Lecture 12 Notes Flashcards
Three main categories of laws play a role in our legal system
Criminal Law
Civil Law
Administrative Law
Criminal Law
Criminal law forms the bedrock of a body of laws that keep our society safe
These are the laws that the police and other law enforcement agencies are concerned with
Computer Fraud and Abuse Act
Electronic Communications Privacy Act
Identity Theft and Assumption Deterrence Act
Civil Law
Designed to provide for an orderly society
Law enforcement authorities do not become involved in matters of civil law beyond taking action necessary to restore order
No action is taken until the person who thinks they have been wronged files a civil lawsuit
Civil laws do not use imprisonment as a punishment
Administrative Law
Executive branch agencies have some leeway to enact administrative law, in the form of policies, procedures, and regulations that govern the daily operations of the agency
Administrative law is published in the Code of Federal Regulations (CFR)
Computer Crime: Federal vs. State
Many computer crime laws are defined at the federal level
Computer Fraud and Abuse Act of 1984 (CFAA)
Some of the major provisions of the act are that it is a crime to …
Access classified or financial information in a federal system without authorization or in excess of authorized privileges
Access a computer used exclusively by the federal government without authorization
Use a federal computer to perpetrate a fraud
1994 CFAA amendments
Outlawed the creation of any type of malicious code that might cause damage to a computer system
Modified the CFAA to cover any computer used in interstate transactions rather than just “federal interest” computer systems
Allowed for the imprisonment of offenders, regardless of whether they actually intended to cause damage
Provided legal authority for the victims of computer crime to pursue civil action to gain compensation for damages
Computer Security Act of 1987 (CSA)
Mandates baseline security requirements for all federal agencies
NIST is made responsible for these requirements
Federal Sentencing Guidelines of 1991
Punishment guidelines to help federal judges interpret computer crime laws
The guidelines formalized the prudent man rule, which requires senior executives to take responsibility for ensuring due care
Paperwork Reduction Act of 1995
Requires that agencies obtain Office of Management and Budget (OMB) approval before requesting information from the public
National Information Infrastructure Protection Act of 1996
Broadens CFAA to cover computer systems used in international transactions, and parts of the national infrastructure (railroads, etc.)
Treats any intentional or reckless act as a felony
Government Information Security Reform Act of 2000
To provide a comprehensive framework for establishing effective controls over information resources that support federal operations and assets
To define security management measures that safeguard the highly networked nature of the federal computing environment, including the need for federal government interoperability
To provide government-wide management and oversight of information security risks, including coordination of information security efforts
The act also introduces the notion of mission-critical systems
- A national security system handling classified information
Intellectual Property: Four Types
Copyrights
Trademarks
Patents
Trade Secrets
Copyrights and the DMCA
Copyright law guarantees the creators of original works of authorship protection against unauthorized duplication of their work
- The creator of a work has an automatic copyright from the instant the work is created, even without an official registration
- Computer programs are considered literary works
Copyright law protects only the actual source code, not the ideas or processes behind the software
Digital Millennium Copyright Act (DMCA)
- Prohibits attempts to circumvent copyright protection mechanisms
- Limits the liability of Internet service providers (ISPs) when their facilities are used by criminals violating copyright laws
Trademarks
Slogans and logos used to identify a company and its products/services
Trademarks do not need to be officially registered to gain protection
Patents
Patents protect the intellectual property rights of inventors
They provide a period of 20 years during which the inventor is granted exclusive rights to use the invention (directly or via licensing agreements)
Trade Secrets
Processes or other information that a company wants to keep secret
Economic Espionage Act of 1996
Anyone found guilty of stealing trade secrets from a U.S. corporation with the intention of benefiting a foreign government or agent may be fined up to $500,000 and imprisoned for up to 15 years
Anyone found guilty of stealing trade secrets under other circumstances may be fined up to $250,000 and imprisoned for up to 10 years
Licensing
Contractual license agreements
Utilize a written contract between vendor and customer, outlining the responsibilities of each (used for highly specialized software packages)
Shrink wrap license agreement
Are written on the outside of the software packaging: you acknowledge agreement to the terms of the contract simply by breaking the seal
Click wrap license agreement
During the installation process, you are required to click a button indicating that you have read (and agree to) the terms of the agreement
Import/Export
Currently, U.S. firms can export high-performance computing systems to virtually any country without prior approval
Exceptions exist for Tier 3 and Tier 4 countries
Encryption export controls
Under previous regulations, it was virtually impossible to export even relatively low-grade encryption technology
Firms can now submit their products for review by the Commerce Department, and freely export these products upon successful completion of the review
Privacy
The Constitution’s Bill of Rights does not explicitly provide for a right to privacy
The 4th Amendment to the U.S. Constitution represents the basis for privacy rights
Privacy Act of 1974
Severely limits the ability of federal government agencies to disclose private information to other persons or agencies without the prior written consent of the affected individuals
Electronic Communications Privacy Act of 1986
Makes it a crime to invade the electronic privacy of an individual
Communications Assistance for Law Enforcement Act of 1994
Requires all communications carriers to make wiretaps possible for law enforcement with an appropriate court order
Health Insurance Portability and Accountability Act of 1996
Requires strict security measures for hospitals, physicians, insurance companies, and other organizations that process or store private medical information about individuals
Children’s Online Privacy Protection Act of 1998
Puts a number of restrictions on websites that cater to children or knowingly collect information from children
Identity Theft and Assumption Deterrence Act of 1998
In the past, the only legal victims of identity theft were the creditors who were defrauded
This act makes identity theft a crime against the person whose identity was stolen and provides severe criminal penalties (up to a 15-year prison term and/or a $250,000 fine) for anyone found guilty of violating this law
Gramm-Leach-Bliley Act of 1999
The Gramm-Leach-Bliley Act (GLBA) somewhat relaxed the regulations concerning the services financial institutions could provide and the information they could share with each other
USA PATRIOT Act of 2001
Enacted in response to the September 11, 2001, terrorist attacks
Greatly broadened the powers of law enforcement and intelligence agencies across a number of areas, including monitoring electronic communications
Allows the government to obtain detailed information on user activity from ISPs through the use of a subpoena
Admissible evidence
Must be relevant to determining a fact
The fact that the evidence seeks to determine must be material (that is, related) to the case
Must be competent, meaning it must have been obtained legally
Types of evidence
Real evidence
Consists of items that may actually be brought into a court of law
Documentary evidence
Includes any written items brought into court to prove a fact
Testimonial evidence
Consists of the testimony of a witness
International Organization on Computer Evidence (IOCE)
Outlined 6 principles to guide technicians as they perform media, network, and software analysis in the pursuit of forensic evidence
1. All of the general forensic and procedural principles must be applied
2. Upon seizing digital evidence, actions taken should not alter that evidence
3. When it is necessary for a person to access original digital evidence, that person should be trained for the purpose
4. All activities relating to the seizure, access, storage, or transfer of digital evidence must be fully documented, preserved, and available for review
5. An individual is responsible for all actions taken with respect to digital evidence while the digital evidence is in their possession
6. Any agency that is responsible for seizing, accessing, storing, or transferring digital evidence is responsible for compliance with these principles
Information system security practitioners generally put crimes against or involving computers into different categories
Military and Intelligence Attacks
Launched to gather military information or other sensitive intelligence
Business Attacks
Focus on illegally obtaining an organization’s confidential information
Financial Attacks
Carried out to unlawfully obtain money or “free” services (phone phreaking)
Terrorist Attacks
Aim at disrupting entire systems
Grudge Attacks
Attacks carried out by disgruntled employees
Thrill Attacks
Attacks launched only for the fun of it (script kiddies)
Incident Handling
When an incident occurs, you must handle it in the manner outlined in your security policy and consistent with local laws and regulations
The most common reason incidents are not reported is that they are never identified
Response Teams
When an incident occurs, the response team has four primary responsibilities
- Determine the amount and scope of damage
- Determine whether any confidential information was compromised
- Implement any necessary recovery procedures
- Supervise the implementation of additional security measures necessary to improve security and prevent recurrence of the incident
Incident Response Process
Step 1: Incident Detection and Identification
Identifying incidents and notifying appropriate personnel
To successfully detect and identify incidents, a security team must monitor any relevant events and recognize abnormal or suspicious activity
Step 2: Response and Reporting
The next step is to choose an appropriate response
Your security policy should specify steps to take for various types of incidents
Isolation and containment: limit further damage
Gather evidence: collect/confiscate equipment/data for investigations
Analysis and reporting: determine the most likely course of events
Step 3: Recovery and Remediation
Restoration: remediate any damage and prevent future damage
Lessons learned
Reporting Incidents
Your security policy should contain guidelines to define
- when an incident should be reported
- to whom to report an incident
- the timeline for reporting
Ethics
Security professionals hold themselves and each other to a high standard of conduct because of the sensitive positions of trust they occupy
Codes of ethics are not laws
(ISC)2 Code of Ethics Preamble
The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
Therefore, strict adherence to this Code is a condition of certification.
Code of Ethics Canons
- Protect society, the commonwealth, and the infrastructure
- Act honorably, honestly, justly, responsibly, and legally
- Provide diligent and competent services to principals
- Advance and protect the profession
RFC 1087
Any activity with the following purposes is unacceptable and unethical
- Seeking to gain unauthorized access to the resources of the Internet
- Disrupting the intended use of the Internet
- Wasting resources (people, capacity, computer) through such actions
- Destroying the integrity of computer-based information
- Compromising the privacy of users