Chapter 9 - Legal Compliance Flashcards
Computer targeted crime
The computer itself is the target (e.g. a denial-of-service attack or a break-in to steal the data it holds)
Computer assisted crime
The computer is the tool used to commit a conventional crime (e.g. fraud carried out through a compromised banking system)
Computer is incidental
The computer is neither the target nor the tool; it merely happens to be involved, e.g. a spreadsheet of stolen lottery ticket numbers is stored on it
Zombie, bots, and a botnet oh my
Zombie - a compromised computer under an attacker's remote control
Bot - the malicious software that gives the attacker that control
Botnet - the collection of zombies controlled together, typically through a command-and-control server
Advanced persistent threat APT
Advanced - highly knowledgeable, well resourced and familiar with the target environment
Persistent - establishes a foothold and maintains it over a long period, waiting for the right moment rather than seeking a quick win
Threat - an organized adversary with a specific objective, not an opportunistic attacker
CoE Convention on Cybercrime
The Council of Europe (Budapest) Convention: the first international treaty attempting to harmonize national cybercrime laws and investigative powers across borders
OECD
Guidelines on the protection of privacy and transborder flows of personal data; any company that transfers data across borders should know them
EU principles on privacy
A set of principles (purpose specification, no secondary use, data minimization, limited retention, accuracy, individual access, adequate protection when data is transferred) governing how personal data must be collected and handled, on which EU data protection law is built
EU data protection directive
Every organization in an EU member state must abide by that state's data protection law implementing the directive (superseded by the GDPR in 2018)
Safe harbor
A framework that let non-EU (chiefly US) companies self-certify compliance with the EU principles so they could lawfully receive EU personal data faster than negotiating individual agreements; invalidated by the EU Court of Justice in 2015
Wassenaar Arrangement
A multilateral export-control regime covering conventional arms and dual-use goods and technologies, including cryptography; participating states restrict exports to certain destinations, and some countries separately impose import restrictions on cryptography so that their own citizens cannot use strong encryption
Tort law
Civil law within the common law system: a wrong done to a person or business (usually resulting in financial harm), judged on liability rather than guilt, typically by a jury, with damages as the remedy
What are the law systems of the world?
Common - US/UK (case law and precedent)
Civil - most of Europe (codified statutes)
Religious - e.g. Islamic (Sharia) law
Customary - based on long-standing local practice, how it has always been done
Mixed - a combination of the above, varying by locality
Criminal law
Offenses against society such as murder or kidnapping, judged on guilt (beyond a reasonable doubt) and punished by fines or imprisonment
Regulatory law
Administrative law: building codes and other rules set by government agencies, with penalties for non-compliance
Intellectual property law
Copyright, trademark, patent and trade secret law
Trade secret
Proprietary information (a formula, process or recipe of ideas) that gives the company a competitive advantage and would damage it if leaked; protected only as long as the company actually keeps it secret
Copyright
Protects the expression of an idea, not the idea itself: a painting, a book or program source code
Trademark
A word, name, symbol, slogan or logo that identifies a brand
Patent
Grants the inventor exclusive rights to an invention for a fixed term (typically 20 years), after which it enters the public domain
Software Protection Association
A group of major software companies working together against piracy (now part of the SIIA)
FAST
The London-based Federation Against Software Theft
Digital Millennium Copyright Act
US law that makes it a federal offense to create or distribute products or methods that circumvent copyright protection mechanisms (e.g. DRM), even when no actual copying follows
Generic approach to privacy
Horizontal enactment: rules that stretch across all industry boundaries (the EU approach)
Regulation by industry approach to privacy
Vertical enactment: privacy rules for a specific sector, such as healthcare (HIPAA) or finance (GLBA) (the US approach)
PII
Personally identifiable information: data that identifies an individual on its own or in combination (name, SSN, date of birth, address, biometrics); this is what privacy law exists to protect
SOX
Sarbanes-Oxley Act: financial reporting and internal control requirements for US public companies, usually met with the COSO framework; executives are personally liable for the accuracy of reports, which keeps companies honest
HIPAA
Health Insurance Portability and Accountability Act: requires covered entities to protect protected health information (PHI); violations carry steep civil and criminal penalties
HITECH act
Health Information Technology for Economic and Clinical Health Act: extends HIPAA's privacy and security rules to business associates, adds breach notification and raises the civil and criminal penalties
GLBA
Gramm-Leach-Bliley Act: requires financial institutions to issue privacy notices, give customers opt-out choices about information sharing and safeguard customer data
This is not just banks: it applies to any institution offering financial products or services (insurers, brokers, lenders)
Computer Fraud and Abuse Act
Written in 1986 and amended several times since, most recently in 2008
Criminalizes knowingly accessing a computer without authorization (or exceeding authorized access) and the distribution of malicious code
Federal Privacy Act of 1974
Federal law regulating how agencies collect, use and share personal records; an individual can sue if the government uses their data for a purpose other than the one it was collected for
PIPEDA
Personal Information Protection and Electronic Documents Act: Canadian privacy law protecting personal information held by private-sector organizations
Basel II
The Basel accords require banks to hold real capital reserves, not just ledger entries; Basel II ties the required reserves to the bank's risk profile and requires strong operational risk management (including IT risk)
PCI DSS
Payment Card Industry Data Security Standard: a contractual (not legal) standard set by the card brands that must be followed by any organization that stores, processes or transmits cardholder data (i.e. most)
FISMA
Federal Information Security Management Act: requires each federal agency to run a risk-based, cost-effective information security program
Economic Espionage Act
Extended the definition of trade secrets to include technical and business information and gave the FBI authority to investigate industrial and corporate espionage
USA PATRIOT Act
An anti-terrorism act that broadened federal law enforcement's surveillance and search powers (wiretaps, records access) against suspected terrorist activity, i.e. big brother
REP
Reasonable expectation of privacy: the implied right to privacy derived from the Fourth Amendment of the US Constitution
What is the challenge of REP?
If the company's policy does not state that employees have no expectation of privacy on company systems (and employees are not told they are monitored), evidence gathered by monitoring can be challenged and a terminated employee can win a wrongful termination suit
Due care vs due diligence
Due care is acting as a reasonable, prudent person would: implementing the controls and taking the actions needed to protect the organization and mitigate damage
Due diligence is the investigation that precedes those decisions: identifying and understanding weaknesses, vulnerabilities and risks so that the right controls are chosen
SAS
Statement on Auditing Standards (issued by the AICPA)
SAS 70
Audit standard for the controls of service-providing organizations; customers relied on the SAS 70 report instead of auditing the provider themselves (since replaced by SSAE 16 and SOC reports)
Downstream liability
When a company that relies on yours (a customer or partner) is harmed because of your negligence, e.g. your compromised systems are used to attack it
Legally recognized obligation
A duty that the law or a contract imposes on you toward the plaintiff; breaching it is the first element of a negligence claim
Proximate cause
The direct and foreseeable chain of events from the breach of that duty to the plaintiff's damages
Procurement process
Everything from discovery and evaluation of candidate products or vendors to purchasing and acquiring them, with security requirements defined at the start rather than bolted on afterwards
RFP
Request for proposal: a formal request to vendors describing the business problem to be solved and the security requirements a solution must meet
Vendor management
Developing, monitoring and governing the vendor relationship, including enforcement of the SLA
Steps to becoming compliant?
- Identify the laws and regulations that govern your business (SOX, HIPAA, GLBA, etc.)
- Select a security framework that satisfies them (ISO 27001, COSO, etc.)
- Choose a risk assessment methodology (ISO 27005, OCTAVE)
- Choose a control framework (COBIT, NIST SP 800-53)
- Implement the controls and audit against the chosen standards
GRC
Governance, Risk and Compliance: the three areas that must be managed together to judge the health of the organization
KPI
Key performance indicator: a measurable value showing how well each area of GRC is meeting its objectives; these are what auditors check
What is the difference between incident and event?
An event is any observable occurrence in a system or network; an incident is an event (or series of events) that has a negative impact or violates security policy
What is the purpose of an incident response team?
To follow the incident response policy so that everyone knows exactly what to do, and when, as soon as an incident is declared
Incident management
The proactive (preparation, training, tooling) and reactive (response, lessons learned) measures instituted to improve how incidents are handled
What are the 6 steps to incident response?
Triage, Investigation, Containment, Analysis, Tracking, Recovery
Computer forensics
Discovering, collecting, preserving and analyzing digital evidence from a network or computer crime scene in a way that keeps it admissible in court
What are the key steps to ensure a system does not lose forensic information?
Unplug the network (stops remote wiping and further attacker activity)
Dump RAM to external media, never to the suspect disk (volatile data is gone once power is cut)
Power off (many investigators pull the plug rather than shutting down cleanly, so that shutdown routines cannot alter evidence)
Clone the disk (a bit-for-bit image, hashed, with the original kept untouched)
IOCE/SWGDE
International Organization on Computer Evidence and Scientific Working Group on Digital Evidence: bodies that standardize computer forensics principles and procedures
MOM did it
Motive - who? why?
Opportunity - where? when?
Means - the knowledge and capability to commit the crime
Modus operandi
MO: a criminal's habits, tools, signature or calling card, anything that links incidents together or identifies the actor
What are some tools to use to properly copy a drive?
EnCase, FTK Imager, dd (Unix)
Primary and working image
The primary image is hashed, write-protected and stored in the evidence library untouched
The working image is a verified copy of the primary used for analysis, so the primary is never altered
Chain of custody
A record of who has handled the evidence and precisely what was done to it, and when, from collection onward, so it can be shown in court that the evidence was not altered
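The preservation steps above, the dd copy, the primary/working image split and the chain-of-custody record fit together in one small script. The following is an added example, not part of the original flashcards or of any forensic vendor's tooling: it images a constructed 8 KiB file standing in for a suspect device with dd, hashes source and image, derives a verified working copy and appends a custody record. The function names (image_device, verify_image), the paths and the log format are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original flashcards): minimal forensic imaging
# with dd plus hash verification and a chain-of-custody log.  File names,
# paths and the log format are hypothetical; the "device" at the bottom is a
# constructed 8 KiB file standing in for a real block device.
set -eu

# Portable SHA-256 of a file (GNU coreutils sha256sum or BSD/macOS shasum)
sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# image_device SRC PRIMARY WORKING LOG
#   1. bit-for-bit copy of SRC into PRIMARY (the library copy, made read-only)
#   2. hash SRC and PRIMARY; refuse to continue on a mismatch
#   3. derive WORKING from PRIMARY and verify its hash too
#   4. append a chain-of-custody record (when, who, what, hash) to LOG
# Returns 0 on success, 1 on any hash mismatch.
image_device() {
    src=$1; primary=$2; working=$3; log=$4
    # conv=noerror,sync keeps reading past unreadable sectors and zero-pads
    # them so offsets are preserved.  Real devices are whole sectors; a plain
    # file that is not a multiple of bs would be padded and its hash differ.
    dd if="$src" of="$primary" bs=4096 conv=noerror,sync 2>/dev/null
    chmod 0444 "$primary"
    src_hash=$(sha256 "$src")
    pri_hash=$(sha256 "$primary")
    if [ "$src_hash" != "$pri_hash" ]; then
        echo "primary image hash mismatch" >&2; return 1
    fi
    cp "$primary" "$working"
    chmod 0644 "$working"           # analysts work on this copy only
    wrk_hash=$(sha256 "$working")
    if [ "$pri_hash" != "$wrk_hash" ]; then
        echo "working image hash mismatch" >&2; return 1
    fi
    printf '%s\t%s\timaged\tsha256=%s\tsource=%s\tprimary=%s\tworking=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(id -un)" \
        "$pri_hash" "$src" "$primary" "$working" >> "$log"
}

# verify_image IMAGE EXPECTED_HASH: returns 0 if the image still matches the
# recorded hash, 1 if it has been altered (run before and after every
# analysis session and log the result as the next custody entry)
verify_image() {
    [ "$(sha256 "$1")" = "$2" ]
}

# ---- constructed demo: an 8 KiB random "device", not real evidence ----
demo_dir=$(mktemp -d)
head -c 8192 /dev/urandom > "$demo_dir/sdb"
image_device "$demo_dir/sdb" "$demo_dir/primary.dd" \
             "$demo_dir/working.dd" "$demo_dir/custody.log"
cat "$demo_dir/custody.log"
rm -rf "$demo_dir"
```

In practice the primary image goes onto write-once media or a write-blocked drive, and the hash written to the log is the value an analyst re-verifies and records at every hand-off; a failed verify_image check is itself a custody event that has to be logged, not silently corrected.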
Logs hearsay
Logs are hearsay (second-hand evidence) unless the business collected them routinely as part of normal operations beforehand, which brings them under the business records exception
Primary vs secondary vs direct evidence
Primary (best) evidence is the original document or object: most reliable and verifiable
Secondary evidence (copies of documents, oral testimony) is admissible but less reliable because it can be altered
Direct evidence proves a fact by itself (e.g. eyewitness testimony) without needing inference or other evidence to support it
Corroboration
Additional evidence that supports or confirms other evidence; needed when no single piece proves the point on its own
Enticement vs entrapment
Enticement is luring someone who already intends to commit a crime into doing it where they can be caught (legal, e.g. a honeypot)
Entrapment is tricking or inducing someone into committing a crime they would not otherwise have committed (illegal, and a valid defense)
Salami attack
Many small thefts that individually go unnoticed but add up: 5 cents from each of 50,000 accounts is $2,500 per round, or $30,000 a year if done monthly
Data diddling
Altering data before or as it is entered into a system, e.g. slipping an extra 0 onto an amount and then quietly "fixing" it later
Password sniffing
Capturing credentials as they cross the network (e.g. cleartext telnet, FTP or HTTP logins); distinct from stealing /etc/shadow and cracking the hashes offline, since a hash cannot simply be reversed
IP spoofing
Forging the source address of packets to impersonate another host or hide the attacker's origin: "it wasn't me, I have a different IP"
Dumpster diving
Searching discarded paper and media for sensitive information: "you know how you don't shred anything? Hmm."
Wiretap
Intercepting voice or data communications in transit, legal only with a warrant or consent: "you really wanted to hear that conversation with grandma, didn't you?"
Cyber squatting
Registering a domain name that matches someone else's trademark in order to sell it back at a profit; not a crime in itself, but trademark holders can recover the name through dispute resolution or a civil suit. A.com will cost 1 million dollars
Where can I find the CISSP code of ethics?
www.isc2.org
Computer Ethics Institute
Wrote the Ten Commandments of Computer Ethics
Internet Architecture Board
Oversees the Internet's engineering and top-level architecture; RFC 1087 ("Ethics and the Internet") states what the IAB considers unethical, e.g. unauthorized access, disrupting service or wasting resources
Federal Sentencing Guidelines for Organizations
Federal guidelines for sentencing organizations convicted of crimes; penalties are reduced for organizations that had an effective compliance and ethics program in place (showed due care) and increased for those that did not