Using BitLocker to Encrypt Removable Media (Section 2)
IRCAR201201128
Date: 2012/01/18
The default settings in Windows 7 allow users to decide if and when they want to encrypt data on removable devices. This article explains how you can enforce BitLocker security in a more uniform manner through the use of group policy settings.
Introduction
In the first part of this article series, I showed you how you could manually use BitLocker to encrypt the contents of a USB flash drive. Although the procedure that I showed you last time works well enough, it tends to leave a lot to chance. Imagine for instance that your company keeps a lot of sensitive information on file. Ideally, you would probably like to prevent any of that data from ever walking out the door. In reality though, you may have employees whose job functions require them to have certain data available, even when they are not connected to the network.
Since the last thing that you want is for an employee to misplace a USB drive filled with personal information about all of the organization’s customers, encryption is an absolute must. BitLocker to Go can definitely provide the type of encryption that you need, but the encryption method that I demonstrated in the first part of the series requires users to manually encrypt their own USB flash drives.
Obviously, we can’t just put encryption into the user’s hands and trust them to do it. Fortunately, we do not have to. Windows 7 and Windows Server 2008 R2 include group policy settings that you can use to control how and when BitLocker encryption is used.
The Group Policy Object Editor contains quite a few different group policy settings related to BitLocker encryption, but there is an entire folder containing the settings pertaining to BitLocker encryption of removable media. You can access this folder at Computer Configuration \ Administrative Templates \ Windows Components \ BitLocker Drive Encryption \ Removable Data Drives.
Control Use of BitLocker on Removable Drives
The first group policy setting that I want to show you is the Control Use of BitLocker on Removable Drives setting. As the name implies, this setting allows you to control whether or not users are allowed to encrypt removable media with BitLocker.
At its simplest, disabling this setting prevents users from encrypting removable media, whereas if you leave it unconfigured, users can use BitLocker to encrypt removable media.
If you do choose to enable this group policy setting, there are two options that you can set. The first lets you choose whether or not users are allowed to apply BitLocker protection to removable data drives. This option looks redundant, but Microsoft included it so that, once the policy setting is enabled, this option and the next one can be controlled independently.
The second option controls whether users are allowed to suspend BitLocker protection or decrypt removable data drives. In other words, you can control whether or not users may turn off BitLocker for a removable storage device.
Configure Use of Smart Cards on Removable Drives
This group policy setting allows you to control whether or not smart cards can be used as a mechanism for authenticating users for access to BitLocker encrypted content. If you do decide to enable this group policy setting, then there is a sub option that you can use to require the use of smart cards. If you choose this option, then users will only be able to access BitLocker encrypted content by using smart card based authentication.
Deny Write Access to Removable Drives Not Protected By BitLocker
The Deny Write Access to Removable Drives Not Protected By BitLocker setting is one of the more important group policy settings related to the encryption of removable media. When you enable this setting, Windows checks every removable storage device inserted into the computer to see whether BitLocker encryption is enabled. If BitLocker isn't enabled on the drive, the drive is treated as read-only; users are only given write access if BitLocker is enabled on the drive. That way, you can prevent users from writing data to unencrypted removable media.
That will give you some degree of protection, but it is still possible for a user to enable BitLocker on a home computer, encrypt a USB flash drive, and then bring the encrypted drive into the office and write data to it. Enabling the Do Not Allow Write Access to Devices Configured in Another Organization option allows Windows to look at where the removable storage device came from. If the device was encrypted by another organization, then BitLocker will deny write access to the device.
Configure Use of Passwords for Removable Data Drives
This is one of the more self-explanatory settings. It allows you to control whether or not you want to require a password to unlock the contents of removable drives. Assuming that you do want to password-protect removable drives, you also have the option to control the password's length and complexity requirements.
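The settings above are ordinary registry-backed policy values, so their effective state on a machine can be audited from PowerShell. This is an added example, not code from the article; it assumes the value names under HKLM\SOFTWARE\Policies\Microsoft\FVE listed in the script (taken from the VolumeEncryption.admx template) and that an absent value means "Not Configured".

```powershell
# Added example, not from the original article: audit the Removable Data Drives policy
# settings described above on a Windows 7 / Server 2008 R2 machine.
# Assumption: each setting is stored as a DWORD under the FVE policy key with the value
# names below (from the VolumeEncryption.admx template); an absent value means the
# setting is "Not Configured". Run in an elevated PowerShell session (PS 2.0 compatible).

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Policy (and sub-option) name -> assumed registry value name.
$checks = @(
    @{ Setting = 'Control use of BitLocker on removable drives';              Value = 'RDVConfigureBDE' },
    @{ Setting = '  Allow users to apply BitLocker protection';               Value = 'RDVAllowBDE' },
    @{ Setting = '  Allow users to suspend and decrypt BitLocker protection'; Value = 'RDVDisableBDE' },
    @{ Setting = 'Configure use of smart cards on removable drives';          Value = 'RDVAllowUserCert' },
    @{ Setting = '  Require use of smart cards';                              Value = 'RDVEnforceUserCert' },
    @{ Setting = 'Deny write access to removable drives not protected';       Value = 'RDVDenyWriteAccess' },
    @{ Setting = '  Do not allow write access to devices from another org';   Value = 'RDVDenyCrossOrg' },
    @{ Setting = 'Configure use of passwords for removable data drives';      Value = 'RDVPassphrase' },
    @{ Setting = '  Require password for removable data drive';               Value = 'RDVEnforcePassphrase' },
    @{ Setting = '  Minimum password length';                                 Value = 'RDVPassphraseLength' }
)

function Get-RdvPolicyState {
    # Emits one object per setting with the raw DWORD and a readable state.
    foreach ($c in $checks) {
        $raw = $null
        if (Test-Path $policyKey) {
            $item = Get-ItemProperty -Path $policyKey -Name $c.Value -ErrorAction SilentlyContinue
            if ($item) { $raw = $item.($c.Value) }
        }
        if ($raw -eq $null)  { $state = 'Not Configured' }
        elseif ($raw -eq 0)  { $state = 'Disabled' }
        elseif ($raw -eq 1)  { $state = 'Enabled' }
        else                 { $state = "Value $raw" }   # numeric settings such as the minimum length
        New-Object PSObject -Property @{
            Setting       = $c.Setting
            RegistryValue = $c.Value
            State         = $state
        }
    }
}

function Test-RdvPolicyGaps {
    # Flags the gap the article describes: unencrypted drives are read-only, but a
    # drive encrypted elsewhere (for example on a home PC) could still be written to.
    $states = Get-RdvPolicyState
    $deny  = ($states | Where-Object { $_.RegistryValue -eq 'RDVDenyWriteAccess' }).State
    $cross = ($states | Where-Object { $_.RegistryValue -eq 'RDVDenyCrossOrg' }).State
    if ($deny -ne 'Enabled') {
        Write-Warning 'Unencrypted removable drives are still writable (RDVDenyWriteAccess is not enabled).'
    } elseif ($cross -ne 'Enabled') {
        Write-Warning 'Drives encrypted by another organisation can still be written to (RDVDenyCrossOrg is not enabled).'
    } else {
        Write-Host 'Write access is limited to drives encrypted by this organisation.'
    }
}

Get-RdvPolicyState | Select-Object Setting, RegistryValue, State | Format-Table -AutoSize
Test-RdvPolicyGaps
```

Run it on a test machine after a gpupdate to confirm that the values written by your GPO match what the script reports.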
Conclusion

One of the problems with encrypting data is that if the encryption keys are lost, then the data cannot be decrypted. In Part 3, I will show you a technique for avoiding this problem by storing the encryption keys in the Active Directory.

References

http://www.windowsnetworking.com

18 Mordad 1393 Tags: Articles
Using BitLocker to Encrypt Removable Media (Section 1)
IRCAR201201127
Date: 2012/01/17
How to use BitLocker-to-go in order to prevent accidental data disclosure by encrypting removable media.
Introduction
Users who work outside of an organization have always presented a special security challenge to IT employees. On one hand, mobile workers need access to corporate data on their laptops or mobile devices. On the other hand, placing data on such devices puts the data at risk of being compromised should the device be lost or stolen.
Many organizations forbid employees from storing data on laptops or mobile devices for this very reason. This approach is not always practical though. Restricting users from placing data on their laptops or mobile devices means that the users will have to connect to the Internet any time that they need to access data, and as we all know Internet access is not always available.
Over the years Microsoft has created several different solutions that are designed to help secure the data that is stored on laptops. In Windows Vista for example, Microsoft introduced the BitLocker drive encryption feature.
As much of an improvement as BitLocker is over the file-level encryption previously available in Windows XP, it does have its limitations. For example, the Windows Vista version of BitLocker could only encrypt the system volume; if a computer contained other volumes, EFS encryption or a third-party encryption product still had to be used to secure them.
Another major BitLocker limitation was its inability to encrypt removable media. It is important to remember that USB flash drives have become ubiquitous. Furthermore, the capacity of such devices has increased exponentially over the last few years. What all of this means is that vast quantities of data can easily be stored in a small and inexpensive device that offers no native encryption capabilities. The really scary part is that because USB flash drives are small and inexpensive, a user may not even notice when one goes missing.
When Microsoft created Windows 7, one of the things that they set out to do was to address the various shortcomings of BitLocker. Some of these improvements include:
· BitLocker is now capable of encrypting all of a system’s volumes, not just the volume containing the operating system.
· The system now performs an integrity check as a part of the boot process. This helps to verify that the computer hasn’t been tampered with while offline, and that the encrypted drive is in its original computer.
· It is now possible to move an encrypted hard drive to another computer.
· Windows guards against cold boot attacks by requiring users to either enter a PIN or insert a USB flash drive containing key material prior to booting a computer or resuming from hibernation.
· BitLocker recovery keys are now stored in the Active Directory. These keys can be used to regain access to BitLocker encrypted data in the event that a user forgets their PIN, or loses the USB flash drive containing the keying information.
BitLocker to Go
Perhaps the most significant new BitLocker feature is BitLocker to Go. BitLocker to Go makes it possible to encrypt removable storage devices, such as USB flash drives. That way, if the removable media is lost or stolen, the data that it contains will not be compromised.
As you would probably expect, BitLocker encryption is not enabled by default for USB flash drives. However, BitLocker encryption can be enabled either by an administrator (via group policy settings) or by an end user.
Microsoft has made it really easy for an end user to enable BitLocker encryption. BitLocker functionality is now integrated directly into Windows Explorer.

In Figure A, I have inserted a USB flash drive into a computer that is running Windows 7. When I right-click on the USB flash drive, Windows displays an option to turn on BitLocker.

Figure A: Windows Explorer now contains an option to turn on BitLocker

If I select the Turn on BitLocker option, BitLocker will only be enabled for the selected drive, not the entire system. When you enable BitLocker, Windows will prompt you to enter a password that you can use to unlock the drive. As you can see in Figure B, you also have the option of using a smart card to unlock the drive.

Figure B: You must provide a password and / or a smart card that can be used to unlock the drive

After entering a password, Windows generates a recovery key, and prompts you to either save the recovery key to a file or to print the recovery key, as shown in Figure C. You will notice in the figure that the Next button is grayed out until you perform at least one of these actions. Microsoft requires the recovery key to be saved or printed as a way of preventing data loss due to forgotten passwords.

Figure C: You must save or print your recovery key

After saving or printing your recovery key, it is time to encrypt the drive. To do so, just click the Start Encrypting button, shown in Figure D.

Figure D: Click the Start Encrypting button to encrypt the drive
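The Explorer steps above can also be scripted with manage-bde.exe, which ships with Windows 7. This is an added example, not code from the article; it assumes the flash drive is E:, that C:\BitLockerKeys is a folder on the local disk for the recovery key file, and English-language manage-bde output.

```powershell
# Added example, not from the original article: the command-line equivalent of the
# Explorer walkthrough above, using manage-bde.exe (included with Windows 7).
# Assumptions: the USB flash drive is E:, C:\BitLockerKeys is a folder on the local
# disk (never on the USB drive itself) for the recovery key file, and manage-bde
# prints its status in English. Run from an elevated PowerShell prompt.

$drive   = 'E:'
$keyPath = 'C:\BitLockerKeys'

if (-not (Test-Path $keyPath)) {
    New-Item -ItemType Directory -Path $keyPath | Out-Null
}

# Figures B and C in one step: -pw prompts for the unlock password, -rk writes the
# recovery key file to $keyPath, and -rp additionally generates a 48-digit recovery
# password that is printed to the console so it can be recorded.
manage-bde -on $drive -pw -rk $keyPath -rp

# Figure D: encryption runs in the background; poll until the volume reports 100%.
do {
    Start-Sleep -Seconds 10
    $status = manage-bde -status $drive | Out-String
    $pct    = [regex]::Match($status, 'Percentage Encrypted:\s*([\d.]+)%').Groups[1].Value
    Write-Host "Encrypting $drive ... $pct%"
} while ($pct -ne '' -and [double]$pct -lt 100)

# Confirm which key protectors are on the drive (password, external key, numerical password).
manage-bde -protectors -get $drive

# On another Windows 7 machine the drive is unlocked with the password:
#   manage-bde -unlock E: -pw
```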
Using an Encrypted Flash Drive

Using an encrypted flash drive really is not that much different from using any other flash drive. If you look at Figure E, you can see that when I insert the flash drive, I am prompted to enter a password. You will also notice that the drive’s icon includes a padlock.

Figure E: Upon inserting an encrypted flash drive, you are required to enter a password

Upon entering the password, the icon changes to show that the drive is unlocked, as shown in Figure F.

Figure F: After entering a password, the drive is unlocked
Other Operating Systems

Since BitLocker to Go was first introduced in Windows 7, you may be wondering what happens if you insert an encrypted flash drive into a PC that is running an older operating system. Figure G shows what happens when you insert an encrypted flash drive into a machine that is running Windows Vista.

Figure G: Vista gives you the option of installing a BitLocker to Go Reader
Although Vista does not natively support BitLocker to Go, you are provided with the option of installing a BitLocker to Go Reader. This reader is stored on the encrypted drive (in unencrypted form), so it is possible to install the reader even if you do not have Internet access.
Conclusion

In this article, I have shown you how you can use BitLocker to Go to manually encrypt a USB flash drive. In Part 2 of this series, I will show you how you can use group policies to automate the process.

References

http://www.windowsnetworking.com

Data Leakage Prevention
IRCAR201111122
Date: 2011-11-21
In this article we venture into the world of Data Leakage Prevention (DLP) and describe how to use this technology to better protect corporate data on personal and corporate devices.
Introduction
In the ever-changing world of computing, users use their devices for both personal and corporate purposes. In the absence of DLP (Data Leakage Prevention) technical controls, data will leak. In this article we venture into the world of Data Leakage Prevention and describe how to use this technology to better protect corporate data on personal and corporate devices.
A data breach or data leak is a security incident in which sensitive or confidential data is copied, transmitted, viewed, stolen or used by an unauthorised individual. The information could include financial data (bank or card details), personal health information, personally identifiable details, trade secrets and a corporation’s intellectual property.
Data leakage has always arisen from data at rest, data in transit, email, IM and various other Internet channels; with the rise of mobile technology, however, it now occurs with greater ease. The threat of data leakage from outside the corporation is still a concern, but substantial leakage results from internal activities as well.
Every employee and every device that stores company information is a potential threat: a lost laptop quickly becomes a data leakage risk if it is recovered by an outsider with malicious intent. Data leakage can also result from a lack of employee awareness; staff may be oblivious to the fact that their behaviour or actions are unsafe, yet it is often taken for granted that all employees know the security measures and precautions needed to safeguard sensitive corporate data.
Data can leave the network through various exit points within the IT infrastructure. Enterprises should prioritise the management of data loss risk by choosing DLP solutions that monitor and act at these exit points.
Common behaviours resulting in potential risk of data leakage
· Speaking loudly in public areas about sensitive corporate data
· Failing to log off laptops
· Leaving passwords unprotected
· Accessing unauthorised websites
· Loss or theft of corporate devices (Laptops, Mobile phones, Portable hard drives)
· Loss or theft of personal devices now also being used for corporate practices
· Thumb drives
· Optical media
· Email
· Instant messaging
· Access control both physical and logical
· Lack of encryption
· Lack of two factor authentication
· Lack of remote access control
How can we go about preventing data leakage?
Potential data leakage can be managed by various data loss tools, also known as data leakage prevention or content monitoring and filtering tools. They are intended to prevent unintentional or deliberate exposure of sensitive enterprise information. It is accomplished through identifying content, tracking activity and potentially blocking sensitive data from being moved.
Data Leakage prevention can be managed through the following steps
· By performing content-aware deep packet inspection on network traffic, email and various other protocols. Content-aware data leakage prevention identifies critical data based on previously defined policies and rules. It can be deployed at different points: on the network, on the endpoint, or on stored data.
· By ensuring that complete sessions are always being tracked for analysis and not only singular packets.
· By detecting, blocking and controlling the use of specific content based on rules and policies, thus not allowing saving, printing and forwarding of specific predetermined content.
· By monitoring network traffic, email traffic and multiple other channels through one product and a single management interface.
· By blocking policy violations over email and other external communication methods like IM.
· By deploying an end-user policy compliance solution that controls what end users do on their computers: managing the connected devices and network interfaces, the applications they use and the websites they are able to access. An endpoint solution manages the threat of portable storage devices by giving administrators control over which devices are in use, when and by whom, along with a record of the data that has been copied. Activity on media players, USB drives, memory cards, PDAs, mobile phones, network cards and so on can be logged, and the devices can be centrally disabled if need be.
· By encrypting all communications and data (email, file shares, hard drives, external storage and removable media)
How to roll out a DLP Strategy effectively
When looking at rolling out a DLP strategy in your corporate environment the following should be considered to achieve optimal effectiveness.
· Ensure that your security policy is transparent to all your users, adopted and signed off by senior management.
One should aim to make the security policy simple for everyone involved to understand. The security documents should be accessible to all users, highlighting and explaining the key areas of the DLP policy. The document should include the types of data being monitored as well as the reasons for monitoring and protecting those specific types of data. Everyone should be made aware of the DLP strategy, so that trust within the corporation is maintained and the anxiety that the DLP solution is being used as a “spying” tool is reduced.
· Organise and deploy data protection technologies to avert unintentional data loss.
Accidents do happen, more often than we would like to admit: users lose laptops and devices or send an email to the wrong recipient. By deploying strategies such as content and device control and encryption wherever possible, one can protect against accidental data loss.
· Start small and expand over time (but make a start now!)
When setting up the security policies, prioritise the data so that the rules are not all turned on at once. Monitoring is almost always the best start. Turn on the rules for a small, high-priority batch of data and users, and expand the rules to the remaining data over time. Doing it all at once will overwhelm both IT and users and can cause avoidable complications. Starting with a small group of IT users is a safe bet.
· Ensure security messages are constructed well
When writing the security communications, use careful, well-constructed, clear and concise language that users can understand. Avoid accusatory language, but make sure the messages clearly explain the policy violation that would occur if the action were completed.
· Educate Users
The aim of the security policy is not to catch people out but to educate them, by advising how to perform an operation with reduced security risk. The more the users are educated the easier this process will be and the higher the adoption rate.
Types of DLP solutions
Encryption
Encryption is a simple solution yet very effective. When data is encrypted it cannot be read by unauthorised individuals. Encrypted removable media allows corporations to ensure that any data taken outside the corporate environment is secured at all times. This is necessary where personal devices are now being used for corporate purposes. This solution can be applied to many devices, including flash drives, PDAs, Smartphones or literally any removable device.
Data on an encrypted portable storage device can be read on a machine that has the removable media encryption software installed together with the corresponding encryption key; on any other computer the data is inaccessible. Encryption software can also enforce authorization rules that permit only specified files to be copied onto removable devices, and automatically encrypt the data on those devices.
Digital rights management technology (DRM)
This technology is beneficial for wider security. It protects files via encryption and only allows access to the encrypted files once the user’s identity has been authenticated and their access rights verified. This is a strong form of protection because it stays with the data wherever the data goes: within the corporate environment or on a shared personal/corporate mobile device, both behind and beyond the corporate firewall.
Synchronize DRM and Content Management Systems (CMS)
Numerous corporate enterprises use content management systems (CMSs) to help organize digital content. CMSs are intended to be control centers for all content, covering content creation, management, production and distribution. Integrated DRM-CMS solutions give the corporation assurance that content and document operations conform to current regulatory rules and privacy and security legislation.
Conclusion
There will always be numerous potential security risks brought about by the mobile and remote working age, but organizations all need to do what they can to curb or prevent these security breaches where possible. If corporates effectively combine the available security measures, encryption (in its many forms), DRM, DLP and CMS technologies, an effective data leakage prevention system can be achieved. Corporations should make it a priority to meet the challenge of data leakage prevention.
Wi-Fi security do's and don'ts – 2nd Section
IRCAR201111121
Date: 2011-11-21
Wi-Fi is inherently susceptible to hacking and eavesdropping, but it can be secure if you use the right security measures. Unfortunately, the Web is full of outdated advice and myths. But here are some do's and don'ts of Wi-Fi security, addressing some of these myths.
6. Do deploy NAP or NAC
In addition to 802.11i and a WIPS, you should consider deploying a Network Access Protection (NAP) or network access control (NAC) solution. These can provide additional control over network access, based on client identity and compliance with defined policies. They can also include functionality to isolate problematic clients and remediation to get clients back within compliance.
Some NAC solutions may also include network intrusion prevention and detection functionality, but you'd want to make sure it also specifically provides wireless protection.
If you're running Windows Server 2008 or later and Windows Vista or later for the clients, you can use Microsoft's NAP functionality. Otherwise, you may consider third-party solutions, such as the open source PacketFence.
7. Don't trust hidden SSIDs
One myth of wireless security is that disabling SSID broadcasting on access points will hide your network, or at least the SSID, making it harder for hackers. However, this only removes the SSID from the access point beacons. It is still contained in the 802.11 association request and, in certain instances, in the probe request and response packets as well. Thus an eavesdropper with a legitimate wireless analyzer can discover a "hidden" SSID fairly quickly, especially on a busy network.
Some might argue disabling SSID broadcasting still provides another layer of security, but also remember it can have a negative impact on the network configuration and performance. You'd have to manually input the SSID into clients, further complicating client configuration. It would also cause an increase in probe request and response packets, decreasing available bandwidth.
8. Don't trust MAC address filtering
Another myth of wireless security is that enabling MAC address filtering adds another layer of security, controlling which clients can connect to the network. This has some truth, but remember that it's very easy for eavesdroppers to monitor the network for authorized MAC addresses and then change their computer's media access control (MAC) address.
Thus you shouldn't implement MAC filtering thinking it will do much for security, but maybe as a way to loosely control which computers and devices end-users bring onto the network. But also consider the management nightmare you might face to keep the MAC list up-to-date.
9. Do limit SSIDs users can connect to
Many network administrators overlook one simple but potentially dangerous security risk: users knowingly or unknowingly connecting to a neighboring or unauthorized wireless network, opening their computer up to possible intrusion. Filtering SSIDs is one way to help prevent this. In Windows Vista and later, for example, you can use the netsh wlan commands to add filters controlling which SSIDs users can see and connect to. For desktops, you could deny all SSIDs except those of your own wireless network. For laptops, you could deny just the SSIDs of neighboring networks, so that users can still connect to hotspots and their home networks.
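One way to apply the desktop and laptop filtering policies described in point 9 from a script, as an added example that is not part of the original article. It assumes placeholder SSIDs "CorpWiFi" (the corporate network) and "NeighborNet" (a neighbouring network).

```powershell
# Added example, not from the original article: restrict the SSIDs a Windows Vista or
# later client can see and join, using the netsh wlan filter commands the text refers to.
# Assumptions: "CorpWiFi" is the corporate SSID and "NeighborNet" a neighbouring network;
# both are placeholder names. Run from an elevated PowerShell prompt.

$role          = 'Desktop'        # 'Desktop' or 'Laptop', per the policy described above
$corpSsid      = 'CorpWiFi'
$neighborSsids = @('NeighborNet')

switch ($role) {
    'Desktop' {
        # Allow-list: permit only the corporate network, then deny every other
        # infrastructure and ad hoc network.
        netsh wlan add filter permission=allow ssid="$corpSsid" networktype=infrastructure
        netsh wlan add filter permission=denyall networktype=infrastructure
        netsh wlan add filter permission=denyall networktype=adhoc
    }
    'Laptop' {
        # Block-list: hide specific neighbouring networks only, so hotspots and home
        # networks remain usable when the user is off site.
        foreach ($ssid in $neighborSsids) {
            netsh wlan add filter permission=block ssid="$ssid" networktype=infrastructure
        }
    }
}

# Show the resulting filter list; "netsh wlan delete filter ..." with the same
# arguments removes an entry if it needs to be reverted.
netsh wlan show filters
```

Filters apply per machine, so the same commands can be wrapped in a startup script and deployed through Group Policy.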
10. Do physically secure network components
Remember, computer security isn't just about the latest technology and encryption; physically securing your network components can be just as important. Make sure access points are placed out of reach, such as above a false ceiling, or consider mounting them in a secure location and running an antenna to the optimum spot. If they are not secured, someone could easily reset an access point to factory defaults and open up access.
11. Don't forget about protecting mobile clients
Your Wi-Fi security concerns shouldn't stop at your network. Users with smartphones, laptops and tablets may be protected onsite, but what about when they connect to Wi-Fi hotspots or to their wireless router at home? You should try to ensure their other Wi-Fi connections are secure as well, to prevent intrusions and eavesdropping.
Unfortunately, it isn't easy to ensure outside Wi-Fi connections are secure. It takes a combination of providing and recommending solutions and educating users on the Wi-Fi security risks and prevention measures.
First, all laptops and netbooks should have a personal firewall (such as Windows Firewall) active to prevent intrusions. You can enforce this via Group Policy if running a Windows Server or use a solution to manage non-domain computers.
Next, you need to make sure the user's Internet traffic is encrypted from local eavesdroppers while on other networks by providing VPN access to your network.
You should also make sure any of your Internet-exposed services are secured, in case the user doesn't use the VPN while on a public or untrusted network. For instance, if you offer email access (client or web-based) outside of your LAN, WAN or VPN, ensure you use SSL encryption to prevent local eavesdroppers on the untrusted network from capturing the user's login credentials or messages.
Wi-Fi security do's and don'ts – 1st Section
IRCAR201111120
Date: 2011-11-21
Wi-Fi is inherently susceptible to hacking and eavesdropping, but it can be secure if you use the right security measures. Unfortunately, the Web is full of outdated advice and myths. But here are some do's and don'ts of Wi-Fi security, addressing some of these myths.
1. Don't use WEP
WEP (Wired Equivalent Privacy) security is long dead. Its underlying encryption can be broken quickly and easily by even the most inexperienced of hackers, so you shouldn't use WEP at all. If you are, immediately upgrade to WPA2 (Wi-Fi Protected Access 2) with 802.1X authentication, i.e. 802.11i. If you have legacy clients or access points that don't support WPA2, try firmware upgrades or simply replace the equipment.
2. Don't use WPA/WPA2-PSK
The pre-shared key (PSK) mode of WPA and WPA2 security isn't secure for business or enterprise environments. In this mode, the same pre-shared key must be entered into each client, so the PSK would need to be changed each time an employee leaves or a client is lost or stolen, which is impractical for most environments.
3. Do implement 802.11i
The EAP (extensible authentication protocol) mode of WPA and WPA2 security uses 802.1X authentication instead of PSKs, providing the ability to offer each user or client their own login credentials: username and password and/or a digital certificate.
The actual encryption keys are changed regularly and exchanged silently in the background. Thus, to change or revoke user access, all you have to do is modify the login credentials on a central server, rather than having to change the PSK on each client. The unique per-session keys also prevent users from eavesdropping on each other's traffic, which various tools now make easy.
Keep in mind, for the best security possible you should use WPA2 with 802.1X, also known as 802.11i.
To enable 802.1X authentication, you need a RADIUS/AAA server. If you're running Windows Server 2008 or later, consider using the Network Policy Server (NPS), or the Internet Authentication Service (IAS) of earlier server versions. If you aren't running a Windows Server, consider the open source FreeRADIUS server.
You can push the 802.1X settings to domain-joined clients via Group Policy if you're running Windows Server 2008 R2 or later. Otherwise, you may consider a third-party solution to help configure the clients.
4. Do secure 802.1X client settings
The EAP mode of WPA/WPA2 is still vulnerable to man-in-the-middle attacks. However, you can help prevent these attacks by securing the EAP settings of the client. For instance, in the EAP settings of Windows you can enable server certificate validation by selecting the CA certificate, specify the server address, and prevent it from prompting users to trust new servers or CA certificates.
You can also push these 802.1X settings to domain-joined clients via Group Policy or use a third-party solution.
5. Do use a wireless intrusion prevention system
There's more to Wi-Fi security than combating those directly trying to gain access to the network. For instance, hackers could set up rogue access points or perform denial-of-service attacks. To help detect and combat these, you should implement a wireless intrusion prevention system (WIPS). The design and approaches of WIPSs vary among vendors, but generally they monitor the airwaves looking for, alerting you to, and possibly stopping rogue access points or malicious activity.
There are many commercial vendors offering WIPS solutions. There are also open source options, such as Snort.
We will provide some other dos and don’ts in the next section.
Internet Protocol Security
IRCAR2011100118
Date: 2011-10-22
IPsec is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session.
IPsec is essentially a way to provide security for data sent between two computers on an IP network. IPsec is not just a Windows feature; the Windows implementation of IPsec is based on standards developed by the Internet Engineering Task Force (IETF) IPsec working group.
IPsec operates at the Internet layer of the Internet Protocol Suite. It can be used to protect data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host).
Some other widely used Internet security systems, such as Secure Sockets Layer (SSL), Transport Layer Security (TLS) and Secure Shell (SSH), operate in the upper layers of the TCP/IP model, so an application has to be written to use them. Because IPsec sits at the Internet layer, it protects any application traffic across an IP network, transparently to the applications.
IPsec protects data between two IP addresses by providing the following services:
Data Authentication
· Data origin authentication. You can configure IPsec to ensure that each packet you receive from a trusted party in fact originates from that party and is not spoofed.
· Data integrity. You can use IPsec to ensure that data is not altered in transit.
· Anti-replay protection. You can configure IPsec to verify that each packet received is unique and not duplicated.
Encryption
· You can use IPsec to encrypt network data so that it is unreadable if captured in transit.
In Windows server 2008 and Windows Vista, IPsec is enforced either by IPsec Policies or connection security rules. IPsec Policies by default attempt to negotiate both authentication and encryption services. Connection security rules by default attempt to negotiate only authentication services. However, you can configure IPsec Policies and connection security rules to provide any combination of data protection services.
Security architecture
The IPsec suite is an open standard. IPsec uses the following protocols to perform various functions:
  • Authentication Header (AH) provides connectionless integrity and data origin authentication for IP datagrams, and protection against replay attacks.
  • Encapsulating Security Payload (ESP) provides confidentiality, data origin authentication, connectionless integrity, an anti-replay service (a form of partial sequence integrity), and limited traffic flow confidentiality.
  • Security Associations (SA) provide the bundle of algorithms and data that supply the parameters necessary to operate AH and/or ESP. The Internet Security Association and Key Management Protocol (ISAKMP) provides a framework for authentication and key exchange, with the actual authenticated keying material supplied either by manual configuration with pre-shared keys or by Internet Key Exchange (IKE and IKEv2).
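The anti-replay service listed above for AH and ESP is implemented by the receiver with a sliding window over sequence numbers (RFC 4303 describes it for ESP). The following Python code is an added example written for this page, not part of the original article or of any IPsec implementation; the window size and the packet sequence numbers it is fed are constructed for illustration.

```python
"""Added example (not from the original article): an IPsec-style anti-replay
check using a sliding window over per-SA sequence numbers, as RFC 4303 describes.
Window size and the sample sequence numbers below are constructed for illustration."""


class AntiReplayWindow:
    """Tracks received sequence numbers for one Security Association (SA).

    A packet is accepted only if its sequence number is new and not older
    than the window; duplicates and too-old packets are rejected. This is the
    anti-replay protection the article lists under data authentication.
    """

    def __init__(self, window_size: int = 64):
        # RFC 4303 requires a window of at least 32; 64 is a common default.
        self.window_size = window_size
        self.highest = 0      # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => sequence number (highest - i) was seen

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if it should be accepted, else False."""
        if seq == 0:
            return False  # sequence number 0 is never valid once the SA is up
        mask = (1 << self.window_size) - 1
        if seq > self.highest:
            # Newer than anything seen: slide the window forward.
            shift = seq - self.highest
            if shift < self.window_size:
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            else:
                self.bitmap = 1  # everything previously seen falls out of the window
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.window_size:
            return False  # too old: outside the window, cannot be checked, drop it
        if self.bitmap & (1 << offset):
            return False  # replay: this sequence number was already received
        self.bitmap |= 1 << offset  # late but legitimate: mark it as seen
        return True


def replay_check_demo(seqs, window_size: int = 64):
    """Feed a constructed sequence of packet numbers through one window and
    return the accept/reject decision for each."""
    window = AntiReplayWindow(window_size)
    return [window.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    # Small window so the "too old" case appears quickly in the demo.
    for seq, ok in zip([1, 2, 3, 2, 10, 5, 1],
                       replay_check_demo([1, 2, 3, 2, 10, 5, 1], window_size=8)):
        print(seq, "accepted" if ok else "rejected")
```

With an 8-packet window, the duplicate 2 and the stale 1 (after 10 has advanced the window) are rejected, while the out-of-order 5 is still accepted because it falls inside the window and has not been seen.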
Modes of operation
IPsec can be implemented in a host-to-host transport mode, as well as in a network tunnel mode.
Transport mode
In transport mode, only the payload (the data you transfer) of the IP packet is usually encrypted and/or authenticated. The routing is intact, since the IP header is neither modified nor encrypted; however, when the authentication header is used, the IP addresses cannot be translated, as this will invalidate the hash value. The transport and application layers are always secured by hash, so they cannot be modified in any way. Transport mode is used for host-to-host communications.
Tunnel mode
In tunnel mode, the entire IP packet is encrypted and/or authenticated. It is then encapsulated into a new IP packet with a new IP header. Tunnel mode is used to create virtual private networks for network-to-network communications (e.g. between routers to link sites), host-to-network communications (e.g. remote user access), and host-to-host communications (e.g. private chat).
Tunnel mode supports NAT traversal.
Responding to Various Types of Incidents- Section 5
IRCAR201109114
Date: 2011-09-21
In the “Computer Security Incident Handling in Six Phases” articles, we outlined actions that are applicable to a wide variety of computer security incidents. In these new articles, we define common types of incidents and suggest specific actions appropriate for dealing with each type. Malicious Code Attacks, Probes and Network Mapping, Denial of Service, Inappropriate Usage, Espionage, Hoaxes, Unauthorized Access and some of the actions related to Intellectual Property were studied in the previous sections. This section covers the remaining actions related to Intellectual Property.
Type 8: Intellectual Property (Cont’d)
Special Action 16: Verify the authenticity and origin of the misused intellectual property
This will be fairly straightforward if you have identified your organization's IP through watermarks, content, or other mechanisms. It will be more challenging if you have not identified your IP or if a violator misuses portions of your IP within their own works.
There are numerous instances where violators have removed obvious copyright and trademark identifiers as well as removed the document's title in order to obscure its true owner. Thus, you may need to use multiple methods of authentication.
Special Action 17: Create a detected items log
This log will become the foundation of your evidence and may be necessary before you can receive assistance from lawyers or law enforcement. The log should include information such as IP type and locations such as a URL, filenames, timestamps, title, author, etc. When appropriate, include MD5 or SHA-1 signatures of the original and violated copies.
The Intellectual Property Incident Identification forms found at the end of the article, provide detailed examples of what information to collect.
Special Action 18: Assess the economic damage caused by intellectual property misuse
This will be much easier to do if your organization has already identified the base values of its IP. A key factor in determining damage will be how many times the IP has been misused by the violator.
For example, assume that a company that sells books in electronic form over the Internet has discovered that one of their best selling books is now being distributed for free on a violator's site. The economic damage caused by the misused version being downloaded one thousand times will be greater than if it has been downloaded only twice.
Special Action 19: Carefully collect and store evidence
Monitor and understand the current standards and techniques for digital evidence collection. Determine whether your organization has the necessary internal expertise or needs outside assistance or training. Questioning the "purity" and originality of digital evidence is a popular tactic of defense attorneys.
Perform all digital evidence gathering and analysis on bit-by-bit duplicates of the originals. Be sure to thoroughly document your collection procedures — when data was collected, what was collected, how it was collected and by whom. Properly identify each step you take. For example, if a screen shot is taken of a website containing IP misuse, you can immediately take an MD5 signature of that shot. To help maintain authenticity, be sure to keep the image creation time and MD5 creation time as close as possible together. Additionally, utilize offline browsing tools to capture a suspect's site at a specific point in time and write all evidence to media that cannot be modified, such as CD-R.
If you make an error during the collection process, do not panic. Thoroughly document the error and go on. Most importantly, try not to repeat the error again!
If in doubt, consult with your legal staff and appropriate law enforcement agencies on the proper evidence collection procedures for specific incidents.
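Special Actions 17 and 19 above call for a detected items log that records locations, timestamps, who collected each item and its MD5 or SHA-1 signature, with the signature taken as close to collection time as possible. The Python block below is an added example for this page, not code from the original article or from the SANS source it cites: a small append-only log in which every entry is hashed and linked to the previous entry, so that a later alteration of any entry is detectable. The URLs, handler names and item bytes are constructed samples, and SHA-256 is recorded alongside the MD5 and SHA-1 the article mentions.

```python
"""Added example (not from the original article): a detected-items / evidence
log of the kind Special Actions 17 and 19 describe. Sample items, URLs and
handler names are constructed for the example."""
import hashlib
import json
from datetime import datetime, timezone

# MD5 and SHA-1 as named in the article; SHA-256 is an addition in this example.
HASH_ALGORITHMS = ("md5", "sha1", "sha256")


def signatures(data: bytes) -> dict:
    """Hexadecimal digest of one collected item under each algorithm."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in HASH_ALGORITHMS}


def _entry_digest(entry: dict) -> str:
    """SHA-256 over every field except the entry's own digest, in canonical JSON."""
    body = {k: v for k, v in entry.items() if k != "entry_sha256"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()


class DetectedItemsLog:
    """Append-only log; each entry carries the digest of the previous entry,
    so editing or removing an earlier entry breaks the chain (see verify_chain)."""

    def __init__(self):
        self.entries = []

    def add(self, ip_type, location, data, collected_by, method,
            title=None, author=None, collected_at=None):
        collected_at = collected_at or datetime.now(timezone.utc)
        hashed_at = datetime.now(timezone.utc)  # keep this close to collected_at
        entry = {
            "seq": len(self.entries) + 1,
            "ip_type": ip_type,
            "location": location,          # URL, path or physical location
            "title": title,
            "author": author,
            "collected_by": collected_by,
            "method": method,              # how the item was captured
            "collected_at": collected_at.isoformat(),
            "hashed_at": hashed_at.isoformat(),
            "signatures": signatures(data),
            "prev_entry_sha256": self.entries[-1]["entry_sha256"] if self.entries else None,
        }
        entry["entry_sha256"] = _entry_digest(entry)
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """Recompute every digest and link; False if any entry was altered."""
        prev = None
        for entry in self.entries:
            if entry["prev_entry_sha256"] != prev or _entry_digest(entry) != entry["entry_sha256"]:
                return False
            prev = entry["entry_sha256"]
        return True

    def to_json(self) -> str:
        return json.dumps(self.entries, indent=2, sort_keys=True)


def build_sample_log() -> DetectedItemsLog:
    """Two constructed items: a screenshot of the listing page and the misused file."""
    screenshot = b"PNG-bytes-of-screenshot (constructed sample)"
    misused_copy = b"%PDF-1.4 constructed sample of a misused e-book"
    log = DetectedItemsLog()
    log.add("copyright", "http://example.invalid/downloads/book.pdf", screenshot,
            collected_by="handler-1", method="screenshot of listing page",
            title="Example Handbook", author="Example Corp")
    log.add("copyright", "http://example.invalid/downloads/book.pdf", misused_copy,
            collected_by="handler-1", method="offline browser capture",
            title="Example Handbook", author="Example Corp")
    return log


def tamper_demo() -> tuple:
    """Chain status before and after an entry is silently edited."""
    log = build_sample_log()
    before = log.verify_chain()
    log.entries[0]["location"] = "http://example.invalid/somewhere-else"
    return before, log.verify_chain()


if __name__ == "__main__":
    print(build_sample_log().to_json())
    print("chain intact before/after tampering:", tamper_demo())
```

The chain only proves that the log was not edited after the fact; write the exported JSON to write-once media, as the article advises, so the log itself is preserved.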
Special Action 20: Gather appropriate information about intellectual property misusers
Utilize public sources to gather information on the violating individual or organization. Public sources include search engines, the violator's own website or storefront, publications, and public information databases. Information that should be collected includes names, locations, domain names, IP addresses, and contact information including phone numbers, email addresses, personal websites, and physical and mailing addresses. Always behave ethically and comply with all relevant laws while collecting evidence on a violator.
Special Action 21: Determine when to activate response teams
Every IP misuse incident may not justify a full response. Most organizations do not have unlimited resources or time to respond to IP misuse. Know what "battles" to fight. Such decisions are best made based on a risk assessment that identifies which IP is most important to your organization.
Special Action 22: Identify domain and ISP intellectual property protections
A significant number of ISPs and domain owners have strict IP and acceptable use policies. You can use this to your advantage if one of their customers is misusing your IP. Identify the owner of the network where the violation is occurring. Then make contact with them and describe the misuse. Many of them will then require the violator to remove the misused IP or have their web site taken down.
Special Action 23: Document all communications
Keep a log of all correspondence, phone calls, meetings, etc. that occur during an IP misuse incident. This will help identify liabilities that may exist once the final damage assessment is done. For example, if your requests to an ISP go ignored for months and during that time 1,000 more downloads of your misused IP occur, then a court may find the ISP liable for damages. Also, the individuals listed in the logs, such as DMCA agents and foreign law enforcement officials, may become key allies in future incidents. Keeping accurate and detailed notes of your communications also allows for quick retrieval of important facts as the need arises.
Special Action 24: Identify how intellectual property was inappropriately disclosed or used
This can be challenging and will be significantly based on your understanding of your organization's IP management process. For example, if the misused IP is private to your organization (e.g. trade secrets), then an employee may have leaked it or some other form of economic espionage may have occurred. However, misuse could also be due to lax permissions on your organization's website which allowed unauthorized persons to use and disclose your IP. Detailed forensics of a violator's system will usually reveal the most useful information; such access, however, will likely only be obtainable via a search warrant enforced by appropriate law enforcement.
When possible, identify and audit the actions of all persons who have interacted with the misused IP. In general this is only possible in small organizations or in larger organizations where only a small number of persons have interacted with specific IP. In such organizations, this can be an effective way to identify how IP was misused.
Once the reason for the IP misuse is identified, take appropriate steps to reduce or eliminate it.
Special Action 25: Verify that intellectual property distribution mechanisms are functioning properly
Make sure that trusted third parties or resellers of your IP have not been compromised. For example, assume your organization is a producer of electronic books and it partners with only one online company to resell them. If you find your books are being misused, you should contact the partner company to make sure that they have not been compromised. They also may be able to match a violator's Internet Protocol address or email address to an entry in their download logs.
Special Action 26: Review and update detection schemes and intellectual property management process
Utilize the information gathered during the identification and containment phases of an incident and use it to update and improve your policies, procedures and controls. This will help in preventing and responding to future IP misuse.
Special Action 27: Regularly check previously exploited vulnerabilities
If an IP misuse incident was caused by the exploitation of a specific vulnerability, regularly check to make sure that the vulnerability remains secured. If the incident was due to a breakdown or inadequacy in your organization's IP management process, establish careful auditing of appropriate IP management events.
Special Action 28: Regularly check previous intellectual property misuse web sites
Once it has been verified that your misused IP has been removed from a web site, be sure that the violator does not simply place the IP in another location on the web site, rename it, or repost it later. Also, if a violator's ISP shuts down their website, the violator may immediately acquire a new site with a different ISP and continue to misuse your IP. Conduct regular electronic searches or use a commercial IP searching company to detect these "repeat" offenders.
Special Action 29: Keep the recovery team informed
A very significant IP misuse incident or repeated incidents over a long period of time may require an organization to recover its IP. A recovery team will likely be formed. This team will need to be kept well informed about all IP misuse incidents that could significantly impact the organization's image or profits.
References:
Computer Security Incident Handling: An Action Plan for Dealing with Intrusions, Cyber-Theft, and Other Security-Related Events, Version 2.3.1, Stephen Northcutt, SANS Institute, 2003
Responding to Various Types of Incidents- Section 4
IRCAR201108111
Date: 2011-08-21
In the “Computer Security Incident Handling in Six Phases” articles, we outlined actions that are applicable to a wide variety of computer security incidents. In these new articles, we define common types of incidents and suggest specific actions appropriate for dealing with each type. In these articles we will address Malicious Code Attacks, Probes and Network Mapping, Denial of Service, Inappropriate Usage, Espionage, Hoaxes, Unauthorized Access and Intellectual Property.
Malicious Code Attacks, Probes and Network Mapping, Denial of Service, Inappropriate Usage, Espionage, Hoaxes and Unauthorized access were studied in the previous sections. This section is assigned to a part of actions related to Intellectual Property.
Type 8: Intellectual Property
Intellectual property (IP) includes the creative ideas and expressions of the human mind that possess commercial value and receive the legal protection of a property right. IP rights enable owners to select who may access and use their property, and to protect it from unauthorized use.
IP is a key value for many organizations. It is imperative that organizations protect their IP and are prepared to apply the incident handling process to intellectual property.
Special Action 1: Inventory your intellectual property
Assign a person or department to regularly conduct and maintain an inventory of your organization's intellectual property (IP). The inventory should categorize the different types of IP (proprietary knowledge, trade secrets, patents, copyrights, trademarks, etc.) and be accessible only to those with a need to know. An organization must first know what it has in order to determine how to best protect it.
Special Action 2: Prioritize your intellectual property
Conduct regular risk assessments to identify your organization's critical IP. A risk assessment is a formal process that involves determining the probability that a given threat will exploit a particular vulnerability and the impact of the exploitation. Organizations may not be able to equally protect all of their IP. A well-done risk assessment will distinguish the crucial IP that must be strongly protected. Additionally, the risk assessment will enable organizations to respond appropriately to the misuse of specific IP. Misuse of critical IP should trigger a robust response while misuse of less critical IP may require less of a response.
Special Action 3: Assign financial value to your intellectual property
Regularly determine and document the value of your IP. The documentation should be accessible only by those with a need to know. Know how much it will cost your organization if specific IP is misused. If you have patents, franchises or copyrights for information you license, your organization will already have assigned a financial value to specific IP. Valuation of trade secrets should be based on the worth of cost savings, manufacturing efficiencies or strategic buying.
Knowing the value of IP is often necessary when discussing misuse incidents with law enforcement and when asking a court for damages. It is important to do this regularly as the value of certain IP may change over time.
Special Action 4: Uniquely identify your intellectual property
Use copyright notices, watermarks, or other forms of identification to uniquely identify your IP. Use methods that uniquely identify IP based on its distribution location or method. For instance, a book may have a unique serial number embedded in it as well as other techniques that link it to the purchasing organization. Carefully document this identification. Where possible, also create and securely store MD5 and SHA-1 signatures of your IP. These signatures can be used in the incident identification phase and be a part of detection methodologies.
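Special Action 4 here and Special Action 16 in Section 5 both rely on stored signatures of your IP to recognise it later, including copies from which the title or copyright notice has been stripped, where a whole-file hash no longer matches. The Python block below is an added example for this page, not code from the original article: it keeps whole-file MD5/SHA-1 signatures for exact matches and per-paragraph SHA-1 fingerprints so that partial reuse is still recognised. The handbook text and the suspect copy are constructed samples.

```python
"""Added example (not from the original article): an IP signature inventory
that detects both exact copies and partial reuse of registered documents.
The handbook and suspect texts are constructed samples."""
import hashlib
import re


def normalize(paragraph: str) -> str:
    """Case- and whitespace-insensitive form, so reflowed copies still match."""
    return " ".join(paragraph.lower().split())


def paragraph_fingerprints(text: str) -> set:
    """SHA-1 of each normalized, blank-line-separated paragraph."""
    paragraphs = [p for p in re.split(r"\n\s*\n", text) if p.strip()]
    return {hashlib.sha1(normalize(p).encode("utf-8")).hexdigest() for p in paragraphs}


class IPInventory:
    """Signatures recorded at release time (Special Action 4) and reused
    during identification (Special Action 16)."""

    def __init__(self):
        self.items = {}

    def register(self, name: str, text: str) -> dict:
        data = text.encode("utf-8")
        record = {
            "md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "paragraphs": paragraph_fingerprints(text),
        }
        self.items[name] = record
        return record

    def identify(self, suspect_text: str) -> list:
        """Registered items the suspect text matches, exactly or in part."""
        sha1 = hashlib.sha1(suspect_text.encode("utf-8")).hexdigest()
        suspect_paragraphs = paragraph_fingerprints(suspect_text)
        results = []
        for name, record in self.items.items():
            matched = len(record["paragraphs"] & suspect_paragraphs)
            if sha1 == record["sha1"] or matched:
                results.append({
                    "name": name,
                    "exact": sha1 == record["sha1"],
                    "matched_paragraphs": matched,
                    "total_paragraphs": len(record["paragraphs"]),
                })
        return results


# Constructed sample: a registered document with a title/copyright paragraph.
ORIGINAL = """Secure Widgets Handbook
Copyright (c) Example Corp. All rights reserved. Serial EXAMPLE-0001

Chapter 1. Widgets must be inspected before shipment.
Each inspector signs the batch record.

Chapter 2. Returned widgets are quarantined for seven days
and retested against the original batch record.

Chapter 3. Disposal of failed widgets requires two signatures."""

# Constructed sample: the notice is removed, one chapter rewritten, two kept.
SUSPECT = """Widget Quality Notes (no author given)

Chapter 1. Widgets must be inspected before shipment.
Each inspector signs the batch record.

Chapter 2. Returned widgets are quarantined for seven days
and retested against the original batch record.

Our own note: disposal rules are still being written."""


def _inventory() -> IPInventory:
    inv = IPInventory()
    inv.register("Secure Widgets Handbook", ORIGINAL)
    return inv


def identify_stripped_copy() -> dict:
    """Result for the copy with the copyright notice removed (no exact match)."""
    return _inventory().identify(SUSPECT)[0]


def identify_exact_copy() -> dict:
    """Result for a byte-identical copy."""
    return _inventory().identify(ORIGINAL)[0]


if __name__ == "__main__":
    print(identify_stripped_copy())
    print(identify_exact_copy())
```

Keep the inventory itself on a need-to-know basis, as Special Action 4 says: the paragraph fingerprints reveal nothing about the text, but the mapping from item names to serial numbers does.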
Special Action 5: Implement intellectual property misuse detection methodologies
Conduct regular electronic and paper searches to discover misuse of your IP. Determine whether you have the necessary internal expertise to conduct such searches or need external assistance. A variety of commercial organizations provide customized IP searching services.
Special Action 6: Make it easy to report intellectual property misuse
Establish an easy method such as a simple phone number, web form or email address for persons to report misuse of your organization's IP. Implement a formal, documented process for handling the reports, including thanking the person reporting the misuse. The person(s) who initially receives such reports should follow formal, documented procedures that define how the reports are to be managed. Organizations that receive many reports should establish a triage process that allows rapid identification of misuse of critical IP.
Special Action 7: Stay current with intellectual property laws
Carefully monitor and understand the IP laws in all the countries your organization does business in, not just your home country. An organization must have a clear and complete understanding of its rights in order to make effective decisions about how to protect its IP. Determine whether you have the necessary internal expertise to do this or need additional external help.
Special Action 8: Implement legal protections for your intellectual property
Whenever possible, obtain patents, trademarks, copyrights, etc. for your IP. Implement the legal rights that apply to specific IP. Establish a formal, documented process for initially identifying IP, applying for IP protection and monitoring IP protection application status. Additionally, be sure to monitor the time frames for specific legal protections and reapply when appropriate (e.g. renewing a trademark).
Special Action 9: Establish an intellectual property management process
Implement a formal, documented process for the entire lifecycle of IP in your organization — IP creation, modification, storage, and distribution. This process will provide an overall framework, including policies, procedures, and specific cost effective security controls, for how your organization interacts with IP. The process should include clearly defined audit controls that carefully track and log IP, particularly its distribution.
Special Action 10: Establish an intellectual property policy
Establish and enforce a formal, documented policy that stresses to all employees the importance of protecting the organization's IP and the consequences of misusing IP. The policy might include the following requirements— use of the need to know principle, proper handling of trash, fax and copier controls, cleaning whiteboards at close of business, visitor management, file and document controls, sensitivity marking of documents, air gapped or segmented computer servers for critical information, and content screening on inbound and outbound internet traffic.
It is difficult for an organization to take action against an employee who misuses IP unless there is a formal policy that states what employees can and cannot do. The policy will also set a "tone" for your organization and may discourage some employees from misusing IP.
Special Action 11: Establish specific incident-response procedures for intellectual property misuse
Responding to misuse of your organization's IP will likely require a significantly different response than responding to other security incidents (e.g. denial of service or a compromised server). Create and maintain formal, documented procedures that are specifically for IP misuse incidents. The procedures should recognize that response will vary depending on where the IP misuse has occurred. For example, handling an IP misuse incident in the United States can require different actions than handling one in Bulgaria.
Special Action 12: Develop working relationships with your legal and public affairs staff
Responding to IP misuse can require organizations to take a variety of legal actions. BEFORE an IP misuse incident occurs, make sure your legal staff knows their role and that you understand their perspective and abilities. Know what IP expertise your internal legal staff has and when you'll need external proficiency. When possible, establish agreements with external lawyers that establish how quickly they must respond during an IP misuse incident.
Special Action 13: Develop working relationships with law enforcement
IP misuse response may require organizations to work with a variety of law enforcement agencies. BEFORE an IP misuse incident occurs, understand what types of IP misuse cases law enforcement will be interested in and how they will handle such cases. In general, law enforcement will not provide assistance unless the incident has caused significant financial damage to an organization.
Offer to educate local law enforcement on why it's important to protect IP and the methods your organization uses to protect its IP. Make sure you understand what information law enforcement will need to assist you.
Special Action 14: Thoroughly document identification of intellectual property misuse
Documentation of how misuse of your organization's IP is detected is critical. Proper documentation can spell success or failure in the courtroom. It can also assist in the identification of additional IP misuse. Additionally, careful documentation provides a blue print for others such as lawyers or law enforcement in the event they need to repeat the IP misuse identification.
Documentation should contain only facts. If you feel it is important to state opinions or assumptions, then clearly mark them as such within your documentation. This is particularly important when you create reports for legal, law enforcement, government or corporate officials.
Special Action 15: Check entire violator location for intellectual property misuse
Whether IP was found in a desk, workstation, web site or other place, check the entire location for other IP misuse. Try to keep this phase of the investigation as discreet as possible. If you are searching a web site, checking should be done offline with the use of offline browsing tools or the "cached" feature found on many search engines. It is important to identify all IP misuse as this will add to the total damage amount and can help persuade lawyers and law enforcement to take action.
When appropriate, also collect information on any violations of other organizations' IP you find. Notify the other IP owners of your findings and encourage them to take appropriate action. We must work together to protect our IP.
References:
Computer Security Incident Handling: An Action Plan for Dealing with Intrusions, Cyber-Theft, and Other Security-Related Events, Version 2.3.1, Stephen Northcutt, SANS Institute, 2003
Responding to Various Types of Incidents- Section 3
IRCAR201108110
Date: 2011-08-15
In the “Computer Security Incident Handling in Six Phases” articles, we outlined actions that are applicable to a wide variety of computer security incidents. In these new articles, we define common types of incidents and suggest specific actions appropriate for dealing with each type. In these articles we will address Malicious Code Attacks, Probes and Network Mapping, Denial of Service, Inappropriate Usage, Espionage, Hoaxes, Unauthorized Access and Intellectual Property.
Malicious Code Attacks, Probes and Network Mapping, Denial of Service and Inappropriate Usage were studied in the previous sections. This section is assigned to Espionage, Hoaxes and Unauthorized access.
Type 5: Espionage
Espionage is stealing information to subvert the interests of an organization or government. Many cases of unauthorized access to corporate systems are for espionage purposes.
Special Action 5.1: Maintain a very small core team
Espionage and insider criminal cases do not benefit from many helpers. The risk of an information leak or evidence contamination rises as additional workers are added to the investigation. A senior member of management, such as the CIO or Chief Security Officer, must be advised, as must the incident handling team member on the legal staff. The technical lead should be one of the more seasoned members of the incident handling team, someone who has already proven capable in previous sensitive situations. One issue that often arises is whether to include the system administrator responsible for the system targeted in the attack. If you are reasonably sure the sysadmin is not involved in the espionage, the answer is probably yes.
Special Action 5.2: Maximize data collection
Ensure that access records of the affected facility are collected and protected. These may include records from badge access systems, phone records from your organization's PBX, log books, system logs, network logs and surveillance videos. Collect as much back data as possible.
Special Action 5.3: Consider misdirection
If an outsider is collecting the information, you may be able to provide erroneous information and actually benefit from the incident. If you suspect the information is being collected and distributed by an insider, this is less likely to work.
Special Action 5.4: Target analysis
Review the lead or leads that tipped off the organization that it might be dealing with espionage. Ask what the most probable targets of the activity are. For each probable target, ask: What is the information worth? Who (outside the organization) might benefit from having the information? What are all the possible ways to acquire these targets? What are the two or three most likely ways to acquire these targets? This process leads to a fairly simple but important question: are monitoring capabilities in place for the most likely ways to acquire the most probable targets? If the answer is yes, begin reviewing the monitoring data immediately. If the answer is no, determine what is required to monitor the most likely ways to acquire the probable targets. Make it so.
Special Action 5.5: (Advanced) Establish a war room
A war room is a secure room with copies of evidence in the case. The purpose of a war room is to facilitate displaying the data in a meaningful way to help solve high risk or difficult cases. The walls of the room can be decorated with evidence, lines of investigation, charts from the target analysis process, maps of the area and blue prints of the facility. A tape player and TV/VCR should be available; it is often a good idea to record and play back interviews, or access tapes.
Type 6: Hoaxes
Warning: If you receive a mail message entitled "Here it is doodz" don't open it! If you do it will delete all the files on your hard disk, stop your pacemaker, and cause your dog to mess on the floor.
Note: In early 1995, hundreds of thousands of users with Internet access distributed information about a virus called the Good Times Virus, even though the virus did not exist. Hoaxes are valid incidents (remember, our definition of an incident included the threat of an adverse event). They tie up incident response resources as system administrators and incident handlers try to sort things out. Hoaxes also serve to make users uncomfortable with computing resources by spreading fear, uncertainty, and doubt.
Special Action 6.1: Use hoax lists on the Internet
Type 7: Unauthorized Access
Unauthorized access ranges from improperly logging into a user's account (e.g., when a hacker logs in to a legitimate user's account), to unauthorized access to files and directories stored on a system or storage media by obtaining superuser privileges. Unauthorized access could also entail access to additional computer systems facilitated by gathering logon names and passwords through an unauthorized "sniffer" program or device to capture all packets traversing the network at a particular point. Another common method used to gain unauthorized access is to exploit a vulnerability in information systems, routers, or even firewalls. Exploit scripts for gaining unauthorized access are widely available on hacker web sites.
Special Action 7.1: Examine firewall or filtering router protections
The single most likely avenue of attack from an outsider is through an organization's network connections, especially the Internet connection. If possible, do not allow the "r-utilities", sunrpc, X Windows, or NetBIOS/IP. Telnet and FTP should be allowed only to systems that absolutely need to provide these services to the Internet. Web servers, DNS servers and mail relay systems are always popular targets with attackers; run as few services on these systems as possible and ensure they are well protected.
Special Action 7.2: Regularly examine access services
It is not absolutely necessary to access another user's account to perpetrate an attack on a system or network. An intruder can access information, plant Trojan horse programs and so forth by misusing available services. One example is outsiders using the Network File System (NFS) or the file access mechanisms in Windows NT to reach files and directories in another of your organization's domains.
References:
Computer Security Incident Handling: An Action Plan for Dealing with Intrusions, Cyber-Theft, and Other Security-Related Events, Version 2.3.1, Stephen Northcutt, SANS Institute, 2003
Responding to Various Types of Incidents- Section 2
IRCAR201107108
Date: 2011-07-12
In the “Computer Security Incident Handling in Six Phases” articles, we outlined actions that are applicable to a wide variety of computer security incidents. In these new articles, we define common types of incidents and suggest specific actions appropriate for dealing with each type. In these articles we will address Malicious Code Attacks, Probes and Network Mapping, Denial of Service, Inappropriate Usage, Espionage, Hoaxes, Unauthorized Access and Intellectual Property.
Malicious Code Attacks, Probes and Network Mapping and Denial of Service were studied in the previous section. This section is assigned to Inappropriate Usage.
Type 4: Inappropriate Usage
"Inappropriate usage" is the use of computer or network resources in a manner that violates an enterprise's policies or the law. Inappropriate usage ranges from theft of resources for personal gain or amusement to the use of resources to perpetrate crimes. By far the most common serious offense is accessing, storing, or transmitting pornographic materials. Often, inappropriate usage investigations arise from an accusation that must be either proved or disproved by examination and analysis of the subject's work environment.
Special Action 4.1: Make certain your policy is sufficient for your investigation
Does it adequately inform the subjects of the investigation that they do not enjoy any assumption of privacy or personal ownership? Do the systems carry the necessary warning banners?
Special Action 4.2: Know the law
Make certain you know the laws for all jurisdictions. Since the investigation may involve multiple jurisdictions, the laws surrounding the examination of email and live transmissions can be quite difficult to ascertain quickly. Ignorance of federal and state wiretap laws does not constitute a viable legal defense. As the investigator, you are expected to know the laws relative to your profession. When in doubt, stop and consult your counsel.
Special Action 4.3: Consult with counsel
If any part of a request for information has directly or indirectly come from law enforcement, consult with your counsel. You may become an agent of the law enforcement agency and subject to additional laws restricting your ability to examine your enterprise's resources at will.
Special Action 4.4: Advise management of contingencies
Advise management at the outset that they may lose control of an investigation if the investigation reveals certain criminal activity. For example, if child pornography is uncovered, it must be reported and turned over to authorities. Authorities may elect to assume control of the investigation at that point.
Special Action 4.5: Analyze the risk of an investigation
Investigations carry many risks (privacy infringement claims, misinterpretation of investigative laws, errors of omission, intervention by authorities, etc.). If the only goal is to change behavior, rather than to take an administrative action, there may be methods that are more efficient and present less risk than a resource-intensive investigation.
Special Action 4.6: Establish legal protection
Since you do not know what will be uncovered, have the initiator of an investigation contact your enterprise's counsel before taking any action. One form of protection for you and your enterprise is the "Attorney Work Product" privilege. To maintain an attorney work product privilege, you must work on behalf of the attorney. Have the requests for investigative support come from the attorney to you, and return all information to the attorney alone.
Special Action 4.7: Keep the investigative team small, and maintain strict confidentiality
Inappropriate usage investigations present a risk of legal action. You are often dealing with accusations the subject may find embarrassing. Even if an individual is proven innocent of the accusations, rumors of an investigation can damage the individual's reputation and ability to function within the organization, as well as his standing in the community.
Special Action 4.8: Coordinate with physical security department
Failing to coordinate with your enterprise's physical security department when performing a subject work area investigation may inadvertently set off alarms or raise suspicions. Physical security may respond to what appears to be an unauthorized intrusion, possibly compromising the confidentiality of the investigation.
Special Action 4.9: Know your investigative team members
Make team assignments carefully. Some people become very distressed by some inappropriate materials (child pornography, death, torture and mutilation depictions). In non-law enforcement settings, many IT security members are computer or network specialists and may not be emotionally prepared to deal with these materials. Brief your team members on what to expect, and be ready to make assignment changes when requested or when you believe they're needed.
Special Action 4.10: Create a standardized presentation format
Inappropriate materials often create different emotions in the viewers. No two people seem to agree on how to define "obscenity".
Instead of presenting the materials directly, create a matrix that profiles the subject's involvement using a rating system (PG, R, X, XXX) versus activity (downloaded, stored, sent …). This provides management and human resources with a tool for consistent administration of inappropriate usage cases without the need to show the actual materials.
Special Action 4.11: Create and use a retention policy for inappropriate usage investigative case material
Use mandatory controlled storage for inappropriate materials collected in the course of an investigation, and destroy all copies as specified in the retention policy. Special care should be taken with materials considered to be contraband, such as child pornography. With any suspected contraband, follow the directions of your enterprise's counsel on an individual case basis.
References:
Computer Security Incident Handling: An Action Plan for Dealing with Intrusions, Cyber-Theft, and Other Security-Related Events, Version 2.3.1, Stephen Northcutt, SANS Institute, 2003
18 Mordad 1393 Tags: Articles