Chapter 9 - Legal Compliance

Question 0

Computer targeted crime

Answer 0

A computer was the target

Question 1

Computer assisted crime

Answer 1

When a computer is used as a tool to commit the crime

Question 2

Computer is incidental

Answer 2

A computer is used towards the crime but not for the crime, like storing discovered lotto ticket numbers

Question 3

Zombie, bots, and a botnet oh my

Answer 3

Zombie - a compromised computer
Bots - the software
Botnet - the collection of compromised computers

Question 4

Advanced persistent threat APT

Answer 4

Advanced - highly knowledgable and understanding of the environment
Persistent - will wait for the perfect moment and stake a foothold

Question 5

CoE convention on cybercrime

Answer 5

First true attempt at making internationally accepted cybercrime policies

Question 6

OECD

Answer 6

Cross border policy companies that transfer data across borders should be aware of

Question 7

EU principles on privacy

Answer 7

A directive on how private data should be handled internationally

Question 8

EU data protection directive

Answer 8

All EU union companies must abide by the data protection laws put into place

Question 9

Safe harbor

Answer 9

A set of stopgap policies to make non EU companies in compliance with EU standards more quickly

Question 10

Wassenaar agreement

Answer 10

Exportation restrictions including technology - these are restricted by good and bad countries and some countries have import restrictions like big brother countries who don’t want people to have cryptography

Question 11

Tort law

Answer 11

This is a civil law in the common law system, ie crime against a business or a person financially .. Jury judges on liability

Question 12

What are the law systems of the world?

Answer 12

Common - US/UK
Civil - Most of Europe 
Religious - Muslim
Customary - How it has always been
Mixed - various systems based on local

Question 13

Criminal law

Answer 13

Murder kidnapping etc, judged based on guilt

Question 14

Regulatory law

Answer 14

Building codes and other administrative policies

Question 15

Intellectual property law

Answer 15

Copyright and trademark laws

Question 16

Trade secret

Answer 16

A profitable secret idea or recipe of ideas that could damage a company if leaked

Question 17

Copyright

Answer 17

Protects the expression of an idea, like a painting or programming code

Question 18

Trademark

Answer 18

This is a brand or slogan

Question 19

Patent

Answer 19

This is claiming an invention for a certain number of years before being public domain

Question 20

Software protection association

Answer 20

A group of major companies working together against piracy

Question 21

FAST

Answer 21

London based federation against software theft

Question 22

Digital millennium copyright act

Answer 22

Law that makes it federally illegal to create products or methods that circumvent copyright mechanisms

Question 23

Generic approach to privacy

Answer 23

Horizontal enactment rules that stretch across all industry bounderies

Question 24

Regulation by industry approach to privacy

Answer 24

Specific sector enacted privacy like healthcare

Question 25

PII

Answer 25

Personally identifiable information - this is what people want to keep private and unique

Question 26

SOX

Answer 26

Uses COSO model for compliance and helps keep companies honest

Question 27

HIPAA

Answer 27

Health information privacy act used to secure your PID - violations are extremely steep

Question 28

HITECH act

Answer 28

An added protection for HIPAA rules govern in the civil and criminal sector

Question 29

GLBA

Answer 29

Gramm-Leach-Bliley act enforces financial institutions to develop privacy notices and options for information sharing

This is not just banks

Question 30

Computer fraud and abuse act

Answer 30

Written in 1986 and amended several times after .. Most recently in 2008
.. Protects against knowingly accessing a computer without authorization to or the distribution of malicious code

Question 31

Federal privacy act of 1974

Answer 31

Federal law that states one has the right to sue if government uses private data in an unintended manner

Question 32

PIPEDA

Answer 32

Canadian privacy law protecting PID

Question 33

Basel II

Answer 33

Basel forces banks to have a certain amount of actual money not just ledgers of money .. Basel II requires them to have strong risk mitigation in place

Question 34

PCIDSS

Answer 34

Credit company standardization of security and must be followed by any company that uses them (ie most)

Question 35

FISMA

Answer 35

A law that requires each federal agency to have a risk based for cost effective security policy

Question 36

Economic espionage act

Answer 36

Defined trade secrets to include tech and allowed FBI to investigate industrial and corporate espionage

Question 37

USA PATRIOT

Answer 37

An anti terrorism act to unify and unbound the federal and civil ability to spy on suspected terrorist activity (ie big brother)

Question 38

REP

Answer 38

Reasonable expectation of privacy - implied right of privacy stated by the 4th amendment of the constitution

Question 39

what is the challenge of REP?

Answer 39

If it isn’t stated in the privacy policy and you are terminated, lawsuits can be won for wrongful termination

Question 40

Due care vs due diligence

Answer 40

Due care is when a company does all it could have and properly mitigated damages

Due diligence is the proper investigation into weakness and vulnerability prior to making decisions

Question 41

SAS

Answer 41

Statement on auditing standards

Question 42

SAS 70

Answer 42

Service providing organizations must follow and comply with this standard

Question 43

Downstream liability

Answer 43

When a company that is relying on yours gets affected by your negligence

Question 44

Legally recognized obligation

Answer 44

When a legally written law has been broken

Question 45

Proximate cause

Answer 45

This is the direct and obvious chain of events that are the cause of the plaintiffs damages

Question 46

Procurement process

Answer 46

This is everything from discovery to evaluation to purchasing and aquiring

Question 47

RFP

Answer 47

Request for proposal - a request to vendors designed to solve a business problem and security requirements

Question 48

Vendor management

Answer 48

Developing and monitoring vendor activity and governance of SLA

Question 49

Steps to becoming compliant ?

Answer 49

1. Find out laws that govern your business (SOX HIPPA or GLBA etc)
2. Determine security framework to match the laws (ISO 27001,COSO, etc)
3. Choose a risk methodology (ISO 27005, OCTAVE)
4. Choose a control method (CoBit, NIST 800-53)
5. Implement and comply to standards

Question 50

GRC

Answer 50

Governance Risk Compliance is the three key things that must be accounted for in a business in regard to business health

Question 51

KPI

Answer 51

Key performance indicator - each of the GRC can be audited for key points, these are the KPI

Question 52

What is the difference between incident and event?

Answer 52

Event is a single documented occurrence if an issue and an incident is a series of events

Question 53

What is the purpose of an incident response team?

Answer 53

To follow the incident response policy and know exactly what to do when

Question 54

Incident management

Answer 54

What proactive and reactive steps can be instituted to improve the incident handling?

Question 55

what are the 6 steps to incident response?

Answer 55

Triage
Investigation
Containment
Analysis
Tracking
Recovery

Question 56

Computer forensics

Answer 56

Used to discover digital evidence from the network and computer crime scene

Question 57

What is the key steps to ensure a system does not lose forensic information?

Answer 57

Unplug network
Dump ram to disk
Power off
Clone disk

Question 58

IOCE/SWDGE

Answer 58

Standardization of computer forensics

Question 59

MOM did it

Answer 59

Motive - who? why?
Opportunity - where? When?
Means - knowledge and capability to commit the crime

Question 60

Modes operandi

Answer 60

MO.. A computer hackers habits, call sign, signature or anything to link

Question 61

What are some tools to use to make sure to properly copy a drive?

Answer 61

Encase, FTK Imager, -dd unix

Question 62

Primary and working image

Answer 62

Primary image is stored in a library

Working image is used for analysis

Question 63

Chain of custody

Answer 63

Who has touched the evidence and what was done, precisely, to it since the crime

Question 64

Logs hearsay

Answer 64

Logs will be viewed as heresay unless they are collected on a regular basis by the business before hand

Question 65

Primary vs secondary vs direct evidence

Answer 65

Primary is most reliable and verifiable
Secondary is tamper able yet valid, like verbal or document copies
Direct evidence relies on nothing else to support it

Question 66

Corroboration

Answer 66

The necessity to combine evidence to make a point

Question 67

Enticement vs entrapment

Answer 67

Enticement is the desire to do something illegal

Entrapment is making them do something illegal by tricking them

Question 68

Salami attack

Answer 68

If I take 5c from 50,000 bank accounts I could make 30,000 more a year

Question 69

Data diddling

Answer 69

It was just an extra 0.. I fixed it by moving the extra !

Question 70

Password sniffing

Answer 70

I can find your password if I just got to .shadow file and find your reverse hash!

Question 71

IP spoofing

Answer 71

It wasn’t me, I have a different IP

Question 72

Dumpster diving

Answer 72

You know how you don’t shred anything? Hmm.

Question 73

Wiretap

Answer 73

You really wanted to hear that conversation with grandma didn’t you?

Question 74

Cyber squatting

Answer 74

Not illegal but generally requires legal entities to resolve. A.com will cost 1 million dollars

Question 75

Where can I find the cissp code of ethics?

Answer 75

www.isc2.org

Question 76

Computer ethics foundation

Answer 76

Wrote Ten Commandments of computer ethics

Question 77

Internet architecture board

Answer 77

Internet engineering and top level architect responsible for the health of the Internet based on ethics in RFC 1087

Question 78

Federal sentencing guidelines for organizations

Answer 78

Federal code of ethics used for modifying sentencing