Lecture 12 Notes

Question 1

Three main categories of laws play a role in our legal system

Answer 1

Criminal Law
Civil Law
Administrative Law

Question 2

Criminal Law

Answer 2

Criminal law forms the bedrock of a body of laws that keep our society safe

These are the laws that the police and other law enforcement agencies are concerned with

Computer Fraud and Abuse Act
Electronic Communications Privacy Act
Identity Theft and Assumption Deterrence Act

Question 3

Civil Law

Answer 3

designed to provide for an orderly society

Law enforcement authorities do not become involved in matters of civil law beyond taking action necessary to restore order

No action is taken until the person who thinks they have been wronged files a civil lawsuit

Civil laws do not use imprisonment as a punishment

Question 4

Administrative Law

Answer 4

Therefore, executive branch agencies have some leeway to enact administrative law, in the form of policies, procedures, and regulations that govern the daily operations of the agency

Administrative law is published in the Code of Federal Regulations (CFR)

Question 5

Computer Crime Federal vs State

Answer 5

Many computer crime laws are defined at the federal level

Question 6

Computer Fraud and Abuse Act of 1984 (CFAA)

Answer 6

Some of the major provisions of the act are that it is a crime to …
Access classified or financial information in a federal system without authorization or in excess of authorized privileges

Access a computer used exclusively by the federal government without authorization

Use a federal computer to perpetrate a fraud

Question 7

1994 CFAA amendments

Answer 7

Outlawed the creation of any type of malicious code that might cause damage to a computer system

Modified the CFAA to cover any computer used in interstate transactions rather than just “federal interest” computer systems

Allowed for the imprisonment of offenders, regardless of whether they actually intended to cause damage

Provided legal authority for the victims of computer crime to pursue civil action to gain compensation for damages

Question 8

Computer Security Act of 1987 (CSA)

Answer 8

Mandates baseline security requirements for all federal agencies

NIST Responsible

Question 9

Federal Sentencing Guidelines of 1991

Answer 9

Punishment guidelines to help federal judges interpret computer crime laws

The guidelines formalized the prudent man rule, which requires senior executives to take responsibility for ensuring due care

Question 10

Paperwork Reduction Act of 1995

Answer 10

Requires that agencies obtain Office of Management and Budget (OMB) approval before requesting information from the public

Question 11

National Information Infrastructure Protection Act of 1996

Answer 11

Broadens CFAA to cover computer systems used in international transactions, and parts of the national infrastructure (railroads, etc.)

Treats any intentional or reckless act as a felony

Question 12

Government Information Security Reform Act of 2000

Answer 12

To provide a comprehensive framework for establishing effective controls over information resources that support federal operations and assets

To define security management measures that safeguard the highly networked nature of the federal computing environment, including the need for federal government interoperability

To provide government-wide management and oversight of information security risks, including coordination of information security efforts

The act also introduces the notion of mission-critical systems
- A national security system handling classified information

Question 13

Intellectual Property Four Types

Answer 13

Copyrights
Trademarks
Patents
Trade Secrets

Question 14

Copyrights and the DMCA

Answer 14

Copyright law guarantees the creators of original works of authorship protection against unauthorized duplication of their work
-The creator of a work has an automatic copyright from the instant the work is created, even without an official registration
-Computer programs are considered literary works
Copyright law protects only the actual source code, but does not protect the ideas or process behind the software

Digital Millennium Copyright Act (DMCA)

• Prohibits attempts to circumvent copyright protection mechanisms
• Limits the liability of Internet service providers (ISPs) when their facilities are used by criminals violating copyright laws

Question 15

Trademarks

Answer 15

Slogans, and logos used to identify a company and its products/services

do not need to be officially registered to gain protection

Question 16

Patents

Answer 16

Patents protect the intellectual property rights of inventors

They provide a period of 20 years during which the inventor is granted exclusive rights to use the invention (directly or via licensing agreements)

Question 17

Trade Secrets

Answer 17

Processes or other information that a company wants to keep secret

Question 18

Economic Espionage Act of 1996

Answer 18

Anyone found guilty of stealing trade secrets from a U.S. corporation with the intention of benefiting a foreign government or agent may be fined up to $500,000 and imprisoned for up to 15 years

Anyone found guilty of stealing trade secrets under other circumstances may be fined up to $250,000 and imprisoned for up to 10 years

Question 19

Licensing

Answer 19

Contractual license agreements
Utilize a written contract between vendor and customer, outlining the responsibilities of each (used for highly specialized software packages)

Shrink wrap license agreement
Are written on the outside of the software packaging: you acknowledge agreement to the terms of the contract simply by breaking the seal

Click wrap license agreement
During the installation process, you are required to click a button indicating that you have read (and agree to) the terms of the agreement

Question 20

Import/Export

Answer 20

Currently, U.S. firms can export high-performance computing systems to virtually any country without prior approval
Exceptions exist for Tier 3 and Tier 4 countries

Encryption export controls
Under previous regulations, it was virtually impossible to export even relatively low-grade encryption technology
Firms can now submit their products for review by the Commerce Department, and freely export these products upon successful completion of the review

Question 21

Privacy

Answer 21

The Constitution’s Bill of Rights does not explicitly provide for a right to privacy

The 4th Amendment to the U.S. Constitution represents the basis for privacy rights

Question 22

Privacy Act of 1974

Answer 22

Severely limits the ability of federal government agencies to disclose private information to other persons or agencies without the prior written consent of the affected individuals

Question 23

Electronic Communications Privacy Act of 1986

Answer 23

Makes it a crime to invade the electronic privacy of an individual

Question 24

Communications Assistance for Law Enforcement Act of 1994

Answer 24

Requires all communications carriers to make wiretaps possible for law enforcement with an appropriate court order

Question 25

Health Insurance Portability and Accountability Act of 1996

Answer 25

Requires strict security measures for hospitals, physicians, insurance companies, and other organizations that process or store private medical information about individuals

Question 26

Children’s Online Privacy Protection Act of 1998

Answer 26

Puts a number of restrictions on websites that cater to children or knowingly collect information from children

Question 27

Identity Theft and Assumption Deterrence Act of 1998

Answer 27

In the past, the only legal victims of identity theft were the creditors who were defrauded

This act makes identity theft a crime against the person whose identity was stolen and provides severe criminal penalties (up to a 15-year prison term and/or a $250,000 fine) for anyone found guilty of violating this law

Question 28

Gramm-Leach-Bliley Act of 1999

Answer 28

The Gramm-Leach-Bliley Act (GLBA) somewhat relaxed the regulations concerning the services financial institutions could provide and the information they could share with each other

Question 29

USA PATRIOT Act of 2001

Answer 29

Enacted in response to the September 11, 2001, terrorist attacks

Greatly broadened the powers of law enforcement and intelligence agencies across a number of areas, including monitoring electronic communications

Allows the government to obtain detailed information on user activity from ISPs through the use of a subpoena

Question 30

Admissible evidence

Answer 30

Must be relevant to determining a fact

The fact that the evidence seeks to determine must be material (that is, related) to the case

Must be competent, meaning it must have been obtained legally

Question 31

Types of evidence

Answer 31

Real evidence
Consists of items that may actually be brought into a court of law

Documentary evidence
Includes any written items brought into court to prove a fact

Testimonial evidence
Consists of the testimony of a witness

Question 32

International Organization on Computer Evidence (IOCE)

Answer 32

outlined 6 principles to guide technicians as they perform media, network, and software analysis in the pursuit of forensic evidence
1 All of the general forensic and procedural principles must be applied
2 Upon seizing digital evidence, actions taken should not alter that evidence
3 When it is necessary for a person to access original digital evidence, that person should be trained for the purpose
4 All activities relating to the seizure, access, storage, or transfer of digital evidence must be fully documented, preserved, and available for review
5 An individual is responsible for all actions taken with respect to digital evidence while the digital evidence is in their possession
6 Any agency that is responsible for seizing, accessing, storing, or transferring digital evidence is responsible for compliance with these principles

Question 33

Information system security practitioners generally put crimes against or involving computers into different categories

Answer 33

Military and Intelligence Attacks
Launched to gather military information or other sensitive intelligence

Business Attacks
Focus on illegally obtaining an organization’s confidential information

Financial Attacks
Carried out to unlawfully obtain money or “free” services (phone phreaking)

Terrorist Attacks
Aim at disrupting entire systems

Grudge Attacks
Attacks carried out by disgruntled employees

Thrill Attacks
Attacks launched only for the fun of it (script kiddies)

Question 34

Incident Handling

Answer 34

When an incident occurs, you must handle it in a manner that is outlined in your security policy and consistent with local laws / regulations

The most common reason incidents are not reported is that they are never identified

Question 35

Response Teams

Answer 35

When an incident occurs, the response team has four primary responsibilities

• Determine the amount and scope of damage
• Determine whether any confidential information was compromised
• Implement any necessary recovery procedures
• Supervise the implementation of additional security measures necessary to improve security and prevent recurrence of the incident

Question 36

Incident Response Process

Answer 36

Step 1: Incident Detection and Identification
Identifying incidents and notifying appropriate personnel
To successfully detect and identify incidents, a security team must monitor any relevant events and recognize abnormal or suspicious activity

Step 2: Response and Reporting
The next step is to choose an appropriate response
Your security policy should specify steps to take for various types of incidents
Isolation and containment: limit further damage
Gather evidence: collect/confiscate equipment/data for investigations
Analysis and reporting: determine the most likely course of events

Step 3: Recovery and Remediation
Restoration: remediate any damage and prevent future damage
Lessons learned

Question 37

Reporting Incidents

Answer 37

Your security policy should contain guidelines to define

• when an incident should be reported
• to whom to report an incident
• the timeline for reporting

Question 38

Ethics

Answer 38

Security professionals hold themselves and each other to a high standard of conduct because of the sensitive positions of trust they occupy

Codes of ethics are not laws

Question 39

(ISC)2 Code of Ethics Preamble

Answer 39

The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.

Therefore, strict adherence to this Code is a condition of certification.

Question 40

Code of Ethics Canons

Answer 40

• Protect society, the commonwealth, and the infrastructure
• Act honorably, honestly, justly, responsibly, and legally
• Provide diligent and competent services to principals
• Advance and protect the profession

Question 41

RFC 1087

Answer 41

any activity with the following purposes is unacceptable and unethical

• Seeking to gain unauthorized access to the resources of the Internet
• Disrupting the intended use of the Internet
• Wasting resources (people, capacity, computer) through such actions
• Destroying the integrity of computer-based information
• Compromising the privacy of users