On every network, there will eventually be incidents of prohibited activity. In this video, you’ll learn how to handle incidents, manage end-user policies, and more.
On any network, there will be times when inappropriate activity needs to be handled. The first thing you’ll need to do is identify that a particular prohibited activity is occurring. You can look through logs and monitoring data for this information, or sometimes you may see this happening, yourself.
Your first step should be to report everything that’s seen and identified to the proper channels. There’s probably a notification list for these types of events in your organization. At that point, you need to make sure that you’re able to gather as much evidence and data as possible. And there is usually a list of the different data sources and how to manage them, so that you’re able to preserve as much detail as possible.
Knowing what to document for these security events can be a challenge. Most of this should be identified in your security policy. This documentation should always be available for reference by anybody in the organization, because it affects everyone who might be using the network. One challenge with this is that it’s constantly in flux. There are always going to be changes to the security policy. So you need to have a process in place to add those changes and make everyone aware of them. You might want to consider some type of method that allows you to constantly edit this live document, such as a wiki or a similar type of software.
When these events occur, you want to be sure to document as much as possible. So make sure that you’ve written as many notes as you can. Take pictures of the area. And make sure you keep all of the logs that may have occurred during this time frame.
Once you’ve collected this information, you want to be sure that nothing in this information is going to change. The integrity of this evidence is going to be very important. So you want to make sure that this information is as well-preserved as possible. If somebody needs to examine this information, you need to make sure that all of that information is documented, as well.
If you’re collecting digital evidence, you may take a hash of that evidence. That way, later on you could perform the same hash function and confirm that the data you’re looking at later is exactly the same information that you looked at originally.
You want to be sure to label everything that you’ve collected, and that you have an overall catalog of all of the different items. Make sure that everything is sealed away, and stored and protected. And you might want to make sure and double check that all of your digital materials also have a digital signature, or some type of hash, associated with them.
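As an added illustration of the hashing and cataloging steps just described (this is not code from the original video), here is a small Python routine that records a SHA-256 hash alongside the label on a collected item and re-checks it later, so that any change to the stored copy is detected. The log lines, the label EV-001 and the collector name are constructed placeholders.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Constructed sample evidence: a short log excerpt standing in for a collected file.
SAMPLE_LOG = (
    b"2015-07-01T10:02:11Z auth failure user=jdoe src=10.0.0.5\n"
    b"2015-07-01T10:02:15Z auth failure user=jdoe src=10.0.0.5\n"
)


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so a large evidence image never has to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def catalog_item(path: Path, label: str, collected_by: str) -> dict:
    """One catalog entry: the label on the sealed item, who collected it, and its hash."""
    return {"label": label, "file": path.name,
            "collected_by": collected_by, "sha256": sha256_file(path)}


def verify_item(path: Path, entry: dict) -> bool:
    """Recompute the hash later and compare it with the value recorded at collection."""
    return hmac.compare_digest(sha256_file(path), entry["sha256"])


def demo() -> tuple:
    """Catalog a sample item, verify it, then show that a later change is detected."""
    with tempfile.TemporaryDirectory() as d:
        item = Path(d) / "auth.log"
        item.write_bytes(SAMPLE_LOG)
        entry = catalog_item(item, label="EV-001", collected_by="analyst (placeholder)")
        catalog = json.dumps([entry], indent=2)  # stored with the evidence, not inside it
        intact = verify_item(item, entry)
        # Simulate a one-byte edit to the stored copy after collection.
        item.write_bytes(SAMPLE_LOG.replace(b"jdoe", b"jdoa"))
        tampered = verify_item(item, entry)
    return intact, tampered, catalog
```

The catalog (a JSON list of entries) is what you keep with the case notes; the hash must be recorded before anyone examines the item, or the check proves nothing.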
Much of the software that we use is categorized in a number of different ways. It’s very common, for example, to find commercial software as being closed-source software. That means that all of the source code for this particular application is private. We don’t have access to the source. As an end user, we’re provided with the application executable. We have no idea what type of coding is inside of that executable.
On the other side of this is FOSS. FOSS stands for Free and Open Source Software, where the source code is completely available. You can look through it. You can even modify it, if you’d like. And the end user can compile their own executable, so that you know exactly what this application does.
Almost all software is going to include a EULA. That’s an End User Licensing Agreement that details exactly how the end user is able to use the software that’s being provided. And in extreme cases, software may include DRM, or Digital Rights Management. DRM puts electronic limits on how someone is able to use software. And it’s very common to see DRM used with audio and video media.
Software might also be licensed in a couple of different ways. One very common way, at home, is to have a personal license. This is where the license is associated with a single device, or series of devices, all owned by the same person. And usually, when you’re buying that software, you’re buying it perpetually, and there’s no additional cost every year.
In a large organization, it’s common to have an enterprise license. You’re usually purchasing this on a per-seat basis, or for the entire site with a site license. This means the software can be installed on practically everyone’s workstation, and there are usually annual renewals to maintain the software license.
One very significant set of policies in your organization should revolve around how you handle personally identifiable information, or PII. In many organizations, PII is tightly controlled, and in others the personal information isn’t kept at all. If you work with PII every day, you can sometimes forget how important it is to maintain a level of security for that information.
A good example of how this personal information can get out happened in July of 2015 at the US Office of Personnel Management. Personally identifiable information was released that contained the names, Social Security numbers, dates of birth, job assignments, and other details of people who worked for the US government. Approximately 21 and a half million people had their personal information released, making it a significant release of PII.
When you’re working for a third-party organization, they get to decide what’s appropriate for you to do on their network. Every organization has a different philosophy on what type of traffic is allowed and what type of traffic is not allowed. Usually, there are policies in place that can administratively block some of this traffic. They may be blocking content based on URL. They may be blocking certain applications from running on the network, or they may block it based on your username or the group that you belong to.
One philosophy might be that everything is blocked, and only certain traffic types are allowed onto the network. This would, obviously, require a lot more administration for the IT group. But it would limit exactly what you’re able to see on your screen.
Another philosophy might be to allow everything, but only block certain kinds of traffic coming through the network. This is much more common, but it’s obviously a lot less secure than a policy where you’re blocking everything on the network.