Legal, Regulations, Investigations and Compliance.
Legal, Regulations, Investigations and Compliance
2
Domain Objectives
• Discuss the world’s various major legal systems
• Describe the differences and similarities between common law and civil law
• Explain laws and regulations affecting information technology
• Discuss computer related crime and its importance to information assurance and security
3
Domain Objectives (continued)
• Describe the importance of international cooperation in relation to computer crime
• Explain an incident response methodology
• Discuss the importance of digital evidence management and handling
• Describe general guidelines for computer forensic investigations
4
Information Security TRIAD
[Figure: the Information Security triad of Confidentiality, Integrity and Availability]
5
Domain Agenda
• Major Legal Systems
• Information Technology Laws and Regulations
• Incident Response
• Computer Forensics
6
Major Legal Systems
• Common Law
• Civil Law
• Customary Law
• Religious Law
• Mixed Law
7
Common Law
• Roots in England
• Based on Legal Precedents, Past Decisions, and Societal Traditions
8
Common Law
• Overview of Common Law
• Courts
• Judges
• Common Law Countries
9
Common Law: Criminal Law
• Based on common law, statutory law, or a combination of both
• Deals with behavior or conduct
• Typically the punishment meted out by the criminal courts involves some loss of personal freedom for the guilty party
10
Common Law: Tort Law
• Definition
• Punishment
• Traces its origin to criminal law
11
Common Law: Tort Law
• Principles of a Tort
• Categories of a Tort
12
Common Law: Administrative Law
• Law created by administrative agencies by way of rules, regulations, orders, and decisions
• Areas covered by Administrative Law
13
Civil Law
• Traces its roots back to two beginnings:
• Roman Empire
• Napoleonic Code of France
• Characteristics
• Presents various sub-divisions
• Common law as opposed to Civil law
• Methodological approach difference
• Judges’ role difference
14
Customary Law
• Regionalized systems
• Reflects the society’s norms and values
• Most countries combine customary law with another legal system
15
Religious Law
• Traditional Islamic law (Sharia)
• Guided by the Qur’an and the Sunnah
• Covers all aspects of a person’s life
16
Mixed Law
• Convergence of two or more legal systems
• Examples of mixed law
17
World Legal Systems
[Figure: world map of legal systems. Source: WorldLegalSystems]
18
Domain Agenda
• Major Legal Systems
• Information Technology Laws and Regulations
• Incident Response
• Computer Forensics
19
Information Technology Law & Regulations
• Intellectual Property Law
• Patent
• Trademark
• Copyright
• Trade Secret
• Licensing Issues
• Privacy
• Liability
• Computer Crime
• International Cooperation
20
Intellectual Property Laws
• Purpose
• Two categories
• Industrial Property
• Copyright
21
Intellectual Property: Patent
• Definition
• Advantages
22
Intellectual Property: Trademark
• Characteristics of a Trademark
• Word
• Name
• Symbol
• Color
• Sound
• Product shape
• Purpose of a Trademark
23
Intellectual Property: Copyright
• Covers the expression of ideas
• Writings
• Recordings
• Computer programs
• Weaker than patent protection
24
Intellectual Property: Trade Secret
• Should be confidential
• Protection of Trade Secret
25
Intellectual Property: Software Licensing Issues
• Categories of software licensing:
• Freeware
• Shareware
• Commercial
• Academic
• Master agreements and end user licensing agreements (EULAs)
26
Privacy Laws and Regulations
• Rights and Obligations
• Individuals
• Organizations
27
Privacy Initiatives
• Generic Approach
• Regulation by Industry
• The overall objective is to:
• Protect citizens’ personal information
• Balance the business and governmental need to collect and use this information
28
Privacy and the OECD
• The Organization for Economic Co-operation and Development (OECD)
• 8 core principles of the OECD Privacy Guidelines: Collection Limitation, Data Quality, Purpose Specification, Use Limitation, Security Safeguards, Openness, Individual Participation, and Accountability
29
Employee Privacy
• Employee Monitoring
• Authorized Usage Policies
• Internet usage
• Telephone (e.g., VoIP)
30
Privacy: Personal Protection
• Responsibilities of end users
• Encourage use of:
• Encryption
• Anti-virus
• Patches
• Shredding
31
Liability
• Legal Responsibility
• Penalties
• Civil penalties
• Criminal penalties
• Negligence is often used to establish liability
32
Negligence
• Acting without due care
• Due care: the care a reasonable person would exercise in the same circumstances
33
Due Diligence
• Ethereal concept often judged against a continually moving benchmark
• Requires a commitment to an ongoing risk analysis and risk management process
• Due Care vs. Due Diligence
34
Computer Crimes
• Often divided into 3 categories
• Computers as a Tool
• Computers as the Target of Crime
• Computer Incidental to the Crime
35
Computer Crimes
• Insider abuse
• Viruses
• White collar/Financial fraud
• Corporate espionage
• Hacking
• Child Pornography
• Stalking
• Organized crime
• Terrorism
• Identity Theft
• Social Engineering
36
International Cooperation
• Initiatives related to International Cooperation in dealing with Computer Crime
• The Council of Europe (CoE) Cybercrime Convention (the Budapest Convention, 2001)
37
Domain Agenda
• Major Legal Systems
• Information Technology Laws and Regulations
• Incident Response
• Computer Forensics
38
Incident Response: Overview
• Response capability
• Policy and guidelines
• Response
• Incident response
• Triage
• Containment
• Investigation
• Analysis and Treatment
• Recovery
• Debriefing
• Metrics
• Public Disclosure
39
Incident Response Objectives
• Incident response in its simplest form is the practice of:
• Detecting a problem
• Determining its cause
• Minimizing the damage it causes
• Resolving the problem
• Documenting each step of the response for future reference
40
Response Capability
• The foundation for Incident Response (IR) comprises:
• Policy
• Procedures
• Guidelines
• Management of evidence
41
Incident Response Policy
• Escalation Process
• Interaction with third party entities
42
Response Team
• Staffing and training
• Virtual Team
• Permanent Team
• Hybrid of the Virtual and Permanent
• Response Team Members
43
Incident Response and Handling
• Incident
• Approved Handling Process
44
Incident Response and Handling Phases
• Triage
• Investigation
• Containment
• Analysis and tracking
45
Triage
• Triage encompasses:
• Detection
• Classification
• Notification
46
Triage - Detection
• Initial Screening
• False Positives
47
Triage - Classification
• Incident Hierarchy
• General Classifiers
• Source (internal vs. external)
• More Granular or Specific Characteristics
• (e.g., worm vs. spam)
48
Investigation Phase Components
• Components of this phase:
• Analysis
• Interpretation
• Reaction
• Recovery
49
Investigation Phase Objectives
• Desired outcomes of this phase are:
• Reduce the impact
• Identify the cause
• Get back up and running in the shortest possible time
• Prevent the incident from re-occurring
50
Investigation Considerations
• The investigative phase must consider:
• Adherence to company policy
• Applicable laws and regulations
• Proper evidence management and handling
51
Containment
• Reduce the potential impact of the incident
• Identify the systems, devices, or networks that could become “infected”
• The containment strategy depends on:
• Category of the attack
• Asset(s) affected
• Criticality of the data or system
52
Containment Strategies
• Disconnecting the system from the network
• Virtually isolating the systems through network segmentation
• Implementing a firewall or filtering router with the appropriate rule sets
• Installation of Honeynets/Honeypots
53
Containment Documentation
• Incident and evidence handling procedures
• Sources of evidence
• Risk of Entrapment vs. Enticement
54
Analysis and Tracking
• The Concept of Root Cause
• Determines actual initial event
• Attempts to identify the true source and actual point of entry
55
Analysis and Tracking Goals
• Obtain sufficient information to stop the current incident
• Prevent future “like” incidents from occurring
• Identify who or what is responsible
56
Analysis and Tracking Team
• Heterogeneous and/or Eclectic Skills
• Solid understanding of the systems affected
• Real World, Applied Experience
57
Analysis and Tracking Logs
• Dynamic Nature of the Logs
• Feeds into the tracking process
• Working Relationship with other Entities
58
Recovery Phase Goal
• To get back up and running
• The Business (worst case)
• Affected Systems (best case)
• Protect evidence
59
Recovery and Repair
• Recovery into production of affected systems
• Ensure system can withstand another attack
• Test for vulnerabilities and weaknesses
60
Closure of the Incident
• Incident response is an iterative process
• Closure to the incident
61
Debriefing/Feedback
• Formal process
• Include all of the team members
• Use output to adapt or modify policy and guidelines
62
Communications of the Incident
• Public disclosure of an incident can:
• Compound the negative impact
• Provide an opportunity to regain public trust
• Communication handled by authorized personnel only
63
Domain Agenda
• Major Legal Systems
• Information Technology Laws and Regulations
• Incident Response
• Computer Forensics
64
Computer Forensics
• Key Components
• Crime scenes
• Digital evidence
• Guidelines
65
Computer Forensics: The Law
• The inclusion of the “law” introduces concepts that may be foreign to many information security professionals
• Crime scene
• Chain of custody
• Best evidence
• Admissibility requirements
• Rules of evidence
66
Computer Forensics: Evidence
• Computer Forensics includes:
• Evidence or potential evidence
• Falls under the larger domain of Digital Forensic Science, as defined by the Digital Forensic Research Workshop (DFRWS)
• Deals with evidence and the legal system
67
Computer Forensics: Evidence
• Correctly identifying the crime scene, evidence, and potential containers of evidence
• Collecting or acquiring evidence:
• Adhering to the principles of criminalistics
• Keeping contamination and the destruction of the scene to a minimum
68
Computer Forensics: Evidence
• Using the scientific method:
• Determine characteristics of the evidence
• Comparison of evidence
• Event reconstruction
• Presentation of findings:
• Interpretation and analysis of the examination
• Articulating these in a format appropriate for the intended audience
69
Crime Scene
• Prior to identifying evidence, the larger crime scene needs to be addressed
• A crime scene is nothing more than:
• The environment in which potential evidence may exist
• Digital crime scenes follow the same principles
70
Crime Scene
• The principles of criminalistics apply to both digital and physical crime scenes:
• Identify the scene
• Protect the environment
• Identify evidence and potential sources of evidence
• Collect evidence
• Minimize the degree of contamination
71
Crime Scene: Physical vs. Virtual
• The Crime Scene Environment
• Physical
• Virtual or Cyber
72
Locard’s Principle
• Locard’s Principle of Exchange
• When a crime is committed, the perpetrator
• Leaves something behind
• Takes something with them
• This principle allows us to identify aspects of the person or persons responsible, even with a purely digital crime scene
73
Behavior
• Investigation or Root Cause Analysis
• Means, Opportunity, and Motive (MOM)
• Modus Operandi (MO)
• Criminal computer behavior is no different than typical criminal behavior
74
Behavior of Computer Criminals
• Computer criminals have specific MO’s
• Hacking software/tools
• Types of systems or networks attacked, etc.
• Signature behaviors
• MO & Signature behaviors
• Profiling
• Interviewing
75
Crime Scene Analysis
• Protect the ‘crime scene’ from unauthorized individuals
• Once a scene has been contaminated, there is no undo or redo button to push
• The damage is done!
76
Digital Evidence
• The exact requirements for the admissibility of evidence vary
• Evidence
77
Digital Evidence: 5 Rules
• Admissible
• Authentic
• Complete
• Accurate
• Convincing
78
Digital Evidence: Hearsay
• Hearsay
• Second-hand evidence
• Normally not admissible
• Business records exceptions:
• Computer generated information can fall into this category
• May require someone to attest to how the records/information were created
79
Digital Evidence: Life Span
• Digital evidence
• Volatile and “fragile”
• May have a short “life span”
• Collect quickly
• By order of volatility (i.e., most volatile first)
• Document, document, document!
80
Digital Evidence: Chain of Custody
• Chain of Custody
• Who
• What
• When
• Where
• How
81
Digital Evidence: Accuracy and Integrity
• Ensuring the accuracy and integrity of evidence is critical!
• The current protocol for demonstrating accuracy and integrity relies on cryptographic hash functions taken at acquisition and re-checked at every hand-over
• MD5 (still found in older tooling and case records; collisions are practical, so do not rely on it alone)
• SHA-256 (the value to record and verify against)
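The chain-of-custody fields on the previous slide and the hash-based integrity check above, as one added worked example that is not part of the original course material: it hashes an acquired image in chunks (MD5 only for comparison with older records, SHA-256 as the value to trust), records each who/what/when/where/how hand-over in a log where every entry carries the digest of the entry before it, and shows that both altering the image and rewriting an earlier custody entry are detected. The image contents, names, locations and timestamps are constructed, and the hash-linked log format is an assumption of the example, not a standard.

```python
import hashlib
import json
import os
import tempfile

CHUNK = 1 << 20  # hash large images in 1 MiB chunks rather than reading them whole


def hash_file(path):
    """Return (md5, sha256) hex digests of a file, read once in chunks.
    MD5 is computed only to compare with digests recorded by older tooling;
    SHA-256 is the value to rely on, because MD5 collisions are practical."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def entry_digest(entry):
    # Canonical JSON (sorted keys) so an entry always hashes the same way.
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()


def record_custody(log, who, what, where, how, sha256, when):
    """Append one who/what/when/where/how entry to the custody log.
    Each entry carries the digest of the previous entry, so editing or
    removing an earlier entry breaks every link after it."""
    entry = {"who": who, "what": what, "when": when, "where": where, "how": how,
             "sha256": sha256, "prev": entry_digest(log[-1]) if log else None}
    log.append(entry)
    return entry


def verify_custody(log, evidence_sha256):
    """True if the chain links are intact and every entry refers to the
    same evidence digest that was taken at acquisition."""
    prev = None
    for entry in log:
        if entry["prev"] != prev or entry["sha256"] != evidence_sha256:
            return False
        prev = entry_digest(entry)
    return True


def demo():
    """Walk through acquisition, two hand-overs, and two tamper cases.
    Returns (chain_ok, image_still_matches, chain_ok_after_edit)."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "evidence.dd")
        with open(image, "wb") as f:  # constructed stand-in for a disk image
            f.write(b"constructed disk image contents\n" * 1000)
        _, acquired = hash_file(image)

        log = []  # all names, locations and times below are constructed
        record_custody(log, "A. Examiner", "evidence.dd (image of seized SSD, S/N constructed)",
                       "evidence locker 3, lab room 204",
                       "dd through hardware write-blocker; hashed at acquisition",
                       acquired, "2024-03-12T10:05:00+00:00")
        record_custody(log, "B. Analyst", "evidence.dd", "forensic workstation FW-02",
                       "checked out for analysis; working copy verified against hash",
                       acquired, "2024-03-12T13:40:00+00:00")
        chain_ok = verify_custody(log, acquired)

        # Case 1: the image is altered after acquisition; re-hashing exposes it.
        with open(image, "ab") as f:
            f.write(b"x")
        image_still_matches = hash_file(image)[1] == acquired

        # Case 2: someone rewrites an earlier custody entry; the hash chain breaks.
        log[0]["who"] = "C. Unknown"
        chain_ok_after_edit = verify_custody(log, acquired)
    return chain_ok, image_still_matches, chain_ok_after_edit


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

A hash proves the bytes are unchanged since the digest was taken; it says nothing about who had the image in between, which is why the custody entries record the hand-overs and the link digests make the log itself tamper-evident. In practice the log would be written to append-only storage or signed, since anyone who can rewrite the whole file can rebuild the chain.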
82
General Guidelines
• IOCE/SWGDE 6 principles for computer forensics and digital/electronic evidence
• When dealing with digital evidence, all of the general forensic and procedural principles must be applied
• Upon seizing digital evidence, actions taken should not change that evidence
• When it is necessary for a person to access original digital evidence, that person should be trained for the purpose
83
Six IOCE/SWGDE Principles
• All activity relating to the seizure, access, storage or transfer of digital evidence must be fully documented, preserved and available for review
• An individual is responsible for all actions taken with respect to digital evidence whilst the digital evidence is in their possession
• Any agency, which is responsible for seizing, accessing, storing or transferring digital evidence is responsible for compliance with these principles
84
General Guidelines: Dos and Don’ts
• Minimize Handling/Corruption of Original Data
• Account for Any Changes and Keep Detailed Logs of Your Actions
• Comply with the Five Rules for Evidence
• Do Not Exceed Your Knowledge
• Follow Your Local Security Policy and Obtain Written Permission
85
General Guidelines: Dos and Don’ts
• Capture as Accurate an Image of the System as Possible
• Be Prepared to Testify
• Ensure Your Actions are Repeatable
• Work Fast
• Proceed From Volatile to Persistent Evidence
• Don't Run Any Programs on the Affected System
86
General Guidelines: Dos and Don’ts
• Act ethically
• In good faith
• Attempt to do no harm
• Do not exceed one’s knowledge, skills, and abilities
87
Domain Summary
• Know local laws and regulations
• Have an approved procedure for handling of incidents
• Ensure that all handling of sensitive information is compliant with regulation
• Follow best practices and document all steps of an investigation
“Security Transcends Technology”