Page 1: Law, Investigation, & Ethics

What laws apply to computer crimes, how to determine a crime has occurred, how to preserve evidence, conduct an investigation, & what are the liabilities.

Page 2: Computer Crimes

CISSP obligations: legal & ethical responsibilities to
- Employer
- Constituency being served
- Profession as a whole

- Crimes are increasing
- Hard to estimate economic impact

Page 3: Common Types of Computer Crime

- DoS, DDoS
- Social engineering
- Fraud
- Espionage
- Embezzlement
- Password theft
- Illegal content of material
- Software piracy
- Information warfare
- Data-diddling
- Network intrusions
- Destruction / alteration of data
- Dumpster diving
- Script kiddies
- Terrorism
- Emanation watching
- Spoofing IP addresses
- Malicious code
- Masquerading

Page 4: Examples

- Slammer Worm of January 03
- Code Red
- Klez Worm
- DDoS against Yahoo, Amazon, etc., Feb 2000
- Love Letter worm, May 2000
- Microsoft network penetration, Oct 2000
- Mitnick’s attacks on phone systems, 80’s
- Morris Internet Worm, Nov 88
- Attacks on U.S. classified computer systems (The Cuckoo’s Egg), 1986

Page 5: Problems

Jurisdictional
- International character of the Internet
- Different types of laws
- Different “desires” of enforcement

Rapid pace of technology
- Outpaces laws
- Outpaces understanding by law makers

Page 6: Law

Legal systems
- Common Law: US, UK, Australia, Canada
- Civil Law: France, Germany, etc.
- Religious Law: Islamic, etc.

Ex: US
- Legislative branch: statutory laws
- Administrative: administrative laws
- Judicial: common law in court decisions

Page 7: Statutory Law

Collected as
- Session laws, in order of enactment
- Statutory codes, by subject matter

United States Code citation
- Code title number
- Abbreviation for the code
- Statutory section within the title
- Date of the edition or supplement

Ex: 18 U.S.C. 1001 (1992) = Section 1001 in Title 18 of the 1992 edition of the United States Code: Crimes & Criminal Procedures

Page 8: Administrative & Common Law

Administrative law is arranged
- Chronologically: Federal Register
- By subject matter: Code of Federal Regulations

Common law is compiled
- Case Reports, chronologically
- Case Digests, by subject matter

Page 9: Common Law Systems Categories

(Categories of the legal system, not of court decisions)

- Criminal Law: individual conduct violates government laws enacted to protect the public
- Civil Law: wrong inflicted upon a person or org by another person or org
- Administrative/Regulatory Law

Page 10: Intellectual Property Law

- Patent
- Copyright
- Trade Secret: proprietary, valuable technical info
- Trademark: word, name, etc. used to distinguish goods from those sold by others
- Warranty

Page 11: Patent

Right to exclude others from using the invention

Criteria for patent
1. Must be a process, machine, object made by humans, composition of matter, or new use of the above
2. Must be useful
3. Must be novel
4. Must be obvious to skilled person

Page 12: Copyright

Original works of authorship

Use by educators, researchers & librarians
- Fair use: limited copying for teaching
- Limited reproduction for libraries

Author’s life + 70 years

Page 13: Warranty

Contract that commits an org to stand by its product

Implied warranty
- Fitness for particular purpose: seller statements
- Warranty of merchantability: fit to be sold

Express warranty basic requirements
- Must state it is either full or limited
- Must show coverage in clear, easy statements
- Must ensure the customer can read it before purchase

Page 14: Information & Privacy Laws

Right to protection of “personally identifiable information”

HIPAA items / principles
- Notice of disclosure to 3rd parties
- Choice to opt out of disclosure
- Access
- Security
- Enforcement

Page 15: Privacy Policy

Orgs develop & publish a policy covering
- Type of info collected
- Cookies & server logs used
- How info is shared
- Rules for disclosing to 3rd parties
- Mechanisms used to protect it

Page 16: Privacy-Related Legislation

- Cable Communications Act
- Children’s Online Privacy Protection Act
- Customer Proprietary Network Info Rules
- Financial Services Modernization Act
- 1973 U.S. Code of Fair Info Practices
  - Must not be record systems whose existence is kept secret
  - Must be a way for a person to find out what is kept
  - Must be a way to prevent info being kept
  - Org must ensure info is accurate

Page 17: European Union (EU) Principles

Generally more protective than US; therefore transfer from the US is a problem

Principles
- Info cannot be disclosed without permission of the person or authorization by law
- Records must be up-to-date
- Individuals have the right to correct errors
- Info can be used only for the original purpose
- Individuals have the right to receive a report on info held
- Transmission of info prohibited where equivalent personal data protection cannot be assured

Page 18: Health Care-Related Privacy Issues

Excellent example of privacy issues
- Access controls usually do not provide sufficient granularity to implement least privilege
- Most off-the-shelf apps not adequate
- Outside partners, members, etc.
- User access via Internet a problem
- Criminal & civil penalties
- Public perception

U.S. Kennedy-Kassebaum Health Insurance Portability & Accountability Act (1996)
- Standard: Safeguards

Page 19: Platform for Privacy Preferences (P3P)

W3C privacy practices for web sites; an org can post its privacy policy as XML
- Who has access
- Type of info stored
- How info is used
- Legal entity making the privacy statement

Posting requires the org to think about privacy issues

P3P-enabled web browsers: AT&T’s Privacy Bird software

Page 20: Electronic Monitoring

- Keystroke monitoring
- Email monitoring
- Surveillance cameras
- Badges
- RFID
- Magnetic entry cards

Org should
- Inform employees what is monitored
- Apply it uniformly
- Explain what is acceptable use
- Tell who can see it and what it is used for

Enticement vs Entrapment

Page 21: Misc Privacy Laws

2000 U.S. Electronic Signatures in Global & National Commerce

PATRIOT Act
- Subpoena of electronic records
- Monitoring of Internet
- Search & seizure of info on live systems
- Notification of warrant can come after search

Federal Info Security Mgt Act
- Ensure effectiveness of info security controls
- Recognize highly networked government
- Maintenance of minimum info controls
- Provide improved oversight

Page 22: Investigation

Computer forensics: collecting info about a computer system that is admissible in court

Issues
- Compressed time frame
- Info is intangible
- Investigation might interfere with “normal” operations
- Difficulty in gathering info
- Data for investigation co-located with “normal” data
- Expert / specialist required
- International problems
- Expanded definitions of property to include electronic info

Page 23: Evidence

Gathering, control, storage & preservation are extremely critical: evidence is subject to easy modification

“Chain of Evidence”
- Location where obtained
- Time obtained
- ID of person obtaining
- ID of people securing
- ID of people controlling

Page 24: Evidence Life Cycle

1. Discovery & recognition
2. Protection
3. Recording
4. Collection
5. Identification
6. Preservation
7. Transportation
8. Presentation in court
9. Return to owner

Page 25: Evidence Admissibility

- Relevant: related to the crime; describes time, what has occurred
- Legally permissible: obtained in a lawful manner
- Reliability: not been tampered with or altered
- Identification: properly identified without altering
- Preservation: not subject to damage or destruction
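The chain-of-evidence fields on Page 23 (location, time, who obtained, secured and controlled the item) and the reliability and identification tests on Page 25 (not tampered with, properly identified without altering) are usually implemented together: the item is hashed at collection time, and every hand-off is recorded in a log that is itself tamper-evident. The following is an added example written for this page, not code from the original slides; cryptographic hashing (SHA-256) and the hash-linked log are an assumed implementation, and the evidence bytes, names, places and times are constructed for illustration.

```python
# Added example (not part of the original slides): a minimal chain-of-custody
# record for one item of digital evidence. The hashing scheme is an assumed
# implementation; all sample data below is constructed.
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _entry_hash(entry: dict) -> str:
    """Hash every field of a custody entry except its own hash, in fixed key order."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())


class EvidenceRecord:
    """Acquisition hash (identification) plus a hash-linked custody log."""

    def __init__(self, item_id: str, data: bytes):
        self.item_id = item_id
        self.acquired_hash = sha256_hex(data)   # taken once, at collection
        self.entries = []                       # custody log, oldest first

    def log(self, action: str, person: str, location: str, when: str) -> dict:
        """Record a hand-off: who, where, when, and what they did with the item."""
        prev = self.entries[-1]["entry_hash"] if self.entries else self.acquired_hash
        entry = {
            "item_id": self.item_id,
            "action": action,        # obtained / secured / controlled / transported
            "person": person,
            "location": location,
            "time": when,            # ISO-8601, UTC
            "prev_hash": prev,       # links this entry to the one before it
        }
        entry["entry_hash"] = _entry_hash(entry)
        self.entries.append(entry)
        return entry

    def evidence_unaltered(self, data: bytes) -> bool:
        """Reliability check: the item now in hand hashes to the acquisition hash."""
        return sha256_hex(data) == self.acquired_hash

    def chain_intact(self) -> bool:
        """Each entry must hash correctly and point at its predecessor."""
        prev = self.acquired_hash
        for e in self.entries:
            if e["prev_hash"] != prev or _entry_hash(e) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def demo() -> dict:
    # Constructed sample evidence and custody events.
    evidence = b"constructed sample: web server access log excerpt\n"
    rec = EvidenceRecord("ITEM-001", evidence)
    rec.log("obtained", "A. Analyst", "Server room, rack 3", "2024-01-15T09:00:00Z")
    rec.log("secured", "B. Custodian", "Evidence locker 2", "2024-01-15T09:30:00Z")
    rec.log("controlled", "C. Examiner", "Forensic lab", "2024-01-16T08:00:00Z")

    results = {
        "original_ok": rec.evidence_unaltered(evidence),          # True
        "modified_ok": rec.evidence_unaltered(evidence + b"x"),   # False
        "chain_ok": rec.chain_intact(),                           # True
    }
    # Editing a past custody entry (or deleting one) breaks the hash links.
    rec.entries[1]["person"] = "Someone Else"
    results["chain_after_edit"] = rec.chain_intact()              # False
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The acquisition hash answers the "identification" and "reliability" questions on Page 25 for the item itself; the hash-linked log answers them for the custody record, so a gap, reordering or edit in the chain of hand-offs is detectable rather than a matter of trust in the paper trail.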

Page 26: Types of Evidence

- Best evidence: originals
- Secondary: copy of originals
- Direct: five senses
- Conclusive: incontrovertible
- Opinions: expert & non-expert (facts only)
- Circumstantial: inference
- Hearsay: third party (not admissible in court)

Page 27: Conducting the Investigation

- Involve management, org security, human resources, legal department
- Watch for retaliatory acts
- Prepare plan ahead of time
  - Establish prior liaison with law enforcement
  - Jurisdiction
  - Set up means for reporting computer crimes
  - Establish procedures for dealing with them
  - Plan for & conduct investigation
  - Ensure proper collection of evidence

Page 28: Conducting the Investigation (cont.)

- Prevent negative publicity if possible
- Exigent Circumstances Doctrine: search without warrant when destruction of evidence is deemed imminent
- Too early (strict) vs too late
- Good sources of evidence: telephone records, video cameras, audit trails, system logs, backups, witnesses, emails
- Motive – Opportunity – Means

Page 29: Liability

Senior mgt subject to $290M in fines if orgs do not comply with law

Prudent man rule: due care or reasonable care
- Prevent org’s resources being used in DDoS
- Backups
- Scans for malicious code
- BC & DR plans
- Local & remote access controls
- Security policies, procedures, & guidelines
- Personnel screening
- Establishing an incident handling plan

Page 30: Incident Handling Plan Questions

- What is considered an incident?
- How should an incident be reported?
- To whom should it be reported?
- When should senior mgt be told?
- What action should be taken?
- Who should handle the response?
- How much damage was caused?
- What info was damaged or compromised?
- Are recovery procedures OK?
- What type of follow-up is required?
- Should additional safeguards be implemented?

Page 31: Ethics

(ISC)2 Code of Ethics

Coalition for Computer Ethics
- Not use a computer to harm others
- Not interfere with others’ computer work
- Not snoop
- Not use a computer to steal
- Not use a computer to bear false witness
- Not copy or use stolen software
- Not use computers without authorization
- Not steal others’ intellectual output
- Think about social consequences of computer use
- Use computers in ways that ensure consideration & respect for others

Page 32: Unacceptable Activities

- Seeks to gain unauthorized access
- Destroys integrity of computer-based info
- Disrupts the intended use of the Internet
- Wastes resources such as people, capacity or computers
- Compromises privacy of others
- Involves negligence in conduct of Internet experiments

Page 33: Organization for Economic Cooperation & Development

- Collection Limitation
- Data Quality
- Purpose Specification
- Use Limitation
- Security Safeguards
- Openness
- Individual Participation
- Accountability
- Transborder Issues