Chapter 9: Legal, Regulations, Investigations, and Compliance Flashcards
Explanations: Corroborative Evidence
Corroborative evidence is supporting evidence used to help prove an idea or point. It cannot stand on its own but is used as a supplementary tool to help prove a primary piece of evidence.
Emphasis: Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act (HIPAA), a U.S. federal regulation, has been mandated to provide national standards and procedures for the storage, use, and transmission of personal medical information and healthcare data. This regulation provides a framework and guidelines to ensure security, integrity, and privacy when handling confidential medical information. HIPAA outlines how security should be managed for any facility that creates, accesses, shares, or destroys medical information.
Bullets: Safeguards Rule
Develop a written information security plan that describes how the company is prepared for, and plans to continue to protect clients’ nonpublic personal information.
Bullets: Dignitary wrongs
Include invasion of privacy and civil rights violations.
Emphasis: New and Improved SAS 70
SAS 70 is a set of standards that auditors use to evaluate the controls of a service organization as it relates to customers’ internal control over financial reporting. The industry stretched the use of the SAS 70 beyond its original intended purpose. Organizations needed to make sure that their service providers were providing the necessary protection of their digital assets, but the industry did not have a specific standard for this type of evaluation, so we all used SAS 70, which was really just for financial control evaluation.
Explanations: Hacker Intrusion
A financial institution, Cheapo, Inc., buys the necessary middleware to enable it to offer online bank account transactions for its customers. It does not add any of the necessary security safeguards required for this type of transaction to take place over the Internet.
Explanation Bullets: The law made many changes to already existing laws, which are listed here:
- Foreign Intelligence Surveillance Act of 1978
- Electronic Communications Privacy Act of 1986
- Money Laundering Control Act of 1986
- Bank Secrecy Act (BSA)
- Immigration and Nationality Act
Bullets: Minimum Capital Requirements
Measures the risk and spells out the calculation for determining the minimum capital required.
Explanations: The Evolution of Attacks
We have gone from bored teenagers with too much time on their hands to organized crime rings with very defined targets and goals.
Bullets: Access
Individuals must be able to access information held about them, and correct or delete it if it is inaccurate.
Explanation Bullets: Common Internet Crime Schemes
- Auction fraud
- Counterfeit cashier’s check
- Debt elimination
- Parcel courier e-mail scheme
- Employment/business opportunities
- Escrow services fraud
- Investment fraud
- Lotteries
- Nigerian letter, or “419”
- Ponzi/pyramid
- Reshipping
- Third-party receiver of funds
Emphasis: Best Evidence
Best evidence is the primary evidence used in a trial because it provides the most reliability. An example of something that would be categorized as best evidence is an original signed contract. Oral evidence is not considered best evidence because there is no firsthand reliable proof that supports its validity, and it therefore does not have as good a standing as legal documents. Oral evidence cannot be used to dispute a legal document, but it can be used to interpret the document.
Emphasis: Opportunity
Opportunity is the “where” and “when” of a crime. Opportunities usually arise when certain vulnerabilities or weaknesses are present. If a company does not have a firewall, hackers and attackers have all types of opportunities within that network. If a company does not perform access control, auditing, and supervision, employees may have many opportunities to embezzle funds and defraud the company. Once a crime fighter finds out why a person would want to commit a crime (motive), she will look at what could allow the criminal to be successful (opportunity).
Bullets: Enforcement
There must be effective means of enforcing these rules.
Explanation Bullets: 2. Intentionally accessing a computer without authorization to obtain:
- Information contained in a financial record of a financial institution, or contained in a file of a consumer reporting agency on a consumer.
- Information from any department or agency of the United States.
- Information from any protected computer if the conduct involves an interstate or foreign communication.
Explanations: USA PATRIOT Act
Activities to protect the nation are encroaching on citizen privacy. Response: Yep. It usually does.
Emphasis: Dumpster diving
Dumpster diving refers to the concept of rummaging through a company or individual’s garbage for discarded documents, information, and other precious items that could then be used in an attack against that company or person. The intruder would have to gain physical access to the premises, but the area where the garbage is kept is usually not highly guarded. Dumpster diving is unethical, but it’s not illegal. Trespassing is illegal, however, and may be done in the process of dumpster diving. (Laws concerning this may vary in different jurisdictions.)
Emphasis: Computer surveillance
Computer surveillance pertains to auditing events, which passively monitors events by using network sniffers, keyboard monitors, wiretaps, and line monitoring. In most jurisdictions, active monitoring may require a search warrant. In most workplace environments, to legally monitor an individual, the person must be warned ahead of time that her activities may be subject to this type of monitoring.
Explanations: The Crux of Computer Crime Laws
Computer crime laws (sometimes referred to as cyberlaw) around the world deal with some of the core issues: unauthorized modification or destruction, disclosure of sensitive information, unauthorized access, and the use of malware (malicious software).
Emphasis: vendor management governing
A vendor management governing process needs to be set up, which includes performance metrics, service level agreements (SLAs), scheduled meetings, a reporting structure, and someone who is directly responsible. Your company is always responsible for its own risk. Just because it farms out some piece of its operations does not absolve it of this responsibility. The company needs to have a holistic program that defines procurement, contracting, vendor assessment, and monitoring to make sure things are continually healthy and secure.
Explanations: Trade Secret
I Googled Kentucky Fried Chicken’s recipes, but can’t find them. Response: I wonder why.
Emphasis: record
An actual record is information about an individual’s education, medical history, financial history, criminal history, employment, and other similar types of information. Government agencies can maintain this type of information only if it is necessary and relevant to accomplishing the agency’s purpose. The Federal Privacy Act dictates that an agency cannot disclose this information without written permission from the individual. However, like most government acts, legislation, and creeds, there is a list of exceptions.
Explanation Bullets: The core principles defined by the OECD are as follows:
- Collection of personal data should be limited, obtained by lawful and fair means, and with the knowledge of the subject.
- Personal data should be kept complete and current, and be relevant to the purposes for which it is being used.
- Subjects should be notified of the reason for the collection of their personal information at the time that it is collected, and organizations should only use it for that stated purpose.
- Only with the consent of the subject or by the authority of law should personal data be disclosed, made available, or used for purposes other than those previously stated.
- Reasonable safeguards should be put in place to protect personal data against risks such as loss, unauthorized access, modification, and disclosure.
- Developments, practices, and policies regarding personal data should be openly communicated. In addition, subjects should be able to easily establish the existence and nature of personal data, its use, and the identity and usual residence of the organization in possession of that data.
- Subjects should be able to find out whether an organization has their personal information and what that information is, to correct erroneous data, and to challenge denied requests to do so.
- Organizations should be accountable for complying with measures that support the previous principles.
Emphasis: Best evidence
Best evidence is the primary evidence used in a trial because it provides the most reliability. An example of something that would be categorized as best evidence is an original signed contract. Oral evidence is not considered best evidence because there is no firsthand reliable proof that supports its validity, and it therefore does not have as good a standing as legal documents. Oral evidence cannot be used to dispute a legal document, but it can be used to interpret the document.
Bullets: Wrongs against a person
Examples include car accidents, dog bites, and a slip and fall.
Explanation Bullets: The IAB considers the following acts as unethical and unacceptable behavior:
- Purposely seeking to gain unauthorized access to Internet resources
- Disrupting the intended use of the Internet
- Wasting resources (people, capacity, and computers) through purposeful actions
- Destroying the integrity of computer-based information
- Compromising the privacy of others
- Conducting Internet-wide experiments in a negligent manner
Emphasis: Criminal law
Criminal law is used when an individual’s conduct violates the government laws, which have been developed to protect the public. Jail sentences are commonly the punishment for criminal law cases, whereas in civil law cases the punishment is usually an amount of money that the liable individual must pay the victim. For example, in the O.J. Simpson case, he was first tried and found not guilty in the criminal law case, but then was found liable in the civil law case. This seeming contradiction can happen because the burden of proof is lower in civil cases than in criminal cases.
Emphasis: Circumstantial evidence
Circumstantial evidence can prove an intermediate fact that can then be used to deduce or assume the existence of another fact. This type of fact is used so the judge or jury will logically assume the existence of a primary fact. For example, if a suspect told a friend he was going to bring down eBay’s web site, a case could not rest on that piece of evidence alone because it is circumstantial. However, this evidence can cause the jury to assume that because the suspect said he was going to do it, and hours later it happened, maybe he was the one who did the crime.
Emphasis: Data diddling
Data diddling refers to the alteration of existing data. Many times, this modification happens before the data is entered into an application or as soon as it completes processing and is outputted from an application. For instance, if a loan processor is entering information for a customer’s loan of $100,000, but instead enters $150,000 and then moves the extra approved money somewhere else, this would be a case of data diddling. Another example is if a cashier enters an amount of $40 into the cash register, but really charges the customer $60 and keeps the extra $20.
Explanation Bullets: The control objectives are implemented via 12 requirements, as stated at https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml:
- Use and maintain a firewall.
- Reset vendor defaults for system passwords and other security parameters.
- Protect cardholder data at rest.
- Encrypt cardholder data when it is transmitted across public networks.
- Use and update antivirus software.
- Systems and applications must be developed with security in mind.
- Access to cardholder data must be restricted by business “need to know.”
- Each person with computer access must be assigned a unique ID.
- Physical access to cardholder data should be restricted.
- All access to network resources and cardholder data must be tracked and monitored.
- Security systems and processes must be regularly tested.
- A policy must be maintained that addresses information security.
Emphasis: Laws, Directives, and Regulations
Regulation in computer and information security covers many areas for many different reasons. Some issues that require regulation are data privacy, computer misuse, software copyright, data protection, and controls on cryptography. These regulations can be implemented in various arenas, such as government and private sectors for reasons dealing with environmental protection, intellectual property, national security, personal privacy, public order, health and safety, and prevention of fraudulent activities.
Emphasis: salami
A salami attack is one in which the attacker commits several small crimes with the hope that the overall larger crime will go unnoticed. Salami attacks usually take place in the accounting departments of companies, and the most common example of a salami attack involves subtracting a small amount of funds from many accounts with the hope that such an insignificant amount would be overlooked. For example, a bank employee may alter a banking software program to subtract 5 cents from each of the bank’s customers’ accounts once a month and move this amount to the employee’s bank account. If this happened to all of the bank’s 50,000 customer accounts, the intruder could make up to $30,000 a year.
Explanations: Personally Identifiable Information
Personally identifiable information (PII) is data that can be used to uniquely identify, contact, or locate a single person or can be used with other sources to uniquely identify a single individual. It needs to be highly protected because it is commonly used in identity theft, financial crimes, and various criminal activities.
Emphasis: Secondary evidence
Secondary evidence is not viewed as reliable and strong in proving innocence or guilt (or liability in civil cases) when compared to best evidence. Oral evidence, such as a witness’s testimony, and copies of original documents are placed in the secondary evidence category.
Explanations: International Issues
If a hacker in Ukraine attacked a bank in France, whose legal jurisdiction is that? How do these countries work together to identify the criminal and carry out justice? Which country is required to track down the criminal? And which country should take this person to court? Well, we don’t really know exactly. We are still working this stuff out.
Emphasis: Import/Export Legal Requirements
Another complexity that comes into play when an organization is attempting to work with organizations in other parts of the world is import and export laws. Each country has its own specifications when it comes to what is allowed in their borders and what is allowed out. For example, the Wassenaar Arrangement implements export controls for “Conventional Arms and Dual-Use Goods and Technologies.” It is currently made up of 40 countries and lays out rules on how the following items can be exported from country to country:
Explanations: Secondary Evidence
Secondary evidence is not viewed as reliable and strong in proving innocence or guilt (or liability in civil cases) when compared to best evidence. Oral evidence, such as a witness’s testimony, and copies of original documents are placed in the secondary evidence category.
Explanation Bullets: Some examples of computer-assisted crimes are
- Attacking financial systems to carry out theft of funds and/or sensitive information
- Obtaining military and intelligence material by attacking military systems
- Carrying out industrial spying by attacking competitors and gathering confidential business data
- Carrying out information warfare activities by attacking critical national infrastructure systems
- Carrying out hacktivism, which is protesting a government or company’s activities by attacking their systems and/or defacing their web sites.
Emphasis: laws
- Civil legal systems should not be confused with the civil (or tort) laws found in the United States.
Bullets: Notice
Individuals must be informed that their data is being collected and about how it will be used.
Emphasis: Do You Trust Your Neighbor?
Most organizations do not like to think about the fact that the enemy might be inside and working internally to the company. It is more natural to view threats as the faceless unknowns that reside on the outside of our environment. Employees have direct and privileged access to a company’s assets and they are commonly not as highly monitored compared to traffic that is entering the network from external entities. The combination of too much trust, direct access, and the lack of monitoring allows for a lot of internal fraud and abuse to go unnoticed.
Explanations: Conclusive Evidence
Conclusive evidence is irrefutable and cannot be contradicted. Conclusive evidence is very strong all by itself and does not require corroboration.
Emphasis: opinion rule
When a witness testifies, the opinion rule dictates that she must testify to only the facts of the issue and not her opinion of the facts. This is slightly different from when an expert witness is used, because an expert is used primarily for his educated opinion. Most lawyers call in expert witnesses to testify and help the defending or prosecuting sides better understand the subject matter so they can help the judge and jury better understand the matters of the case.
Emphasis: containment
The next stage is containment. In the medical world, if you were found to have tuberculosis, you would be put in an isolation room because no one wants to catch your cooties. In the containment phase, the damage must be mitigated. In the computer world, this could mean that an infected server is taken off the network, firewall configurations are changed to stop an attacker, or the system that is under attack is disconnected from the Internet.
Explanations: Dumpster Diving
I went through your garbage and found your Social Security number, credit card number, network schematics, mother’s maiden name, and evidence that you wear funny underwear.
Explanations: IP Spoofing
I couldn’t have carried out that attack. I have a different address! Response: I’m not convinced.
Explanation Bullets: Certain common ethical fallacies are used by many in the computing world to justify unethical acts. They exist because people look at issues differently and interpret (or misinterpret) rules and laws that have been put into place. The following are examples of these ethical fallacies:
- Hackers only want to learn and improve their skills. Many of them are not making a profit off of their deeds; therefore, their activities should not be seen as illegal or unethical.
- The First Amendment protects and provides the right for U.S. citizens to write viruses.
- Information should be shared freely and openly; therefore, sharing confidential information and trade secrets should be legal and ethical.
- Hacking does not actually hurt anyone.
Explanation Bullets: Some examples of computer-targeted crimes include
- Distributed Denial-of-Service (DDoS) attacks
- Capturing passwords or other sensitive data
- Installing malware with the intent to cause destruction
- Installing rootkits and sniffers for malicious purposes
- Carrying out a buffer overflow to take control of a system
Explanations: Third-Party Risk
We outsource everything. Can we outsource risk? Response: Nope.
Bullets: Choice
Individuals must have the ability to opt out of the collection and forward transfer of the data to third parties.
Explanations: Personal Information
A company that holds medical information, Medical Information, Inc., does not have strict procedures on how patient information is disseminated or shared.
Explanations: Data Diddling
Can I just diddle the data a little? Response: Nope, it’s illegal.
Bullets: Market Discipline
Requires member institutions to disclose their exposure to risk and validate adequate market capital.
Explanation Bullets: Some of the requirements the law lays out for organizations are as follows:
- Obtain consent when they collect, use, or disclose their personal information;
- Collect information by fair and lawful means; and
- Have personal information policies that are clear, understandable, and readily available.
Explanations: Procurement and Vendor Processes
Response: The salesperson took me out to lunch and the product comes in a pretty box. I am sure it is fine.
Emphasis: Incident Investigators
Incident investigators are a breed of their own. Many people suspect they come from a different planet, but to date that hasn’t been proven. Good incident investigators must be aware of suspicious or abnormal activities that others might normally ignore. This is because, due to their training and experience, they may know what is potentially going on behind some abnormal system activity, while another employee would just respond, “Oh, that just happens sometimes. We don’t know why.”
Explanations: Sarbanes-Oxley Act (SOX)
Companies should not cook their books. Response: We should make that a law.
Explanations: Internal Protection of Intellectual Property
Ensuring that specific resources are protected by the previously mentioned laws is very important, but other measures must be taken internally to make sure the resources that are confidential in nature are properly identified and protected.
Emphasis: trade secret
A trade secret is something that is proprietary to a company and important for its survival and profitability. An example of a trade secret is the formula used for a soft drink, such as Coke or Pepsi. The resource that is claimed to be a trade secret must be confidential and protected with certain security precautions and actions. A trade secret could also be a new form of mathematics, the source code of a program, a method of making the perfect jelly bean, or ingredients for a special secret sauce. A trade secret has no expiration date unless the information is no longer secret or no longer provides economic benefit to the company.
Bullets: Financial Privacy Rule
Provide each consumer with a privacy notice that explains the data collected about the consumer, where that data are shared, how that data are used, and how that data are protected. The notice must also identify the consumer’s right to opt out of the data being shared with unaffiliated parties pursuant to the provisions of the Fair Credit Reporting Act.
Emphasis: cyberlaw
Computer crime laws (sometimes referred to as cyberlaw) around the world deal with some of the core issues: unauthorized modification or destruction, disclosure of sensitive information, unauthorized access, and the use of malware (malicious software).
Explanations: Cops or No Cops?
Management needs to make the decision as to whether law enforcement should be called in to handle the security breach. The following are some of the issues to understand if law enforcement is brought in:
Explanations: Investigations
Since computer crimes are only increasing and will never really go away, it is important that all security professionals understand how computer investigations should be carried out. This includes legal requirements for specific situations, understanding the “chain of custody” for evidence, what type of evidence is admissible in court, incident response procedures and escalation processes.
Explanations: Types of Legal Systems
As stated earlier, different countries often have different legal systems. In this section, we will cover the core components of these systems and what differentiates them.
Explanations: Prescreening Personnel
Chapter 2 described why it is important to properly screen individuals before hiring them into a corporation. These steps are necessary to help the company protect itself and to ensure it is getting the type of employee required for the job. This chapter looks at some of the issues from the other side of the table, which deals with that individual’s privacy rights.
Emphasis: Hearsay Evidence
Hearsay evidence pertains to oral or written evidence presented in court that is secondhand and has no firsthand proof of accuracy or reliability. If a witness testifies about something he heard someone else say, it is too far removed from fact and has too many variables that can cloud the truth. If business documents were made during regular business routines, they may be admissible. However, if these records were made just to be presented in court, they could be categorized as hearsay evidence.
Bullets: Package and transport supplies
Antistatic bags, evidence bags and tape, cable ties, and others
Explanations: The Computer Ethics Institute
The Computer Ethics Institute is a nonprofit organization that works to help advance technology by ethical means.
Explanations: Software Piracy
Software piracy occurs when the intellectual or creative work of an author is used or duplicated without permission or compensation to the author. It is an act of infringement on ownership rights, and if the pirate is caught, he could be sued civilly for damages, be criminally prosecuted, or both.
Emphasis: Due Care versus Due Diligence
Due diligence is the act of gathering the necessary information so the best decision-making activities can take place. Before a company purchases another company, it should carry out due diligence activities so that the purchasing company does not have any “surprises” down the road. The purchasing company should investigate all relevant aspects of the past, present, and predictable future of the business of the target company. If this does not take place and the purchase of the new company hurts the original company financially or legally, the decision makers could be found liable (responsible) and negligent by the shareholders.
Emphasis: Conclusive evidence
Conclusive evidence is irrefutable and cannot be contradicted. Conclusive evidence is very strong all by itself and does not require corroboration.
Emphasis: Employee Privacy Issues
We are continuing with our theme of privacy, because it is so important and there are so many aspects of it. Within a corporation, several employee privacy issues must be thought through and addressed if the company wants to be properly protected. An understanding that each state and country may have different privacy laws should prompt the company to investigate exactly what it can and cannot monitor before it does so.
Bullets: Intentional
Examples include assault, intentional infliction of emotional distress, or false imprisonment.
Emphasis: Means
Means pertains to the abilities a criminal would need to be successful. Suppose a crime fighter was asked to investigate a complex embezzlement that took place within a financial institution. If the suspects were three people who knew how to use a mouse, keyboard, and a word processing application, but only one of them was a programmer and system analyst, the crime fighter would realize that this person may have the means to commit this crime much more successfully than the other two individuals.
Emphasis: reliable
For evidence to be reliable, or accurate, it must be consistent with the facts. Evidence cannot be reliable if it is based on someone’s opinion or copies of an original document, because there is too much room for error. Reliable evidence means it is factual and not circumstantial.
Explanation Bullets: Cover all aspects of human life, but commonly divided into:
- Responsibilities and obligations to others.
- Religious duties.
- Knowledge and rules as revealed by God, which define and govern human affairs.
- Rather than create laws, lawmakers and scholars attempt to discover the truth of law.
- Law, in the religious sense, also includes codes of ethics and morality, which are upheld and required by God. For example, Hindu law, Sharia (Islamic law), Halakha (Jewish law), and so on.
Bullets: Disassembly and removal tools
Antistatic bands, pliers, tweezers, screwdrivers, wire cutters, and so on
Explanations: Liability and Its Ramifications
You may not have hacked the system yourself, but it was your responsibility to make sure it could not happen.
Emphasis: Health Information Technology for Economic and Clinical Health (HITECH) Act
In 2009 the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act, was signed into law to promote the adoption and meaningful use of health information technology. Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.
Emphasis: Federal Privacy Act of 1974
In the mid-1960s, a proposal was made that the U.S. government compile and collectively hold in a main federal data bank each individual’s information pertaining to the Social Security Administration, the Census Bureau, the Internal Revenue Service, the Bureau of Labor Statistics, and other limbs of the government. The committee that made this proposal saw this as an efficient way of gathering and centralizing data. Others saw it as a dangerous move against individual privacy and too “Big Brother.” The federal data bank never came to pass because of strong opposition.
Emphasis: Due diligence
In the context of security, due care means that a company did all it could have reasonably done, under the circumstances, to prevent security breaches, and also took reasonable steps to ensure that if a security breach did take place, proper controls or countermeasures were in place to mitigate the damages. In short, due care means that a company practiced common sense and prudent management and acted responsibly. Due diligence means that the company properly investigated all of its possible weaknesses and vulnerabilities.
Bullets: Discover’s program
Discover Information Security and Compliance program (DISC)
Explanations: What Is Admissible in Court?
He is guilty because I don’t like him. Response: Um, I need more than that.
Emphasis: Council of Europe (CoE) Convention on Cybercrime
The Council of Europe (CoE) Convention on Cybercrime is one example of an attempt to create a standard international response to cybercrime. In fact, it is the first international treaty seeking to address computer crimes by coordinating national laws and improving investigative techniques and international cooperation. The convention’s objectives include the creation of a framework for establishing jurisdiction and extradition of the accused. For example, extradition can only take place when the event is a crime in both jurisdictions.
Explanations: Basel II
If a bank cannot follow through on its promises, it can affect the whole economy.
Explanation Bullets: While often overlooked, it is critical that information security issues are addressed in many of the contracts organizations use or enter into during regular business activities. Security considerations should be taken for at least the following contracts types:
- Outsourcing agreements
- Hardware supply
- System maintenance and support
- System leasing agreements
- Consultancy service agreements
- Web site development and support
- Nondisclosure and confidentiality agreements
- Information security management agreements
Explanation Bullets: The U.S. Office of Budget and Management’s definition of PII components are listed here:
- Full name (if not common)
- National identification number
- IP address (in some cases)
- Vehicle registration plate number
- Driver’s license number
- Face, fingerprints, or handwriting
- Credit card numbers
- Digital identity
- Birthday
- Birthplace
- Genetic information
Emphasis: trademark
A trademark is slightly different from a copyright in that it is used to protect a word, name, symbol, sound, shape, color, or combination of these. The reason a company would trademark one of these, or a combination, is that it represents their company (brand identity) to a group of people or to the world. Companies have marketing departments that work very hard in coming up with something new that will cause the company to be noticed and stand out in a crowd of competitors, and trademarking the result of this work with a government registrar is a way of properly protecting it and ensuring others cannot copy and use it.
Emphasis: Surveillance, Search, and Seizure
Two main types of surveillance are used when it comes to identifying computer crimes: physical surveillance and computer surveillance. Physical surveillance pertains to security cameras, security guards, and closed-circuit TV (CCTV), which may capture evidence. Physical surveillance can also be used by an undercover agent to learn about the suspect’s spending activities, family and friends, and personal habits in the hope of gathering more clues for the case.
Explanations: The Many Facets of Cyberlaw
Legal issues are very important to companies because a violation of legal commitments can be damaging to a company’s bottom line and its reputation. A company has many ethical and legal responsibilities it is liable for in regard to computer fraud. The more knowledge one has about these responsibilities, the easier it is to stay within the proper boundaries.
Bullets: Economic wrongs
Examples include patent, copyright, and trademark infringement.
Emphasis: Gramm-Leach-Bliley Act of 1999 (GLBA)
The Gramm-Leach-Bliley Act of 1999 (GLBA) requires financial institutions to develop privacy notices and give their customers the option to prohibit financial institutions from sharing their information with nonaffiliated third parties. The act dictates that the board of directors is responsible for many of the security issues within a financial institution, that risk management must be implemented, that all employees need to be trained on information security issues, and that implemented security measures must be fully tested. It also requires these institutions to have a written security policy in place.
Emphasis: Cybersquatting
Cybersquatting takes place when someone purchases a domain name with the goal of hurting a company with a similar domain name or to carry out extortion. For example, if you owned a company called Bob’s Barbeque, you would probably buy a domain name similar to this and set up your company’s web site. If I purchase very similar domain names that point to your competitors’ sites, this can reduce traffic coming to your site, thus hurting your business. I might do this specifically so that you would want to purchase the domain names from me and I in turn will charge you way too much for these domain names. This is considered trafficking domain names with bad faith intent to profit from the goodwill of a trademark. Some individuals go around purchasing many domain names similar to existing companies just so they can mark up the price on the domain names and make a profit in this manner.
Explanation Bullets: The following items are less often used because they are commonly shared by so many people, but they can fall into the PII classification and may require protection from improper disclosure:
- First or last name, if common
- Country, state, or city of residence
- Age, especially if nonspecific
- Gender or race
- Name of the school they attend or workplace
- Grades, salary, or job position
- Criminal record
Bullets: Strict liability
Examples include a failure to warn of risks and defects in product manufacturing or design.
Explanation Bullets: The next step is the analysis of the evidence. Forensic investigators use a scientific method that involves:
- Determining the characteristics of the evidence, such as whether it’s admissible as primary or secondary evidence, as well as its source, reliability, and permanence
- Comparing evidence from different sources to determine a chronology of events
- Event reconstruction, including the recovery of deleted files and other activity on the system
Emphasis: digital evidence
Forensics is a science and an art that requires specialized techniques for the recovery, authentication, and analysis of electronic data for the purposes of a digital criminal investigation. It is the coming together of computer science, information technology, and engineering with law. When discussing computer forensics with others, you might hear the terms digital forensics, network forensics, electronic data discovery, cyberforensics, and forensic computing. (ISC)2 uses computer forensics as a synonym for all of these other terms, so that’s what you’ll see on the CISSP exam. Computer forensics encompasses all domains in which evidence is in a digital or electronic form, either in storage or on the wire. At one time computer forensics results were differentiated from network and code analysis, but now this entire area is referred to as digital evidence.
Explanation Bullets: FISMA requires agency program officials, chief information officers, and inspectors general (IGs) to conduct annual reviews of the agency’s information security program and report the results to Office of Management and Budget (OMB). OMB uses these data to assist in its oversight responsibilities and to prepare this annual report to Congress on agency compliance with the act. Requirements of FISMA are as follows:
- Inventory of information systems
- Categorize information and information systems according to risk level
- Security controls
- Risk assessment
- System security plan
- Certification and accreditation
- Continuous monitoring
Bullets: Security
Reasonable efforts must be made to prevent loss of collected information.
Emphasis: how
While it is important to know what laws and regulations your company needs to be compliant with, it is also important to know how to ensure that compliance is being met and how to properly convey that to the necessary stakeholders. A compliance program should be developed, which outlines what needs to be put into place to be compliant with the necessary internal and external drivers, and then an audit team will assess how well the organization is doing to meet the identified requirements.
Emphasis: Patents
Patents are given to individuals or companies to grant them legal ownership of, and enable them to exclude others from using or copying, the invention covered by the patent. The invention must be novel, useful, and not obvious—which means, for example, that a company could not patent air. Thank goodness. If a company figured out how to patent air, we would have to pay for each and every breath we took!
Explanations: Forensics Field Kits
When forensics teams are deployed, they should be properly equipped with all of the tools and supplies needed. The following are some of the common items in the forensics field kits:
Explanations: Trademark
My trademark is my stupidity. Response: Good for you!
Bullets: Supervision
Provides a framework for oversight and review to continually analyze risk and improve security measures.
Emphasis: Motive
Motive is the “who” and “why” of a crime. The motive may be induced by either internal or external conditions. A person may be driven by the excitement, challenge, and adrenaline rush of committing a crime, which would be an internal condition. Examples of external conditions might include financial trouble, a sick family member, or other dire straits. Understanding the motive for a crime is an important piece in figuring out who would engage in such an activity. For example, in the past many hackers attacked big-name sites because when the sites went down, it was splashed all over the news. However, once technology advanced to the point where attacks could not bring down these sites, or once these activities were no longer so highly publicized, the individuals eventually stopped initiating these types of attacks because their motives were diminished.
Explanations: Wiretapping
Most communications signals are vulnerable to some type of wiretapping or eavesdropping. It can usually be done undetected and is referred to as a passive attack. Tools used to intercept communications include cellular scanners, radio receivers, microphone receivers, tape recorders, network sniffers, and telephone-tapping devices.
Explanation Bullets: The life cycle of evidence includes:
- Collection and identification
- Storage, preservation, and transportation
- Presentation in court
- Return of the evidence to the victim or owner
Emphasis: Corroborative evidence
Corroborative evidence is supporting evidence used to help prove an idea or point. It cannot stand on its own but is used as a supplementary tool to help prove a primary piece of evidence.
Explanations: Business Records Exception
A legal exception to the U.S. hearsay rule of the Federal Rules of Evidence (FRE) is called the business records exception rule or business entry rule.
Explanations: Password sniffing
is just what it sounds like—sniffing network traffic with the hope of capturing passwords being sent between computers. Several tools are available on the Internet that provide this functionality. Capturing a password is tricky, because it is a piece of data that is usually only used when a user wants to authenticate into a domain or access a resource. Some systems and applications do send passwords over the network in cleartext, but a majority of them do not anymore. Instead, the software performs a one-way hashing function on the password and sends only the resulting value to the authenticating system or service. The authenticating system has a file containing all users’ password hash values, not the passwords themselves, and when the authenticating system is asked to verify a user’s password, it compares the hashing value sent to what it has in its file.
Explanation Bullets: The incident response team should have the following basic items available:
- A list of outside agencies and resources to contact or report to.
- Roles and responsibilities outlined.
- A call tree to contact these roles and outside entities.
- A list of computer or forensics experts to contact.
- Steps on how to secure and preserve evidence.
- A list of items that should be included on a report for management and potentially the courts.
- A description of how the different systems should be treated in this type of situation. (For example, the systems should be removed from both the Internet and the network and powered down.)
Emphasis: Direct evidence
Direct evidence can prove a fact all by itself and does not need backup information to refer to. When direct evidence is used, presumptions are not required. One example of direct evidence is the testimony of a witness who saw a crime take place. Although this oral evidence would be secondary in nature, meaning a case could not rest on just it alone, it is also direct evidence, meaning the lawyer does not necessarily need to provide other evidence to back it up. Direct evidence often is based on information gathered from a witness’s five senses.
Bullets: Onward Transfer
Transfers of data to third parties may only occur to other organizations that follow adequate data protection principles.
Emphasis: Administrative/regulatory law
Administrative/regulatory law deals with regulatory standards that regulate performance and conduct. Government agencies create these standards, which are usually applied to companies and individuals within those specific industries. Some examples of administrative laws could be that every building used for business must have a fire detection and suppression system, must have easily seen exit signs, and cannot have blocked doors, in case of a fire. Companies that produce and package food and drug products are regulated by many standards so the public is protected and aware of their actions. If a case was made that specific standards were not abided by, high officials in the companies could be held accountable, as in a company that makes tires that shred after a couple of years of use. The people who held high positions in this company were most likely aware of these conditions but chose to ignore them to keep profits up. Under administrative, criminal, and civil law, they may have to pay dearly for these decisions.
Cops or No Cops? : Management needs to make the decision as to whether law enforcement should be called in to handle the security breach. The following are some of the issues to understand if law enforcement is brought in:
- Company loses control over investigation once law enforcement is involved.
- Secrecy of compromise is not promised; it could become part of public record.
- Effects on reputation need to be considered (the ramifications of this information reaching customers, shareholders, and so on).
- Evidence will be collected and may not be available for a long period of time. It may take a year or so to get into court.
Explanation Bullets:
- Based on previous interpretations of laws:
- In the past, judges would walk throughout the country enforcing laws and settling disputes.
- They did not have a written set of laws, so they based their laws on custom and precedent.
- In the 12th century, the King of England imposed a unified legal system that was “common” to the entire country.
- Reflects the community’s morals and expectations.
- Led to the creation of barristers, or lawyers, who actively participate in the litigation process through the presentation of evidence and arguments.
- Today, the common law system uses judges and juries of peers. If the jury trial is waived, the judge decides the facts.
- Typical systems consist of a higher court, several intermediate appellate courts, and many local trial courts. Precedent flows down through this system. Tradition also allows for “magistrate’s courts,” which address administrative decisions.
- The common law system is broken down into the following:
- Criminal
- Based on common law, statutory law, or a combination of both.
- Addresses behavior that is considered harmful to society.
- Punishment usually involves a loss of freedom, such as incarceration, or monetary fines.
- Civil/tort
- Offshoot of criminal law.
- Under civil law, the defendant owes a legal duty to the victim. In other words, the defendant is obligated to conform to a particular standard of conduct, usually set by what a “reasonable man of ordinary prudence” would do to prevent foreseeable injury to the victim.
- The defendant’s breach of that duty causes injury to the victim; usually physical or financial.
- Categories of civil law:
Emphasis: Computer Criminal Behavior
Like traditional criminals, computer criminals have a specific modus operandi (MO). In other words, criminals use a distinct method of operation to carry out their crime that can be used to help identify them. The difference with computer crimes is that the investigator, obviously, must have knowledge of technology. For example, an MO for computer criminals may include the use of specific hacking tools, or targeting specific systems or networks. The method usually involves repetitive signature behaviors, such as sending e-mail messages or programming syntax. Knowledge of the criminal’s MO and signature behaviors can be useful throughout the investigative process. Law enforcement can use the information to identify other offenses by the same criminal, for example. The MO and signature behaviors can also provide information that is useful during the interview and interrogation process as well as the trial.
Explanation Bullets: The investigator works from the duplicate image because it preserves the original evidence, prevents inadvertent alteration of original evidence during examination, and allows re-creation of the duplicate image if necessary. Most media are “magnetic based,” and the data are volatile and can be contained in the following:
- Registers and cache
- Process tables and ARP cache
- System memory (RAM, ROM)
- Temporary file systems
- Special disk sectors
Emphasis: Personal Privacy Protection
End users are also responsible for their own privacy, especially as it relates to protecting the data that are on their own systems. End users should be encouraged to use common sense and best practices. This includes the use of encryption to protect sensitive personal information, as well as firewalls, antivirus software, and patches to protect computers from becoming infected with malware. Documents containing personal information, such as credit card statements, should also be shredded. Also, it’s important for end users to understand that when data are given to a third party, they are no longer under their control.
Controlling the Crime Scene : Whether the crime scene is physical or digital, it is important to control who comes in contact with the evidence of the crime to ensure its integrity. The following are just some of the steps that should take place to protect the crime scene:
- Only allow authorized individuals access to the scene. These individuals should have knowledge of basic crime scene analysis.
- Document who is at the crime scene.
- In court, the integrity of the evidence may be in question if there are too many people milling around.
- Document who were the last individuals to interact with the systems.
- If the crime scene does become contaminated, document it. The contamination may not negate the derived evidence, but it will make investigating the crime more challenging.
Emphasis: Personal Information Protection and Electronic Documents Act (PIPEDA)
Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian law that deals with the protection of personal information. One of its main goals is to oversee how the private sector collects, uses, and discloses personal information in regular business activities. The law was enacted to help and promote consumer trust and facilitate electronic commerce. It was also put into place to reassure other countries that Canadian businesses would protect privacy data so that cross-border transactions and business activities could take place in a more assured manner.
Emphasis: Opinion Evidence
When a witness testifies, the opinion rule dictates that she must testify to only the facts of the issue and not her opinion of the facts. This is slightly different from when an expert witness is used, because an expert is used primarily for his educated opinion. Most lawyers call in expert witnesses to testify and help the defending or prosecuting sides better understand the subject matter so they can help the judge and jury better understand the matters of the case.
Emphasis: Incident management
Incident management includes proactive and reactive processes. Proactive measures need to be put into place so that incidents can actually be detected in a controllable manner, and reactive measures need to be put into place so those incidents are then dealt with properly.
Emphasis: Interviewing and Interrogating
Once surveillance and search and seizure activities have been performed, it is very likely that suspects must be interviewed and interrogated. However, interviewing is both an art and a science, and the interview should be conducted by a properly trained professional. Even then, the interview may only be conducted after consultation with legal counsel. This doesn’t, however, completely relieve you as an information security professional from responsibility during the interviewing process. You may be asked to provide input or observe an interview in order to clarify technical information that comes up in the course of questioning. When this is needed, there should be one person in charge of the interview or interrogation, with one or two others present. Both the topics of discussion and the questions should be prepared beforehand and asked in a systematic and calm fashion, because the purpose of an interrogation is to obtain evidence for a trial.
Explanation Bullets: Section 13410(d) of the HITECH Act revised Section 1176(a) of the Social Security Act (the Act) by establishing:
- Four categories of violations that reflect increasing levels of culpability;
- Four corresponding tiers of penalty amounts that significantly increase the minimum penalty amount for each violation; and
- A maximum penalty amount of $1.5 million for all violations of an identical provision.
Bullets: Pretexting Protection
Implement safeguards against pretexting (social engineering).
Emphasis: Circumstantial Evidence
Circumstantial evidence can prove an intermediate fact that can then be used to deduce or assume the existence of another fact. This type of fact is used so the judge or jury will logically assume the existence of a primary fact. For example, if a suspect told a friend he was going to bring down eBay’s web site, a case could not rest on that piece of evidence alone because it is circumstantial. However, this evidence can cause the jury to assume that because the suspect said he was going to do it, and hours later it happened, maybe he was the one who did the crime.
Explanation Bullets: You should understand the following set of procedures (stages) for incident response:
- Triage
- Investigation
- Containment
- Analysis
- Tracking
- Recovery
What Can We Learn from This? : Closure of an incident is determined by the nature or category of the incident, the desired incident response outcome (for example, business resumption or system restoration), and the team’s success in determining the incident’s source and root cause. Once it is determined that the incident is closed, it is a good idea to have a team briefing that includes all groups affected by the incident to answer the following questions:
- What happened?
- What did we learn?
- How can we do it better next time?
The Forensics Investigation Process : To ensure that forensics activities are carried out in a standardized manner, it is necessary for the team to follow specific laid-out steps so nothing is missed and thus ensure the evidence is admissible. Figure 9-5 illustrates the phases through a common investigation process. Each team or company may commonly come up with their own steps, but all should be essentially accomplishing the same things:
- Identification
- Preservation
- Collection
- Examination
- Analysis
- Presentation
- Decision
Explanation Bullets: The foundation of admissibility is based on the following items:
- Procedures for collecting and maintaining evidence
- Proof of how errors were avoided
- Identification of custodian and skill set
- Reasonable explanations for
- Why certain actions were taken
- Why specific procedures were bypassed
Emphasis: Response: I am sure there are no privacy issues to be concerned about
You don’t even want to know about all the data Google collects on you. Response: I am sure there are no privacy issues to be concerned about.
Emphasis: Federal Sentencing Guidelines for Organizations (FSGO)
The Federal Sentencing Guidelines for Organizations (FSGO) is an outline of ethical requirements, and in some cases it will reduce the criminal sentencing and liability if ethical programs are put in place. It was updated with requirements that made it much more important for the senior executives and board members of an organization to actively participate in and be aware of the ethics program in the organization. The intent is to enforce and foster a sense of due diligence that will detect criminal activity as well as protect against it and deter it from happening. Aspects of the Sarbanes-Oxley Act of 2002 are intended to function in much the same manner but with regard to accounting and truthfulness in corporate reporting.
Bullets: Data Integrity
Data must be relevant and reliable for the purpose it was collected for.
Emphasis: Personally identifiable information (PII)
Personally identifiable information (PII) is data that can be used to uniquely identify, contact, or locate a single person or can be used with other sources to uniquely identify a single individual. It needs to be highly protected because it is commonly used in identity theft, financial crimes, and various criminal activities.
Emphasis: Economic Espionage Act of 1996
Prior to 1996, industry and corporate espionage was taking place with no real guidelines for who could properly investigate the events. The Economic Espionage Act of 1996 provides the necessary structure when dealing with these types of cases and further defines trade secrets to be technical, business, engineering, scientific, or financial. This means that an asset does not necessarily need to be tangible to be protected or be stolen. Thus, this act enables the FBI to investigate industrial and corporate espionage cases.
Emphasis: Electronic Assets
Another complexity that the digital world has brought upon society is defining what has to be protected and to what extent. We have gone through a shift in the business world pertaining to assets that need to be protected. Fifteen years ago and more, the assets that most companies concerned themselves with protecting were tangible ones (equipment, building, manufacturing tools, inventory). Now companies must add data to their list of assets, and data are usually at the very top of that list: product blueprints, Social Security numbers, medical information, credit card numbers, personal information, trade secrets, military deployment and strategies, and so on. Although the military has always had to worry about keeping their secrets secret, they have never had so many entry points to the secrets that had to be controlled. Companies are still having a hard time not only protecting their data in digital format, but defining what constitutes sensitive data and where that data should be kept.
Emphasis: relevant
For evidence to be relevant, it must have a reasonable and sensible relationship to the findings. If a judge rules that a person’s past traffic tickets cannot be brought up in a murder trial, this means the judge has ruled that the traffic tickets are not relevant to the case at hand. Therefore, the prosecuting lawyer cannot even mention them in court.
Emphasis: incident response team
All organizations should develop an incident response team, as mandated by the incident response policy, to respond to the large array of possible security incidents. The purpose of having an incident response team is to ensure that there is a group of people who are properly skilled, who follow a standard set of procedures, and who are singled out and called upon when this type of event takes place. The team should have proper reporting procedures established, be prompt in their reaction, work in coordination with law enforcement, and be an important element of the overall security program. The team should consist of representatives from various business units, such as the legal department, HR, executive management, the communications department, physical/corporate security, IS security, and information technology.
Emphasis: sufficient
For evidence to be complete, it must present the whole truth of an issue. For the evidence to be sufficient, or believable, it must be persuasive enough to convince a reasonable person of the validity of the evidence. This means the evidence cannot be subject to personal interpretation. Sufficient evidence also means it cannot be easily doubted.
Emphasis: expression
In the United States, copyright law protects the right of an author to control the public distribution, reproduction, display, and adaptation of his original work. The law covers many categories of work: pictorial, graphic, musical, dramatic, literary, pantomime, motion picture, sculptural, sound recording, and architectural. Copyright law does not cover the specific resource, as does trade secret law. It protects the expression of the idea of the resource instead of the resource itself. A copyright is usually used to protect an author’s writings, an artist’s drawings, a programmer’s source code, or specific rhythms and structures of a musician’s creation. Computer programs and manuals are just two examples of items protected under the Federal Copyright Act. The item is covered under copyright law once the program or manual has been written. Although including a warning and the copyright symbol (©) is not required, doing so is encouraged so others cannot claim innocence after copying another’s work.
Emphasis: Federal Information Security Management Act (FISMA)
The Federal Information Security Management Act (FISMA) of 2002 is a U.S. law that requires every federal agency to create, document, and implement an agency-wide security program to provide protection for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. It explicitly emphasizes a “risk-based policy for cost-effective security.”
Explanations: A Few Different Attack Types
Several categories of computer crimes can be committed, and different methods exist to commit those crimes. The following sections go over some of the types of computer fraud and abuses.
Explanations: Computer Fraud and Abuse Act
The Computer Fraud and Abuse Act was written in 1986 and amended in 1988, 1994, 1996, 2001 by the USA PATRIOT Act, 2002, and 2008 by the Identity Theft Enforcement and Restitution Act. It is the primary U.S. federal antihacking statute. The following outlines the specifics of the law:
Emphasis: The Increasing Need for Privacy Laws
Privacy is different from security, and although the concepts can intertwine, they are distinctively different. Privacy is the ability of an individual or group to control who has certain types of information about them. Privacy is an individual’s right to determine what data they would like others to know about themselves, which people are permitted to know that data, and the ability to determine when those people can access it. Security is used to enforce these privacy rights.
Emphasis: Hearsay evidence
Hearsay evidence pertains to oral or written evidence presented in court that is secondhand and has no firsthand proof of accuracy or reliability. If a witness testifies about something he heard someone else say, it is too far removed from fact and has too many variables that can cloud the truth. If business documents were made during regular business routines, they may be admissible. However, if these records were made just to be presented in court, they could be categorized as hearsay evidence.