Law, Investigation, & Ethics What laws apply to computer crimes, how to determine a crime has...
-
Upload
emilio-gerry -
Category
Documents
-
view
220 -
download
0
Transcript of Law, Investigation, & Ethics What laws apply to computer crimes, how to determine a crime has...
Law, Investigation, & Ethics
What laws apply to computer crimes, how to determine a crime has occurred, how to preserve evidenced, conduct an investigation, & what are the liabilities.
Computer Crimes CISSP Obligations
Legal Ethical responsibilities to
Employer Constituency being served Profession as a whole
Crimes are increasing Hard to estimate economic impact
Common Types of Computer Crime
DoS, DDos Social Engineering
Fraud Espionage Embezzle-ment
Password Theft
Illegal Content of material
Software Piracy
Information Warfare
Data-diddling
Network Intrusions
Destruction / alteration
of data
Dumpster Diving
Script Kiddies
Terrorism
Emanation Watching
Spoofing IP addresses
Malicious Code
Masquerading
Examples Slammer Worm of January 03 Code Red Klez Worm DDos against Yahoo, Amazon, etc Feb 2000 Love Letter worm May 2000 Microsoft network penetration Oct 2000 Mitnick’s attacks on phone systems 80’s Morris Internet Worm Nov 88 Attacks on U.S. classified computer systems
(The Cuckoo’s Egg) 1986
Problems
Jurisdictional International character of Internet Different types of laws Different “desires” of enforcement
Rapid pace of technology Outpaces laws Outpaces understanding by law makers
Law
Legal Systems Common Law: US, UK, Australia, Canada Civil Law: France, Germany, etc Religious Law: Islamic, etc
Ex US Legislative Branch: statutory laws Administrative: Administrative laws Judicial: Common laws in court decisions
Statutory Law Collected as
Session laws in order of enactment Statutory Codes: subject matter
United States Code Code title Number Abbreviation for Code Statutory Section within the title Date of the edition or supplement
EX: 18 U.S.C. 1001 (1992) Section 1001 in Title 18 of the 1992 edition of
the United States Code: Crimes & Criminal Procedures
Administrative & Common Law
Administrative Law is Arranged Chronologically: Federal Register Subject Matter: Code of Federal
Regulations
Common Law is compiled Case Reports chronologically Case Digests by subject matter
Common Law Systems Categories
Legal Systems Not court decisions
Criminal Law Individual conduct violates government
laws enacted to protect the public Civil Law
Wrong inflicted upon person or org by other person or org
Administrative/Regulatory Law
Intellectual Property Law
Patent Copyright Trade Secret
Proprietary valuable technical info Trademark
Word, name, etc used to distinguish goods from those sold by others
Warranty
Patent
Right to exclude others from using invention
Criteria for patent1. Must be
Process, Machine, Object made by humans, compositions of matter, New use of above
2. Must be useful3. Must be Novel4. Must be obvious to skilled person
Copyright
Original works of authorship
Use by educators, researchers & librarians Fair use: limited copying for teaching Limited reproduction for libraries
Author’s life + 70 years
Warranty Contract that commits org to stand by
product Implied Warranty
Fitness for particular purpose: seller statements Warranty of merchantability: fit to be sold
Express warranty basic requirments Must state is either full or limited Must show coverage is clear easy statements Must insure customer can read before purchase
Information & Privacy Laws Right to protection of “personally
identifiable information” HIPAA items Principles
Notice of disclosure to 3rd parties Choice to opt out of disclosure Access Security Enforcement
Privacy Policy
Orgs develop & publish covering Type of info collected Cookies & server logs used How info is shared Rules for disclosing to 3rd parties Mechanisms used to protect
Privacy-Related Legislation Cable Communications Act Children’s Online Privacy Protection Act Customer Proprietary Network Info Rules Financial Services Modernization Act 1973 U.S. Code of Fair Info Practices
Must not be record systems who’s existence is kept secret
Must be a way for person to find out what kept Must be a way to prevent info being kept Org must insure info is accurate
European Union (EU) Principles Generally more protective than US
Therefore transfer from US is a problem Principles
Info cannot be disclosed without permission of person or authorized by law
Records must be up-to-date Individuals have right to correct errors Info can be used only for original purpose Individuals have right to receive report on info
held Transmission of info prohibited where equivalent
personal data protection cannot be assured
Health Care-Related Privacy Issues Excellent example of privacy issues Access controls usually do not provide sufficient
granularity to implement least privilege Most off-the-shelf apps not adequate Outside partners, members, etc User access via Internet a problem Criminal & Civil penalties Public perception U.S. Kennedy-Kassebaum Health Insurance Portability
& Accountability Act (1996) Standard: Safeguards
Platform for Privacy Preferences (P3P) W3C privacy practices for web sites Org can post privacy policy as xml
Who has access Type of info stored How info is used Legal entity making privacy statement
Posting requires org to think about privacy issues
P3P enabled web browsers AT&T’s Privacy Bird software
Electronic Monitoring Keystroke monitoring Email monitoring Surveillance cameras Badges RFID Magnetic entry cards Org should
Inform employees what monitored Uniformly apply Explain what is acceptable use Tell who can see and what used for
Enticement vs Entrapment
Misc Privacy Laws 2000 U.S. Electronic Signatures in Global &
National Commerce PATRIOT Act
Subpoena of electronic records Monitoring of Internet Search & seizure of info on live systems Notification of warrant can come after search
Federal Info Security Mgt Act Ensure effectiveness of info security controls Recognize highly networked government Maintenance of minimum info controls Provide improved oversight
Investigation Computer forensics
collecting info about computer system admissible in court
Issues Compressed time frame Info is intangible Investigation might interfere with “normal” Difficulty in gathering info Data for investigation co-located with “normal” Expert / specialist required International problems Expanded definitions of property to include electronic
info
Evidence Gathering, Control, Storage &
Preservation are extremely critical Subject to easy modification “Chain of Evidence”
Location where obtained Time obtained Id of person obtaining ID of people securing ID of people controlling
Evidence Life Cycle
1. Discovery & recognition2. Protection3. Recording4. Collection5. Identification6. Preservation7. Transportation8. Presentation in court9. Return to owner
Evidence Admissibility Relevant
Related to crime: describes, time, what has occured
Legally permissible Obtained in lawful manner
Reliability Not been tampered with or altered
Identification Properly identified without altering
Preservation Not subject to damage or destruction
Types of Evidence Best evidence: originals Secondary: copy of originals Direct: five senses Conclusive: Incontrovertible Opinions: Expert & Non-expert (facts only) Circumstantial: inference Hearsay: third party (not admissible in
court)
Conducting the Investigation Involve Management, Org security, human
resources, legal department Watch for retaliatory acts Prepare plan ahead of time
Establish prior liaison with law enforcement Jurisdiction Set up means for reporting computer crimes Establish procedures for dealing with Plan for and & conduct investigation Insure proper collection of evidence
Conducting the Investigation Prevent negative publicity if possible Exigent Circumstances Doctrine
Search without warrant when destruction of evidence in deemed imminent
Too early (strict) vs too late Good sources of evidence
Telephone records, video cameras, audit trails, system logs, backups, witnesses, emails
Motive – Opportunity - Means
Liability Senior Mgt subject to $290M in fines if orgs
do not comply with law Prudent man rule Due care or reasonable care
Prevent orgs resources use in DDos Backups Scans for malicious code BC & DR Plans Local & remote access controls Security policies, procedures, & guidelines Personnel screening Establishing an incident handling plan
Incident Handling Plan Questions What is considered an incident How should incident be reported To whom should be reported When should senior mgt be told What action should be taken Who should handle the response How much damage was caused What info was damaged or compromised Are recovery procedures ok What type of follow up required Should additional safeguards be implemented
Ethics (ISC)2 Code of Ethics Coalition for Computer Ethics
Not use computer to harm others Not interfere with other’s computer work Not snoop Not use computer to steal Not use computer to bear false witness Not copy or use stolen software Not use computers without authorization Not steal other’s intellectual output Think about social consequences of computer use Use computer in ways to ensure consideration &
respect for others
Unacceptable Activities Seeks to gain unauthorized access Destroys integrity of computer based
info Distupts the intended use of Internet Wastes resources such as people,
capacity or computers Compromises privacy of others Involves negligence in conduct of
Internet experiments
Organization for Economic Cooperation & Development Collection Limitation Data Quality Purpose Specification Use Limitation Security Safeguards Openness Individual Participation Accountability Transborder Issues