Proving Your Case - Computer Security

Terrence P. Maher
Abrahams Kaslow & Cassman
tmaher@akclaw.com

Common Types of Computer Crime

• Fraud by computer manipulation
• Computer forgery
• Damage to or modifications of computer data or programs
• Unauthorized access to computer systems and services
• Unauthorized reproduction of computer programs

Essential Components of Security

• Administrative and organizational security
• Personnel security
• Physical security
• Communications - electronic security
• Hardware and software security
• Operations security
• Contingency planning

Administrative and Organizational Security

• Development of procedures to identify risks
• Definition of individual security duties and assignment of responsibilities
• Designation of restricted areas
• Establishment of authorization procedures
• Identification of external dependencies
• Preparation of contingency plans

Personnel Security

• Specify security requirements in job descriptions
• Ensure personnel meet the requirements - background investigations
• Adequate security motivation and training
• Have adequate corporate policies in place
• Remember to check contractors who are provided access to premises or systems

Personnel Security

• Supervising access to and control over system resources through identification and authorization measures - monitoring
• Enforce vacation policies and rotate assignments
• Termination procedures
• Expect revenge from disgruntled employees or ex-employees

Physical Security

• Site planning - location and layout, building construction, fencing and shielding
• Control of access - perimeter security, visitor control, access devices and badges, guards and anti-intrusion devices
• Protection against physical damage and environmental failures
• Protection of media and supplies
• Random checks and tests

Communications-Electronic Security

• Access control - passwords, password controls, smart cards and biometric devices
• Physical security of network cabling and telecommunications equipment
• Shielding of cables
• Firewalls
• Encryption

Hardware and Software Security

• Identification measures to identify authorized users
• Isolation features to restrict access to unauthorized devices, software and data
• Access control for selective sharing of system resources
• Surveillance and detection measures
• Response techniques to counter harm

Operations Security

• Identification of assets requiring protection
• Establishment of the value of those assets
• Identification of threats associated with each asset
• Identification of the vulnerability of the system to such threats

Operations Security (continued)

• Assessment of the risk exposure associated with each asset
• Selection and implementation of security measures
• Testing of security measures
• Audit and refinement of the security program on a continuing basis

Planning for Computer Crime

• Put detection measures in place so that a crime is identified quickly when it occurs
• Assemble a team who will respond to incidents
• Determine how the team will respond to different types of intrusions
• Test and update the procedures

Detection Tools

• Intrusion detection systems are not designed to collect and protect the integrity of the type of information required to conduct law enforcement investigations
• There is a lack of guidance to employees as to how to respond to intrusions and capture the required information

Detection Tools - Logs

• System logs
• Audit logs
• Application logs
• Network management logs
• Network traffic capture
• Contemporaneous manual entries
• Logs maintained by the intruder, an ISP or a telecommunications provider

Detection Tools - Logs

• Logs may make little immediate sense without training in the operation of the intrusion detection tool and an understanding of the principles upon which it operates
• Logs may lack sufficient detail
• Logs may not cover relevant time periods
• Logs may not be sufficient to permit comparison of normal vs. abnormal activity

Detection Tools - Logs

• In real-time detection, the detection tool may not be able to keep up with network traffic, or it may be positioned on the network in a way that leaves it unable to capture all relevant data
• Logs may not identify the perpetrator in any useful way
• Logs may have been compromised
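Two of the concerns above, that logs may have been compromised and that they may not cover the relevant time periods, can be checked at the time logs are collected. The following added example (not part of the presentation) keeps a SHA-256 hash chain over collected log lines so that later alteration, insertion or truncation is detectable, and flags gaps in time coverage; the log line format and the sample lines are constructed assumptions.

```python
"""Tamper-evident preservation of collected log lines (added illustration)."""
import hashlib
from datetime import datetime

# Constructed sample log lines; an ISO 8601 timestamp at the start of each
# line is an assumption of this example, not a format the deck specifies.
SAMPLE_LOG = [
    "2003-05-12T09:00:01 sshd: accepted login for alice from 10.0.0.5",
    "2003-05-12T09:02:17 sshd: failed password for root from 198.51.100.7",
    "2003-05-12T09:02:19 sshd: failed password for root from 198.51.100.7",
    "2003-05-12T13:45:00 cron: nightly backup started",
]


def chain_hashes(lines):
    """Return one digest per line; each digest covers the previous digest
    and the current line, so changing any line breaks every later digest."""
    prev = hashlib.sha256(b"").hexdigest()
    digests = []
    for line in lines:
        prev = hashlib.sha256((prev + "\n" + line).encode()).hexdigest()
        digests.append(prev)
    return digests


def first_tampered_index(lines, recorded):
    """Recompute the chain over `lines` and compare it with the digests
    recorded at collection time. Return the index of the first line that
    no longer matches (an altered, inserted or deleted entry), or None."""
    computed = chain_hashes(lines)
    for i, (h, r) in enumerate(zip(computed, recorded)):
        if h != r:
            return i
    if len(computed) != len(recorded):
        return min(len(computed), len(recorded))   # truncated or extended
    return None


def coverage_gaps(lines, max_gap_seconds):
    """Return (from, to) timestamp pairs where consecutive entries are more
    than max_gap_seconds apart, i.e. periods the log does not cover."""
    stamps = [line.split(" ", 1)[0] for line in lines]
    times = [datetime.fromisoformat(s) for s in stamps]
    return [(stamps[i], stamps[i + 1])
            for i in range(len(times) - 1)
            if (times[i + 1] - times[i]).total_seconds() > max_gap_seconds]


if __name__ == "__main__":
    manifest = chain_hashes(SAMPLE_LOG)       # store alongside the log copy
    print("intact:", first_tampered_index(SAMPLE_LOG, manifest) is None)
    print("gaps over one hour:", coverage_gaps(SAMPLE_LOG, 3600))
```

The manifest (the list of digests) is what the response team keeps with the preserved copy; recomputing it later and comparing supports the chain of possession the deck lists under evidence.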

The Response Team

• Have the team formed ahead of time
• Team members should include a manager, systems operator, auditor, investigator, technical advisor, and legal

The Response Team

Manager
• Team leader; decides on the response to the incident
• Should be able to assess the value of the compromised information and the potential impact of the loss on the organization
• Responsible for documenting all events that have taken place

The Response Team

System Operator
• May be a systems manager or systems programmer; must know his or her way around the system(s) involved
• For crimes in progress, the systems operator will track the criminal and monitor system activity; for crimes which have already taken place, the systems operator will be responsible for reconstructing what took place
• Responsible for documenting what happened

The Response Team

Auditor
• Helps the systems operator follow the trail of the crime using audit tools and audit trails
• Responsible for documenting the economic impact of the incident
• Includes tangible and intangible losses, as well as lost productive time

The Response Team

Investigator
• Usually from the law enforcement agency that has jurisdiction over the crime
• Duty is to make sure all evidence is collected using proper means and in accordance with legal requirements
• Responsible for securing appropriate judicial authorization for search warrants and monitoring of communications

The Response Team

Technical Advisor
• Usually a technical expert who understands both technology and criminal investigation techniques
• Usually from the law enforcement agency which has jurisdiction over the crime
• Works closely with the systems operator to analyze system logs and other system activity that may explain the crime and identify the suspect

The Response Team

Legal
• Risk management
• Insurance recovery
• Civil prosecution

Response

Should you call in law enforcement?
• Trap and trace devices
• Pen registers
• Dialed number recorders
• Search warrants for third-party and intruder facilities, equipment, systems and records

Interview witnesses and informants

Evidence and Legal Proceedings

• Admissibility and weight of evidence
• Hearsay rule
• Business records exception
• Authentication
• Best evidence
• Reliability of witnesses
• Chain of possession

Evidence and Legal Proceedings

• Discovery
• Protective orders
• Testimony

Terrence P. Maher
Abrahams Kaslow & Cassman
8712 West Dodge Road
Suite 300
Omaha, Nebraska 68114
tmaher@akclaw.com