HR Security & Legal

Chapter 17
Human Resources Security
The topic of security awareness, training, and education is mentioned prominently in a number of standards and standards-related documents, including ISO 27002 (Code of Practice for Information Security Management) and NIST Special Publication 800-100 (Information Security Handbook: A Guide for Managers).
Benefits to Organizations
Security awareness, training, and education programs provide four major benefits to organizations:
• Improving employee behavior
• Increasing employee accountability
• Mitigating liability for employee behavior
• Complying with regulations and contractual obligations
Human Factors
• Employee behavior is a critical concern in ensuring the security of computer systems and information assets
• Principal problems associated with employee behavior are:
o Errors and omissions
o Fraud
o Actions by disgruntled employees
[Figure 17.1 Information Technology (IT) Learning Continuum: a layered diagram. Bottom layer (Awareness): Security Basics and Literacy, for all employees. Next layer: Security Awareness, for all employees. Middle layer (Training): Roles and Responsibilities Relative to IT Systems, for staff involved with IT systems, broken down by functional role: Manage, Acquire, Design and Develop, Implement and Operate, Review and Evaluate, Use. Top layer (Education): Education and Experience, for IT security specialists and professionals. Role cells are marked B = beginning, I = intermediate, A = advanced.]
Figure 17.1 Information Technology (IT) Learning Continuum
Awareness
• Seeks to inform and focus an employee's attention on security issues within the organization
• Employees are aware of their responsibilities for maintaining security and the restrictions on their actions
• Users understand the importance of security for the well-being of the organization
• Promotes enthusiasm and management buy-in
• Program must be tailored to the needs of the organization and target audience
• Must continually promote the security message to employees in a variety of ways
• Should provide a security awareness policy document to all employees
NIST SP 800-100 (Information Security Handbook: A Guide for Managers) describes the content of awareness programs, in general terms, as follows:
“Awareness tools are used to promote information security and inform users of threats and vulnerabilities that impact their division or department and personal work environment by explaining the what but not the how of security, and communicating what is and what is not allowed. Awareness not only communicates information security policies and procedures that need to be followed, but also provides the foundation for any sanctions and disciplinary actions imposed for noncompliance. Awareness is used to explain the rules of behavior for using an agency’s information systems and information and establishes a level of expectation on the acceptable use of the information and information systems.”
Training
• Designed to teach people the skills to perform their IS-related tasks more securely
• General users:
o What people should do and how they should do it
o Focus is on good computer security practices
• Programmers, developers, system maintainers:
o Develop a security mindset in the developer
• Managers:
o How to make tradeoffs involving security risks, costs, benefits
• Executives:
o Risk management goals, measurement, leadership
Education
• Most in-depth program
• Fits into the employee career development category
• Often provided by outside sources
o College courses
o Specialized training programs
• Targeted at security professionals whose jobs require expertise in security
Employment Practices and
Policies
• Managing personnel with potential access is an essential part of information security
• Employee involvement:
o Unwittingly aid in the commission of a violation by failing to follow proper procedures
o Forgetting security considerations
o Not realizing that they are creating a vulnerability
o Knowingly violate controls or procedures
Security in the Hiring Process
• Objective:
o “To ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities”
• Need appropriate background checks and screening
o Investigate accuracy of details
• For highly sensitive positions:
o Have an investigation agency do a background check
o Criminal record and credit check
Employment Agreements
Objectives with respect to current employees:
• Ensure that employees, contractors, and third-party users are aware of information security threats and concerns and their responsibilities and liabilities with regard to information security
• Are equipped to support the organizational security policy in their work
• Reduce the risk of human error
Two essential elements of personnel security during employment are:
• A comprehensive security policy document
• An ongoing awareness and training program
Security principles:
• Least privilege
• Separation of duties
• Limited reliance on key employees
Termination of Employment
• Termination security objectives:
o Ensure employees, contractors, and third-party users exit the organization or change employment in an orderly manner
o The return of all equipment and the removal of all access rights are completed
• Critical actions:
o Remove name from all authorized access lists
o Inform guards that ex-employee general access is not allowed
o Remove personal access codes, change physical locks and lock combinations, reprogram access card systems
o Recover all assets, including employee ID, documents, data storage devices
o Notify appropriate departments by memo or email
Email and Internet Use Policies
• Organizations are incorporating specific e-mail and Internet use policies into their security policy document
• Concerns for employers:
o Work time consumed in non-work-related activities
o Computer and communications resources may be consumed, compromising the mission that the IS resources are designed to support
o Risk of importing malware
o Possibility of harm, harassment, inappropriate online conduct
• Elements of such a policy:
o Business use only
o Policy scope
o Content ownership
o Privacy
o Standard of conduct
o Reasonable personal use
o Unlawful activity prohibited
o Security policy
o Company policy
o Company rights
o Disciplinary action
Security Incident Response
• Response procedures to incidents are an essential control for most organizations
o Procedures need to reflect possible consequences of an incident on the organization and allow for a suitable response
o Developing procedures in advance can help avoid panic
• Benefits of having incident response capability:
o Systematic incident response
o Quicker recovery to minimize loss, theft, disruption of service
o Use information gained during incident handling to better prepare for future incidents
o Dealing properly with legal issues that may arise during incidents
• CSIRTs are responsible for:
o Rapidly detecting incidents
o Minimizing loss and destruction
o Mitigating the weaknesses that were exploited
o Restoring computing services
Table 17.2 Security Incident Terminology
• Security incident: “Any action that threatens one or more of the classic security services of confidentiality, integrity, availability, accountability, authenticity, and reliability in a system”
• Unauthorized access to a system:
o Accessing information not authorized to see
o Passing information on to a person not authorized to see it
o Attempting to circumvent the access mechanisms
o Using another person’s password and user id
• Unauthorized modification of information on the system:
o Attempting to corrupt information that may be of value
o Attempting to modify information without authority
o Processing information in an unauthorized manner
Detecting Incidents
• Incidents may be detected by users or administration staff
o Staff should be encouraged to make reports of system malfunctions or anomalous behaviors
• Automated tools:
o System integrity verification tools
o Log analysis tools
o Network and host intrusion detection systems (IDS)
o Intrusion prevention systems
Triage
• Goal:
o Ensure that all information destined for the incident handling service is channeled through a single focal point
o Commonly achieved by advertising the triage function as the single point of contact for the whole incident handling service
• Responds to incoming information by:
o Requesting additional information in order to categorize the incident
o Notifying the various parts of the enterprise or constituency about the vulnerability and sharing information about how to fix or mitigate the vulnerability
o Identifying the incident as either new or part of an ongoing incident and passing this information on to the incident handling response function
Responding to Incidents
• Must have documented procedures to respond to incidents
• Procedures should:
o Detail how to identify the cause
o Describe the action taken to recover from the incident
o Identify typical categories of incidents and the approach taken to respond to them
o Identify the circumstances when security breaches should be reported to third parties such as the police or relevant CERT
o Identify management personnel responsible for making critical decisions and how to contact them
[Figure 17.2 Incident Handling Life Cycle: inputs (Hotline/Helpdesk, Call Center, Information Request, IDS, Incident report, Email, Vulnerability Report, Other) feed into Triage; Triage leads to Analyze, Obtain contact info, Coordinate information & response, and Provide technical assistance, ending in Resolution.]
Figure 17.2 Incident Handling Life Cycle
Documenting Incidents
• Should immediately follow a response to an incident
o Identify what vulnerability led to its occurrence
o How this might be addressed to prevent the incident in the future
o Details of the incident and the response taken
o Impact on the organization’s systems and their risk profile
Chapter 19
Legal and Ethical Aspects
“Computer crime, or cybercrime, is a term used broadly to describe criminal activity in which computers or computer networks are a tool, a target, or a place of criminal activity.”
-- From the New York Law School Course on Cybercrime, Cyberterrorism, and Digital Law Enforcement
Types of Computer Crime
• The U.S. Department of Justice categorizes computer crime based on the role that the computer plays in the criminal activity:
o Computers as targets: involves an attack on data integrity, system integrity, data confidentiality, privacy, or availability
o Computers as storage devices: using the computer to store stolen password lists, credit card or calling card numbers, proprietary corporate information, pornographic image files, or pirated commercial software
o Computers as communications tools: crimes that are committed online, such as fraud, gambling, child pornography, and the illegal sale of prescription drugs, controlled substances, alcohol, or guns
Table 19.1 Cybercrimes Cited in the Convention on Cybercrime (pages 1 and 2 of 2; table not reproduced in these slides)
Table 19.2 CERT 2007 E-Crime Watch Survey Results (table can be found on page 614 in the textbook)
Law Enforcement
Challenges
• The deterrent effect of law enforcement on computer and network attacks correlates with the success rate of criminal arrest and prosecution
• Law enforcement agency difficulties:
o Lack of investigators knowledgeable and experienced in dealing with this kind of crime
o Required technology may be beyond their budget
o The global nature of cybercrime
o Lack of collaboration and cooperation with remote law enforcement agencies
• The Convention on Cybercrime introduces a common terminology for crimes and a framework for harmonizing laws globally
Cybercriminals
• Are difficult to profile
• Tend to be young and very computer-savvy
• Range of behavioral characteristics is wide
• No cybercriminal databases exist that can point to likely suspects
• The lack of success in bringing them to justice has led to an increase in their numbers, boldness, and the global scale of their operations
Cybercrime Victims
• Are influenced by the success of cybercriminals and the lack of success of law enforcement
• Many of these organizations have not invested sufficiently in technical, physical, and human-factor resources to prevent attacks
• Reporting rates tend to be low because of a lack of confidence in law enforcement, concern about corporate reputation, and a concern about civil liability
• Executive management and security administrators need to look upon law enforcement as a resource and tool
• Management needs to:
o Understand the criminal investigation process
o Understand the inputs that investigators need
o Understand the ways in which the victim can contribute positively to the investigation
[Figure 19.1 Intellectual Property Infringement: Patents, infringed by unauthorized making, using or selling; Trademarks, infringed by unauthorized use or colorable imitation; Copyrights, infringed by unauthorized use.]
Figure 19.1 Intellectual Property Infringement
Copyright
• Protects tangible or fixed expression of an idea but not the idea itself
• Creator can claim and file copyright at a national government copyright office if:
o Proposed work is original
o Creator has put original idea in concrete form
Copyright Rights
• Copyright owner has these exclusive rights, protected against infringement:
o Reproduction right
o Modification right
o Distribution right
o Public-performance right
o Public-display right
• Examples of protected works include:
o Literary works
o Musical works
o Dramatic works
o Pantomimes and choreographic works
o Pictorial, graphic, and sculptural works
o Motion pictures and other audiovisual works
o Sound recordings
o Architectural works
o Software-related works
Patent
• Grants a property right to the inventor
• “The right to exclude others from making, using, offering for sale, or selling” the invention in the United States or “importing” the invention into the United States
• Types:
o Utility: any new and useful process, machine, article of manufacture, or composition of matter
o Design: new, original, and ornamental design for an article of manufacture
o Plant: discovers and asexually reproduces any distinct and new variety of plant
Trademark
• A word, name, symbol, or device
• Used in trade with goods
• Indicates source of goods
• Distinguishes them from goods of others
• Trademark rights may be used to:
o Prevent others from using a confusingly similar mark
o But not to prevent others from making the same goods or from selling the same goods or services under a clearly different mark
Intellectual Property Relevant to Network and Computer Security
• A number of forms of intellectual property are relevant in the context of network and computer security
• Examples of some of the most prominent:
o Software: programs produced by vendors of commercial software; shareware; proprietary software created by an organization for internal use; software produced by individuals
o Databases: data that is collected and organized in such a fashion that it has potential commercial value
o Digital content: includes audio and video files, multimedia courseware, Web site content, and any other original digital work
o Algorithms: an example of a patentable algorithm is the RSA public-key cryptosystem
U.S. Digital Millennium Copyright Act (DMCA)
• Signed into law in 1998
• Implements WIPO treaties to strengthen protections of digital copyrighted materials
• Encourages copyright owners to use technological measures to protect their copyrighted works
o Measures that prevent access to the work
o Measures that prevent copying of the work
• Prohibits attempts to bypass the measures
o Both criminal and civil penalties apply to attempts to circumvent
• Certain actions are exempted from the provisions of the DMCA and other copyright laws, including:
o Fair use
o Reverse engineering
o Encryption research
o Security testing
o Personal privacy
• Considerable concern exists that the DMCA inhibits legitimate security and encryption research
o Critics feel that innovation and academic freedom are stifled and open source software development is threatened
Digital Rights Management (DRM)
• Systems and procedures that ensure that holders of digital rights are clearly identified and receive stipulated payment for their works
o May impose further restrictions such as inhibiting printing or prohibiting further distribution
• No single DRM standard or architecture
• Objective is to provide mechanisms for the complete content management life cycle
• Provide persistent content protection for a variety of digital content types/platforms/media
[Figure 19.2 DRM Components: four parties, Content provider, Distributor, Consumer, and Clearinghouse, linked by information flows (protected content, usage rules, digital license, requiring license) and money flows (paying distribution fees, paying royalty fees, paying for protected content).]
Figure 19.2 DRM Components
[Figure 19.3 DRM System Architecture: Roles (Rights holders, Service providers, Consumers); Services (Content management, Identity management, Rights management); Functions (Security/Encryption, Authentication/Authorization, Billing/Payments, Delivery).]
Figure 19.3 DRM System Architecture
Privacy
• Overlaps with computer security
• Dramatic increase in scale of information collected and stored
o Motivated by law enforcement, national security, economic incentives
• Individuals have become increasingly aware of access and use of personal information and private details about their lives
• Concerns about extent of privacy compromise have led to a variety of legal and technical approaches to reinforcing privacy rights
European Union (EU) Directive on Data Protection
• Adopted in 1998 to:
o Ensure member states protect fundamental privacy rights when processing personal information
o Prevent member states from restricting the free flow of personal information within the EU
• Organized around the principles of:
o Notice
o Consent
o Security
o Consistency
o Onward transfer
o Access
o Enforcement
United States Privacy Initiatives
Privacy Act of 1974
• Deals with personal information collected and used by federal agencies
• Permits individuals to determine records kept
• Permits individuals to forbid records being used for other purposes
• Permits individuals to obtain access to records and to correct and amend records as appropriate
• Ensures agencies properly collect, maintain, and use personal information
• Creates a private right of action for individuals
• The U.S. also has a range of other privacy laws
“An organization’s data policy for privacy and protection of personally identifiable information should be developed and implemented. This policy should be communicated to all persons involved in the processing of personally identifiable information. Compliance with this policy and all relevant legislation and regulations concerning the protection of the privacy of people and the protection of personally identifiable information requires appropriate management structure and control. Often this is best achieved by the appointment of a person responsible, such as a privacy officer, who should provide guidance to managers, users and service providers on their individual responsibilities and the specific procedures that should be followed. Responsibility for handling personally identifiable information and ensuring awareness of the privacy principles should be dealt with in accordance with relevant legislation and regulations. Appropriate technical and organizational measures to protect personally identifiable information should be implemented.”
Privacy and Data Surveillance
• Demands of homeland security and counterterrorism have imposed new threats to personal privacy
• Law enforcement and intelligence agencies have become increasingly aggressive in using data surveillance techniques to fulfill their mission
• Private organizations are exploiting a number of trends to increase their ability to build detailed profiles of individuals:
o Spread of the Internet
o Increase in electronic payment methods
o Near-universal use of cellular phone communications
o Ubiquitous computation
o Sensor webs
• Both policy and technical approaches are needed to protect privacy when both government and nongovernment organizations seek to learn as much as possible about individuals
Ethical Issues
• Ethics: “A system of moral principles that relates to the benefits and harms of particular actions, and to the rightness and wrongness of motives and ends of those actions.”
• Many potential misuses and abuses of information and electronic communication that create privacy and security problems
• Basic ethical principles developed by civilizations apply
o Unique considerations surrounding computers and information systems
o Scale of activities not possible before
o Creation of new types of entities for which no agreed ethical rules have previously been formed
[Figure 19.5 The Ethical Hierarchy: three tiers. Humanity: integrity, fairness, care, ...; Professionalism: higher order of societal well-being; Each profession: unique professional standards and code of ethics.]
Figure 19.5 The Ethical Hierarchy
Ethical Issues Related to Computers and Information Systems
• Some ethical issues from computer use:
o Repositories and processors of information
o Producers of new forms and types of assets
o Instruments of acts
o Symbols of intimidation and deception
• Those who understand and exploit technology, and have access permission, have power over these
Professional/Ethical Responsibilities
• Concern with balancing professional responsibilities with ethical or moral responsibilities
• Types of ethical areas a computing or IS professional may face:
o Ethical duty as a professional may come into conflict with loyalty to employer
o “Blowing the whistle”: expose a situation that can harm the public or a company’s customers
o Potential conflict of interest
• Organizations have a duty to provide alternative, less extreme opportunities for the employee
o In-house ombudsperson coupled with a commitment not to penalize employees for exposing problems
• Professional societies should provide a mechanism whereby society members can get advice on how to proceed
• Ethics are not precise laws or sets of facts
• Many areas may present ethical ambiguity
• Many professional societies have adopted ethical codes of conduct which can:
1. Be a positive stimulus and instill confidence
2. Be educational
3. Provide a measure of support
4. Be a means of deterrence and discipline
5. Enhance the profession's public image
Comparison of Codes of Conduct
• Both codes place their emphasis on the responsibility of professionals to other people
• Do not fully reflect the unique ethical problems related to the development and use of computer and IS technology
• Common themes:
o Dignity and worth of other people
o Personal integrity and honesty
o Responsibility for work
o Confidentiality of information
o Public safety, health, and welfare
o Participation in professional societies to improve standards of the profession
o The notion that public knowledge and access to technology is equivalent to social power
The Rules
• Collaborative effort to develop a short list of guidelines on the ethics of computer systems
• Ad Hoc Committee on Responsible Computing
o Anyone can join this committee and suggest changes to the guidelines
o Moral Responsibility for Computing Artifacts, generally referred to as The Rules
• The Rules apply to software that is commercial, free, open source, recreational, an academic exercise or a research tool
o Computing artifact: any artifact that includes an executing computer program
As of this writing, the rules are as follows:
1) The people who design, develop, or deploy a computing artifact are morally responsible for that artifact, and for the foreseeable effects of that artifact. This responsibility is shared with other people who design, develop, deploy or knowingly use the artifact as part of a sociotechnical system.
2) The shared responsibility of computing artifacts is not a zero-sum game. The responsibility of an individual is not reduced simply because more people become involved in designing, developing, deploying, or using the artifact. Instead, a person’s responsibility includes being answerable for the behaviors of the artifact and for the artifact’s effects after deployment, to the degree to which these effects are reasonably foreseeable by that person.
3) People who knowingly use a particular computing artifact are morally responsible for that use.
4) People who knowingly design, develop, deploy, or use a computing artifact can do so responsibly only when they make a reasonable effort to take into account the sociotechnical systems in which the artifact is embedded.
5) People who design, develop, deploy, promote, or evaluate a computing artifact should not explicitly or implicitly deceive users about the artifact or its foreseeable effects, or about the sociotechnical systems in which the artifact is embedded.