Open rainit2006 opened 3 years ago
Abbreviation of Statement on Auditing Standards. Auditing standards set by the AICPA (American Institute of Certified Public Accountants) and recognized internationally.
SAS 70 is a standard established by the American Institute of Certified Public Accountants (AICPA) for evaluating internal controls related to outsourced services (outsourcing services and the like). It was widely used even before Section 404 of the U.S. Sarbanes-Oxley Act (SOX) took effect, and since Section 404 came into force it has been widely adopted as a method for evaluating internal controls over work a company has outsourced to an external provider. A company that performs outsourced work can report to the outsourcer on the effectiveness of the internal controls over that work by providing a report prepared in accordance with SAS 70.
The European Union has restrictions on “transborder data flows” that would allow private data to flow to countries whose laws would not protect that data. The “Safe Harbor” privacy framework was developed between the United States and the EU to provide a streamlined means for U.S. organizations to comply with the European privacy laws.
Adopted in 1995, it regulates the processing of personal data within the European Union (EU). It is an important component of EU privacy and human rights law.
The General Data Protection Regulation, adopted in April 2016, has superseded the Data Protection Directive and became enforceable on 25 May 2018
Tangible and Physical objects, in IT Security: Hard Disks, USB Drives – NOT the data on them.
Testimony from a first-hand witness: what they experienced with their 5 senses.
Evidence that supports the circumstances surrounding a point or other evidence.
Supports facts or elements of the case; it is not a fact on its own, but supports other facts.
Not first-hand knowledge; normally inadmissible in a case. Computer-generated records, and with them log files, were considered hearsay, but case law and updates to the Federal Rules of Evidence have changed that. Rule 803 provides for the admissibility of a record or report that was “made at or near the time by, or from information transmitted by, a person with knowledge, if kept in the course of a regularly conducted business activity, and if it was the regular practice of that business activity to make the memorandum, report, record or data compilation.”
Computer-generated or electronic information is categorized as hearsay.
The courts prefer the best evidence possible. Evidence should be accurate, complete, relevant, authentic, and convincing.
Legally admissible evidence. Competent evidence tends to prove the matter in dispute. In a murder trial, for example, competent evidence might include the murder weapon with the defendant's fingerprints on it. If evidence was obtained by means that violate the law, it fails the competence requirement and cannot be used as evidence in court.
This is common in cases involving IT. Logs and documents from the systems are considered secondary evidence.
It is vital that the evidence’s integrity cannot be questioned. We do this with hashes. Any forensics is done on copies and never on the originals. We check the hash of both the original and the copy, before and after the forensics.
This is done to prove the integrity of the data, i.e. that no tampering was done. Who handled it? When did they handle it? What did they do with it? Where did they handle it? Evidence is essential for explaining events in court and similar settings, but sloppy handling causes the evidence to lose its evidentiary value. From the moment the evidence is obtained, record in order when, where, by whom and what was done with it, so that its evidentiary value can be shown at a glance.
Expert opinion evidence allows individuals to offer their opinion based upon the facts in evidence and their personal knowledge. Expert opinion evidence may be offered only if the court accepts the witness as an expert in a particular field.
The first step in a forensic investigation is to make a copy of the hard drive. This method ensures that the original system is not altered in any way during the investigation process. Following this procedure ensures an accurate chain of custody.
When seizing and preserving electronic evidence, it is important to restrict all physical and remote access to the computer, photograph any images on the screen showing the state of the system, do not touch the keyboard, and conduct all forensic analysis operations of the evidence on imaged copies of the original disk in order to prevent inadvertent alteration of the original evidence.
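The hashing, imaging and chain-of-custody notes above (work only on a copy, hash original and copy before and after analysis, record who/when/what/where for every handling step) can be combined into one small script. The following is an added example written for these notes, not code from the original page or from any forensic product; the "drive" is a constructed byte string standing in for a device that would really be read through a write blocker, and the examiner and lab names are placeholders.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed stand-in for the seized drive. In practice this would be a raw
# device opened read-only behind a write blocker, never an in-memory object.
ORIGINAL_DRIVE = b"MBR\x00" + bytes(range(256)) * 4 + b"user-file: quarterly-report.xlsx\n"


def sha256_hex(data: bytes) -> str:
    """Fingerprint the complete byte stream of the original or of a copy."""
    return hashlib.sha256(data).hexdigest()


def acquire_image(original: bytes) -> bytes:
    """Bit-for-bit copy; all examination happens on the value this returns."""
    return bytes(original)


def verify_image(original: bytes, image: bytes) -> bool:
    """True only when the copy hashes identically to the original."""
    return sha256_hex(original) == sha256_hex(image)


@dataclass
class CustodyEntry:
    when: str      # UTC timestamp of the handling step
    who: str       # person handling the evidence
    what: str      # action performed
    where: str     # physical location
    sha256: str    # hash observed at that step


@dataclass
class ChainOfCustody:
    entries: list = field(default_factory=list)

    def record(self, who: str, what: str, where: str, data: bytes) -> CustodyEntry:
        entry = CustodyEntry(datetime.now(timezone.utc).isoformat(),
                             who, what, where, sha256_hex(data))
        self.entries.append(entry)
        return entry

    def hashes_consistent(self) -> bool:
        """Every recorded step must show the same hash as the first one."""
        return len({e.sha256 for e in self.entries}) == 1


def examine_copy(image: bytes) -> dict:
    """Read-only analysis step: look for a marker without altering the image."""
    return {"has_report": b"quarterly-report" in image, "size": len(image)}


def run_investigation(original: bytes = ORIGINAL_DRIVE,
                      examiner: str = "examiner-01",      # placeholder name
                      lab: str = "lab-bench-3") -> dict:  # placeholder location
    log = ChainOfCustody()
    baseline = log.record(examiner, "hashed original before imaging", lab, original).sha256
    image = acquire_image(original)
    log.record(examiner, "hashed working copy after imaging", lab, image)
    findings = examine_copy(image)
    log.record(examiner, "hashed working copy after analysis", lab, image)
    log.record(examiner, "hashed original after analysis", lab, original)
    return {
        "baseline": baseline,
        "findings": findings,
        "integrity_ok": log.hashes_consistent() and verify_image(original, image),
        "log": log,
    }


if __name__ == "__main__":
    result = run_investigation()
    for e in result["log"].entries:
        print(f"{e.when} {e.who} {e.where}: {e.what} sha256={e.sha256[:16]}...")
    print("integrity_ok:", result["integrity_ok"], "findings:", result["findings"])
```

If any step (a sloppy copy, an analysis tool that writes to the image) changes a single byte, `hashes_consistent()` returns False and the custody log shows at which step the hash diverged, which is exactly what the notes mean by being able to show evidentiary value "at a glance".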
A rule that states that when an agreement between parties is put into written form, the written document is assumed to contain all the terms of the agreement and no verbal agreements may modify the written agreement.
Data marts are closely tied to data warehouses, but there is a distinct difference. Data marts are collections of data from different databases or systems that fulfill a specific need. Data warehouses are collections of data from different databases or systems that could cover a wide variety of objectives. However, it is common for data marts to be subsets of data warehouses.
Reciprocal agreements are made between companies with the understanding that available facilities can be used by a company in the event of a disaster. These agreements come with a handful of problems, however. One problem is that they are not legally binding. Also, there are confidentiality issues. Most companies would not want to migrate their business operations into the house of another company, possibly revealing proprietary information.
Clipping levels are thresholds set by management of acceptable numbers of mistakes or errors made by employees. The reason clipping levels are set is to notify security or management when innocent mistakes become routine enough to suspect fraudulent behavior.
The backup site should be at least 25 miles away from the primary site to give the company maximum protection in cases of regional disasters.
A distributed computing technology provides commonly needed application functionality and procedures across various environments. A service-oriented architecture (SOA) provides standardized access to the most needed services to many different applications at one time. Application functionality is separated into distinct units (services) and offered up through well-defined interfaces and data-sharing standardization. This means that individual applications do not need to possess the same redundant code and functionality. The functionality can be offered by an individual entity, and then all other applications can just call upon and use the one instance. This is really the crux of all distributed computing technologies and approaches; SOA is just a more web-based approach.
Although each company will implement its own change management policy, the general procedures will remain the same. The correct order is:
Configuration management is the process of establishing and maintaining consistent baselines on all organizational systems. It could be considered a sub-area of change management.
NetBus or Netbus is a software program for remotely controlling a Microsoft Windows computer system over a network. It was created in 1998 and has been very controversial for its potential of being used as a trojan horse.
Using software that bypasses normal security constraints to allow unauthorized access to data. For example, such a program may issue commands directly to the disk drivers without going through normal file I/O routines, bypassing not only security restrictions but also leaving no audit trail.
European Institute for Computer Antivirus Research (EICAR). The EICAR test file (EICAR Standard Anti-Virus Test File) is a file developed by EICAR for testing the response of anti-virus (AV) software. A test virus.
MOM – Motivations, Opportunities and Means
Locard's exchange principle (罗卡定律, 洛卡尔物质交换原理). A trace-evidence principle commonly used in criminology and criminal investigation; it also has a simpler name: "every contact leaves a trace". As the name implies, when two things come into contact they inevitably exchange and leave behind some material, i.e. trace evidence. In other words, a crime will always leave traces.
A security system for preventing information leakage. Unlike information-leakage countermeasures such as IT asset management tools, which manage IDs and passwords and monitor users, DLP monitors and protects the data itself.
If software is released into the public domain, anyone may use it for any purpose, without restriction.
A fail-secure system will default to a secure state in the event of a failure, blocking all access. A fail-open system will fail in an open state, granting all access.
In a manual recovery approach, the system does not fail into a secure state but requires an administrator to manually restore operations. In an automated recovery, the system can recover itself against one or more failure types. In an automated recovery without undue loss, the system can recover itself against one or more failure types and also preserve data against loss. In function recovery, the system can restore functional processes automatically.
Generators are capable of providing backup power for a sustained period of time in the event of a power loss, but they take time to activate. UPS provides immediate, battery-driven power for a short period of time to cover momentary losses of power, which would not cover a sustained period of power loss.
NetFlow records contain an entry for every network communication session that took place on a network and can be compared to a list of known malicious hosts. IDS logs may contain a relevant record, but it is less likely, because they would only create log entries if the traffic triggers the IDS, as opposed to NetFlow records, which encompass all communications. NetFlow is a technology developed by Cisco Systems, Inc. for monitoring and analyzing network traffic information. It is mainly implemented in Cisco routers and switches, but it is now becoming the industry standard for flow measurement and is supported by network equipment from many vendors.
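The comparison described above (every flow record checked against a list of known malicious hosts, so that a session is caught even when no IDS signature fired) looks like this in practice. This is an added example written for these notes, not code from the original page or from Cisco; the flow records use a simplified constructed CSV layout rather than a real NetFlow export, and the threat list is made up of documentation address ranges.

```python
import ipaddress
from dataclasses import dataclass

# Constructed flow records (start, src, dst, dst port, proto, bytes in, bytes out).
# Not a real NetFlow export; the layout is simplified for the example.
FLOW_RECORDS = """\
2024-03-01T10:02:11Z,10.0.5.23,203.0.113.77,443,TCP,18230,1024
2024-03-01T10:02:15Z,10.0.5.23,198.51.100.8,53,UDP,120,96
2024-03-01T10:03:40Z,10.0.9.4,192.0.2.45,8443,TCP,2048,5511020
2024-03-01T10:04:02Z,10.0.5.23,203.0.113.10,80,TCP,640,330
"""

# Constructed list of known malicious hosts: single addresses and CIDR ranges.
KNOWN_BAD = ["192.0.2.45", "203.0.113.0/28"]


@dataclass
class Flow:
    start: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str
    bytes_in: int
    bytes_out: int


def parse_flows(text: str) -> list:
    """Turn the CSV text into Flow objects; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, src, dst, dport, proto, b_in, b_out = line.split(",")
        flows.append(Flow(start, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                          int(dport), proto, int(b_in), int(b_out)))
    return flows


def build_blocklist(entries: list) -> list:
    """Normalize single IPs and CIDRs into network objects for membership tests."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def find_flows_to_known_bad(text: str, bad_entries: list) -> list:
    """Return every flow whose source or destination falls in a known-bad range."""
    nets = build_blocklist(bad_entries)
    hits = []
    for flow in parse_flows(text):
        if any(flow.src in n or flow.dst in n for n in nets):
            hits.append(flow)
    return hits


if __name__ == "__main__":
    for f in find_flows_to_known_bad(FLOW_RECORDS, KNOWN_BAD):
        print(f"{f.start} {f.src} -> {f.dst}:{f.dport}/{f.proto} "
              f"in={f.bytes_in} out={f.bytes_out}")
```

The third record is the one an IDS would most likely have missed: an encrypted session on an unusual port carries no signature to match, but the flow record still shows a large outbound volume to a listed host, which is why the notes favour flow data for this kind of retrospective check.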
A forensic disk controller performs four functions. One of those, write blocking, intercepts write commands sent to the device and prevents them from modifying data on the device. The other three functions include returning data requested by a read operation, returning access-significant information from the device, and reporting errors from the device back to the forensic host.
Duress, or being under threat of violence or other constraints, is a concern for organizations such as banks, jewelry stores, or other organizations where an attacker may attempt to force an employee to perform actions. Organizations that expect that a scenario like this may occur will often use duress code words that let others know that they are performing actions under threat.
Force majeure clause.
Stockholm syndrome. In clinical work with victims of crimes such as kidnapping and confinement, it refers to the victim forming a psychological bond with the perpetrator as a survival strategy.
Distributing load to multiple regions, e.g. someone deploys their website to multiple regions using load balancers around the world through their cloud infrastructure-as-a-service provider.
A general term for an organization that handles computer security incidents. It continuously collects and analyzes incident-related information, vulnerability information and attack-precursor information, and carries out activities such as formulating response policies and procedures. CSIRT representation normally includes at least representatives of senior management, information security professionals, legal representatives, public affairs staff, and engineering/technical staff.
Security event:
Security incident:
An IDS cannot mitigate single-packet attacks. An IDS is a network monitoring device that passively monitors a copy of network traffic, not the actual packet. Typically, an IDS has a management interface and at least one monitoring interface for each monitored network. Each monitoring interface operates in promiscuous mode and cannot be assigned an Internet Protocol (IP) address; however, it does have a MAC address assigned to its monitoring port. Because an IDS does not reside in the path of network traffic, traffic does not flow through the IDS; therefore, the IDS cannot directly block malicious traffic before it passes into the network. However, an IDS can send alerts to a management station when it detects malicious traffic and may be able to modify the configuration of other network security devices, such as firewalls, to block traffic. For example, an IDS that detected an Internet Control Message Protocol (ICMP) attack could configure a firewall at the edge of the wide area network (WAN) to block specific ICMP messages until the attack was mitigated.
By contrast, an intrusion prevention system (IPS) is a network monitoring device that can mitigate single-packet attacks. An IPS requires at least two interfaces for each monitored network: one interface monitors traffic entering the IPS, and the other monitors traffic leaving the IPS. Because all monitored traffic must flow through an IPS, an IPS can directly block malicious traffic before it passes into the network. Like an IDS, an IPS does not have an IP address assigned to its monitoring ports; unlike an IDS, it also has no MAC address assigned to them.