Proving Your Case - Computer Security
Terrence P. Maher
Abrahams Kaslow & Cassman
[email protected] (akclaw.com)
Common Types of Computer Crime
• Fraud by computer manipulation
• Computer forgery
• Damage to or modification of computer data or programs
• Unauthorized access to computer systems and services
• Unauthorized reproduction of computer programs
Essential Components of Security
• Administrative and organizational security
• Personnel security
• Physical security
• Communications - electronic security
• Hardware and software security
• Operations security
• Contingency planning
Administrative and Organizational Security
• Development of procedures to identify risks
• Definition of individual security duties and assignment of responsibilities
• Designation of restricted areas
• Establishment of authorization procedures
• Identification of external dependencies
• Preparation of contingency plans
Personnel Security
• Specify security requirements in job descriptions
• Ensure personnel meet the requirements - background investigations
• Adequate security motivation and training
• Have adequate corporate policies in place
• Remember to check contractors who are provided access to premises or systems
Personnel Security
• Supervising access to and control over system resources through identification and authorization measures - monitoring
• Enforce vacation policies and rotate assignments
• Termination procedures
• Expect revenge from disgruntled employees or ex-employees
Physical Security
• Site planning - location and layout, building construction, fencing and shielding
• Control of access - perimeter security, visitor control, access devices and badges, guards and anti-intrusion devices
• Protection against physical damage and environmental failures
• Protection of media and supplies
• Random checks and tests
Communications-Electronic Security
• Access control - passwords, password controls, smart cards and biometric devices
• Physical security of network cabling and telecommunications equipment
• Shielding of cables
• Firewalls
• Encryption
Hardware and Software Security
• Identification measures to identify authorized users
• Isolation features to restrict access to unauthorized devices, software and data
• Access control for selective sharing of system resources
• Surveillance and detection measures
• Response techniques to counter harm
Operations Security
• Identification of assets requiring protection
• Establishment of the value of those assets
• Identification of threats associated with each asset
• Identification of the vulnerability of the system to such threats

Operations Security
• Assessment of the risk exposure associated with each asset
• Selection and implementation of security measures
• Testing of security measures
• Audit and refinement of the security program on a continuing basis
Planning for Computer Crime
• Put detection measures in place so that a crime is identified quickly when it occurs
• Assemble a team who will respond to incidents
• Determine how the team will respond to different types of intrusions
• Test and update the procedures
Detection Tools
• Intrusion detection systems are not designed to collect and protect the integrity of the type of information required to conduct law enforcement investigations
• There is a lack of guidance to employees as to how to respond to intrusions and capture the required information
Detection Tools - Logs
• System logs
• Audit logs
• Application logs
• Network management logs
• Network traffic capture
• Contemporaneous manual entries
• Logs maintained by the intruder, an ISP or telecommunications provider
Detection Tools - Logs
• Logs may make little immediate sense without training in the operation of the intrusion detection tool and an understanding of the principles upon which it operates
• Logs may lack sufficient detail
• Logs may not cover relevant time periods
• Logs may not be sufficient to permit comparison of normal vs. abnormal activity
Detection Tools - Logs
• In real-time detection, the detection tool may not be able to keep up with network traffic, or it may be positioned on the network in a way that leaves it unable to capture all relevant data
• Logs may not identify the perpetrator in any useful way
• Logs may have been compromised
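The last point on the slide, that logs may have been compromised, is the one a court will probe first. As an added illustration that is not part of Mr. Maher's presentation, the Python below keeps a log where each stored entry carries an HMAC tag over the previous entry's tag and its own contents. Editing, reordering or deleting a stored entry then fails verification at the first affected index, and noting the newest tag out of band (the "contemporaneous manual entries" the slides list would do) also catches truncation of the tail, which the chain by itself cannot. The key, the sample events and the hostnames are constructed for the demo.

```python
"""Hash-chained log store with tamper detection (added example, not from the slides).

Each stored record carries an HMAC-SHA256 tag computed over the previous record's
tag and the record's own contents. Any later edit, reorder or deletion breaks
verification at the first affected entry. The key and events are constructed.
"""
import hashlib
import hmac
import json

# Constructed demo key. In practice the key lives on a collector the logging
# host cannot write to, so an intruder on that host cannot re-tag entries.
DEMO_KEY = b"constructed-demo-key-not-for-production"
GENESIS_TAG = "0" * 64


def _tag(key: bytes, prev_tag: str, record: dict) -> str:
    """HMAC-SHA256 over the previous tag and a canonical JSON form of the record."""
    payload = prev_tag.encode() + b"\n" + json.dumps(record, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_record(chain: list, record: dict, key: bytes = DEMO_KEY) -> dict:
    """Append a record, linking it to the current head of the chain."""
    prev_tag = chain[-1]["tag"] if chain else GENESIS_TAG
    entry = {"record": dict(record), "tag": _tag(key, prev_tag, record)}
    chain.append(entry)
    return entry


def verify_chain(chain: list, key: bytes = DEMO_KEY):
    """Return (True, None) if every link holds, else (False, index of first bad entry)."""
    prev_tag = GENESIS_TAG
    for i, entry in enumerate(chain):
        expected = _tag(key, prev_tag, entry["record"])
        if not hmac.compare_digest(entry["tag"], expected):
            return False, i
        prev_tag = entry["tag"]
    return True, None


def head_tag(chain: list) -> str:
    """The newest tag; this is the value to write into the out-of-band custody note."""
    return chain[-1]["tag"] if chain else GENESIS_TAG


def verify_against_custody(chain: list, recorded_head: str, key: bytes = DEMO_KEY) -> bool:
    """The chain must verify AND still end at the tag noted when custody was taken."""
    ok, _ = verify_chain(chain, key)
    return ok and hmac.compare_digest(head_tag(chain), recorded_head)


# Constructed sample events (not real log data); fs1 is a made-up hostname.
SAMPLE_EVENTS = [
    {"ts": "2004-03-01T02:14:07Z", "host": "fs1", "event": "login_failure", "user": "admin", "src": "192.0.2.45"},
    {"ts": "2004-03-01T02:14:09Z", "host": "fs1", "event": "login_failure", "user": "admin", "src": "192.0.2.45"},
    {"ts": "2004-03-01T02:14:12Z", "host": "fs1", "event": "login_success", "user": "admin", "src": "192.0.2.45"},
    {"ts": "2004-03-01T02:15:40Z", "host": "fs1", "event": "file_copy", "user": "admin", "path": "/srv/payroll.db"},
]


def build_demo_chain() -> list:
    chain = []
    for event in SAMPLE_EVENTS:
        append_record(chain, event)
    return chain


def edit_demo():
    """Someone rewrites the source address inside a stored entry; index 2 fails."""
    chain = build_demo_chain()
    chain[2]["record"]["src"] = "198.51.100.7"
    return verify_chain(chain)


def truncate_demo():
    """Dropping the last entry passes chain verification but fails the custody check."""
    chain = build_demo_chain()
    recorded = head_tag(chain)
    chain.pop()
    return verify_chain(chain), verify_against_custody(chain, recorded)


if __name__ == "__main__":
    print("intact:", verify_chain(build_demo_chain()))
    print("edited entry:", edit_demo())
    print("truncated tail:", truncate_demo())
```

The design choice worth noting for evidentiary purposes is that the tag key must not be readable from the system that generated the logs; otherwise an intruder with control of that host can simply re-tag a rewritten history, and the chain proves nothing.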
The Response Team
• Have the team formed ahead of time
• Team members should include a manager, systems operator, auditor, investigator, technical advisor, and legal
The Response Team
Manager
• Team leader; decides on the response to the incident
• Should be able to assess the value of the compromised information and the potential impact of the loss on the organization
• Responsible for documenting all events that have taken place
The Response Team
System Operator
• May be a systems manager or systems programmer; must know his or her way around the system(s) involved
• For crimes in progress, the systems operator will track the criminal and monitor system activity; for crimes which have taken place, the systems operator will be responsible for reconstructing what took place
• Responsible for documenting what happened
The Response Team
Auditor
• Helps the systems operator follow the trail of the crime using audit tools and audit trails
• Responsible for documenting the economic impact of the incident
• Includes tangible and intangible losses, as well as lost productive time
The Response Team
Investigator
• Usually from the law enforcement agency that has jurisdiction over the crime
• Duty is to make sure all evidence is collected using proper means and in accordance with legal requirements
• Will be responsible for securing appropriate judicial authorization for search warrants and monitoring of communications
The Response Team
Technical Advisor
• Usually a technical expert who understands both technology and criminal investigation techniques
• Usually from the law enforcement agency which has jurisdiction over the crime
• Will work closely with the systems operator to analyze system logs and other system activity that may explain the crime and identify the suspect
The Response Team
Legal
• Risk management
• Insurance recovery
• Civil prosecution
Response
• Should you call in law enforcement?
  • trap and trace devices
  • pen registers
  • dialed number recorders
  • search warrants for third party and intruder facilities, equipment, systems and records
• Interview witnesses and informants
Evidence and Legal Proceedings
• Admissibility and weight of evidence
• Hearsay rule
• Business records exception
• Authentication
• Best evidence
• Reliability of witnesses
• Chain of possession

Evidence and Legal Proceedings
• Discovery
• Protective orders
• Testimony
Terrence P. Maher
Abrahams Kaslow & Cassman
8712 West Dodge Road
Suite 300
Omaha, Nebraska 68114
[email protected] (akclaw.com)