Proving Your Case - Computer Security Terrence P. Maher Abrahams Kaslow & Cassman


Common Types of Computer Crime
- Fraud by computer manipulation
- Computer forgery
- Damage to or modification of computer data or programs
- Unauthorized access to computer systems and services
- Unauthorized reproduction of computer programs

Essential Components of Security
- Administrative and organizational security
- Personnel security
- Physical security
- Communications and electronic security
- Hardware and software security
- Operations security
- Contingency planning

Administrative and Organizational Security
- Development of procedures to identify risks
- Definition of individual security duties and assignment of responsibilities
- Designation of restricted areas
- Establishment of authorization procedures
- Identification of external dependencies
- Preparation of contingency plans

Personnel Security
- Specify security requirements in job descriptions
- Ensure personnel meet the requirements (background investigations)
- Adequate security motivation and training
- Have adequate corporate policies in place
- Remember to check contractors who are given access to premises or systems

Personnel Security (continued)
- Supervise access to and control over system resources through identification, authorization and monitoring measures
- Enforce vacation policies and rotate assignments
- Termination procedures
- Expect revenge from disgruntled employees or ex-employees

Physical Security
- Site planning: location and layout, building construction, fencing and shielding
- Control of access: perimeter security, visitor control, access devices and badges, guards and anti-intrusion devices
- Protection against physical damage and environmental failures
- Protection of media and supplies
- Random checks and tests

Communications and Electronic Security
- Access control: passwords, password controls, smart cards and biometric devices
- Physical security of network cabling and telecommunications equipment
- Shielding of cables
- Firewalls
- Encryption

Hardware and Software Security
- Identification measures to identify authorized users
- Isolation features to restrict access by unauthorized devices, software and data
- Access control for selective sharing of system resources
- Surveillance and detection measures
- Response techniques to counter harm

Operations Security
- Identification of assets requiring protection
- Establishment of the value of those assets
- Identification of threats associated with each asset
- Identification of the vulnerability of the system to such threats

Operations Security (continued)
- Assessment of the risk exposure associated with each asset
- Selection and implementation of security measures
- Testing of security measures
- Audit and refinement of the security program on a continuing basis

Planning for Computer Crime
- Put detection measures in place in order to quickly identify when a crime occurs
- Assemble a team who will respond to incidents
- Determine how the team will respond to different types of intrusions
- Test and update the procedures

Detection Tools
- Intrusion detection systems are not designed to collect and protect the integrity of the type of information required to conduct law enforcement investigations
- There is a lack of guidance to employees as to how to respond to intrusions and capture the required information

Detection Tools - Logs
- System logs
- Audit logs
- Application logs
- Network management logs
- Network traffic capture
- Contemporaneous manual entries
- Logs maintained by the intruder, an ISP or a telecommunications provider

Detection Tools - Logs (continued)
- Logs may make little immediate sense without training in the operation of the intrusion detection tool and an understanding of the principles on which it operates
- Logs may lack sufficient detail
- Logs may not cover relevant time periods
- Logs may not be sufficient to permit comparison of normal vs. abnormal activity

Detection Tools - Logs (continued)
- In real-time detection, the detection tool may not be able to keep up with network traffic, or it may be positioned on the network in a way that prevents it from capturing all relevant data
- Logs may not identify the perpetrator in any useful way
- Logs may have been compromised

The Response Team
- Have the team formed ahead of time
- Team members should include a manager, systems operator, auditor, investigator, technical advisor and legal counsel

The Response Team
- Manager
  - Team leader; decides on the response to the incident
  - Should be able to assess the value of the compromised information and the potential impact of the loss on the organization
  - Responsible for documenting all events that have taken place

The Response Team
- System Operator
  - May be a systems manager or systems programmer; must know his or her way around the system(s) involved
  - For crimes in progress, tracks the criminal and monitors system activity; for crimes which have already taken place, is responsible for reconstructing what took place
  - Responsible for documenting what happened

The Response Team
- Auditor
  - Helps the systems operator follow the trail of the crime using audit tools and audit trails
  - Responsible for documenting the economic impact of the incident
  - Includes tangible and intangible losses, as well as lost productive time

The Response Team
- Investigator
  - Usually from the law enforcement agency that has jurisdiction over the crime
  - Duty is to make sure all evidence is collected by proper means and in accordance with legal requirements
  - Responsible for securing appropriate judicial authorization for search warrants and monitoring of communications

The Response Team
- Technical Advisor
  - Usually a technical expert who understands both technology and criminal investigation techniques
  - Usually from the law enforcement agency which has jurisdiction over the crime
  - Works closely with the systems operator to analyze system logs and other system activity that may explain the crime and identify the suspect

The Response Team
- Legal
  - Risk management
  - Insurance recovery
  - Civil prosecution

Response
- Should you call in law enforcement?
  - trap and trace devices
  - pen registers
  - dialed number recorders
  - search warrants for third-party and intruder facilities, equipment, systems and records
- Interview witnesses and informants

Evidence and Legal Proceedings
- Admissibility and weight of evidence
- Hearsay rule
- Business records exception
- Authentication
- Best evidence
- Reliability of witnesses
- Chain of possession
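The Logs slides warn that an intrusion detection system does not protect the integrity of what it records and that logs may have been compromised, and the Evidence slide lists authentication and chain of possession as what a court will ask about. The following is an added example, not part of the presentation: an evidence manifest that records a SHA-256 digest of each collected log and keeps a hash-chained custody record, so that any later change to a copy or to the custody entries is detectable. The log lines, the host and IP address (203.0.113.5, a documentation range) and the custodian names are constructed for the example.

```python
import hashlib
import json

# Constructed sample log files standing in for collected evidence (not real data).
SAMPLE_LOGS = {
    "auth.log": b"Mar 03 02:14:07 host sshd[412]: Failed password for root from 203.0.113.5\n"
                b"Mar 03 02:14:09 host sshd[412]: Accepted password for root from 203.0.113.5\n",
    "ids.log": b"2020-03-03T02:14:10Z alert ssh-bruteforce src=203.0.113.5\n",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _append_custody(manifest: dict, entry: dict) -> None:
    """Chain each custody entry to the previous one so reordering or editing shows up."""
    prev = manifest["custody"][-1]["entry_hash"] if manifest["custody"] else "0" * 64
    entry = dict(entry, prev_hash=prev)
    entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
    manifest["custody"].append(entry)

def collect(files: dict, collector: str, when: str) -> dict:
    """Record what was seized: a digest and size per file, plus the first custody entry."""
    items = {name: {"sha256": sha256_hex(data), "size": len(data)} for name, data in files.items()}
    manifest = {"items": items, "custody": []}
    _append_custody(manifest, {"action": "collected", "by": collector, "at": when})
    return manifest

def transfer(manifest: dict, giver: str, receiver: str, when: str) -> None:
    """Log a hand-over from one custodian to the next."""
    _append_custody(manifest, {"action": "transferred", "from": giver, "to": receiver, "at": when})

def verify(manifest: dict, files: dict) -> list:
    """Return a list of problems; an empty list means copies and custody record both check out."""
    problems = []
    for name, rec in manifest["items"].items():
        data = files.get(name)
        if data is None:
            problems.append(f"{name}: missing")
        elif sha256_hex(data) != rec["sha256"]:
            problems.append(f"{name}: digest mismatch")
    for name in files:
        if name not in manifest["items"]:
            problems.append(f"{name}: not in manifest")
    prev = "0" * 64
    for i, entry in enumerate(manifest["custody"]):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry.get("prev_hash") != prev or sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
            problems.append(f"custody entry {i}: chain broken")
        prev = entry["entry_hash"]
    return problems
```

The manifest only proves that the copies match what was recorded at collection time; the contemporaneous manual entries the slides mention are still needed to show who collected them and why.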

Evidence and Legal Proceedings (continued)
- Discovery
- Protective orders
- Testimony

Terrence P. Maher Abrahams Kaslow & Cassman 8712 West Dodge Road Suite 300 Omaha, Nebraska