Chapter 9 - Legal Regulations, Investigations, & Compliance Flashcards
Where does the greatest risk of cybercrime come from? A. Outsiders B. Nation-states C. Insiders D. Script kiddies
C. Insiders
What is the largest hindrance to fighting computer crime? A. Computer criminals are generally smarter than computer investigators B. Adequate funding to stay ahead of the computer criminals C. Activity associated with computer crime is truly international D. There are so many more computer criminals than investigators that it is impossible to keep up
C. Activity associated with computer crime is truly international
Computer forensics is the marriage of computer science, information technology, and engineering with … A. Law B. Information Systems C. Analytical thought D. The scientific method
A. Law
What principle allows an investigator to identify aspects of the person responsible for a crime when, whenever committing a crime, the perpetrator leaves residual traces while stealing information? A. Meyer's principle of legal impunity B. Criminalistic principles C. IOCE/Group of 8 Nations principles for computer forensics D. Locard's principle of exchange
D. Locard’s principle of exchange
Which of the following is part of the 5 rules of evidence? A. Be authentic, be redundant, and be admissible B. Be complete, be authentic, and be admissible C. Be complete, be redundant, and be authentic D. Be redundant, be admissible, and be complete
B. Be complete, be authentic, and be admissible
What is not mentioned as a phase of an incident report? A. Documentation B. Prosecution C. Containment D. Investigation
B. Prosecution
Which best emphasizes the abstract concept of law and is influenced by the writings of legal scholars and academics? A. Criminal Law B. Civil Law C. Religious Law D. Administrative Law
B. Civil Law
Which type of intellectual property covers the expression of ideas rather than the ideas themselves? A. Trademark B. Patent C. Copyright D. Trade Secret
B. Copyright
Which type of intellectual property protects the goodwill a merchant or vendor invests in its products? A. Trademark B. Patent C. Copyright D. Trade Secret
A. Trademark
Which of the following are computer forensic guidelines? A. IOCE, MOM, SWGDE B. MOM, SWGDE and IOCE C. IOCE, SWGDE and ACPO D. ACPO, MOM and IOCE
C. IOCE, SWGDE and ACPO
Which of the following are categories of software licensing? A. Freeware, Open Source, and Commercial B. Commercial, Academic, and Open Source C. Academic, Freeware and Open Source D. Freeware, Commercial and Academic
D. Freeware, Commercial, Academic
What are the rights and obligations of individuals and organizations with respect to the collection, use, retention, and disclosure of personal information BEST related to? A. Privacy B. Secrecy C. Availability D. Reliability
A. Privacy
Triage encompasses which of the following incident response subphases? A. Collection, transport, testimony B. Traceback, feedback, loopback C. Detection, identification, notification D. Confidentiality, integrity, availability
C. Detection, identification, notification
The integrity of a forensic bit stream image is determined by: A. Comparing hash totals to the original source B. Keeping good notes C. Taking pictures D. Encrypted keys
A. Comparing hash totals to the original source
When dealing with digital evidence, the crime scene A. Must never be altered B. Must be completely reproducible in a court of law C. Must exist only in one country D. Must have the least amount of contamination that is possible
D. Must have the least amount of contamination as possible
When outsourcing IT systems A. All regulatory and compliance requirements must be passed on to the provider B. the outsourcing organization is free from compliance obligations C. the outsourced IT systems are free from compliance obligations D. the provider is free from compliance obligations
A. All regulatory and compliance requirements must be passed on to the provider
The (ISC)2 code of ethics resolves conflicts between canons by A. there can never be conflicts between canons B. working through adjudication C. the order of the canons D. vetting all canon conflicts through the board of directors
C. the order of the canons
To ensure proper forensics action when needed, an incident response program should … A. Avoid conflicts of interest by ensuring organization legal counsel is not part of the process B. Routinely create forensic images of all desktops and servers C. Only promote closed incidents to law enforcement D. Treat every incident as though it may be a crime
D. Treat every incident as though it may be a crime
A hard drive is recovered from a submerged vehicle. The drive is needed for a court case. What is the best approach to pull information off the drive? A. Wait for the drive to dry and then install it in a desktop and attempt to retrieve the information via normal operating system commands B. Place the drive in a forensic oven to dry it and then use a degausser to remove any residual humidity prior to installing the drive in a laptop and using the OS to pull off the information C. While the drive is still wet use a forensic bit to bit copy program to ensure the drive is preserved in its "native" state D. Contact a professional data recovery organization, explain the situation and request they pull a forensic image
D. Contact a professional data recovery organization, explain the situation and request they pull a forensic image
Common Law
Based on legal precedents, past decisions, and societal traditions; judges are not actively involved in the determination of facts. Common law now relies on statutes and regulations in three branches: Criminal, Tort and Administrative. Criminal - harmful to the public; tort - against an individual or business (origin - criminal law); administrative - an artifact of the Anglo-American common law legal system = governance of public bodies and their proper scope.
Civil Law
Roman Empire; Napoleonic Code of France, 1804. Thought of as a codification of law with reliance on legislation over jurisprudence, though this is not accurate in all places. Emphasizes abstract concepts, is influenced by the writings of legal scholars and academics; judges are distinct from lawyers and play a more active role.
Customary Law
Reflects society's norms and values
Religious Law
Discover truth of law
Mixed Law
Convergence of two or more legal systems
Liability
Legally responsible - negligence is acting without care or failure to act as a reasonable person
Computer Crime
As a tool, as a target (viruses, digital identity theft, computer hacking), or incidental. Greatest risk comes from the inside.
Council of Europe (COE) Convention on Cybercrime
Attempt to respond to criminal behaviors, 30 countries - laws against child porn, ability to prosecute cybercrime, provide international cooperation.
Licensing & Intellectual Property
Laws - protect tangible and intangible items.
Industrial property
Inventions, trademarks, industrial designs and geographic indications of source
Copyright
Literary and artistic work; expression of ideas - minimum 50 years (covered under Berne Convention)
Trademark
Goodwill invested - a word, name, symbol, color, sound, product shape, device or a combination used to identify goods; registered with a government registrar. WIPO (a UN agency) manages.
Patent (strongest)
Exclude others from practicing invention for a specific time - usually 20 years
Trade Secret
not generally known and provides economic benefit, reasonable steps to protect secrecy
Licensing Issues
42% worldwide - for every $2 in software legally purchased, $1 pirated
Master agreements
General overall conditions
End-user licensing
More granular conditions and restrictions
Import/Export
May be illegal to import software - e.g. encryption
Transborder Data Flow
Developed in one country, transmitted through another, and stored in a third - latter can gain jurisdiction
Privacy
Organization for Economic Cooperation and Development (OECD): Collection limitation; Data quality; Purpose specification; Use limitation; Security safeguards; Openness; Individual participation; and Accountability
Employee Monitoring and Surveillance
Europe's Directive on Data Protection: Notice - types of 3rd parties or other uses; Choice - must be explicit with use, opt out of third party; Onward Transfer - written agreement with third party to adhere to same level of privacy protection; Security - protection against loss, misuse, unauthorized access, disclosure, alteration, and destruction; Data Integrity - reliable; Access - individual access; Enforcement - complaints investigated, damages awarded
Cybernetics
Science of information feedback systems
Walter Maner coined
“Computer Ethics”
Regulatory requirement
Minimal ethical standard
1991 US Federal Sentencing Guidelines for Organizations
Outlines minimal ethical requirements; provides reduced penalties if ethics programs are in place. Leader must be knowledgeable about content and operation of program, exercise due diligence, promote ethical culture. Needs 3 sections: purpose of program, 7 minimum requirements, periodic assessment.
U.S. Sarbanes-Oxley Act
Accounting reform; attest to accuracy of financial reporting documents. Section 103 - Auditing, Quality Control and Independence - register public accounting firms, establish audit and quality control ethics. New Item 406(a) - Regulation S-K companies disclose a written code of ethics applied to senior officers, any waivers to the above, changes to the code, and if there is no code of ethics, explain why not.
Computers in the Workplace
How they impact health and job satisfaction, computer crime, privacy and anonymity
Debate on Intellectual Property
Free or get money for development efforts?
Professional Responsibility and Globalization
Global laws, business, education, information flows, rich & poor nations, and interpretation
Computer Game Fallacy
Computers work with exacting accuracy; if the computer allows it, it must be permissible
Law-abiding Citizen Fallacy
Laws and reasonable behavior - some users do not realize ramifications of actions
Shatter Proof Fallacy
What a person does with computer can do minimal harm - not considering impact of actions
Candy from a baby Fallacy
Easy doesn’t make it right
Hacker Fallacy
Acceptable to do anything as long as the motivation is to learn and not profit
Free information fallacy
Information wants to be free - emerged because information is so easy to copy
Hacker
Originally a person who sought to understand; soon it became associated with phreaking
Stephen Levy - Hacker Ethic
- Access to computers unlimited - all information free - authority should be mistrusted & decentralization promoted - hackers should be judged solely on hacking skills - computers can create art and beauty - computers can change life for the better
3 main hacker functions
- promote belief in individual activity - support free market approach to exchange of information - promote belief that computers can have a beneficial and life-changing effect
Code of Fair Information Practices
Similar to the Organization for Economic Cooperation and Development (OECD) principles: Collection limitation; Data quality; Purpose specification; Use limitation; Security safeguards; Openness; Individual participation; and Accountability
Internet Architecture Board (IAB) and RFC 1087
Unethical to: - gain unauthorized access - disrupt intended use of the internet - waste resources - destroy integrity of computer-based information - compromise privacy of users
Computer Ethics Institute - 10 commandments
1. Thou shall not use a computer to harm other people 2. Thou shall not interfere with other people's computer work 3. Thou shall not snoop around in other people's computer files 4. Thou shall not use a computer to steal 5. Thou shall not use a computer to bear false witness 6. Thou shall not copy or use proprietary software for which you have not paid 7. Thou shall not use other people's computer resources without authorization or proper compensation 8. Thou shall not appropriate other people's intellectual output 9. Thou shalt think about the social consequences of the program you are writing or the system you are designing 10. Thou shalt always use a computer in ways that insure consideration and respect for your fellow humans
National Conference on Computing Values
1. Preserve public trust and confidence in computers 2. Enforce fair information practices 3. Protect the legitimate interests of the constituents of the system 4. Resist fraud, waste, and abuse
Working Group on Computer Ethics - End User’s Basic Tenets
1. I understand that just because something is legal, it isn't necessarily moral or right. 2. I understand that people are the ones hurt when computers are used unethically. The fact that computers exist between me and those harmed does not change my moral responsibility toward my fellow humans. 3. I will respect the rights of authors - just because copying is easy, it is not necessarily right. 4. I will not break into other people's computers or read their information. 5. I will not write, acquire or distribute harmful software.
National Computer Ethics and Responsibilities Campaign (NCERC)
Foster computer ethics awareness and education
(ISC)2 Code of Professional Ethics
Professionals resolve conflicts between the canons in the order of the canons. Preamble - adhere to the code. Canons: - Protect society, the common good, & infrastructure - Act honorably, honestly, justly, responsibly, legally - Provide diligent and competent service to principals - Advance and protect the profession
Peter Tippett’s Action Plan to instill ethical computer culture
1. Develop guide to computer ethics 2. Develop policy on computer ethics 3. Add information to employee handbook 4. Expand business ethics policy 5. Learn about it 6. Foster awareness 7. E-mail privacy policy 8. Make sure employees know policy
Golden Rule (Grupe, Garcia-Jay, Kuechler)
Treat others as you would like to be treated
Kant's Categorical Imperative (Grupe, Garcia-Jay, Kuechler)
Action not right for everyone, not right for anyone
Descartes’ Rule of change (Grupe, Garcia-Jay, Kuechler)
Action not repeatable at all times, not right at any time
Utilitarian Principle (Grupe, Garcia-Jay, Kuechler)
Take action that achieves the greatest good
Risk Aversion Principle (Grupe, Garcia-Jay, Kuechler)
Incur the least harm or cost
Avoid Harm (Grupe, Garcia-Jay, Kuechler)
Do no harm
No Free Lunch (Grupe, Garcia-Jay, Kuechler)
All property and information belongs to someone
Legalism (Grupe, Garcia-Jay, Kuechler)
Is it against the law?
Professionalism (Grupe, Garcia-Jay, Kuechler)
Is action contrary to code of ethics?
Evidentiary Guidance (Grupe, Garcia-Jay, Kuechler)
Is there evidence to support or deny the value of taking an action?
Client Choice (Grupe, Garcia-Jay, Kuechler)
Let the people affected decide
Equity (Grupe, Garcia-Jay, Kuechler)
Will cost and benefits be equally distributed?
Competition (Grupe, Garcia-Jay, Kuechler)
Knowledge of Market - build/buy - aware of risk?
Compassion/Last Chance (Grupe, Garcia-Jay, Kuechler)
Equal opportunities exist?
Impartiality/Objectivity (Grupe, Garcia-Jay, Kuechler)
Are decisions biased?
Openness/Full Disclosure (Grupe, Garcia-Jay, Kuechler)
Are people affected aware of system, data being collected?
Confidentiality (Grupe, Garcia-Jay, Kuechler)
Protect information where need to know is not proven; are security features being reduced to hold down expenses?
Trustworthiness/Honesty (Grupe, Garcia-Jay, Kuechler)
Accountable for actions
Michael Davis Ethics Code
Contract between professionals
Donn Parker Ethical Principles
1. Informed consent 2. Higher ethic in the worst case 3. Change of scale test 4. Owners' conservation of ownership 5. Users' conservation of ownership
Digital Investigation
Methodical, verifiable, & auditable - set of procedures and practices
Digital Forensic Science
Collection, Validation, identification, analysis, interpretation, documentation, and presentation of digital evidence
International Organization of Computer Evidence
(IOCE)
Scientific Working Group in Digital Evidence
(SWGDE)
Association of Chief Police Officers
(ACPO)
Generic Guidelines for Forensic Evidence
- Identifying Evidence - Collecting or Acquiring Evidence - Examining or Analyzing the Evidence - Presentation of Findings
Crime Scene
Identify the scene, protect the environment, identify evidence and potential sources of evidence, collect evidence, and minimize the degree of contamination - both physical (servers) and virtual (data)
Locard’s Principle of Exchange
When a crime is committed the perpetrators leave something behind and take something with them
MOM
Means, Motive and Opportunity
MO
Modus operandi - method of operation
Incident Response
Identifying root cause correctly and quickly is extremely important
General Guidelines for Investigation
- All general forensic principles apply also with digital evidence - actions should not change the evidence - person should be trained to access original digital evidence - all activity relating to seizure, access, storage, or transfer must be documented, preserved and available for review - individual is responsible for all actions while digital evidence is in his possession - agency that is responsible for seizing, accessing, storing, or transferring digital evidence is responsible for compliance with these principles
Advice for any form of incident response
Act ethically, in good faith, attempt to do no harm, and do not exceed one’s knowledge, skills and abilities
Rule of Thumb for Investigator’s Methodology
- Minimize handling/corruption of original data - Account for any changes and keep logs - Comply with 5 rules of evidence - Don’t exceed knowledge - Follow your local security policy and obtain written permission - Capture as accurate an image of the system as possible - Be prepared to testify - Ensure your actions are repeatable - Work fast - Proceed from volatile to persistent evidence - Do not run any programs on the affected system
Framework for Incident Handling
- Creation of a Response Capability - Incident Response & Handling - Recovery & Feedback
CERT/CC - Computer Emergency Response Team Coordination Center at Carnegie Mellon
Incident handling model is circular and feeds back into itself - can be broken down into triage, investigation, containment, and analysis and tracking.
Triage Phase
Encompasses detection, identification and notification. False positives are one of the most time-consuming aspects of information security. If not a false positive, the next step is to classify the type of incident and then narrow down to more specific and granular characteristics; this determines the level of potential risk/criticality and the notifications required.
Investigative Phase
Analysis, interpretation, reaction, and recovery from an incident. Desired outcome is to reduce impact, identify root cause, get back up and running and prevent a reoccurrence.
Containment
Reduce the number of other systems and devices that can become affected. Proper documentation must be maintained.
Analysis and Tracking
Focus on determining root cause - look at the initial event, not just the symptoms. Attempt to determine source and point of entry. Requires the ability to read and parse through large log files.
Recovery Phase
Get the system back up and running, and hardened so it can withstand another directed incident. Before putting it back, it should be tested for vulnerabilities and weaknesses.
Chain of Custody
Who, what, when, where, and how the evidence was handled from identification through its entire life cycle, which ends with destruction or permanent archiving.
Ensuring authenticity and integrity of evidence is critical.
Currently relies on hash functions that create unique numerical signatures that are sensitive to any bit change, e.g. SHA-256
Interviewing
An art and a science - only properly trained individuals. The investigator can be charged if policy, law or constitutional rights are violated. Do not conduct alone and videotape if possible. Legal counsel should be present.
End of Incident Phase
Should not end without debriefing and feedback - metric data can start being built as well.
Five rules of evidence
- Be authentic - Be accurate - Be complete - Be convincing - Be admissible
Media analysis
Recovery of information from hard drives, DVDs, CD-ROMs or portable memory devices
Network Analysis
Coined by Markus Ranum. Data from network logs and network activity
Software Analysis
Analysis and examination of program code
Author identification
unique style and eccentricities
Content analysis
Finding purpose of the code
Context analysis
Develop a meta view of the impact of the suspicious software
US National Institute of Standards for hardware/embedded devices
- no actions performed by investigators should change data contained on digital devices or storage media - individuals accessing original data must be competent to do so and have the ability to explain their actions - an audit trail or other record of applied processes, suitable for independent third-party review, must be created and preserved, accurately documenting each investigative step - the person in charge of the investigation has overall responsibility for ensuring the above-mentioned procedures are followed in compliance with governing laws - upon seizing digital evidence, actions taken should not change that evidence - when it is necessary for a person to access original digital evidence, that person must be forensically competent - all activity relating to the seizure, access, storage, or transfer of digital evidence must be fully documented, preserved, and available for review - an individual is responsible for all actions taken with respect to digital evidence while the digital evidence is in their possession
Health Insurance Portability and Accountability Act (HIPAA)
Law requires organizations to comply with reporting of information security breaches and several other controls; failure to comply means fines for an organization
Federal Information Security Management Act (FISMA)
Requires agencies to self-audit and have an independent auditor review their security implementation annually