CTOSE branches out to US and Australia
Sarah Hilley

The European 'Cyber-tools Online Search for Evidence' (CTOSE) Foundation has completed a methodology to help companies do computer forensics across the different EU states.
The guidelines standardise single-system evidence collection, so companies can avoid legal pitfalls.
Robin Urry at the Joint Research Centre said a demonstration of the standard ran successfully in the UK, Belgium, France, Italy and Germany.
Adhering to the CTOSE model also means that police units in different countries use the same investigation procedures.
This eradicates the risk of evidence being deemed inadmissible in court, said Urry.
Interpol, Europol and High Tech Crime Units throughout Europe helped mould the standard.
The process, which also includes guidelines for first responders, is being used in a major bank, and Urry urges other organisations to refer to the standard and customise it for their own use.
"CTOSE is a good first stake in the ground to help everyone walk the same path in digital evidence."
The European Commission gave the project €1.5m, and around 70 members from academia, private industry and law enforcement formulated it.
Members included QinetiQ, the University of St Andrews, the University of Stuttgart, Alcatel and the European Commission's Joint Research Centre, among others.
The CTOSE methodology will be replicated in the US and Australia in 2005.
Infosecurity Today, November/December 2004 (news, p. 7)
IT security directors under jail threat
Brian McKenna
Information security directors need to pay close attention to emerging US and EU corporate governance and privacy legislation in order to stay out of prison, security experts have warned.
Speakers at the SecurIT summit in Montreux, Switzerland, told delegates to look beyond network security and cotton on to a perilous new legal environment.
Michael Colao, Director of Information Management at investment bank Dresdner Kleinwort Wasserstein, said: "Two years ago CIOs and CSOs did not need to worry about the law; now there are regulations being imposed on them that hold them personally liable."
UK data protection legislation set the European scene by stipulating that companies take 'appropriate technical and organisational measures' to safeguard information. This lead has been extended across Europe in ways that will challenge security heads for years to come. Italy's data protection act entails a training element and runs to a book length of "excruciating detail", Colao complained.
And the tendency of local laws, like the Italian regime and California's SB 1386, to turn global, forcing global companies to declare data privacy leaks, ups the stakes significantly, he added. For instance, the Disciplinare Tecnico in the Italian legislation requires all companies whose business bears on the country to clear out dormant accounts every six months. The penalty? Three years in jail.
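The six-month rule Colao describes is one of the few requirements on this page that maps directly onto a control, and it is easy to get subtly wrong: an account that was issued but never logged into is still a live credential, an already locked account should not be reported again, and a last-login timestamp in the future points at clock skew or a tampered record rather than at an idle user. The sweep below is an added example, not code from the article, from Colao's bank or from the Italian statute; it assumes "six months" means 180 days, that never-used credentials are measured from their issue date, and that the account inventory and the reference date are constructed for illustration. The deactivation commands it emits are the standard shadow-utils ones for a Linux host.

```python
"""Dormant-credential sweep (added example; sample data is constructed)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

SIX_MONTHS_DAYS = 180  # assumption: the statute's "six months" taken as 180 days


@dataclass(frozen=True)
class Account:
    name: str
    created: date
    last_login: Optional[date]  # None: no successful login on record
    locked: bool = False        # already deactivated


def idle_days(acct: Account, today: date) -> int:
    """Days since the credential was last exercised.

    A credential that has never been used is measured from the day it
    was issued: an unused account is still a working way in.
    """
    last_activity = acct.last_login or acct.created
    return (today - last_activity).days


def sweep(accounts, today: date, max_idle_days: int = SIX_MONTHS_DAYS):
    """Return (dormant, anomalies).

    dormant   : {name: reason} for live credentials idle for MORE than
                max_idle_days (a credential exactly at the limit is kept).
    anomalies : names whose last-login record lies in the future, which
                means clock skew or a bad record and needs a person, not a lock.
    """
    dormant = {}
    anomalies = []
    for acct in accounts:
        if acct.locked:
            continue  # nothing to do; do not report it twice
        days = idle_days(acct, today)
        if days < 0:
            anomalies.append(acct.name)
            continue
        if days > max_idle_days:
            if acct.last_login is None:
                reason = f"never used, issued {days} days ago"
            else:
                reason = f"idle {days} days (last login {acct.last_login})"
            dormant[acct.name] = reason
    return dormant, anomalies


def lock_commands(dormant):
    """Commands an operator reviews, then runs, to deactivate the reported
    credentials on a Linux host.  The password is locked AND the account
    is expired: a locked password hash alone does not stop key-based SSH
    logins, whereas an expired account is refused at the account stage."""
    return [f"usermod -L {name} && chage -E 0 {name}" for name in sorted(dormant)]


# Constructed sample inventory; the reference date is 15 November 2004.
TODAY = date(2004, 11, 15)
SAMPLE = [
    Account("alice", date(2003, 1, 10), date(2004, 11, 1)),               # active
    Account("bob",   date(2003, 3, 5),  date(2004, 4, 1)),                # idle 228 days
    Account("carol", date(2004, 2, 1),  None),                            # never used, 288 days old
    Account("dave",  date(2004, 10, 1), None),                            # never used, only 45 days old
    Account("erin",  date(2002, 1, 1),  date(2003, 6, 1), locked=True),   # already locked
    Account("frank", date(2004, 1, 1),  date(2004, 5, 19)),               # exactly 180 days: not yet dormant
    Account("grace", date(2004, 1, 1),  date(2004, 12, 1)),               # login "in the future": anomaly
]

if __name__ == "__main__":
    found, odd = sweep(SAMPLE, TODAY)
    for name, why in found.items():
        print(f"{name}: {why}")
    print("records needing a human:", odd)
    print("\n".join(lock_commands(found)))
```

Running it against the sample reports bob and carol for deactivation, leaves dave and frank alone, skips the already locked erin, and lists grace as an anomaly rather than locking an account on the strength of a record that cannot be right.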
Microsoft has had to change its internal global security policy because of the Italian DPA, he said.
Colao also slammed recent anti-spam legislation that defines the phenomenon as 'unsolicited commercial email'. Legitimate email has to require 'prior consent' from the recipient. "This is bad law", he said. "Proving prior consent is very difficult. We just don't know what the enforcement posture of this legislation will be, but one thing is for sure: it won't deter spammers."
The Belgian penalty for spamming is set at a hefty €250,000.
Meanwhile, Agne Lindberg, a partner at the Delphi law firm in Sweden, advised SecurIT delegates that the EU Decision on cybercrime of 20 June 2003, currently stuck in the European Parliament, will raise the bar on company liability. Sanctions against companies whose networks get used for cybercriminal activity will be significant: "you will need very tight controls; policies won't be enough", he said.
He also cautioned delegates to pay close attention to the legal implications of off-shoring. "India, as an example, has peculiar legislation that has a wide fair use licence." Software developed under contract belongs to the on-shore company for five years only, for instance.
Colao echoed Lindberg. "You can outsource IT, but you can't outsource legal liability", he said.
Security firms leap into Cahoot debate

At least three IT security companies were prompt to comment on the avoidability of Cahoot's well-publicised security breach of 5 November. RSA, Kavado and Netegrity stepped forward to offer advice.
The BBC exposed Cahoot, Abbey's online bank, as guilty of a security blunder introduced during a system upgrade twelve days earlier. The upshot of the breach was that customers were able to see details of other people's accounts, but were unable to move money around.
Tim Pickard, strategic marketing director of RSA Security EMEA, commented: "This is graphic proof of RSA Security's assertion that username and password security is totally inadequate for today's ecommerce. Enlightened electronic traders such as AOL in the service provision sector and Credit Suisse in the online banking environment have already committed to the next generation of secure log-on service. Strong, two-factor authentication, incorporating something that the user knows and something that the user has, would dramatically improve the security of consumers in this type of environment."
Netegrity, meanwhile, said in a statement: 'although no financial loss was suffered, the damage to Cahoot's brand and customers' confidence could be long-lasting'.
And Vik Desai, CEO of web application security provider Kavado, said that "banks owe a duty of care to protect their customers' privacy and also a legal obligation under the Data Protection Act. We already protect many financial institutions' customers from this sort of security breach, but some are yet to make a minor investment in the inexpensive technology available which can be quickly and easily installed to protect customers from both the mistakes of IT departments and also attacks by cyber criminals.

"This security breach could easily have been prevented by installing web application firewalls which prevent applications allowing unauthorised access, even in the event of the IT department making a mistake. In this instance the technology would have prevented access to account details without the user name and password being supplied, and secondly would have alerted the bank to the security problem in the system upgrade."
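Desai's remedy is a product in front of the application. The defect he describes, account details returned without the user name and password being checked, is also the kind of thing the application's own tests should refuse to ship. The block below is an added example of that class of fault beside its fixed form, not a reconstruction of Cahoot's or Abbey's code and not Kavado's product: a handler that trusts a client-supplied username against one that serves only the account bound to an authenticated server-side session, plus a post-deployment smoke test that would have flagged a regression of this kind after an upgrade. The accounts, passwords, request and session structures are constructed for illustration (passwords are held in plain text here only to keep the example short).

```python
"""Account-detail endpoint: broken form, hardened form, deployment smoke test
(added example with constructed data)."""
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample customers.
ACCOUNTS = {
    "alice": {"balance": "1,204.10", "sort_code": "09-01-27"},
    "bob":   {"balance": "88.00",    "sort_code": "09-01-27"},
}
PASSWORDS = {"alice": "correct horse", "bob": "hunter2"}  # plain text only for the example


@dataclass
class Request:
    params: dict                                   # query/form parameters from the client
    cookies: dict = field(default_factory=dict)    # cookies from the client


# --- the class of fault the article describes ------------------------------
def account_view_broken(req: Request):
    """Trusts the client's 'user' parameter alone: anyone who knows or
    guesses a username is shown that customer's details."""
    user = req.params.get("user")
    if user not in ACCOUNTS:
        return 404, None
    return 200, ACCOUNTS[user]


# --- the hardened form ------------------------------------------------------
SESSIONS = {}  # session id -> authenticated username, held server side only


def login(req: Request):
    """Issue a session only after the password is checked; the session id
    is random and unguessable, and the username is stored on the server."""
    user = req.params.get("user")
    password = req.params.get("password", "")
    if user not in PASSWORDS or not hmac.compare_digest(
        PASSWORDS[user].encode(), password.encode()
    ):
        return 401, None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = user
    return 200, {"session": sid}


def account_view(req: Request):
    """The account shown is the one bound to the session, never one named
    by the client: the 'user' parameter is ignored on purpose."""
    user = SESSIONS.get(req.cookies.get("session"))
    if user is None:
        return 401, None
    return 200, ACCOUNTS[user]


def smoke_test(view) -> bool:
    """Post-deployment check: with no session the endpoint must refuse, and
    a session for alice must never yield bob's details.  A build whose
    handler fails this should be blocked and raise an alert."""
    anonymous = view(Request({"user": "bob"}))
    if anonymous[0] == 200:
        return False
    status, body = login(Request({"user": "alice", "password": "correct horse"}))
    if status != 200:
        return False
    cross = view(Request({"user": "bob"}, cookies={"session": body["session"]}))
    return cross == (200, ACCOUNTS["alice"])


if __name__ == "__main__":
    print("broken handler passes smoke test:", smoke_test(account_view_broken))
    print("hardened handler passes smoke test:", smoke_test(account_view))
```

The point of the smoke test is that it is independent of the handler's internals: it exercises the endpoint the way an outsider would, so a change made during an upgrade that quietly removes the credential check is caught at release time rather than by customers.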