ANS_Ch_06_Handouts.pdf

DILLA UNIVERSITY
COLLEGE OF ENGINEERING & TECHNOLOGY
School of Computing & Informatics
M. Sc in Computer Science & Networking
By
Chapter-06
Dr. Ananda Kumar K S M.Tech, Ph.D
Associate Professor, School of Comp & Info
Email: anandgdk@du.edu.et
COET, Dilla University 1
Course Number CN6122
Course Title Advanced Network Security

Advanced Network Security
CHAPTER-06
1. SECURE SYSTEM PLANNING , POLICIES
AND PROCEDURES
2. COMPUTER FORENSICS: LEGAL,
ETHICAL AND POLICY ISSUES

1. SECURE SYSTEM PLANNING ,
POLICIES AND PROCEDURES

• Creation of information security program includes:
– Creation of policies, standards, and practices,
selection or creation of information security
architecture and the development
– Use of a detailed information security blueprint
creates plan for future success
– Creation of contingency planning consisting of
incident response planning, disaster recovery
planning, and business continuity plans
• Without policy, blueprints, and planning, organization is
unable to meet information security needs of various
communities of interest
Introduction
4
COET, Dilla University

Information Security Policy, Standards
and Practices
• Communities of interest must consider
policies as basis for all information security
efforts
• Policies direct how issues should be
addressed and technologies used
• Security policies are least expensive controls
to execute but most difficult to implement
• Shaping policy is difficult
5

Shaping Policy Difficult
• Never conflict with laws
• Standup in court if challenged
• Be properly administered through
dissemination and documented acceptance
6

Policy
• Plan or course of action
• Convey instructions
• Organizational laws
• Dictate acceptable and unacceptable
behavior
7

Policy
• Define
– What is right
– The appeal process
– What are the penalties for violating policy
• Written to support the mission, vision and
strategic plan of organization
• For a policy to be effective, must be
properly disseminated, read, understood
and agreed to by all members of
organization
8

Standards
• Detail statements of what must be done to
comply with policy
• Types
– Informal – de facto standards
– Formal – de jure standards
9

Mission/Vision/Strategic Plan
• Mission – written statement of organization
purpose
• Vision – written statement of organization
goals
• Strategic Plan - written statement of moving
the organization toward its mission
10

Policies
• Security Policy – set of rules that protects
organization's assets
• Information security policy – set of rules that
protects an organization’s information assets
12

Enterprise Information Security Policy (EISP)
• General Information Security Document
• Shapes the philosophy of security in IT
• Executive-level document, usually drafted by
or with CIO of the organization, 2-10 pages
• Typically addresses compliance in two areas
– Ensure meeting requirements to establish
program
– Responsibilities assigned therein to various
organizational components
– Use of specified penalties and disciplinary action
13

Information Systems Security Policy (ISSP)
• Issue-Specific Security Policy
• Addresses specific areas of technology
• Requires frequent updates
• Contains a statement on the organization’s
position on a specific issue
14

3 Approaches to ISSP
• Create independent document tailored to a
specific issue
– Scattered approach
– Departmentalized
• Create single comprehensive document
covering all issues
– Centralized management and control
– Tend to over generalize the issue
15

Cont..
• Create a modular plan
– Unified policy creation and administration
– Maintain each specific issue’s requirements
16

Systems-Specific Policy (SysSP)
• SysSPs frequently codified as standards and
procedures
• used when configuring or maintaining
systems
• Systems-specific policies fall into two
groups
– Access control lists (ACLs)
– Configuration rules
17

ACL Policies
• Restrict access from anyone & anywhere
• Can regulate specific user, computer, time,
duration, file
• What regulated
– Who can use the system
– What authorization users can access
– When authorization users can access
– Where authorization users can access
18

ACL Policies
• Authorization determined by persons identity
• Can regulated specific computer equipment
• Regulate access to data
– Read
– Write
– Modify
– Copy
– Compare
19

Rule Policies
• Rule policies are more specific to operation of
a system than ACLs
• May or may not deal with user directly
• Many security systems require specific
configuration scripts telling systems what
actions to perform on each set of information
they process
20

Policy Management
• Must be managed as they constantly changed and grow
• Must be properly disseminated
• Must be properly managed
• Responsible individual
– Policy administrator
– manager
– Not necessarily a technically oriented person
21

Reviews
• Schedule
– Retain effectiveness in changing environment
– Periodically reviewed
– Should be defined and published
– Should be reviewed at least annually
• Procedures and practices
– Recommendations for change
– Reality one person draft
22

Document Configuration Management
• Include date of original
• Includes date of revision
• Include expiration date
23

Information Classification
• Classification of information is an important aspect
of policy
• Policies are classified, least for “internal use only”.
• A clean desk policy stipulates that at end of
business day, classified information must be
properly stored and secured
• In today’s open office environments, may be
beneficial to implement a clean desk policy
24

The Information Security Blueprint
• Security Blueprint is the basis for design, selection, and
implementation of
– all security policies,
– education and training programs, and
– technological controls
• More detailed version of security framework (outline of
overall information security strategy for organization)
• Should specify tasks to be accomplished and the order in
which they are to be realized
• One approach to selecting a methodology by which to
develop an information security blueprint is to adopt a
published model or framework for information security.
25

ISO 17799
• Information technology – code of practice for information
security management from
• ISO (International Organization for Standards)
• IEC (International Electro-technical Commission)
• One of the most widely referenced and often discussed
security models
• ISO/IEC 17799
– Purpose – “give recommendations for information security
management for use by those who are responsible for initiating,
implementing, or maintaining security in their organization.
– Provides a common basis
– Must pay for these
26

NIST Security Models
• Another possible approach described in
documents available from Computer Security
Resource Center of National Institute for
Standards and Technology (NIST)
• Publically available at no charge
• Several publications dealing with various
aspects
27

NIST Special Publication 800-14
• Security supports mission of organization is an
integral element of sound management
• Security should be cost-effective; owners have
security responsibilities outside their own
organizations
• Security responsibilities and accountability should
be made explicit; security requires a
comprehensive and integrated approach
• Security should be periodically reassessed;
security is constrained by societal factors
28

IETF Security Architecture
• Internet Engineering Task Force
• Security Area Working Group acts as advisory
board for protocols and areas developed and
promoted by the Internet Society
• RFC 2196: Site Security Handbook covers five
basic areas of security with detailed
discussions on development and
implementation
29

Key Technology Components
• SETA
– Security Education, Training and Awareness
– Employee errors among top threats
– Purpose
• Improve awareness of need to protect
• Develop skills and knowledge
• Build in-depth knowledge to design, implement, or
operate security programs
30

Security Education
• Everyone in an organization needs to be trained
and aware of information security; not every
member needs formal degree or certificate in
information security
• When formal education for individuals in security is
needed, an employee can identify curriculum
available from local institutions of higher learning
or continuing education
• A number of universities have formal coursework in
information security
31

Security Training
• Involves providing members of organization
with detailed information and hands-on
instruction designed to prepare them to
perform their duties securely
• Management of information security can
develop customized in-house training or
outsource the training program
32

Security Awareness
• One of least frequently implemented but most
beneficial programs is the security awareness
program
• Designed to keep information security at the
forefront of users’ minds
• Need not be complicated or expensive
• If the program is not actively implemented,
employees begin to “tune out” and risk of
employee accidents and failures increases
33

2. Computer forensics: Legal, ethical
and policy issues

What is Computer Forensics?
 Computer forensics (also known as
computer forensic science) is a branch of
digital forensic science pertaining to evidence
found in computers and digital storage media.
 The goal of computer forensics is to
examine digital media in a forensically sound
manner with the aim of identifying,
preserving, recovering, analyzing and
presenting facts and opinions about the digital
information.

Cont..
 Forensics is the process of using scientific
knowledge for collecting, analyzing, and
presenting evidence to the courts. (The word
forensics means “to bring to the court.”)
 Forensics deals primarily with the
recovery and analysis of evidence.
 Evidence can take many forms, from
fingerprints left on a window to DNA evidence
recovered from blood stains to the files on a
hard drive.

Cont..
 Because computer forensics is a new
discipline, there is little standardization and
consistency across the courts and industry.
 As a result, it is not yet recognized as a formal
“scientific” discipline.
 We define computer forensics as the
discipline that combines elements of law and
computer science to collect and analyze data
from computer systems, networks, wireless
communications, and storage devices in a way
that is admissible as evidence in a court of law.

Why is Computer Forensics Important?
 Adding the ability to practice sound computer
forensics will help you ensure the overall integrity and
survivability of your network infrastructure.
 You can help your organization if you consider
computer forensics as a new basic element in what is
known as a “defense-in-depth” (is a military strategy
that seeks to delay rather than prevent the advance of
an attacker)approach to network and computer
security.
 For instance, understanding the legal and technical
aspects of computer forensics will help you capture
vital information if your network is compromised and
will help you prosecute the case if the intruder is
caught.

What happens if you ignore computer
forensics?
 You risk destroying vital evidence or having
forensic evidence ruled inadmissible in a court of
law.
 Also, you or your organization may run
afoul(conflict) of new laws that mandate
regulatory compliance and assign liability if
certain types of data are not adequately
protected.
 Recent legislation makes it possible to hold
organizations liable in civil or criminal court if
they fail to protect customer data.

Cont..
 Computer forensics is also important because it
can save your organization money.
 Many managers are allocating a greater portion of
their information technology budgets for computer
and network security.
 International Data Corporation (IDC) reported that
the market for intrusion-detection and vulnerability-
assessment software will reached 1.45 billion dollars in
2006.
 In increasing numbers, organizations are deploying
network security devices such as intrusion detection
systems (IDS), firewalls, proxies, and the like, which all
report on the security status of networks.

Goal of computer forensics
From a technical standpoint, the main goal of
computer forensics is to identify, collect,
preserve, and analyze data in a way that
preserves the integrity of the evidence
collected so it can be used effectively in a legal
case.

What are some typical aspects of a
computer forensics investigation?
 First, those who investigate computers
have to understand the kind of potential
evidence they are looking for in order to
structure their search.
 Crimes involving a computer can range
across the spectrum of criminal activity, from
child pornography to theft of personal data to
destruction of intellectual property.

Cont..
 Second, the investigator must pick the
appropriate tools to use.
 Files may have been deleted, damaged, or
encrypted, and the investigator must be
familiar with an array of methods and
software to prevent further damage in the
recovery process.

Types of data are collected in computer
forensics.
 Two basic types of data are collected in
computer forensics.
 Persistent data is the data that is stored on a
local hard drive (or another medium) and is
preserved when the computer is turned off.
 Volatile data is any data that is stored in
memory, or exists in transit, that will be lost when
the computer loses power or is turned off.
 Volatile data resides in registries, cache, and
random access memory (RAM).
 Since volatile data is ephemeral, it is essential
an investigator knows reliable ways to capture it.

Legal Aspects of Computer Forensics
 Anyone overseeing network security must be
aware of the legal implications of forensic activity.
 Security professionals need to consider their
policy decisions and technical actions in the
context of existing laws.
 For instance, you must have authorization
before you monitor and collect information
related to a computer intrusion.
 There are also legal ramifications to using
security monitoring tools.

Cont..
 Computer forensics is a relatively new
discipline to the courts and many of the existing
laws used to prosecute computer-related crimes,
legal precedents, and practices related to
computer forensics are in a state of flux.
 New court rulings are issued that affect how
computer forensics is applied.
 The best source of information in this area is
the United States Department of Justice’s Cyber
Crime web site.

Three areas of law related to computer
security
o The first is found in the United States
Constitution.
o The Fourth Amendment allows for protection
against unreasonable search and seizure, and the
Fifth Amendment allows for protection against
self-incrimination (law, the giving of evidence that
might tend to expose the witness to punishment
for crime).
o Although the amendments were written
before there were problems caused by people
misusing computers, the principles in them apply
to how computer forensics is practiced.

Cont..
Second, anyone concerned with computer
forensics must know how three U.S. Statutory
laws affect them
o Wiretap Act (18 U.S.C. 2510-22)
o Pen Registers and Trap and Trace Devices Statute (18 U.S.C.
3121-27)
o Stored Wired and Electronic Communication Act (18 U.S.C.
2701-120)

Cont..
 Third, the U.S. Federal rules of evidence
about hearsay, authentication, reliability, and
best evidence must be understood.
 In the U.S. there are two primary areas of
legal governance affecting cyber security actions
related to the collection of network data:
(1) authority to monitor and collect the data and
(2) the admissibility of the collection methods.
 Of the three areas above, the U.S.
Constitution and U.S. Statutory Laws primarily
govern the collection process, while the Federal
Rules of Evidence deal mostly with admissibility.

References
Reference Text Books:
1. Computer Forensics US-CERT Produced 2008
by US-CERT, a government organization.
2. C.Easttom, Computer Security Fundamentals,
Prentice Hall, May 2005.
3. D. Russell and G.T. Gangemi, Computer
Security Basics, OReilly& Associates, 1991.

THANK YOU

ANS_Ch_06_Handouts.pdf

More Related Content

Similar to ANS_Ch_06_Handouts.pdf

More from MeymunaMohammed1

Recently uploaded

ANS_Ch_06_Handouts.pdf