It’s important to know about the administrative tasks associated with privacy settings, software licensing, and security policies. In this video, you’ll learn about chain of custody, software license types, payment card security, protected health information, and more.
When you work in information technology, you may run across an incident where evidence needs to be collected. One way to maintain the integrity of that evidence is to have a chain of custody. The chain of custody documents everyone who comes in contact with the evidence; this helps prevent tampering because we can see exactly who had access to it. And if this is digital evidence, we might want to use hashing to ensure that the evidence we’re looking at later is exactly the same as the evidence that was originally taken.
It’s always important when collecting this evidence to label and catalog everything that you’re taking as evidence. If this is physical evidence, you can put it in an evidence container and seal it to make sure that nothing changes with that evidence. If it’s digital evidence, you may want to sign it with a digital signature to ensure not only that you’re the one who took that evidence, but also that nothing in that evidence has changed.
Being the first responder to an incident is an important role. Not only are you the one discovering the incident, but you also have the opportunity to mitigate or limit the scope of that particular event. We might discover this event by looking through logs or monitoring data, or we might visually see that this event is occurring. When these events occur, time is of the essence. You should make sure that you report it immediately, either to your internal management team or, if this is a legal issue, to law enforcement.
And as the first responder, you may be responsible for collecting any evidence and ensuring that no evidence is destroyed during this process. It’s very common when collecting this evidence to get a copy of any storage drives. When taking this evidence, we’re not simply copying the files, we’re copying every single bit of information from that storage drive. You’ll sometimes hear this referred to as a bit-for-bit copy or a byte-for-byte copy.
That means you’re not only collecting all of the files, you’re also collecting anything else that might be on that storage device. We’ll sometimes perform this drive copy by physically removing the drive from the device. We will then connect it to a hardware write blocker that would prevent anything from changing the data that’s on that storage drive. We can then make a copy of that drive by using a hardware copying device or by using software imaging tools that can create the copy for us.
And once you collect that digital data, you want to create a hash for everything that you’ve collected. You can use that hash later to verify that the evidence that you’re examining is exactly the same evidence that was originally taken. And one of the keys of any type of incident response is to always have documentation. This might be used for internal purposes within your organization, or this may be a legal issue and we would use that documentation during legal proceedings.
This documentation should include a summary of the event and everything that occurred during that particular incident. We should also have detailed explanations in this documentation of how all of this data was acquired. In many cases, this will be a step-by-step description of exactly what you did to get information off of a storage drive and into an image. This documentation would also include an analysis of all of the data that was collected, and ultimately would provide a conclusion based on all of this analysis.
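The acquisition steps above (bit-for-bit copy, hash at collection time, verify before analysis, document who handled the evidence) as an added worked example. This is not code from the video; the "drive" is a temporary file standing in for a block device, and the handler name and file names are constructed.

```python
"""Added example (not from the original video): image a constructed evidence
drive bit-for-bit, hash source and image, verify later, and record each step in
a chain-of-custody log. The "drive" is a temporary file standing in for a device."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # stream 1 MiB at a time so a large drive never has to fit in RAM


def sha256_of(path):
    """Hash every byte of a device or image, not just the files on it."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image_device(source, dest):
    """Raw bit-for-bit copy. The source is opened read-only; in a real acquisition a
    hardware write blocker enforces that below the operating system."""
    with open(source, "rb") as src, open(dest, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    return sha256_of(source), sha256_of(dest)


def custody_entry(log_path, item, handler, action, digest):
    """Append one chain-of-custody record: who handled what, when, and its hash."""
    entry = {"time": datetime.now(timezone.utc).isoformat(), "item": item,
             "handler": handler, "action": action, "sha256": digest}
    with open(log_path, "a") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def verify_image(image_path, expected_digest):
    """Before examining the image later: does it still match the hash taken at acquisition?"""
    return sha256_of(image_path) == expected_digest


def acquire(source, image_path, log_path, handler):
    """Image, confirm source and image hashes agree, then log the custody step."""
    src_hash, img_hash = image_device(source, image_path)
    if src_hash != img_hash:
        raise RuntimeError("image hash differs from source; acquisition failed")
    custody_entry(log_path, os.path.basename(source), handler, "acquired", src_hash)
    return src_hash


def demo_acquisition():
    """Whole flow on a constructed drive; returns the results so they can be checked."""
    work = tempfile.mkdtemp()
    device = os.path.join(work, "evidence-drive.bin")
    with open(device, "wb") as f:   # constructed content, including unallocated space
        f.write(b"FAKEFS\x00hello.txt: quarterly memo" + b"\x00" * 4096 + b"deleted fragment")
    image = os.path.join(work, "evidence-drive.dd")
    log = os.path.join(work, "custody.jsonl")
    digest = acquire(device, image, log, handler="analyst-1")   # hypothetical handler name
    ok_before = verify_image(image, digest)
    with open(image, "r+b") as f:   # simulate tampering: one byte changed
        f.seek(8)
        f.write(b"X")
    ok_after = verify_image(image, digest)
    with open(log) as f:
        entries = [json.loads(line) for line in f]
    return {"sha256": digest, "verified": ok_before,
            "verified_after_tamper": ok_after, "log_entries": entries}


if __name__ == "__main__":
    print(json.dumps(demo_acquisition(), indent=2))
```

The copy hashes the source and the image separately rather than trusting the copy loop, because the point of the hash is to be independent evidence that the image matches. Changing a single byte of the image afterwards makes the later verification fail, which is exactly the tampering the chain of custody is meant to expose.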
If you’ve ever purchased software for an organization, then there are a lot of different options for software licensing. The license is a set of terms and conditions on how that software can be used. This might be descriptions of the overall use of the software, how many copies can be made of the software, and what backup options you might have for storing that software on a backup system. This software license also may have descriptions on how this software is to be used.
For example, if you purchase 10 licenses of a piece of software and it is a per seat license, that means there are 10 people that you can hand the software to and only those 10 people could ever use this software. You could also purchase a concurrent license which means those 10 licenses could all be used at the same time, but it might be different people using that license at different times of the day. As long as you don’t have more than 10 people concurrently using that license, then you are using the license to the terms of the agreement.
Some licenses are perpetual, which means you purchase the license one time and it can be used forever without any additional purchases. Other types of licenses might be subscription licenses where you might have an annual subscription or a three year subscription, and you can use the software up until that expiration date. Once you hit that expiration date, you either have to purchase new licenses or you have to stop using the software.
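The difference between per-seat and concurrent licenses, and between perpetual and subscription terms, as an added example. This is hypothetical code written for this page, not any vendor's licensing API; the product name, seat count and dates are constructed.

```python
"""Added example (hypothetical code, not any vendor's licensing API): a small
compliance check that models the per-seat, concurrent, perpetual and
subscription license types described above."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional, Set


@dataclass
class License:
    product: str
    seats: int                        # number of licenses purchased, e.g. 10
    model: str                        # "per_seat" or "concurrent"
    expires: Optional[date] = None    # None = perpetual; a date = subscription end
    assigned: Set[str] = field(default_factory=set)   # users ever given a seat (per-seat)
    active: Set[str] = field(default_factory=set)     # users running it right now (concurrent)

    def is_valid(self, today: date) -> bool:
        """A perpetual license never expires; a subscription ends on its expiry date."""
        return self.expires is None or today <= self.expires

    def check_out(self, user: str, today: date) -> bool:
        """True if `user` may run the software today under this license's terms."""
        if not self.is_valid(today):
            return False
        if self.model == "per_seat":
            # A seat stays with the named user; once all seats are named, new users are refused.
            if user not in self.assigned and len(self.assigned) >= self.seats:
                return False
            self.assigned.add(user)
            return True
        if self.model == "concurrent":
            # Anyone may run it, as long as no more than `seats` users are running it at once.
            if user in self.active:
                return True
            if len(self.active) >= self.seats:
                return False
            self.active.add(user)
            return True
        raise ValueError(f"unknown license model: {self.model}")

    def check_in(self, user: str) -> None:
        """A concurrent user frees a slot when they close the software."""
        self.active.discard(user)


def compare_models(today: date = date(2024, 6, 1)) -> dict:
    """Push 11 users through 10 licenses of each type; returns how many were refused."""
    users = [f"user{i}" for i in range(11)]
    results = {}

    per_seat = License("editor", 10, "per_seat")
    results["per_seat_refused"] = sum(not per_seat.check_out(u, today) for u in users)

    concurrent = License("editor", 10, "concurrent")
    refused = 0
    for u in users:                       # one after another, each closing before the next
        refused += not concurrent.check_out(u, today)
        concurrent.check_in(u)
    results["concurrent_refused_sequential"] = refused

    concurrent = License("editor", 10, "concurrent")
    results["concurrent_refused_simultaneous"] = sum(not concurrent.check_out(u, today) for u in users)

    sub = License("editor", 10, "per_seat", expires=date(2024, 12, 31))
    results["subscription_ok_before_expiry"] = sub.check_out("user0", today)
    results["subscription_ok_after_expiry"] = sub.check_out("user0", date(2025, 1, 1))
    return results


if __name__ == "__main__":
    print(compare_models())
```

With 10 licenses, the per-seat model refuses the eleventh distinct person no matter when they ask, while the concurrent model only refuses when an eleventh person tries to run the software at the same time as ten others; the same per-seat license with an expiry date stops working the day after it lapses.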
It’s very common to see these perpetual licenses, where you purchase the software one time. When you’re purchasing a personal license, these are designed for a home user who would not commonly purchase an ongoing annual license. This is often a license that is associated with a single device, or it’s associated with a group of devices used by a single person.
Corporate environments though need a bit more flexibility in how those licenses can be used, and in many cases, they can be a per seat license or even a site license that is used for everybody at that location. These corporate licenses often have annual renewals or renewals every few years to maintain that license. If you’d rather use software that does not have a cost associated with it, you might want to consider free and open source software or FOSS.
Not only is this software free to use, the source code for the software is also available for you to see. This means that you can check through the software to know exactly what that software can do. And then you can compile that code and put it on your own systems for no cost. If you’re purchasing an operating system from Microsoft or from Apple, then you’re probably using closed source software or commercial software.
With closed source, you don’t have access to the source code, so you can’t compile this software yourself. Instead, you’re provided the executable from the manufacturer. Once all of the terms for this software are decided upon, they’re put into a single licensing document called an end user licensing agreement, or a EULA. This EULA is often presented as a long scrolling document during the installation process that many people simply page all the way through and click OK without reading.
But the contents of this EULA dictate exactly how this software should be used. And very often there’s a negotiation that takes place between the end user and the manufacturer to create a EULA that fits best for the customer. If you’ve ever used your credit card at a retailer and wondered how that information is going to stay safe, you can refer to the Payment Card Industry Data Security Standard, or what’s known as PCI DSS.
This is a set of standards on how your credit card information is protected while it is stored and transmitted over the network. These are mandated by the Payment Card Industry, and they work very hard to make sure that anyone collecting credit cards is compliant with the PCI DSS. Although you don’t have to know the details for your exam, it’s useful to know what these standards are referencing in the PCI DSS.
For example, you need to know how to build and maintain a secure network and secure systems, how to protect cardholder data, maintain a vulnerability management program, provide access control measures, monitor and test the networks, and maintain an information security policy. If all of these are in place, then a retailer can accept and store your credit cards, and you can feel comfortable knowing that your private information will remain private.
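One concrete piece of the "protect cardholder data" goal is making sure card numbers never sit in plain text in application logs. The following added example (constructed log lines; not a PCI Council tool and not code from the video) finds primary account numbers in log lines and masks them, using the Luhn checksum so that other long numbers such as order ids are left untouched. The two valid card numbers in the sample are commonly published test numbers, not real accounts.

```python
"""Added example (constructed log lines; not a PCI tool or part of the original
video): find card numbers that leaked into application logs and mask them,
keeping the Luhn check so ordinary long numbers such as order ids are left alone."""
import re

# 13 to 19 digits, optionally grouped with spaces or dashes
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: from the right, double every second digit, subtract 9 if over 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """PCI DSS requires the PAN to be masked wherever it is displayed; keep only the last four."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scrub_line(line: str):
    """Replace every Luhn-valid PAN in `line` with its masked form; returns (line, count)."""
    count = 0

    def repl(m):
        nonlocal count
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)          # fails the checksum: not a card number, leave it
        count += 1
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(repl, line), count


SAMPLE_LOG = [  # constructed; the first two use commonly published test card numbers
    "2024-06-01T10:00:01 checkout ok card=4111111111111111 amount=19.99",
    "2024-06-01T10:00:02 checkout ok card=5500 0000 0000 0004 amount=5.00",
    "2024-06-01T10:00:03 lookup order=1234567890123 status=shipped",
    "2024-06-01T10:00:04 checkout declined card=4111-1111-1111-1112",
]


def scrub_log(lines):
    """Scrub a whole log; returns (scrubbed_lines, number_of_pans_masked)."""
    out, total = [], 0
    for line in lines:
        new, n = scrub_line(line)
        out.append(new)
        total += n
    return out, total


if __name__ == "__main__":
    scrubbed, n = scrub_log(SAMPLE_LOG)
    print(f"{n} card numbers masked")
    print("\n".join(scrubbed))
```

The Luhn filter is a trade-off: it keeps the 13-digit order id readable, but it also leaves the mistyped number on the declined line alone. In a field that is known to carry card numbers, a stricter deployment would mask every 13 to 19 digit run regardless of checksum, and the better fix is to stop the application writing the number to the log in the first place.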
Some of our private information is created or maintained by governmental agencies. For example, if you live in the United States, then you probably have a Social Security number and a driver’s license. Those two pieces of documentation alone contain quite a bit of personally identifiable information, or PII. Because this is considered sensitive information, there may be laws and regulations on what a third party could collect from you from these documents.
For example, they may be able to reference your driver’s license to be able to confirm that you’re the proper age. But they may not be able to store any of the information that is contained on that license. An example of this information getting into the wrong hands can be found from July 2015 with the US Office of Personnel Management or OPM. Unfortunately, the data in this organization was compromised and a third party gained access to privileged information that included names, Social Security numbers, date of birth, job assignments, and other details.
In total, approximately 21.5 million people were affected by this data breach. It’s very likely that the organization you work for holds some type of PII, or personally identifiable information, from your customers. This raises the question of how any organization can properly manage PII. We first need to recognize that this information is sensitive, and we need to have security controls in place to prevent access by an unauthorized third party.
Our personal information is often the gateway to other types of access. For example, someone could use our personal information to gain access to our bank account. Or someone may be trying to reset a password by using the poorly written password reset questions such as what are the last four digits of your Social Security number or in what city did you grow up? If you have access to our PII, then you can easily answer these questions and circumvent any security that we may have already had on these accounts.
The European Union has set very specific guidelines on how a user’s personal data can be used, and they’ve codified this in the GDPR, or the General Data Protection Regulation. This means that any of your personal data, including your name, your address, your photo, your email address, and other details fall under the purview of the GDPR. One of the main purposes of this regulation is to put the control of your data back into your hands.
So even though an organization may be collecting this information, you have the ultimate decision on how that information can be used and where it can be stored. You may see this regulation referred to as the right to be forgotten. But it’s probably more accurate to say it’s the right of erasure, where you can ask an organization to delete all records associated with your personal data.
Our health care data is often shared between our health care providers. So we need to have rules in place that ensure that any of our data is stored or transmitted in a secure form. Many of the regulations around PHI, or protected health information, are associated with HIPAA. This is the Health Insurance Portability and Accountability Act of 1996. And there are specific regulations inside of HIPAA that are designed to keep your health information safe.
One of the most important assets that any organization has is the data that they’re storing. And there may be requirements in information technology to maintain that data over a certain time frame. We refer to these as data retention requirements. Some of these retention requirements are in place so that we can have version control for our documents. This way, if we need to recover a previous version of a document, we can go back in time and recover that from a backup.
This data retention can also be a bit of an insurance policy. We might want to have an extended amount of data retention because if we’re infected with a virus or ransomware, we may need to go back in time and recover all of that data from a known good backup. And in the organization where you work, there may be a legal requirement for data retention. For example, in some organizations they’re required to store email over a number of years.
You might also work in an industry that is legally required to store certain data types for a certain amount of time. These might include corporate tax information or customer PII, and you may have to keep tape backups or store this information in an offsite facility.
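The two requirements that pull in opposite directions on this page, the GDPR right of erasure (delete a person's records on request) and data retention (keep certain records for a legally required period), meet in the same record store. The following added example is hypothetical code written for this page, not any product's implementation: it applies a per-record-type retention period, honours a legal hold, processes an erasure request while refusing it for records the organization is obliged to keep, and writes an audit trail that does not re-store the erased personal data. The retention periods, names and dates are constructed.

```python
"""Added example (hypothetical code, not a real product's implementation): a record
store that enforces retention periods, honours legal holds, and handles a GDPR-style
erasure request without re-storing the person's data in its own audit trail."""
from dataclasses import dataclass
from datetime import date
import hashlib


@dataclass
class Record:
    kind: str          # "email", "tax" or "customer"
    subject: str       # whose personal data this is (an email address here)
    created: date
    body: str
    erased: bool = False


# Constructed policy: how long each record type must be kept, in days.
RETENTION_DAYS = {"email": 365 * 3, "tax": 365 * 7, "customer": 365 * 2}


def subject_token(subject: str) -> str:
    """Hash the identifier so the audit log can refer to a person without storing the PII."""
    return hashlib.sha256(subject.encode()).hexdigest()[:12]


class Store:
    def __init__(self):
        self.records = []
        self.legal_holds = set()   # subjects whose data must not be deleted for now
        self.audit = []            # (event, reference, date) tuples, no personal data

    def add(self, rec: Record) -> None:
        self.records.append(rec)

    def expire(self, today: date) -> int:
        """Delete records older than their retention period unless under legal hold."""
        kept, removed = [], 0
        for r in self.records:
            age = (today - r.created).days
            if age > RETENTION_DAYS[r.kind] and r.subject not in self.legal_holds:
                removed += 1
                self.audit.append(("retention_expired", r.kind, today.isoformat()))
            else:
                kept.append(r)
        self.records = kept
        return removed

    def erase_subject(self, subject: str, today: date):
        """Right of erasure: wipe the person's data, except where a legal duty (tax
        retention, legal hold) overrides the request. Returns (erased, refused)."""
        erased = refused = 0
        for r in self.records:
            if r.subject != subject or r.erased:
                continue
            if r.kind == "tax" or subject in self.legal_holds:
                refused += 1
                continue
            r.body = ""
            r.subject = "erased:" + subject_token(subject)
            r.erased = True
            erased += 1
        self.audit.append(("erasure_request", subject_token(subject), today.isoformat()))
        return erased, refused


def run_scenario(today: date = date(2024, 6, 1)) -> dict:
    """Constructed data: one retention sweep, then erasure requests from three people."""
    s = Store()
    s.legal_holds.add("bob@example.com")   # e.g. subject of an ongoing legal matter
    s.add(Record("email", "alice@example.com", date(2020, 1, 1), "old thread"))
    s.add(Record("email", "alice@example.com", date(2024, 1, 1), "recent thread"))
    s.add(Record("tax", "alice@example.com", date(2019, 1, 1), "2018 return"))
    s.add(Record("customer", "bob@example.com", date(2021, 1, 1), "profile"))
    s.add(Record("customer", "carol@example.com", date(2023, 6, 1), "profile"))
    out = {"expired": s.expire(today), "remaining": len(s.records)}
    for who in ("alice", "bob", "carol"):
        out[who] = s.erase_subject(f"{who}@example.com", today)
    out["pii_in_audit"] = any("@example.com" in str(e) for e in s.audit)
    return out


if __name__ == "__main__":
    print(run_scenario())
```

In the scenario, Alice's four-year-old email is removed by the retention sweep, Bob's expired customer record survives because of the legal hold, and the erasure requests then wipe what they can: Alice's recent email is erased but her tax record is refused, Bob is refused entirely, and Carol's profile is erased. The audit trail records each request by a hash of the identifier, so the deletion log itself does not become a new copy of the data the person asked to have removed.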