Strong Host Security Policies are Good Business

Inevitably, the actions of some clients create legal issues that need to be addressed by hosts quickly and cost effectively. It is essential to have good hosting policies and procedures in place to deal with the legal and regulatory issues arising from operating a hosting business. Failure to implement good hosting practices can be disruptive and expensive for both hosts and their clients. Hosts must deal with a variety of law enforcement issues over time, ranging from cyber-crime to potential law suits.

Published in: Technology, Business

Transcript

  • 1. Strong Host Security Policies are Good Business
    San Diego, August 8th (HostingCon)
    Alex de Joode, Security Officer / LeaseWeb
    Stephen E. Oakes, Sup. Special Agent / F.B.I. (CIRFU)
    Shane McGee, Partner / SNR Denton
  • 2. Events on June 21st
  • 3. A DigitalOne customer's response
    • From the Instapaper blog page: http://blog.instapaper.com/post/6830514157
  • 4. Summary
    • June 21st 2011, FBI raided a hosting facility in Reston, Va., used by DigitalOne, a dedicated hosting company
    • F.B.I. took 3 racks
    • F.B.I. was actively investigating the Lulz Security group and any affiliated hackers
    • DigitalOne, the hoster, stated: "The agents took entire server racks, perhaps because they mistakenly thought that 'one enclosure is equal to one server.'"
    • src: http://bits.blogs.nytimes.com/2011/06/21/f-b-i-seizes-web-servers-knocking-sites-offline/
  • 5. What can we learn?
    • Downtime for innocent customers
    • Why? Trust / no personal relations?
    • How can we solve this problem?
    • F.B.I. perspective: by Stephen E. Oakes, Supervisory Special Agent
    • Legal perspective: by Shane McGee, Partner, SNR Denton
    • Host perspective: by Alex de Joode, Security Officer, LeaseWeb
  • 6. Thank you (mailto: a.dejoode@leaseweb.com)
  • 7. Good Host Security
    San Diego, August 8th (HostingCon 2011)
    Alex de Joode, Security Officer, LeaseWeb
  • 8. Introduction
    • Alex de Joode, Security Officer, LeaseWeb (Global)
      • Abuse handling
      • Public & Regulatory Affairs
      • Legal Internet Affairs
      • Security
  • 9. LeaseWeb (Global)
    • LeaseWeb B.V. (AS16265) (Netherlands)
    • LeaseWeb B.V. (AS52146) (Belgium)
    • LeaseWeb GmbH (AS28753) (Germany)
    • Leaseweb Inc. (AS30366) (United States) (booth #645)
  • 10. LeaseWeb (some figures)
    • ~1% of internet traffic generated (1 Tbps = 1000 Gbps)
    • ~35,000 servers online (NL | BE | DE | US)
    • ~235 FTE
  • 11. F.B.I. & SNR Denton, summary
    • FBI wants to collaborate with hosts
      • NCFTA: Cracking Down on Cyber Crime (http://www.ncfta.net)
    • SNR Denton: legal requirements to work with FBI/LEA if the proper legal instrument is used
      • Hosts are prohibited from voluntarily disclosing any subscriber records or content to the government (unless an exception applies).
  • 12. How does LeaseWeb handle these issues?
    • As a global company we have to deal with Dutch, German and US Law Enforcement Agencies.
    • Dedicated Security Office
      • with qualified and experienced personnel so we can:
        • minimize these issues
        • and correctly handle serious situations when they do arise
    • Smart Hoster's View
      • Brand Protection
      • Protect customers and corporate interests and resources
  • 13. Conclusion
    With the proper protocols and operating procedures, hosts can avoid DigitalOne-type issues and ensure a successful hosting situation for your customers and a profitable environment for you as a host.
  • 14. Questions?
  • 15. Thank you! (mailto: a.dejoode@leaseweb.com)
  • 16. Subpoena Compliance and the Need for Cooperation with Law Enforcement
    • Responding to Subpoenas, Court Orders, Warrants, National Security Letters and More
    Shane M. McGee, Esq., CISSP, Partner
    T +1 202 408 9216
    shane.mcgee@snrdenton.com
    snrdenton.com
  • 17. ECPA: What Is It?
    • Originally enacted in 1986 as the first use of email and large-scale data processing began
    • Designed generally to protect the privacy of electronic records and communications stored with third parties.
    • Often referred to interchangeably as "SCA" (Stored Communications Act) or "ECPA" (Electronic Communications Privacy Act), though the SCA was an amendment to ECPA.
    • The SCA applies only to historical records, i.e., those available as of the date of the request.
  • 18. ECPA: What Does it Do?
    • Begins from the assumption that, absent ECPA, service providers could freely disclose information about customers, and the government could compel disclosure of any record by issuing a subpoena
    • ECPA imposes limitations on this "default setting"
      • Limits the instances in which, and the types of information that, providers can voluntarily disclose
      • Defines the legal process the government must obtain to compel disclosure of certain information
    • Complicated statute that is difficult to apply
      • Archaic terminology
      • Strained application to newer subscriber services
      • Confusing distinctions between treatment of certain records
      • Inconsistent court interpretations
  • 19. ECPA: How is it Structured?
    • Provides a series of rules giving escalating privacy protection based on:
      • The type of information at issue
      • Who seeks the information (government or private entity)
      • Who holds the information (how the provider is characterized under the law)
    • The guiding principles
      • Content generally more protected than non-content
      • More limitations on voluntary disclosures to government, but the government has more tools to compel
  • 20. ECPA: Who Does it Cover?
    • Covered entities defined in ECPA are "Electronic Communications Services" (ECS) and "Remote Computing Services" (RCS)
      • ECS defined as "any service which provides to users thereof the ability to send or receive wire or electronic communications"
        • Example: the web-based email service offered by many web hosts
      • RCS defined as "the provision to the public of computer storage or processing services by means of an electronic communications system"
        • "Provision to the public": anyone who wants to purchase hosting services can sign up (as opposed to a private corporate email service)
      • Web hosting companies may be an ECS and/or RCS depending on the services being offered to that particular customer
  • 21. Three Categories of Information
    • The process the government is required to use depends on the type of information sought, as follows:
      • Basic subscriber information: Subpoena
      • Transactional or other records: Court Order
      • Content of files or messages: Search Warrant
  • 22. Requests for Basic Subscriber Information
    • This is the most common request web hosting companies will receive.
    • The following information may be obtained through virtually any type of subpoena:
      • name & address
      • local and long distance telephone connection records
      • telephone number or other account identifier
      • length & type of service provided
      • session times and duration
      • temporarily assigned network address (IP address)
      • means and source of payment (credit card number or bank account)
  • 23. Requests for Transactional Records: 2703(d) Order
    • Not content, not basic subscriber information: everything in between
      • Email headers (if applicable)
      • Subscriber info that is not "basic subscriber information", e.g., date of birth, social security number, etc.
    • Articulable facts order
      • "specific and articulable facts showing that there are reasonable grounds to believe that [the requested records] are relevant and material to an ongoing criminal investigation"
      • lower standard than a warrant, but higher than pen register/trap & trace
    • May include a directive to the provider not to disclose to the subscriber
  • 24. Requests for Files or Contents of Communications
    • Generally speaking, a warrant is required.
    • ECPA contains a number of sub-categories of information when dealing with the contents of files or communications, each of which requires a different process.
    • The courts disagree on how these sub-categories of information should be classified, leading to difficulties applying the law.
    • Some state laws treat all of these sub-categories of information the same, and apply a higher level of protection to all stored files and the contents of communications.
  • 25. Voluntary Disclosure
    • Web hosting companies are prohibited from voluntarily disclosing any subscriber records or content to the government unless an exception applies.
    • Exceptions for the release of subscriber records (not content) include:
      • Disclosure to anyone with the consent of the originator or addressee/intended recipient
      • Disclosure to an addressee or intended recipient
      • Disclosure to law enforcement if contents were inadvertently obtained & pertain to the commission of a crime
      • Disclosure to a person employed or authorized, or whose facilities are used, to forward such communication (within the scope of their work)
      • As necessary to protect the company's rights and property
      • To NCMEC in a child pornography report
      • Disclosure to the government if the provider in good faith believes an emergency exists threatening death or serious physical injury
  • 26. National Security Letters - § 2709
    • Permits government to compel disclosure of "subscriber information and toll billing records information, or electronic communication transactional records"
    • Government must certify in writing that the records sought are relevant to an authorized investigation to protect against international terrorism or clandestine intelligence activities
    • Look carefully for nondisclosure requirements: National Security Letters often prohibit the recipient from disclosing the existence or content of the National Security Letter to anyone other than those to whom such disclosure is necessary to comply with the request, or an attorney, in order to obtain legal advice or legal assistance with respect to the request.
  • 27. Lawsuits for ECPA Violations
    • ECPA allows for a civil action for relief from improper disclosures
      • "person aggrieved by any violation of this chapter in which the conduct constituting the violation is engaged in with a knowing or intentional state of mind may, in a civil action, recover from the person or entity, other than the United States, which engaged in that violation such relief as may be appropriate" 18 U.S.C. § 2707(a)
    • ECPA contains two defenses against this liability, in sections 2703(e) and 2707(e), but they are not guaranteed to protect a web hosting company
  • 28. Subpoena Compliance and the Need for Cooperation with Law Enforcement
    • Responding to Subpoenas, Court Orders, Warrants, National Security Letters and More
    Shane M. McGee, Esq., CISSP, Partner
    T +1 202 408 9216
    shane.mcgee@snrdenton.com
    snrdenton.com
  • 29. (no text on slide)
  • 30. FBI-CIRFU (Computer Intrusion and Research Fusion Unit); NCFTA (National Cyber Forensics and Training Alliance)
  • 31. Partnerships
  • 32. Collaboration (diagram): NCFTA at the centre, surrounded by its partners: Law Enforcement, Academia, SMEs, Financial, Merchants, Telcos/ISPs, Pharmaceutical
  • 33. FBI Cyber Division: Threat Focus Process
    1. Define Problem
    2. Identify Subject Matter Expert (SME) Stakeholders
    3. Develop Threat Matrix
    4. Identify and Prioritize
    5. Initiate and Support Investigations
  • 34. Basic BPH Model (diagram): a Rogue BP Network connected to COLO 1, COLO 2 and COLO 3
  • 35. Perpetual BPH Complaint Cycle (diagram, four stages in a loop): LE/Industry sends complaint to COLO; COLO notifies customer (BPH); BPH notifies and protects criminal client; criminal client continues to break the law; and the cycle repeats
  • 36. Basic BPH Model (same diagram as slide 34): a Rogue BP Network connected to COLO 1, COLO 2 and COLO 3
  • 37. SSA Stephen E. Oakes, Federal Bureau of Investigation (FBI), Cyber Initiative and Resource Fusion Unit, Cyber Division (CIRFU)
    Desk: 412-802-8000 x324
    BB: 202-437-6555
    Email: Stephen.Oakes@ic.fbi.gov
