Air Force Association (AFA) - va


Air Force Association (AFA)
AGENDA
1. Disaster Recovery Plan
2. Plan to Recover
3. Legal Regulations
4. Cyberlaws
5. Computer Crime
6. Attacks on Networks
7. Intellectual Property & Privacy Laws
8. Laws to Protect against Cyber Crime
9. Lab
Disaster Recovery
How do you protect data from this?
• Minimize the effects
• Handle the disaster right after it hits
Protected data will:
1. Be Available
2. Have Integrity
3. Be Confidential
Disaster Recovery Plan
Identify Critical Functions
What functions are essential to keep the business going?
What resources do those functions require?
How long can the business survive without operating?
How much can you afford to spend for protection?
EXAMPLE:
In a hospital, where electronic records can save lives, the data is critical and success depends on access to the data.
The resources required are servers, computers, networks and backup systems. People are also critical to operate the systems.
Plan to Recover
Backup Data
Backup Servers (could use Cloud Servers)
Backup Facilities (could be pre-fab or shared)
Plan for Outsourcing Services and Staff
Agreements with other businesses for short-term use of facilities and infrastructure
Backup Power systems
Backup Heating and Air Conditioning systems
Extra supplies (paper, forms, cables)
Documentation
Legal Regulations
Unique types of crimes developed along with the increased use of technology, exploiting these new tools.
Stalkers abuse social web sites and chat rooms anonymously. Fraud, theft and embezzlement appeared on the internet in the form of phishing attacks, scams and fraudulent financial dealings. Criminals discovered vulnerabilities in complex systems, blackmailing network operators and intercepting bank transfers.
Businesses, banks, hospitals, schools and government facilities were suddenly at risk.
New efforts were launched to develop effective laws, policies and law enforcement procedures to catch the criminals and bring them to justice.
Technology is evolving at an exponential rate and the legal system is struggling to keep up.
Companies conduct business across the US and internationally, expanding the challenge to develop effective laws, policies and methods of enforcement.
“Cyberlaws” Computer Crime Laws
International and National Cyberlaws deal with unauthorized changes to personal information, destruction or disclosure of information, unauthorized access, and inserting malicious code into systems to disrupt or disable them.
EXAMPLES OF CYBER CRIMES: (CISSP, Shon Harris)
• Attacks on Financial systems to steal money or info
• Attacks on military installations for info or materials
• Spying on industries to obtain confidential data
• Information Warfare attacks on national infrastructure
• “Hacktivism” – attacking websites and defacing them as a protest against the government or companies
• Distributed Denial of Service Attacks
• Capture passwords or other sensitive data, install malware, rootkits and sniffers
• Carry out a buffer overflow to take control of a system
• Cyber porn and stalking (especially of children)
Computer Crime
Most criminals are never caught because they destroy the logs that track their movements and use innocent people’s systems to conduct attacks. They find vulnerabilities and insert malicious code like Trojan Horses and Zombies (which conduct the attack for the criminals). Law enforcement at local police stations, the FBI, the Secret Service and government security had to learn new ways to protect the chain of custody and new forensic methods.
RESPONSES by VICTIM COMPANIES:
• Patched software, hardware or infrastructure
• Installed additional security software
• Conducted a forensic investigation
• Changed security policies
• Changed or replaced systems or software
• Reported intrusions to law enforcement
• Attempted to identify the criminal
• Notified victims of the attack
• Provided new security services
• Used third-party investigators
• Reported crimes to the public media
Attacks on Networks
According to a 2010 article by Lance Whitney, spam shot up to 200 billion messages each day in 2009. 80 to 90% of all emails sent to organizations were spam, and spam carrying malware surged during the second half of 2009 from 600 million to 3 billion a day. Attackers used social networks like Facebook and Twitter to deliver malware. Twitter’s shortened URLs were exploited to misdirect users to fake sites. Attackers used compromised business accounts to spread malware to thousands of users at a time, causing damage across networks.
International companies and federations are increasing efforts to notify each other of criminal activities and to resolve jurisdiction issues across countries with varied legal systems; some legal systems use religious law to govern. Interpol (the International Police) cooperates with national agencies to share information and resolve crimes. Sometimes governments are themselves involved in the attacks, complicating the issues.
Another very dangerous threat is the insider within an organization, where the attacker already has access to all the sensitive data and can hide from detection.
Intellectual Property and Privacy Laws
These laws protect music, software or data owned by an individual or company from unauthorized duplication or use.
INTELLECTUAL PROPERTY:
• Trade Secrets
• Copyrights
• Trademarks
• Patents
PERSONALLY IDENTIFIABLE INFO:
Name
Social Security or National ID Number
IP Address
Vehicle Registration
Drivers License Number
Face, Fingerprints or Handwriting
Credit Card Numbers
Digital ID
Birthday or Age and/or Birthplace
Genetic Info or Gender
Name of School and Grades
Criminal Record
Laws to Protect against Cyber Crime
Some Examples Below
Sarbanes-Oxley Act (SOX): Public Company Accounting Reform and Investor Protection Act of 2002: Enforces standards for safe transfer and protection of data and funds
USA Patriot Act of 2001: Allows Federal agencies to access more data and information to protect Americans against terrorism
Health Insurance Portability and Accountability Act: National standards and procedures for the storage, use and transmission of personal medical information and healthcare data
Gramm-Leach-Bliley Act of 1999: Financial Privacy Rule, Safeguards Rule and Pretexting Protection (social engineering)
Computer Fraud and Abuse Act: Lists illegal acts using computers in unauthorized ways to obtain data or information
Policy Lab
Learn to:
Enable Editing
Force a minimal password length
Force password change every 30 days
Force password history
Set an account lockout threshold
Protect your credit cards
Use security for your personal information
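The four password-policy steps of this lab, applied and verified from the command line as an added example that is not part of the AFA slides. It assumes the lab machine is Windows, the session is an elevated (Administrator) PowerShell, the system language is English (the verification matches the English labels printed by `net accounts`), and the specific values (12 characters, 24 remembered passwords, 5 failed logons) are choices made here, since the slides only name the controls.

```powershell
# Added example, not from the AFA slides: apply the lab's password policy
# settings to the local machine with the built-in `net accounts` command,
# then read the policy back so each change can be checked.
# Assumes Windows, an elevated PowerShell session, and English `net` output.

# Example values (assumptions); the lab names the controls, not the numbers.
$MinLength        = 12   # minimal password length
$MaxAgeDays       = 30   # force a password change every 30 days
$HistoryCount     = 24   # force password history: old passwords that cannot be reused
$LockoutThreshold = 5    # account lockout threshold: failed logons before lockout

# Apply the settings.
net accounts /minpwlen:$MinLength /maxpwage:$MaxAgeDays /uniquepw:$HistoryCount
net accounts /lockoutthreshold:$LockoutThreshold /lockoutduration:30 /lockoutwindow:30

# Read the effective policy back and warn if any setting did not take effect.
$policy = net accounts
$policy   # show the full policy to the student

$expected = @{
    'Minimum password length'               = $MinLength
    'Maximum password age (days)'           = $MaxAgeDays
    'Length of password history maintained' = $HistoryCount
    'Lockout threshold'                     = $LockoutThreshold
}
foreach ($label in $expected.Keys) {
    $line = $policy | Where-Object { $_ -like "$label*" }
    if (-not $line -or $line -notmatch ("\b{0}\b" -f $expected[$label])) {
        Write-Warning "Setting '$label' was not applied as expected: $line"
    } else {
        Write-Host "OK: $line"
    }
}
```

Run the script again after a reboot to confirm the policy persisted, and compare its output with the Local Security Policy console (secpol.msc) to see the same values in the GUI.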