ch10.pdf

Academic year: 2020

(1)

Data Security and Privacy (Datasäkerhet och integritet)

Development of eServices (Utveckling av eTjänster)

Chapter 10

Incident and Disaster Response

– Introduction

(2)

Incident and Disaster Response Orientation

Earlier we looked at threats, planning, and protections

Now we complete the discussion of the

plan-protect-respond cycle

Response planning is necessary because defenses can

never stop all attacks. Companies must respond

appropriately when attacks happen or natural

disasters occur

Example - Walmart and Hurricane Katrina

(3)

Walmart and Hurricane Katrina 1

Walmart Is the Largest Retailer in the U.S.

– Supplied $20 million in cash

– Supplied 100,000 free meals

– 1,900 truckloads full of diapers, toothbrushes, and other emergency supplies

45 trucks were rolling before the hurricane hit land

– Provided police and relief workers with flashlights, batteries,

ammunition, protective gear, and meals

(4)

Walmart and Hurricane Katrina 2

Walmart Business Continuity Center

– A permanent department with a small core staff

– Activated two days before Katrina hit

– Soon, 50 managers and specialists were at work in the

center

– Before computer network went down, sent detailed orders

to its distribution center in Mississippi

– Recovery merchandise for stores: bleach, mops, etc.

(5)

Walmart and Hurricane Katrina 3

• Communication

– Network communication failed

– Relied on telephone to contact its stores and other key

constituencies

• Response

– Stores came back to business within days

– Engaged local law enforcement to preserve order in lines to get

into stores

• Preparation

– Full-time director of business continuity

– Detailed business continuity plans

– Clear lines of responsibility

• Multitasking

(6)

Incident Response & Incident Severity

Incidents Happen

Protections inevitably break down, occasionally

Successful attacks are called security incidents, breaches, or compromises

Incident Severity

False alarms

• Apparent compromises are not real compromises

• Also called false positives

• Handled by the on-duty staff

(7)

Incident Severity cont.

Major incidents

– Beyond the capabilities of the on-duty staff

– Must convene a Computer Security Incident Response Team

(CSIRT)

– CSIRT needs participation beyond IT security

Disasters

Fires, floods, hurricanes, major terrorist attacks

– Must assure business continuity

Maintaining the day-to-day operations of the firm

• Requires a business continuity group headed by a senior manager

• Core permanent staff will facilitate activities

IT disaster response is restoring IT services

(8)

Rehearsals for Speed and Accuracy 1

Speed and Accuracy Are Essential

Speed of response can reduce damage

• Attacker will have less time to do damage

The attacker cannot burrow as deeply into the system and

become very difficult to detect

• Speed is also necessary in recovery

Accuracy is equally important

• Common mistake is to act on incorrect assumptions

• If problem is misdiagnosed or the wrong approach is taken, can

make things much worse

(9)

Rehearsals for Speed and Accuracy 2

• Planning Before an Incident or Disaster

Decide what to do ahead of time

– Time to consider matters thoroughly and without the time pressure of a

crisis

During an attack, human decision-making skills degrade

Incident response is reacting to incidents according to plan

Must have flexibility within the plan to adapt

Best to adapt within a plan than to improvise completely

• Team Members Must Rehearse the Plan

Rehearsals find mistakes in the plan

Practice builds speed

• Types of Rehearsals

Walkthroughs (table-top exercises)

– Live tests (actually doing planned actions) can find subtle problems, but are

(10)

The Incident Response Process: Part I

Process for Major Incidents

Detection, Analysis, and Escalation

Must detect through technology or people

Need good intrusion detection technology

• All employees must know how to report incidents

Must analyze the incident enough to guide

subsequent actions

Confirm that the incident is real

• Determine its scope: Who is attacking; what are they doing;

(11)

The Incident Response Process: Part I

Detection, Analysis, and Escalation

– If deemed severe enough, escalate to a major incident

Pass to the CSIRT, the disaster response team, or the business

continuity team

Containment

– Disconnection of the system from the site network or the

site network from the Internet (damaging)

Harmful, so must be done only with proper authorization

This is a business decision, not a technical decision

– Black holing the attacker (only works for a short time)

– Continue to collect data to understand the situation (allows

harm to continue)

(12)

The Incident Response Process: Part I

Recovery

Repair during continuing server operation

– Avoids lack of availability

– No loss of data

– Possibility of a rootkit not

having been removed, etc.

Data

– Restoration from backup tapes

– Loses data since last trusted

(13)

The Incident Response Process: Part I

Recovery and Apology

Software

– Total software reinstallation of operating system and applications

may be necessary for the system to be trusted

Manual reinstallation of software

Need installation media and product activation keys

• Must have good configuration documentation before the incident

Reinstallation from a disk image

Can greatly reduce time and effort

• Requires a recent disk image

Apology

Acknowledge responsibility and harm without evasion or weasel

words

– Explain potential inconvenience and harm in detail

(14)

The Incident Response Process: Part II

Punishment 1

Punishing employees is usually fairly easy

– Most employees are at-will employees

– Companies usually have wide discretion in firing at-will

employees

– This varies internationally

– Union agreements may limit sanctions or at least require

more detailed processes

The decision to pursue criminal prosecution

– Must consider cost and effort

– Must consider probable success if pursued (attackers are

(15)

The Incident Response Process: Part II

Punishment 2

Collecting and managing evidence

– Forensics: Courts have strict rules for admitting evidence in

court

– Call the authorities and a forensics expert for help

– Protecting evidence

Pull the plug on a server if possible (this preserves the disk state, but loses volatile evidence such as memory contents and live network connections; if the plan calls for capturing those, do so first)

• This is a business decision, not an IT decision

– Document the chain of custody

Who held the evidence at all times

What they did to protect it

Post-mortem Evaluation

(16)

The Incident Response Process: Part II

Organization of the CSIRT

– Should be led by a senior manager

– Should have members from affected line operations

– IT security staff may manage the CSIRT’s operations on a

day-to-day basis

– Might need to communicate with the media; only do so via

public relations

– Corporate legal counsel must be involved to address legal

issues

– Human resources is necessary, especially if there will be

(17)

Criminal Law vs. Civil Law

Dimension | Criminal Law | Civil Law

Deals with | Violations of criminal statutes | Interpretations of rights and duties that companies or individuals have relative to each other

Penalties | Jail time and fines | Monetary penalties and orders to parties to take or not take certain actions

Cases brought by | Prosecutors | Plaintiff is one of the two parties

Criterion for verdict | Beyond a reasonable doubt | Preponderance of the evidence (usually)

Requires mens rea (guilty mind) | Usually | Rarely, although it may affect the imposed penalty

Applicable to IT security | Yes, to prosecute attackers and avoid breaking the law |

(18)

Jurisdictions

• Cyberlaw

– Cyberlaw is any law dealing with information technology

• Jurisdictions

– Areas of responsibility within which government bodies can make

and enforce law, but beyond which they cannot

• International Law

– Differences are wide and rapidly changing (generally improving)

– Important to multinational firms

– Also important to purely domestic firms

Suppliers and buyers may be in other countries

Attackers may be in other countries

(20)

Evidence and Computer Forensics

• Admissibility of Evidence

– Unreliable evidence may be kept from juries

– Belief that juries cannot evaluate unreliable evidence properly

– Example: Hearsay evidence

• Federal Rules of Civil Procedure

Guide U.S. courts

– Now have strong rules for evaluating the admissibility of electronic

evidence

• Computer Forensics Experts

Professionals trained to collect and evaluate computer evidence in

ways that are likely to be admissible in court

(22)

Evidence, Computer Forensics and Law

Expert Witnesses

– Normally, witnesses can only testify regarding facts, not

interpretations

Expert witnesses may interpret facts to make them comprehensible

to the jury in situations where juries are likely to have a difficult time evaluating the evidence themselves

Swedish Laws - Fundamental Laws (Grundlagar)

– Tryckfrihetsförordningen (1949:105)

TF is one of Sweden's four fundamental laws and includes, among other things, the rules on public access to official documents (allmänna handlingar)

– Regeringsformen (1974:152)

(23)

Swedish Laws – Acts (Lagar) 1

• Arkivlag (1990:782)

ArkivL regulates a public authority's duty to safeguard the common cultural heritage by preserving its official documents

• Bokföringslag (1976:125)

– BL specifies which entities are obliged to keep accounts, how the accounts must be kept, and what counts as an accounting event

• Brottsbalk (1962:700)

BrB specifies what is to be regarded as a crime and the punishment that can follow from criminal conduct

• Lag om elektronisk kommunikation (2003:389)

– The act provides a new and consolidated regulation of electronic

(24)

Swedish Laws – Acts (Lagar) 2

• Förvaltningslag (1986:223)

FvL regulates, among other things, a public authority's obligations toward the public

• Högskolelag (1992:1434)

– HL regulates the organisation and powers of universities and university colleges

• Lag om kvalificerade elektroniska signaturer (2000:832)

– The act specifies the rules that apply to certificate issuers when issuing qualified certificates.

• Lag (2001:99) om den officiella statistiken

– The act covers the official statistics, which shall be

(25)

Swedish Laws – Acts (Lagar) 3

• Personuppgiftslag (1998:204)

– PuL aims to protect personal privacy and contains rules on the processing of personal data (repealed in 2018, when the EU General Data Protection Regulation and the Swedish Data Protection Act (2018:218) replaced it)

• Offentlighets- och sekretesslag (2009:400), abbreviated OSL

– It is now OSL chapter 18, section 8 that can give secrecy protection. The act contains rules on when and in what way certain information may not be disclosed

• Säkerhetsskyddslag (1996:627)

– The Security Protection Act contains rules on public authorities' security work, including security vetting (säkerhetsprövning) and register checks (registerkontroll). Superseded in 2019 by Säkerhetsskyddslag (2018:585)

• Lag om upphovsrätt till litterära och konstnärliga verk (1960:729)

URL regulates the author's rights to their work and the limitations on

(26)

Swedish Laws – Acts (Lagar) 4

A number of ordinances (förordningar) exist, e.g.

– Arkivförordning, Förordning om kvalificerade elektroniska signaturer (2000:833), Personuppgiftsförordning (1998:1191), etc.

A number of regulatory codes (föreskrifter) exist, e.g.

– Regulations on government agencies' information security, MSBFS 2009:10; the Swedish Data Protection Authority's regulations (DIFS), etc.

Personuppgiftslagen (1998:204) described in detail, with recommendations for the processing of personal data

– https://itsakhandbok.irt.kth.se/ > 4 Lagar

(27)

Swedish – Computer Crime (Databrott) 1

Net crime, computer crime, IT crime or cybercrime is breaking the law by means of the internet

– Today practically all kinds of crime are IT-related

Swedish legislation defines two IT crimes

– Dataintrång (unlawful access to a computer system): Brottsbalken chapter 4, section 9 c

– Datorbedrägeri (computer fraud): Brottsbalken chapter 9, section 1, second paragraph

Grooming (gromning)

– Contacting a child for sexual purposes is illegal and can lead to imprisonment for up to one year

(28)

Swedish – Computer Crime (Databrott) 2

Most common crimes

– Fraud and trade in illegal services such as procuring (koppleri) and drugs

– Child pornography offences and online hate (various kinds of messages)

– Violent crime where the perpetrator uses the internet to plan the crime

– Grooming, phishing (stealing personal data) and skimming (stealing payment card data)

The Police (Polisen)

– https://polisen.se/Om-polisen/Olika-typer-av-brott/IT-brott/

(29)

Intrusion Detection Systems (IDSs)

• Event logging for suspicious events

• Sometimes send alarms

(31)

Network IDSs (NIDSs)

Stand-alone device or built into a switch or router

Can see all packets passing through them; only when deployed inline (as an intrusion prevention system) can they also filter them

Switch or router NIDSs can collect data on all ports

Collects data for only its portion of the network

– Blind spots in network where no NIDS data is collected

(32)

Host IDSs (HIDSs) 1

Attractions

– Provide highly detailed information for the specific host

Weaknesses

– Limited viewpoint; only one host

– Can be attacked and disabled

Operating System Monitors

– Collect data on operating system events

– Multiple failed logins

– Creating new accounts

– Adding new executables (programs - may be attack

(33)

Host IDSs (HIDSs) 2

Operating System Monitors cont.

– Modifying executables (installing Trojan horses does this)

– Adding registry keys (changes how the system works)

– Changing or deleting system logs and audit files

– Changing system audit policies

– User accessing critical system files

– User accessing unusual files
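The operating system monitor events above (adding or modifying executables, deleting audit tools) are what a file-integrity check detects. The following is an added example, not code from the slides or any product: it hashes every file under a directory, stores the baseline, rescans, and classifies the differences. The directory, the three fake "binaries" and the attacker's changes are all constructed inside the demo.

```python
"""Added example (not from the slides): a minimal host-based integrity check
that finds added, modified and deleted files by comparing SHA-256 hashes
against a baseline. All paths and file contents are constructed here."""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root (as a relative path) to its hash."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[str(p.relative_to(root))] = hash_file(p)
    return baseline


def compare(baseline, current):
    """Classify the differences between two snapshots as added / modified / deleted."""
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "modified": modified, "deleted": deleted}


def demo():
    """Constructed scenario: baseline a fake bin directory, then simulate an
    intruder trojaning sshd, dropping a tool, and removing the 'last' audit tool."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ls").write_bytes(b"\x7fELF original ls")
        (root / "sshd").write_bytes(b"\x7fELF original sshd")
        (root / "last").write_bytes(b"\x7fELF original last")
        baseline = build_baseline(root)

        (root / "sshd").write_bytes(b"\x7fELF trojaned sshd")  # modified executable
        (root / "nc").write_bytes(b"\x7fELF dropped tool")     # new executable
        (root / "last").unlink()                               # deleted audit tool
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())  # {'added': ['nc'], 'modified': ['sshd'], 'deleted': ['last']}
```

Because a HIDS can itself be attacked and disabled (previous slide), the baseline and the checker must not live only on the monitored host: store the baseline off-host or sign it, and run the comparison from a system the intruder does not control, otherwise a rootkit can simply rewrite the baseline to match its changes.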

(34)

Analyzing Log Files

Event Correlation

– Suspicious patterns in a series of events across multiple devices

– Difficult because the relevant events exist in much larger event streams that are logged

– Usually requires many analyses of
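To show what cross-device correlation looks like in practice, here is an added example (not code from the slides): it merges key=value log lines from several hosts and flags a source that fails logins on many hosts within a short window, escalating the severity if a successful login from the same source follows and then a privileged change (new account, modified executable, changed audit policy) happens on the host that was entered. The log format, every log line, and the thresholds are constructed assumptions; a single-host view would not see the first pattern, because the failures are spread over three hosts.

```python
"""Added example (not from the slides): correlating events from several hosts
into one incident. The log format, every log line and all thresholds are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed host logs, already merged and in a syslog-like key=value form
SAMPLE_LOG = """\
2020-03-01T10:00:01 host=web1 src=203.0.113.5 event=login_failed user=admin
2020-03-01T10:00:04 host=web2 src=203.0.113.5 event=login_failed user=admin
2020-03-01T10:00:09 host=web1 src=203.0.113.5 event=login_failed user=root
2020-03-01T10:00:15 host=db1 src=203.0.113.5 event=login_failed user=admin
2020-03-01T10:00:31 host=db1 src=203.0.113.5 event=login_ok user=admin
2020-03-01T10:03:12 host=db1 src=203.0.113.5 event=account_created user=svc_backup
2020-03-01T10:05:00 host=web1 src=198.51.100.7 event=login_failed user=alice
2020-03-01T10:05:20 host=web1 src=198.51.100.7 event=login_ok user=alice
2020-03-01T10:07:00 host=web2 src=192.0.2.9 event=login_failed user=bob
2020-03-01T10:07:05 host=web2 src=192.0.2.9 event=login_failed user=bob
2020-03-01T10:07:11 host=web2 src=192.0.2.9 event=login_failed user=bob
"""

FAIL_THRESHOLD = 3                      # this many failures from one source ...
FAIL_WINDOW = timedelta(seconds=60)     # ... within this window, on any host
SUCCESS_WINDOW = timedelta(minutes=10)  # a login_ok this soon afterwards is suspicious
FOLLOWUP_WINDOW = timedelta(minutes=15) # a privileged change this soon after entry
FOLLOWUP_EVENTS = {"account_created", "executable_modified", "audit_policy_changed"}


def parse(log_text):
    """Turn 'timestamp key=value ...' lines into dicts, sorted by time."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = {k: v for k, v in (f.split("=", 1) for f in fields)}
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def correlate(events):
    """Return one incident per source that brute-forced across the fleet,
    with severity raised by what that source did next."""
    incidents = []
    by_src = defaultdict(list)
    for e in events:
        if e["event"] == "login_failed":
            by_src[e["src"]].append(e)
    for src, fails in by_src.items():
        for i in range(len(fails)):
            # sliding window over this source's failures, regardless of host
            window = [f for f in fails[i:] if f["ts"] - fails[i]["ts"] <= FAIL_WINDOW]
            if len(window) < FAIL_THRESHOLD:
                continue
            last_fail = window[-1]["ts"]
            success = next((e for e in events if e["event"] == "login_ok"
                            and e["src"] == src
                            and last_fail < e["ts"] <= last_fail + SUCCESS_WINDOW), None)
            incident = {"src": src, "hosts": sorted({f["host"] for f in window}),
                        "failures": len(window), "severity": "low", "followup": None}
            if success:
                incident["severity"] = "medium"
                followup = next((e for e in events if e["event"] in FOLLOWUP_EVENTS
                                 and e["host"] == success["host"]
                                 and success["ts"] < e["ts"] <= success["ts"] + FOLLOWUP_WINDOW),
                                None)
                if followup:
                    incident["severity"] = "major"   # hand to the CSIRT
                    incident["followup"] = f'{followup["event"]} on {followup["host"]}'
            incidents.append(incident)
            break  # one incident per source; later windows are the same campaign
    return incidents


def run_demo():
    return correlate(parse(SAMPLE_LOG))


if __name__ == "__main__":
    for inc in run_demo():
        print(inc)
```

On the constructed input the source 203.0.113.5 becomes a "major" incident (four failures across web1, web2 and db1, a login on db1, then a new account on db1), 192.0.2.9 a "low" one (three failures, no success), and alice's single typo produces nothing. The thresholds are the tuning knobs discussed on the next slide.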

(35)

Managing IDSs 1

Tuning for Precision

– Too many false positives

False alarms

• Can overwhelm administrators, dull vigilance

– False negatives allow attacks to proceed unseen

– Tuning for false positives turns off unnecessary rules,

reduces alarm levels of unlikely rules

For instance, alarms for attacks against Solaris operating systems can

be deleted if a firm has no Sun Microsystems servers

• Tuning requires a great deal of expensive labor

• Even after tuning, most alerts will be false positives
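Tuning decisions become cheaper when they are driven by data rather than by rule-by-rule judgement. The following added example (not from the slides or any IDS product) applies the two rules of thumb above: disable signatures for platforms that are absent from the asset inventory (the Solaris case), and stop paging on rules whose measured precision, from analysts' verdicts on past alerts, is below a threshold. The rule set, the inventory, the verdict history and the thresholds are all constructed.

```python
"""Added example (not from the slides): data-driven tuning of IDS rules.
Rule set, asset inventory, analyst verdicts and thresholds are all constructed."""
from collections import Counter

# Constructed rule set: rule id -> platform the signature targets (None = generic)
RULES = {
    "SOLARIS-RPC-OVERFLOW": "solaris",
    "WINDOWS-SMB-ANON": "windows",
    "LINUX-SSH-BRUTE": "linux",
    "GENERIC-PORT-SCAN": None,
}

# Constructed asset inventory: platforms actually present on the network
INVENTORY = {"linux", "windows"}

# Constructed analyst verdicts on past alerts: (rule id, True if a real incident)
ALERT_HISTORY = [
    ("WINDOWS-SMB-ANON", False), ("WINDOWS-SMB-ANON", False), ("WINDOWS-SMB-ANON", False),
    ("WINDOWS-SMB-ANON", False), ("WINDOWS-SMB-ANON", False),
    ("LINUX-SSH-BRUTE", True), ("LINUX-SSH-BRUTE", False), ("LINUX-SSH-BRUTE", True),
    ("GENERIC-PORT-SCAN", False), ("GENERIC-PORT-SCAN", False), ("GENERIC-PORT-SCAN", True),
    ("SOLARIS-RPC-OVERFLOW", False),
]


def rule_precision(history):
    """Per rule: (fraction of alerts analysts confirmed, number of alerts seen)."""
    tp, total = Counter(), Counter()
    for rule, confirmed in history:
        total[rule] += 1
        tp[rule] += int(confirmed)
    return {r: (tp[r] / total[r], total[r]) for r in total}


def tune(rules, inventory, history, min_precision=0.2, min_samples=5):
    """Decide per rule: 'disable' (no matching assets), 'downgrade' (low
    measured precision after enough samples), or 'keep'."""
    prec = rule_precision(history)
    decisions = {}
    for rule, platform in rules.items():
        if platform is not None and platform not in inventory:
            decisions[rule] = "disable"      # nothing to protect, pure noise
            continue
        p, n = prec.get(rule, (None, 0))
        if n >= min_samples and p < min_precision:
            decisions[rule] = "downgrade"    # keep logging, stop raising alarms
        else:
            decisions[rule] = "keep"         # includes rules with too little data yet
    return decisions


if __name__ == "__main__":
    for rule, decision in tune(RULES, INVENTORY, ALERT_HISTORY).items():
        print(f"{rule:24} {decision}")
```

The minimum sample count matters: a rule that has fired once and was a false positive has not earned a downgrade, and silencing a rule on too little evidence is exactly the false-negative risk the slide warns about. Downgraded rules should still be logged, so that the correlation on the previous slide can use them as supporting evidence.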

Updates

(36)

Managing IDSs 2

• Processing Performance

If processing speed cannot keep up with network traffic, some packets will

not be examined

This can make some IDSs useless during attacks that increase the traffic

load

• Storage

– Limited disk storage for log files

When log files reach storage limits, they must be archived

– Event correlation is difficult across multiple backup tapes

Adding more disk capacity reduces the problem but never eliminates it

• Honeypot

(38)

Business Continuity Planning

A business continuity plan specifies how a company

plans to restore or maintain core business operations

when disasters occur

(39)

Business Continuity Planning

Principles of Business Continuity Management

• Protect people first

Evacuation plans and drills

– Never allow staff members back into unsafe environments

Must have a systematic way to account for all employees and notify loved ones

– Counseling afterwards

• People have reduced capacity in decision making during a crisis

Planning and rehearsal are critical

• Avoid rigidity

– Unexpected situations will arise

Communication will break down and information will be unreliable

– Decision makers must have the flexibility to act

• Communication

Try to compensate for inevitable breakdowns

Have a backup communication system

(40)

Business Continuity Planning

• Business Process Analysis

– Identification of business processes and their interrelationships

– Prioritization of business processes

Downtime tolerance (in the extreme, mean time to belly-up)

• Importance to the firm

• Required by higher-importance processes

– Resource needs (must be shifted during crises)

Cannot restore all business processes immediately
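The three criteria above interact: a low-value support process that a critical process requires must come back before the critical one can. The following added example (not from the slides) turns a constructed process inventory, each with its downtime tolerance and dependencies, into a restoration order. It first propagates the tightest deadline down to every dependency, then orders the processes with a topological sort that always picks the ready process with the tightest effective deadline, and refuses a cyclic dependency graph rather than silently dropping processes. The process names, tolerances and dependencies are constructed.

```python
"""Added example (not from the slides): deriving a restoration order for business
processes from downtime tolerance and dependencies. All data is constructed."""
from collections import defaultdict
import heapq

# Constructed inventory: name -> (downtime tolerance in hours, processes it depends on)
PROCESSES = {
    "online_orders":  (4,   ["payment", "inventory_db"]),
    "payment":        (8,   ["auth"]),
    "inventory_db":   (24,  []),
    "auth":           (48,  []),
    "payroll":        (72,  ["auth"]),
    "marketing_site": (168, []),
}


def effective_tolerance(procs):
    """A dependency inherits the tightest deadline of anything that requires it
    ('required by higher-importance processes'). Iterates to a fixed point so
    that chains of dependencies are handled."""
    tol = {name: t for name, (t, _) in procs.items()}
    changed = True
    while changed:
        changed = False
        for name, (_, deps) in procs.items():
            for d in deps:
                if tol[name] < tol[d]:
                    tol[d] = tol[name]
                    changed = True
    return tol


def restoration_order(procs):
    """Kahn's algorithm with a heap keyed on effective tolerance: the tightest
    deadline is restored first, but never before the processes it depends on."""
    tol = effective_tolerance(procs)
    indeg = {name: len(deps) for name, (_, deps) in procs.items()}
    dependents = defaultdict(list)
    for name, (_, deps) in procs.items():
        for d in deps:
            dependents[d].append(name)
    ready = [(tol[n], n) for n, k in indeg.items() if k == 0]
    heapq.heapify(ready)
    order = []
    while ready:
        _, n = heapq.heappop(ready)
        order.append(n)
        for m in dependents[n]:
            indeg[m] -= 1
            if indeg[m] == 0:
                heapq.heappush(ready, (tol[m], m))
    if len(order) != len(procs):
        raise ValueError("circular dependency between business processes")
    return order


if __name__ == "__main__":
    tol = effective_tolerance(PROCESSES)
    for n in restoration_order(PROCESSES):
        print(f"{n:15} own tolerance {PROCESSES[n][0]:4}h  effective {tol[n]:4}h")
```

On the constructed data, auth (nominally tolerating 48 hours of downtime) comes first, because online_orders needs payment, payment needs auth, and online_orders can only be down for four hours. That is the kind of hidden dependency a business process analysis is meant to surface before the disaster, not during it.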

Testing the Plan

– Difficult because of the scope of disasters

Difficult because of the number of people involved

• Updating the Plan

– Must be updated frequently

– Business conditions change and businesses reorganize constantly

(41)

IT Disaster Recovery 1

• IT Disaster Recovery

– Looks specifically at the technical aspects of how a company can get its IT back into operation using backup facilities

– A subset of business continuity or for disasters that only affect IT

– All decisions are business decisions and should not be made by IT or IT security staff

• Types of Backup Facilities

– Hot sites

• Ready to run (e.g., power, HVAC, computers) - just add data

Considerations: Rapid readiness at high cost

Must be careful to have the software at the hot site up-to-date in terms of configuration

Cold sites

• Building facilities, power, HVAC, communication to outside world only

• No computer equipment

Less expensive but usually take too long to get operating

– Site sharing

• Site sharing among a firm’s sites (problem of equipment compatibility and data synchronization)

(42)

IT Disaster Recovery 2

Office Computers

– Hold much of a corporation's data and analysis capability

– Will need new computers if old computers are destroyed or unavailable

• Will need new software

Well-synchronized data backup is critical

– People will need a place to work

Restoration of Data and Programs

– Restoration from backup tapes; need backup tapes at the remote

recovery site

– May be impossible during a disaster
