Law and Compliance Flashcards
Section 1 of the CMA 1990 concerns what?
Unauthorised access to computer material.
Section 2 of the CMA 1990 concerns what?
Unauthorised access with intent to commit or facilitate commission of further offences.
Section 3 of the CMA 1990 concerns what?
Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of computer, etc.
Under the CMA 1990, a person is guilty of an offence under the act if they do what?
A person is guilty of an offence if—
- he causes a computer to perform any function with intent to secure access to any program or data held in any computer
- the access he intends to secure [or to enable to be secured,] is unauthorised
- he knows at the time when he causes the computer to perform the function that that is the case.
Basically, if you know you shouldn’t be accessing the computer, and you perform some action against it in order to secure access to that computer anyway, then you are guilty.
Under the CMA 1990 Section 2, you are guilty under that section if you do what?
Basically, anything that would facilitate an offence under any of the other sections. So if you create software for someone who is creating malware, or if you are performing actions to facilitate the compromise of an organisation (think writing the phishing email, even if you don’t send it).
Under the CMA section 3, you are guilty if you do what?
A person is guilty of an offence if—
- he does any unauthorised act in relation to a computer;
- at the time when he does the act he knows that it is unauthorised
AND
{
you intend to:
- impair the operation of any computer;
- prevent or hinder access to any program or data held in any computer
- impair the operation of any such program or the reliability of any such data
- to enable any of the things mentioned in paragraphs (a) to (c) above to be done
OR
- you are ‘reckless’ as to whether the act will do any of the things mentioned in paragraphs
- reckless means you don’t care; it’s defined through precedent law
}
The Human Rights Act 1998 is based on what EU directive?
European Convention on Human Rights
Which article of the Human Rights Act is most relevant to penetration testing?
Article 8 of the Human Rights Act - Right to respect for private and family life
What impact does Article 8 of the Human Rights Act - Right to respect for private and family life - have on penetration testing activities?
- Don’t compromise personal data unnecessarily
- Don’t store personal data
- Don’t read it either.
Instances where this can happen:
- network sniffing
- sql injection - if you pull an entire table
- IDOR (this actually happened to me, fortunately it was the client and they didn’t mind).
What are the 7 principles of Data protection according to the DPA 2018? Let Porpoises Dive And Swim In Aqueducts
The UK GDPR sets out seven key principles:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability - Specific only to the UK
Describe the data protection act 2018 principle of Lawfulness, fairness and transparency
processed lawfully, fairly and in a transparent manner in relation to individuals
Describe the data protection act 2018 principle of purpose limitation
collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
- processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes does not count
Describe the data protection act 2018 principle of data minimisation
adequate, relevant and limited to what is necessary for the purposes
Describe the data protection act 2018 principle of accuracy
accurate and, where necessary, kept up to date
- anything known to be inaccurate must be deleted as soon as possible
Describe the data protection act 2018 principle of storage limitation
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes agreed upon
- can’t keep it longer than you said you would, or longer than you need it.
Describe the data protection act 2018 principle of integrity and confidentiality
processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
Describe the data protection act 2018 principle of accountability
- specific only to the UK, doesn’t apply to GDPR
- There are two key elements. First, the accountability principle makes it clear that you are responsible for complying with the GDPR. Second, you must be able to demonstrate your compliance.
- this might include assigning a data controller, who in turn can implement other controls and processes to ensure evidence of compliance is available.
What impact does the Police and Justice Act 2006 have on penetration testing?
Made it illegal to perform DOS attacks.
Made it illegal to supply and own hacking tools.
- basically amended the CMA 1990, but didn’t change much about it.
CMA Section 3ZA describes what?
The types of damage considered relevant in the CMA, basically covers health of people, wealth of people/companies, security of nation.
CMA Section 3A describes what?
Making, supplying or obtaining articles for use in an offence under section 1 (Unauthorised access) or 3 (causing damage).
Effectively, if you create something with the understanding that it may be used, or you made it specifically for, committing offences under sections 1 or 3, then you are guilty.
It’s all about the intention of the act: if you intend for it to be used in one of these crimes, you’re guilty.