When we are discussing accountability we need to define what that really means. An acceptable meaning would be to hold people accountable for their actions, to be able to trace all activities in the corporate environment back to the source of those activities. This means the is the ability to use identification, authentication, and authorization processes in order to know which user a given event is associated with and what permissions allowed them to carry it out.
It can be quite easy to criticize accountability and its associated auditing tools. It could be argued that implementing surveillance techniques is like having Big Brother watching over your every move. This might be true in certain instances - if people are monitored excessively, it is possible to create an unhealthy environment.
When people are held accountable, it can keep the corporate environment secure in several ways: it enables a principle called nonrepudiation, it deters those who would otherwise misuse resources, and it detects and prevents intrusions. The processes are used to ensure accountability and can also assist in the preparation materials for legal proceedings.
In general, non-repudiation involves associating actions or changes with a unique individual. For example, a secure area may use a key card access system where non-repudiation would be violated if key cards were shared or if lost and stolen cards were not immediately reported. Similarly, the owner of a computer account must not allow others to use it, such as by giving away their password, and a policy should be implemented to enforce this.
In digital security, non-repudiation means:
- A service that provides proof of the integrity and origin of data.
- An authentication that can be said to be genuine with high confidence.
- An authentication that the data is available under specific circumstances, or for a period of time: data availability.
Proof of data integrity is typically the easiest of these requirements to accomplish. A data hash such as SHA2 usually ensures that the data will not be changed undetectably. Even with this safeguard, it is possible to tamper with data in transit, either through a man-in-the-middle attack or phishing. Because of this, data integrity is best asserted when the recipient already possesses the necessary verification information, such as after being mutually authenticated.
The common method to provide non-repudiation in the context of digital communications or storage is Digital Signatures, a more powerful tool that provides non-repudiation in a publicly verifiable manner. Message Authentication Codes (MAC), useful when the communicating parties have arranged to use a shared secret that they both possess, does not give non-repudiation. A misconception is that encrypting, per se, provides authentication "If the message decrypts properly then it is authentic" - Wrong! MAC can be subject to several types of attacks, like: message reordering, block substitution, block repetition, .... Thus just providing message integrity and authentication, but not non-repudiation. To achieve non-repudiation one must trust a service (a certificate generated by a trusted third party (TTP) called certificate authority (CA)) which prevents an entity from denying previous commitments or actions (e.g. sending message A to B). The difference between MAC and Digital Signatures, one uses symmetric keys and the other asymmetric keys (provided by the CA). Note that the goal is not to achieve confidentiality: in both cases (MAC or digital signature), one simply appends a tag to the otherwise plaintext, visible message. If confidentiality is also required, then an encryption scheme can be combined with the digital signature, or some form of authenticated encryption could be used. Verifying the digital origin means that the certified/signed data likely came from someone who possesses the private key corresponding to the signing certificate. If the key used to digitally sign a message is not properly safeguarded by the original owner, digital forgery can occur.
Deterrence is a strategy to influence the behaviour of people to follow a certain policy using the fear of sanctions. Deterrence is a strategy to influence the behaviour of people to follow a certain policy using the fear of sanctions. Therefore, it is composed of two main concepets: the certainty of sanctions and the severity of those sanctions . In other words, people desert unwelcome actions if they feel the probability of being apprehended is high (certainty of sanctions) and/or the extent of the potential penalty is to high (severity of sanctions).
From the viewpoint of the certainty of sanctions, in the past we have seen employees were aware that sanctions existed as a result of violations and the presence of detection efforts was quite effective in deterring the abuse of information systems and the violation of security policies. Recently, it is reported that security policies are violated when the benefit of violation is more substantial than the sanction that would be imposed, or a neutralization technique is involved . The implication is that organizations should not rely solely on employee awareness of sanctions because violations will occur regardless of the emphasis on the sanctions. Organizations are required to use detection as a practical method to increase the probability of being able to identify every violation. The most powerful way of increasing the certainty of sanctions is to find every violation and identifying the violator. Therefore, the certainty of sanctions should be viewed from the perspectives of detection as well as awareness.
Regarding the severity of sanctions, the sort of sanctions considered was solely punishment with various degrees. It can be argued that the sole application of punishment has no influence on deterring violations . The method of sanctions began to extend from simple punishment, to include other methods such as shame, informal sanctions, self-control, moral beliefs, and general deterrence based on rational choice . So, the severity of sanctions needs to be approached not only from the existing concept of the intensity of sanctions, but should also include a variety of sanctions.
Intrusion Detection and Prevention
The evolution of malicious software (malware) poses a critical challenge to the design of intrusion detection systems (IDS). Malicious attacks have become more sophisticated and the foremost challenge is to identify unknown and obfuscated malware, as the malware authors use different evasion techniques for information concealing to prevent detection by an IDS. In addition, there has been an increase in security threats such as zero-day attacks designed to target internet users. Therefore, computer security has become essential as the use of information technology has become part of our daily lives.
Intrusion can be defined as any kind of unauthorised activities that cause damage to an information system. This means any attack that could pose a possible threat to the information confidentiality, integrity or availability will be considered an intrusion. For example, activities that would make the computer services unresponsive to legitimate users are considered an intrusion. An IDS is a software or hardware system that identifies malicious actions on computer systems in order to allow for system security to be maintained (Liao et al., 2013a). The goal of an IDS is to identify different kinds of malicious network traffic and computer usage, which cannot be identified by a traditional firewall. This is vital to achieving high protection against actions that compromise the availability, integrity, or confidentiality of computer systems. IDS systems can be broadly categorized into two groups: Signature-based Intrusion Detection System (SIDS) and Anomaly-based Intrusion Detection System (AIDS).
Some systems may attempt to stop an intrusion attempt but this is neither required nor expected of a monitoring system. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, and reporting attempts. In addition, organizations use IDPS for other purposes, such as identifying problems with security policies, documenting existing threats and deterring individuals from violating security policies. IDPS have become a necessary addition to the security infrastructure of nearly every organization.
IDPS typically record information related to observed events, notify security administrators of important observed events and produce reports. Many IDPS can also respond to a detected threat by attempting to prevent it from succeeding. They use several response techniques, which involve the IDPS stopping the attack itself, changing the security environment (e.g. reconfiguring a firewall) or changing the attack's content.
Intrusion prevention systems (IPS), also known as intrusion detection and prevention systems (IDPS), are network security appliances that monitor network or system activities for malicious activity. The main functions of intrusion prevention systems are to identify malicious activity, log information about this activity, report it, and attempt to block or stop it.
Intrusion prevention systems are considered extensions of intrusion detection systems because they both monitor network traffic and/or system activities for malicious activity. The main differences are, unlike intrusion detection systems, intrusion prevention systems are placed in-line and are able to actively prevent or block intrusions that are detected. IPS can take such actions as sending an alarm, dropping detected malicious packets, resetting a connection, or blocking traffic from the offending IP address. An IPS also can correct cyclic redundancy check (CRC) errors, defragment packet streams, mitigate TCP sequencing issues, and clean up unwanted transport and network layer options.
Admissibility of Records
Admissible evidence, in a court of law, is any testimonial, documentary, or tangible evidence that may be introduced to a factfinder—usually a judge or jury—to establish or to bolster a point put forth by a party to the proceeding. For evidence to be admissible, it must be relevant and "not excluded by the rules of evidence", which generally means that it must not be unfairly prejudicial, and it must have some indicia of reliability. The general rule in evidence is that all relevant evidence is admissible and all irrelevant evidence is inadmissible.
A record should correctly reflect what was communicated or decided or what action was taken. Records management policies, procedures and practices should lead to authoritative records that have the following characteristics:
- Authenticity—An authentic record is one that can be proven to:
– Be what it purports to be
– Have been created or sent by the person purported to have created or sent it
– Have been created or sent at the time purported
- Reliability—A reliable record is one whose contents can be trusted as a full and accurate representation of the transactions, activities or facts to which they attest and can be depended upon in the course of subsequent transactions or activities. Records should be created at the time of the transaction or incident to which they relate, or soon afterwards, by individuals who have direct knowledge of the facts or by instruments routinely used within the business to conduct the transaction.
- Integrity—The integrity of a record refers to it being complete and unaltered. It is necessary that a record be protected against unauthorized alteration. Records management policies and procedures should specify what additions or annotations may be made to a record after it is created, under what circumstances additions or annotations may be authorized, and who is authorized to make them. Any authorized annotation, addition or deletion to a record should be explicitly indicated and traceable.
If the information is going to be used in a criminal proceeding, organizations must be able to identify who has had access to a particular record at any given time from collection, to creation of the evidence copy, to presentation as evidence. The evidentiary weighting of records will be substantially reduced if the chain of custody cannot be adequately established or is discredited.
- Usability—A useable record is one that can be located, retrieved, presented and interpreted. It should be directly connected to the business activity or transaction that produced it. The contextual linkages of records should carry the information needed for an understanding of the transactions that created and used them. It should be possible to identify a record within the context of broader business activities and functions. The links between records that document a sequence of activities should be maintained.
The topic of electronic record management is a course in itself, and is to broad to be completely covered in this chapter.
"Survey of intrusion detection systems: techniques, datasets and challenges" by Ansam Khraisat is licensed under CC BY 4.0
"CS406: Information Security" by Saylor.org Academy is licensed under CC BY 3.0
"Non-repudiation" by Various authors, Wikipedia is licensed under CC BY-SA 3.0
"Admissible evidence" by Various authors, Wikipedia is licensed under CC BY-SA 3.0