
InfoSec Recommendations for Portland PD v3

(Bond, 2016)

Portland Police Department Information Security

Recommendations for information security

Presented to Prof. Frank Appunn

Presented by Douglas Heanssler

Date February 26, 2016

Requested by Thomas College CS422


PORTLAND POLICE DEPARTMENT

Table of Contents

1. INTRODUCTION ... 4
2. RISK IDENTIFICATION ... 4
   2.1 IDENTIFYING ASSETS ... 4
   2.2 ASSET VALUATION ... 5
   2.3 VULNERABILITY ASSESSMENT ... 5
3. RISK ASSESSMENT ... 6
   3.1 IMPACT AND LIKELIHOOD ... 7
   3.2 USING A RISK MATRIX ... 7
   3.3 POTENTIAL CONTROLS ... 8
4. PEOPLE ... 9
   4.1 SECURITY EDUCATION ... 9
   4.2 TRAINING ... 9
   4.3 AWARENESS ... 11
5. COMPUTERS ... 11
   5.1 PROGRAMS ... 11
   5.2 MAINTENANCE ... 12
   5.3 SAFE PRACTICES ... 13
6. NETWORKS ... 13
   6.1 NETWORK ACCESS ... 13
   6.2 NETWORK SECURITY CONTROLS ... 14
7. PHYSICAL SECURITY ... 14
   7.1 BUILDING SECURITY ... 15
   7.2 MOBILE COMPUTERS ... 15
8. CONTINGENCY PLANNING ... 17
   8.1 INCIDENT RESPONSE ... 17
   8.2 DISASTER RECOVERY ... 18
   8.3 BUSINESS CONTINUITY ... 18
9. COSTS ... 19
   9.1 ESTIMATED COSTS ... 19
   9.2 COST EFFECTIVENESS ... 19
10. LEGAL ... 19
   10.1 CJIS ... 19
11. REFERENCES ... 20


Executive Summary

This document is intended to give the senior leadership of the Portland Police Department a concise list of recommendations and procedures for securing the department's assets. Cybercrime is one of the fastest-growing categories of crime in the world, and as more people rely on technology it will continue to grow. Police departments are not immune to these threats; consider the following recent incidents:

December 2014—Tewksbury, Massachusetts: CryptoLocker takes over the department computers and all recent backups, and the department is forced to pay $500 to get their files back.

January 2015—Midlothian, Texas: Ransomware takes over the department computers and backups, and the department is forced to pay $500 to get their files back.

March 2015—Lincoln County, Maine: Ransomware takes over a server shared by four local police departments; the backups had been made incorrectly and were useless, and the department is forced to pay $318 to get its files back (Peters, 2015).

The news is full of examples like these. The purpose of this document is to greatly lower the odds of the Portland Police Department appearing in a story like those. Throughout this paper, topics such as risk identification, risk assessment, people, computers, networks, physical security, and legal issues are covered. The paper shows that while security software and hardware are important, it is the people and their knowledge that give the greatest benefit for the money.

Please note that these suggestions are made with the best knowledge I could find as of 2016. They should be considered alongside recognized security frameworks such as those published by the National Institute of Standards and Technology (NIST). These recommendations are by no means static and should be read in the context of current technology and best practices. It is impossible to protect fully against all threats; as such, I make no claim that this document will provide the Portland Police Department with infallible security.


1. Introduction

The Portland Police Department has a self-defined mission to “maintain a safe city by working in partnership with the community to prevent and reduce crime, protect life and property, help resolve neighborhood problems and protect the rights of all” (Mission Statement and Core Values, n.d.). Information security is vital to achieving these goals. For citizens to work cooperatively with police they must trust the police, and to build that trust the department must be able to secure any information it holds from or about private citizens. The Portland Police Department also uses social media to reach out to the community and appear more approachable, reducing fear of police. Police also depend on their information being accurate and available so that they can enforce the law.

2. Risk Identification

Risk identification is the most important part of risk management in any organization. It is the process through which an organization identifies its assets, how valuable those assets are, and the threats to them. No organization can afford absolute security against every potential threat; doing so would cost many times its entire revenue.

2.1 Identifying Assets

One of the most important steps in risk management is knowing what you are trying to protect. Anything that has value to an organization is an asset; this can include items such as people, procedures, data, software, hardware, and networks (Management of Information Security, 2014). The table below outlines these assets by category:

People: Patrol Officers; Dispatch Workers; Police Management; Cleaning Crew; Network Administrators
Procedures: Local, State, and Federal Laws; Patrol Procedures
Data: Criminal Database; Police Reports; Officer and Civilian PII
Software: Open Call Program; Website; Computer Forensic Investigation
Hardware: Mobile Computers; Vehicles; Personal Equipment; Network Devices
Networks: Radio Communications; Internal Network; Cellular Networks


2.2 Asset Valuation

The next step in the process is to look at our assets and rank them by importance, scoring each on its value to effectiveness, department cost, and public image (each on a 1-100 scale). The weighted score applies the weights in the first row to the three columns and averages the three weighted values, rounded to the nearest whole number.

Asset | Effectiveness (1-100) | Department Cost (1-100) | Public Image (1-100) | Weighted Score
Weight | 1.4 | 1.1 | 1.4 |
Patrol Officer | 90 | 80 | 90 | 113
Dispatch Workers | 85 | 75 | 67 | 98
Laws | 100 | 1 | 10 | 52
Personal Equipment | 78 | 40 | 30 | 65
Vehicles | 75 | 75 | 70 | 95
Open Call Program | 82 | 40 | 72 | 87
Radio | 68 | 50 | 30 | 64
Internal Networks | 78 | 58 | 20 | 67
Officer and Civ. PII | 20 | 93 | 100 | 90
Police Reports | 88 | 82 | 95 | 115
Cellular Network | 60 | 30 | 1 | 39
Police Management | 75 | 50 | 89 | 95
Criminal Database | 74 | 88 | 40 | 85
Patrol Procedures | 80 | 10 | 20 | 50
Network Devices | 65 | 75 | 10 | 63
Network Admin | 48 | 40 | 50 | 60
Cleaning Crew | 65 | 38 | 1 | 45
Computer Forensics Software | 35 | 30 | 1 | 28
Website | 35 | 20 | 70 | 56

2.3 Vulnerability Assessment

The next step in the process is identifying the specific threats present. The process provides twelve categories of threats; for simplicity I have limited the list to the relevant categories.

Forces of Nature: damage to network assets; damage to personnel; damage to equipment or vehicles
Human Error or Failure: accidental disclosure of PII, police reports, or internal information
Information Extortion: encryption of computers and data (ransomware)
QoS Deviations from Providers: failure of cellular service; failure of the radio system
Sabotage or Vandalism: damage to network devices; damage to vehicles; damage to personal equipment
Software Attacks: theft of information
Technical Software Errors or Failures: accidental release of information; misinformation communicated
Technical Hardware Errors or Failures: network unavailability
Theft: theft of vehicles; theft of hardware

3. Risk Assessment

Before assessing the impact and likelihood of the risks one must determine what scales will be used for each. There are two kinds of scales used in risk assessment: qualitative and quantitative. Quantitative scales assign specific numbers to impact and likelihood; qualitative scales use descriptive terms such as low, medium, and high. For the following sections I have used qualitative scales. Below is an explanation of what these criteria mean and when they apply.

Impact | Description
Very Low | Impacts business for less than 2 weeks
Low | Impacts business for 2 weeks to 1 month
Moderate | Impacts business for 1 month to 6 months
High | Impacts business for 6 months to 1 year
Critical | Impacts business for greater than 1 year

Probability | Description
Very Low | Likely to occur at least once in a 1-year period
Low | Likely to occur at least once in a 6-month period
Moderate | Likely to occur at least once in a 3-month period
High | Likely to occur at least once in a 1-month period
Very High | Likely to occur at least once in a 2-week period


3.1 Impact and Likelihood

I have taken the list of risks and applied qualitative rankings to both the impact and likelihood factors. These qualitative expressions are later converted to numeric values for use in a risk matrix. We then have the following list of risks:

Risk # | Risk Name | Risk Impact | Risk Likelihood | Risk Score | Risk Level
1 | Website DOS | Very Low | High | 53 | Moderate
2 | Dispatch Center DOS | Critical | Very Low | 75 | High
3 | Theft/Disclosure of Private Data | Moderate | Low | 59 | Moderate
4 | Physical Theft of Officer Property | Low | Very Low | 36 | Low
5 | Physical Damage to Computers | Moderate | Low | 59 | Moderate
6 | Unauthorized Release of Information by Employee | High | Very Low | 62 | Moderate
7 | Backdoor Installation | Moderate | Moderate | 69 | High
8 | Armed Planned Attack on Officers | Critical | Very Low | 75 | High
9 | Armed Unplanned Attack on Officers | Critical | Low | 85 | Very High
10 | Ransomware Attack | High | Moderate | 82 | Very High
11 | Unauthorized Record Modification | High | Very Low | 62 | Moderate
12 | Ineffective Password | Low | Very High | 76 | High
13 | Incorrect Report Information | Low | High | 66 | High
14 | Vehicle Breakdown | Low | Low | 46 | Moderate

3.2 Using a Risk Matrix

The way I have constructed my risk matrix gives more weight (1.3x) to damage than to probability. This is done to take into account the very-low-probability events that could potentially ruin an organization. I then assigned five point ranges to five colors to display the level of risk.

Likelihood \ Impact | Very Low | Low | Moderate | High | Critical
Very Low | | Physical Theft of Officer Property | | Unauthorized Release of Information by Employee; Unauthorized Record Modification | Dispatch Center DOS; Armed Planned Attack on Officers
Low | | Vehicle Breakdown | Theft/Disclosure of Private Data; Physical Damage to Computers | | Armed Unplanned Attack on Officers
Moderate | | | Computer Backdoor Installation | Ransomware Attack |
High | Website DOS | Incorrect Report Information | | |
Very High | | Ineffective Password | | |

Range | Risk Level
23-42 | Low
43-62 | Moderate
63-81 | High
82-99 | Very High
100-115 | Extreme

3.3 Potential Controls

Looking at the risk matrix, I can see there are many risks in the high and very high areas. These are the risks that should be addressed first. An armed, unplanned attack on an officer is already controlled for in most police departments by issuing body armor and personal defense weapons, by combat training, and by policies emphasizing officer safety. Ransomware presents a large threat to the information and systems of a police department. It is recommended that firewalls, intrusion detection and prevention systems, anti-malware tools, and strong education be implemented to prevent a computer from being infected with ransomware. Together with strong authentication and authorization measures, these also protect against backdoors being installed in the systems. Having backup systems in place would also provide an action plan in case a dispatch center goes down.
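As an added example, not part of the original paper, the scoring behind sections 2.2 and 3.1-3.2 written out in Python. The weights, qualitative levels and colour bands are the paper's own; the two formulas (a weighted average rounded half-up for assets, and 13 points per impact level plus 10 per likelihood level for risks) are my reconstruction from the paper's tables, and the code checks itself against every row of the section 3.1 register so a reader can confirm the fit.

```python
"""Asset valuation (section 2.2) and the risk matrix (sections 3.1-3.2) as code.

The weights 1.4/1.1/1.4, the five qualitative levels and the five colour bands
are taken from the paper. The two scoring formulas were recovered by fitting
the paper's own tables (every asset row and every risk row reproduces) and are
an assumption about how the author's spreadsheet worked, not a quote from it.
"""
from collections import defaultdict

# Section 2.2 column weights (Effectiveness, Department Cost, Public Image),
# kept in tenths so the arithmetic is exact integer math.
WEIGHTS_TENTHS = (14, 11, 14)  # i.e. 1.4, 1.1, 1.4


def weighted_score(effectiveness: int, cost: int, image: int) -> int:
    """Mean of the three weighted columns, rounded half-up as a spreadsheet does.

    Paper examples: Patrol Officer (90, 80, 90) -> 113, Laws (100, 1, 10) -> 52.
    """
    total_tenths = sum(w * v for w, v in zip(WEIGHTS_TENTHS, (effectiveness, cost, image)))
    # round_half_up(total_tenths / 30) without touching floating point
    return (2 * total_tenths + 30) // 60


# Section 3: qualitative levels mapped onto 1..5.
IMPACT = {"Very Low": 1, "Low": 2, "Moderate": 3, "High": 4, "Critical": 5}
LIKELIHOOD = {"Very Low": 1, "Low": 2, "Moderate": 3, "High": 4, "Very High": 5}

# Section 3.2: damage weighted 1.3x probability, i.e. 13 points per impact
# level and 10 per likelihood level. Range is 23 (1,1) to 115 (5,5), which is
# exactly the span covered by the paper's colour bands.
IMPACT_POINTS, LIKELIHOOD_POINTS = 13, 10

BANDS = (  # (upper bound inclusive, label) from the section 3.2 range table
    (42, "Low"), (62, "Moderate"), (81, "High"), (99, "Very High"), (115, "Extreme"),
)


def risk_score(impact: str, likelihood: str) -> int:
    return IMPACT_POINTS * IMPACT[impact] + LIKELIHOOD_POINTS * LIKELIHOOD[likelihood]


def risk_level(score: int) -> str:
    for upper, label in BANDS:
        if score <= upper:
            return label
    raise ValueError(f"score {score} is outside the matrix range 23-115")


def risk_register(risks):
    """risks: iterable of (name, impact, likelihood).

    Returns (name, impact, likelihood, score, level) rows sorted highest score
    first, so the top of the list is what section 3.3 says to address first.
    """
    rows = []
    for name, impact, likelihood in risks:
        score = risk_score(impact, likelihood)
        rows.append((name, impact, likelihood, score, risk_level(score)))
    return sorted(rows, key=lambda row: row[3], reverse=True)


def risk_matrix(risks):
    """Group risk names into matrix cells keyed (likelihood, impact)."""
    cells = defaultdict(list)
    for name, impact, likelihood in risks:
        cells[(likelihood, impact)].append(name)
    return dict(cells)


# The 14 risks of section 3.1, transcribed from the paper, with the scores it prints.
PAPER_RISKS = [
    ("Website DOS", "Very Low", "High"),
    ("Dispatch Center DOS", "Critical", "Very Low"),
    ("Theft/Disclosure of Private Data", "Moderate", "Low"),
    ("Physical Theft of Officer Property", "Low", "Very Low"),
    ("Physical Damage to Computers", "Moderate", "Low"),
    ("Unauthorized release of information by employee", "High", "Very Low"),
    ("Backdoor Installation", "Moderate", "Moderate"),
    ("Armed Planned Attack on Officers", "Critical", "Very Low"),
    ("Armed Unplanned Attack on Officers", "Critical", "Low"),
    ("Ransomware Attack", "High", "Moderate"),
    ("Unauthorized Record Modification", "High", "Very Low"),
    ("Ineffective Password", "Low", "Very High"),
    ("Incorrect Report Information", "Low", "High"),
    ("Vehicle Breakdown", "Low", "Low"),
]
PAPER_SCORES = [53, 75, 59, 36, 59, 62, 69, 75, 85, 82, 62, 76, 66, 46]


def matches_paper() -> bool:
    """True if the recovered formula reproduces every score in the section 3.1 table."""
    return [risk_score(i, l) for _, i, l in PAPER_RISKS] == PAPER_SCORES


if __name__ == "__main__":
    for name, _, _, score, level in risk_register(PAPER_RISKS):
        print(f"{score:3d}  {level:9s} {name}")
    print("formula reproduces the paper's table:", matches_paper())
```

Keeping the scoring in code rather than in spreadsheet cells makes the weighting explicit and reviewable: changing the 13/10 split, or adding a sixth level, is a one-line edit and the register re-sorts itself.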

4. People

People are the most valuable asset an organization has; without them an organization cannot function. However, they can also be one of an organization's greatest threats to information security. This threat can be greatly reduced through a SETA (security education, training, and awareness) program. It is important to note that while employees do pose a risk to information security, they also need to be viewed as part of the solution. There are three major benefits to a SETA program: it improves employee behavior, it informs employees where to report violations, and it allows the PPD to hold employees accountable (Management of Information Security, 2014). By investing in your employees' knowledge, you strengthen your security for the present and lay the foundation for an organization that will last into the future.

4.1 Security Education

This is the base level of formal education an employee has on a particular subject. It usually refers to education at a college or university, but could also mean education acquired through a certification program. Courses must be set up with specific education areas, prerequisites, and clear indicators that the participant has retained knowledge of the subject matter.

It is important to review what education requirements exist for particular positions. The accompanying chart displays various positions and the knowledge areas in which they should have advanced knowledge.

Chart sources: (PWC, 2015); (Management of Information Security, 2014)

4.2 Training

At this level of the program employees are given more detailed instruction on specific topics related to their responsibilities. Under the Computer Security Act of 1987, all federal agencies are required to provide periodic training in acceptable computer practices and security awareness; the PPD is not a federal agency, but the requirement is a sensible benchmark for a municipal department. There are seven key steps to implementing a successful training program (Management of Information Security, 2014):

1. Identify scope, goals, and objectives

What topic are you trying to address?

What is the ultimate outcome you’d like to see? How are you going to measure it?

What goals are you going to meet along the way to show progress?

2. Identify Training Staff

Who is going to run the training? Your own staff? A continuing education institute? An outsourced training program? A specialist in the field?

3. Identify Target Audience

How are you going to decide who gets the training? Job tasks? Amount of computer knowledge? By what computer systems they use?

4. Motivate Managers and Employees

How are you going to get funding? (It will save the PPD money if the training is done now, rather than after an employee failure.)

How are you going to get employees to take the training seriously? Incentives? Consequences?

5. Administer the Program

Maintain visibility of the program: If people see the program working, and know others can see this as well, the program will be more successful.

Topic: Make sure that the topics being taught are relevant to the group being instructed

Material: In order to save costs, it is recommended that an organization adapt existing material to fit their specific needs.

Presentation: Consider how often and in what format the training will take place.

6. Maintain the Program

Make sure the program material is updated to reflect new security concerns and new technologies.

There should be periodic checks for new best practices and ways of managing information.

7. Evaluate the Program

Did the program meet its objectives? Did the employees remember their training? Did the employees enjoy the training?

To get more specific on who should learn what, I recommend reviewing NIST SP 800-16 Rev. 1 (draft)¹, as it provides a good overview of training criteria for different roles in an organization.

¹ http://csrc.nist.gov/publications/drafts/800-16-rev1/draft_sp800_16_rev1_2nd-draft.pdf


4.3 Awareness

Security awareness is responsible for making security a part of everyone's daily work experience. This may sound easy: assign some reading on security and hope it sticks. However, that is not an effective way to raise awareness. It is recommended that a single learning objective be focused on at a time. The instruction can be formal, but don't just talk at an audience; talk with them in a simple, easy-to-understand manner. Don't overload them with technical jargon or with more than a few key ideas at once. It is important to create a base of knowledge that helps them with the basics; later you can go into more detail through training. Security awareness can take many forms, such as newsletters, posters, daily tips, lectures, even free handouts like bookmarks. The most important part of the educational process is making people realize their importance to information security and how they can help (Flynn).

5. Computers

The introduction of computers has greatly increased the effectiveness and capability of law enforcement across the nation. Computers ranging from a handheld smartphone to large data servers connect officers with the information they need to do their jobs in the modern world. These benefits are not without risk; special care must be taken to secure computers and their information from unauthorized access and damage.

5.1 Programs

The basic function of a computer is to run programs. This may seem simple enough; however, programs take many forms to achieve different objectives. Computers don't distinguish between “good programs” and “bad programs”; that is the job of the user and of other programs. The calculator on your computer is a program, just as the malicious code that infects millions of computers each year is a program; the only difference is how they are designed.

5.1.1 Malware Protection

Malware is any computer code intended to steal, destroy, or hold for ransom your data or computer systems. This includes spyware, adware, ransomware, and scareware. Malicious software usually reaches a computer as one of three kinds: viruses, worms, or Trojan horses (Reubenking, 2011). It is the job of a malware defense tool (often called an antivirus) to detect, contain, report, and remove malicious code. As malware becomes more complex and aggressive, it is increasingly difficult for these tools to stay ahead of new threats. I would recommend Kaspersky Internet Security² as it was rated highest in detection rate with zero false positives (AV-Comparatives, 2016). Note that Internet Security is a consumer edition; for a department fleet, the centrally managed business edition of whichever product is chosen is needed so that definitions, policy, and alerts are administered from one console rather than on each machine, in keeping with section 5.1.3.

5.1.2 Software Firewalls

A software firewall is a program that runs locally on a single computer. It is responsible for blocking unauthorized or potentially dangerous incoming and outgoing traffic. It works by inspecting the headers (and sometimes the payload) of packets; if a packet matches a rule, it is dropped or passed accordingly. Such firewalls can be configured to allow certain pre-approved connections or applications through. The previously mentioned Kaspersky Internet Security includes one of the highest-rated firewalls on the market, and since it comes with that package it is the one I would recommend. Whichever product is used, the rule set should be managed centrally by the administrator rather than by individual users.

² http://usa.kaspersky.com/products-services/home-computer-security/internet-security/


5.1.3 Installation of New Programs

Even non-malicious programs can pose a threat to the organization. Installation of unapproved antivirus tools, remote desktop software, or maintenance utilities can unintentionally damage your files. Even benign programs like word processors can open your system to new threats through unpatched coding errors they contain. It is important that the administrator of the computers know all of the software present on them. Without this knowledge they cannot effectively diagnose issues, plan upgrades, or vouch for the security of the computer or of the network at large. For this reason all new installations, configuration changes, and program updates should be performed by the system administrator, and the installed-software inventory of each machine should be compared against an approved list on a regular basis.
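As an added example (mine, not the paper's or any vendor's), the "administrator knows every program" requirement turned into a repeatable check: an installed-software export is compared against an approved baseline and anything unapproved, outdated, or missing is reported. The tab-separated format, the baseline, the product names and the sample export are all constructed for this example; on a Windows fleet the export would be produced from the Uninstall registry keys or a management agent and written into the same name / version / publisher shape.

```python
"""Audit an endpoint's installed software against an approved baseline.

Added example for section 5.1.3 (the administrator must know every program on
every computer). The tab-separated inventory format, the baseline and the
sample export below are constructed for this example, not a real PPD list; on a
Windows fleet the export would come from the Uninstall registry keys or a
management agent, written into the same name / version / publisher shape.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Package:
    name: str
    version: str
    publisher: str


def parse_inventory(text: str) -> list[Package]:
    """Parse 'name<TAB>version<TAB>publisher' lines; blank and '#' lines are skipped."""
    packages = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("\t")]
        if len(fields) != 3:
            raise ValueError(f"malformed inventory line: {raw!r}")
        packages.append(Package(*fields))
    return packages


def version_key(version: str) -> tuple[int, ...]:
    """'4.10.2' -> (4, 10, 2) so versions compare numerically ('4.10' > '4.9')."""
    return tuple(int(part) if part.isdigit() else 0 for part in version.split("."))


def audit_inventory(baseline: list[Package], observed: list[Package]) -> dict[str, list[Package]]:
    """Compare what is installed against what is approved.

    unapproved: name/publisher pair not in the baseline (a publisher mismatch is
                treated as unapproved, since a look-alike install is exactly the case to catch)
    outdated:   approved program, but older than the approved version
    missing:    approved program that is not installed at all (e.g. the anti-malware agent)
    """
    approved = {(p.name.lower(), p.publisher.lower()): p for p in baseline}
    findings: dict[str, list[Package]] = {"unapproved": [], "outdated": [], "missing": []}
    seen = set()
    for pkg in observed:
        key = (pkg.name.lower(), pkg.publisher.lower())
        if key not in approved:
            findings["unapproved"].append(pkg)
            continue
        seen.add(key)
        if version_key(pkg.version) < version_key(approved[key].version):
            findings["outdated"].append(pkg)
    findings["missing"] = [p for key, p in approved.items() if key not in seen]
    return findings


# Constructed approved list for a patrol laptop.
BASELINE = parse_inventory("""
# name\tversion\tpublisher
Endpoint Protection\t10.2.5\tExample AV Vendor
Office Suite\t15.0.4\tExample Office Vendor
Case Tracker\t3.1.0\tExample Records Inc
""")

# Constructed export from one laptop: the AV is current, the office suite is
# behind, a remote-desktop tool nobody approved has appeared, and Case Tracker
# (which should be there) is gone.
OBSERVED = parse_inventory("""
Endpoint Protection\t10.2.5\tExample AV Vendor
Office Suite\t14.0.7\tExample Office Vendor
Remote Desktop Tool\t11.0.5\tUnknown Publisher
""")


def report(findings: dict[str, list[Package]]) -> list[str]:
    """One line per finding, ready for a ticket or a log entry."""
    lines = []
    for category, packages in findings.items():
        for p in packages:
            lines.append(f"{category.upper():10s} {p.name} {p.version} ({p.publisher})")
    return lines


if __name__ == "__main__":
    print("\n".join(report(audit_inventory(BASELINE, OBSERVED))))
```

Matching on name and publisher together, rather than name alone, is deliberate: a program that carries an approved name but an unexpected publisher is the case an allow-list exists to catch, so it is reported as unapproved rather than silently accepted.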

5.2 Maintenance

Computers require periodic maintenance in order to maintain security and functionality. This is just like the maintenance performed on police patrol cars: they need tire changes, oil changes, and inspections every so often to verify they will perform as needed. Just like cars, computers eventually become outdated, and a department has to consider when it is time to purchase new equipment.

5.2.1 Updates

Following on from section 5.1.3, all computers should be configured to receive some form of automatic updates. I would recommend that fully automatic updates be allowed only for programs that are not directly used by the employees of the PPD, such as the antivirus (both program and definitions). Updates that modify programs used by employees, or that require significant downtime, should be applied when the computer isn't in use, in a scheduled maintenance window; these include, but aren't limited to, Windows updates, case tracker updates, and driver updates. This is recommended because employees may lose productivity if a new update changes the layout of a program, and such changes should be explained before they are rolled out. Additionally, Windows Update requires a good deal of bandwidth and asks the user to restart the computer, which often leaves it unusable for 15-25 minutes. Scheduling is not the same as skipping, however: security patches should still be applied within days of release, since unpatched systems are the usual route for the ransomware and backdoor risks rated high in section 3.

5.2.2 Reliability Assessments

It is inevitable that one day a computer will wear out and stop working. In a business setting we want to replace a computer before that happens and causes problems. There are several signs (Betts, 2015) that may tell you a computer needs replacing, along with some remedies to try before replacing it:

- It doesn't meet the requirements to install the latest OS or program version
- It runs slow
  o Defragment the hard drive
  o Run antivirus and antimalware scans
  o Uninstall unnecessary programs
  o Install additional RAM
- It doesn't have the proper connection ports
  o Purchase an adapter
- You find yourself always running out of storage space
  o Upgrade the hard drive
- It runs loud
  o Clean the inside
  o Replace the cooling fans
- It crashes often
  o Reinstall key drivers
  o Reinstall Windows
  o Perform virus and malware scans

5.3 Safe Practices

The internet is a wide-open place with information on every subject just a few clicks away. However, it is also a place where all manner of malicious individuals seek out victims to exploit. There are a few basic practices that anyone using an internet-connected computer should know.

1. Always keep your system up to date with the latest security patches. Vulnerabilities in software are discovered every day; they open your computer to ransomware, backdoor installation, and being conscripted into a botnet.

2. Choose a strong password. A password protects your access to a machine, to your files, and to your permissions. You are responsible for whatever someone using your account does, so don't make it easy to guess, and don't reuse a work password anywhere else.

3. Install an anti-malware tool. This is a solid recommendation even for an employee's home computer; there are many free options such as AVG, Avira, and Avast.

4. Protect your personal information. Any information you give out on the internet is information you no longer directly control; it could be disclosed in a breach. Limit what you give out online to what is necessary, and give it only to trustworthy websites.

5. Be aware of how your data is used. Very few people have actually “read and agreed to the terms and conditions”, but fine print like this gives a good idea of how your information is used and shared.

6. Review online activity reports. Look at your online history, especially financial transactions, to see if anything looks out of the ordinary.

7. Be skeptical of online offers. No, you didn't just win a lottery you never entered; no, that person isn't a generous Nigerian prince needing your help. The internet is full of people with excellent offers for little investment. If the offer is too good to be true, it is probably a scam (National Crime Prevention Council, 2012).

8. Only install programs from trusted sources.

9. Only allow network access to known programs.

10. Make backups of important data (more on this in section 8).

11. Keep your computer in a physically safe location.

12. Don't open email attachments from unknown sources.

13. Use secure connections when exchanging passwords and other login information.

14. Be aware of the latest threats to your computer.

(Massachusetts Institute of Technology, n.d.)

6. Networks

Computers are valuable assets in their own right; however, it is when they are connected to other computers in a network that they become most effective. These connections allow computers to share information almost instantaneously, letting officers and police chiefs communicate with centralized databases and with other officers all over the country. These networks also represent a vulnerability, as networks can be broken into and data stolen from them.

6.1 Network Access

The first line of defense in securing your network is controlling who can use it. If an individual cannot send or receive traffic on the network, they cannot steal data from the nodes on it.

6.1.1 Authorized Devices

It is important that only devices that need to be on a particular network are able to connect. Too many devices slow the network for all users, and, more importantly, a device nobody has vetted can carry malware onto the network or carry data off it. For this reason I recommend two distinct networks in the building: a private wired network for critical functions and a private wireless network for employees of the department. No unauthorized device should be connected to either; any new device must be approved by the IT staff after being assessed for risk, and the list of approved devices should be checked periodically against what is actually seen on the network.

6.1.2 Authentication of Users

Nowadays it is rare to find a wireless network without some form of security to prevent or restrict access, and the Portland Police Department should be no different. However, I recommend taking the standard protection (WPA2 Personal) one step further to WPA2 Enterprise. The key difference is that Personal uses a single pre-shared key that everyone knows, whereas Enterprise authenticates each user with their own credentials (a username and password, or a certificate) through an authentication server (802.1X/RADIUS). This improves both security and accountability: each connection is tied to a person, and a departing employee's access can be revoked without changing a key on every device.

6.2 Network Security Controls

A network that exists in isolation from the internet is severely limited, and much of a department's communication is done over the internet. For this reason steps should be taken to restrict traffic between the internet and the internal network to approved traffic only.

Figure: spam email from the author's personal Gmail account

6.2.1 Hardware Firewalls

While a software firewall is a program installed on a user's machine, a hardware firewall is a dedicated appliance that performs a security role for the entire network. It performs the same basic functions as a software firewall, but at the network level, and can be deployed to restrict traffic between the internal network and the internet, or even between business departments (McAfee, n.d.).

Many wireless routers come with built-in firewalls capable of filtering packets by port, IP address, and service. These are sufficient for a home user, but they lack the management capabilities and options of a dedicated firewall, so the department should purchase one. Consulting the 2015 Gartner Magic Quadrant for Enterprise Network Firewalls, two companies are clearly in the lead: Check Point Software Technologies³ and Palo Alto Networks⁴ (Hils, Young, & D'Hoinne, 2015). The department does not host any services to the public and so does not need a firewall built to handle a large volume of incoming connections; this rules out the PA-7000 series and anything above the Check Point 13000 series. Check Point has the highest success rate for intrusion prevention, the largest application library, more configuration options, and integration with Active Directory. The final deciding factor is that Check Point was the company that created stateful firewalls (Villegas, n.d.). I would recommend something small, like the Check Point 3200. Whatever appliance is chosen, its rule base should deny by default and be reviewed periodically for rules that an earlier, broader rule makes unreachable.
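The mechanics described in sections 5.1.2 and 6.2.1 (ordered rules matched on packet headers, first match wins, default deny, and stateful inspection letting replies back in), as an added example written for this page rather than taken from the paper or from any vendor. The rule syntax, the 10.10.0.0/16 department range, the partner range and the sample packets are all constructed; it also includes a small rule-shadowing check of the kind a periodic rule-base review should run.

```python
"""Minimal firewall rule engine: ordered rules, first match wins, default deny,
plus a connection table so replies to allowed outbound traffic get back in.

Added example for sections 5.1.2 and 6.2.1. The rule syntax, the 10.10.0.0/16
address space and the sample packets are constructed for this example; this is
not Check Point's or Kaspersky's policy language, just the mechanics.
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" (from the internet) or "out" (to the internet)
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = True  # True = opens a connection; False = part of an existing one


@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    direction: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"    # IPv4 only, for brevity
    dst: str = "0.0.0.0/0"
    dport: int | None = None  # None = any destination port

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and self.proto in ("any", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


class Firewall:
    """Rules are evaluated top to bottom; the first match decides; no match = deny."""

    def __init__(self, rules: list[Rule]):
        self.rules = rules
        # Allowed outbound connections: (proto, inside ip, inside port, outside ip, outside port)
        self._conns: set[tuple] = set()

    def decide(self, p: Packet) -> str:
        # Stateful inspection: a reply to a connection we let out is allowed back
        # in without needing a permissive inbound rule.
        if p.direction == "in" and not p.syn:
            if (p.proto, p.dst, p.dport, p.src, p.sport) in self._conns:
                return "allow (established)"
        for rule in self.rules:
            if rule.matches(p):
                if rule.action == "allow" and p.direction == "out":
                    self._conns.add((p.proto, p.src, p.sport, p.dst, p.dport))
                return rule.action
        return "deny (default)"


def shadows(earlier: Rule, later: Rule) -> bool:
    """True if every packet 'later' could match is already caught by 'earlier'."""
    return (earlier.direction in ("any", later.direction)
            and earlier.proto in ("any", later.proto)
            and ip_network(earlier.src).supernet_of(ip_network(later.src))
            and ip_network(earlier.dst).supernet_of(ip_network(later.dst))
            and (earlier.dport is None or earlier.dport == later.dport))


def shadowed_rules(rules: list[Rule]) -> list[int]:
    """Indexes of rules that can never fire because an earlier rule covers them."""
    return [i for i, r in enumerate(rules) if any(shadows(e, r) for e in rules[:i])]


def simulate(rules: list[Rule], packets: list[Packet]) -> list[str]:
    fw = Firewall(rules)
    return [fw.decide(p) for p in packets]


INTERNAL = "10.10.0.0/16"  # constructed department address space
POLICY = [
    Rule("allow", "out", "tcp", src=INTERNAL, dport=443),                        # web
    Rule("allow", "out", "udp", src=INTERNAL, dport=53),                         # DNS
    Rule("deny", "out", "tcp", src=INTERNAL, dport=3389),                        # no outbound RDP
    Rule("allow", "in", "tcp", src="198.51.100.0/24", dst=INTERNAL, dport=22),  # one partner range
]
# Same rules with a careless "allow everything out" placed first: the RDP deny
# is now shadowed and never fires.
BAD_ORDER = [Rule("allow", "out", src=INTERNAL)] + POLICY

PACKETS = [  # constructed traffic
    Packet("out", "tcp", "10.10.5.20", 51000, "203.0.113.10", 443),            # browse
    Packet("in", "tcp", "203.0.113.10", 443, "10.10.5.20", 51000, syn=False),  # reply
    Packet("in", "tcp", "203.0.113.10", 443, "10.10.5.20", 51000),             # unsolicited
    Packet("out", "tcp", "10.10.5.20", 51001, "203.0.113.50", 3389),           # RDP out
]

if __name__ == "__main__":
    for p, verdict in zip(PACKETS, simulate(POLICY, PACKETS)):
        print(f"{p.direction:3s} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}  {verdict}")
    print("shadowed rule indexes in BAD_ORDER:", shadowed_rules(BAD_ORDER))
```

Two points the paper's prose does not make explicit fall out of running it: the unsolicited inbound packet is dropped by the default rule even though an identical-looking reply was allowed a moment earlier, which is what "stateful" buys you, and in BAD_ORDER the outbound RDP packet is allowed because the deny that should catch it sits below a broader allow. The shadowing check flags exactly those unreachable rules.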

6.2.2 Network Based IDPS

Network-Based Intrusion Detection and Prevention Systems (IDPS) focus on identifying intrusion into the network and identifying attacks against systems. These systems can also be set up to monitor network traffic and identify suspicious file transfers and violations of security policy. If an important event is detected, the IDPS will notify security administrators, or a pre-programmed action can be taken to stop the attack (Scarfone & Mell, 2007).

Upon reviewing the Gartner Magic Quadrant Chart (Carlson, 2015), it is apparent that there are two industry leaders ahead of the rest—Cisco and Intel Security (McAfee). When looking at McAfee I found that they have taken a signature-less approach to identifying network traffic (McAfee, n.d.). It uses a system of emulators and full sandboxes to evaluate the immediate effects and extrapolate the latent effects of data passing through the network. I would recommend purchasing one of their smaller solutions and installing the sensors at key points on the network (such as management ports on switches or directly on key servers).

7. Physical Security

Computer and network security mean little if physical security is weak. Many protections that you may have implemented, based on the previous sections, can easily be defeated if an attacker has physical access to your computers (mass storage devices can be stolen, hard drives extracted, operating systems bypassed, firewalls modified, etc.).

7.1 Building Security

Protecting something in a building is remarkably similar to protecting an information asset. Both processes start off with a risk assessment to determine what we are trying to protect, from whom or what, and why we need to protect it. The risks need to be calculated based on the likelihood and impact, then ranked from least critical to most critical. The most pressing risk facing the information and computing assets is an angry individual coming into the police station looking to destroy property.

3 http://www.checkpoint.com/products-solutions/all-products/index.html#az
4 https://www.paloaltonetworks.com/products/product-selection#

Once we have established what we are protecting against, we can begin laying out what we need for physical security according to the "4Ds" of physical security: deter, detect, delay, and defend. Keep in mind that no defense is unbreakable; that is why it is wise to use layered defenses (this is referred to as defense in depth).

1. Deter: Prevent an attack

A traditional fenced off area is not possible for the entire building as civilians need access to the main lobby. Walls should be present to separate the public area from the private area. These walls need access points and access controls to allow officers and other approved individuals through—traditionally a door with a lock.

2. Detect: Identify when an attack is occurring

There is always an officer present to observe the lobby and alert others if someone tries to break down the door. There are also security cameras in the lobby to monitor individuals.

3. Delay: Slow down the attack

The weakest point of the perimeter is the access point. The access control device must allow access to approved individuals and resist attempts at subverting it in order to buy time. For this item I would recommend strong doors and glass with a strong lock-pick-resistant lock.

4. Defend: Counter the attack

A form of security force must be present to counter the attacker(s). In this case it would be the officers of the Portland Police Department, and officers from nearby departments if the threat was large enough. The goals of the responders are to stop the progression of the attack by: limiting the attacker’s movement, destroying their will and/or capabilities, and finally apprehending the suspect (Physical Security Basics, 2015).

7.2 Mobile Computers

With the introduction of mobile computers into the police department, officers are able to exchange pictures, case information, and status updates in a matter of seconds. This ability also brings new security concerns, given the fact that entire computers can now be stolen. It is for this reason the department needs a strong policy on the use of mobile computers. The following is a list of some of the policy items I would recommend be included:

1.1. Physical Security

1.1.1. All department owned computers will be returned to a secure lockup at the end of an officer's shift.

1.1.2. Any computer that is not in lockup will be in the vicinity of a law enforcement officer at all times. This policy may be superseded by policy 1.1.3.


1.1.3. Any computer not in lockup or in the immediate vicinity of an officer will require proper authentication from an appropriate member of the department. (Most commonly implemented as a lock screen.)

1.1.4. All unattended vehicles with mounted computer hardware will remain locked when feasible to do so.

1.1.5. All information contained on the device or displayed on the screen must be treated as confidential.

1.1.6. No new external storage devices will be connected to any department computer unless the drive has first been scanned for viruses and malware.

1.1.6a. Any storage device of unknown origin will be thoroughly examined on a computer not connected to the department network.

1.1.7. The department shall not be held liable for damage to privately owned computers.

1.2. Electronic Security

1.2.1. All computerized police functions will be performed on hardware owned by the police department unless specifically authorized by the department.

1.2.1a. Privately owned cell phones may be authorized for department use only if:

- It is owned solely by the officer.
- It runs the official operating system of the manufacturer.
- It is protected by security befitting a device used for law enforcement purposes.

1.2.2. All department owned/authorized computers will be configured to receive and install automatic updates during down time for that machine.

1.2.3. All department owned computers will be evaluated for performance and security related issues once per month.

1.2.4. All department owned/authorized computers will have approved antivirus and malware removal tools installed on them.

1.2.5. Comprehensive virus scans will be performed once per month and quick scans will be performed every two (2) weeks.

1.2.6. Login credentials must meet specific security requirements to deter dictionary attacks.

1.2.7. Department owned computers will only connect to known networks owned by the police department.

1.3. Acceptable Use

1.3.1. Department owned equipment will not be disassembled or physically modified in any way unless such action is conducted by IT or with the permission of management.

1.3.2. Officers will not download or install software onto department owned computers. Any software installations must be assessed for risks and if approved, conducted by the IT department.


1.3.3. All department owned computers must be used for business purposes only. Special exceptions may be made for business related activities. Prohibited activities include but are not limited to:

- Viewing social media
- Online gambling
- Playing videogames
- Viewing explicit material
- Conducting personal financial business

1.3.4. Software installed on department computers will all be legally acquired either through purchase, or freeware approved for use by the department.

1.3.5. Department owned computers may only be used for legal purposes. Any officer found to be using a computer for illegal purposes will be subject to disciplinary practices in addition to any legal actions.

1.3.6. All new hires will be required to complete a short educational course on department policies. All officers will be required to complete a refresher course every three (3) months.

(Heanssler, Waterville Police Department Portable Computer Policy, 2016)
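Several of the electronic security items above (1.2.2 through 1.2.7) can be checked automatically against the IT department's device inventory rather than by hand. The following is an added example, not part of the policy or the report: the inventory fields, dates, network names, and the specific password rules are assumptions. Each check names the policy item it enforces and returns the violations for each device, so the monthly evaluation (1.2.3) has a list to act on; password_meets_policy is one concrete reading of the "specific security requirements" that 1.2.6 leaves open.

```python
"""Check a constructed device inventory against the portable computer policy (added example)."""
from datetime import date, timedelta

KNOWN_NETWORKS = {"PPD-Patrol", "PPD-Admin"}      # constructed (1.2.7)
FULL_SCAN_INTERVAL = timedelta(days=30)           # "once per month" (1.2.5)
QUICK_SCAN_INTERVAL = timedelta(days=14)          # "every two (2) weeks" (1.2.5)
REVIEW_INTERVAL = timedelta(days=31)              # "once per month" (1.2.3)
MIN_PASSWORD_LENGTH = 12                          # assumption for 1.2.6
COMMON_WORDS = {"password", "police", "portland", "welcome1"}  # constructed dictionary

# Constructed inventory, as the IT department might export it.
INVENTORY = [
    {"id": "MDT-01", "auto_updates": True, "antivirus": True,
     "last_full_scan": date(2016, 2, 1), "last_quick_scan": date(2016, 2, 15),
     "last_review": date(2016, 2, 1), "networks": ["PPD-Patrol"]},
    {"id": "MDT-02", "auto_updates": False, "antivirus": True,
     "last_full_scan": date(2015, 12, 20), "last_quick_scan": date(2016, 2, 15),
     "last_review": date(2016, 1, 5), "networks": ["PPD-Patrol", "CoffeeShop-Free"]},
]


def check_device(device, today):
    """Return the policy items the device violates as of `today`."""
    violations = []
    if not device["auto_updates"]:
        violations.append("1.2.2 automatic updates disabled")
    if today - device["last_review"] > REVIEW_INTERVAL:
        violations.append("1.2.3 monthly evaluation overdue")
    if not device["antivirus"]:
        violations.append("1.2.4 approved antivirus not installed")
    if today - device["last_full_scan"] > FULL_SCAN_INTERVAL:
        violations.append("1.2.5 comprehensive scan overdue")
    if today - device["last_quick_scan"] > QUICK_SCAN_INTERVAL:
        violations.append("1.2.5 quick scan overdue")
    unknown = sorted(set(device["networks"]) - KNOWN_NETWORKS)
    if unknown:
        violations.append(f"1.2.7 connected to unknown networks: {', '.join(unknown)}")
    return violations


def password_meets_policy(password):
    """1.2.6: long enough, at least three character classes, not a dictionary word."""
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password))
    return (len(password) >= MIN_PASSWORD_LENGTH and sum(classes) >= 3
            and password.lower() not in COMMON_WORDS)


def audit(inventory=INVENTORY, today=date(2016, 2, 26)):
    """Map device id -> violations; an empty list means the device is compliant."""
    return {device["id"]: check_device(device, today) for device in inventory}


if __name__ == "__main__":
    for device_id, problems in audit().items():
        print(device_id, problems or "compliant")
```

The connected-network check (1.2.7) is the one that most often surfaces a real problem in practice: a laptop that has joined a public hotspot has been outside the department's firewall, and the scan and update checks for that device should be treated as overdue regardless of their dates.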

8. Contingency Planning

In the event of an attack on, or damage to, the computers of the Portland Police Department, there need to be plans in place to resolve the situation. Without these plans there will be confusion about who does what task and when, and the response to an incident will mostly be disjointed and ineffective. It is for these reasons the PPD should have some level of incident response, business continuity, and disaster recovery plans.

8.1 Incident Response

An incident response plan is a detailed procedure for how an organization will detect, respond to, and mitigate the effects of an incident (an unexpected event that compromises information security assets). I recommend that officers receive special training in incident response, and that those officers form a computer security incident response team (CSIRT). This team will be responsible for writing more detailed policy on how and when to respond to incidents. These policies and procedures must dictate what happens before an incident, during an incident, and after an incident. There are several indicators of incidents; listed below are some examples grouped into levels of confidence:

Possible Indicators: Unusual levels of system usage, presence of unfamiliar files, or unusual system failures.

Probable Indicators: Large amounts of activity during system downtimes, IDPS alerts, or new accounts being created by unknown parties.

Definite Indicators: Modification of system logs, notification by hacker, or reports of compromise by outside organizations (Management of Information Security, 2014).
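Three of the indicators listed above can be checked mechanically from logs, which is how a CSIRT with limited staff would want to surface them. The following is an added example, not part of the report: the log format, account names, business hours, the off-hours threshold and the hash-chain layout are all assumptions. It flags account creation by an unknown party (probable) and large amounts of activity during system downtime (probable, or only possible below the threshold), and it detects modification of the log itself (definite) because each stored entry carries a SHA-256 digest chained over every earlier entry.

```python
"""Triage constructed log lines into the report's indicator levels (added example)."""
import hashlib
from datetime import datetime

KNOWN_ADMINS = {"it-admin"}      # constructed: accounts allowed to create users
BUSINESS_HOURS = range(7, 19)    # assumption: 07:00-18:59 counts as system uptime
DOWNTIME_THRESHOLD = 3           # assumption: this many off-hours events by one actor
GENESIS = "0" * 64               # digest "before" the first entry

# Constructed log lines: "<ISO timestamp> <actor> <event ...>"
SAMPLE_LOG = [
    "2016-02-20T09:12:00 it-admin useradd officer-smith",
    "2016-02-20T23:41:00 svc-backup login workstation-07",
    "2016-02-20T23:42:00 svc-backup useradd helpdesk2",
    "2016-02-20T23:43:00 svc-backup copy records.db 203.0.113.9",
]


def chain_hash(prev_digest: str, line: str) -> str:
    """Digest of this line bound to the digest of everything before it."""
    return hashlib.sha256((prev_digest + "\n" + line).encode()).hexdigest()


def write_chained(lines):
    """Return [(line, digest), ...] as a chaining log writer would store them."""
    entries, prev = [], GENESIS
    for line in lines:
        prev = chain_hash(prev, line)
        entries.append((line, prev))
    return entries


def verify_chain(entries):
    """Index of the first entry whose digest does not match, or -1 if intact."""
    prev = GENESIS
    for i, (line, digest) in enumerate(entries):
        prev = chain_hash(prev, line)
        if prev != digest:
            return i
    return -1


def tamper(entries, index, new_line):
    """Constructed modification for the demo: edit a line but keep its stored digest."""
    edited = list(entries)
    edited[index] = (new_line, entries[index][1])
    return edited


def triage(entries):
    """Return (level, description) findings, definite findings first."""
    findings = []
    tampered = verify_chain(entries)
    if tampered >= 0:
        findings.append(("definite", f"log entry {tampered} was modified after writing"))
    off_hours = {}
    for line, _ in entries:
        timestamp, actor, event = line.split(" ", 2)
        if event.startswith("useradd") and actor not in KNOWN_ADMINS:
            findings.append(("probable", f"account created by unknown party {actor}: {event}"))
        if datetime.fromisoformat(timestamp).hour not in BUSINESS_HOURS:
            off_hours[actor] = off_hours.get(actor, 0) + 1
    for actor, count in off_hours.items():
        level = "probable" if count >= DOWNTIME_THRESHOLD else "possible"
        findings.append((level, f"{count} events by {actor} during system downtime"))
    return findings


if __name__ == "__main__":
    log = write_chained(SAMPLE_LOG)
    for level, description in triage(log):
        print(level, description)
    edited = tamper(log, 3, "2016-02-20T23:43:00 svc-backup logout workstation-07")
    print("after tampering:", triage(edited)[0])
```

The chain only turns log modification into a definite indicator if the digests, or at least the most recent one, are kept somewhere the attacker cannot rewrite, such as a separate log host; someone who can rewrite the whole file can simply recompute the chain. That is the same reason the incident steps below call for saving all logs as soon as the CSIRT is alerted.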


It is only possible to confirm that an incident has occurred once there is a loss of confidentiality, integrity, or availability. Once an incident has been determined to have occurred, there are several key steps that need to be performed. The first step is that important personnel be notified that the incident has been detected: the CSIRT should receive some form of alert, automatic or manual, and then general management. Once the key personnel are present, they should save all logs and begin documenting what is happening for later review. Next, the affected areas should be identified and isolated from the rest of the system and from the attacker. If the incident is severe and damaging, it should be escalated to a disaster (Management of Information Security, 2014).

8.2 Disaster Recovery

Seeing as how the PPD is operating on limited funding, I would recommend that the disaster recovery team also be created from officers who receive the proper training. The disaster recovery team needs to establish its own policy outlining items such as: roles and responsibilities of members, what resources will be required, what training is required, and when the disaster recovery systems should be tested and maintained (Management of Information Security, 2014).

The DR team should review the critical and important assets of the PPD. When this analysis has concluded, the DR team needs to identify controls that would help reduce the overall effect if one of the assets were compromised. These controls can include items such as data backups, fire safety devices, or even body armor for physical protection. A comprehensive plan should also be written in case of a disaster; this plan should include the following in an easy-to-read format:

- Date of last update to the plan
- Staff to be informed of a disaster (include multiple contact methods)
- Emergency service numbers
- Locations of in-house emergency equipment (recommend attaching a map)
- Locations of off-site equipment
- Prioritized list of what to save
- Procedure for conducting a follow-up assessment

(Management of Information Security, 2014)

8.3 Business Continuity

In the event that a disaster has long-lasting effects on an organization, a business continuity plan must be implemented. The primary purpose of this plan is to maintain critical business functions. It is recommended that an additional team be created that is responsible for business continuity; however, in the case of the PPD it will be more cost effective to include officers already on other teams on the BC team. This team must also create a policy that outlines what should be done to restore business functions in the event of a disaster. These controls include items such as restoring from backups, replacing damaged computers, or moving to a temporary location (Management of Information Security, 2014). As an example: the Portland Police Department is destroyed by an earthquake. Fortunately, the officers have arranged to work out of the South Portland Police Department until a new site can be established for them. They ordered additional computers and stored them offsite until needed, and they were able to restore their system by copying all of their apps and data off of backup drives they stored offsite.

9. Costs

While you can get a surprising amount for free, you will eventually end up needing to pay for something. This section covers some of the estimated costs for the items mentioned in previous sections. It is important to note that some of the items listed below can be replaced with free alternatives.

9.1 Estimated Costs

Item Name: Item Cost

- Risk Identification and Risk Assessment Work Hours: $2,250 (50 hrs @ $45/hr)
- SETA Professional: $9,000 (10 hrs/week for 18 weeks @ $50/hr)
- Kaspersky Internet Protection: $2,450 (50 licenses @ $49/year)
- CheckPoint 3200 Firewall: ~$6,000
- Cisco 550x Switch5: ~$2,800
- McAfee IDPS6: ~$25,000
- Bulletproof Glass Solution for Building7: ~$45,000
- Incident Response Training and Preparation: $2,700 (3 people @ $30/hr for 30 hrs/year)
- Disaster Recovery Training and Preparation: $2,700 (3 people @ $30/hr for 30 hrs/year)
- Backup Desktops: $4,000 (5 desktops, including peripherals, @ $800 each)
- Backup Toughpads8: $8,100 (3 Toughpads @ $2,700/unit)
- 2TB USB Backup Hard Drives9: $360 (4 hard drives @ $90/unit)
- Backup Creation Software10: $200 (4 licenses @ ~$50/unit)
- Total Cost: ~$110,560

Note: All costs are estimates and may vary significantly from the actual cost to own.

5 http://www.sears.com/cisco-esw2-550x-48dc-k9-esw2-550x-48/p-SPM7422881303?hlSellerId=10139510&sid=IDx20110310x00001i&kpid=SPM8227355329&kispla=SPM8227355329
6 http://www.neobits.com/mcafee_ips_ns7200_spa_mcafee_ns7200_network_p8664618.html?atc=gbp&gclid=Cj0KEQjwo_y4BRD0nMnfoqqnxtEBEiQAWdA120QlDyAuNV51qBvry--iOxo7EsxiiNST0Lz1mYdqE7AaAjpQ8P8HAQ
7 http://www.tssbulletproof.com/cost-bullet-resistant-glass-system/
8 http://www.barcodegiant.com/panasonic/part-fz-q1c302aam.htm?aw&adtype=pla&gclid=Cj0KEQjwo_y4BRD0nMnfoqqnxtEBEiQAWdA122W53azE1cfffIuDDVKnureObRjQGB7jr0CH9mXUu0UaAsWt8P8HAQ
9 http://www.amazon.com/Black-Passport-Ultra-Portable-External/dp/B00W8XXYSM
10 http://www.pcadvisor.co.uk/test-centre/software/13-best-backup-software-2015-2016-uk-3263573/


Figure: Estimated cost breakdown by item (percentage of total): RI and RA 2%, SETA 8%, Kaspersky 2%, Firewall 5%, Ethernet Switch 3%, McAfee IDPS 23%, Bulletproof Glass 41%, Incident Response 2%, Disaster Recovery 2%, Backup Desktops 4%, Backup Toughpads 7%.

9.2 Cost Effectiveness

There is no way around it—$110,000 is a lot of money. That amount of money could buy a new police Ford Interceptor (Wolff-Mann, 2014), two new officers per year, or even 35,000 gallons of fuel. However, you shouldn't think of this cost as merely an expense; it should be thought of as an investment. Purchasing this equipment and training will prevent future attacks and the subsequent embarrassment from the losses. Consider what monetary value you would place on the police being active for one day. If there were no police force in place, what would it cost to build one? Threats to the department put us in this situation: we are paying to keep our department operating at full capacity.

10. Legal

In order to protect the department from legal action it is important that you design and implement an acceptable use policy for all employees. Without a clearly written acceptable use policy, the department cannot take action against misuse of department equipment (unless the misuse also violates the law). While it is known that ignorance of the law is not a defense, ignorance of department policy can be. It is up to the department to implement a procedure that educates employees on department policies and records their acceptance of the policy. When designing the policy, keep in mind the mission of the department, visions for the future of the department, and values of the department.

10.1 CJIS

The Criminal Justice Information Services (a division of the FBI, which operates under the Department of Justice) has published the CJIS Security Policy11 for all law enforcement agencies. The policy is designed to protect Criminal Justice Information (CJI) throughout its life and various stages (information sources, transmission, storage, generation, and destruction). This policy takes into account various legal requirements and suggestions from sources such as presidential directives, federal laws, FBI directives, the criminal justice Advisory Policy Board, and the National Institute of Standards and Technology (CJIS Information Security Officer, 2015). This policy is revised as needed to reflect new concepts and threats. It is an excellent resource for any police department wishing to improve their security or assess their existing security.

11 https://www.fbi.gov/about-us/cjis/cjis-security-policy-resource-center


11. References

Whitman, M. E., & Mattord, H. J. (2014). Management of Information Security (pp. 279-310). Stamford: Cengage Learning.

AV-Comparatives. (2016, February). Factsheet February 2016 Real-World Protection Test. Retrieved from Anti-Virus Comparative: http://www.av-comparatives.org/wp-content/uploads/2016/03/avc_factsheet2016_02.pdf

Betts, A. (2015, June 1). 7 Warning Signs It’s Time to Replace your Old PC. Retrieved from Make Use Of: http://www.makeuseof.com/tag/7-signs-time-to-replace-old-pc/

Bond, M. (2016, March 3). Join the Portland (ME) Police Department. Retrieved from E-Roll Call Magazine: https://andragogytheory.com/2016/03/03/join-the-portland-me-police-department/

Carlson, J. (2015, December 1). IBM Security Returns to Leadership Position in 2015 Gartner Magic Quadrant for Intrusion Prevention Systems. Retrieved from Security Intelligence: https://securityintelligence.com/ibm-security-returns-to-leadership-position-in-2015-gartner-magic-quadrant-for-intrusion-prevention-systems/

CJIS Information Security Officer. (2015, October 6). Criminal Justice Information Services (CJIS) Security Policy. (C. A. Board, Ed.) Retrieved from FBI.gov: https://www.fbi.gov/about-us/cjis/cjis-security-policy-resource-center

Flynn, J. (n.d.). Implementing Security Education, Training, and Awareness Programs. Retrieved from Indiana University of Pennsylvania: https://www.iup.edu/WorkArea/DownloadAsset.aspx?id=61087

Heanssler, D. (2016). Qualitative Risk Analysis Matrix. Weekly Assignment, Thomas College.

Heanssler, D. (2016). Recommended Security Tools. Thomas College.

Heanssler, D. (2016). Waterville Police Department Portable Computer Policy.

Hils, A., Young, G., & D'Hoinne, J. (2015, April 22). Magic Quadrant for Enterprise Network Firewalls. Retrieved from Gartner: https://www.gartner.com/doc/reprints?id=1-2DVI0YW&ct=150422&st=sb&elqaid=1245&elqat=2&elqTrackId=3fde15b81c9b40618641ac7bb3b9641f%5b5/28/2015

McAfee. (n.d.). Network Security Platform. Retrieved from McAfee: http://www.mcafee.com/us/products/network-security-platform.aspx

McAfee. (n.d.). Online Safety Tips. Retrieved from McAfee Security Advice Center: http://home.mcafee.com/advicecenter/?id=ad_ost_hvsf&ctst=1

Mission Statement and Core Values. (n.d.). Retrieved from Portland Maine: http://portlandmaine.gov/998/Mission-Statement-and-Core-Values

Peters, S. (2015, April 14). Police Pay Off Ransomware Operators, Again. Retrieved from Dark Reading: http://www.darkreading.com/attacks-breaches/police-pay-off-ransomware-operators-again/d/d-id/1319918

Physical Security Basics. (2015, February 8). Retrieved from The Shield Journal: https://www.shieldjournal.com/physical-security-basics/

PWC. (2015). Turnaround and transformation in cybersecurity. Retrieved from PWC: http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey/download.html

Reubenking, N. J. (2011, February 8). Viruses, Spyware, and Malware: What's the Difference? Retrieved from PCMag: http://www.pcmag.com/article2/0,2817,2379663,00.asp

Scarfone, K., & Mell, P. (2007, February). Guide to Intrusion Detection and Prevention Systems (IDPS). Retrieved from National Institute of Standards and Technology: http://csrc.nist.gov/publications/nistpubs/800-94/SP800-94.pdf

Villegas, M. O. (n.d.). Comparing the best NGFWs on the market. Retrieved from SearchSecurity: http://searchsecurity.techtarget.com/feature/Comparing-the-best-NGFWs-on-the-market
