4.6 - Privacy, Licensing, and Policies

Question 1

Incident response: Chain of custody

Answer 1

• Control evidence - Maintain integrity
• Everyone who contacts the evidence
  – Avoid tampering, use hashes
• Label and catalog everything
  – Seal, store, and protect - Use digital signatures

Question 2

Incident response: First response

Answer 2

• Identify the issue - Logs, in person, monitoring data
• Report to proper channels
  – Don’t delay
  – May include internal management and law enforcement
• Collect and protect information relating to an event
  – Many different data sources and protection mechanisms

Question 3

Incident response: Copy of drive

Answer 3

• Copy the contents of a disk
  – Bit-for-bit, byte-for-byte
• Remove the physical drive
  – Use a hardware write-blocker
  – Preserve the data
• Software imaging tools
  – Use a bootable device
• Use hashes for data integrity
  – Drive image is hashed to ensure
  that data has not been modified

Question 4

Incident response: Documentation

Answer 4

• Document the findings
  – For Internal use, legal proceedings, etc.
• Summary information
  – Overview of the security event
• Detailed explanation of data acquisition
  – Step-by-step method of the process
• The findings - An analysis of the data
• Conclusion - Professional results, given the analysis

Question 5

Software licenses

Answer 5

• Most software includes a license
  – Terms and conditions
  – Overall use, number of copies, and backup options
• Valid licenses
  – Per-seat or concurrent
• Non-expired licenses
  – Ongoing Subscriptions
  – Annual, three-year, etc.
  – Use the software until the expiration date

Question 6

Licenses

Answer 6

• Personal license
  – Designed for the home user
  – Usually associated with a single device
  – Or small group of devices owned
  by the same person
  – Perpetual (one time) purchase
• Corporate use license
  – Per-seat purchase / Site license
  – The software may be installed everywhere
  – Annual renewals

Question 7

Open source license

Answer 7

• Free and Open Source (FOSS)
  – Source code is freely available
  – End user can compile their own executable
• Closed source / Commercial
  – Source code is private
  – End user gets compiled executable
• End User Licensing Agreement (EULA)
  – Determines how the software can be used

Question 8

Regulating credit card data

Answer 8

• Payment Card Industry
  – Data Security Standard (PCI DSS)
  – A standard for protecting credit cards
• Six control objectives
  – Build and Maintain a Secure Network and Systems
  – Protect Cardholder Data
  – Maintain a Vulnerability Management Program
  – Implement Strong Access Control Measures
  – Regularly Monitor and Test Networks
  – Maintain an Information Security Policy

Question 9

Personal government-issued information

Answer 9

• Used for government services and documentation
  – Social security number, driver license
• There may be restrictions on collecting or storing
  government information - Check your local regulations
• U.S. Office of Personnel Management (OPM)
  – Compromised personal identifiable information
  – Personnel file information; name, SSN, date of birth,
  job assignments, etc.
  – July 2015 - Affected ~21.5 million people

Question 10

PII - Personally identifiable information

Answer 10

• Any data that can identify an individual
  – Part of your privacy policy - How will you handle PII?
• Not everyone realizes the importance of this data
  – It becomes a “normal” part of the day
  – It can be easy to forget its importance
• Attackers use PII to gain access or impersonate
  – Bank account information
  – Answer badly-written password-reset questions

Question 11

GDPR - General Data Protection Regulation

Answer 11

• European Union regulation
  – Data protection and privacy for individuals in the EU
  – Name, address, photo, email address, bank details,
  posts on social networking websites, medical information,
  a computer’s IP address, etc.
• Controls export of personal data
  – Users can decide where their data goes
• Gives individuals control of their personal data
  – A right to be forgotten, right of erasure
• Site privacy policy
  – Details all of the privacy rights for a user

Question 12

PHI - Protected Health Information

Answer 12

• Health information associated with an individual
  – Health status, health care records, payments for
  health care, and much more
• Data between providers
  – Must maintain similar security requirements
• HIPAA regulations
  – Health Insurance Portability and Accountability Act of 1996

Question 13

Data retention requirements

Answer 13

• Keep files that change frequently for version control
  – Files change often - Keep at least a week, perhaps more
• Recover from virus infection
  – Infection may not be identified immediately
  – May need to retain 30 days of backups
• Often legal requirements for data retention
  – Email storage may be required over years
  – Some industries must legally store certain data types
  – Different data types have different storage requirements
  – Corporate tax information, customer PII, tape backups, etc.