Human Resources Security (Part 1 of 3)
Benefits to Organizations
security awareness, training, and
education programs provide four major
benefits to organizations:
• improving employee behavior
• increasing employee accountability
• mitigating liability for employee behavior
• complying with regulations and contractual obligations
The topic of security awareness, training, and education is mentioned prominently in a number of standards and standards-related documents, including ISO 27002 (Code of Practice for Information Security Management)
Human Factors & Learning Continuum
Table 17.1 Comparative Framework
Awareness
seeks to inform and focus an employee's attention on security issues within the organization
employees should be aware of their responsibilities for maintaining security and of the restrictions on their actions
users understand the importance of security for the well-being of the organization
promote enthusiasm and management buy-in
program must be tailored to the needs of the organization and target audience
must continually promote the security message to employees in a variety of ways
should provide a security awareness policy document to all employees
NIST SP 800-100 ( Information Security Handbook: A Guide for Managers ) describes the content of awareness programs, in general terms, as follows:
“Awareness tools are used to promote information security and inform users of threats and vulnerabilities that impact their division or department and personal work environment by explaining the what but not the how of security, and communicating what is and what is not allowed. Awareness not only communicates information security policies and procedures that need to be followed, but also provides the foundation for any sanctions and disciplinary actions imposed for noncompliance. Awareness is used to explain the rules of behavior for using an agency’s information systems and information and establishes a level of expectation on the acceptable use of the information and information systems.”
Training
what people should do and how they should do it
designed to teach people the skills to perform their IS-related tasks more securely
• general users: focus is on good computer security practices
• programmers, developers, system maintainers: develop a security mindset in the developer
• managers: how to make tradeoffs involving security risks, costs, benefits
• executives: risk management goals, measurement, leadership
Education
most in depth program
targeted at security professionals whose jobs require expertise in security
fits into employee career development category
often provided by outside sources: college courses, specialized training programs
Employment Practices and Policies
managing personnel with potential access is an essential part of information security
employee involvement:
• unwittingly aid in the commission of a violation by failing to follow proper procedures
• forgetting security considerations
• not realizing that they are creating a vulnerability
• knowingly violate controls or procedures
Security in the Hiring Process
objective: “to ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities”
need appropriate background checks and screening; investigate accuracy of details
for highly sensitive positions: have an investigation agency do a background check, including criminal record and credit checks
Employment Agreements
employees should agree to and sign the terms and conditions of their employment contract, which should include:
I. employee and organizational responsibilities for information security
II. a confidentiality and non-disclosure agreement
III. reference to the organization's security policy
IV. acknowledgement that the employee has reviewed and agrees to abide by the policy
During Employment
objectives with respect to current employees:
• ensure that employees, contractors, and third-party users are aware of information security threats and concerns and of their responsibilities and liabilities with regard to information security
• ensure they are equipped to support the organizational security policy in their work
• reduce the risk of human error
two essential elements of personnel security during employment are: a comprehensive security policy document, and an ongoing awareness and training program
security principles: least privilege, separation of duties, limited reliance on key employees
Termination of Employment
termination security objectives: ensure employees, contractors, and third party users exit the organization or change employment in an orderly manner, and that the return of all equipment and the removal of all access rights are completed
critical actions:
• remove name from all authorized access lists
• inform guards that ex-employee general access is not allowed
• remove personal access codes, change physical locks and lock combinations, reprogram access card systems
• recover all assets, including employee ID, documents, data storage devices
• notify appropriate departments by memo or email
Email and Internet Use Policies
organizations are incorporating specific e-mail and Internet use policies into their security policy document
concerns for employers:
• work time consumed in non-work-related activities
• computer and communications resources may be consumed, compromising the mission that the IS resources are designed to support
• risk of importing malware
• possibility of harm, harassment, inappropriate online conduct
Suggested Policies
business use only
policy scope
content ownership
privacy
standard of conduct
reasonable personal use
unlawful activity prohibited
security policy
company policy
company rights
disciplinary action
Security Incident Response
response procedures to incidents are an essential control for most organizations
procedures need to reflect possible consequences of an incident on the organization and allow for a suitable response
developing procedures in advance can help avoid panic
benefits of having incident response capability:
• systematic incident response
• quicker recovery to minimize loss, theft, disruption of service
• use information gained during incident handling to better prepare for future incidents
• dealing properly with legal issues that may arise during incidents
Computer Security Incident Response Team (CSIRT)
CSIRTs are responsible for:
rapidly detecting incidents
minimizing loss and destruction
mitigating the weaknesses that were exploited
restoring computing services
Security Incident
unauthorized access to a system:
• accessing information not authorized to see
• passing information on to a person not authorized to see it
• attempting to circumvent the access mechanisms
• using another person’s password and user id
unauthorized modification of information on the system:
• attempting to corrupt information that may be of value
• attempting to modify information without authority
• processing information in an unauthorized manner
Detecting Incidents
incidents may be detected by users or administration staff; staff should be encouraged to make reports of system malfunctions or anomalous behaviors
automated tools: system integrity verification tools, log analysis tools, network and host intrusion detection systems (IDS), intrusion prevention systems
Triage Function
goal: ensure that all information destined for the incident handling service is channeled through a single focal point
commonly achieved by advertising the triage function as the single point of contact for the whole incident handling service
responds to incoming information by:
• requesting additional information in order to categorize the incident
• notifying the various parts of the enterprise or constituency about the vulnerability and sharing information about how to fix or mitigate the vulnerability
• identifying the incident as either new or part of an ongoing incident and passing this information on to the incident handling response function
Responding to Incidents
must have documented procedures to respond to incidents
procedures should:
• detail how to identify the cause
• describe the action taken to recover from the incident
• identify typical categories of incidents and the approach taken to respond to them
• identify management personnel responsible for making critical decisions and how to contact them
• identify the circumstances when security breaches should be reported to third parties such as the police or relevant CERT
Incident Handling Life Cycle
Documenting Incidents
should immediately follow a response to an incident
• identify what vulnerability led to its occurrence
• how this might be addressed to prevent the incident in the future
• details of the incident and the response taken
• impact on the organization’s systems and their risk profile
Table 17.3 Examples of Possible Information Flow To and From the Incident Handling Service
Security Auditing (Part 2 of 3)
Table 18.1 Security Audit Terminology (RFC 2828)
Security Audit and Alarms Model
Security Auditing Functions
Event Definition
must define the set of events that are subject to audit
Common Criteria suggests:
• introduction of objects
• deletion of objects
• distribution or revocation of access rights or capabilities
• changes to subject or object security attributes
• policy checks performed by the security software
• use of access rights to bypass a policy check
• use of identification and authentication functions
• security-related actions taken by an operator/user
• import/export of data from/to removable media
Implementation Guidelines
agree on requirements with management
scope of checks agreed and controlled
checks limited to read-only access to software and data
other access only for isolated copies of system files, then erased or given appropriate protection
resources for performing the checks should be explicitly identified and made available
requirements for special or additional processing should be defined
all access should be monitored and logged
document procedures, requirements, responsibilities
person(s) doing audit independent of activities
What to Collect
events related to the use of the auditing software
events related to the security mechanisms on the system
events that are collected for use by the various security detection and prevention mechanisms
events related to system management and operation
operating system access
application access for selected applications
remote access
Table 18.2 Auditable Items Suggested in X.816
Monitoring Areas Suggested in ISO 27002
Figure 18.4 - Examples of Audit Trails
figure 18.4a is an example of a system-level audit trail on a UNIX system
figure 18.4b is an example of an application-level audit trail for a mail delivery system
figure 18.4c is an example of a user-level audit trail on a UNIX system
Physical Access Audit Trails
generated by equipment that controls physical access: card-key systems, alarm systems
sent to central host for analysis and storage
data of interest: date/time/location/user of access attempt; both valid and invalid access attempts; attempts to add/modify/delete physical access privileges
may send violation messages to personnel
Protecting Audit Trail Data
read/write file on host
• easy, least resource intensive, instant access
• vulnerable to attack by intruder
write-once/read-many device
• more secure but less convenient
• need steady supply of recordable media
• access may be delayed and not available immediately
write-only device
• provides paper trail
• impractical for capturing detailed audit data on large or networked systems
• useful when a permanent, immediately available log is required
must protect both integrity and confidentiality
• encryption, digital signatures, access controls
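The integrity half of that protection, worked through in software: an added example (not from the original slides or the textbook) of a keyed hash chain over audit records kept in an ordinary read/write file. The JSON record layout and the collector-held key are assumptions made for the example.

```python
import hashlib
import hmac
import json

# Constructed key for the example; in practice it must be kept off the audited host
# (e.g. held by the log collector), or an intruder who can edit the file can re-tag it.
AUDIT_KEY = b"example-only-audit-key"
GENESIS = "0" * 64

def _canonical(event):
    return json.dumps(event, sort_keys=True, separators=(",", ":"))

def _tag(prev_tag, event, key):
    return hmac.new(key, (prev_tag + _canonical(event)).encode(), hashlib.sha256).hexdigest()

def append_record(chain, event, key=AUDIT_KEY):
    """Append an audit record whose tag covers the event and the previous record's tag,
    so altering, deleting or reordering an earlier record breaks every later tag."""
    prev_tag = chain[-1]["tag"] if chain else GENESIS
    chain.append({"seq": len(chain), "prev": prev_tag, "event": event,
                  "tag": _tag(prev_tag, event, key)})
    return chain

def verify_chain(chain, key=AUDIT_KEY):
    """Recompute every tag from the start; returns (ok, index of the first bad record,
    or the chain length when everything checks out)."""
    prev_tag = GENESIS
    for i, rec in enumerate(chain):
        if (rec["seq"] != i or rec["prev"] != prev_tag
                or not hmac.compare_digest(_tag(prev_tag, rec["event"], key), rec["tag"])):
            return False, i
        prev_tag = rec["tag"]
    # Caveat: cutting records off the tail still verifies, so the latest tag must also
    # be recorded somewhere the intruder cannot reach (write-once media or a remote host).
    return True, len(chain)

def demo_tampering():
    """Build a small chain from constructed events and show two edits being detected."""
    events = [
        {"ts": "2024-01-05T09:00:00Z", "user": "alice", "action": "login"},
        {"ts": "2024-01-05T09:02:10Z", "user": "alice", "action": "read", "object": "/payroll.xlsx"},
        {"ts": "2024-01-05T09:03:00Z", "user": "alice", "action": "logout"},
    ]
    chain = []
    for e in events:
        append_record(chain, e)
    # An intruder rewrites record 1 to hide which file was read...
    edited = json.loads(json.dumps(chain))
    edited[1]["event"]["object"] = "/public/readme.txt"
    # ...or removes that record entirely; record 2's seq and prev no longer line up.
    deleted = chain[:1] + chain[2:]
    return verify_chain(chain), verify_chain(edited), verify_chain(deleted)
```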
Implementing Logging
foundation of security auditing facility is the initial capture of the audit data
software must include hooks (capture points) that trigger data collection and storage as preselected events occur
dependent on the nature of the software; varies depending on operating system and applications involved
Windows Event Log
an event is an entity that describes some interesting occurrence; it contains:
• a numeric identification code
• a set of attributes
• optional user-supplied data
three types of event logs:
• system: system related apps and drivers
• application: user-level apps
• security: Windows LSA
Windows Event Categories
account logon events
account management
directory service access
logon events
object access
policy changes
privilege use
UNIX Syslog
UNIX's general-purpose logging mechanism, found on all UNIX / Linux variants
elements:
• syslog(): API referenced by several standard system utilities and available to application programs
• logger: command used to add single-line entries to the system log
• /etc/syslog.conf: configuration file used to control the logging and routing of system log events
• syslogd: daemon to receive/route log events
Syslog Service
basic service provides: a means of capturing relevant events
extra add-on features may include: robust filtering
Syslog Facilities and Severity Levels
(a) Syslog Facilities
(b) Syslog Severity Levels
Logging at Application Level
privileged applications present security issues that may not be captured by system/user-level audit data, and constitute a large percentage of reported vulnerabilities
vulnerabilities exploited: lack of dynamic checks on input data; errors in application logic
may be necessary to capture behavior of application beyond its access to system services and file systems
two approaches to collecting audit data: interposable libraries, dynamic binary rewriting
Interposable Libraries
allows the generation of audit data without needing to recompile either the system libraries or the application
audit data can be generated without changing the system’s shared libraries or needing access to the source code for the executable
exploits the use of dynamic libraries in UNIX
statically linked libraries: a separate copy of the linked library function is loaded into the program’s virtual memory
statically linked shared libraries: referenced shared object is incorporated into the target executable at link time by the link loader; each object is assigned a fixed virtual address; link loader connects external referenced objects by assigning their virtual addresses when the executable is created
dynamically linked shared libraries: the linking to shared library routines is deferred until load time; if changes are made to the library prior to load time, any program that references the library is unaffected
Use of an Interposable Library
Example of Function in the Interposed Library
Dynamic Binary Rewriting
can be used with both statically and dynamically linked programs
postcompilation technique that directly changes the binary code of executables
change is made at load time and modifies only the memory image of a program; does not require recompilation of the application binary
implemented on Linux using two modules: loadable kernel module, monitoring daemon
loadable modules can be automatically loaded and unloaded on demand
Run-Time Environment for Application Auditing
Audit Trail Analysis
analysis programs and procedures vary widely
must understand context of log entries; relevant information may reside in other entries in the same logs, other logs, and nonlog sources
audit file formats contain a mix of plain text and codes that must be deciphered manually / automatically
ideally, regularly review entries to gain an understanding of the baseline
Types of Audit Trail Analysis
audit trails can be used in multiple ways; this depends in part on when the analysis is done
possibilities include:
• audit trail review after an event: triggered by the event to diagnose cause and remediate; focuses on the audit trail entries that are relevant to the specific event
• periodic review of audit trail data: review bulk data to identify problems and behavior
• real-time audit analysis: part of an intrusion detection function
Audit Review
audit review capability provides administrator with information from selected audit records:
• actions of one or more users
• actions on a specific object or resource
• all or a specified set of audited exceptions
• actions on a specific system / security attribute
may be filtered by time / source / frequency
used to provide a system activity baseline and the level of security related activity
Approaches to Data Analysis
basic alerting
• indicate interesting type of event has occurred
baselining
• define normal versus unusual events / patterns
• compare with new data to detect changes
• thresholding is the identification of data that exceed a particular baseline value
windowing
• detection of events within a given set of parameters
correlation
• seeks relationships among events
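An added example, not from the original slides or the textbook, tying the syslog facility/severity tables to the four analysis approaches: a small Python analyser that decodes the PRI field of constructed RFC 3164-style records (the facility and severity code tables are the ones defined in RFC 3164, since the page's own table is not reproduced here), then applies basic alerting, a baseline threshold, a sliding window and a correlation rule to sshd and kernel entries. The host name, users and addresses in the sample log are made up.

```python
import re
from collections import Counter, defaultdict, deque
# Constructed RFC 3164-style records (<PRI>timestamp host tag[pid]: message);
# the host, users and addresses are made up for this example.
SAMPLE_LOG = """\
<38>Oct 11 22:14:01 web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.9 port 4022 ssh2
<38>Oct 11 22:14:03 web01 sshd[1203]: Failed password for invalid user admin from 203.0.113.9 port 4023 ssh2
<38>Oct 11 22:14:05 web01 sshd[1205]: Failed password for root from 203.0.113.9 port 4024 ssh2
<38>Oct 11 22:14:06 web01 sshd[1207]: Failed password for root from 203.0.113.9 port 4025 ssh2
<38>Oct 11 22:14:09 web01 sshd[1209]: Accepted password for root from 203.0.113.9 port 4026 ssh2
<86>Oct 11 22:14:10 web01 sudo: root : TTY=pts/0 ; PWD=/root ; COMMAND=/bin/cat /etc/shadow
<2>Oct 11 22:15:30 web01 kernel: EXT4-fs error (device sda1): bad directory entry
<38>Oct 11 22:16:00 web01 sshd[1310]: Accepted publickey for deploy from 198.51.100.7 port 5100 ssh2
"""

# RFC 3164 code tables; the PRI field is facility * 8 + severity.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp", "cron",
              "authpriv", "ftp", "ntp", "audit", "alert", "clock"] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

LINE_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
                     r"(?P<host>\S+) (?P<tag>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
ACCEPT_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")

def parse_line(line):
    """Decode one syslog line into a dict; returns None for lines that do not parse."""
    m = LINE_RE.match(line)
    if not m or int(m["pri"]) > 191:           # 23 * 8 + 7 is the largest legal PRI
        return None
    rec, pri = m.groupdict(), int(m["pri"])
    rec["facility"] = FACILITIES[pri >> 3]
    rec["severity"] = SEVERITIES[pri & 7]
    h, mi, s = rec["ts"][-8:].split(":")       # seconds since midnight; enough for one day
    rec["seconds"] = int(h) * 3600 + int(mi) * 60 + int(s)
    return rec

def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r]

def basic_alerts(records, worst="crit"):
    """Basic alerting: a record at severity crit or worse is interesting on its own."""
    limit = SEVERITIES.index(worst)
    return [r for r in records if SEVERITIES.index(r["severity"]) <= limit]

def failed_logins_by_source(records):
    """Per-source failed-login counts; run over a known-good period to set the baseline."""
    counts = Counter()
    for r in records:
        m = FAIL_RE.search(r["msg"]) if r["tag"] == "sshd" else None
        if m:
            counts[m["src"]] += 1
    return counts

def threshold_violations(counts, baseline):
    """Thresholding: sources whose count exceeds the baseline value."""
    return {src: n for src, n in counts.items() if n > baseline}

def brute_force_then_success(records, window=60, min_failures=3):
    """Windowing plus correlation: a burst of failed sshd logins followed by a success."""
    recent = defaultdict(deque)                # source -> timestamps of recent failures
    findings = []
    for r in records:
        fail, ok = FAIL_RE.search(r["msg"]), ACCEPT_RE.search(r["msg"])
        if r["tag"] != "sshd" or not (fail or ok):
            continue
        q = recent[(fail or ok)["src"]]
        while q and r["seconds"] - q[0] > window:  # slide the window forward
            q.popleft()
        if fail:
            q.append(r["seconds"])
        elif len(q) >= min_failures:
            findings.append((ok["src"], ok["user"], len(q)))
    return findings
```

Run over a real /var/log/auth.log the baseline for `threshold_violations` should come from a quiet period, not be hard-coded.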
Integrated Approaches
volume of audit data means manual analysis and baselining is impractical
need a Security Information and Event Management (SIEM) system: a centralized logging and analysis package
• agentless or agent-based
• normalizes a variety of log formats
• analyzes combined data
• correlates events among the log entries
• identifies and prioritizes significant events
• can initiate responses
Example: Cisco MARS
example of SIEM product
supports a wide variety of systems
agentless with central dedicated server
wide array of analysis packages
an effective GUI
server collects, parses, normalizes, correlates and assesses events to then check for false positives, vulnerabilities, and profiling
Table 18.6 Suggested List of Events to Be Audited
Legal and Ethical Aspects (Part 3 of 3)
Types of Computer Crime
the U.S. Department of Justice categorizes computer crime based on the role that the computer plays in the criminal activity:
computers as targets: involves an attack on data integrity, system integrity, data confidentiality, privacy, or availability
computers as storage devices: using the computer to store stolen password lists, credit card or calling card numbers, proprietary corporate information, pornographic image files, or pirated commercial software
computers as communications tools: crimes that are committed online, such as fraud, gambling, child pornography, and the illegal sale of prescription drugs, controlled substances, alcohol, or guns
Table 19.1 Cybercrimes Cited in the Convention on Cybercrime (pages 1 and 2 of 2)
Table 19.2 CERT 2007 E-Crime Watch Survey Results
Law Enforcement Challenges
Intellectual Property
intellectual property is defined as “any intangible asset that consists of human knowledge and ideas”.
infringement is “the invasion of the rights secured by copyrights, trademarks, and patents”.
Copyright
protects tangible or fixed expression of an idea but not the idea itself
creator can claim and file copyright at a national government copyright office if: the proposed work is original, and the creator has put the original idea in concrete form
Copyright Rights
copyright owner has these exclusive rights, protected against infringement: reproduction right, modification right, distribution right, public-performance right, public-display right
examples of items that can be copyrighted include: literary works; musical works; dramatic works; pantomimes and choreographic works; pictorial, graphic, and sculptural works; motion pictures and other audiovisual works; sound recordings; architectural works; software-related works
Patent
grants a property right to the inventor
“the right to exclude others from making, using, offering for sale, or selling” the invention in the United States or “importing” the invention into the United States
types:
• utility: any new and useful process, machine, article of manufacture, or composition of matter
• design: new, original, and ornamental design for an article of manufacture
• plant: discovers and asexually reproduces any distinct and new variety of plant
Trademark
a word, name, symbol, or device used in trade with goods; indicates source of goods and distinguishes them from goods of others
trademark rights may be used to:
prevent others from using a confusingly similar mark but not to prevent others from making the same goods or from selling the same goods or services under a clearly different mark
U.S. Digital Millennium Copyright Act (DMCA)
signed into law in 1998
implements WIPO treaties to strengthen protections of digital copyrighted materials
encourages copyright owners to use technological measures to protect their copyrighted works: measures that prevent access to the work, measures that prevent copying of the work
prohibits attempts to bypass the measures; both criminal and civil penalties apply to attempts to circumvent
DMCA Exemptions
certain actions are exempted from the provisions of the DMCA and other copyright laws, including:
• fair use
• reverse engineering
• encryption research
• security testing
• personal privacy
considerable concern exists that the DMCA inhibits legitimate security and encryption research; some feel that innovation and academic freedom are stifled and open source software development is threatened
Digital Rights Management (DRM)
systems and procedures that ensure that holders of digital rights are clearly identified and receive stipulated payment for their works; may impose further restrictions such as inhibiting printing or prohibiting further distribution
no single DRM standard or architecture
objective is to provide mechanisms for the complete content management life cycle
provide persistent content protection for a variety of digital content types / platforms / media
DRM Components
DRM System Architecture
Privacy
overlaps with computer security
dramatic increase in scale of information collected and stored, motivated by law enforcement, national security, economic incentives
individuals have become increasingly aware of access and use of personal information and private details about their lives
concerns about extent of privacy compromise have led to a variety of legal and technical approaches to reinforcing privacy rights
European Union (EU) Data Protection Directive
adopted in 1998 to:
• ensure member states protect fundamental privacy rights when processing personal information
• prevent member states from restricting the free flow of personal information within the EU
organized around principles of:
• notice
• consent
• consistency
• access
United States Privacy Initiatives
Privacy Act of 1974
• dealt with personal information collected and used by federal agencies
• permits individuals to determine records kept
• permits individuals to forbid records being used for other purposes
• permits individuals to obtain access to records and to correct and amend records as appropriate
• ensures agencies properly collect, maintain, and use personal information
• creates a private right of action for individuals
a range of other privacy laws also exists
ISO 27002 states: “An organizational data protection and privacy policy should be developed and implemented. This policy should be communicated to all persons involved in the processing of personal information. Compliance with this policy and all relevant data protection legislation and regulations requires appropriate management structure and control. Often this is best achieved by the appointment of a person responsible, such as a data protection officer, who should provide guidance to managers, users, and service providers on their individual responsibilities and the specific procedures that should be followed. Responsibility for handling personal information and ensuring awareness of the data protection principles should be dealt with in accordance with relevant legislation and regulations. Appropriate technical and organizational measures to protect personal information should be implemented.”
Privacy and Data Surveillance
Ethical Issues
many potential misuses and abuses of information and electronic communication that create privacy and security problems
basic ethical principles developed by civilizations apply, but there are unique considerations surrounding computers and information systems:
• scale of activities not possible before
• creation of new types of entities for which no agreed ethical rules have previously been formed
ethics: “a system of moral principles that relates to the benefits and harms of particular actions, and to the rightness and wrongness of motives and ends of those actions.”
Ethical Hierarchy
Ethical Issues Related to Computers and Information Systems
some ethical issues arise from the roles computers play: repositories and processors of information; producers of new forms and types of assets; instruments of acts; symbols of intimidation and deception
those who understand and exploit the technology, and have access permission, have power over these
Table 19.3 Potential Ethical Dilemmas
Ethical Question Examples
whistle-blower: when professional ethical duty conflicts with loyalty to employer, e.g. an inadequately tested software product; organizations and professional societies should provide alternative mechanisms
potential conflict of interest: e.g. a consultant has a financial interest in a vendor, which should be revealed to the client
Codes of Conduct
ethics are not precise laws or sets of facts
many areas may present ethical ambiguity
many professional societies have adopted ethical codes of conduct which can:
1. be a positive stimulus and instill confidence
2. be educational
3. provide a measure of support
4. be a means of deterrence and discipline
5. enhance the profession's public image
ACM Code of Ethics and Professional Conduct
Revision
http://bit.ly/1GdTBVZ