TOP TIPS
1 - PERIMETER SECURITY
De-perimeterisation is, like the awful 'remediation', one of those totally unnecessary extensions of English that have arisen in the computing industry, and is a term that would be better expressed as 'without boundary'. That said, boundaries that may or may not be there still need defending in cyberworld.
Perimeter security comprises those preventive control devices that authenticate, or deny, access to networks, systems and applications. These range from basic passwords to complex firewall pattern analysis but all are designed to sort the white hats from the black hats in today’s highly techno-savvy society and to grant access only to those who are authorised to have it and who can prove that they are authorised to have it.
1. Use strong passwords to access systems or networks (Preventive control)
See under the Access Authentication section of this website
2. Deploy firewalls between your network/PC and an unsafe network (Preventive control)
A firewall is a protective device that controls the ingress (or egress) of information or data to and from your network or PC. It works in much the same way as its real-life, physical counterpart, which prevents the spread of flames from one combustible area to another.
Firewalls can be implemented for many reasons, most of which deal with malware.
For example, they can be designed to:
• prevent loss or leakage of confidential information to hackers;
• prevent the introduction of malicious software, such as Trojan horses, on to your systems;
• detect and defend against denial of service attacks, designed to bombard your system with so much apparently authorised input that it has to be shut down.
They can also take several forms. For example, software firewalls, extensively configurable, can be built into a PC or web server, while hardware firewalls are not so easy to configure but ensure that adverse content never reaches your critical systems in the first place.
Firewalls can be established in their own right but are often configured within network routers in terms of restrictions on IP ports.
3. Deploy firewalls within your network (Preventive control)
There will often be a need for logical segregation of security or function in an organisation and its network, especially to isolate sensitive network components.
For example, there should be no valid reason why anybody outside the payroll function should have access to the systems information therein, while stored payment card details, on systems used for business transactions, should similarly be secured against any non-authorised access.
Also, good IT governance dictates that there is usually a requirement for development and production systems, together with their respective authorised users, to be logically or physically separate from each other.
Firewalls have their part to play in such network security configuration, usually in association with component IP addresses and/or user access privileges (security profiles).
4. Consider firewall rules carefully (Preventive control)
Firewall rule sets can range from very simple to extremely complex and should be carefully devised, formally approved and, in the business arena, implemented under strict change management.
The most simple firewall rule set is deny all. Full stop.
This is an extremely effective protective mechanism, because it prevents any data packets from crossing the firewall. The downside of this is that the organisation can get no information in or out, so is somewhat impractical as a business model.
However, it is the best place to start when developing the security model from the ground up, so to speak, because access rights can be granted in a careful and controlled manner from that point. It can allow, for example, data ingress from a particular business partner IP address or trusted systems (like www.bbc.co.uk) by identifying their IP addresses as permissible.
This concept is known as deny all unless specifically permitted and while it takes a long time to establish and requires constant review, it is nevertheless the most secure approach.
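The following is an added example, not code from the original page: a small packet filter in Python that implements deny all unless specifically permitted. Rules are checked in order, the first match wins, and anything that matches no rule falls through to the implicit deny. The addresses are constructed placeholders from the documentation ranges, standing in for a business partner, the internal LAN and a trusted web site; the Rule and Packet types are the example's own.

```python
# Added example (not the page's own code): a "deny all unless specifically
# permitted" packet filter. Rules are checked in order, first match wins, and a
# packet that matches nothing falls through to the implicit deny.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    direction: str           # "in" (towards our network) or "out"
    src: str                 # CIDR such as "203.0.113.0/24", or "any"
    dst: str                 # CIDR or "any"
    proto: str               # "tcp", "udp" or "any"
    dport: Optional[int]     # destination port, None = any port
    comment: str = ""


@dataclass(frozen=True)
class Packet:
    direction: str
    src: str
    dst: str
    proto: str
    dport: int


def _ip_in(ip: str, network: str) -> bool:
    """True if the address lies inside the network (or the rule says 'any')."""
    if network == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(network, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and _ip_in(pkt.src, rule.src)
            and _ip_in(pkt.dst, rule.dst)
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, reason). Nothing matched means the default policy applies."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.comment
    return "deny", "default policy: deny all unless specifically permitted"


# Constructed addresses from the RFC 5737 documentation ranges; they stand in
# for a business partner, the internal LAN and a trusted web site.
PARTNER_NET = "203.0.113.0/24"
OFFICE_NET = "192.0.2.0/24"
TRUSTED_SITE = "198.51.100.10"

RULES = [
    Rule("allow", "in", PARTNER_NET, OFFICE_NET, "tcp", 443, "partner HTTPS feed"),
    Rule("allow", "out", OFFICE_NET, TRUSTED_SITE, "tcp", 443, "trusted site over HTTPS"),
    Rule("deny", "out", OFFICE_NET, "any", "tcp", 23, "explicit: no telnet anywhere"),
    # Anything not listed above is dropped by evaluate()'s fall-through.
]

if __name__ == "__main__":
    samples = [
        Packet("in", "203.0.113.5", "192.0.2.20", "tcp", 443),      # partner -> allowed
        Packet("in", "203.0.113.5", "192.0.2.20", "tcp", 22),       # partner SSH -> no rule -> deny
        Packet("out", "192.0.2.20", "198.51.100.99", "tcp", 443),   # unlisted site -> deny
    ]
    for p in samples:
        print(p.direction, p.src, "->", p.dst, p.proto, p.dport, "=>", evaluate(RULES, p))
```

Every allow rule carries a comment saying why it exists; when the rule set is reviewed (the constant review the text calls for), a rule nobody can justify is a rule to remove.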
5. Subject your network to a penetration test (Detective control)
Also known as ethical hacking, which can be anything but ethical, penetration testing is the process of trying to access the internal resources of an organisation’s network from a point outside their network gateway, to prove whether secured information can be viewed, copied (stolen), deleted or simply corrupted.
This process is usually carried out by a proficient (and trusted) third party and is a compliance requirement of the Payment Card Industry Data Security Standard (PCI DSS - see section 9, 'Compliance with confidentiality laws and regulations').
Testing is not necessarily restricted to a technological box of tricks attached to the telecommunications cabling (or placed in the Wi-Fi vicinity) of a network. More human means can be utilised, such as the sinister-sounding social engineering, whereby a tester poses as an authorised visitor (such as a premises maintenance worker or meter reader), blags their way through whatever passes for premises security, and tries to access organisational information purely by looking like they belong and hoping that no-one will challenge them.
The sobering upshot of all this is that if someone you trust can get in, with no internal assistance, then so can one of the black hat elements of society!
6. Deploy a proxy server between internal and external network resources (Preventive control)
A proxy server, or proxy, is a hardware or software system that sits between one network and others acting as an intermediary for requests from the external networks (presumed, by default, to be hostile in this context) seeking resources or information from its host servers. It usually comprises a gateway between a home network and the internet, but can be a simple protective device between networks within an organisation.
The external requestor connects to the proxy server, requesting a service that is to be provided from the internal computers. This may be, for example, a file, or URL (web page).
The request is analysed and evaluated by the proxy, based upon a pre-determined set of criteria (which will include a catch-all provision for rejection by default, with an appropriate message, if no satisfactory transfer can be achieved).
If the request is validated, the proxy retrieves the necessary internal resource and returns it to the requestor. At no point will the external IP address that has submitted the request be connected directly to the internal IP address of the resource server. Dealings will only be at the proxy level, to preserve necessary internal anonymity, e.g. of IP addresses.
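As an added example (not the page's own code), here is the request-handling core of such a proxy in Python: it accepts a small allow-list of public paths, fetches the matching resource from an internal server on the requestor's behalf, and rejects everything else with a fixed message. The routing table, internal host addresses and backend content are all constructed, and the backend is a dictionary standing in for the proxy's own connection to the internal servers.

```python
# Added example (not the page's own code): the request-handling core of a
# reverse proxy that serves a small allow-list of public paths from internal
# servers and rejects everything else by default with a fixed message.
from typing import Dict, Optional, Tuple

# Constructed routing table: public path -> (internal host, internal path).
# The internal hosts never appear in anything returned to the requestor.
ROUTES: Dict[str, Tuple[str, str]] = {
    "/catalogue": ("10.0.5.20", "/srv/catalogue.html"),
    "/status": ("10.0.5.21", "/srv/status.json"),
}
ALLOWED_METHODS = {"GET"}

REASONS = {200: "OK", 400: "Bad Request", 403: "Forbidden",
           405: "Method Not Allowed", 502: "Bad Gateway"}


def response(status: int, body: bytes) -> bytes:
    head = (f"HTTP/1.1 {status} {REASONS[status]}\r\n"
            f"Server: gateway\r\nContent-Length: {len(body)}\r\n\r\n")
    return head.encode("ascii") + body


def parse_request_line(raw: bytes) -> Optional[Tuple[str, str]]:
    """Return (method, target) or None if the request line is malformed."""
    try:
        method, target, version = raw.split(b"\r\n", 1)[0].decode("ascii").split(" ")
    except ValueError:            # wrong field count, or non-ASCII bytes
        return None
    if not version.startswith("HTTP/") or not target.startswith("/"):
        return None
    return method, target


def fetch_internal(host: str, path: str,
                   backend: Dict[Tuple[str, str], bytes]) -> Optional[bytes]:
    """Stand-in for the proxy's own connection to the internal server."""
    return backend.get((host, path))


def handle(raw: bytes, backend: Dict[Tuple[str, str], bytes]) -> bytes:
    parsed = parse_request_line(raw)
    if parsed is None:
        return response(400, b"Bad Request")
    method, target = parsed
    if method not in ALLOWED_METHODS:
        return response(405, b"Method Not Allowed")
    route = ROUTES.get(target.split("?", 1)[0])
    if route is None:                        # the catch-all: reject by default
        return response(403, b"Forbidden: resource not available through this gateway")
    body = fetch_internal(route[0], route[1], backend)
    if body is None:
        return response(502, b"Bad Gateway")  # internal failure, no detail leaked
    return response(200, body)


# Constructed stand-in for the internal servers' content.
BACKEND = {
    ("10.0.5.20", "/srv/catalogue.html"): b"<html>catalogue</html>",
    ("10.0.5.21", "/srv/status.json"): b'{"ok": true}',
}

if __name__ == "__main__":
    for req in (b"GET /catalogue HTTP/1.1\r\nHost: shop.example\r\n\r\n",
                b"GET /admin HTTP/1.1\r\n\r\n",
                b"POST /status HTTP/1.1\r\n\r\n",
                b"garbage\r\n"):
        print(handle(req, BACKEND).split(b"\r\n", 1)[0])
```

The point to check in any real deployment is the same one the code tests: nothing in an error or success response should reveal the internal address, path or software of the server that actually held the resource.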
7. Maintain a log of perimeter activity (Detective control)
There are many reasons for keeping track of transactional and network traffic activity within and across system boundaries, e.g.:
• monitoring system usage for future capacity planning;
• assessing patterns of access by particular IP addresses that can be either encouraged or blocked according to desirability or threat;
• identifying potential (distributed) denial of service (DDoS) attacks;
• collecting information as evidence for compliance or legal action.
Therefore, it is a very good idea to configure event logs on firewalls, gateways, etc. and to ensure that they are large enough to store sufficient information for their purposes and saved and archived before being overwritten by further events.
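As an added example (not the page's own code), here is a Python script that reads firewall log lines and does two of the jobs listed above: it picks out sources whose connection attempts cluster within a short window, which is the pattern a denial of service or a port-scanning probe leaves, and it tallies which ports are being dropped most. The log format, the regular expression and the sample lines are constructed; a real firewall's format will differ, so LINE_RE would need adapting.

```python
# Added example (not the page's own code): parsing constructed firewall log
# lines and flagging sources whose connection attempts cluster in a short
# window, one of the patterns worth looking for in perimeter logs.
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed log format; real firewalls differ, so adjust LINE_RE to yours.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<action>ACCEPT|DROP) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)


def parse_line(line: str) -> Optional[dict]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None                          # skip lines we do not understand
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["dport"] = int(ev["dport"])
    return ev


def parse_log(lines: List[str]) -> List[dict]:
    return [ev for ev in (parse_line(line) for line in lines) if ev is not None]


def burst_sources(events: List[dict], window: timedelta = timedelta(seconds=60),
                  threshold: int = 5) -> Dict[str, int]:
    """Sources with at least `threshold` events inside any sliding `window`.

    Returns {source: peak count seen in one window}.
    """
    times = defaultdict(list)
    for ev in events:
        times[ev["src"]].append(ev["ts"])
    flagged: Dict[str, int] = {}
    for src, ts in times.items():
        ts.sort()
        start = 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged


def dropped_ports(events: List[dict]) -> Counter:
    """Which destination ports are being probed and dropped most."""
    return Counter(ev["dport"] for ev in events if ev["action"] == "DROP")


# Constructed sample log: one source hammering SSH, one legitimate visitor,
# and a line in a format the parser does not know.
SAMPLE_LOG = [
    "2024-03-01T10:00:01Z DROP src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=22",
    "2024-03-01T10:00:03Z DROP src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=22",
    "2024-03-01T10:00:04Z ACCEPT src=198.51.100.4 dst=192.0.2.10 proto=tcp dport=443",
    "2024-03-01T10:00:06Z DROP src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=22",
    "2024-03-01T10:00:09Z DROP src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=3389",
    "kernel: unrelated message the regex will skip",
    "2024-03-01T10:00:12Z DROP src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=22",
    "2024-03-01T10:00:15Z DROP src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=22",
    "2024-03-01T10:05:00Z ACCEPT src=198.51.100.4 dst=192.0.2.10 proto=tcp dport=443",
]

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("parsed", len(events), "of", len(SAMPLE_LOG), "lines")
    print("burst sources:", burst_sources(events))
    print("dropped ports:", dropped_ports(events).most_common(3))
```

Analysis like this only works if the log survives long enough to be read, which is the reason for the sizing and archiving advice above: a log that wraps every few hours will have lost the evidence by the time anyone asks for it.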
8. Establish a suitable access banner at the system perimeter (Deterrent control)
Unauthorised access to computer programs or data was defined as an offence under the Computer Misuse Act 1990, later amended and strengthened by the Police and Justice Act 2006.
However, it is initially down to the potential victims of hacking to do what they can to mitigate the threat, and some of these concepts are described above.
If an unauthorised intruder, before entering network resources, has had to acknowledge that only authorised access is permitted, then the victim is in a stronger position when it comes to bringing an identifiable intruder to justice.
Although most hackers will not come in through the front door, it can do no harm to place a website or network banner at the point of entry, whose terms and conditions must be technologically accepted by all who enter.
The wording of the banner may need to be scrutinised by a lawyer to ensure it is as watertight as possible.
Useful references:
• The Information Security Forum’s Standard of Good Practice, similar to ISO27001, is available as a free download from https://www.securityforum.org/?page=downloadsogp
• Firewall rules: http://technet.microsoft.com/en-us/library/dd421709(WS.10).aspx
• Payment Card Industry Data Security Standard: https://www.pcisecuritystandards.org/security_standards/documents.php
2 - PHYSICAL SECURITY
Physical security is not a modern phenomenon. It exists to deter or prevent persons from entering a physical facility or gaining access to a tangible object.
Historical examples include city walls, moats, etc. where physical security was as simple as a locked door or as elaborate as multiple layers of armed security guards and guardhouse placements, and the basic concept of tangible asset protection is unlikely to change until matter transfer becomes a reality.
Your physical security considerations (at all levels from corporate to personal) should include protection from fire, natural disasters, burglary, theft, vandalism, and, potentially, terrorism, depending upon your location and your interests.
The very best in software security isn't worth very much if somebody walks off with your computer under their arm. The following gives a brief overview of some of the options available for physically securing your equipment and data.
1. Secure your computer equipment - adhesive mount cables. (Preventive control)
Steel cables aren't the most attractive things to have around your desk and your computer equipment, but neither are many of the other devices in this section. That said, they are a relatively inexpensive way of preventing theft of equipment with specially-designed plates affixed to your computer case, your monitor and your desk using a super-strong adhesive compound. The cables themselves are then threaded through loops in the plates and secured with a padlock.
2. Secure your computer equipment – secure casing. (Preventive control)
Even less attractive than steel cables, but probably more secure (and expensive), are secure casings, often of quite thick and/or heavy steel that surround your computer’s case. They can be securely bolted to the floor, your desk or your car if you so desire.
3. Audible alarms. (Deterrent control)
Audible devices can be fitted to your computer casing (above), either on the inside or outside, which, when disturbed, will emit a loud siren that will alert anybody within earshot that something is being stolen. It will not prevent the theft but should deter (or at least embarrass) the miscreant.
The downside to these is that, in the writer’s view, they can sound off spontaneously as false alarms, which can result at best in irritation or at worst ignoring it and taking no action. (Be honest, when you hear a car alarm going off in a car park, do you walk over to it and note who is walking around or away from it – or even phone the police?)
4. Marking systems. (Detective control)
Marking computer equipment indelibly (and possibly invisibly) with appropriate detail, such as a postcode, is fairly easy and cheap. The marking can be performed in various ways - in the form of metallic tabs that are fixed with a strong epoxy adhesive, by an etching compound or simply by using a UV marking pen.
Associated with this, you should keep a separate record of the equipment manufacturer’s serial number.
5. Disk drive and USB port locks. (Preventive control)
To protect your drives from misuse there are a wide range of hardware solutions that will prevent them being used at all without a key. Some are stronger than others, and some of them have pathetic locks that can be forced easily with a paperclip, but if you choose a good one it can be extremely effective.
Software solutions, such as Active Directory Group Policy, can also be deployed to prevent copying of huge amounts of sensitive information to high-performance USB media (including MP3 recorders and digital cameras), CD-Rs and other external drives.
6. Clear desk and screen policy (Preventive control)
A clear desk ensures that when you’re not at your desk (especially out of working hours) sensitive hard copy documents are properly locked and secured against unauthorised access or copying. The threats vary from the everyday (e.g. viewing/removal by third parties, such as cleaning contractors) to the dramatic (e.g. explosion, blowing the windows out and distributing paperwork all over the district).
Although not a physical control, closely associated with this concept is the use of screen saver passwords – always, even when at home, use a timeout based upon a short period of keyboard inactivity – and be sure to position your monitor in such a way as to prevent casual viewing or shoulder surfing. Allow yourself time to exit from and/or lock down any sensitive work you may be doing if unauthorised people approach your work area.
Remember, also, when leaving meeting rooms to clear white boards of any information that should not be disclosed to unauthorised viewers.
7. Premises security (Preventive and detective control)
Preventing and monitoring access to buildings and rooms therein is the ultimate physical security control.
Like the computer locking devices described above, this can be achieved inexpensively by use of British Standard locks with physical keys (which themselves need to be controlled and which should have duplicates available) through to sophisticated swipe card or biometric access systems, which can prevent or allow access and track the user through the premises if so desired. The considerable expense of the latter needs to be justified on the basis of risk and also must be correctly configured (e.g. to enforce effective segregation of access on a needs only basis), maintained, monitored and archived.
CCTV is a further option, similarly expensive and similarly possibly requiring significant alterations to premises for cable runs, etc.
Laser beam security, often considered a flight of fancy control (consider Tom Cruise in 'Mission Impossible' or Wallace and Gromit in 'The Wrong Trousers'), has its place in the physical protection armoury, but it is an extreme option.
Useful references:
• Physical security: http://en.wikipedia.org/wiki/Physical_security
• Physical security definition: http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci1150976,00.html
• Physical security devices: http://www.lockdown.co.uk/?pg=physical&s=articles
• Property identification: http://www.immobilise.com
• Disabling external drives: http://support.microsoft.com/?scid=kb%3Ben-us%3B555324&x=6&y=9#appliesto
3 - ACCESS AUTHENTICATION
The most fundamental form of access authentication is by a combination of user name (userID) and password. It has been in use for decades and will no doubt continue to be so, but more sophisticated means of authenticating oneself to a system, be it local to a PC, networked or web-based, are constantly being developed to maintain the confidentiality of information, prevent theft of real resources, like money, or to preserve identity. Indeed, identity theft has become increasingly significant in recent years, especially with the rise of the Facebook generation, who tend to be younger with a more carefree outlook on sharing information (names, addresses, ages, images, credit cards, etc.) with their friends, peer groups - and anybody else who may be interested in listening in.
Depending on what articles you read, the performance of password-cracking software can be measured in microseconds, given the chance, but one thing is certain – every additional character, or extra class of character (upper/lower case, numerals, or the symbols on the number row of your keyboard when the <shift> key is used), in your password multiplies the time necessary to crack it, so the effort grows exponentially.
It’s worth taking the time to prepare a hard one to crack.
1. Use strong passwords to authenticate yourself to a network or other critical or sensitive resource. (Preventive control)
Password tips:
a. Use a sufficiently long password; 8 characters is usually sufficient for most sensitive applications.
b. Incorporate both alpha and numeric characters and deploy a further complexity factor, such as upper case and/or special characters - @, £, ?, %, etc. – although you may be technologically forced to do this at logon.
c. Do not use words that will be found in a standard English dictionary (unless using pass-phrases – see below).
2. Change your password regularly. (Preventive control)
Change it every 90 days at most and preferably much more frequently, e.g. monthly, especially if you are accessing what you consider to be a sensitive system, such as your bank account.
3. Replace compromised passwords. (Corrective control)
If your password has become known to someone else, or even if you think this has occurred, change it immediately, to minimise misuse of the system in your name.
If you find you cannot log in, it is possible that a third party has secured access to your system (perhaps in your absence while away from your desk) and you will need to get your password re-set.
If you have sensitive or valuable information on your system, this is the technological equivalent of letting someone have your credit card and PIN.
4. Use a pass-phrase. (Preventive control)
If you find it difficult to remember a password, then a pass-phrase is an ideal alternative, linking words that have personal meaning to you but which cannot be found by a dictionary password cracker. Examples are 'maryhadalittlelamb' or 'libdemconcoalition', embellishing them further with numb4rs and control ch@racters as required.
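The following added example (not the page's own code) puts the password tips a to c, the pass-phrase advice and the "every extra character multiplies the work" point into runnable Python. check_password reports which tips a candidate fails; search_space_bits measures the size of the space a brute-force cracker must search, judged from the length and the character classes actually used. The dictionary is a tiny constructed stand-in for a real word list, and the guess rate in expected_crack_seconds is an assumed figure, not a measurement.

```python
# Added example (not the page's own code): a checker for password tips a to c
# and a search-space calculator showing why each extra character, and each
# extra character class, multiplies the work a brute-force cracker must do.
import math
from typing import List

# Constructed stand-in for a dictionary word list; a real check would load a
# proper word list (and a common-password list) from disk.
DICTIONARY = {"password", "welcome", "letmein", "monkey", "dragon", "mary", "lamb", "little"}

MIN_LENGTH = 8   # the guideline given in tip a


def charset_size(pw: str) -> int:
    """Size of the alphabet a cracker must assume, judged from the classes used."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33   # printable ASCII punctuation and symbols
    return size


def search_space_bits(pw: str) -> float:
    """log2 of the number of candidates of this length over this alphabet."""
    size = charset_size(pw)
    if size == 0:
        return 0.0
    return len(pw) * math.log2(size)


def expected_crack_seconds(pw: str, guesses_per_second: float = 1e10) -> float:
    """Average time to find the password by exhaustive search (half the space).

    guesses_per_second is an assumed rate for illustration, not a measurement.
    """
    return 2 ** search_space_bits(pw) / 2 / guesses_per_second


def check_password(pw: str) -> List[str]:
    """Return the labels of the tips the password fails (empty list = passes)."""
    failed = []
    if len(pw) < MIN_LENGTH:
        failed.append("a")
    has_alpha = any(c.isalpha() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_extra = any(c.isupper() or not c.isalnum() for c in pw)   # upper case or symbol
    if not (has_alpha and has_digit and has_extra):
        failed.append("b")
    if pw.lower() in DICTIONARY:        # a pass-phrase of several words is not one entry
        failed.append("c")
    return failed


if __name__ == "__main__":
    for pw in ("dragon", "maryhadalittlelamb", "M4ryhad@littlelamb"):
        print(f"{pw!r}: fails {check_password(pw) or 'nothing'}, "
              f"{search_space_bits(pw):.1f} bits, "
              f"~{expected_crack_seconds(pw):.3g} s at 1e10 guesses/s")
```

Going from 'dragon' to 'dragons' multiplies the search space by 26, which is the multiplication the text describes; adding a digit or a symbol to an all-lower-case password grows the alphabet as well as the length, which is why the long pass-phrase with a couple of substitutions scores over 100 bits.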
5. Do not divulge your logon authentication details to a third party. (Preventive control)
If you do, then they can subsequently access your system and carry out any functions or transactions safe in the knowledge that it is being done in your name. You are accountable for any activities undertaken on your account.
6. Consider your personal accountability. (Preventive control)
Please consider and remember that a password or other authentication device is there to protect not just your organisation but also – and arguably more importantly – to protect you from wrongful allegations of misuse. Anyone who has your login authentication details, whether obtained by fair means or foul, can effectively be you, at least in cyber terms, so look after your login credentials carefully.
7. Make use of dual-authentication access control, where available. (Preventive control)
For systems with extremely sensitive or secret content, make use of dual-authentication means using tokens. It is claimed that the ideal system authentication protocol comprises using:
• something only you know (e.g. a password or PIN);
• something only you have (e.g. a device of some sort);
• something unique about you (e.g. a biometric).
Biometric reading devices (e.g. retinal scanners, fingerprinting, DNA banks) are hugely expensive, hugely complex and, unless deployed extremely professionally and as a well-controlled and lawfully compliant project, hugely unreliable, resulting in many false positives, so let’s consider those systems as currently out of scope for modest pockets.
That leaves us with authentication to systems using passwords and devices. Increasingly used by banks for online access, the devices in question tend to be challenge and response tokens whereby an initial code number, displayed on screen, is keyed into a calculator-sized device (after the user has authenticated themselves to it using a PIN) and the resultant number displayed on the device is then entered on screen using the keyboard, finally resulting in authenticating the user to the system.
Before use, the token device usually has to be synchronised to a central security server, especially where the authentication codes keep changing.
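As an added example (not the page's own code, and not any particular bank's protocol), here is the exchange just described in Python, with both sides: the security server that issues the on-screen challenge and checks the answer, and the calculator-sized device that the user unlocks with a PIN before keying the challenge in. The response is a keyed hash (HMAC-SHA256) of the challenge under a secret shared at synchronisation time, truncated to six digits so it can be typed back. Serial numbers, PINs and the six-digit length are constructed choices.

```python
# Added example (not the page's own code): a challenge-and-response token of the
# kind described above, with both sides of the exchange. The device and the
# security server share a secret installed at synchronisation time; the
# response is HMAC-SHA256 of the on-screen challenge, truncated to six digits.
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def compute_response(secret: bytes, challenge: str, digits: int = 6) -> str:
    mac = hmac.new(secret, challenge.encode("ascii"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10 ** digits:0{digits}d}"


class SecurityServer:
    """Central server the token is synchronised to before first use."""

    def __init__(self) -> None:
        self._secrets: Dict[str, bytes] = {}    # token serial -> shared secret

    def enrol(self, serial: str) -> bytes:
        secret = secrets.token_bytes(20)
        self._secrets[serial] = secret           # the synchronisation step
        return secret

    def new_challenge(self) -> str:
        return f"{secrets.randbelow(10 ** 8):08d}"   # the number shown on screen

    def verify(self, serial: str, challenge: str, response: str) -> bool:
        secret = self._secrets.get(serial)
        if secret is None:
            return False
        return hmac.compare_digest(compute_response(secret, challenge), response)


class Token:
    """The calculator-sized device; the user unlocks it with a PIN first."""
    MAX_PIN_TRIES = 3

    def __init__(self, serial: str, secret: bytes, pin: str) -> None:
        self.serial = serial
        self._secret = secret
        self._pin = pin
        self._failed = 0

    def respond(self, pin: str, challenge: str) -> Optional[str]:
        if self._failed >= self.MAX_PIN_TRIES:
            return None                           # locked: too many wrong PINs
        if not hmac.compare_digest(pin, self._pin):
            self._failed += 1
            return None
        self._failed = 0
        return compute_response(self._secret, challenge)


def login(server: SecurityServer, token: Token, pin: str) -> bool:
    """One complete exchange: challenge on screen, PIN into device, response typed back."""
    challenge = server.new_challenge()
    typed_back = token.respond(pin, challenge)
    return typed_back is not None and server.verify(token.serial, challenge, typed_back)


if __name__ == "__main__":
    server = SecurityServer()
    device = Token("TOK-0001", server.enrol("TOK-0001"), pin="2468")
    print("correct PIN:", login(server, device, "2468"))
    print("wrong PIN:", login(server, device, "0000"))
```

Because the response is computed over a fresh challenge each time, a response captured in one session is of no use in the next, which is what makes this stronger than a static password; the server must generate each challenge unpredictably and accept each one only once for that property to hold.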
Useful references:
• Password cracking: http://en.wikipedia.org/wiki/Password_cracking
• Strong passwords: http://www.getsafeonline.org/nqcontent.cfm?a_id=1127
4 – PRIVILEGE MANAGEMENT
There is always a need for different people to have different requirements when having any dealings with information, whether it is in business enterprise, academia or even in the home environment at times.
When this information is compiled and derived within computer systems, it is frequently necessary to control who can see it and who can do something with it and an extension of these concepts is the protocol of separating see and do functions between different people in order to minimise the ability to abuse systems or commit fraud. This process is called segregation of duties and is based upon the old adages of need to know and need to do.
To achieve this state of harmony, which is seldom achieved to perfection for long, it is necessary to impose the discipline of privilege management, formalising and technologically enforcing rigorous data access rules.
It should be clearly stated that these rules are not just designed to protect organisational information assets but also to protect individuals from accusations of malpractice when things go wrong in the business world.
The following represents a broad set of suggestions that can be relatively easily implemented by any organisation, large or small.
1. Use a formal, approved process to grant user access to systems. (Preventive control)
No user of an organisation’s systems or business applications should be granted access by virtue of someone’s verbal say-so or on a whim.
Before being granted access, there should be a formalised, accountable and trackable procedure that:
a. has been approved for use at a senior management level, i.e. by those who have ownership of the information and NOT purely by those in IT who have custody of it;
b. authorises access by an identifiable person (employee, contractor, third party maintenance, etc.) who has a legitimate right of access – the authoriser will usually be the manager of the person requiring access;
c. specifies clearly:
i. the systems to which access is authorised, such as a network logon, email and business applications (e.g. finance, marketing);
ii. the level of access within those systems, including whether access is read-only, read/write, execute, delete, etc.;
d. incorporates the signature (or other formal authentication method, e.g. by email) of the authoriser and the date.
This approval document, whether paper or system based, must then be passed to the system(s) administrator:
• to set up the requested system(s) access;
• formally to acknowledge to the authoriser that this has been done.
All records in this process should be retained for a determined minimum period, say 12 months or until the access is no longer required, in case it is needed as evidence for any reason.
2. Remember to revoke (delete or disable) user access as soon as it is no longer needed. (Preventive control)
One of the most delightful gifts that can be given to a systems hacker (a person attempting unauthorised access to a system) is to present him/her with a number of userIDs that have not been used in a long time, especially those with lovely, juicy high-level privileges that, for example, enable new accounts to be created that have all sorts of access privileges that thoroughly compromise segregation of duties.
There are two truisms in this area of computer administration:
• those who newly require access to systems but do not have it will shout;
• those who have departed and will no longer require access to systems will not shout.
The first of these is easy to address – indeed, it will sort itself out by being increasingly enforced upon systems owners and administrators.
The second is more of a problem and can quickly become a silent majority problem unless an effective user departure process and back-up procedure is adopted:
• ensure that when a person no longer requires system access, e.g. on departure, a request to revoke their access is sent promptly by their manager to the systems administrator;
• revocation of access should be completed quickly by the administrator and acknowledged to the requestor as having been done.
It is a good idea to tie-in the revocation procedure to associated actions, such as notification to HR to take people off the payroll.
3. Back-up review of the user base (Corrective control)
A back-up review should be carried out by management every three to six months to check that every current network, email or application userID is still required or revoked as necessary – this will catch those who slip through the initial net.
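As an added example (not the page's own code), the periodic review in tips 2 and 3 can be turned into a script that administrators run against an export of the user base. It pairs the HR leaver list with last-logon dates, so that departed users and long-dormant accounts (the ones that do not shout) are both caught, and lists privileged accounts first. The account records, dates and the 90-day threshold are constructed for illustration.

```python
# Added example (not the page's own code): the periodic review described in
# tips 2 and 3, run over constructed account records. It pairs the HR leaver
# list with last-logon dates so that departed users and long-dormant accounts
# are both caught, and puts privileged accounts at the top of the list.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass
class Account:
    userid: str
    created: date
    last_logon: Optional[date]     # None = never logged on
    privileged: bool
    hr_status: str                 # "active" or "left", from the HR system


def review_accounts(accounts: List[Account], today: date,
                    dormant_days: int = 90) -> List[Tuple[str, str, str]]:
    """Return (userid, action, reason) for every account needing attention.

    Privileged accounts come first so administrators deal with them immediately.
    """
    cutoff = today - timedelta(days=dormant_days)
    findings = []
    for acc in accounts:
        if acc.hr_status == "left":
            findings.append((acc.userid, "revoke", "HR records the user as departed"))
        elif acc.last_logon is None and acc.created <= cutoff:
            findings.append((acc.userid, "disable",
                             f"never used in {dormant_days} days since creation"))
        elif acc.last_logon is not None and acc.last_logon <= cutoff:
            findings.append((acc.userid, "disable",
                             f"no logon for over {dormant_days} days"))
    privileged = {a.userid for a in accounts if a.privileged}
    findings.sort(key=lambda f: (f[0] not in privileged, f[0]))
    return findings


# Constructed sample data.
TODAY = date(2024, 6, 1)
ACCOUNTS = [
    Account("jones", date(2021, 1, 4), date(2024, 5, 30), False, "active"),      # fine
    Account("smith", date(2021, 1, 4), date(2024, 1, 15), False, "active"),      # dormant
    Account("admin-old", date(2019, 3, 1), date(2023, 11, 2), True, "active"),   # dormant and privileged
    Account("brown", date(2022, 7, 1), date(2024, 5, 28), True, "left"),         # leaver still logging on
    Account("contractor7", date(2024, 1, 10), None, False, "active"),            # never used
    Account("newstart", date(2024, 5, 20), None, False, "active"),               # new, give them time
]

if __name__ == "__main__":
    for userid, action, reason in review_accounts(ACCOUNTS, TODAY):
        print(f"{action:8s} {userid:12s} {reason}")
```

The output is a worklist for the administrator and the manager together, not an automatic deletion: the text's point is that the review catches what the departure process missed, and each finding should still be acknowledged back in the same way as an ordinary revocation request.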
4. Remove high-privilege access immediately (Preventive control)
One of the most significant security threats can be the access granted to staff with high-level privileges that have to be removed from an organisation against their will, e.g. through redundancy or disciplinary dismissal.
A highly-privileged system user with a grudge can bring down an organisation’s systems long after they have parted company with the organisation – if they are given the opportunity to prepare beforehand.
It may sound brutal, but notification of redundancy or dismissal should (preferably in all cases) occur immediately before or at the same time as revocation of their system access. Removal of access rights and privileges should not wait until after departure or after serving a period of notice.
Any commonly-known administrative authentication factors should also be reset.
5. Make use of role-based security groups (Preventive control)
For ease of privilege and access administration, make use of defined, role-based security groups within networks or application systems.
Named security groups establish common access rights and privileges and new users can be allocated to them according to the role they are to perform within the organisation.
This enforces the requisite segregation of access and is far more effective than the cloning method, whereby a user is set up the same 'as Jones over there' or, worse, from scratch, both of which are beset with human error.
6. Use the principle of least privilege (Preventive control)
When determining what level of access should be granted to a system user, always err on the cautious side and give them the absolute minimum they require, subsequently building upon that.
All too often you get a situation where a user’s access requirement is a little, let’s say, nebulous, and instead of trying to clarify this, an administrator adopts the position of 'I haven’t got time for this; let’s give him Superuser access – he’ll definitely be able to do his job with that and we’ll sort it properly later'…and of course, it never is sorted.
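The following added example (not the page's own code) models tips 5 and 6 together in Python: users receive permissions only through named, role-based security groups, the permission check denies by default (an unknown user, or one with no roles, can do nothing), and a segregation-of-duties rule refuses to let one person hold two roles that must stay apart. The role names, permission strings and conflict pairs are constructed.

```python
# Added example (not the page's own code): role-based security groups with a
# default-deny permission check, plus a segregation-of-duties rule that stops
# conflicting roles being combined. Roles and permission names are constructed.
from typing import Dict, FrozenSet, Set

ROLES: Dict[str, Set[str]] = {
    "payroll-clerk":   {"payroll:read", "payroll:write"},
    "payroll-auditor": {"payroll:read", "audit:sign-off"},
    "developer":       {"dev:deploy", "dev:read-logs"},
    "prod-operator":   {"prod:deploy", "prod:read-logs"},
}

# Pairs of roles one person must never hold together (segregation of duties).
CONFLICTS: Set[FrozenSet[str]] = {
    frozenset({"payroll-clerk", "payroll-auditor"}),
    frozenset({"developer", "prod-operator"}),
}


class AccessControl:
    def __init__(self, roles: Dict[str, Set[str]] = ROLES,
                 conflicts: Set[FrozenSet[str]] = CONFLICTS) -> None:
        self._roles = roles
        self._conflicts = conflicts
        self._members: Dict[str, Set[str]] = {}   # user -> roles held

    def assign(self, user: str, role: str) -> None:
        """Add a user to a defined group; there is no 'give him Superuser' path."""
        if role not in self._roles:
            raise KeyError(f"unknown role {role!r}; define it, do not improvise")
        for other in self._members.get(user, set()):
            if frozenset({other, role}) in self._conflicts:
                raise ValueError(f"{user} already holds {other!r}, which conflicts with {role!r}")
        self._members.setdefault(user, set()).add(role)

    def revoke(self, user: str, role: str) -> None:
        self._members.get(user, set()).discard(role)

    def permissions(self, user: str) -> Set[str]:
        return set().union(*(self._roles[r] for r in self._members.get(user, ())))

    def is_permitted(self, user: str, permission: str) -> bool:
        """Default deny: a user with no roles, or an unknown user, can do nothing."""
        return permission in self.permissions(user)


if __name__ == "__main__":
    ac = AccessControl()
    ac.assign("jones", "payroll-clerk")
    print("jones payroll:write ->", ac.is_permitted("jones", "payroll:write"))
    print("jones audit:sign-off ->", ac.is_permitted("jones", "audit:sign-off"))
    try:
        ac.assign("jones", "payroll-auditor")
    except ValueError as exc:
        print("blocked:", exc)
```

Least privilege falls out of the design: a new starter begins with no roles and therefore no permissions, and each group added is a deliberate, reviewable decision rather than a copy of whatever 'Jones over there' happens to have accumulated.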
7. Use logon warnings (Deterrent control)
Ensure that whenever a person logs in to a network, database, financial application, etc. that they are made fully aware of their right to enter it.
They should be presented with some form of brief but clear logon message that if they are not authorised to access the system (preferably by virtue of a published company policy) then they must not logon to it.
The message should also state what will happen to them if they ignore this warning.
It is made more difficult for the legal system to bring a successful case against a system intruder if it cannot be proven that he/she was warned off beforehand.
Useful references:
• The Information Security Forum’s Standard of Good Practice, similar to ISO27001, is available as a free download from https://www.securityforum.org/?page=downloadsogp
5 - ONLINE TRADING
The rise of online trading in the last few years has been nothing short of meteoric, encompassing websites as diverse as banking, gambling/gaming, shopping, share-dealing, auctions and paying income tax.
All have some common security features and all have some individual ones and the following is designed to highlight the issues of which one should be aware and to make one’s experience of online trading as pleasant as possible - except, perhaps, for income tax.
Most online traders will ask for a customer to register themselves (with a password) – this is something of a double-edged sword as it provides the user with an easy way of managing an account securely (albeit with yet another means of authentication to remember) but also enables the trader to track your purchasing habits and to 'provide you with details of goods and services which we may, from time to time, consider to be of interest to you' (if you forget or omit to check the correct boxes at registration time).
1. Be aware of phishing attempts. (Deterrent control)
Phishing is now rather old hat in security terms and has been escalated to new levels of sophistication, but for all that, it is still probably the most cost-effective means of defrauding people of their cash online and thus justifies continual repetition.
The concept of phishing is where a fraudster, attempting to impersonate an authentic financial counterparty (e.g. a bank, credit card company, or other online payment system, like PayPal), sends an email, or more likely hundreds of thousands of emails (using a bot network), encouraging the recipient in a convincing way, to divulge online authentication details that they can subsequently use themselves to steal money or order goods and services.
Some are glaringly obvious, especially where a bank asks you for your customer information when you don’t even bank with them, or the grammar and spelling are so atrocious that any respectable business using it would die of shame.
The big and perennial advice is:
a. Do not respond to an email from a financial institution that asks you to provide/confirm/update your userID or password or PIN on their secure website. If it was that secure, they would not need it confirmed in the first place.
b. Do not click on any website/URL in such an email – this may, at the very least, confirm to the fraudster that you still have an active email account.
c. Delete such emails from your Inbox completely, preferably without opening them, by using the Shift + Delete keys together.
d. Never, never, never, never give details of your card PIN online. That is not what it is for – only use this parameter in a cash machine or secure hand-held authentication device.
You could send any such email, either by forwarding or attachment, to the authentic bank or to the police, but it would give you little more than therapeutic satisfaction as such information is submitted in the thousands and, if anything, is generally used to compile statistics.
Better to phone and ask if they are interested.
2. Check for a secure and encrypted online payment indicator. (Preventive control)
When making a payment by credit card, only do so if you are absolutely certain that it is secure and authentic.
One way to determine this is to look for two things that should appear before entering any payment card information:
• the address bar (normally at the top of the web page, showing the internet address, e.g. www.amazon.co.uk) should start with https. That letter 's' is very important;
• there will be a padlock symbol at the foot of the page.
These indicate that the online payment method is protected and encrypted for transmission by the Transport Layer Security (TLS) protocol, formerly known as Secure Sockets Layer (SSL).
The web page may also indicate which entity is providing this protocol, such as Verisign.
3. Entering authentication details on a web page. (Preventive control)
Where private authentication details need to be entered on a web page (subject to the TLS point above), websites worth their salt may ask you for information in a particular way, and here is why:
• Details such as card expiry dates may be selected from a drop-down list using the mouse rather than typed in, so that simple key-logging software, which records what you type for later retrieval by criminals, never sees the characters. Note that this defeats only keystroke logging: malware that reads the completed form before it is submitted still sees the value, so it is no substitute for a clean machine.
• You may be asked to type in some distorted characters displayed in an image on the web page. This is called a CAPTCHA test and is designed to assure the website that the response has not been generated by a computer; any user entering a correct solution is thus presumed to be human.
4. Change your online password regularly. (Preventive control)
Password and pass-phrase strength advice is given in the access authentication section of this website.
When it comes to using a password for accessing an online bank account, or similar, it will often be the case that selected characters from your password or online PIN (not the same as a payment card PIN) are requested at each logon session, and they may be requested in a different order from that in which they normally appear (e.g. "Please enter characters 2, 4 and 1 of your PIN").
This is done so that your password is never completely entered in one session, or in order, so that key-logging malware capturing the characters before they are encrypted will need several logon sessions to assemble the complete secret.
It therefore goes without saying that you should change such critical passwords regularly, and at once if you suspect that a machine you used has been compromised. (Current NCSC and NIST guidance no longer recommends forced expiry on a fixed schedule for strong, unique passwords; length and uniqueness buy more than frequent rotation does.)
This is also a very good argument for making your password as long and complex as possible, choosing from as many character sources as are permissible, e.g. including capitals, or the @ or # characters, and for never reusing it on another site. Just make sure you can remember it!
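The partial-password exchange just described has a consequence worth seeing in code: the bank must be able to check individual characters, so it cannot store one salted hash of the whole password the way an ordinary site would. The following added example (not code from the original page, and not any bank's implementation) shows both sides of the exchange with one keyed hash per character position; the user record and server key are constructed.

```python
# Added example (not the original page's code): the partial-password exchange
# described above, 'please enter characters 2, 4 and 1 of your password'.
# User record and server key are constructed for the demonstration.
import hashlib
import hmac
import secrets

# Hypothetical key held server-side (ideally in an HSM). The bank must be able
# to check individual characters, so it cannot keep one salted hash of the
# whole password; here each position is stored as a keyed hash instead.
# Anyone holding this key can still recover each character by trying every
# candidate, so the key, not the table, is the real secret of the scheme.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def position_tag(user_id: str, index: int, ch: str) -> bytes:
    """Keyed hash of one character at one position, bound to the user."""
    msg = f"{user_id}:{index}:{ch}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()


def enrol(user_id: str, secret: str) -> list:
    """Store one keyed hash per character position of the secret."""
    return [position_tag(user_id, i, ch) for i, ch in enumerate(secret)]


def issue_challenge(secret_len: int, count: int = 3) -> list:
    """Bank's side: `count` distinct 1-based positions in random order, so the
    customer never types the whole secret, nor the same part twice running."""
    pool = list(range(1, secret_len + 1))
    count = min(count, secret_len)
    return [pool.pop(secrets.randbelow(len(pool))) for _ in range(count)]


def answer(secret: str, positions: list) -> str:
    """Customer's side: the characters at the requested positions, in order."""
    return "".join(secret[p - 1] for p in positions)


def verify_response(user_id: str, stored: list, positions: list, response: str) -> bool:
    """Bank's side: recompute each requested position and compare."""
    if len(response) != len(positions):
        return False
    if any(p < 1 or p > len(stored) for p in positions):
        return False
    ok = True
    for pos, ch in zip(positions, response):
        # compare_digest keeps the comparison time independent of where a
        # mismatch occurs; every position is checked for the same reason.
        ok &= hmac.compare_digest(stored[pos - 1], position_tag(user_id, pos - 1, ch))
    return ok
```

With a ten-digit alphabet each stored position is trivially brute-forced by anyone who also holds `SERVER_KEY`, which is why such schemes depend on keeping that key in tamper-resistant hardware and on the lockout-after-a-few-failures rule that the page's card-reader advice complements.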
5. Use a challenge and response card reader where available. (Preventive control)
Some online banking systems deploy challenge and response card readers (similar in appearance to pocket calculators but with a card-sized slot at one end), into which you insert your payment card, authenticate it with your PIN, then use the displayed characters as input to the on-screen details.
This proves to the bank two things for authentication:
• something you know (the PIN);
• something you have (the card).
The response is computed inside the card from a secret key that never leaves it and from a challenge (or counter) supplied by the bank, so each code is different, cannot be replayed, and can be recomputed and checked by the bank's systems.
Different banks use these devices in several different ways, including accessing the account, setting up payment mandates and changing passwords, online PINs or other authentication parameters.
If you are given a choice whether to use these devices or not, you should use them. They are more secure than traditional passwords and you may be in danger of incurring some liability for losses if you decline their use.
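To make concrete what "something you have" proves, here is an added example of a challenge-response exchange of the kind a card reader performs (not code from the original page, and not the real EMV CAP algorithm, which derives the code from the card's EMV cryptogram). It uses an HMAC with RFC 4226 dynamic truncation; the card key, nonces and transaction details are constructed. The transaction-signing variant shows why such readers are also used for setting up payments: the code is bound to the payee and amount, so malware altering the payee in the browser produces a mismatch at the bank.

```python
# Added example (not from the original page): a challenge-response exchange of
# the kind the card reader performs. Illustrative only: real EMV CAP readers
# derive the code from the card's EMV cryptogram, not from this HMAC
# construction. Key, nonces and transaction details are constructed.
import hashlib
import hmac
import secrets


def response_code(card_key: bytes, challenge: str, digits: int = 8) -> str:
    """Card side, after the PIN has unlocked the card: keyed hash over the
    challenge, truncated to a code the customer can read off the display."""
    mac = hmac.new(card_key, challenge.encode(), hashlib.sha256).digest()
    # Dynamic truncation as in RFC 4226: take 4 bytes at an offset chosen by
    # the last nibble of the MAC, clear the sign bit, reduce to `digits`.
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def new_nonce() -> str:
    """Bank side: a fresh 8-digit challenge for each session or transaction."""
    return str(secrets.randbelow(10 ** 8)).zfill(8)


def transaction_challenge(nonce: str, payee: str, amount: str) -> str:
    """Both sides bind the code to the payee and amount (the 'Sign' mode of a
    reader), so a payee altered in the browser no longer matches."""
    return f"{nonce}|{payee}|{amount}"


def bank_verify(card_key: bytes, challenge: str, typed: str, used: set) -> bool:
    """Bank side: recompute with its copy of the card key; refuse any
    challenge it has already consumed, so a captured code cannot be replayed."""
    if challenge in used:
        return False
    used.add(challenge)
    return hmac.compare_digest(response_code(card_key, challenge), typed)
```

The two factors are visible in the code: the card key (something you have) produces the code, and the PIN (something you know) is what unlocked the card to do so; the bank never needs to see the PIN itself.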
6. Have no further dealings with a website that displays your password or card details in clear.
(Corrective control)
This is a bit of a no-brainer, really, but we’ll include it for completeness.
Passwords are private: they should always be displayed as a field of asterisks or similar, even when you are entering them on screen (a "show password" toggle that you control is fine).
Credit card details are also private: the full number should appear in clear only while you are typing it in. After that, any displayed reference to it should be masked. PCI DSS permits at most the first six and the last four digits to be shown, and most sites show only the last four, with the rest asterisked out.
If either of these is subsequently displayed in full and/or in clear, perhaps in an email sent to you for confirmation, then it is no longer secret: change the password, and ask the card issuer to replace the card.
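The masking rule above is easy to get wrong on the merchant's side, and the same logic can be used to check outgoing text for card numbers that escaped masking. The following added example (not code from the original page) masks a card number to its last four digits and scans text for unmasked numbers, using the Luhn check digit to tell a card number from an order reference of the same length. The card numbers are standard test values, not real accounts.

```python
# Added example (not from the original page): masking card numbers before they
# are displayed or emailed, and a scan for unmasked ones in outgoing text.
# Card numbers here are constructed test values, not real accounts.
import re

# 13 to 19 digits, optionally separated by spaces or hyphens, not embedded in
# a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check: true for well-formed card numbers, false for most other
    digit strings (order numbers, phone numbers), which cuts false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_last: int = 4) -> str:
    """Keep only the last `keep_last` digits (PCI DSS allows at most the first
    six and last four); separators are preserved so the layout still reads."""
    digit_count = sum(c.isdigit() for c in pan)
    to_mask = digit_count - keep_last
    out, seen = [], 0
    for c in pan:
        if c.isdigit():
            out.append("*" if seen < to_mask else c)
            seen += 1
        else:
            out.append(c)
    return "".join(out)


def find_unmasked_pans(text: str) -> list:
    """Card-number candidates that pass Luhn: what must never reach an email
    body, a log line or a web page."""
    return [m.group() for m in PAN_RE.finditer(text)
            if luhn_ok(re.sub(r"\D", "", m.group()))]


def scrub(text: str) -> str:
    """Replace every Luhn-valid card number in `text` with its masked form."""
    def repl(m):
        digits = re.sub(r"\D", "", m.group())
        return mask_pan(m.group()) if luhn_ok(digits) else m.group()
    return PAN_RE.sub(repl, text)
```

Running `find_unmasked_pans` over outgoing email templates and application logs is a cheap way to catch the "confirmation email with the full card number" failure the tip describes before a customer does.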
7. Secure your wireless router. (Preventive control)
Secure your wireless router: switch on WPA2 (or WPA3, where the router offers it) with a long passphrase of your own rather than the default, change the router's administrative password, disable WPS and keep its firmware up to date. Do not leave it open, and do not use the obsolete WEP, which can be broken in minutes.
You may consider that even if someone else in range is using your router, it is probably not costing you any more anyway, even in terms of performance, so where's the problem?
Consider that, if someone in range is using your router for illicit purposes, such as fraud or downloading illegal content, it is your connection that the activity will be traced to and you who will have to explain it; an intruder on your network is also well placed to attack the devices on it.
8. Opt-in, rather than opt-out. (Preventive control)
Be careful when a website asks you to complete a check box regarding carefully selected information which may be of interest to you.
Sometimes you will be asked to opt in, which is good, because if you fail to check the box you have opted out by default.
Sometimes you will be asked to opt out, which, depending upon what you want from the organisation, could be bad: you will end up with piles of junk email or real mail, not necessarily just from that organisation, and it can be difficult to revoke that choice.
Revocation can sometimes involve clicking on a link that simply confirms you are still around and could simply extend the problem.
And sometimes there is one of each; an opt-in (to soften you up) then an opt-out (to confuse you).
Whichever way you go, if you have opted in or failed to opt out, you are probably giving the go-ahead for the organisation to harvest any amount of information about your purchasing habits, websites visited, etc.
(Check out the BBC link below.)
9. Security risks associated with gaming and gambling websites. (Deterrent control)
There are not really any more security risks associated with gaming or gambling websites beyond those for any others that are financially based, as long as they are compliant with the Gambling Commission licensing rules (see the link below).
However, there is one really serious drawback – they can result in addiction and obsession.
Do make sure you know when to stop and do not gamble more than you can afford to lose.
Useful references:
• PayPal phishing guide: https://www.paypal.com/uk/cgi-bin/webscr?cmd=xpt/cps/securitycenter/general/RecognizePhishing-outside
• Payment Card Industry Data Security Standard: https://www.pcisecuritystandards.org/security_standards/documents.php
• BBC News website: http://news.bbc.co.uk/1/hi/technology/7283333.stm
• The Gambling Commission: http://www.gamblingcommission.gov.uk/gambling_sectors/gambling_software.aspx
6 – SOCIAL NETWORKING
Social networking is most definitely a 21st century term. Before this, the phrase, if used at all, would imply, quite rightly, a process of making contacts and widening one’s circle of friends and acquaintances for purposes of sociability, business or, perhaps, creating an impression of being widely-connected. It would involve talking to people (sadly, a diminishing art with the advent of SMS text and email), writing to them (ditto) or visiting them (ditto again but with the added disincentive of spiralling travel costs).
Now it is synonymous with electronic communication and instant messaging, via computer or mobile phone, where a person can access a recognised social networking website and quickly acquire a ridiculous quantity of friends, possibly running into the thousands, the vast majority of whom they have never met, never will do and are unlikely to be able to count as personal acquaintances in the same way as those in the first paragraph above, unless perhaps they spend all their free time (and more) cultivating this social circle - and many do.
A social networking service is invariably a web-based service that focuses on building contacts between people, thus creating the social network, possibly with common interests and activities.
Each user registering to a service will provide a profile of themselves (name, business, schools attended, interests, etc.) as they see fit and they can join online community services that bring people together with common interests.
One of the earliest of these services, launched in 2000 and surviving the dot-com bust, was Friends Reunited. This enabled millions of people across the world to get in touch with long-lost school friends, establishing any number of school reunions, ostensibly being responsible for the make-up and break-up of a number of marriages and earning its creators £30m when it sold in 2005 for £175m to ITV. Unfortunately the broadcaster suffered a major loss when it finally disposed of it to publishers DC Thomson (the Beano people) for £25m.
So, successful social networking = big bucks and there can be hardly anybody on the planet unaware of the runaway success of Facebook, MySpace, Twitter and LinkedIn – the first being mainly targeted at a youth market while the last focuses upon professional people.
But social networking, though a perfectly well-meant business enterprise, has a well-reported darker side: it is exploited by small-time and organised fraud, leading to theft, identity fraud, stalking, paedophilia, religious intolerance and so on, in which the unwary or incautious user can become unwittingly embroiled or suffer actual losses or other harm. It is for these users that the following advice is provided.
1. Before registering for membership of a social networking site (or allowing your child to do so), become familiar with the expectations and risks associated with using them. (Deterrent control)
Read independent, not-for-profit providers of internet safety information, such as those listed at the foot of this page.
2. Do not post any information that you may later regret. (Deterrent control)
Once information is sent out into cyberspace in any form, be it email, text, or a social networking post, it is no longer under your control and can be, for example, forwarded around the world by malicious "friends" or stored away for later use against you, perhaps many years later, when your circumstances have changed, particularly when you have matured into a good, solid citizen, or grown up as our parents would say.
Although we seldom read the half a million words of legalese before we click on that 'I agree' button for the reputable software terms and conditions, it is worth knowing how a social network provider is going to use and store the information you provide, which the service will invariably claim a licence to keep and use.
Do read the end-user licence agreement carefully. It may take quite a while and be extremely boring, but it won't take anything like as long as repairing your finances or reputation after an identity theft.
3. Do not use social networking websites interactively whilst in a drunken group. (Deterrent control)
Now, this sounds a stupid comment, but many of us have done things we regret while under the influence of alcohol, and doing them in a group of similarly inebriated, elated people only makes seemingly hilarious impulses that much more overt.
There will always be the hangover and the morning after, but much worse will be the feeling of
'Oh no – what did I do last night?'
You may very soon find out.
4. Always apply and use a strong password. (Preventive control)
You should guard access to your social networking profile jealously (and thus the contents and messages therein, which will undoubtedly include details of the other people you connect with) and provide read-only access to your profile only to those whom you trust and who you think warrant it.
Password advice is described in the Access Authentication section of these top tips listings.
5. Be circumspect about what information you, and more especially your children, post online.
(Preventive control)
Do not:
• Provide any information that can identify you and where you live unless you fully trust the recipient, can positively identify them (i.e. it is not a spoofed identity), and can secure the information sufficiently. Most public social networking sites do not have adequate authentication or identity verification capabilities.
• Provide photographs or videos that could lead to you, or your location, being identified, or that could encourage a stalker or paedophile.
• Provide financial information, such as credit card details, unless the website's address (at the top of the screen) starts with https and the browser displays the padlock symbol (in the address bar in current browsers; older browsers showed it at the bottom of the window).
6. Use cut down profiles (Preventive control)
Some social networking sites (such as Facebook) let you create cut down profiles that do not reveal very much about yourself.
Use this facility – at least until you know you can trust your contact, when you can give them greater access to information.
Least privilege is a very useful computing principle: grant only the access required for the purpose and add more later as necessary. It applies very well to the social networking environment.
7. Use a parental control lock. (Preventive control)
Use the parental control lock on your PC to inhibit access to social networking sites for your children until they fully understand the implications of the environment they are entering and then only when they have done their homework.
8. Do not use irresponsible or salacious language online, as that can get you into trouble.
(Deterrent control)
The same laws of libel apply to statements made publicly online, or even privately to third-party recipients.
Make sure that what you say about somebody is not both derogatory and untrue, or you could find yourself in a legal battle.
9. Be aware of other (legitimate) eyes upon your profile. (Deterrent control)
There have been a number of well-publicised incidents in the press about inadvisable or unguarded comments made, for example, about someone’s employer that have subsequently been read by the employer in question, or a description by the subscriber of a great time at the football on the day when they had just phoned in sick.
It’s not just your friends who are out there.
Useful references:
• Facebook security: http://www.sophos.com/security/best-practice/facebook/
• Government child safety advice: www.direct.gov.uk/en/Parents/Yourchildshealthandsafety/Internetsafety
• Get safe online: www.getsafeonline.org
• Childnet: http://www.childnet.com/downloading/
• Vodafone Digital Parenting magazine: http://bit.ly/aWhS4d
• DigitalMe primary children’s skills, self-confidence and safety awareness when using social networking sites: http://www.digitalme.co.uk/safe/
7 – MOBILE COMPUTING AND COMMUNICATIONS
Laptops, mobile phones, BlackBerrys, portable storage devices (like USB keys and portable drives) all are seemingly indispensable to today's constantly connected and information-savvy population. A few days before this article was written, a Vodafone exchange centre (see http://www.bbc.co.uk/news/technology-12595681 ) was dramatically burgled and much communications equipment stolen, leaving many thousands of customers without voice, text and internet access.
It was a cold shock to be incommunicado, especially for those youngsters who have never known a time before the advent of the ubiquitous mobile phone.
There have been some high-profile and embarrassing losses of portable devices and media in the last few years, both in the public and private sector, which in some situations have even threatened to compromise military operations.
There are two elements of risk relating to data loss:
• The effects of the loss of valuable data by the owner, so that they are unable to use it and it will take a great deal of effort to re-create or restore.
o Resolution: Regular data backups, such as hard drive or SIM card contents.
• Loss of confidentiality of sensitive data, such that it can be used by an unauthorised third party.
o Resolution: Data encryption or destruction.
Both of these scenarios are described below.
The general risks attendant upon today’s generation of mobile computing and telecommunications devices are broadly similar to other areas of IT protection and safety but with the added dimension of being portable and thus stealable or even just losable.
With ownership of the number of mobile phones and i-devices now climbing a vertiginous and apparently exponential curve, these tips will be new to someone.
1. Keep your mobile device always in view and in reach. (Preventive control)
Do not leave your mobile computing or communications device unattended for a single moment when outside your safe and secure area. It may only take one minute to collect your Starbucks order from the counter, when ready, but it will take little over one second for an opportunist thief to relieve you of your equipment if it is left on your table.
2. Protect mobile devices with a PIN. (Preventive control)
Even if your mobile device is stolen (see above) or lost (e.g. left in a taxi: taxis must simply rattle with the number of devices they accrue), it is still possible to prevent another person from accessing or using it by applying a PIN or passcode.
A dedicated phone or laptop hacker may not take too long to gain entry, but assuming your device is found (or stolen) by an average citizen, most will be prevented from, or deterred from trying, gaining access to the services or data on it. On current smartphones the unlock PIN also protects the key to the device's storage encryption, so a six-digit or longer PIN, with the device set (where it offers it) to lock out or wipe after repeated wrong guesses, is a good deal stronger than the four digits of old.
3. Encryption (Preventive control)
If you have information on your mobile devices that could be considered sensitive information
(especially if that information relates to a third party, such as a client – very embarrassing), ensure that it is encrypted using a strong commercially available solution.
If it’s going to cost you a great deal if the data is lost, and that includes reputation or brand damage (that take years to build up and seconds to lose), it will cost a great deal less to use such a solution.
4. Destroy at-risk data or equipment (Corrective control)
Notwithstanding other security controls listed here, it is possible to have security software installed on a laptop or mobile communications device (phone, BlackBerry, etc.) that can erase all data upon it, once a loss has been reported to the enabling authority, although in the case of a laptop, it will be necessary for it to have been connected to the internet before this can be achieved.
For this to be effective, like the loss of a credit card, the sooner a report of loss/theft is made, the sooner the data can be destroyed.
5. Laptop tracking (Detective control)
Some commercial organisations provide a laptop security solution by installing tracking software upon it.
The instant a thief, fence, or buyer of your stolen laptop connects to the internet, a covert and automatic communication reports the location of the device to the monitoring organisation, who can then engage the appropriate authorities to retrieve the kit and, as a bonus, hopefully apprehend the miscreant.
Some of these systems rely on the public IP address, which gives only an approximate location (the ISP's records are needed to tie it to a street address), while others use GPS or nearby Wi-Fi networks for a geographical fix.
6. Regular backups (Corrective control)
If you lose a lot of data – or, more precisely, information (which is different from data) – you may well have emotions ranging from 'oh well, c'est la vie' to suicidal tendencies, depending upon how inconvenient (or how impossible) it will be for you to recover it. That, in turn, will depend upon how careful you have been in ensuring that all your critical data/information has been copied over to backup storage. (NB. Backup storage does not mean copying data to another folder on the same laptop.)
So, ensure you take regular backups, keeping several generations of important data, and, if you do not have the original system disks, of your applications too. A backup you have never tried to restore from is only a hope, so test restoring a file from it occasionally.
Useful references:
• Which? Mobile phone security tips: http://www.which.co.uk/mobile/advice-and-support/mobile-phone-advice/mobilephone-security/
• Open source laptop/phone tracking software: http://preyproject.com/
8 – VULNERABLE GROUPS
Vulnerable groups in information technology terms, can be classified many ways but the more common among these include young people/children, the elderly (silver surfers) or those with learning difficulties, any of whom can fall prey to vagabonds, fraudsters, paedophiles and what have become popularly known as stalkers.
Other sections of this Top Tips advice will apply in this section and cross-references will be made where appropriate.
1. Ensure the appropriate level of child supervision is provided (Deterrent control)
The younger a child is, the more they should be parentally monitored and advised if/when they are online. Engage their enthusiasm and ask them about what they have been doing, what they have found, all the time looking for warning signs that may indicate risky behaviour by undesirable websites or people.
Create a list of the information that is suitable to tell other people about online, but especially also that which should not be disclosed, such as identity details or photographs.
(See also section 6, Social networking)
2. Use parental protection functions. (Preventive control)
An internet filter will enable a parent, or other person with the young user’s interests at heart, to regulate which sites are permitted or to monitor those which have been visited.
Parental controls (like on some digital TVs) can be applied and then password-protected to ensure they remain in force.
3. Limit the time spent on computers. (Corrective control)
By ensuring that access to computer systems is restricted to a certain number of hours and particular times of day, the young compulsion to get online can be rationalised.
This will usually only work if the activity is replaced by something equally engaging, such as sport or even just watching a nice, non-interactive television programme.
4. Help with system security configuration. (Preventive control)
Ask a capable trusted friend, or family member, to check regularly the basic configuration and security of the system, especially with regard to firewall and virus protection and to provide help and advice, where appropriate, with something new such as a website or gadget.
5. Use remote access security utilities, if available. (Corrective control)
Consider installing a secure remote access tool which your trusted family member(s) or friend(s) can use to provide immediate help, whether in response to a problem that has arisen or, preferably, for advice before it has arisen. (On-screen contact details, including phone number, should be displayed on the desktop for this purpose.)
However, ensure that only those people with the interests of the user at heart are provided with the login details.
6. Assist vulnerable users with backup facilities. (Preventive control)
Elderly people and those relatively new to computing have to spend a good deal of their learning curve becoming familiar with navigating and using IT applications and producing computer files of their own.
The thought that their computer – even a new one – can crash or become infected with a calamitous virus is usually far from their minds in those early weeks and months and it can become a most frustrating and upsetting situation when precious files, including documents and digital photographs (that have since been deleted from the camera), are lost or corrupted beyond recovery.
It is not unknown for people new to computing (and a few who have been in it for years) to consider that backups can be made effectively to a different segment of the same hard drive.
Backups made in this way will be ineffective if the PC is stolen or corrupted.
Assist your computer protégé by demonstrating the value of taking regular backups of important files – letters, emails, photographs, etc. – and how this can be achieved, either by making permanent backups to CD or DVD, or using re-writable high-capacity devices, such as USB sticks, portable external hard drives or re-writable CDs/DVDs.
Backup media should be stored securely away from the related PC or laptop.
Some websites provide online photo bank facilities for digital photographs, albeit with limited (but usually sufficient) resolution, and which can be secured, rather like a social network site, so that only approved people can view them.
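The backup advice in section 7 (regular backups, several generations, and "backup storage does not mean another folder on the same laptop") and the point just made about backups to a different segment of the same hard drive both reduce to a few checks that can be built into the backup routine itself. The following is an added example, not code from the original page: it copies a folder to dated generations on the destination, refuses to use the same drive as the source unless told to, writes a `sha256sum`-compatible manifest and verifies every copy. The paths are supplied by the caller; nothing here is a real product.

```python
# Added example (not from the original page): a backup routine of the kind
# described above: copy important files to separate media, keep several dated
# generations, and verify every copy by hash. It refuses to back up onto the
# same drive as the source unless told otherwise. Paths come from the caller.
import hashlib
import shutil
from datetime import datetime, timezone
from pathlib import Path

MANIFEST = "MANIFEST.sha256"


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def list_generations(dest_root: Path) -> list:
    """Generations are named by UTC timestamp, so sorted order is age order."""
    return sorted(p for p in dest_root.iterdir() if p.is_dir())


def prune_generations(dest_root: Path, keep: int) -> None:
    for old in list_generations(dest_root)[:-keep]:
        shutil.rmtree(old)


def make_backup(source: Path, dest_root: Path, keep: int = 3,
                allow_same_device: bool = False) -> Path:
    """Copy `source` into dest_root/<timestamp>, write a manifest of hashes,
    verify the copy against the source, then keep only the newest `keep`."""
    if keep < 1:
        raise ValueError("keep at least one generation")
    source, dest_root = source.resolve(), dest_root.resolve()
    if dest_root == source or source in dest_root.parents:
        raise ValueError("destination must not be inside the source tree")
    dest_root.mkdir(parents=True, exist_ok=True)
    # A copy on the same disk is lost with it (theft, failure, ransomware).
    if not allow_same_device and source.stat().st_dev == dest_root.stat().st_dev:
        raise ValueError("destination is on the same drive as the source; use external media")
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S.%fZ")
    n = 0
    while (dest_root / f"{stamp}-{n}").exists():
        n += 1
    target = dest_root / f"{stamp}-{n}"
    shutil.copytree(source, target)
    lines = []
    for f in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = f.relative_to(source).as_posix()
        digest = sha256_of(f)
        if sha256_of(target / rel) != digest:
            raise IOError(f"verification failed for {rel}")
        lines.append(f"{digest}  {rel}\n")
    # Same format as `sha256sum`, so the media can be checked with sha256sum -c.
    (target / MANIFEST).write_text("".join(lines))
    prune_generations(dest_root, keep)
    return target


def verify_backup(generation: Path) -> list:
    """Re-hash a generation against its manifest; returns the files that fail."""
    bad = []
    for line in (generation / MANIFEST).read_text().splitlines():
        digest, name = line.split("  ", 1)
        p = generation / name
        if not p.is_file() or sha256_of(p) != digest:
            bad.append(name)
    return bad
```

Run `verify_backup` on the oldest generation from time to time: media that has sat in a drawer for a year can fail silently, and the manifest makes the failure visible before the day the backup is actually needed.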
7. Be aware of the serious pitfalls that can be associated with internet dating. (Deterrent control)
If engaging in internet dating, observe the same rules that you would give to others.
Do not divulge information too quickly, then when you meet, do so in a public place with other people around.
Also, just as if you were going for a long hike on a remote mountain, let someone know where you are, who you will be with and when you will expect to return.
It is also useful to take a mobile phone and/or audible personal alarm at any time that you are going to meet someone socially that you have never met before.
Useful References:
• Kidsmart: http://www.kidsmart.org.uk
• GetNetWise about Kids’ safety: http://kids.getnetwise.org
• Internet advice for the elderly: http://www.helium.com/items/1750211-internet-safetytips-for-the-elderly
• BT guide to internet for people with learning disabilities: http://btexvip05.extra.bt.com/news/Articles/ShowArticle.cfm?ArticleID=BEEFAB7F-E85A-4D4C-BE7A-B471BCF1300C
• Online photo sharing: http://picasa.google.com/features.html
9 – COMPLIANCE WITH CONFIDENTIALITY LAWS AND REGULATIONS
Information confidentiality is a significant security issue. Loss of confidentiality of information, especially information of which you are the custodian rather than the owner (think customer data), can cause all manner of problems – loss of money through frauds (as a result of compromised identity information), embarrassment (through malicious publication of lost/stolen information), legal challenges (through breach of contractual clauses) and breaking the law or regulations (where data protection is mandatory).
This last situation is the focus of this security tips list and is a difficult one to get to grips with, not simply because there are so many laws and regulations involved, nor that they vary so much around the world (thus having implications for international web-based systems), but also because they are as boring to read and get to grips with as software terms and conditions (which we always click on to agree we have read and understood, don’t we?).
To get a bit of focus on this subject, the content of this list dwells predominantly on the two most significant laws and regulations of the day:
• the Data Protection Act 1998, an Act of the UK Parliament which implemented the European Data Protection Directive (it has since been superseded by the Data Protection Act 2018 and the UK GDPR, which keep the same principles);
• the Payment Card Industry Data Security Standard, a contractual standard maintained since 2006 by the PCI Security Standards Council, founded by the card schemes (Visa, Mastercard and others), to counter fraud and protect cardholders.
Website links at the foot of this page provide more information.
1. Know your data. (Compliance control)
Understand clearly what data (in transit and at rest) is used in your organisation and where it is and why you’re keeping/using it.
In the interests of protecting personal data, data protection laws and regulations clearly state that a duty of care must be exercised when storing or using any information that can positively identify someone (a data subject), and the penalties for breaching these rules can be considerable.
See later for more details, but at the very least you should be aware of the location of personal data in your systems – and that includes all the unauthorised spreadsheets, documents and databases created by you and/or your workforce.
2. Classify your data. (Preventive control)
Data or information can be classified in a number of ways, but the most significant are:
• for confidentiality – sensitive information which, if leaked or lost, could cause significant embarrassment;
• for criticality – business information that must be available when it is needed, especially where a third party (such as a customer) has a valid requirement for it, is useless if it is not;
• for integrity – information that is not accurate, up-to-date or in the required format for use can cause problems when it is used for subsequent decision-making; remember the acronym GIGO (garbage in, garbage out).
Only people who need to access restricted data should be able to do so, and all access to those resources should be logged and monitored.
3. Know your data responsibilities. (Compliance control)
Be aware of the responsibilities you have to the data subjects on whom you are holding information and implement processes for managing access requests from those subjects.
The Data Protection Act 1998 is very specific upon these points; a summary of its eight principles follows:
• personal information must be fairly and lawfully processed;
• personal information may only be used for the purpose or purposes for which it was obtained;
• personal information shall be adequate, relevant and not excessive with regard to the purpose or purposes for which it is being processed;
• personal information shall be accurate and, where necessary, kept up to date;
• personal information processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or purposes;
• personal information shall be processed in accordance with the rights of data subjects under the DPA;
• appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal information and against accidental loss or destruction of, or damage to it;
• personal information shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal information.
4. Prepare a security policy. (Preventive control)
Prepare and distribute a clearly defined security policy for all users of your systems (employees, third parties, contractors, home-workers, etc.) – it must have senior management/board support and approval to be fully effective and to be taken seriously.
This document should be sufficiently concise to enable non-security aware people (i.e. everyday users as well as technically-hardened security professionals) to become engaged with its purpose and objectives but also be detailed enough, perhaps through use of relevant appendices, to specify technical requirements.
There should also be a facility to demonstrate commitment to the principles of the policy, either by a physical (written) or electronic sign-off that declares it has been read and understood. You never know when such a declaration may need to be used in a disciplinary or legal hearing regarding system abuse, so ensure these acknowledgements are kept secure.
Ideally, nobody should be granted any kind of access (read/execute/delete, etc.) to your systems until such a declaration has been made in which case it will probably have to be a written sign-off.
A typical security policy incorporates the following:
• the rationale behind the policy, i.e. protection for the company assets AND the user;
• do and don’t instructions, rather than should or should not;
• access to systems – information, warnings, etc.;
• password protocols;
• acceptable use of systems – civilised content, internet, email;
• downloading software (or not);
• security incident procedures – viruses, hacks, etc.;
• software/data theft and its consequences;
• disciplinary procedures for abuse, unsatisfactory conduct, gross misconduct;
• user monitoring awareness;
• sign-off and date.
Some typical policies are available on the SANS website – see below.
5. Maintain a security management programme. (Preventive control)
In order to ensure that software, data and systems are kept secure, it is wise to maintain an IT systems security management programme, consisting of elements such as:
• security policy (see above);
• management authorisation for user access;
• prompt userID deletion or disablement on departure;
• periodic comparison of user base to staff/contractors in post;
• strong technical password management;
• system lockouts, where appropriate;
• violations monitoring;
• security event logging;
• formal change management and version control;
• use of cryptographic techniques for sensitive data transmission and at rest;
• firewalls – see section 1, Perimeter security.
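The "periodic comparison of user base to staff/contractors in post" and "prompt userID deletion or disablement on departure" items above are the ones most often found wanting in audits, and the comparison is simple to automate. The following added example (not code from the original page) reconciles a constructed directory export against a constructed HR list and reports leavers' live accounts, dormant accounts and service accounts with no recorded owner. The `svc-` naming convention for service accounts is an assumption of the example.

```python
# Added example (not from the original page): the 'periodic comparison of user
# base to staff/contractors in post' check from the list above. The account
# and HR records are constructed; the 'svc-' naming convention for service
# accounts is an assumption of this example.
from datetime import date

# Constructed directory export: account, named owner, enabled flag, last logon.
ACCOUNTS = [
    {"user": "asmith", "owner": "Alice Smith", "enabled": True, "last_logon": date(2024, 5, 2)},
    {"user": "bjones", "owner": "Bob Jones", "enabled": True, "last_logon": date(2024, 4, 28)},
    {"user": "cdoe", "owner": "Carol Doe", "enabled": True, "last_logon": date(2024, 4, 30)},
    {"user": "dlee", "owner": "Dan Lee", "enabled": True, "last_logon": date(2024, 1, 3)},
    {"user": "ewong", "owner": "Eve Wong", "enabled": False, "last_logon": date(2023, 11, 1)},
    {"user": "svc-backup", "owner": "Backup job", "enabled": True, "last_logon": date(2024, 5, 9)},
    {"user": "svc-legacy", "owner": "unknown", "enabled": True, "last_logon": date(2022, 2, 2)},
]
# Constructed HR export of everyone currently in post (staff and contractors).
IN_POST = {"Alice Smith", "Carol Doe", "Dan Lee"}
# Service accounts with a recorded owner and purpose; reviewed separately.
KNOWN_SERVICE = {"svc-backup"}


def reconcile(accounts, in_post, known_service, today, dormant_days=90):
    """Return the accounts to act on. Leavers with a live account come first:
    that is the gap between HR and IT that ex-staff and attackers exploit."""
    disable_now, review_dormant, unlisted_service = [], [], []
    for a in accounts:
        if not a["enabled"] or a["user"] in known_service:
            continue
        if a["user"].startswith("svc-"):
            unlisted_service.append(a["user"])   # no recorded owner: find one or disable
        elif a["owner"] not in in_post:
            disable_now.append(a["user"])        # left, but the account lives on
        elif (today - a["last_logon"]).days > dormant_days:
            review_dormant.append(a["user"])     # in post but not using it: still needed?
    return {
        "disable_now": sorted(disable_now),
        "review_dormant": sorted(review_dormant),
        "unlisted_service": sorted(unlisted_service),
    }
```

In practice the two inputs come from the directory (e.g. an LDAP or Active Directory export with last-logon timestamps) and from HR, and the matching key should be an employee number rather than a name; the output is the list that the "management authorisation for user access" process above then has to act on within a set time.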
6. Maintain an asset register. (Detective control)
Maintain a formal register of hardware and software assets, including important data and software licensing information.
This not only helps to detect theft or loss of organisational assets but can also demonstrate compliance with licensing provisions and reduce licensing costs (e.g. where existing software licences can be re-allocated).
7. Educate staff and other users in information security. (Deterrent control)
Implementing an effective training mechanism for staff and other users who will be accessing your data assets will pay dividends in enhancing information security, preventing or anticipating security threats and reducing helpdesk calls.
Training can be provided in a number of ways:
• as an integral part of organisational induction training;
• by publishing a security policy – see item 4. above;
• mentoring/buddy system;
• training courses;
• computer-based training packages;
• on-the-job training (although this should be adopted with care as, by nature, it involves learning with production data, real customers, real money, etc.).
Training, unfortunately, is not a one-size-fits-all procedure because there are many different functions in an organisation, ranging from a user with read-only privileges to an enterprise security administrator (occasionally otherwise known as indispensable, or God). Tailor and structure training according to business requirements.
Section 12.6.1 of the PCI DSS requires a security awareness and training programme to be in place.
8. Carry out security compliance exercises. (Compliance control)
Good IT governance, standards such as ISO 27001 and industry requirements such as PCI DSS call for annual, or more frequent, security compliance audits and tests.
These should be conducted by an independent party (e.g. internal or external auditors) and/or experienced, reputable professionals in specialist areas (e.g. system penetration testing).
Useful References:
• Data Protection Act 1998: http://en.wikipedia.org/wiki/Data_Protection_Act_1998
• Information Commissioner’s Office, Data Protection Act: http://www.ico.gov.uk/for_organisations/data_protection.aspx
• UK government legislation: http://www.legislation.gov.uk/
• PCI Security Standards Council: https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
• Personal Data Guardianship Code: http://www.theisaf.org/documents/pdgc.pdf
• Action Fraud: http://www.actionfraud.org.uk/
• SANS security policy templates: http://www.sans.org/security-resources/policies/
10 – EVIDENCE GATHERING
This area of IT security is mainly, but by no means exclusively, aimed at organisations rather than individuals, as a company is more likely to have reason to investigate unauthorised access to or use of its information assets than, for example, a single PC user administering his/her own finances. The latter is likely to leave that kind of detective work to their bank.
Evidence gathering is by nature a detective control area (i.e. after the fact) and is important in a number of ways. Identifying historic information relating to access and transactions is one thing; keeping it secure (e.g. preventing it being overwritten), filtering out what is needed, and being able to prove, in court if necessary, that it has not been altered in any way is another thing entirely. Even the simple act of copying can give a file new timestamps, so expert advice may be required if the data is intended to stand up against a strong defence counsel who could be paid handsomely (but legally) by an organised crime syndicate.
So, hold on to your seats and your event logs!
1. Allocate formal responsibility for evidence gathering (Detective control)
Where an organisation may need to produce information retrieved from a computer (e.g. in a court of law or an industrial tribunal), ensure there is an identified, trained and formally authorised member of staff whose duty it is to understand what forensic actions must take place in the event of a breach or criminal act and, where necessary, to maintain a plan for managing such a situation.
2. Identify scenarios (Detective control)
Determine what type of situation may require evidence to be taken, considering different business scenarios that may occur.
Only by carrying out such a business-related thought process (a form of 'what if?' analysis) is it possible to set the context in which audit policies (determining what data should be captured) and event logs (specifying how it should be stored and archived) are defined.
Organisations will no doubt learn the best way to do this from bitter experience, but it does no harm to focus the mind beforehand on where the organisation is vulnerable.
3. Develop a plan (Detective control)
Develop an initial forensic evidence-gathering plan that allows you to investigate quickly and with minimum impact on potential evidence, and that lets you escalate the investigation if necessary.
4. Locate relevant information (Detective control)
Learn and understand where evidence may be present in your systems, and how that may be preserved and accessed.
In carrying out such a survey, it is highly likely that many unauthorised data locations will crawl out of the woodwork, most significant of these being unauthorised, insecure and quite probably inaccurate spreadsheets developed outside of a formal change management environment.
5. Act quickly (Corrective control)
If a crime is believed to have been, or is being, committed, you should immediately inform senior security staff and/or the nominated security person (see item 1. above) and ensure the relevant authorities are contacted.
The ACPO (Association of Chief Police Officers) Good Practice guide (link below) details local hi-tech units around the country.
If a crime is believed to be taking place right now, avoid disrupting it if possible (unless major losses, including of life, are imminent) and, if the facilities are available, start full capture of network traffic.
Letting the activity run while you capture is only acceptable if further damage is unlikely, and the capture should be kept as short as possible (i.e. speed is of the essence).
6. Call in the experts (Corrective control)
Quickly seek the services of a reputable third party with IT forensics experience who can perform a live investigation and determine how best to gather evidence and prevent any damage (or further damage) to it.
When performing an internal investigation, attempt to gather evidence non-intrusively, starting while systems are still online: volatile data such as memory contents and active network connections is lost once a system is powered off.
Secure logs to prevent any tampering which might remove or negate evidence.
7. Do not use original data for analysis (Compliance control)
Original data sources secured for an investigation should remain just that: secured!
Otherwise a smart lawyer can argue that critical information has been tampered with.
Wherever possible, take a copy of the original data under duly authorised and witnessed conditions, record a cryptographic hash (e.g. SHA-256) of both the original and the copy at the time, and keep that copy as the certified copy. Then, as required, take further copies of the certified copy for analytical work, thus preserving its integrity.
In no circumstances carry out any work on original data files. Even opening a file can leave a trace (on many systems the last-accessed timestamp changes; see the ever-growing list of file attributes available as column headers in Windows Explorer, for example), and if someone has accessed it they can be assumed to have looked at it, and possibly altered it.
8. Maintain a log of investigation activities (Compliance control)
Maintain a detailed log of all activities when performing an investigation or monitoring an ongoing situation. Record everything from the point at which it is likely that a crime is being or has been committed right up to the time evidence is submitted to the prosecuting or disciplinary agents.
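Items 7 and 8 above describe one procedure: hash the original, take a single witnessed certified copy, derive working copies from that copy only, and record every step. The following is an added example and not code from the original page. It walks that procedure on a constructed sample log file in a temporary directory, writes a JSON-lines chain-of-custody log, and shows that a modification to a working copy is detected while the original and certified copy still verify. The file names, actor and witness names are hypothetical. Note that even hashing the original reads it, which on some systems updates its last-accessed time; on a real case the original would be a forensic image taken through a write blocker.

```python
"""Evidence preservation: hash, certified copy, working copies, custody log (added example)."""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample evidence; a real case would use a disk image or exported logs.
SAMPLE_EVIDENCE = b"2024-03-01T02:14:07Z auth.log: Accepted password for root from 203.0.113.9\n"


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large evidence images need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify(path: Path, expected_hash: str) -> bool:
    """True if the file still matches the hash recorded at certification time."""
    return sha256_of(path) == expected_hash


class CustodyLog:
    """Append-only JSON-lines record of every action taken on the evidence (item 8)."""

    def __init__(self, path: Path):
        self.path = path

    def record(self, action: str, item: Path, actor: str, digest: str, witness=None) -> dict:
        entry = {"time": datetime.now(timezone.utc).isoformat(), "action": action,
                 "item": item.name, "actor": actor, "witness": witness, "sha256": digest}
        with self.path.open("a", encoding="utf-8") as f:
            f.write(json.dumps(entry) + "\n")
        return entry

    def entries(self) -> list:
        with self.path.open(encoding="utf-8") as f:
            return [json.loads(line) for line in f if line.strip()]


def certify_copy(original: Path, certified: Path, log: CustodyLog, actor: str, witness: str) -> str:
    """Take the single authorised, witnessed copy (item 7) and prove it matches the original."""
    original_hash = sha256_of(original)
    log.record("hash-original", original, actor, original_hash, witness)
    shutil.copy2(original, certified)  # copy2 also preserves the original's modification time
    if not verify(certified, original_hash):
        raise RuntimeError("certified copy does not match original")
    log.record("certified-copy", certified, actor, original_hash, witness)
    return original_hash


def working_copy(certified: Path, dest: Path, expected_hash: str, log: CustodyLog, actor: str) -> Path:
    """Analysts work on copies of the certified copy; re-check it before each copy is taken."""
    if not verify(certified, expected_hash):
        raise RuntimeError("certified copy has changed since certification")
    shutil.copy2(certified, dest)
    log.record("working-copy", dest, actor, sha256_of(dest))
    return dest


def run_demo() -> dict:
    """Walk the procedure end to end on the constructed evidence and return the outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        case = Path(tmp)
        original = case / "auth.log"
        original.write_bytes(SAMPLE_EVIDENCE)
        certified = case / "auth.log.certified"
        log = CustodyLog(case / "custody.jsonl")

        original_hash = certify_copy(original, certified, log, actor="j.smith", witness="a.jones")
        work = working_copy(certified, case / "auth.log.work1", original_hash, log, actor="j.smith")
        work_ok = verify(work, original_hash)

        # An analyst's edit to the working copy is detected and never reaches the original.
        work.write_bytes(SAMPLE_EVIDENCE + b"# analyst note\n")
        return {
            "original_hash": original_hash,
            "expected_hash": hashlib.sha256(SAMPLE_EVIDENCE).hexdigest(),
            "original_intact": verify(original, original_hash),
            "certified_intact": verify(certified, original_hash),
            "working_copy_verified": work_ok,
            "tamper_detected": not verify(work, original_hash),
            "log_actions": [e["action"] for e in log.entries()],
        }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The custody log is what a court or tribunal will ask for: who did what to which item, when, witnessed by whom, and the hash that ties each entry to the bytes on disk. Keep the log itself on separate, access-controlled storage, since a log that lives alongside the evidence it describes is no harder to tamper with than the evidence.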
9. Only recover when essential tasks have been carried out (Corrective control)
Once all evidence collection activities have taken place, and when any authorities involved have advised that it is safe to do so, create a recovery plan and take steps to rebuild damaged or infected systems.
10. Learn from security incidents (Preventive control)
After an investigation, review all security plans, operational procedures and policies to help prevent a repeat of the incident.
Useful References:
• ACPO Guidelines: http://www.met.police.uk/pceu/documents/ACPOguidelinescomputerevidence.pdf
• UK Government Online Legislation Library: http://www.legislation.gov.uk/