Lecture 12 Notes Flashcards

1
Q

Three main categories of laws play a role in our legal system

A

Criminal Law
Civil Law
Administrative Law

2
Q

Criminal Law

A

Criminal law forms the bedrock of a body of laws that keep our society safe

These are the laws that the police and other law enforcement agencies are concerned with

Computer Fraud and Abuse Act
Electronic Communications Privacy Act
Identity Theft and Assumption Deterrence Act

3
Q

Civil Law

A

designed to provide for an orderly society

Law enforcement authorities do not become involved in matters of civil law beyond taking action necessary to restore order

No action is taken until the person who thinks they have been wronged files a civil lawsuit

Civil laws do not use imprisonment as a punishment

4
Q

Administrative Law

A

Executive branch agencies have some leeway to enact administrative law, in the form of policies, procedures, and regulations that govern the daily operations of the agency

Administrative law is published in the Code of Federal Regulations (CFR)

5
Q

Computer Crime Federal vs State

A

Many computer crime laws are defined at the federal level

6
Q

Computer Fraud and Abuse Act (CFAA), first enacted in 1984 and substantially expanded in 1986

A

Some of the major provisions of the act are that it is a crime to …
Access classified or financial information in a federal system without authorization or in excess of authorized privileges

Access a computer used exclusively by the federal government without authorization

Use a federal computer to perpetrate a fraud

7
Q

1994 CFAA amendments

A

Outlawed the creation of any type of malicious code that might cause damage to a computer system

Modified the CFAA to cover any computer used in interstate transactions rather than just “federal interest” computer systems

Allowed for the imprisonment of offenders, regardless of whether they actually intended to cause damage

Provided legal authority for the victims of computer crime to pursue civil action to gain compensation for damages

8
Q

Computer Security Act of 1987 (CSA)

A

Mandates baseline security requirements for all federal agencies

Assigns NIST responsibility for developing security standards and guidelines for unclassified (but sensitive) federal systems; classified systems remain with the NSA

9
Q

Federal Sentencing Guidelines of 1991

A

Punishment guidelines to help federal judges interpret computer crime laws

The guidelines formalized the prudent man rule, which requires senior executives to take responsibility for ensuring due care

10
Q

Paperwork Reduction Act of 1995

A

Requires that agencies obtain Office of Management and Budget (OMB) approval before requesting information from the public

11
Q

National Information Infrastructure Protection Act of 1996

A

Broadens the CFAA to cover computer systems used in international (not just interstate) commerce, and extends similar protection to other parts of the national infrastructure (railroads, pipelines, power grids, etc.)

Treats any intentional or reckless act that causes damage to critical portions of the national infrastructure as a felony

12
Q

Government Information Security Reform Act of 2000

A

To provide a comprehensive framework for establishing effective controls over information resources that support federal operations and assets

To define security management measures that safeguard the highly networked nature of the federal computing environment, including the need for federal government interoperability

To provide government-wide management and oversight of information security risks, including coordination of information security efforts

The act also introduces the notion of mission-critical systems, for example a national security system that handles classified information

13
Q

Intellectual Property Four Types

A

Copyrights
Trademarks
Patents
Trade Secrets

14
Q

Copyrights and the DMCA

A

Copyright law guarantees the creators of original works of authorship protection against unauthorized duplication of their work
-The creator of a work has an automatic copyright from the instant the work is created, even without an official registration
-Computer programs are considered literary works
Copyright law protects only the actual source code, but does not protect the ideas or process behind the software

Digital Millennium Copyright Act (DMCA)

  • Prohibits attempts to circumvent copyright protection mechanisms
  • Limits the liability of Internet service providers (ISPs) when their facilities are used by criminals violating copyright laws
15
Q

Trademarks

A

Words, slogans, and logos used to identify a company and its products or services

Trademarks do not need to be officially registered to gain protection

16
Q

Patents

A

Patents protect the intellectual property rights of inventors

They provide a period of 20 years during which the inventor is granted exclusive rights to use the invention (directly or via licensing agreements)

17
Q

Trade Secrets

A

Processes or other information that a company wants to keep secret

18
Q

Economic Espionage Act of 1996

A

Anyone found guilty of stealing trade secrets from a U.S. corporation with the intention of benefiting a foreign government or agent may be fined up to $500,000 and imprisoned for up to 15 years

Anyone found guilty of stealing trade secrets under other circumstances may be fined up to $250,000 and imprisoned for up to 10 years

19
Q

Licensing

A

Contractual license agreements
Use a written contract between vendor and customer, outlining the responsibilities of each (used for highly specialized software packages)

Shrink wrap license agreement
Are written on the outside of the software packaging: you acknowledge agreement to the terms of the contract simply by breaking the seal

Click wrap license agreement
During the installation process, you are required to click a button indicating that you have read (and agree to) the terms of the agreement

20
Q

Import/Export

A

Currently, U.S. firms can export high-performance computing systems to virtually any country without prior approval
Exceptions exist for Tier 3 and Tier 4 countries

Encryption export controls
Under previous regulations, it was virtually impossible to export even relatively low-grade encryption technology
Firms can now submit their products for review by the Commerce Department, and freely export these products upon successful completion of the review

21
Q

Privacy

A

The Constitution’s Bill of Rights does not explicitly provide for a right to privacy

The 4th Amendment to the U.S. Constitution represents the basis for privacy rights

22
Q

Privacy Act of 1974

A

Severely limits the ability of federal government agencies to disclose private information to other persons or agencies without the prior written consent of the affected individuals

23
Q

Electronic Communications Privacy Act of 1986

A

Makes it a crime to invade the electronic privacy of an individual

24
Q

Communications Assistance for Law Enforcement Act of 1994

A

Requires all communications carriers to make wiretaps possible for law enforcement with an appropriate court order

25
Q

Health Insurance Portability and Accountability Act of 1996

A

Requires strict security measures for hospitals, physicians, insurance companies, and other organizations that process or store private medical information about individuals

26
Q

Children’s Online Privacy Protection Act of 1998

A

Puts a number of restrictions on websites that cater to children or knowingly collect information from children

27
Q

Identity Theft and Assumption Deterrence Act of 1998

A

In the past, the only legal victims of identity theft were the creditors who were defrauded

This act makes identity theft a crime against the person whose identity was stolen and provides severe criminal penalties (up to a 15-year prison term and/or a $250,000 fine) for anyone found guilty of violating this law

28
Q

Gramm-Leach-Bliley Act of 1999

A

The Gramm-Leach-Bliley Act (GLBA) somewhat relaxed the regulations concerning the services financial institutions could provide and the information they could share with each other

29
Q

USA PATRIOT Act of 2001

A

Enacted in response to the September 11, 2001, terrorist attacks

Greatly broadened the powers of law enforcement and intelligence agencies across a number of areas, including monitoring electronic communications

Allows the government to obtain detailed information on user activity from ISPs through the use of a subpoena

30
Q

Admissible evidence

A

Must be relevant to determining a fact

The fact that the evidence seeks to determine must be material (that is, related) to the case

Must be competent, meaning it must have been obtained legally

31
Q

Types of evidence

A

Real evidence
Consists of items that may actually be brought into a court of law

Documentary evidence
Includes any written items brought into court to prove a fact

Testimonial evidence
Consists of the testimony of a witness

32
Q

International Organization on Computer Evidence (IOCE)

A

outlined 6 principles to guide technicians as they perform media, network, and software analysis in the pursuit of forensic evidence
1 All of the general forensic and procedural principles must be applied
2 Upon seizing digital evidence, actions taken should not alter that evidence
3 When it is necessary for a person to access original digital evidence, that person should be trained for the purpose
4 All activities relating to the seizure, access, storage, or transfer of digital evidence must be fully documented, preserved, and available for review
5 An individual is responsible for all actions taken with respect to digital evidence while the digital evidence is in their possession
6 Any agency that is responsible for seizing, accessing, storing, or transferring digital evidence is responsible for compliance with these principles
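Principles 2, 4 and 5 above (do not alter seized evidence; document every access, storage and transfer; one person accountable while it is in their possession) are usually enforced in practice with an acquisition hash and a chain-of-custody log. The following is an added example, not part of the original notes or any IOCE material: the "disk image" is a constructed byte string, the examiner names and device description are placeholders, and the log format is an assumption (real tooling records more, such as the write-blocker used and the hash algorithm in the exhibit label).

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for a seized disk image (not a real image).
EVIDENCE_IMAGE = b"\x00" * 512 + b"NTFS    " + b"\x00" * 504


def hash_evidence(data: bytes) -> str:
    """Acquisition hash: the reference value every later access is checked against."""
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Chain-of-custody record for one exhibit.

    Every access, transfer or storage event is logged with who did it, when,
    and the hash observed at that moment, so an alteration is attributable to
    the custodian on record at the time (IOCE principles 4 and 5).
    """

    def __init__(self, exhibit: str, examiner: str, data: bytes):
        self.exhibit = exhibit
        self.reference_hash = hash_evidence(data)
        self.entries = []
        self._append("acquired", examiner, "imaged via write-blocker (assumed)",
                     self.reference_hash, True)

    def _append(self, action, who, detail, observed_hash, intact):
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "who": who,
            "detail": detail,
            "sha256": observed_hash,
            "intact": intact,
        })

    def access(self, action: str, who: str, detail: str, data: bytes) -> bool:
        """Re-hash the evidence on every access and log whether it still matches.

        Returns True when the evidence is unchanged since acquisition. A False
        result is logged rather than hidden: the record must show the alteration
        and the custodian at the time (principle 2 was violated somewhere).
        """
        observed = hash_evidence(data)
        intact = observed == self.reference_hash
        self._append(action, who, detail, observed, intact)
        return intact

    def export(self) -> str:
        """Serialise the log for review alongside the exhibit (principle 4)."""
        return json.dumps({
            "exhibit": self.exhibit,
            "reference_sha256": self.reference_hash,
            "entries": self.entries,
        }, indent=2)


def demo():
    # Placeholder names; in practice these come from the seizure paperwork.
    log = CustodyLog("EX-01 laptop HDD (placeholder)", "examiner A", EVIDENCE_IMAGE)

    # Transfer to the lab: hash matches, logged as intact.
    log.access("transfer", "examiner B", "received from examiner A", EVIDENCE_IMAGE)

    # Analysis is done on a working copy; flipping a byte in it is detected.
    working_copy = bytearray(EVIDENCE_IMAGE)
    working_copy[600] ^= 0xFF
    log.access("analysis", "examiner B", "working copy mounted", bytes(working_copy))
    return log


if __name__ == "__main__":
    print(demo().export())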

33
Q

Information system security practitioners generally put crimes against or involving computers into different categories

A

Military and Intelligence Attacks
Launched to gather military information or other sensitive intelligence

Business Attacks
Focus on illegally obtaining an organization’s confidential information

Financial Attacks
Carried out to unlawfully obtain money or “free” services (phone phreaking)

Terrorist Attacks
Aim at disrupting entire systems

Grudge Attacks
Attacks carried out by disgruntled employees

Thrill Attacks
Attacks launched only for the fun of it (script kiddies)

34
Q

Incident Handling

A

When an incident occurs, you must handle it in a manner that is outlined in your security policy and consistent with local laws / regulations

The most common reason incidents are not reported is that they are never identified

35
Q

Response Teams

A

When an incident occurs, the response team has four primary responsibilities

  • Determine the amount and scope of damage
  • Determine whether any confidential information was compromised
  • Implement any necessary recovery procedures
  • Supervise the implementation of additional security measures necessary to improve security and prevent recurrence of the incident
36
Q

Incident Response Process

A

Step 1: Incident Detection and Identification
Identifying incidents and notifying appropriate personnel
To successfully detect and identify incidents, a security team must monitor any relevant events and recognize abnormal or suspicious activity

Step 2: Response and Reporting
The next step is to choose an appropriate response
Your security policy should specify steps to take for various types of incidents
Isolation and containment: limit further damage
Gather evidence: collect/confiscate equipment/data for investigations
Analysis and reporting: determine the most likely course of events

Step 3: Recovery and Remediation
Restoration: remediate any damage and prevent future damage
Lessons learned
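Step 1 ("monitor any relevant events and recognize abnormal or suspicious activity") and the containment part of Step 2 are easier to see with a concrete detector. The following is an added example, not from the original notes: it runs over constructed sshd-style log lines (the IPs are documentation ranges, not real hosts), flags a source that fails five logins inside sixty seconds as a brute-force attempt, and escalates when the same source then succeeds, since that is the case where isolation and containment cannot wait. The threshold, window and recommended actions are assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the style of an sshd auth log (not from a real host).
SAMPLE_LOG = """\
2024-03-01T10:00:01Z sshd[311]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
2024-03-01T10:00:03Z sshd[311]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
2024-03-01T10:00:04Z sshd[311]: Failed password for root from 203.0.113.7 port 51124 ssh2
2024-03-01T10:00:06Z sshd[311]: Failed password for root from 203.0.113.7 port 51125 ssh2
2024-03-01T10:00:07Z sshd[311]: Failed password for root from 203.0.113.7 port 51126 ssh2
2024-03-01T10:00:09Z sshd[311]: Accepted password for root from 203.0.113.7 port 51127 ssh2
2024-03-01T10:05:00Z sshd[312]: Failed password for alice from 198.51.100.4 port 40000 ssh2
2024-03-01T10:30:00Z sshd[313]: Accepted publickey for alice from 198.51.100.4 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line):
    """Return (timestamp, result, user, source_ip), or None for lines we do not model."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["result"], m["user"], m["ip"]


def detect_incidents(lines, threshold=5, window=timedelta(seconds=60)):
    """Step 1: turn raw events into incident records that Step 2 can act on.

    A source with `threshold` failed logins inside `window` opens a
    brute-force incident. A later successful login from that source is
    escalated to high severity with a containment action, because the
    attacker may now hold a valid session (assumed severity scheme).
    """
    recent = defaultdict(deque)   # source ip -> timestamps of failures in window
    users = defaultdict(set)      # source ip -> accounts targeted
    incidents = {}                # source ip -> open incident record
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        users[ip].add(user)
        inc = incidents.get(ip)
        if result == "Failed":
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:          # drop failures outside the window
                q.popleft()
            if inc is None and len(q) >= threshold:
                incidents[ip] = {
                    "source": ip,
                    "type": "brute_force",
                    "severity": "medium",
                    "first_seen": q[0].isoformat(),
                    "last_seen": ts.isoformat(),
                    "failures": len(q),
                    "action": "block source at perimeter; notify on-call",
                }
            elif inc is not None:
                inc["last_seen"] = ts.isoformat()
                inc["failures"] += 1
        elif inc is not None:                  # "Accepted" from a flagged source
            inc["type"] = "brute_force_success"
            inc["severity"] = "high"
            inc["last_seen"] = ts.isoformat()
            inc["action"] = "isolate host; disable account; preserve logs as evidence"
    # Attach the targeted accounts so the report shows scope (Step 2: analysis).
    report = []
    for ip, inc in incidents.items():
        inc["users"] = sorted(users[ip])
        report.append(inc)
    return report


if __name__ == "__main__":
    for inc in detect_incidents(SAMPLE_LOG.splitlines()):
        print(inc)
```

The single failed login from the second source never reaches the threshold and produces no incident, which is the "recognize abnormal activity" half of Step 1: a detector that alerts on every failure is ignored, and ignored alerts are how incidents go unidentified. The record carries first/last seen, scope and a recommended action so that the reporting guidelines (when, to whom, timeline) can be applied to it directly.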

37
Q

Reporting Incidents

A

Your security policy should contain guidelines to define

  • when an incident should be reported
  • to whom to report an incident
  • the timeline for reporting
38
Q

Ethics

A

Security professionals hold themselves and each other to a high standard of conduct because of the sensitive positions of trust they occupy

Codes of ethics are not laws

39
Q

(ISC)2 Code of Ethics Preamble

A

The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.

Therefore, strict adherence to this Code is a condition of certification.

40
Q

Code of Ethics Canons

A
  • Protect society, the commonwealth, and the infrastructure
  • Act honorably, honestly, justly, responsibly, and legally
  • Provide diligent and competent services to principals
  • Advance and protect the profession
41
Q

RFC 1087

A

any activity with the following purposes is unacceptable and unethical

  • Seeking to gain unauthorized access to the resources of the Internet
  • Disrupting the intended use of the Internet
  • Wasting resources (people, capacity, computer) through such actions
  • Destroying the integrity of computer-based information
  • Compromising the privacy of users