[Title slide: triangle with apexes Cybercrime, Cybersecurity and Security Policy]

The Triangle Effect

Jaishri Mehta
Mt. San Antonio College
The Triangle Effect
                      Policy – Dictionary definition

  • Wisdom in management of affairs – Cybercrime
      – Who is in charge?
      – Who to report to?
      – Is it safe without being liable to yourself?
  • Procedure based on material interest – Cybersecurity
      – Your computer has been breached?
      – What steps to take
      – What not to do?
  • Course to guide and determine present and future decisions – Cybersecurity
      – Security remains as the present standing of the company
      – Security remains the future as the company
  • High-level overall plan – General requirements
      – Outlines the general policy of the company
  • Contract of insurance – Employee contract
      – How the company wants to insure itself from the employee?
The Triangle Effect
  • Do cybercrimes drive security policy, or does cybersecurity drive security policy?
  • Unfortunately, cybercrime does
  • Reasons – Bork Case
  • Policy can be broken into two categories:
      – System vulnerability – Cybersecurity
      – Human intervention (ethics) – Cybercrime
The Triangle Effect
  • Cannot stop cybercrime
  • Helps deter cybercrime
  • Helps in prosecuting offenders
  • Cybersecurity vulnerabilities help to find where crime can be committed
  • Also helps hackers to find vulnerabilities
  • Cybercrime, Cybersecurity and Security Policy cannot function without each other
The Triangle Effect
                      Definition
  • Security of the data
  • Application of the data
  • Processes of the data and user intervention of the data
  • Security of the actual software
  • Security against the ability to upload software or input malicious data that interferes with the existing data
The Triangle Effect
                      How do these vulnerabilities
  • Inherent?
  • Not careful planning?
  • Human factor?
  • Not tested properly?
The Triangle Effect
                      Behavior of Software

  [Figure: overlapping regions labelled “Intended functionality” and “… or unknown functionality”]

  Source: How to Break Software Security by James A. Whittaker and Herbert H. Thompson
The Triangle Effect
                      Security Fault Model

  • The software function does not work according to specification – traditional bugs – the purple part
  • The overlap is where the software works according to specification
  • The gray part is where the software does more than it is intended to do
The Triangle Effect
  • Traditional bugs are tested for and the product is created (sold)
  • The security bugs are not tested for and therefore pose a security threat to the user of the software
  • Example: a media player plays audio and video but writes to unencrypted temporary storage, which software pirates are ready to exploit
  • Finding security bugs shows a direct correlation to cybercrime and the need for policy
The Triangle Effect
                      Breakdown of the fault model

  • Security and the User Interface
  • Security and the File System User
  • Security and the Operating System
  • Security and the Software User
  • Security inside the software
The Triangle Effect
                      Security and User Interface

  • Access to software is through the user interface (input data)
  • The input data can also be a form of another
  • Threats:
      – Access control
      – Malicious input
      – Unauthorized access or sabotage
The Triangle Effect
  • Access controls:
      – The user is authorized to enter, but how much?
      – He may read files, but does that stop him from copy/paste, print screen, etc.?
  • Malicious input:
      – A buffer overflow occurs when the software fails to properly constrain input length
      – Input that is interpreted as code
      – SQL injection
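As an added illustration of the malicious-input threats just listed (this is example code written for these notes, not code from the presentation or from Whittaker and Thompson's book), the Python below builds a constructed in-memory user table and runs the same lookup two ways: one that pastes the user's text into the SQL statement, so the input is interpreted as code, and one that first constrains the input length and then binds the value so it can only be data. The table contents, the names and the length limit are assumptions made for the example.

```python
import sqlite3

# Constructed sample table for the example; not data from the presentation.
SAMPLE_USERS = [("alice", "read"), ("bob", "read"), ("carol", "admin")]

# Assumed upper bound on a username: the length constraint is the first
# check the slide asks for, before any input is interpreted at all.
MAX_USERNAME_LEN = 32


def make_db():
    """Create an in-memory SQLite database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, name):
    """Pastes user text into the statement: the input becomes part of the code."""
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_hardened(conn, name):
    """Constrain the input first, then bind it so it can only ever be data."""
    if not isinstance(name, str) or len(name) > MAX_USERNAME_LEN:
        raise ValueError("username rejected: wrong type or too long")
    query = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,))]


def demo():
    """Run both lookups on a constructed input that reads as SQL code."""
    conn = make_db()
    crafted = "x' OR '1'='1"
    return {
        "vulnerable": lookup_vulnerable(conn, crafted),  # every row comes back
        "hardened": lookup_hardened(conn, crafted),      # no user has that name
        "normal": lookup_hardened(conn, "bob"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:>10}: {rows}")
```

The hardened version does two separate things, and both matter: the length check bounds the input before it is looked at (the same discipline that prevents the buffer overflow the slide mentions), and the bound parameter keeps the database engine from ever parsing the user's text as part of the statement.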
The Triangle Effect
  • Infamous Code Red II
      – Example of buffer overflow in sendmail
  • What did it do?
      – Exploited the buffer overflow vulnerability in Microsoft’s Internet Information Server and infected the computers
  • Policies: they also help the malicious user
The Triangle Effect
                      Security and File System
  • Files store sensitive data such as passwords, licenses, etc.
  • The file must be tested for how it is retrieved, stored or encrypted, and managed
  • Threats:
      – Access to passwords
      – Sensitive data
      – Piracy
The Triangle Effect

  • Access to sensitive data
      – Basically handing over the keys to the safe
  • Location of the file and how it is retrieved
  • Examples:
      – Passwords stolen
      – Denial of service
      – Pirated licenses
  • Policy for your users who have knowledge
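The slides ask that a file holding passwords be tested for how it is stored, retrieved and protected. The Python below is an added example written for these notes, not material from the presentation: it writes a constructed credential file with owner-only permissions and stores salted PBKDF2 verifiers instead of the passwords themselves, then audits a file for the two storage failures named here (the file is readable by others; a secret is kept in the clear). The PBKDF2 parameters, the record format and the sample users are assumptions.

```python
import hashlib
import hmac
import os
import stat
import tempfile

# Assumed parameters for this example (not from the presentation).
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def make_record(password: str) -> str:
    """Return a salted PBKDF2 verifier; the password itself is never stored."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_record(record: str, password: str) -> bool:
    """Recompute the verifier from the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def write_credential_file(path: str, users: dict) -> None:
    """Create the file owner-read/write only (0600) before any data lands in it."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        for name, password in users.items():
            fh.write(f"{name}:{make_record(password)}\n")


def audit_credential_file(path: str) -> list:
    """Check the two storage points the slide names: who can read the file,
    and whether any line holds something other than a hashed verifier."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"file accessible to group/others (mode {oct(mode)})")
    with open(path) as fh:
        for line in fh:
            name, _, value = line.rstrip("\n").partition(":")
            if not value.startswith("pbkdf2_sha256$"):
                findings.append(f"{name}: secret stored without hashing")
    return findings


def demo() -> dict:
    """Write a constructed credential file, then audit a good and a bad one."""
    users = {"alice": "correct horse", "bob": "battery staple"}  # constructed
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "creds")
        write_credential_file(good, users)
        with open(good) as fh:
            alice_record = fh.readline().split(":", 1)[1].strip()
        bad = os.path.join(tmp, "creds_plain")
        with open(bad, "w") as fh:
            fh.write("alice:correct horse\n")   # plaintext: the wrong way
        os.chmod(bad, 0o644)                     # and readable by everyone
        return {
            "good_findings": audit_credential_file(good),
            "bad_findings": audit_credential_file(bad),
            "alice_ok": verify_record(alice_record, "correct horse"),
            "alice_wrong": verify_record(alice_record, "wrong"),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The audit is the testable part the slide asks for: it can be run against a real credential store to answer "where is the file, who can retrieve it, and is what it holds a secret or only a verifier of one" without ever needing the passwords.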
The Triangle Effect
                      Security and the Operating-System User
  • Any interaction with an application must pass through memory at some time
  • Information that passes through memory encrypted is fine, but it has to be unencrypted at some point
  • Where it is unencrypted and how the process takes place is important
  • The where and the how have to be protected
The Triangle Effect

  • Denial of Service (DoS)
  • The application may crash and the information (data) is left in an inconsistent state
  • Buffer attacks
  • Source routing attack
  • Spoofing
The Triangle Effect

  • The fifteen-year-old Canadian boy whose alias was “Mafia Boy” issued a series of DoS attacks on e-commerce sites such as eBay and CNN
  • Some of the sites were not functional for up to 24 hours, resulting in loss of millions of
The Triangle Effect
                      Security and the Software
  • Every software component depends on another software component
  • This brings on another set of vulnerabilities
  • Look at the dependencies that naturally exist between the two software components
  • Components that depend on other software can fail, crash, or be compromised, which can affect your own security
The Triangle Effect

  • Ill-formed packets
  • Block access to libraries
  • Manipulate the application’s registry values
  • Replace the files that it creates, reads, writes or executes
  • Force the application to work in low memory or disk space
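Two of the dependency threats listed above, a replaced file and a write that fails under low disk space, and the earlier point that a crash can leave data in an inconsistent state, can all be met at the application's file boundary. The Python below is an added example written for these notes, not code from the presentation: it writes files atomically through a temporary file and a rename, reports a clean failure on OSError instead of leaving a half-written file behind, and refuses to load a dependency file whose SHA-256 digest differs from the one recorded when it was installed. The file names, contents and the digest-at-install idea are assumptions for the example.

```python
import hashlib
import os
import tempfile
from typing import Optional


def sha256_of_file(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def atomic_write(path: str, data: bytes) -> bool:
    """Write to a temp file in the target directory, fsync it, then rename it
    over the destination. A crash or a full disk leaves either the old file
    or the complete new one, never a half-written mixture.
    Returns False (and leaves no temp file behind) if any step fails."""
    directory = os.path.dirname(path) or "."
    tmp = None
    try:
        fd, tmp = tempfile.mkstemp(dir=directory, prefix=".tmp-")
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, path)            # atomic rename on POSIX and Windows
        return True
    except OSError:                      # e.g. ENOSPC when the disk is full
        if tmp is not None:
            try:
                os.unlink(tmp)
            except OSError:
                pass
        return False


def load_verified(path: str, expected_sha256: str) -> Optional[bytes]:
    """Refuse a dependency file whose digest no longer matches the value
    recorded when it was installed (the replaced-file threat)."""
    if sha256_of_file(path) != expected_sha256:
        return None
    with open(path, "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Exercise the three cases on constructed files in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = os.path.join(tmp, "plugin.cfg")
        original = b"plugin=media-codec\nlevel=2\n"     # constructed content
        written = atomic_write(cfg, original)
        known_good = sha256_of_file(cfg)                 # recorded at install
        intact = load_verified(cfg, known_good)
        # Replaced-file threat: the file the application reads is swapped out.
        with open(cfg, "wb") as fh:
            fh.write(b"plugin=other\n")
        tampered = load_verified(cfg, known_good)
        # Write failure: the target directory does not exist, so the write
        # fails cleanly instead of leaving partial data on disk.
        failed = atomic_write(os.path.join(tmp, "missing", "x.cfg"), b"data")
        return {
            "written": written,
            "intact": intact == original,
            "tampered_rejected": tampered is None,
            "failure_reported": failed is False,
        }


if __name__ == "__main__":
    print(demo())
```

The digest check only helps if the recorded value itself is kept somewhere the attacker who can replace the dependency cannot also rewrite; in practice that means a signed manifest or a store with different permissions, which is the same file-system question the previous slides raise.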
The Triangle Effect
                      Security Inside the Software

  • It is the software itself that has to be protected, as it is that particular technology that gives them the advantage over other
  • Such as algorithms or optimizations
  • Where this software is compiled and who can access that is of concern
The Triangle Effect

  • Access to the proprietary software and its inner workings
  • Using tools to reverse the compiled code
The Triangle Effect
                      Security Policies
  • We looked at system vulnerabilities that can be caused by software or users
  • Can all of the bugs be found and fixed?
  • So policies are written to cover the company
  • Looking at the fault model – five categories
  • Ask whether the different kinds of testing have been done
  • Cybercrime – Cybersecurity – Security Policy
The Triangle Effect
                      Security Policies cont.

  • Write policies to cover the different areas that are not tested or unknown
  • The language should be generic so as not to give out information about vulnerabilities
  • Do not post your system security policies on the web for everyone to look at
      – That is handing over the research to conduct an attack
The Triangle Effect
                      Security Policies cont.

  • Ensure that the language is consistent with legal language
  • Make sure that the language is also consistent with the law for your state
The Triangle Effect
                      Ethics (Human Intervention)

  • Weakest link in the “cyber world” is the
  • Why look at ethics?
  • What is ethical to one may not be ethical to the other in the “cyber world”
  • Ethics are important so everyone understands what is considered right or
The Triangle Effect
                      Existence of Codes of Ethics

  • ACM (Association for Computing Machinery) and IEEE-CS (Institute of Electrical and Electronics Engineers Computer Society) established a joint code of ethics for software engineers
  • It consists of eight core principles
  • One of them deals with the integrity of your
The Triangle Effect
                      Whistle-Blowing
  • Norman Bowie defines it as “the act of an employee informing the public on the immoral behavior of an employee or supervisor”
  • According to Sissela Bok, it “makes revelations meant to call attention to negligence, abuses, or dangers that threaten the public interest”
  • Both instances talk about wrongdoing by a company and protecting the public
  • Security for the public, not the company
The Triangle Effect
                      Whistle-Blowing cont.
  Case illustration:
  • In the early ’70s BART (Bay Area Rapid Transit) was developing a new, computerized mass transit system.
  • It was over budget, behind schedule, and considered unsafe.
  • Three engineers went to the supervisors with their concern.
  • They received no satisfaction, so they went to the board and received no support.
  • Frustrated, they went to the press with their concerns.
  • They were fired.
  • This prompted the federal Whistleblower Protection Act of 1989 (many states have their own laws as well).
  • It is still considered very risky to “whistle blow” publicly.
The Triangle Effect

  • This time the “cyber crime” is committed by the company, and the individual(s) are trying to bring awareness
  • Is there a policy in place to protect them?
  • Cybercrime, Cybersecurity and Policy – The Triangle Effect
The Triangle Effect
                      Privacy affects the Triangle Effect
  • Let us take examples:
  • Michael Scanlan describes how an independent computer consultant purchased data from Oregon’s Department of Motor Vehicles for a fee
  • He then took the data and put it on the web in electronic form
  • For a fee anyone could enter a license plate and find the name and address of the owner registered to the vehicle
The Triangle Effect
                      Privacy affects the Triangle Effect cont.
  • You can see the security of the individuals was in jeopardy
  • As a result of this information, crime could be committed (cyber-related crime)
  • There was no policy in effect to protect these individuals
The Triangle Effect

  • Cybercrime is not defined concretely
  • The definition of cybercrime by Forester and Morrison suggests “a criminal act in which a computer is used as a principal
  • Tavani divides cybercrime into three
The Triangle Effect
                      Tavani’s definition

  Cybercrimes
    Cyberspecific: Cyberpiracy, Cybertrespass, Cybervandalism
  Cyberrelated crimes
    Cyberexacerbated: Cyberstalking, Internet pedophilia, Internet pornography
    Cyberassisted: Income tax, Physical assault, Property damage
The Triangle Effect
                      Cybercrimes cont.
  • Cyberrelated crimes do not affect the other two apexes of the triangle effect; they affect one of the apexes
  • Cybercrime supports the triangle effect
  • Examples:
      – Leon steals a computer – cyberrelated
      – Leon files a fraudulent tax return electronically
      – Curador and identity theft – cybercrime
      – Dmitry and Microsoft Corporation – cybercrime
The Triangle Effect
                      Intellectual Property rights
  Case illustration:
  • Dmitry Sklyarov’s decryption program
  • The program could decrypt the code for e-reading developed by Adobe
  • He was handcuffed on arriving in the US for a conference, for what he had in his briefcase
  • Sparked the “Free Sklyarov” movement on the principle of “fair use”
  • Adobe dropped the charges
  • The principles involved in this case will be challenged again
The Triangle Effect
                      Intellectual Property

  • In the case of Sklyarov:
  • His program can be used to commit cybercrime
  • His program demonstrates vulnerability in the
  • Is there any policy in effect? No
  • Did Sklyarov commit the crime?
The Triangle Effect
                      Intellectual property and domain
  • If a “hacker” enters a system and discovers vulnerabilities in the system
  • Tells the company they have vulnerabilities
  • He will show the vulnerabilities for a fee
  • Has a cybercrime been committed?
  • Cybersecurity violated?
  • Is there anything to protect the company?
The Triangle Effect
                      Intellectual property and domain cont.
  • He has certainly trespassed but not stolen
  • Asking for a fee for his findings: is it bribery or a service?
  • The kinks still have not been worked out
  • Companies do pay some of these people
The Triangle Effect
                      Risk Analysis

  • Cybersecurity is an ongoing process or
  • This process is the basis of risk analysis and risk management
  • Five categories: assets, threats, vulnerabilities, impact, and safeguards
  • The Triangle Effect
The Triangle Effect
                      Risk Analysis cont.

  • In order for us to sell cybersecurity, we need to consider risk analysis
  • If we can show or determine cybersecurity in terms of dollars and cents, we can convince them to fund it
  • Just as insurance companies determine insurance through risk analysis, we should do the same
  • The Triangle Effect is one road-map
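To put the dollars-and-cents argument of this slide into a form a budget holder can check, here is an added worked example written for these notes, not material from the presentation. It uses the standard quantitative risk-analysis formulas, which the slides do not name: single loss expectancy SLE = asset value × exposure factor (the impact category), annualized loss expectancy ALE = SLE × annual rate of occurrence (the threat category priced the way an insurer would), and a safeguard's net benefit = ALE avoided − annual cost of the safeguard. The assets, threats, dollar values, rates and safeguards are all constructed assumptions.

```python
# Constructed register of assets and threats. Every figure here is an
# illustrative assumption, not a number from the presentation.
# (asset, threat, asset value $, exposure factor, annual rate of occurrence)
THREATS = [
    ("customer database", "SQL injection",      500_000, 0.40, 0.50),
    ("web storefront",    "denial of service",  120_000, 0.25, 2.00),
    ("licence server",    "pirated licences",    80_000, 0.10, 4.00),
]

# (safeguard, annual cost $, threat addressed, fraction of occurrences it prevents)
SAFEGUARDS = [
    ("input validation + parameterised queries", 15_000, "SQL injection",     0.90),
    ("DDoS scrubbing service",                   60_000, "denial of service", 0.80),
    ("licence activation checks",                 5_000, "pirated licences",  0.50),
]


def single_loss_expectancy(asset_value, exposure_factor):
    """SLE: the share of the asset's value one incident destroys (the impact)."""
    return asset_value * exposure_factor


def annual_loss_expectancy(asset_value, exposure_factor, aro):
    """ALE = SLE x ARO: expected loss per year, the figure an insurer prices."""
    return single_loss_expectancy(asset_value, exposure_factor) * aro


def evaluate_safeguards(threats=THREATS, safeguards=SAFEGUARDS):
    """Net annual benefit of each safeguard: the ALE it avoids minus its cost."""
    ale_by_threat = {threat: annual_loss_expectancy(value, ef, aro)
                     for _asset, threat, value, ef, aro in threats}
    results = []
    for name, cost, threat, reduction in safeguards:
        before = ale_by_threat[threat]
        after = before * (1.0 - reduction)
        results.append({
            "safeguard": name,
            "threat": threat,
            "ale_before": before,
            "ale_after": after,
            "net_benefit": (before - after) - cost,
        })
    return results


def recommend(results):
    """Fund a safeguard only when it avoids more loss than it costs."""
    return [r["safeguard"] for r in results if r["net_benefit"] > 0]


if __name__ == "__main__":
    results = evaluate_safeguards()
    for r in results:
        print(f"{r['safeguard']:<42} ALE {r['ale_before']:>10,.0f} -> "
              f"{r['ale_after']:>9,.0f}  net {r['net_benefit']:>+10,.0f}")
    print("recommended:", recommend(results))
```

With these assumed figures the scrubbing service avoids a real loss but costs more per year than it saves, so the model declines it; that is exactly the conversation the slide wants to have with whoever holds the budget, and the same table can be re-run as the rates or asset values change.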
The Triangle Effect
                      Conclusion

  The Triangle Effect demonstrates that each component is not independent when looking at a community in general.
  When Cybercrime, Cybersecurity and Policies are looked at together, we can forge policies that will not only help corporate companies but individuals and the community as a whole.
The Triangle Effect
                      Conclusion cont.

  • When cybersecurity and cybercrimes are understood along with ethics, this will pave the way to an understanding of what is right and wrong in “cyberspace”
  • Policies can be forged as guidelines
  • Hence The Triangle Effect
The Triangle Effect
                      Important facts
  • Books referenced
      – How To Break Software Security – James A. Whittaker and Herbert H. Thompson
      – Ethics and Technology – Tavani
  • Contact
      Jaishri Mehta
      Mount San Antonio College