Information Security Laws and Legal System (cont)

Business/Home
Information Security
Seminar
Presented by:
Jose R. Paloschavez
Candidate for Master of Science in Network Security
E-mail: [email protected]
Stafford Porter Library,
April 2, 2003,
7:00 P.M.-9:00 P.M.
1
Disclaimer:
- All information provided by Jose R. Paloschavez in this seminar or made available to the public is to provide information for interested persons. While Jose R. Paloschavez believes the information is reliable, human or mechanical error remains a possibility. Therefore, Jose R. Paloschavez does not guarantee the accuracy, completeness, timeliness, or correct sequencing of information. Neither Jose R. Paloschavez, nor any of the sources of the information, shall be responsible for any error or omission or the use of, or the results obtained from the use of, this information.
2
Agenda
• History (Internet)
• Why Should We Care About Security?
• Problem – In Large
• Methods of Attack
• Attacker’s Process
• Malicious Mobile Code
• Laws and Legal System
3
Agenda (cont)
• Privacy Issues and Civil Liberties
• Continuing Threats to Home Users
• Steps to Protect Personal Information
– Security Knowledge in Practice
• Important Resources
4
History
• 1845 – Morse: first working telegraph model, New York
• 1881 – Telephone scrambler
• 1920s – Government wiretaps
• 1940s – AEA (Atomic Energy Act) "Restricted Data" category
• 1980s – Defense Authorization Act
– Onset of the personal computer
– More corporate/proprietary data stored on diskette, in volatile space
– Viruses
5
History (cont)
• 1990s – Increased quality of shared applications
– Increasing dependence on resources
– International threats and risks
– Shrinking budgets force cuts in security spending
– Open systems
– Challenge of the decade before Y2K
6
Internet a.k.a. “the Net” “Web”
dub…dub…dub
Definition
• Is a global network of
networks enabling computers
of all kinds to directly and
transparently communicate
and share services through
much of the world
–Internet Society
7
Internet (cont)
• How does it work?
(Slides 8 to 15: eight diagram slides, "1 of 8" through "8 of 8"; the figures are not reproduced in this transcript.)
Why Should We Care about
Computer Security? (Home)
The Internet has become indispensable to home users…
• Banking Transactions
– Check financial records, pay bills, etc.
• On-line Shopping
– Electronics, home improvement, etc.
• Electronic Mail (e-mail)
• Chat
• Access Information Rapidly (24x7)
– News, weather, etc.
16
Why Should We Care about
Computer Security? (Business)
The Internet has become indispensable to business…
• Conduct Electronic Commerce
• Provide Better Customer Service
• Collaborate with Partners
• Reduce Communication Costs
• Improve Internal Communications
• Access Critical Information Rapidly (24x7)
19
Why Should We Care about
Computer Security? (Business)
Security Principles:
• Confidentiality – only authorized parties can read the information
• Integrity – the information cannot be altered without the change being detected
• Availability – the information and the services that provide it are there when needed
• Authentication – each party is who it claims to be
• Non-Repudiation – the sender of a message or the maker of a transaction cannot later deny it
20
The Problem – In Large
Statistics:
• 90% of respondents to the Computer Security Institute/FBI 2002 survey reported security breaches (85% in 2001, 70% in 2000, 62% in 1999)*
– 223 organizations (44%) able to quantify financial loss reported $455.8M (2002 survey)
– 186 organizations (35%) able to quantify financial loss reported $377.8M in the 2001 survey (273 organizations [51%], $265.6M in the 2000 survey)
• Theft of proprietary information and financial fraud were the most serious (costliest) loss categories
– 70% cited their Internet connection as a frequent point of attack (2001 survey; 59% in the 2000 survey)
– 80% acknowledged financial losses due to computer breaches (2002 survey)
*Computer Crime and Security Survey, Computer Security Institute and the FBI, 2002, http://www.gocsi.com/pdfs/fbi/FBI2002.pdf
*Computer Crime and Security Survey, Computer Security Institute and the FBI, 2001, http://www.gocsi.com/prelea_000321.htm
21
Methods of Attack
Methods used to bypass access controls and gain unauthorized access to information
• Brute Force – a persistent series of attempts, trying every possible key or password (or many approaches in turn), in an attempt to break into a computer system
• Denial of Service – overloading a system through an online connection to force it to shut down or stop serving legitimate users
• Social Engineering – deception of system personnel in order to gain access
• Spoofing – masquerading an ID or data (for example, a source address or a login prompt) to gain access to data or a system
• Dictionary Attack – a file containing most dictionary words (and common passwords) that is used to guess a user’s password; far cheaper than brute force because people choose guessable passwords
22
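The brute-force and dictionary attacks above are usually run offline against a copy of the password store, which is why how the store hashes passwords matters. The following is an added worked example, not part of the seminar: it cracks a constructed two-user store with a constructed ten-word list, first where passwords are stored as unsalted MD5 (common in 2003) and then where they are stored as salted PBKDF2-HMAC-SHA256. The user names, passwords and the 100,000-iteration PBKDF2 cost are assumptions chosen for the demo.

```python
# Added example (not from the seminar): an offline dictionary attack against
# stored password hashes, run first against unsalted MD5 and then against
# salted PBKDF2-HMAC-SHA256. Every user name, password and word below is
# constructed for the demo; nothing contacts a real system.
import hashlib
import hmac
import os

# Constructed word list; real ones hold millions of entries.
WORDLIST = ["password", "letmein", "qwerty", "dragon", "monkey", "baseball",
            "summer2003", "welcome", "admin", "football"]

PBKDF2_ITERATIONS = 100_000   # assumption: a cost the legitimate server can afford per login


def md5_hex(password: str) -> str:
    """The weak 2003-era scheme: one fast, unsalted hash of the password."""
    return hashlib.md5(password.encode()).hexdigest()


def attack_unsalted(store: dict, wordlist: list) -> tuple:
    """Hash each word once and look every stored hash up in the table.

    Without a salt, identical passwords hash identically, so one pass over the
    word list cracks every user whose password is in it. Returns the cracked
    accounts and the number of hash operations the attacker needed.
    """
    table = {md5_hex(word): word for word in wordlist}
    cracked = {user: table[h] for user, h in store.items() if h in table}
    return cracked, len(wordlist)


def pbkdf2_record(password: str, salt=None) -> tuple:
    """The stronger scheme: per-user random salt plus a deliberately slow KDF."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, dk


def verify_pbkdf2(password: str, salt: bytes, dk: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, dk)   # constant-time comparison


def attack_pbkdf2(store: dict, wordlist: list) -> tuple:
    """Salt defeats the shared lookup table: every (user, word) pair must be
    derived separately, and each derivation costs PBKDF2_ITERATIONS hashes."""
    cracked, hash_ops = {}, 0
    for user, (salt, dk) in store.items():
        for word in wordlist:
            hash_ops += PBKDF2_ITERATIONS
            if verify_pbkdf2(word, salt, dk):
                cracked[user] = word
                break
    return cracked, hash_ops


# Constructed credential stores: alice chose a word-list password, bob did not.
PASSWORDS = {"alice": "summer2003", "bob": "Tr0ub4dor&3"}
UNSALTED_STORE = {u: md5_hex(p) for u, p in PASSWORDS.items()}
PBKDF2_STORE = {u: pbkdf2_record(p) for u, p in PASSWORDS.items()}

if __name__ == "__main__":
    for name, attack, store in [("unsalted MD5", attack_unsalted, UNSALTED_STORE),
                                ("salted PBKDF2", attack_pbkdf2, PBKDF2_STORE)]:
        cracked, ops = attack(store, WORDLIST)
        print(f"{name:14s} cracked={cracked} hash_ops={ops:,}")
```

Both runs crack alice and neither cracks bob: a dictionary attack is only as good as its word list. The difference is cost: ten hashes crack the whole unsalted store at once, while the salted, iterated store needs 1.7 million hashes for two users and the attacker's work grows with every additional user and every additional word.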
Malicious Mobile Code
• Virus – code that attaches itself to a host program or document and replicates when the host is run or opened
• Worm – a self-contained program that copies itself across the network (through vulnerable services or e-mail) without needing a host program
• Trojan Horse – a program that appears useful or harmless but carries a hidden malicious function, such as a backdoor
• Logic Bomb – code that lies dormant inside a system or program until a trigger condition (a date, an event, a user's departure) sets it off
23
The Attacker’s Process
Some ways an attacker can gain access or exploit a system
• Passive Reconnaissance – gathering general information about the target without touching it directly (e.g. sniffing traffic, reading public records)
• Active Reconnaissance – the attacker has enough information to probe or scan the site directly (e.g. which services are running, open ports, software versions)
• Exploiting the System – compromise a system or a user’s account to gain access
• Uploading Programs – once the attacker has gained access, tools (backdoors, sniffers, attack kits) may be uploaded
• Downloading Data – the attacker is usually after information (e.g. personal data, credit card numbers)
24
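The "active reconnaissance" step above, as an added example that is not part of the seminar: a TCP connect scan that completes the handshake on each port and records the banner the service volunteers, which is how an attacker learns "services running, ports" and software versions. To keep it self-contained and lawful, the target is a constructed listener started in-process on 127.0.0.1 with an assumed, made-up sshd-style banner; scanning hosts you do not own or have written permission to test is a crime under the statutes discussed later in this seminar.

```python
# Added example (not from the seminar): an active-reconnaissance TCP connect
# scan with banner grabbing, run against a constructed target that listens on
# the loopback interface so the code is self-contained. Probing hosts you do
# not own or have written permission to test is a crime in most jurisdictions.
import socket
import threading


def start_fake_service(banner: bytes) -> tuple:
    """Constructed target: a loopback listener that greets each client with a
    banner and hangs up, like a chatty daemon. Returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:             # listener shut down: exit the thread
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def probe(host: str, port: int, timeout: float = 0.5) -> tuple:
    """Active probe of one port: complete the TCP handshake ("connect scan"),
    then read whatever the service volunteers. A closed port refuses the
    handshake; a filtered one times out. Returns (is_open, banner)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(256)
            except socket.timeout:      # open but silent (e.g. HTTP waits for us)
                banner = b""
            return True, banner
    except OSError:                     # refused, timed out, unreachable
        return False, b""


def connect_scan(host: str, ports) -> dict:
    """Map each open port to the banner it returned."""
    found = {}
    for port in ports:
        is_open, banner = probe(host, port)
        if is_open:
            found[port] = banner
    return found


def closed_loopback_port() -> int:
    """Reserve-and-release a port so the scan has a known-closed one to hit."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo() -> dict:
    # Constructed banner in the style of a 2003-era sshd; version strings like
    # this are exactly what an attacker matches against known exploits.
    srv, open_port = start_fake_service(b"SSH-2.0-OpenSSH_3.4p1\r\n")
    try:
        return connect_scan("127.0.0.1", [closed_loopback_port(), open_port])
    finally:
        try:
            srv.shutdown(socket.SHUT_RDWR)   # wake the accept() so the thread exits
        except OSError:
            pass
        srv.close()


if __name__ == "__main__":
    for port, banner in demo().items():
        print(f"127.0.0.1:{port} open  banner={banner!r}")
```

A connect scan is noisy: every probe completes a handshake, so the target's service logs record it, which is the defender's hook for the "Detect" step later in this seminar. The banner is the payoff for the attacker; removing or genericizing version strings from public-facing services takes that away at no cost.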
Black Hats vs. White Hats
Terms:
• Black Hat – hacker (noun): hackers who are capable of finding flaws on their own and ultimately exploit system security breaches for their nefarious ends…
– Dictionary.com
• White Hat – hacker (noun): a person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary
– www.whitehat.org
25
Laws and Legal System
What You Need to Know…
• National Infrastructure Protection Center
– Mission is to “serve as the government’s focal point for threat assessment, warning, investigation, and response to threats or attacks against our nation's critical infrastructures.”
• United States Code, Title 18
– Defines the federal crimes, court system, and punishments of the United States.
• Electronic Communications Privacy Act
– Makes it illegal to intercept or disclose private communications and provides victims of such conduct a right to sue anyone violating its mandate.
• The Computer Fraud and Abuse Act (18 U.S.C. § 1030, as amended 1994 and 1996)
– “…having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data…”
26
Laws and Legal System (cont)
Computer Crime
• Breaches of physical security
- dumpster diving
- wiretapping
- eavesdropping
- denial or degradation of service
• Breaches of personnel security
- masquerading
- social engineering
- harassment
27
Laws and Legal System (cont)
Computer Crime
• Breaches of communications and data
security
- data attacks
- software attacks
• Breaches of operating security
- data diddling
- IP spoofing
- password sniffing
- excess privileges
28
Laws and Legal System (cont)
Computer Crime Laws and Regulations
• Common law systems
– US, Canada, UK, Australia, New Zealand
• Civil law systems
– France, Germany, Quebec
29
Laws and Legal System (cont)
Computer Crime
• Criminal law – individual conduct which
violates state or federal laws which are
enacted for the protection of the public
• Civil law (tort)
- wrong against an individual or business
which results in damage or loss
- no prison time
- requires financial restitution
30
Laws and Legal System (cont)
Computer Crime
• Civil law (continued)
– Compensatory damages
- actual damages to the victim
- attorneys' fees
- lost profits
- investigation costs
– Punitive damages
- set by the jury
- punish the offender
– Statutory damages
- damages determined by law
- the violation alone entitles the victim to the statutory amount
31
Laws and Legal System (cont)
Computer Crime
• Administrative/regulatory law – standards of performance and conduct set by government agencies for organizations
• Intellectual property/information technology related laws (SRV Theory 903.3)
– Patent
- grants the owner a legally enforceable right to exclude others from practicing the covered invention
- protects novel, useful and non-obvious inventions
32
Laws and Legal System (cont)
Computer Crime
– Trademark
- any word, name, symbol, color, sound, product shape or device, or combination of these, used to identify goods and distinguish them from those made or sold by others
– Copyright
- covers the expression of ideas rather than the ideas themselves (“original works of authorship”)
– Trade secret
- proprietary business or technical information which is confidential and protected only as long as the owner takes certain security actions to keep it secret
33
Laws and Legal System (cont)
Computer Crime
• Computer crime laws
– computer related crimes and abuses: viruses, software piracy (“software police”), Internet crossing-jurisdiction problems, illegal content issues (child pornography)
– wire fraud and mail fraud statutes are often used in computer crime cases
– various economic or financial crime laws
34
Privacy and Civil Liberties
• The term privacy stems from the Latin word privatus, which literally means “apart from the public life.”
– Andre Bacard, The Computer Privacy Handbook (1995)
• Over one hundred years ago, Justice Louis D. Brandeis called the right to privacy “the right to be let alone.”
– Ellen Alderman, The Right to Privacy (1995)
• The American right to privacy is rooted in the Fourth Amendment to the United States Constitution. This Amendment, ratified in 1791, states:
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
35
Continuing Threats to Home Users
Topics:
• CERT/CC has observed a significant increase in activity resulting in compromises of home user machines
• Many home users DO NOT keep their machines up to date with security patches and workarounds, DO NOT run current anti-virus software, and DO NOT exercise caution when handling e-mail attachments
• Intruders are aware of these facts. Consequently, there has been an increase in intruders specifically targeting home users who have cable modem or DSL (Digital Subscriber Line) connections, since those machines are always on and reachable from the Internet
36
Steps Users Can Take to Improve
Computer Security (Home)
• Use a personal router (if connected via cable modem or DSL) (e.g. Linksys, D-Link, etc.); its NAT function stops outside hosts from connecting directly to your machines
• Use a personal firewall (e.g. ZoneAlarm, free for home use)
– Software firewall – specialized software running on an individual computer
– Network firewall – a dedicated device designed to protect one or more computers
• Use anti-virus software and keep its signatures current (e.g. McAfee, Norton or Trend Micro)
• Don't open unknown e-mail or attachments
• Don't run programs of unknown origin
• Turn off your computer or disconnect from the network when not in use
• Make regular backups of critical data, and keep a copy off the machine
37
Security Knowledge in Practice
(Business)
Steps to Improve Your Systems' Security
• Vendor Defaults – when you receive software from a vendor, it has default settings. This default configuration (default accounts and passwords, unneeded services enabled) may leave you vulnerable to compromise
• Hardening and Securing – identify and inventory hardware/software, remove what is not needed and lock down what remains
• Prepare – files & directories, processes, performance, network, procedures, contacts, test environments and disaster recovery
• Detect – analyze and monitor information sources and logs
• Respond – analysis, forensics, containment and PR
• Improve – patch, re-architect
38
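The "Detect" step above is the defender's side of the brute-force and dictionary attacks covered earlier. As an added example that is not part of the seminar, the code below runs a sliding-window detector over constructed OpenSSH log lines (TEST-NET addresses, April 2003 timestamps to match the seminar): it flags a source that fails five or more logins inside two minutes, and escalates when that same source then succeeds, which is a likely compromise rather than a user mistyping a password. The year 2003, the threshold and the window are assumptions; the log line format is what sshd writes to syslog.

```python
# Added example (not from the seminar): the "Detect" step applied to login
# logs. The sshd lines below are constructed (TEST-NET addresses, 2003 dates
# to match the seminar); the format is what OpenSSH writes to syslog. The
# detector flags a source that fails repeatedly inside a short window, and
# escalates if that same source then succeeds.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
Apr  2 19:00:01 gw sshd[2190]: Failed password for jsmith from 198.51.100.23 port 51020 ssh2
Apr  2 19:00:09 gw sshd[2190]: Accepted password for jsmith from 198.51.100.23 port 51020 ssh2
Apr  2 19:00:10 gw sshd[2190]: pam_unix(sshd:session): session opened for user jsmith by (uid=0)
Apr  2 19:01:02 gw sshd[2201]: Failed password for invalid user oracle from 203.0.113.7 port 40122 ssh2
Apr  2 19:01:04 gw sshd[2203]: Failed password for invalid user test from 203.0.113.7 port 40123 ssh2
Apr  2 19:01:07 gw sshd[2205]: Failed password for root from 203.0.113.7 port 40124 ssh2
Apr  2 19:01:09 gw sshd[2207]: Failed password for root from 203.0.113.7 port 40125 ssh2
Apr  2 19:01:12 gw sshd[2209]: Failed password for admin from 203.0.113.7 port 40126 ssh2
Apr  2 19:01:15 gw sshd[2211]: Failed password for admin from 203.0.113.7 port 40127 ssh2
Apr  2 19:01:20 gw sshd[2213]: Accepted password for admin from 203.0.113.7 port 40128 ssh2
"""

LOG_YEAR = 2003   # assumption: syslog timestamps carry no year

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_auth_log(lines):
    """Return (timestamp, source_ip, user, succeeded) for each login attempt;
    lines that are not login attempts (session opened, etc.) are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        events.append((ts, m["ip"], m["user"], m["outcome"] == "Accepted"))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Sliding-window detector.

    BRUTEFORCE: `threshold` or more failures from one source within `window`.
    SUCCESS_AFTER_BRUTEFORCE: a flagged source later logs in; treat as a
    probable compromise, not a user who mistyped a password.
    Returns a list of (alert_type, source_ip, user, timestamp).
    """
    recent_failures = defaultdict(deque)   # ip -> failure timestamps inside the window
    flagged = set()
    alerts = []
    for ts, ip, user, succeeded in sorted(events):
        if succeeded:
            if ip in flagged:
                alerts.append(("SUCCESS_AFTER_BRUTEFORCE", ip, user, ts))
            continue
        q = recent_failures[ip]
        q.append(ts)
        while q and ts - q[0] > window:    # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged.add(ip)
            alerts.append(("BRUTEFORCE", ip, None, ts))
    return alerts


if __name__ == "__main__":
    for kind, ip, user, ts in detect_bruteforce(parse_auth_log(SAMPLE_LOG.splitlines())):
        print(f"{ts:%b %d %H:%M:%S} {kind:25s} src={ip} user={user or '-'}")
```

The legitimate user (one failure, then success) produces no alert; the guessing source is flagged at its fifth failure and again, at higher severity, when it finally logs in as admin. The second alert is the one that feeds the "Respond" step: containment and forensics on that account and host, not just blocking the address.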
Important Resources
• CERT®/CC Contact Information
– http://www.cert.org
– +1 412-268-7090 (24-hour hotline)
• SANS (SysAdmin, Audit, Network, Security) Institute
– http://www.sans.org
– +1 866-570-9927 (8-5 EST hotline)
• Federal Bureau of Investigation, National Infrastructure Protection Center (NIPC)
– http://www.nipc.gov
– +1 888-585-9078 (24-hour hotline)
• Virus Bulletin (Independent Anti-Virus Advice)
– http://www.virusbtn.com/
39
Important Resources (cont)
• Federal Trade Commission
– http://www.ftc.gov
– +1 877-FTC-HELP (24-hour hotline)
• Commonwealth of Virginia Cyber Cops, Office of the Attorney General, Technological Division, Computer Crime Unit
– http://jcots.state.va.us
– +1 804-786-6053 (24-hour hotline)
• Federal Bureau of Investigation (Online Child Pornography), Innocent Images National Initiative
– http://www.fbi.gov/hq/cid/cac/innocent.htm
– +1 800-843-5678 (24-hour hotline)
• Request that your name be removed from marketing lists to reduce the number of pre-approved credit card applications received by U.S. mail
– +1 888-567-8688 (1-888-5-OPT-OUT)
40
Business/Home
Information Security
Seminar
Presented by:
Jose R. Paloschavez
E-mail: [email protected]
Candidate for Master of Science in Network Security
Capitol College
2003
41