Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact firstname.lastname@example.org.
In recent days, “Cloud Computing” has become a great topic of debate in the IT field. Clouds, like solar panels, appear intriguingly simple at first but the details turn out to be more complex than simple pictures and schematics suggest.
The mission of cyber deterrence is to prevent an enemy from conducting future attacks by changing their minds, by attacking their technology, or by more palpable means. This definition is derived from influential policy papers including Libicki (2009), Beidleman (2009), Alexander (2007), and Kugler (2009). The goal of cyber deterrence is to deny enemies “freedom of action in cyberspace” (Alexander, 2007). In response to a cyber attack, retaliation is possible, but is not limited to the cyber domain. For example, in the late 90’s the Russian government declared that it could respond to a cyber attack with any of its strategic weapons, including nuclear (Libicki, 2009). McAfee estimates that about 120 countries are using the Internet for state-sponsored information operations, primarily espionage (McAfee, 2009).
Technology can be a great tool to simplify a process or increase the output of existing processes. Despite this, Information Technology (IT) teams must be cautious when implementing new technology into their environment because this can also increase their liability of information retrieval if a lawsuit is filed against them. Rarely if ever is an enterprise application, such as e-discovery software, ready to go out of the box. Most enterprise applications of scale require months of planning, negotiations, architecture discussions, engineering consultation, cross-divisional resource allocation, and process redesign to accommodate the software. Information security and IT teams, knowledgeable of this fact should interface with their legal teams prior to ideation of implementing an enterprise e-discovery tool. Just having a tool and not a defined process to effectively manage, correlate, extract, and secure subpoenaed data can leave a company exposed to multiple financial and legal repercussions. An example of this was seen with the case of Morgan Stanley vs. Ronald Perelman where “Morgan Stanley was hit with a $1.75 billion jury verdict, which hinged primarily on the company’s lax e-discovery procedures.” (Cummings, 2007)
The Computer Emergency Response Team (CERT) is responsible for computer related information incident handling within a specific government Agency. Part of that mission is the inherent issue to provide support to law enforcement officials. CERT must provide evidence to those that are going to complete the law enforcement effort of an incident.
By: Anthony Bundschuh (posted on January 22, 2005)
This paper is an overview of the current state of ethics in the IT community. It describes the current state of ethics in IT, identifies the major areas of concern for the IT community, and discusses the relationships an IT professional will face, and the conflicts that may jeopardize those relationships.
With the increased use of electronic records in the Biotechnology Industry, there became a need for requirements to address data security, data integrity and traceability of this data. In response to this need, the Food and Drug Administration (FDA) published a regulation called 21 CFR Part 11, in August of 1997.
The Internet has been a boon to business, science, education and just about any field you can think of, including crime. Just like every human invention, Internet has two sides to it, on the one hand it allows businesses to be more productive and scientists to share research data almost instantaneously, on the other hand it grants criminals an additional tool to commit crimes and get away with it.
While recent news headlines of the past few months have focused on the controversial topic of offshore outsourcing of jobs from the United States to countries such as India, China, and Mexico, other headlines, relating to some of the effects of this phenomenon, have exposed problematic consequences and outcomes.
The Sarbanes-Oxley Act of 2002 has dramatically affected overall awareness and management of internal controls in public corporations. Responsibility for accurate financial reporting has landed squarely on the shoulders of senior management, including the potential for personal criminal liability for CEOs and CFOs.
Technology has continued to astound the world's electronic culture by reacting with the use of mechanisms to defend and protect against the unknown. Cyber insurance has been one of those phenomenons that has experienced many challenges and at the same time mutated into a more complex tool to protect companies.
This document will summarize the requirements of Sarbanes-Oxley as they apply to IT and define the controls IT must be concerned with in the certification process. This document pertains only to the role of IT and IT security in Sarbanes-Oxley controls compliance; other company departments - accounting, finance, human resources, etc., may be subject to controls not covered herein.
This document will serve as a guide to those new to federal IT law and address the above four issues, outline the guidelines and steps to ensure successful C&A as designed by NIST, and subsequently address lessons learned from trying to comply with FISMA.
By: Clint M Satterwhite (posted on October 31, 2003)
This paper outlines most of the issues regarding monitoring of employee workplace computer use and attempts to present an objective presentation of the information from both the employee and employer's perspectives.
The careful planning, integration, training, and support of a multi-disciplined group of Incident Responders will continue to be, for most corporations, the last line of defense against computer crimes; and, the better their relationship with the Local, State, and Federal Agencies they work with, the better the success of both their proactive and reactive activities.
The purpose of this paper is to inform management and upper level administration of the legal liabilities and loss of productivity due to the inappropriate use of the Internet, email, interconnected computer systems and pirated software.
A discussion of the issues faced by the legal system in keeping up with the fast paced development of technology and the ways in which the current laws can help, as well as the role that ethics have to play in the world of computer security.
This paper offers some observations of the disparities between the criminals manipulating digital data and law enforcement chasing after them; and tenders some suggestions in an effort to even the playing field.
This paper will briefly explain how the U.S. Patriot Act legislation came into existence, but its main focus will be to outline the requirements of the recently proposed Section 326 "Customer Identification Program.
The Internet has brought many important changes to the way we do business, both in the public and private sectors. We can use it to instantly communicate with others across the country, conduct business meetings, or control equipment in remote locations.
This paper will define and outline the process of port scanning, discuss ethical and legal issues surrounding port scanning, and assert the importance of strictly defining scanning in an organization's policy.
As a SysAdmin, I found this course invaluable. It not only gave me the skills I need to audit my own systems, but also gave me some insight on how to better work with external auditors. -Christoper O'Keefe, CPC