Staying Legal
Problem
Monitoring the activity of people is starting to enter questionable legal (not to mention ethical) grounds. How can you stay on the right side of it?
Solution
Know your legal requirements, be ethical, and you are unlikely to get burned.
Discussion
It is hard to write a section that will comprehensively cover all areas in all countries; each legal system has its own statutes and acts that apply to the area of computing. To give this section a fair appreciation, we are going to approach it from an ethical standpoint. There are sections of U.S. and U.K. law referenced in the "See Also" section at the end. To quote them would probably be counterproductive, as they are likely to send you to sleeptrust us, we've read them.
It is ethically wrong to spy on someone without good cause. In the case of detecting an attack or an attacker, your good cause is the protection of your business or personal assets. This is fairly simple, but you would still do well to include a banner to this effect at any point of access (e.g., FTP, web server, Telnet, SSh, etc.). Something along the lines of:
----- This is Simon's FTP Server. ----- Unauthorized access or unauthorized use is not permitted. All use of this server is monitored for security reasons.
This quite clearly states that access is only for those authorized and that usage should also be authorized (so an employee uploading the latest Star Wars movie is also subject despite being authorized for access), and that all such usage is being monitored. It also states the reason for doing so. If you feel like adding a bit more emphasis to it, you can always add:
Anyone found to be in breach of authorized use will be prosecuted to the fullest extent of the law.
It doesn't really add much legally, but people might think a bit more if they think you might actually do something about it!
Legally, you are going to do pretty well against someone who is attempting to compromise the security of your systems.
"Your honor, my client's privacy was invaded while he was exploiting a buffer overflow to deface the web site of the plaintiff."
"Case Dismissed."
In most (but not alldon't count on it) countries, this is a criminal offense in itself. However, your own employees, and even your legitimate customers, are in a very different situation.
There is a significant difference between "attack" and "misuse," as the previous FTP server/Star Wars example shows. As an employer, you need to define an acceptable use policy before you can monitor for acceptable use. If you don't tell your employees what they can and can't do, you can't realistically expect them to know. You should be aware that the emphasis is on getting them to read the policy; ideally, you should have them sign a hardcopy of the policy and then keep it on record. This should be kept up to date, reissued, and hopefully re-signed. The time scale for this is dependant on your business, but annually is a good bet. Obviously, this doesn't actually mean that anyone reads the thingthey just sign it and get back to workbut it does give you a position of far greater strength. A reasonable acceptable use policy is available for download from http://www.sans.org/resources/policies/; there are also a lot of good guidelines here for other areas of policy implementation.
If you are keeping information on computer, and this information could possibly be related to the actions of an individual, which they may be within IDS logs, you should be aware of your obligations under any personal data laws that may be in force in your country. A company once had issues with getting billing information for their software from another country, the billing records matched a username with duration of use of the software, and this was determined to be enough to identify an individual and prevent that data from being exported. Ensure that you either use the obfuscation feature until completely necessary, or are allowed to keep such information in order to avoid problems.
|
|
Installing Snort from Source on Unix
- Installing Snort from Source on Unix
- Installing Snort Binaries on Linux
- Installing Snort on Solaris
- Installing Snort on Windows
- Uninstalling Snort from Windows
- Installing Snort on Mac OS X
- Uninstalling Snort from Linux
- Upgrading Snort on Linux
- Monitoring Multiple Network Interfaces
- Invisibly Tapping a Hub
- Invisibly Sniffing Between Two Network Points
- Invisibly Sniffing 100 MB Ethernet
- Sniffing Gigabit Ethernet
- Tapping a Wireless Network
- Positioning Your IDS Sensors
- Capturing and Viewing Packets
- Logging Packets That Snort Captures
- Running Snort to Detect Intrusions
- Reading a Saved Capture File
- Running Snort as a Linux Daemon
- Running Snort as a Windows Service
- Capturing Without Putting the Interface into Promiscuous Mode
- Reloading Snort Settings
- Debugging Snort Rules
- Building a Distributed IDS (Plain Text)
- Building a Distributed IDS (Encrypted)
Logging to a File Quickly
- Logging to a File Quickly
- Logging Only Alerts
- Logging to a CSV File
- Logging to a Specific File
- Logging to Multiple Locations
- Logging in Binary
- Viewing Traffic While Logging
- Logging Application Data
- Logging to the Windows Event Viewer
- Logging Alerts to a Database
- Installing and Configuring MySQL
- Configuring MySQL for Snort
- Using PostgreSQL with Snort and ACID
- Logging in PCAP Format (TCPDump)
- Logging to Email
- Logging to a Pager or Cell Phone
- Optimizing Logging
- Reading Unified Logged Data
- Generating Real-Time Alerts
- Ignoring Some Alerts
- Logging to System Logfiles
- Fast Logging
- Logging to a Unix Socket
- Not Logging
- Prioritizing Alerts
- Capturing Traffic from a Specific TCP Session
- Killing a Specific Session
How to Build Rules
- How to Build Rules
- Keeping the Rules Up to Date
- Basic Rules You Shouldnt Leave Home Without
- Dynamic Rules
- Detecting Binary Content
- Detecting Malware
- Detecting Viruses
- Detecting IM
- Detecting P2P
- Detecting IDS Evasion
- Countermeasures from Rules
- Testing Rules
- Optimizing Rules
- Blocking Attacks in Real Time
- Suppressing Rules
- Thresholding Alerts
- Excluding from Logging
- Carrying Out Statistical Analysis
Detecting Stateless Attacks and Stream Reassembly
- Detecting Stateless Attacks and Stream Reassembly
- Detecting Fragmentation Attacks and Fragment Reassembly with Frag2
- Detecting and Normalizing HTTP Traffic
- Decoding Application Traffic
- Detecting Port Scans and Talkative Hosts
- Getting Performance Metrics
- Experimental Preprocessors
- Writing Your Own Preprocessor
Managing Snort Sensors
- Managing Snort Sensors
- Installing and Configuring IDScenter
- Installing and Configuring SnortCenter
- Installing and Configuring Snortsnarf
- Running Snortsnarf Automatically
- Installing and Configuring ACID
- Securing ACID
- Installing and Configuring Swatch
- Installing and Configuring Barnyard
- Administering Snort with IDS Policy Manager
- Integrating Snort with Webmin
- Administering Snort with HenWen
- Newbies Playing with Snort Using EagleX
Generating Statistical Output from Snort Logs
- Generating Statistical Output from Snort Logs
- Generating Statistical Output from Snort Databases
- Performing Real-Time Data Analysis
- Generating Text-Based Log Analysis
- Creating HTML Log Analysis Output
- Tools for Testing Signatures
- Analyzing and Graphing Logs
- Analyzing Sniffed (Pcap) Traffic
- Writing Output Plug-ins
Monitoring Network Performance
- Monitoring Network Performance
- Logging Application Traffic
- Recognizing HTTP Traffic on Unusual Ports
- Creating a Reactive IDS
- Monitoring a Network Using Policy-Based IDS
- Port Knocking
- Obfuscating IP Addresses
- Passive OS Fingerprinting
- Working with Honeypots and Honeynets
- Performing Forensics Using Snort
- Snort and Investigations
- Snort as Legal Evidence in the U.S.
- Snort as Evidence in the U.K.
- Snort as a Virus Detection Tool
- Staying Legal
Index
EAN: 2147483647
Pages: 167
