4.6 Explain the importance of prohibited content/activity, and privacy, licensing, and policy concepts.

  • Incident Response
    • First Response
      • Chain of Custody
      • Inform Management / Law Enforcement as Necessary
      • Copy of Drive (Data Integrity and Preservation)
      • Documentation of Incident
  • Licensing/Digital Rights Management (DRM)/End User License Agreement (EULA)
    • Valid Licenses
    • Non-Expired Licenses
    • Personal Use License vs Corporate Use License
    • Open-Source License
  • Regulated Data
    • Credit Card Transactions
    • Personal Government-Issued Information
    • PII
    • Healthcare Data
    • Data Retention Requirements

Incident Response

An organization should develop a detailed set of procedures for responding to each incident.  An incident could be a security breach, a theft, data loss, or some other situation that requires a response and an investigation.  A general procedure is:

  • Identify the affected devices and materials

  • Report the activity to the proper channels

    • Who you should report to depends on the policies of your employer and the jurisdiction that you’re in

      • Your boss/manager
      • Legal department
      • Police/law enforcement
      • Government regulator

  • Preserve the device so that the data is not deleted

    • Devices should be disconnected from the network so that they can’t be modified or hacked further

    • Wireless devices may be placed in a Faraday bag so that they do not communicate, which avoids the risk of being erased remotely.

  • Make a forensic copy of each device.  You must use tools that generate exact copies along with hash files.

  • Document everything that you see and hear, including the date/time, and who you spoke with.

  • Maintain a chain of custody

    • The chain of custody tells us where the evidence was at all times.

    • We record where the device was found, where it was stored, and who had access to it

    • If we left the device unattended, even for a minute, how do we know that somebody didn’t modify the contents?  A defence lawyer will make this argument in court.
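The two technical steps above, the forensic copy with its hash and the chain-of-custody record, can be illustrated with a short script.  This is an added example and not part of the original notes; the "drive" contents, file names, evidence ID and people are all constructed for the demonstration.  It hashes the source and the copy in chunks (so a real multi-gigabyte image never has to fit in memory), rejects a copy that differs by even one byte, and keeps an append-only custody log whose unexplained_handoffs() method points out exactly the gap a defence lawyer would ask about: the evidence changed hands without a recorded transfer.

```python
"""
Added example (not part of the original notes): check that a forensic copy
matches the original bit for bit by comparing hashes, and keep an append-only
chain-of-custody log that reveals hand-offs nobody recorded. The "disk
image" bytes, file names, evidence ID and people are constructed.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1024 * 1024):
    """Hash a file in chunks so a multi-gigabyte image does not need to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_copy(source_path, copy_path):
    """Return (match, source_hash, copy_hash); only a matching copy is usable as evidence."""
    src, dst = sha256_file(source_path), sha256_file(copy_path)
    return src == dst, src, dst


class ChainOfCustody:
    """Append-only record of who held the evidence, where, and when."""

    def __init__(self, evidence_id):
        self.evidence_id = evidence_id
        self.entries = []

    def record(self, action, handler, location, note="", when=None):
        entry = {
            "evidence_id": self.evidence_id,
            "time": (when or datetime.now(timezone.utc)).isoformat(),
            "action": action,      # e.g. "seized", "imaged", "transferred", "stored"
            "handler": handler,
            "location": location,
            "note": note,
        }
        self.entries.append(entry)
        return entry

    def unexplained_handoffs(self):
        """Consecutive entries where the handler changed without a recorded
        'transferred' action: a period when nobody can say who had the evidence."""
        gaps = []
        for prev, cur in zip(self.entries, self.entries[1:]):
            if prev["handler"] != cur["handler"] and prev["action"] != "transferred":
                gaps.append((prev["handler"], cur["handler"]))
        return gaps


def run_demo():
    """Image a constructed 'drive', verify a good and a tampered copy, and log custody."""
    image = bytes(range(256)) * 64          # constructed 16 KiB "drive" contents
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "evidence_drive.bin")
        good = os.path.join(tmp, "evidence_drive.dd")
        tampered = os.path.join(tmp, "evidence_drive_bad.dd")
        with open(source, "wb") as f:
            f.write(image)
        with open(good, "wb") as f:
            f.write(image)
        with open(tampered, "wb") as f:
            f.write(image[:-1] + b"\x00")   # a single altered byte
        good_ok, _, _ = verify_copy(source, good)
        bad_ok, _, _ = verify_copy(source, tampered)

    custody = ChainOfCustody("CASE-0001-HDD-01")   # constructed evidence ID
    custody.record("seized", "tech_a", "desk 12, floor 3")
    custody.record("imaged", "tech_a", "forensics lab")
    custody.record("stored", "tech_b", "evidence locker 4")   # hand-off never recorded
    custody.record("transferred", "tech_b", "evidence locker 4", note="handed to investigator")
    custody.record("examined", "investigator", "forensics lab")
    return good_ok, bad_ok, custody.unexplained_handoffs()


if __name__ == "__main__":
    print(run_demo())   # (True, False, [('tech_a', 'tech_b')])
```

Running it reports that the good copy matches, the tampered copy does not, and that the evidence went from tech_a to tech_b with no transfer entry.  In practice the hash of the original is recorded before imaging and written into the custody log, so anyone who later checks the copy compares against a value that predates their own access.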

Software Licensing

Almost everything has software on it (routers, switches, access points, etc.), and software always comes with a license.  Each device will have an End User License Agreement, or EULA.  The EULA tells you what you are allowed to do with the software.  You must accept the agreement to use the software (and therefore to use the device).  What does the license agreement say?

  • The geographic location where you can use the software.  A manufacturer may have different license schemes in different countries (this is known as parallel importation) or may not be permitted to sell their software in certain countries (the US government prohibits the export of some types of technology).

  • Whether you can modify the software.

  • Whether you must pay the manufacturer for updates.  Many manufacturers charge customers “maintenance fees” for access to updates.

  • The number of users permitted to use the software or application.

  • Whether the license is perpetual or for a limited time.  Many cloud-based applications require a monthly or yearly fee.

  • Whether special features are permitted.  For example, the basic license on a Cisco router permits standard routing features.  A more advanced license allows a user to access security features, VoIP management features, and wireless features.  You can turn on the advanced license after you buy it.

  • Whether the software is licensed for personal or commercial use.

  • Whether certain uses are prohibited

Some of the different license types

  • Open-Source License

    • Open Source means that the software’s source code is available to you

    • You are allowed to modify the source code

    • Open Source does not mean that the software is free (although most Open-Source applications are free)

    • There may be certain terms and conditions such as

      • You must give credit to the original author of the software

      • You can modify the software and redistribute it, but only for free

      • Free for non-commercial use only; a payment is required for commercial use

  • Commercial License

    • You must pay for the software

    • You can use the software for commercial purposes

    • The source code may or may not be available (some commercial software can be open source!)

  • Personal License

    • You can use the software for personal or educational use only

  • Enterprise License

    • An enterprise license is a blanket license for the entire organization

    • The organization may be required to keep track of how many people use the software and make appropriate payments

  • Other License Types

    • Per use – the license is for one use of the software.  You must purchase a license for each time you operate the software

    • Per person – the license is for each person who uses the software.  If 100 people need to use the software, then you will require 100 licenses.

    • Per user – the license is for each simultaneous user.  If 100 people need to use the software, but a maximum of 10 people need to use the software at the same time, then you only need 10 licenses under this scheme.  Typically, the software licenses are stored on a license server.  A user can borrow a license from the server, use the software, and then return the license.

    • Company-wide – anybody in the organization can use the software without restriction

    • Per server or per core – you require a license for each server or processor core that the software runs on.  The more cores you have, the more licenses that you will require.  This is a common license scheme for database and server applications.  It is also a common license scheme for Microsoft Server operating systems.  The idea is that the more powerful the server, the more benefit you will derive from the software, and therefore, the more you should pay.

    • USB Dongle – the license is stored on a USB key.  You must connect the USB key to the computer to use the software

    • Cloud – many companies are switching to cloud licenses, where you are required to pay per month for the software.  This is also known as Software as a Service.  It reduces up-front costs for the software but increases total overall costs.  Cisco Meraki is an example of a cloud license that applies to network hardware.

DRM

A software company can include DRM, or Digital Rights Management, to prevent you from copying, printing, modifying, or sharing the data.  DRM can be applied to videos, images, PDF documents, and software programs.  Circumventing DRM may be illegal.

Regulated Data

Regulated data is data that is subject to government or industry regulations.  Regulated data should be encrypted.  Only authorized people should be able to access the regulated data, and they should only be able to access the specific data that is required for them to do their jobs.

Document who accessed the data, what they accessed, and when they accessed it.  If you store data that belongs to a customer, you may be required to provide the customer with a copy of their data upon request.  The government may be permitted to inspect your data or data storage systems.

Some types of Regulated Data

  • PII (Personally Identifying Information)

    • PII is information that could identify a person
    • It includes driver’s license, date of birth, social security number, address, name, etc.
    • Storage is subject to local and national privacy laws

  • PCI (Payment Card Industry)

    • The credit card companies set the PCI standards.  The credit card industry has specific requirements for what data you can store and for how long.  For example, you are not allowed to store the CVV2 code that appears on the back of a credit card.
    • It includes credit card numbers and expiry dates
    • If you accept credit cards as a method of payment, then you must comply with PCI regulations

  • GDPR (General Data Protection Regulation)

    • GDPR is a European regulation.  It applies to any company that stores data belonging to a resident of the European Union, even if the company is located outside of the EU.
    • You must have consent to store or process the user’s data
    • You must have data protection procedures built into your business procedures
    • Citizens have a right to access the data that you are storing about them
    • Citizens have a right to request that you erase their data
    • You can be fined if you fail to comply with GDPR

  • PHI (Protected Health Information)

    • PHI includes medical records, test results, prescriptions, diagnostics, etc.
    • In the United States, PHI is subject to the HIPAA law (Health Information Portability & Accountability Act)
      • Patients have a right to access their PHI
      • You must protect the PHI
      • You can be fined for failing to comply with HIPAA

Make sure that you comply with the regulations imposed by your employer and/or your client.  Make sure that you comply with the applicable laws and regulations in your jurisdiction.

  • You are subject to the laws of the city, county, state, province, and country that you’re physically and/or legally present in.

  • If you’re storing data belonging to foreigners, you may be subject to foreign laws.  For example, if you’re located in the United States, but your customers are in Belgium, and you’re storing the data in the United States, you might be subject to US law and Belgian (EU) law.

  • You are subject to the laws of the region where you store your data.  If you’re located in Canada, and store data on behalf of Canadians, but you store the data in servers located in the United States, you may be subject to Canadian law and US law.

  • A jurisdiction may not allow you to store its citizens’ data outside of its jurisdiction.  For example, the province of Alberta, Canada may require you to store personal data on servers located in Canada.  It might be illegal to store personal data belonging to Canadians on servers located in the United States.

  • A jurisdiction may require you to store the data on servers that are physically in your possession.  That means you may not be able to store data on servers operated by third parties (such as Azure or AWS).

  • Encrypt the data at rest and in transit

  • Use two-factor authentication to access the data

  • Log all access to the data

  • Users should be permitted to access only the specific data that they require

  • Regular audits should be conducted on the data storage systems and on any attempts to access the data.

  • You should only retain the data for the length of time that it is required.  Do not store data for no reason.
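Three of the controls listed above (log all access, permit users only the data they require, and retain data no longer than necessary) are easy to check mechanically once the access log exists.  The script below is an added example, not part of the original notes: it parses a few constructed access-log lines, flags every event where the user touched a dataset outside the permissions their job grants (unknown users included, since they hold no permissions at all), and lists stored records that have outlived a retention period.  User names, dataset names, record IDs and dates are all made up.

```python
"""
Added example (not part of the original notes): a small audit over a
constructed access log for regulated data. It flags access outside each
user's permitted datasets and records held past their retention period.
All names, datasets, IDs and dates are constructed.
"""
from datetime import datetime, timedelta, timezone

# Constructed access log, one event per line: when, who, which dataset, what action.
ACCESS_LOG = """\
2024-03-01T09:12:03Z user=alice dataset=billing action=read
2024-03-01T09:15:44Z user=bob dataset=phi action=read
2024-03-01T09:16:01Z user=bob dataset=billing action=read
2024-03-01T11:02:19Z user=carol dataset=phi action=export
2024-03-01T11:30:00Z user=mallory dataset=pii action=read
garbage line that does not parse
"""

# Least privilege: each user may touch only the datasets their job needs (constructed).
PERMISSIONS = {
    "alice": {"billing"},
    "bob": {"phi"},
    "carol": {"phi", "pii"},
}

# Constructed inventory of stored records and the "current" date used for the retention check.
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
STORED_ITEMS = [
    {"id": "txn-1001", "stored_on": datetime(2023, 1, 15, tzinfo=timezone.utc)},
    {"id": "txn-1002", "stored_on": datetime(2024, 2, 20, tzinfo=timezone.utc)},
]


def parse_access_log(text):
    """Turn 'time key=value ...' lines into dicts; malformed lines are skipped and counted."""
    records, skipped = [], 0
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            skipped += 1
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            fields = dict(p.split("=", 1) for p in parts[1:])   # ValueError if no '='
            records.append({"time": ts, **fields})
        except ValueError:
            skipped += 1
    return records, skipped


def unauthorized_access(records, permissions):
    """Events where the user had no right to the dataset; unknown users have no rights."""
    return [r for r in records
            if r["dataset"] not in permissions.get(r["user"], set())]


def retention_violations(stored_items, retention_days, now):
    """Stored items older than the retention period, i.e. data being kept for no reason."""
    cutoff = now - timedelta(days=retention_days)
    return [item for item in stored_items if item["stored_on"] < cutoff]


if __name__ == "__main__":
    records, skipped = parse_access_log(ACCESS_LOG)
    print(f"{len(records)} events parsed, {skipped} skipped")
    for r in unauthorized_access(records, PERMISSIONS):
        print("UNAUTHORIZED:", r["time"].isoformat(), r["user"], r["dataset"], r["action"])
    for item in retention_violations(STORED_ITEMS, 365, NOW):
        print("PAST RETENTION:", item["id"], item["stored_on"].date())
```

On the constructed input this reports bob reading billing data and the unknown user mallory reading PII as unauthorized, and txn-1001 as past a one-year retention period.  The permission table is the thing to keep accurate: the audit can only be as strict as the least-privilege policy it is given.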