CHAPTER 9_Legal, Regulations, Investigations, and Compliance Flashcards
Explanations: Corroborative Evidence
Corroborative evidence is supporting evidence used to help prove an idea or point. It cannot stand on its own but is used as a supplementary tool to help prove a primary piece of evidence.
Emphasis: Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act (HIPAA), a U.S. federal regulation, has been mandated to provide national standards and procedures for the storage, use, and transmission of personal medical information and healthcare data. This regulation provides a framework and guidelines to ensure security, integrity, and privacy when handling confidential medical information. HIPAA outlines how security should be managed for any facility that creates, accesses, shares, or destroys medical information.
Bullets: Safeguards Rule
Develop a written information security plan that describes how the company is prepared for, and plans to continue to protect clients’ nonpublic personal information.
Bullets: Dignitary wrongs
Include invasion of privacy and civil rights violations.
Emphasis: New and Improved SAS 70
SAS 70 is a set of standards that auditors use to evaluate the controls of a service organization as it relates to customers’ internal control over financial reporting. The industry stretched the use of the SAS 70 beyond its original intended purpose. Organizations needed to make sure that their service providers were providing the necessary protection of their digital assets, but the industry did not have a specific standard for this type of evaluation, so we all used SAS 70, which was really just for financial control evaluation.
Explanations: Hacker Intrusion
A financial institution, Cheapo, Inc., buys the necessary middleware to enable it to offer online bank account transactions for its customers. It does not add any of the necessary security safeguards required for this type of transaction to take place over the Internet.
Explanation Bullets: The law made many changes to already existing laws, which are listed here:
- Foreign Intelligence Surveillance Act of 1978
- Electronic Communications Privacy Act of 1986
- Money Laundering Control Act of 1986
- Bank Secrecy Act (BSA)
- Immigration and Nationality Act
Bullets: Minimum Capital Requirements
Measures the risk and spells out the calculation for determining the minimum capital required.
Explanations: The Evolution of Attacks
We have gone from bored teenagers with too much time on their hands to organized crime rings with very defined targets and goals.
Bullets: Access
Individuals must be able to access information held about them, and correct or delete it if it is inaccurate.
Explanation Bullets: Common Internet Crime Schemes
- Auction fraud
- Counterfeit cashier’s check
- Debt elimination
- Parcel courier e-mail scheme
- Employment/business opportunities
- Escrow services fraud
- Investment fraud
- Lotteries
- Nigerian letter, or “419”
- Ponzi/pyramid
- Reshipping
- Third-party receiver of funds
Emphasis: Best Evidence
Best evidence is the primary evidence used in a trial because it provides the most reliability. An example of something that would be categorized as best evidence is an original signed contract. Oral evidence is not considered best evidence because there is no firsthand reliable proof that supports its validity, and it therefore does not have as good a standing as legal documents. Oral evidence cannot be used to dispute a legal document, but it can be used to interpret the document.
Emphasis: Opportunity
Opportunity is the “where” and “when” of a crime. Opportunities usually arise when certain vulnerabilities or weaknesses are present. If a company does not have a firewall, hackers and attackers have all types of opportunities within that network. If a company does not perform access control, auditing, and supervision, employees may have many opportunities to embezzle funds and defraud the company. Once a crime fighter finds out why a person would want to commit a crime (motive), she will look at what could allow the criminal to be successful (opportunity).
Bullets: Enforcement
There must be effective means of enforcing these rules.
Explanation Bullets: 2. Intentionally accessing a computer without authorization to obtain:
- Information contained in a financial record of a financial institution, or contained in a file of a consumer reporting agency on a consumer.
- Information from any department or agency of the United States.
- Information from any protected computer if the conduct involves an interstate or foreign communication.
Explanations: USA PATRIOT Act
Activities to protect the nation are encroaching on citizen privacy. Response: Yep. It usually does.
Emphasis: Dumpster diving
Dumpster diving refers to the concept of rummaging through a company or individual’s garbage for discarded documents, information, and other precious items that could then be used in an attack against that company or person. The intruder would have to gain physical access to the premises, but the area where the garbage is kept is usually not highly guarded. Dumpster diving is unethical, but it’s not illegal. Trespassing is illegal, however, and may be done in the process of dumpster diving. (Laws concerning this may vary in different jurisdictions.)
Emphasis: Computer surveillance
Computer surveillance pertains to auditing events; it passively monitors events by using network sniffers, keyboard monitors, wiretaps, and line monitoring. In most jurisdictions, active monitoring may require a search warrant. In most workplace environments, to legally monitor an individual, the person must be warned ahead of time that her activities may be subject to this type of monitoring.
Explanations: The Crux of Computer Crime Laws
Computer crime laws (sometimes referred to as cyberlaw) around the world deal with some of the core issues: unauthorized modification or destruction, disclosure of sensitive information, unauthorized access, and the use of malware (malicious software).
Emphasis: vendor management governing
A vendor management governing process needs to be set up, which includes performance metrics, service level agreements (SLAs), scheduled meetings, a reporting structure, and someone who is directly responsible. Your company is always responsible for its own risk. Just because it farms out some piece of its operations does not absolve it of this responsibility. The company needs to have a holistic program that defines procurement, contracting, vendor assessment, and monitoring to make sure things are continually healthy and secure.
Explanations: Trade Secret
I Googled Kentucky Fried Chicken’s recipes, but can’t find them. Response: I wonder why.
Emphasis: record
An actual record is information about an individual’s education, medical history, financial history, criminal history, employment, and other similar types of information. Government agencies can maintain this type of information only if it is necessary and relevant to accomplishing the agency’s purpose. The Federal Privacy Act dictates that an agency cannot disclose this information without written permission from the individual. However, like most government acts, legislation, and creeds, there is a list of exceptions.
Explanation Bullets: The core principles defined by the OECD are as follows:
- Collection of personal data should be limited, obtained by lawful and fair means, and with the knowledge of the subject.
- Personal data should be kept complete and current, and be relevant to the purposes for which it is being used.
- Subjects should be notified of the reason for the collection of their personal information at the time that it is collected, and organizations should only use it for that stated purpose.
- Only with the consent of the subject or by the authority of law should personal data be disclosed, made available, or used for purposes other than those previously stated.
- Reasonable safeguards should be put in place to protect personal data against risks such as loss, unauthorized access, modification, and disclosure.
- Developments, practices, and policies regarding personal data should be openly communicated. In addition, subjects should be able to easily establish the existence and nature of personal data, its use, and the identity and usual residence of the organization in possession of that data.
- Subjects should be able to find out whether an organization has their personal information and what that information is, to correct erroneous data, and to challenge denied requests to do so.
- Organizations should be accountable for complying with measures that support the previous principles.
Bullets: Wrongs against a person
Examples include car accidents, dog bites, and a slip and fall.
Explanation Bullets: The IAB considers the following acts as unethical and unacceptable behavior:
- Purposely seeking to gain unauthorized access to Internet resources
- Disrupting the intended use of the Internet
- Wasting resources (people, capacity, and computers) through purposeful actions
- Destroying the integrity of computer-based information
- Compromising the privacy of others
- Conducting Internet-wide experiments in a negligent manner
Emphasis: Criminal law
Criminal law is used when an individual’s conduct violates the government laws, which have been developed to protect the public. Jail sentences are commonly the punishment for criminal law cases, whereas in civil law cases the punishment is usually an amount of money that the liable individual must pay the victim. For example, in the O.J. Simpson case, he was first tried and found not guilty in the criminal law case, but then was found liable in the civil law case. This seeming contradiction can happen because the burden of proof is lower in civil cases than in criminal cases.
Emphasis: Circumstantial evidence
Circumstantial evidence can prove an intermediate fact that can then be used to deduce or assume the existence of another fact. This type of fact is used so the judge or jury will logically assume the existence of a primary fact. For example, if a suspect told a friend he was going to bring down eBay’s web site, a case could not rest on that piece of evidence alone because it is circumstantial. However, this evidence can cause the jury to assume that because the suspect said he was going to do it, and hours later it happened, maybe he was the one who did the crime.
Emphasis: Data diddling
Data diddling refers to the alteration of existing data. Many times, this modification happens before the data is entered into an application or as soon as it completes processing and is outputted from an application. For instance, if a loan processor is entering information for a customer’s loan of $100,000, but instead enters $150,000 and then moves the extra approved money somewhere else, this would be a case of data diddling. Another example is if a cashier enters an amount of $40 into the cash register, but really charges the customer $60 and keeps the extra $20.
Explanation Bullets: The control objectives are implemented via 12 requirements, as stated at https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml:
- Use and maintain a firewall.
- Reset vendor defaults for system passwords and other security parameters.
- Protect cardholder data at rest.
- Encrypt cardholder data when it is transmitted across public networks.
- Use and update antivirus software.
- Systems and applications must be developed with security in mind.
- Access to cardholder data must be restricted by business “need to know.”
- Each person with computer access must be assigned a unique ID.
- Physical access to cardholder data should be restricted.
- All access to network resources and cardholder data must be tracked and monitored.
- Security systems and processes must be regularly tested.
- A policy must be maintained that addresses information security.
Emphasis: Laws, Directives, and Regulations
Regulation in computer and information security covers many areas for many different reasons. Some issues that require regulation are data privacy, computer misuse, software copyright, data protection, and controls on cryptography. These regulations can be implemented in various arenas, such as government and private sectors for reasons dealing with environmental protection, intellectual property, national security, personal privacy, public order, health and safety, and prevention of fraudulent activities.
Emphasis: salami
A salami attack is one in which the attacker commits several small crimes with the hope that the overall larger crime will go unnoticed. Salami attacks usually take place in the accounting departments of companies, and the most common example of a salami attack involves subtracting a small amount of funds from many accounts with the hope that such an insignificant amount would be overlooked. For example, a bank employee may alter a banking software program to subtract 5 cents from each of the bank’s customers’ accounts once a month and move this amount to the employee’s bank account. If this happened to all of the bank’s 50,000 customer accounts, the intruder could make up to $30,000 a year.
Explanations: Personally Identifiable Information
Personally identifiable information (PII) is data that can be used to uniquely identify, contact, or locate a single person or can be used with other sources to uniquely identify a single individual. It needs to be highly protected because it is commonly used in identity theft, financial crimes, and various criminal activities.
Emphasis: Secondary evidence
Secondary evidence is not viewed as reliable and strong in proving innocence or guilt (or liability in civil cases) when compared to best evidence. Oral evidence, such as a witness’s testimony, and copies of original documents are placed in the secondary evidence category.
Explanations: International Issues
If a hacker in Ukraine attacked a bank in France, whose legal jurisdiction is that? How do these countries work together to identify the criminal and carry out justice? Which country is required to track down the criminal? And which country should take this person to court? Well, we don’t really know exactly. We are still working this stuff out.
Emphasis: Import/Export Legal Requirements
Another complexity that comes into play when an organization is attempting to work with organizations in other parts of the world is import and export laws. Each country has its own specifications when it comes to what is allowed in their borders and what is allowed out. For example, the Wassenaar Arrangement implements export controls for “Conventional Arms and Dual-Use Goods and Technologies.” It is currently made up of 40 countries and lays out rules on how the following items can be exported from country to country:
Explanation Bullets: Some examples of computer-assisted crimes are
- Attacking financial systems to carry out theft of funds and/or sensitive information
- Obtaining military and intelligence material by attacking military systems
- Carrying out industrial spying by attacking competitors and gathering confidential business data
- Carrying out information warfare activities by attacking critical national infrastructure systems
- Carrying out hacktivism, which is protesting a government or company’s activities by attacking their systems and/or defacing their web sites
Emphasis: laws
- Civil legal systems should not be confused with the civil (or tort) laws found in the United States.
Bullets: Notice
Individuals must be informed that their data is being collected and about how it will be used.
Emphasis: Do You Trust Your Neighbor?
Most organizations do not like to think about the fact that the enemy might be inside and working internally to the company. It is more natural to view threats as the faceless unknowns that reside on the outside of our environment. Employees have direct and privileged access to a company’s assets and they are commonly not as highly monitored compared to traffic that is entering the network from external entities. The combination of too much trust, direct access, and the lack of monitoring allows for a lot of internal fraud and abuse to go unnoticed.
Explanations: Conclusive Evidence
Conclusive evidence is irrefutable and cannot be contradicted. Conclusive evidence is very strong all by itself and does not require corroboration.
Emphasis: opinion rule
When a witness testifies, the opinion rule dictates that she must testify to only the facts of the issue and not her opinion of the facts. This is slightly different from when an expert witness is used, because an expert is used primarily for his educated opinion. Most lawyers call in expert witnesses to testify and help the defending or prosecuting sides better understand the subject matter so they can help the judge and jury better understand the matters of the case.
Emphasis: containment
The next stage is containment. In the medical world, if you were found to have tuberculosis, you would be put in an isolation room because no one wants to catch your cooties. In the containment phase, the damage must be mitigated. In the computer world, this could mean that an infected server is taken off the network, firewall configurations are changed to stop an attacker, or the system that is under attack is disconnected from the Internet.
Explanations: Dumpster Diving
I went through your garbage and found your Social Security number, credit card number, network schematics, mother’s maiden name, and evidence that you wear funny underwear.
Explanations: IP Spoofing
I couldn’t have carried out that attack. I have a different address! Response: I’m not convinced.
Explanation Bullets: Certain common ethical fallacies are used by many in the computing world to justify unethical acts. They exist because people look at issues differently and interpret (or misinterpret) rules and laws that have been put into place. The following are examples of these ethical fallacies:
- Hackers only want to learn and improve their skills. Many of them are not making a profit off of their deeds; therefore, their activities should not be seen as illegal or unethical.
- The First Amendment protects and provides the right for U.S. citizens to write viruses.
- Information should be shared freely and openly; therefore, sharing confidential information and trade secrets should be legal and ethical.
- Hacking does not actually hurt anyone.
Explanation Bullets: Some examples of computer-targeted crimes include
- Distributed Denial-of-Service (DDoS) attacks
- Capturing passwords or other sensitive data
- Installing malware with the intent to cause destruction
- Installing rootkits and sniffers for malicious purposes
- Carrying out a buffer overflow to take control of a system
Explanations: Third-Party Risk
We outsource everything. Can we outsource risk? Response: Nope.
Bullets: Choice
Individuals must have the ability to opt out of the collection and forward transfer of the data to third parties.
Explanations: Personal Information
A company that holds medical information, Medical Information, Inc., does not have strict procedures on how patient information is disseminated or shared.
Explanations: Data Diddling
Can I just diddle the data a little? Response: Nope, it’s illegal.
Bullets: Market Discipline
Requires member institutions to disclose their exposure to risk and validate adequate market capital.
Explanation Bullets: Some of the requirements the law lays out for organizations are as follows:
- Obtain consent when they collect, use, or disclose their personal information;
- Collect information by fair and lawful means; and
- Have personal information policies that are clear, understandable, and readily available.
Explanations: Procurement and Vendor Processes
Response: The salesperson took me out to lunch and the product comes in a pretty box. I am sure it is fine.
Emphasis: Incident Investigators
Incident investigators are a breed of their own. Many people suspect they come from a different planet, but to date that hasn’t been proven. Good incident investigators must be aware of suspicious or abnormal activities that others might normally ignore. This is because, due to their training and experience, they may know what is potentially going on behind some abnormal system activity, while another employee would just respond, “Oh, that just happens sometimes. We don’t know why.”
Explanations: Sarbanes-Oxley Act (SOX)
Companies should not cook their books. Response: We should make that a law.
Explanations: Internal Protection of Intellectual Property
Ensuring that specific resources are protected by the previously mentioned laws is very important, but other measures must be taken internally to make sure the resources that are confidential in nature are properly identified and protected.
Emphasis: trade secret
A trade secret is something that is proprietary to a company and important for its survival and profitability. An example of a trade secret is the formula used for a soft drink, such as Coke or Pepsi. The resource that is claimed to be a trade secret must be confidential and protected with certain security precautions and actions. A trade secret could also be a new form of mathematics, the source code of a program, a method of making the perfect jelly bean, or ingredients for a special secret sauce. A trade secret has no expiration date unless the information is no longer secret or no longer provides economic benefit to the company.
Bullets: Financial Privacy Rule
Provide each consumer with a privacy notice that explains the data collected about the consumer, where that data are shared, how that data are used, and how that data are protected. The notice must also identify the consumer’s right to opt out of the data being shared with unaffiliated parties pursuant to the provisions of the Fair Credit Reporting Act.