
Step 11: Insider Threat Scenario: Insider Fraud at Daytona Investment Bank

Now that you’ve completed your profile matrix, the next step will be for you to investigate an insider threat scenario.

This exercise discusses a fictitious scenario, Insider Fraud at Daytona Investment Bank. In the scenario, an internal investigation revealed that Shane Kerry, an arbitrage trader specializing in Asian stock markets, used his knowledge of the bank’s internal information security controls to disguise fraudulent transactions. These transactions resulted in a loss of $2 billion.

After completing the exercise, answer the following question:

Post your answer to the discussion board for feedback.

Step 12: Case Issues and Solutions

After completing your research, practice simulations, and documentation in the prior steps, you are now ready to review and digest the case information in order to identify what went wrong in the Childs case. Reread the annotated research items that you collected for the case in Step 1 and identify the examples of poor judgment from Childs and the organization that may have led to the event. Consider the effects of cybercrime and the effects of increased cyber protection on an organization’s mission.

Use the Case Issues and Solutions Template to categorize and annotate a minimum of three issues in each of the following categories:

  • people (human factors)
  • technology
  • standards, policies, or guidelines

Submit your completed Case Issues and Solutions Template for feedback.

Step 13: Summarize and Develop Your Solutions

In the previous step, you identified the major issues in the Childs case. It is now time to discuss the solutions. In order to develop recommendations to include in your presentation, you must first prepare your solutions.

Summarize recommended solutions to alleviate the insider threat caused by Childs, with at least three recommendations each in the categories of people, technology, and policy. Rank your recommended solutions in order of “must implement,” “highly recommended,” and “generally recommended.” You will use this solutions summary to develop your recommendations in your final presentation.

Step 14: Document Findings in a Presentation

You now have all of the information needed to develop the slide presentation that provides information to the San Francisco City office to avert situations similar to the Childs case.

Develop a narrated slide presentation of 10-15 slides that shows your findings. Include all of the information you gathered from your previous research, summaries, and reports.

Submit your final presentation with appendices when complete.

Case Issues and Solutions Template

Category        Issue        Solution

Learning Topic
Standards, Policies, and Guidelines
Security standards, policies, and guidelines define the rules and controls needed to protect
information and ensure effective business operations. They are components of an organization’s
overall management and governance framework.
Standards are controls, optimally mandatory, that ensure the consistent application of security
policies. Security standards can be communicated in specific directions regarding parameters and
characteristics, to include thresholds, frequency of change, cryptographic requirements, or all of
those things.
Policies are high-level statements regarding an organization’s intent for information security and
thus communicate the organization’s security philosophy or vision. Policies are usually
generated, endorsed, and communicated by senior leaders, who are then responsible for
promulgating them through an organization. Security policies define information that needs to be
protected and identify the implementing documents, and can be used to satisfy a regulation or
law.
Guidelines are recommended practices and standards, generally based on industry best practices.
While guidelines are usually not required, they can be put in place to provide instructions in
areas where there may not already be established policies or standards.
Countermeasures
Countermeasures are actions taken to minimize, mitigate, or eliminate threats to and
vulnerabilities of computer systems. Countermeasures can take several forms depending on the
nature and characteristics of the particular threats and how susceptible the system is to
vulnerabilities.
Information technology (IT) controls are a type of countermeasure that focuses on actions that
can be taken to mitigate or eliminate vulnerabilities, for example, using good programming
practices or restricting queries to only specific inputs.
Technical countermeasures, also known as technical surveillance countermeasures (TSCMs),
focus on the ability to identify or detect unauthorized electronic emanations as well as physical
security vulnerabilities that put infrastructures (physical and electronic) at risk.
FBI Digital Evidence: Standards and Principles
Introduction
The Scientific Working Group on Digital Evidence (SWGDE) was
established in February 1998 through a collaborative effort of the
Federal Crime Laboratory Directors.
SWGDE, as the US-based component of standardization efforts
conducted by the International Organization on Computer Evidence
(IOCE), was charged with developing cross-disciplinary guidelines and
standards for the recovery, preservation, and examination of digital
evidence, including audio, imaging, and electronic devices.
The following document was drafted by SWGDE and presented at the
International Hi-Tech Crime and Forensics Conference (IHCFC) held in
London, United Kingdom, from October 4–7, 1999. It proposes the
establishment of standards for the exchange of digital evidence
between sovereign nations and is intended to elicit constructive
discussion regarding digital evidence. This document has been
adopted as the draft standard for US law enforcement agencies.
Purpose
The latter part of the twentieth century introduced the electronic
transistor and the machines and ideas made possible by it. As a result,
the world changed from analog to digital. Although the computer
reigns supreme in the digital domain, it is not the only digital device.
An entire constellation of audio, video, communications, and
photographic devices are becoming so closely associated with the
computer as to have converged with it.
From a law enforcement perspective, more of the information relevant
to the judicial process is being stored, transmitted, or processed in
digital form. The connectivity resulting from a single world economy in
which the companies providing goods and services are truly
international has enabled criminals to act across jurisdictions with ease.
Consequently, a perpetrator may be brought to justice in one
jurisdiction while the digital evidence required to successfully
prosecute the case may reside only in other jurisdictions.
This situation requires that all nations have the ability to collect and
preserve digital evidence for their own needs as well as for the
potential needs of other sovereign states. Each jurisdiction has its own
system of government and administration of justice, but in order for
one country to protect itself and its citizens, it must be able to make
use of evidence collected by other nations.
Though it is not reasonable to expect all nations to know about and
abide by the precise laws and rules of other countries, a method for
allowing the exchange of evidence must be found. This document is a
first attempt to define the technical aspects of these exchanges.
Definitions
acquisition of digital evidence: This begins when information or
physical items are collected or stored for examination purposes. The
term evidence implies that the collector of evidence is recognized by
the courts. The process of collecting is also assumed to be a legal
process and appropriate for rules of evidence in that locality. A data
object or physical item only becomes evidence when so deemed by a
law enforcement official or designee.
data objects: These are defined as objects or information of potential
probative value that are associated with physical items. Data objects
may appear in different formats without altering the original
information.
digital evidence: This is information of probative value stored or
transmitted in digital form.
physical items: These are items on which data objects or information
may be stored and/or through which data objects are transferred.
original digital evidence: These are physical items and the data
objects associated with such items at the time of acquisition or seizure.
duplicate digital evidence: This is an accurate digital reproduction of
all data objects contained on an original physical item.
copy: This is an accurate reproduction of information contained on an
original physical item, independent of the original physical item.
Standards
Principle 1
To ensure that digital evidence is collected, preserved, examined, or
transferred in a manner safeguarding the accuracy and reliability of the
evidence, law enforcement and forensic organizations must establish
and maintain an effective quality system. Standard operating
procedures (SOPs) are documented quality-control guidelines that
must be supported by proper case records and use broadly accepted
procedures, equipment, and materials.
Standards and Criteria 1.1
All agencies that seize or examine digital evidence must maintain an
appropriate SOP document. All elements of an agency’s policies and
procedures concerning digital evidence must be clearly set forth in this
SOP document, which must be issued under the agency’s management
authority.
Discussion. The use of SOPs is fundamental to both law enforcement
and forensic science. Guidelines that are consistent with scientific and
legal principles are essential to the acceptance of results and
conclusions by courts and other agencies. The development and
implementation of these SOPs must be under an agency’s management
authority.
Standards and Criteria 1.2
Agency management must review the SOPs on an annual basis to
ensure their continued suitability and effectiveness.
Discussion. Rapid technological changes are the hallmark of digital
evidence, with the types, formats, and methods for seizing and
examining digital evidence changing quickly. In order to ensure that
personnel, training, equipment, and procedures continue to be
appropriate and effective, management must review and update SOP
documents annually.
Standards and Criteria 1.3
Procedures used must be generally accepted in the field or supported
by data gathered and recorded in a scientific manner.
Discussion. Because a variety of scientific procedures may validly be
applied to a given problem, standards and criteria for assessing
procedures need to remain flexible. The validity of a procedure may be
established by demonstrating the accuracy and reliability of specific
techniques. In the digital evidence area, peer review of SOPs by other
agencies may be useful.
Standards and Criteria 1.4
The agency must maintain written copies of appropriate technical
procedures.
Discussion. Procedures should set forth their purpose and appropriate
application. Required elements such as hardware and software must be
listed, and the proper steps for successful use should be listed or
discussed. Any limitations in the use of the procedure or the use or
interpretation of the results should be established. Personnel who use
these procedures must be familiar with them and have them available
for reference.
Standards and Criteria 1.5
The agency must use hardware and software that is appropriate and
effective for the seizure or examination procedure.
Discussion. Although many acceptable procedures may be used to
perform a task, considerable variation among cases requires that
personnel have the flexibility to exercise judgment in selecting a
method appropriate to the problem.
Hardware used in the seizure or examination of digital evidence should
be in good operating condition and be tested to ensure that it
operates correctly. Software must be tested to ensure that it produces
reliable results for use in seizure or examination purposes.
Standards and Criteria 1.6
All activity relating to the seizure, storage, examination, or transfer of
digital evidence must be recorded in writing and be available for review
and testimony.
Discussion. In general, documentation to support conclusions must be
such that, in the absence of the originator, another competent person
could evaluate what was done, interpret the data, and arrive at the
same conclusions as the originator.
The requirement for evidence reliability necessitates a chain of custody
for all items of evidence. Chain-of-custody documentation must be
maintained for all digital evidence.
Case notes and records of observations must be of a permanent
nature. Handwritten notes and observations must be in ink, not pencil,
although pencil (including color) may be appropriate for diagrams or
making tracings. Any corrections to notes must be made by an
initialed, single strikeout; nothing in the handwritten information
should be obliterated or erased. Notes and records should be
authenticated by handwritten signatures, initials, digital signatures, or
other marking systems.
Standards and Criteria 1.7
Any action that has the potential to alter, damage, or destroy any
aspect of original evidence must be performed by qualified persons in
a forensically sound manner.
Discussion. As outlined in the preceding standards and criteria,
evidence has value only if it can be shown to be accurate, reliable, and
controlled. A quality forensic program consists of properly trained
personnel and appropriate equipment, software, and procedures to
collectively ensure these attributes.
Comments
SWGDE’s proposed standards for the exchange of digital evidence will
be posted on the National Forensic Science Technology Center, Law
Enforcement Online, and IOCE websites.
International Organization on Computer Evidence (IOCE)
Introduction
The International Organization on Computer Evidence (IOCE) was
established in 1995 to provide international law enforcement agencies
a forum for the exchange of information concerning computer crime
investigation and other computer-related forensic issues. Comprised of
accredited government agencies involved in computer forensic
investigations, IOCE identifies and discusses issues of interest to its
constituents, facilitates the international dissemination of information,
and develops recommendations for consideration by its member
agencies. In addition to formulating computer evidence standards,
IOCE develops communications services between member agencies
and holds conferences geared toward the establishment of working
relationships.
In response to the G-8 Communique and Action plans of 1997, IOCE
was tasked with the development of international standards for the
exchange and recovery of electronic evidence. Working groups in
Canada, Europe, the United Kingdom, and the United States have been
formed to address this standardization of computer evidence.
During the International Hi-Tech Crime and Forensics Conference
(IHCFC) of October 1999, the IOCE held meetings and a workshop to
review the United Kingdom Good Practice Guide and the SWGDE Draft
Standards. The working group proposed the following principles, which
were voted upon by the IOCE delegates present, with unanimous
approval.
IOCE International Principles
The international principles developed by IOCE for the standardized
recovery of computer-based evidence are governed by the following
attributes:
  • consistency with all legal systems
  • allowance for the use of a common language
  • durability
  • ability to cross international boundaries
  • ability to instill confidence in the integrity of evidence
  • applicability to all forensic evidence
  • applicability at every level, including that of individual, agency, and country
These principles were presented and approved at the International Hi-Tech Crime and Forensics Conference in October 1999:
  • Upon seizing digital evidence, actions taken should not change that evidence.
  • When it is necessary for a person to access original digital evidence, that person must be forensically competent.
  • All activity relating to the seizure, access, storage, or transfer of digital evidence must be fully documented, preserved, and available for review.
  • An individual is responsible for all actions taken with respect to digital evidence while the digital evidence is in their possession.
  • Any agency that is responsible for seizing, accessing, storing, or transferring digital evidence is responsible for compliance with these principles.
Other items recommended by IOCE for further debate or facilitation
include the following:
  • forensic competency and the need to generate agreement on international accreditation and the validation of tools, techniques, and training
  • issues relating to practices and procedures for the examination of digital evidence
  • the sharing of information relating to crime and forensic computing, such as events, tools, and techniques
Course Resource
Insider Fraud at Daytona Investment Bank
Scenario
Disclaimer: The storylines and characters in this module are fictitious and
were developed for the purposes of this course. No association with any
real persons, places, or events is intended or should be inferred from the
use of the fictitious names.
Daytona Investment Bank recently announced a loss of $2 billion as a
result of fraud. An internal investigation revealed that Shane Kerry, an
arbitrage trader specializing in Asian stock markets, used his
knowledge of the bank’s internal information security controls to
disguise fraudulent transactions.
The diagram below depicts the process an arbitrage trader follows to
carry out trades.
The following section documents how Shane Kerry’s knowledge of the
bank’s internal systems enabled him to perpetuate the fraud. It follows
the progression of the diagram above.
Shane’s Responsibilities
Shane’s main responsibility is to handle proprietary deals in the futures
market. He purchases portfolios of stock index futures and then sells
them at a slightly higher price. He is allowed to take bets on the small
price differences between futures contracts.
Unauthorized Trading
Shane started placing unauthorized trades, first in small amounts, and
then in very high amounts that far exceeded his trading limit. He
maintained a hedged position by creating fictitious counter portfolios
for these unauthorized trades.
Informal Culture
The informal culture of the organization where Shane works often gives
rise to the sharing of passwords for carrying out quick updates or
transactions on behalf of colleagues. Shane used his colleagues’ IDs to
cover his fraudulent actions. He was able to do this because the system
was not designed for multifaceted authentication of users.
Software Vulnerability
Shane learned from one of his colleagues in the back office that the
custom application software would allow him to create transactions
with forward dates. With this information, he began creating his
fictitious transactions with forward dates and then canceling them just
before the due dates.
Counterparty Confirmation
As per policy, a confirmation from the counterparty was required for
the completion of the transactions. However, the system did not
mandate confirmation from internal or small external parties. Shane
used this to his benefit and attached all his transactions to either
internal counterparties or small external parties. He always canceled the
transactions before their due dates.
Reports
The software systems in the bank generate reports when a trader is
close to or exceeds the upper limit for trading. A typical report looks
like this:
Trading Report: 28 September

Trader Name      Trading Limit   Current Value of Trades   Residual Limit   Supervisor
Shane Kerry      $50,000,000     $49,954,330               -$45,670         Alicia Wu
Nathan Lamb      $60,000,000     $49,905,040               $94,960          Alicia Wu
Theresa Will     $120,000,000    $59,989,400               $10,600          Patrick Jobs
Dana Boyle       $120,000,000    $119,985,500              $14,500          John Roberts
Thomas Fischer   $120,000,000    $119,960,045              $39,955          John Roberts
A number of alerts or red flags are also raised in cases where
discrepancies are present.
However, the system only raises these alerts; it does not stop the
transactions from going through.
Management Responsibilities
Management is concerned with organizational lapses that could
encourage fraud. These include inadequate ERP internal controls, weak
password security, supervisory incompetence, and lack of training.
Managers are supposed to review reports, logs, and alerts generated
by the system and to monitor the activities of the traders. Shane’s
previous supervisors often overlooked these reports. After all, Shane
was making good money for the bank.
Shane’s current supervisor, Alicia Wu, did ask him about the alerts, and
Shane managed to assure her that he had it all covered.
Next, read the following to learn about Daytona’s culture and the
policies that led Shane to feel confident in his ability to defraud the
bank.
Investment Banking: On the Inside
Like most investment banks, Daytona follows the front office/middle
office/back office structure.
  • The front office handles deal execution and is managed by traders. Each trader has a trading account with a trading limit based on the trader’s experience and track record.
  • The middle office handles deal monitoring and comprises the risk management department, compliance department, and treasury department.
  • The back office comprises the operations department, which verifies traders’ transactions, and the technology department, which develops and maintains the bank’s software systems.
Organizational Policies
Here are some of Daytona’s policies:
  • For an arbitrage trader, net positions should not exceed $120 million.
  • No confirmation is required for internal or small external counterparties.
  • For a transaction, a 30-day period is allowed between actual transaction date and order value date.
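The trading report and the policy list above describe the bank’s controls as alert-only: the system computes each trader’s residual limit and raises red flags, but nothing stops a forward-dated, unconfirmed deal from going through, and password sharing lets a deal be booked under a colleague’s ID. The following Python is an added example, not part of the course scenario or of any Daytona system, that runs those checks over a few constructed trade records. It reproduces the report’s residual-limit arithmetic, applies the three stated policies (the $120 million net position ceiling, the confirmation exemption for internal and small external counterparties, and the 30-day window between transaction date and order value date), and places the stated weak rule beside a hardened variant that requires confirmation from every counterparty. The record layout, the Trade fields, the 95 percent "near limit" threshold, and all user IDs, dates and amounts are assumptions made for this example.

```python
"""Added example: control checks over constructed Daytona-style trade records.
Not part of the course scenario; record layout, helper names and sample
values are assumptions made for this illustration."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Policy values stated in the scenario text.
ARBITRAGE_NET_LIMIT = 120_000_000            # net position ceiling for an arbitrage trader
MAX_VALUE_DATE_OFFSET = timedelta(days=30)   # allowed gap between transaction date and order value date
# Assumed for this example: how close to the limit counts as "close to" in the report.
NEAR_LIMIT_RATIO = 0.95


@dataclass
class Trade:
    trade_id: str
    trader: str                  # trader whose book the deal belongs to
    booked_by: str               # user ID that entered the deal into the system
    trade_date: date
    value_date: date
    amount: int
    counterparty_kind: str       # "internal", "small_external" or "major_external"
    confirmed: bool = False      # counterparty confirmation received
    cancelled_on: Optional[date] = None


def residual_limit(limit: int, current_value: int) -> int:
    """Headroom left under a trading limit (positive while the trader is under it)."""
    return limit - current_value


def limit_status(limit: int, current_value: int) -> str:
    """'over', 'near' or 'ok': the classification that drives the report and its alerts."""
    if current_value > limit:
        return "over"
    if current_value >= NEAR_LIMIT_RATIO * limit:
        return "near"
    return "ok"


def confirmation_required(trade: Trade, weak_policy: bool = True) -> bool:
    """Daytona's stated rule exempts internal and small external counterparties;
    the hardened variant (weak_policy=False) requires confirmation from everyone."""
    if weak_policy:
        return trade.counterparty_kind == "major_external"
    return True


def control_findings(trade: Trade, weak_policy: bool = True) -> list:
    """Control violations on one deal. The scenario's system only alerts on
    these; a blocking deployment would reject the deal when the list is non-empty."""
    findings = []
    if trade.value_date - trade.trade_date > MAX_VALUE_DATE_OFFSET:
        findings.append("value date beyond 30-day window")
    if confirmation_required(trade, weak_policy) and not trade.confirmed:
        findings.append("missing counterparty confirmation")
    if trade.booked_by != trade.trader:
        findings.append("booked under another user's ID")   # shared-password indicator
    return findings


def net_position(trades: list, trader: str) -> int:
    """Sum of the trader's live (not cancelled) deals."""
    return sum(t.amount for t in trades if t.trader == trader and t.cancelled_on is None)


def suspicious_cancellations(trades: list) -> list:
    """Forward-dated, unconfirmed deals cancelled before their value date: the
    create-then-cancel pattern the scenario describes, which an alert-only
    system never blocks but a review of the cancellation log can surface."""
    return [t.trade_id for t in trades
            if t.cancelled_on is not None
            and t.value_date > t.trade_date
            and t.cancelled_on < t.value_date
            and not t.confirmed]


def review_book(trades: list, limits: dict, weak_policy: bool = True) -> dict:
    """Per-trader summary a supervisor would review: limit status plus every
    finding on the trader's live deals."""
    report = {}
    for trader, limit in limits.items():
        live = [t for t in trades if t.trader == trader and t.cancelled_on is None]
        findings = {t.trade_id: control_findings(t, weak_policy) for t in live}
        report[trader] = {
            "status": limit_status(limit, net_position(trades, trader)),
            "findings": {k: v for k, v in findings.items() if v},
        }
    return report


# Constructed sample records (fictional user IDs and amounts, not the scenario's report data).
D = date(2023, 9, 1)
TRADES = [
    Trade("T1", "skerry", "skerry", D, D + timedelta(days=2), 40_000_000, "major_external", confirmed=True),
    Trade("T2", "skerry", "nlamb", D, D + timedelta(days=25), 95_000_000, "internal"),
    Trade("T3", "skerry", "skerry", D + timedelta(days=3), D + timedelta(days=28), 70_000_000,
          "small_external", cancelled_on=D + timedelta(days=20)),
    Trade("T4", "nlamb", "nlamb", D, D + timedelta(days=1), 10_000_000, "major_external", confirmed=True),
]
LIMITS = {"skerry": ARBITRAGE_NET_LIMIT, "nlamb": 60_000_000}

if __name__ == "__main__":
    for policy in (True, False):
        print("weak policy:" if policy else "hardened policy:", review_book(TRADES, LIMITS, policy))
    print("suspicious cancellations:", suspicious_cancellations(TRADES))
```

Run stand-alone, the script prints the two reviews and the cancellation list. The difference between the two policy settings is the point: under the bank’s stated rule the unconfirmed internal deal T2 raises only the shared-ID finding, while the hardened rule also flags the missing confirmation; and suspicious_cancellations catches the create-then-cancel pattern from the cancellation record even when the weak rule is in force, which is the review a supervisor in the scenario could have performed rather than accepting a verbal assurance.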
Shane Kerry
I began at the bank seven years ago in the treasury department, and
then went into technology. Before long, I knew almost everything
about the IT systems. I transferred to the front office as an assistant
trader four years ago and immediately felt tremendous pressure to
make money for the bank. Initially, I took risks on small transactions,
and these paid off, so I began taking bigger risks. Pretty soon, it got
addictive.
Yes, the system generates alerts when you make or lose too much
money or go over your limits. My supervisor didn’t probe too much,
and I executed the transactions easily. And I was able to use my
extensive knowledge of the bank’s IT systems to cover my tracks.
Alicia Wu
I began working as Shane’s supervisor three months ago, after I came
back from a two-year sabbatical.
The IT systems had all changed while I was gone, and I didn’t get the
time I needed to attend any training. I did feel some concern about the
system-generated alerts, but whenever I asked Shane about them, he
assured me he had everything covered.
Ted Patterson, CIO
Illegal trades are common in the banking and investment industries.
We have, therefore, spent billions of dollars to customize our IT
systems and put security controls in place.
Our IT systems are geared to detect fraud. Any transaction that’s
outside of strictly defined boundaries generates an alert. But all the
alerts in the world are useless if your human safeguards fail, and that’s
what seems to have happened here.
Liza Bradford, Bank Director
Shane Kerry had in-depth knowledge of the information security
controls at Daytona Investment Bank. He used these controls to mask
his fraudulent transactions.
Yes, we experienced a failure in both our technological and our human
safeguards. We are in the process now of overhauling the entire
system.
Six months ago, Ted Patterson, Daytona Investment Bank’s chief
information officer (CIO), conducted an informal survey among the
bank’s employees. Close to 60 percent of the employees thought that
external attacks pose a greater threat than insider attacks. Not many
were convinced when Patterson told them they were wrong. Many of
them are now more alert to signs of danger from the inside, but at the
cost of $2 billion in losses.
Reflect
Why are insider attacks potentially more damaging than attacks by
outsiders? Some critical reasons are that insiders know minute details
about organizational processes and internal controls, and that security
systems are configured primarily to keep outsiders out, giving insiders
a relatively free hand to carry out attacks undetected. Consequently,
attacks by insiders normally take much longer to detect and result in
greater damage.
