Hendon Publishing - Article Archive Details
Keeping electronic information protected
Information is most often stored in paper or electronic formats. While most agencies have developed a protocol for keeping paper documentation secure, organizations are having a difficult time standardizing a practice to secure electronic information.
Information is breached in a number of ways and for endless reasons, as news articles covering a litany of exploits reflect. Within minutes of checking the Internet, one finds an example on the FBI Web site explaining how Donald F. Green, age 48, of Columbus, OH, pled guilty in United States District Court on April 11, 2008, to one count of income tax evasion, one count of conspiracy to commit bank fraud and wire fraud, and one count of bank fraud in connection with his role in a mortgage fraud scheme that fraudulently secured more than $2.6 million from mortgage loans dating back to 2003 and 2004. These examples can be found daily throughout the United States as criminals take information and use it for personal, financial, or other unknown reasons.
Police agencies all have limited resources, yet they retain the obligation to the public to ensure that vital information is protected. Law enforcement agencies are especially susceptible to being targeted because they often store or have access to large amounts of sensitive information. This complex practice of preventing data from being accessed or compromised without authorization has become troublesome for the entire law enforcement community as technology continues to evolve at an unprecedented pace.
Identify the Information
Information security is critical for every law enforcement organization, regardless of demographic composition. Law enforcement agencies with only one computer often have the potential to access the same sensitive information as a large cluster of networks. It is for this reason that efficient steps should be taken to safeguard critical resources.
Organizations should evaluate what information they are trying to keep secure. Is the information strictly local department statistics, or does a national database of information that propagates down allow full access to millions of records? Establishing what is being protected will help determine which resources need to be evaluated during the risk assessment, and substantiate the level of security necessary. Organizations must also determine where sensitive information is being stored and accessed. Is information being stored on laptops, workstations, or servers? Agencies must continuously play the “what if” game, considering, “What if a laptop gets stolen tomorrow?” or “What if the server is hacked?” Knowing where information resides is fundamentally important and will help agencies respond to information being lost or stolen.
Any new department administrator should perform a risk assessment immediately to gain critical information. Risk assessments are the processes of reviewing any given network to identify vulnerabilities, threats, or exploits. This process will also help update and locate equipment and resources.
For established administrators, this process should still be done periodically or any time a significant component of the network is altered. Regardless of the size of the computer network, system administrators and department executives should easily be able to retrieve a current list of all hardware, software, and licenses held by the agency. In addition to the itemized lists, administrators should be able to explain how information is being protected. The ISO/IEC 27002:2005 Code of practice for information security management recommends the following be examined during a vulnerability test:
• Security policy;
• Organization of information security;
• Asset management;
• Human resources security;
• Physical and environmental security;
• Communications and operations management;
• Access control;
• Information systems acquisition, development and maintenance;
• Information security incident management;
• Business continuity management; and
• Regulatory compliance.
It is imperative for administrators to realize that knowing everything about technology is impossible. Hiring an established firm to conduct a risk assessment can prove valuable in providing a second opinion and can help shape long-term plans.
Attention to Detail
The process of the risk assessment should be well documented. This practice will capture important information about the network and will allow any administrator to maintain efficiency. A detailed list of vendor numbers should be accessible to both system and department administrators. Routine tasks should be developed pending the results of the risk assessment and spelled out clearly. These tasks should be known by more than one employee to allow continuous protection of information in an employee’s absence. In addition, administrators of a police network should document several contingency plans in the event of a disaster or emergency.
Given the complexity of many networks, departments should strive to refine or implement a departmental plan and seek support to achieve their goals. Plans can include implementing new practices for administrators, supervisors and users. Security practices should be prioritized and evaluated on a cost benefit ratio. A well-constructed and detailed budget will help law enforcement agencies seek funding to ensure that adequate security is in place.
While not all support measures are easily done, many can be deployed with little or no cost. Simple things like organizing information can be built into a daily schedule to allow documentation of maps, computers, and users on a network.
Keeping all employees well informed also allows for a much easier transition to efficient operation. Informing officers that routine password changes can significantly lower the chance of an officer’s Social Security number being stolen is easier than forcing members of the department to change their password without any reasoning.
As police agencies apply security practices, it is important to continuously be aware of trends. Being cognizant of emerging technology may allow an agency to forecast spending for a security measure before threats are readily known. If a willingness to keep information secure is a priority for all members of the department, safe practices can be integrated seamlessly into police work.
Some exploits surface as a result of an organization's failure to perform routine maintenance. Proper maintenance can significantly reduce the chances of a hacker exploiting any given network, or prevent it altogether. Daily maintenance tasks can include reviewing security logs to determine if attempts were made to breach the network. The latest software patches should be applied to servers and workstations, and all anti-virus / anti-spyware protection should be up to date. Intrusion detection appliances or strong authentication methods can often detect an attempt to unlawfully gain access to a network.
Although a great deal of time goes into the design and structuring of a network, information cannot be protected if the daily maintenance is not performed to a satisfactory level.
Written policies allow an organization to set clear guidelines used to protect department resources. If a written policy is already in place, it should be periodically reviewed to determine its level of pertinence. A written policy will allow the department to clarify rules and routine practices. Some policies are very detail oriented and spell out very specific actions that are permitted, while other policies cover just broad terminology and concepts. Some documentation may also indicate the need to conform to an industry or government standard for information security. It is important for any federal, state, or local agency to check its mandates to determine if a specific action is required to maintain security. If the jurisdiction sets forth a mandate, organizations should clearly spell out a written policy that reflects the mandate or provides a greater level of protection in its information security practices.
Government agencies are unique by their very nature. Because agencies operate on a permeable state of existence, they are often scrutinized very closely for any given course of action. Police strive to maintain efficiency and minimize frivolous spending. This is why law enforcement agencies must be especially vigilant in identifying typical exploits and vulnerabilities of any federal, state, or local law enforcement computer network.
Networks are usually administered by a law enforcement officer or a hired municipal employee responsible for the network. Administrators of a 24-hour network continuously balance keeping track of equipment, deploying working software under a secure environment, and maintaining a stable network. Achieving this in a conventional “Monday through Friday” network presents many problems, and having the added burden of 24-hour use presents the opportunity for increased risk.
It is not uncommon for equipment to be lost, stolen, or damaged and go unreported for an extended period of time. Law enforcement agencies should deploy technologies that limit the retention of information on laptops and easily movable computer equipment.
Administrators must practice password management and have strong policies of screening vendors who are given administrative passwords to perform routine tasks. In addition to having administrative access, many vendors need remote access to make changes or corrections to the network. A security log can be an excellent tool in reviewing who is logged onto a network at any given time.
While each police department has individual needs, most agencies require that some members be allowed permission to access restricted files. Many times, supervisors will need to oversee reports, conduct administrative functions, or access sensitive files. Being granted a greater level of access also allows the potential for a security breach, even if the actions are inadvertent or well intended. Security practices should be explained to each supervisor who has a higher level of access.
Users on a network encompass everyone from the chief or department head to the patrol officer. While the majority of users often operate within restricted access, they are still permitted to connect to servers for information and data. Criminals often use human social skills to compromise passwords, which allow them initial access. Once access is gained, unsuspecting accounts are used to penetrate vital resources for information that can be redirected for unintended purposes. Social engineering has often proved to be the most effective means of gaining access to unauthorized information. This practice is achieved as criminals use personal techniques to breach user accounts on a computer network. Kevin Mitnick, a renowned hacker, explains in his book “Art of Deception,” “Testifying before Congress not long ago, I explained that I could often get passwords and other pieces of sensitive information from companies by pretending to be someone else and just asking for it.” Above any other exploit, it is imperative for law enforcement to actively combat social engineering to prevent information from being lost or stolen. So how do organizations integrate practices that will maintain information security and allow agencies the ability to focus on law enforcement?
It is relatively easy for administrators, supervisors and users to become overwhelmed with information security. By developing a strategy, agencies can systematically achieve goals and evolve with technology. The following is a set of guidelines that may prove useful for police organizations:
1. Identify problems surrounding information security and begin to shape goals.
2. Locate the information, and where it is being stored or accessed.
3. Conduct a risk assessment to gain critical information.
4. Document network resources while paying close attention to detail.
5. Develop a support system for the network.
6. Maintain a support system.
7. Implement a written policy to safeguard both users and administration.
8. Consistently monitor for common exploits and evolving technology.
While interoperability has allowed agencies to easily share information, it has also enabled networks to be accessible instantaneously throughout the nation. Sharing information leaves millions of records vulnerable. This phenomenon has sparked concern in officials on every level. The issue has become more difficult to address as police work to secure information in a rapidly evolving digital age. Achieving information security using the least amount of resources is the goal of every organization and will continue to present itself as a challenge for law enforcement agencies for years to come.
Matt Brodacki has testified before the Senate on emerging technologies as a police officer and has completed an M.S. program in computer forensics. He is also the owner and founder of a computer security company and can be reached at email@example.com.
Published in Public Safety IT, Jul/Aug 2008