers as targets: involves an attack on data integrity, system integrity, data confidentiality, privacy, or availability
• computers as storage devices: using the computer to store stolen password lists, credit card or calling card numbers, proprietary corporate information, pornographic image files, or pirated commercial software
• computers as communications tools: crimes that are committed online, such as fraud, gambling, child pornography, and the illegal sale of prescription drugs, controlled substances, alcohol, or guns

Table 19.1 Cybercrimes Cited in the Convention on Cybercrime (page 1 of 2)

Table 19.1 - Cybercrimes Cited in the Convention on Cybercrime (page 2 of 2)

Table 19.2 CERT 2007 E-Crime Watch Survey Results


Law Enforcement Challenges


Intellectual Property

intellectual property is defined as “any intangible asset that consists of human knowledge and ideas”.

infringement is “the invasion of the rights secured by copyrights, trademarks, and patents”.

Copyright

• protects the tangible or fixed expression of an idea but not the idea itself
• creator can claim and file copyright at a national government copyright office if: the proposed work is original, and the creator has put the original idea in concrete form

Copyright Rights

• copyright owner has these exclusive rights, protected against infringement: reproduction right, modification right, distribution right, public-performance right, public-display right
• examples of items that can be copyrighted include: literary works; musical works; dramatic works; pantomimes and choreographic works; pictorial, graphic, and sculptural works; motion pictures and other audiovisual works; sound recordings; architectural works; software-related works

Patent

• grants a property right to the inventor: “the right to exclude others from making, using, offering for sale, or selling” the invention in the United States or “importing” the invention into the United States
• types:
• utility: any new and useful process, machine, article of manufacture, or composition of matter
• design: new, original, and ornamental design for an article of manufacture
• plant: discovers and asexually reproduces any distinct and new variety of plant

Trademark

• a word, name, symbol, or device used in trade with goods; indicates the source of goods and distinguishes them from the goods of others
• trademark rights may be used to prevent others from using a confusingly similar mark, but not to prevent others from making the same goods or from selling the same goods or services under a clearly different mark

Page 67

U.S. Digital Millennium Copyright ACT (DMCA)

signed into law in 1998

implements WIPO treaties to strengthen protections of digital copyrighted materials

encourages copyright owners to use technological measures to protect their copyrighted works:

• measures that prevent access to the work
• measures that prevent copying of the work

prohibits attempts to bypass the measures; both criminal and civil penalties apply to attempts to circumvent

Page 68

DMCA Exemptions

certain actions are exempted from the provisions of the DMCA and other copyright laws, including:

• fair use
• reverse engineering
• encryption research
• security testing
• personal privacy

considerable concern exists that the DMCA inhibits legitimate security and encryption research; some feel that innovation and academic freedom are stifled and open source software development is threatened

Page 69

Digital Rights Management (DRM)

systems and procedures that ensure that holders of digital rights are clearly identified and receive stipulated payment for their works; may impose further restrictions such as inhibiting printing or prohibiting further distribution

no single DRM standard or architecture

objective is to provide mechanisms for the complete content management life cycle

provide persistent content protection for a variety of digital content types / platforms / media

Page 70

DRM Components

Page 71

DRM System Architecture

Page 72

Privacy

overlaps with computer security

dramatic increase in scale of information collected and stored, motivated by law enforcement, national security, and economic incentives

individuals have become increasingly aware of access and use of personal information and private details about their lives

concerns about extent of privacy compromise have led to a variety of legal and technical approaches to reinforcing privacy rights

Page 73

European Union (EU) Data Protection Directive

adopted in 1998 to:

• ensure member states protect fundamental privacy rights when processing personal information
• prevent member states from restricting the free flow of personal information within the EU

organized around principles of:

• notice
• consent
• consistency
• access

Page 74

United States Privacy Initiatives

Privacy Act of 1974

• dealt with personal information collected and used by federal agencies
• permits individuals to determine records kept
• permits individuals to forbid records being used for other purposes
• permits individuals to obtain access to records and to correct and amend records as appropriate
• ensures agencies properly collect, maintain, and use personal information
• creates a private right of action for individuals

a range of other privacy laws also exist

Page 75

ISO 27002 states: “An organizational data protection and privacy policy should be developed and implemented. This policy should be communicated to all persons involved in the processing of personal information. Compliance with this policy and all relevant data protection legislation and regulations requires appropriate management structure and control. Often this is best achieved by the appointment of a person responsible, such as a data protection officer, who should provide guidance to managers, users, and service providers on their individual responsibilities and the specific procedures that should be followed. Responsibility for handling personal information and ensuring awareness of the data protection principles should be dealt with in accordance with relevant legislation and regulations. Appropriate technical and organizational measures to protect personal information should be implemented.”

Page 76

Privacy and Data Surveillance

Page 77

Ethical Issues

many potential misuses and abuses of information and electronic communication that create privacy and security problems

basic ethical principles developed by civilizations apply; unique considerations surrounding computers and information systems:

• scale of activities not possible before
• creation of new types of entities for which no agreed ethical rules have previously been formed

ethics: “a system of moral principles that relates to the benefits and harms of particular actions, and to the rightness and wrongness of motives and ends of those actions.”

Page 78

Ethical Hierarchy

Page 79

Ethical Issues Related to Computers and Information Systems

some ethical issues from computer use; computers act as:

• repositories and processors of information
• producers of new forms and types of assets
• instruments of acts
• symbols of intimidation and deception

those who understand and exploit technology, and have access permission, have power over these

Page 80

Table 19.3 Potential Ethical Dilemmas

Page 81

Ethical Question Examples

• whistle-blower: when professional ethical duty conflicts with loyalty to employer, e.g. an inadequately tested software product; organizations and professional societies should provide alternative mechanisms
• potential conflict of interest: e.g. a consultant has a financial interest in a vendor, which should be revealed to the client

Page 82

Codes of Conduct

ethics are not precise laws or sets of facts

many areas may present ethical ambiguity

many professional societies have adopted ethical codes of conduct which can:

1. be a positive stimulus and instill confidence
2. be educational
3. provide a measure of support
4. be a means of deterrence and discipline
5. enhance the profession's public image

Page 83

ACM Code of Ethics and Professional Conduct

Page 84

Revision

http://bit.ly/1GdTBVZ