Strong Host Security Policies are Good Business

Inevitably, the actions of some clients create legal issues that need to be addressed by hosts quickly and cost effectively. It is essential to have good hosting policies and procedures in place to deal with the legal and regulatory issues arising from operating a hosting business. Failure to implement good hosting practices can be disruptive and expensive for both hosts and their clients. Hosts must deal with a variety of law enforcement issues over time, ranging from cyber-crime to potential law suits.

Published in: Technology, Business

  1. Strong Host Security Policies are Good Business
     San Diego, August 8th (HostingCon)
     Alex de Joode, Security Officer / LeaseWeb
     Stephen E. Oakes, Sup. Special Agent / F.B.I. (CIRFU)
     Shane McGee, Partner / SNR Denton
  2. Events on June 21st
  3. A DigitalOne customer's response
     • From the Instapaper blog page: http://blog.instapaper.com/post/6830514157
  4. Summary
     • June 21st 2011, the FBI raided a hosting facility in Reston, Va., used by DigitalOne, a dedicated hosting company
     • The F.B.I. took 3 racks
     • The F.B.I. was actively investigating the Lulz Security group and any affiliated hackers
     • DigitalOne, the hoster, stated: “The agents took entire server racks, perhaps because they mistakenly thought that ‘one enclosure is equal to one server.’”
     • src: http://bits.blogs.nytimes.com/2011/06/21/f-b-i-seizes-web-servers-knocking-sites-offline/
  5. What can we learn?
     • Downtime for innocent customers
     • Why?
       • Trust / no personal relations?
     • How can we solve this problem?
     • F.B.I. perspective: by Stephen E. Oakes, Supervisory Special Agent
     • Legal perspective: by Shane McGee, partner, SNR Denton
     • Host perspective: by Alex de Joode, Security Officer, LeaseWeb
  6. Thank you
     mailto: a.dejoode@leaseweb.com
  7. Good Host Security
     San Diego, August 8th (HostingCon 2011)
     Alex de Joode, Security Officer, LeaseWeb
  8. Introduction
     • Alex de Joode
       • Security Officer, LeaseWeb (Global)
         • Abuse handling
         • Public & Regulatory Affairs
         • Legal Internet Affairs
         • Security
  9. LeaseWeb (Global)
     • LeaseWeb B.V. (as16265) (Netherlands)
     • LeaseWeb B.V. (as52146) (Belgium)
     • LeaseWeb GmbH (as28753) (Germany)
     • Leaseweb Inc. (as30366) (United States) (booth #645)
  10. LeaseWeb (some figures)
     • ~1% of internet traffic generated (1 Tbps = 1000 Gbps)
     • ~35,000 servers online (NL | BE | DE | US)
     • ~235 FTE
  11. F.B.I. & SNR Denton, summary
     • FBI wants to collaborate with hosts
       • NCFTA – Cracking Down on Cyber Crime (http://www.ncfta.net)
     • SNR Denton: legal requirement to work with FBI/LEA if the proper legal instrument is used
       • Hosts are prohibited from voluntarily disclosing any subscriber records or content to the government (unless an exception applies).
  12. How does LeaseWeb handle these issues?
     • As a global company we have to deal with Dutch, German and US law enforcement agencies.
     • Dedicated Security Office
       • with qualified and experienced personnel so we can:
         • minimize these issues
         • and correctly handle serious situations when they do arise
     • Smart hoster's view
       • Brand protection
       • Protect customers and corporate interests and resources
  13. Conclusion
     With the proper protocols and operating procedures, hosts can avoid DigitalOne-type issues and ensure a successful hosting situation for your customers and a profitable environment for you as a host.
  14. Questions?
  15. Thank you!
     mailto: a.dejoode@leaseweb.com
  16. Subpoena Compliance and the Need for Cooperation with Law Enforcement
     • Responding to Subpoenas, Court Orders, Warrants, National Security Letters and More
     Shane M. McGee, Esq., CISSP, Partner
     T +1 202 408 9216
     shane.mcgee@snrdenton.com
     snrdenton.com
  17. ECPA: What Is It?
     • Originally enacted in 1986 as the first use of email and large-scale data processing began
     • Designed generally to protect the privacy of electronic records and communications stored with third parties.
     • Often referred to interchangeably as “SCA” (Stored Communications Act) or “ECPA” (Electronic Communications Privacy Act), though the SCA was an amendment to ECPA.
     • The SCA applies only to historical records, i.e., those available as of the date of the request.
  18. ECPA: What Does It Do?
     • Begins from the assumption that, absent ECPA, service providers could freely disclose information about customers, and the government could compel disclosure of any record by issuing a subpoena
     • ECPA imposes limitations on this “default setting”
       • Limits the instances in which, and the types of information that, providers can voluntarily disclose
       • Defines the legal process the government must obtain to compel disclosure of certain information
     • Complicated statute that is difficult to apply
       • Archaic terminology
       • Strained application to newer subscriber services
       • Confusing distinctions between treatment of certain records
       • Inconsistent court interpretations
  19. ECPA: How Is It Structured?
     • Provides a series of rules giving escalating privacy protection based on:
       • The type of information at issue
       • Who seeks the information (government or private entity)
       • Who holds the information (how the provider is characterized under the law)
     • The guiding principles
       • Content is generally more protected than non-content
       • More limitations on voluntary disclosures to the government, but the government has more tools to compel
  20. ECPA: Who Does It Cover?
     • Covered entities defined in ECPA are “Electronic Communications Services” (ECS) and “Remote Computing Services” (RCS)
       • ECS defined as “any service which provides to users thereof the ability to send or receive wire or electronic communications”
         • Example: the web-based email service offered by many web hosts
       • RCS defined as “the provision to the public of computer storage or processing services by means of an electronic communications system”
         • “Provision to the public”: anyone who wants to purchase hosting services can sign up (as opposed to a private corporate email service)
       • Web hosting companies may be an ECS and/or an RCS depending on the services being offered to that particular customer
  21. Three Categories of Information
     • The process the government is required to use depends on the type of information sought, as follows:
       • Basic subscriber information: subpoena
       • Transactional or other records: court order
       • Content of files or messages: search warrant
  22. Requests for Basic Subscriber Information
     • This is the most common request web hosting companies will receive.
     • The following information may be obtained through virtually any type of subpoena:
       • name & address
       • local and long distance telephone connection records
       • telephone number or other account identifier
       • length & type of service provided
       • session times and duration
       • temporarily assigned network address (IP address)
       • means and source of payment (credit card number or bank account)
  23. Requests for Transactional Records – 2703(d) Order
     • Not content, not basic subscriber information -- everything in between
       • Email headers (if applicable)
       • Subscriber info that is not “basic subscriber information”, e.g., date of birth, social security number, etc.
     • Articulable facts order
       • “specific and articulable facts showing that there are reasonable grounds to believe that [the requested records] are relevant and material to an ongoing criminal investigation”
       • lower standard than a warrant, but higher than pen register/trap & trace
     • May include a directive to the provider not to disclose to the subscriber
  24. Requests for Files or Contents of Communications
     • Generally speaking, a warrant is required.
     • ECPA contains a number of sub-categories of information when dealing with the contents of files or communications, each of which requires a different process.
     • The courts disagree on how these sub-categories of information should be classified, leading to difficulties applying the law.
     • Some state laws treat all of these sub-categories of information the same, and apply a higher level of protection to all stored files and the contents of communications.
  25. Voluntary Disclosure
     • Web hosting companies are prohibited from voluntarily disclosing any subscriber records or content to the government unless an exception applies.
     • Exceptions for the release of subscriber records (not content) include:
       • Disclosure to anyone with the consent of the originator or addressee/intended recipient
       • Disclosure to an addressee or intended recipient
       • Disclosure to law enforcement if contents were inadvertently obtained & pertain to the commission of a crime
       • Disclosure to a person employed or authorized, or whose facilities are used, to forward such communication (within the scope of their work)
       • As necessary to protect the company’s rights and property
       • To NCMEC in a child pornography report
       • Disclosure to the government if the provider in good faith believes an emergency exists threatening death or serious physical injury
  26. National Security Letters - § 2709
     • Permits the government to compel disclosure of “subscriber information and toll billing records information, or electronic communication transactional records”
     • The government must certify in writing that the records sought are relevant to an authorized investigation to protect against international terrorism or clandestine intelligence activities
     • Look carefully for nondisclosure requirements: National Security Letters often prohibit the recipient from disclosing the existence or content of the letter to anyone other than those to whom such disclosure is necessary to comply with the request, or an attorney, to obtain legal advice or legal assistance with respect to the request.
  27. Lawsuits for ECPA Violations
     • ECPA allows for a civil action for relief from improper disclosures
       • “person aggrieved by any violation of this chapter in which the conduct constituting the violation is engaged in with a knowing or intentional state of mind may, in a civil action, recover from the person or entity, other than the United States, which engaged in that violation such relief as may be appropriate” 18 U.S.C. § 2707(a)
     • ECPA contains two defenses against this liability in sections 2703(e) and 2707(e), but they are not guaranteed to protect a web hosting company
  28. Subpoena Compliance and the Need for Cooperation with Law Enforcement
     • Responding to Subpoenas, Court Orders, Warrants, National Security Letters and More
     Shane M. McGee, Esq., CISSP, Partner
     T +1 202 408 9216
     shane.mcgee@snrdenton.com
     snrdenton.com
  29. (slide image, no transcript text)
  30. FBI-CIRFU (Computer Intrusion and Research Fusion Unit)
     NCFTA (National Cyber Forensics and Training Alliance)
  31. Partnerships
  32. Collaboration
     (diagram: NCFTA at the centre, with Law Enforcement, Academia, SME’s, Financial, Merchants, Telcos/ISP’s and Pharmaceutical partners around it)
  33. FBI Cyber Division: Threat Focus Process
     1. Define Problem
     2. Identify Subject Matter Expert (SME) Stakeholders
     3. Develop Threat Matrix
     4. Identify and Prioritize
     5. Initiate and Support Investigations
  34. Basic BPH Model
     (diagram labels: Rogue BP Network, COLO 1, COLO 2, COLO 3)
  35. Perpetual BPH Complaint Cycle
     (diagram, as a cycle: LE/Industry sends complaint to COLO; COLO notifies customer (BPH); BPH notifies and protects criminal client; criminal client continues to break the law)
  36. Basic BPH Model
     (diagram labels: Rogue BP Network, COLO 1, COLO 2, COLO 3)
  37. SSA Stephen E. Oakes
     Federal Bureau of Investigation (FBI)
     Cyber Initiative and Resource Fusion Unit (CIRFU), Cyber Division
     Desk: 412-802-8000 x324
     BB: 202-437-6555
     Email: Stephen.Oakes@ic.fbi.gov
