Air Force Association (AFA)

AGENDA

1. Disaster Recovery Plan
2. Plan to Recover
3. Legal Regulations
4. Cyberlaws
5. Computer Crime
6. Attacks on Networks
7. Intellectual Property & Privacy Laws
8. Laws to Protect against Cyber Crime
9. Lab

Disaster Recovery

How do you protect data from this?
- Minimize the effects
- Handle the disaster right after it hits

Protected data will:
1. Be Available
2. Have Integrity
3. Be Confidential

Disaster Recovery Plan

Identify Critical Functions
- What functions are essential to keep the business going?
- What resources do those functions require?
- How long can the business survive without operating?
- How much can you afford to spend for protection?

EXAMPLE: In a hospital where electronic records can save lives, the data is critical and success depends on access to the data. The resources required are servers, computers, networks and backup systems. People are also critical to operate the systems.

Plan to Recover

- Backup Data
- Backup Servers (could use Cloud Servers)
- Backup Facilities (could be pre-fab or shared)
- Plan for Outsourcing Services and Staffs
- Agreements with other businesses for short-term use of facilities and infrastructure
- Backup Power systems
- Backup Heating and Air Conditioning systems
- Extra supplies (paper, forms, cables)
- Documentation

Legal Regulations

Unique types of crimes developed along with the increased use of technology, exploiting these new tools. Stalkers abuse social web sites and chat rooms in anonymity. Fraud, theft and embezzlement lurked on the internet in the form of phishing attacks and scams and financial dealings. Criminals discovered vulnerabilities in the complex systems, blackmailing networks and intercepting bank transfers. Businesses, Banks, Hospitals, Schools and Government facilities were suddenly at risk.

New efforts launched to develop effective laws, policies and law enforcement procedures to catch the criminals and bring them to justice. Technology is evolving at an exponential rate and the legal system is struggling to keep up. Companies conduct business across the US and internationally, expanding the challenge to develop effective laws, policies and methods of enforcement.

“Cyberlaws” Computer Crime Laws

International and National Cyberlaws deal with unauthorized changes to personal information, destruction or disclosure of information, unauthorized access and inserting malicious code into systems to disrupt or disable them.

EXAMPLES OF CYBER CRIMES: (CISSP, Shon Harris)
- Attacks on Financial systems to steal money or info
- Attacks on military installations for info or materials
- Spying on industries to obtain confidential data
- Information Warfare attacks on national infrastructure
- “Hacktivism” – attacking websites and defacing them as a protest against the government or companies
- Distributed Denial of Service Attacks
- Capture passwords or other sensitive data, install malware, rootkits and sniffers
- Carry out a buffer overflow to take control of a system
- Cyber porn and stalking (especially of children)

Computer Crime

Most criminals are never caught because they destroy the logs that track their movements and use innocent people’s systems to conduct attacks. They find vulnerabilities and insert malicious code like Trojan Horses and Zombies (which conduct the attack for the criminals). Law Enforcement at local police stations, FBI, Secret Service and government security had to learn new ways to protect the chain of custody and new forensic methods.

RESPONSES by VICTIM COMPANIES:
- Patch software
- Patched hardware or infrastructure
- Install additional security software
- Conduct forensic investigation
- Change security policies
- Change or replace systems or software
- Report intrusions to law enforcement
- Attempted to identify the criminal
- Notified victims of attack
- Provided new security services
- Used third-party investigators
- Reported crimes to public media

Attacks on Networks

According to a 2010 article by Lance Whitney, spam shot up to 200 billion messages each day in to 90% of all emails sent to organizations were spam, and spam carrying malware surged during the second half of 2009 from 600 million to 3 billion a day. Attackers used social networks like Facebook and Twitter to inject malware. Twitter’s shortened URLs were exploited to misdirect users to fake sites. Attackers used business accounts to spread malware to thousands at a time, injecting malware, causing damage across networks.

International companies and federations are increasing efforts to notify each other of criminal activities and resolve jurisdiction issues across the countries with varied legal systems. Some legal systems use religious laws to govern. Interpol or the International Police cooperate to share information and resolve crimes. Sometimes governments are involved in the attacks, complicating the issues.

Another very dangerous threat is one that is within an organization, where the attacker has access to all the sensitive data and can hide from detection.

Intellectual Property and Privacy Laws

These laws deal with protection for music, software or data that are owned by an individual or company from unauthorized duplication or use.

INTELLECTUAL PROPERTY:
- Trade Secrets
- Copyrights
- Trademarks
- Patents

PERSONALLY IDENTIFIABLE INFO:
- Name
- Social Security or National ID Number
- IP Address
- Vehicle Registration
- Drivers License Number
- Face, Fingerprints or Handwriting
- Credit Card Numbers
- Digital ID
- Birthday or Age and/or Birthplace
- Genetic Info or Gender
- Name of School and Grades
- Criminal Record

Laws to Protect against Cyber Crime

Some Examples Below
- Sarbanes-Oxley Act (SOX): Public Company Accounting Reform and Investor Protection Act of 2002: Enforces standards for safe transfer and protection of data and funds
- USA Patriot Act of 2001: Allows Federal agencies to access more data and information to protect Americans against terrorism
- Health Insurance Portability and Accountability Act: National Standards and procedures for the storage, use and transmission of personal medical information and healthcare data
- Gramm-Leach-Bliley Act of 1999: Financial Privacy Rules, Safeguards Rule and Pretexting Protection (social engineering)
- Computer Fraud and Abuse Act: Lists illegal acts using computers in unauthorized ways to obtain data or information

Policy Lab

Learn to:
- Enable Editing
- Force a minimal password length
- Force password change every 30 days
- Force password history
- Set an account lockout threshold
- Protect your credit cards
- Use security for your personal information