Legal, Regulations, Investigations and Compliance

Domain Objectives
• Discuss the world’s various major legal systems
• Describe the differences and similarities between common law and civil law
• Explain laws and regulations affecting information technology
• Discuss computer related crime and its importance to information assurance and security

Domain Objectives (continued)
• Describe the importance of international cooperation in relation to computer crime
• Explain an incident response methodology
• Discuss the importance of digital evidence management and handling
• Describe general guidelines for computer forensic investigations

Information Security TRIAD
• Confidentiality
• Integrity
• Availability

Domain Agenda
• Major Legal Systems
• Information Technology Laws and Regulations
• Incident Response
• Computer Forensics

Major Legal Systems
• Common Law
• Civil Law
• Customary Law
• Religious Law
• Mixed Law

Common Law
• Roots in England
• Based on legal precedents, past decisions, and societal traditions

Common Law
• Overview of Common Law
• Courts
• Judges
• Common Law Countries

Common Law: Criminal Law
• Based on common law, statutory law, or a combination of both
• Deals with behavior or conduct
• Typically the punishment meted out by the criminal courts involves some loss of personal freedom for the guilty party

Common Law: Tort Law
• Definition
• Punishment
• Traces its origin to criminal law

Common Law: Tort Law
• Principles of a Tort
• Categories of a Tort

Common Law: Administrative Law
• Law created by administrative agencies by way of rules, regulations, orders, and decisions
• Areas covered by Administrative Law

Civil Law
• Traces its roots back to two beginnings:
  • Roman Empire
  • Napoleonic Code of France
• Characteristics
• Presents various sub-divisions
• Common law as opposed to Civil law
  • Methodological approach difference
  • Judges’ role difference

Customary Law
• Regionalized systems
• Reflects the society’s norms and values
• Most countries combine customary law with another legal system

Religious Law
• Traditional Islamic law (Sharia)
• Guided by the Qur’an or Sunnah
• Covers all aspects of a person’s life

Mixed Law
• Convergence of two or more legal systems
• Examples of mixed law

World Legal Systems
(Map of world legal systems) Source: WorldLegalSystems

Domain Agenda
• Major Legal Systems
• Information Technology Laws and Regulations
• Incident Response
• Computer Forensics

Information Technology Law & Regulations
• Intellectual Property Law
  • Patent
  • Trademark
  • Copyright
  • Trade Secret
• Licensing Issues
• Privacy
• Liability
• Computer Crime
• International Cooperation

Intellectual Property Laws
• Purpose
• Two categories
  • Industrial Property
  • Copyright

Intellectual Property: Patent
• Definition
• Advantages

Intellectual Property: Trademark
• Characteristics of a Trademark
  • Word
  • Name
  • Symbol
  • Color
  • Sound
  • Product shape
• Purpose of a Trademark

Intellectual Property: Copyright
• Covers the expression of ideas
  • Writings
  • Recordings
  • Computer programs
• Weaker than patent protection

Intellectual Property: Trade Secret
• Should be confidential
• Protection of Trade Secret

Intellectual Property: Software Licensing Issues
• Categories of software licensing:
  • Freeware
  • Shareware
  • Commercial
  • Academic
• Master agreements and end user licensing agreements (EULAs)

Privacy Laws and Regulations
• Rights and Obligations
  • Individuals
  • Organizations

Privacy Initiatives
• Generic Approach
• Regulation by Industry
• The overall objective is to:
  • Protect citizens’ personal information
  • Balance the business and governmental need to collect and use this information

Privacy and the OECD
• The Organization for Economic Co-operation and Development (OECD)
• 7 core principles

Employee Privacy
• Employee Monitoring
• Authorized Usage Policies
  • Internet usage
  • Email
  • Telephone (e.g., VoIP)

Privacy: Personal Protection
• Responsibilities of end users
• Encourage use of:
  • Encryption
  • Anti-virus
  • Patches
  • Shredding

Liability
• Legal Responsibility
• Penalties
  • Civil
  • Criminal Penalties
• Negligence is often used to establish liability

Negligence
• Acting without care
• Due care

Due Diligence
• Ethereal concept often judged against a continually moving benchmark
• Requires a commitment to an ongoing risk analysis and risk management process
• Due Care vs. Due Diligence

Computer Crimes
• Often divided into 3 categories
  • Computers as a Tool
  • Computers as the Target of Crime
  • Computer Incidental to the Crime

Computer Crimes
• Insider abuse
• Stalking
• Viruses
• Organized crime
• White collar/Financial fraud
• Terrorism
• Corporate espionage
• Hacking
• Identity Theft
• Social Engineering
• Child Pornography

International Cooperation
• Initiatives related to International Cooperation in dealing with Computer Crime
• The Council of Europe (CoE) Cybercrime Convention

Domain Agenda
• Major Legal Systems
• Information Technology Laws and Regulations
• Incident Response
• Computer Forensics

Incident Response: Overview
• Response capability
• Policy and guidelines
• Response
• Incident response
  • Triage
  • Containment
  • Investigation
  • Analysis and Treatment
  • Recovery
• Debriefing
• Metrics
• Public Disclosure

Incident Response Objectives
• Incident response in its simplest form is the practice of:
  • Detecting a problem
  • Determining its cause
  • Minimizing the damage it causes
  • Resolving the problem
  • Documenting each step of the response for future reference

Response Capability
• The foundation for Incident Response (IR) is comprised of:
  • Policy
  • Procedures
  • Guidelines
  • Management of evidence

Incident Response Policy
• Escalation Process
• Interaction with third party entities

Response Team
• Staffing and training
  • Virtual Team
  • Permanent Team
  • Hybrid of the Virtual and Permanent
• Response Team Members

Incident Response and Handling
• Incident
• Approved Handling Process

Incident Response and Handling Phases
• Triage
• Investigation
• Containment
• Analysis and tracking

Triage
• Triage encompasses:
  • Detection
  • Classification
  • Notification

Triage - Detection
• Initial Screening
• False Positives

Triage - Classification
• Incident Hierarchy
• General Classifiers
  • Source (internal vs. external)
• More Granular or Specific Characteristics (e.g., worm vs. spam)

Investigation Phase Components
• Components of this phase:
  • Analysis
  • Interpretation
  • Reaction
  • Recovery

Investigation Phase Objectives
• Desired outcomes of this phase are:
  • Reduce the impact
  • Identify the cause
  • Get back up and running in the shortest possible time
  • Prevent the incident from re-occurring

Investigation Considerations
• The investigative phase must consider:
  • Adherence to company policy
  • Applicable laws and regulations
  • Proper evidence management and handling

Containment
• Reduce the potential impact of the incident
  • Systems, devices, or networks that can become “infected”
• The containment strategy depends on:
  • Category of the attack
  • Asset(s) affected
  • Criticality of the data or system

Containment Strategies
• Disconnecting the system from the network
• Virtually isolating the systems through network segmentation
• Implementing a firewall or filtering router with the appropriate rule sets
• Installation of Honeynets/Honeypots

Containment Documentation
• Incident and evidence handling procedures
• Sources of evidence
• Risk of Entrapment vs. Enticement

Analysis and Tracking
• The Concept of Root Cause
  • Determines the actual initial event
  • Attempts to identify the true source and actual point of entry

Analysis and Tracking Goals
• Obtain sufficient information to stop the current incident
• Prevent future “like” incidents from occurring
• Identify what or who is responsible

Analysis and Tracking Team
• Heterogeneous and/or Eclectic Skills
• Solid understanding of the systems affected
• Real World, Applied Experience

Analysis and Tracking Logs
• Dynamic Nature of the Logs
• Feeds into the tracking process
• Working Relationship with other Entities

Recovery Phase Goal
• To get back up and running
  • The Business (worst case)
  • Affected Systems (best case)
• Protect evidence

Recovery and Repair
• Recovery into production of affected systems
• Ensure the system can withstand another attack
• Test for vulnerabilities and weaknesses

Closure of the Incident
• Incident response is an iterative process
• Closure to the incident

Debriefing/Feedback
• Formal process
• Include all of the team members
• Use output to adapt or modify policy and guidelines

Communications of the Incident
• Public disclosure of an incident can:
  • Compound the negative impact
  • Provide an opportunity to regain public trust
• Communication handled by authorized personnel only

Domain Agenda
• Major Legal Systems
• Information Technology Laws and Regulations
• Incident Response
• Computer Forensics

Computer Forensics
• Key Components
  • Crime scenes
  • Digital evidence
  • Guidelines

Computer Forensics: The Law
• The inclusion of the “law” introduces concepts that may be foreign to many information security professionals
  • Crime scene
  • Chain of custody
  • Best evidence
  • Admissibility requirements
  • Rules of evidence

Computer Forensics: Evidence
• Computer Forensics includes:
  • Evidence or potential evidence
• Falls under the larger domain of Digital Forensic Science (per the Digital Forensic Science Research Workshop)
• Deals with evidence and the legal system

Computer Forensics: Evidence
• Correctly identifying the crime scene, evidence, and potential containers of evidence
• Collecting or acquiring evidence:
  • Adhering to the criminalistic principles
  • Keeping contamination and the destruction of the scene to a minimum

Computer Forensics: Evidence
• Using the scientific methods:
  • Determine characteristics of the evidence
  • Comparison of evidence
  • Event reconstruction
• Presentation of findings:
  • Interpretation and analysis of the examination
  • Articulating these in a format appropriate for the intended audience

Crime Scene
• Prior to identifying evidence, the larger crime scene needs to be addressed
• A crime scene is nothing more than:
  • The environment in which potential evidence may exist
• Digital crime scenes follow the same principles

Crime Scene
• The principles of criminalistics apply to both digital and physical crime scenes:
  • Identify the scene
  • Protect the environment
  • Identify evidence and potential sources of evidence
  • Collect evidence
  • Minimize the degree of contamination

Crime Scene: Physical vs. Virtual
• The Crime Scene Environment
  • Physical
  • Virtual or Cyber

Locard’s Principle
• Locard’s Principle of Exchange
  • When a crime is committed, the perpetrator
    • Leaves something behind
    • Takes something with them
• This principle allows us to identify aspects of the person or persons responsible, even with a purely digital crime scene

Behavior
• Investigation or Root Cause Analysis
• Means, Opportunity, and Motives (MOM)
• Modus Operandi (MO)
• Criminal computer behavior is no different than typical criminal behavior

Behavior of Computer Criminals
• Computer criminals have specific MOs
  • Hacking software/tools
  • Types of systems or networks attacked, etc.
• Signature behaviors
• MO & Signature behaviors
  • Profiling
  • Interviewing

Crime Scene Analysis
• Protect the ‘crime scene’ from unauthorized individuals
• Once a scene has been contaminated, there is no undo or redo button to push
  • The damage is done!

Digital Evidence
• The exact requirements for the admissibility of evidence vary
• Evidence

Digital Evidence: 5 Rules
• Admissible
• Authentic
• Complete
• Accurate
• Convincing

Digital Evidence: Hearsay
• Hearsay
  • Second-hand evidence
  • Normally not admissible
• Business records exceptions:
  • Computer generated information can fall into this category
  • May require someone to attest to how the records/information were created

Digital Evidence: Life Span
• Digital evidence
  • Volatile and “fragile”
  • May have a short “life span”
  • Collect quickly
  • By order of volatility (i.e., most volatile first)
• Document, document, document!

Digital Evidence: Chain of Custody
• Chain of Custody
  • Who
  • What
  • When
  • Where
  • How

Digital Evidence: Accuracy and Integrity
• Ensuring the accuracy and integrity of evidence is critical!
• The current protocol for demonstrating accuracy and integrity relies on hash functions
  • MD5
  • SHA-256

General Guidelines
• IOCE/SWGDE 6 principles for computer forensics and digital/electronic evidence
  • When dealing with digital evidence, all of the general forensic and procedural principles must be applied
  • Upon seizing digital evidence, actions taken should not change that evidence
  • When it is necessary for a person to access original digital evidence, that person should be trained for the purpose

Six IOCE/SWGDE Principles (continued)
  • All activity relating to the seizure, access, storage or transfer of digital evidence must be fully documented, preserved and available for review
  • An individual is responsible for all actions taken with respect to digital evidence whilst the digital evidence is in their possession
  • Any agency that is responsible for seizing, accessing, storing or transferring digital evidence is responsible for compliance with these principles

General Guidelines: Dos and Don’ts
• Minimize Handling/Corruption of Original Data
• Account for Any Changes and Keep Detailed Logs of Your Actions
• Comply with the Five Rules for Evidence
• Do Not Exceed Your Knowledge
• Follow Your Local Security Policy and Obtain Written Permission

General Guidelines: Dos and Don’ts
• Capture as Accurate an Image of the System as Possible
• Be Prepared to Testify
• Ensure Your Actions are Repeatable
• Work Fast
• Proceed From Volatile to Persistent Evidence
• Don’t Run Any Programs on the Affected System

General Guidelines: Dos and Don’ts
• Act ethically
  • In good faith
  • Attempt to do no harm
  • Do not exceed one’s knowledge, skills, and abilities

Domain Summary
• Know local laws and regulations
• Have an approved procedure for handling of incidents
• Ensure that all handling of sensitive information is compliant with regulation
• Follow best practices and document all steps of an investigation

“Security Transcends Technology”
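Worked example, added to this outline and not part of the original deck, tying together the Chain of Custody slide (who, what, when, where, how), the Accuracy and Integrity slide (MD5 and SHA-256 digests) and the guideline to keep detailed, repeatable logs of every action taken with evidence. It uses only the Python standard library; the evidence image, item id, examiner names and locations are constructed sample values, and the hash-chained log format is this example's own design rather than any standard. SHA-256 is the digest the example relies on for integrity decisions; MD5 is recorded only as a secondary value for compatibility with older tooling, since MD5 collisions are practical and it should not be the sole proof that an image is unchanged.

```python
"""Evidence integrity and chain-of-custody record (added example, not from the deck)."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

# Constructed sample evidence image: stands in for a disk or memory image
# acquired from the affected system. Not real data.
EVIDENCE_IMAGE = b"constructed-sample-disk-image:" + bytes(range(256)) * 64

SUPPORTED = ("md5", "sha256")  # the two algorithms named on the slide


def hash_evidence(data: bytes, algorithm: str = "sha256", chunk_size: int = 4096) -> str:
    """Hex digest of an image, fed in chunks so the same routine suits images larger than RAM."""
    if algorithm not in SUPPORTED:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    h = hashlib.new(algorithm)
    for offset in range(0, len(data), chunk_size):
        h.update(data[offset:offset + chunk_size])
    return h.hexdigest()


@dataclass
class CustodyEntry:
    """One link in the chain: who, what, when, where, how, the evidence digest
    observed at that moment, and the digest of the previous entry (so the log
    itself is tamper-evident)."""
    who: str
    what: str
    when: str
    where: str
    how: str
    evidence_sha256: str
    previous_entry_sha256: str

    def digest(self) -> str:
        # Canonical JSON so the same entry always hashes the same way.
        return hashlib.sha256(json.dumps(self.__dict__, sort_keys=True).encode()).hexdigest()


@dataclass
class ChainOfCustody:
    item_id: str
    acquisition_sha256: str  # reference digest taken at seizure; used for all checks
    acquisition_md5: str     # secondary digest only, kept for older tooling
    entries: List[CustodyEntry] = field(default_factory=list)

    def verify_evidence(self, data: bytes) -> bool:
        """True only if the image still matches the digest taken at acquisition."""
        return hmac.compare_digest(hash_evidence(data, "sha256"), self.acquisition_sha256)

    def record(self, who: str, what: str, where: str, how: str, data: bytes,
               when: Optional[str] = None) -> CustodyEntry:
        """Append an entry; refuses to log a hand-off of altered evidence."""
        if not self.verify_evidence(data):
            raise ValueError(f"{self.item_id}: evidence digest mismatch, transfer not recorded")
        prev = self.entries[-1].digest() if self.entries else "GENESIS"
        entry = CustodyEntry(who=who, what=what,
                             when=when or datetime.now(timezone.utc).isoformat(timespec="seconds"),
                             where=where, how=how,
                             evidence_sha256=self.acquisition_sha256,
                             previous_entry_sha256=prev)
        self.entries.append(entry)
        return entry

    def verify_log(self) -> bool:
        """True if every entry still points at the digest of its predecessor."""
        prev = "GENESIS"
        for entry in self.entries:
            if entry.previous_entry_sha256 != prev:
                return False
            prev = entry.digest()
        return True


def acquire(item_id: str, data: bytes, examiner: str, location: str) -> ChainOfCustody:
    """Seize an image: hash it with both algorithms and open its custody log."""
    coc = ChainOfCustody(item_id, hash_evidence(data, "sha256"), hash_evidence(data, "md5"))
    coc.record(examiner, f"acquired image {item_id}", location,
               "forensic imaging from write-blocked source", data)
    return coc


def run_demo() -> dict:
    """Seizure, one hand-off, a tampered copy, then a tampered log entry."""
    coc = acquire("IMG-0001", EVIDENCE_IMAGE, "examiner A", "lab bench 1")
    coc.record("examiner B", "received image for analysis", "evidence locker",
               "sealed bag, signed receipt", EVIDENCE_IMAGE)
    results = {"entries": len(coc.entries), "log_intact": coc.verify_log()}

    altered = bytearray(EVIDENCE_IMAGE)
    altered[100] ^= 0x01  # a single flipped bit must be caught
    results["altered_copy_verifies"] = coc.verify_evidence(bytes(altered))
    try:
        coc.record("examiner C", "received copy", "offsite", "courier", bytes(altered))
        results["altered_transfer_recorded"] = True
    except ValueError:
        results["altered_transfer_recorded"] = False

    coc.entries[0].what = "acquired image IMG-0001 (edited after the fact)"
    results["log_intact_after_edit"] = coc.verify_log()  # chain is now broken
    return results


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The two checks map onto the slides: `verify_evidence` is the accuracy and integrity check (a changed image no longer matches the acquisition digest, so the hand-off is refused), and `verify_log` is the documentation guideline made testable (editing any earlier who/what/when/where/how entry breaks the chain of entry digests, which is what a reviewer would look for when the log is produced in court).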