Leg, Inv and Comp

Question 1

What are the three major categories of law in the US

Answer 1

Civil, criminal and adminstrative

Question 2

Under criminal law, what does burden of proof mean?

Answer 2

Judge or jury must believe beyond a reasonable doubt that the defendant is guilty.

Question 3

Classifications in criminal law are split into two categories. What are they?

Answer 3

Felony and misdemeanour

Question 4

Civil Penalties do not provide a jail term, and instead provide financial restitution to the victim. True or False?

Answer 4

True

Question 5

What three types of civil penalties are there?

Answer 5

Compensatory (damages, legal fees, lost profits)
Punitive (punish the offender)
Statutory (violating the law)

Question 6

Under civil law, what does burden of proof mean?

Answer 6

Judge or Jury believes they are guilty based on evidence

Question 7

Liability and due care relate to civil law and which other type?

Answer 7

Administrative

Question 8

If the cost of implementing a safeguard is less than the cost of the estimated loss, could an organisation be held liable?

Answer 8

Yes

Question 9

What does proximate causation mean?

Answer 9

An action taken or not taken was part of a sequence of events that resulted in negative consequences.

Question 10

Which rule requires an individual to perform the following duties?

• In good faith
• In the best interests of the enterprise
• With the care and diligence that ordinary, prudent people in a similar position would exercise under similar circumstances

Answer 10

The Prudent Man Rule

Question 11

In information security the steps that an individual or organisations take to perform their duties and implement information security best practices are otherwise known as what?

Answer 11

Due care

Question 12

in the context of information security, research into risk identification and risk management can otherwise be known as what?

Answer 12

Due diligence

Question 13

What term is used to describe an organisation that fails to follow a standard of due care in the protection of its assets

Answer 13

Culpable Negligence

Question 14

Which type of law defines standards of performance and conduct for major industries, organisations and officials?

Answer 14

Administrative (Regulatory)

Question 15

What is a mixed law system otherwise known as, ie religious and civil for example?

Answer 15

Pluralistic

Question 16

A novice or less experienced hacker can otherwise be known as what?

Answer 16

Script Kiddie

Question 17

An ideological attack is commonly known by which term?

Answer 17

Hactivism

Question 18

Intellectual Property is protected under US law under which 4 classifications?

Answer 18

Trade Secrets
Copyright
Patents
Trademarks

Question 19

International protection for patents is otherwise known as?

Answer 19

The Patent Cooperation Treaty

Question 20

A newly granted patent is valid for how many years?

Answer 20

20

Question 21

The grant of a property right to an inventor is otherwise known as what?

Answer 21

Patent

Question 22

A word, name, symbol or device is commonly protected by what?

Answer 22

Trademark

Question 23

In the US which Act is used to protect trademarks?

Answer 23

The Trademark Law Treaty Implementation Act

Question 24

What term is used to protect authors of “original works of authorship” whether published or not?

Answer 24

Copyright

Question 25

Object code or documentation would commonly be protect by what?

Answer 25

Copyright

Question 26

Traditionally how long does a copyright of works last for?

Answer 26

An authors lifetime plus 70 years

Question 27

In the US which Act is used to protect copyright?

Answer 27

The Copyright Act 1976

Question 28

Proprietary or business related information that a company or individual uses and has exclusive rights to is commonly known as what?

Answer 28

Trade Secret

Question 29

The following are requirements of which type of intellectual property?

• must be genuine and not obvious
• must provide the owner a competitive or economic advantage
• must be reasonably protect from disclosure

Answer 29

Trade Secret

Question 30

The EU Privacy Rules define what requirements? 7 in total

Answer 30

• collected lawfully and fairly
• used for original purpose that it was collected for and for a reasonable period only
• must be accurate and up to date
• must be accessible to individuals whom data it is
• individuals have the right to correct their data
• cannot be disclosed to third parties unless required by law or consent granted by individual
• transmission of personal data to locations where the location does not have equivalent privacy laws is prohibited

Question 31

The US Federal Privacy Act 1974 is used to protect what?

Answer 31

records and information maintained by US government agencies about US citizens and lawful permanent residents

Question 32

The US Federal Privacy Act 1974 has which requirements? 3

Answer 32

• no agency may disclose information about an individual, unless written request received by individual
• provisions for individual access to their information
• provisions for amendments of that information by the individual concerned

Question 33

The US Health Insurance Portability and Accountability Act 1996 (HIPAA) is used to protect what?

Answer 33

individually identifiable health information

Question 34

Which 3 organisations must comply with HIPAA?

Answer 34

Health Insurers (Payers)
Health Providers (Hospitals)
Healthcare clearinghouses (public or private entity that facilitates or processes non-standard data elements of health information into standard data elements), e.g. data warehouse.

Question 35

The following are provisions of which law?

• broadens the scope of HIPAA compliance to include additional third parties such as pharmacies, claims processing/billing companies, persons performing legal/accounting/admin work.
• promotes the adoption of electronic health records
• notification when the security/privacy of unsecured electronic healthcare information has been breached.
• issuance of technical guidance on the technologies/methodologies used to render electronic information unusable in the event that it’s breached.

Answer 35

HITECH - US Health Information Technology for Economic and Clinical Health Act 2009

Question 36

regarding HITECH, what are the two notification requirements depending on amount of data breached?

Answer 36

• if over 500, breach must be reported to HHS, media outlets and individuals affected.
• if less than 500, breach must be reported to HHS secretary annually and to individuals affected.

Question 37

Which Act requires financial institutions to protect their customers personal identifiable information?

Answer 37

US Gramm-Leach-Bliley Financial Services Modernization Act PL 106-102 (GLBA)

Question 38

What are the 3 rules of GLBA?

Answer 38

• Financial Privacy Rule
• Safeguard Rule
• Pretexting Protection

Question 39

What is the financial privacy rule in relation to GLBA?

Answer 39

Requires each financial institution to provide information to each customer regarding the protection of each customers personal information

Question 40

What is the safeguard rule in relation to GLBA?

Answer 40

Requires each financial institution to develop a formal written security plan

Question 41

What is Pretexting Protection in relation to GLBA?

Answer 41

Requires each financial institution to take precautions to prevent attempts by social engineers to acquire private customer information

Question 42

What are the 8 principles of the data protection act?

Answer 42

• Information process fairly and lawfully
• obtained for one or more specified and lawful purposes and not processed other than for the original reason for which it was obtained
• personal data shall be adequate, relevant and not excessive in relation to the purpose for which it is processed
• Shall be accurate and up to date where necessary
• shall not be kept longer than necessary, ie purpose for which it was originally obtained
• shall be processed in accordance with the rights of the data subject
• appropriate technical/organisational measures taken to protect information
• Shall not be transferred to a country/territory outside the European Economic Area, unless they have equivalent privacy rights in place

Question 43

What are the 6 principles of PCI-DSS

Answer 43

1. Build and maintain a secure network
2. Protect cardholder data
3. Maintain a vulnerability management program
4. Implement strong access control measures
5. Regular monitor and test networks
6. Maintain an information security policy

Question 44

What are the two requirements of PCI-DSS Principle 1: Build and maintain a secure network?

Answer 44

1. Install and maintain a firewall configuration to protect cardholder data.
2. Don’t use vendor supplied defaults for system password or other security parameters

Question 45

What are the two requirements of PCI-DSS Principle 2: Protect Cardholder data?

Answer 45

1. Protect stored cardholder data

2. Encrypt transmission of cardholder data across open/public networks.

Question 46

What are the two requirements of PCI-DSS Principle 3: Maintain a vulnerability management program?

Answer 46

1. use and reguarly update Anti-virus software

2. Develop and maintain secure systems and applications

Question 47

What are the three requirements of PCI-DSS Principle 4: Implement strong access control measures?

Answer 47

1. restrict access to cardholder data by business need to know
2. assign a unique ID to each person that has computer access
3. restrict physical access to cardholder data

Question 48

What are the two requirements of PCI-DSS Principle 5: Reguarly monitor and test networks?

Answer 48

1. Track and monitor all access to network resources and cardholder data
2. reguarly test security systems and processes

Question 49

What is the one requirement of PCI-DSS Principle 6: Maintain an information security policy?

Answer 49

1. maintain a policy that addresses information security

Question 50

What is the main disclosure Act called in the US? (not currently legal)

Answer 50

Data Accountability and Trust Act (DATA)

Question 51

Which Act covers the following 3 areas?

• classified national defence or foreign relation information
• records of financial institutions or credit reporting agencies
• government computers

Answer 51

The US Computer Fraud and Abuse Act 1986

Question 52

What are the three offences established by the US Computer Fraud and Abuse Act 1986?

Answer 52

• Unauthorised access to a federal computer for purposes of fraud (felony)
• Altering, damaging or destroying information on a federal interest computer (felony)
• trafficking in computer passwords or similar information (Misdemeanour)

Question 53

A “protected” computer is otherwise known as what in the Computer Fraud and Abuse Act 1986?

Answer 53

Federal

Question 54

Amendments to the Computer Fraud and Abuse Act 1986 include what 5 provisions in relation to computer crime?

Answer 54

• Unauthorised access to a computer that results in disclosure of US defence information.
• unauthorised access to a “protected computer”
• unauthorised access to a “protected” computer that affects use of that computer
• unauthorised access to a “protected” computer causing damage or intentionally transmitting malicious code that causes damage to a “protected” computer
• transmission of interstate or foreign commerce communication threatening to cause damage to a “protected” computer.

Question 55

What is the main computer crime act in the US?

Answer 55

The Computer Fraud and Abuse Act 1986

Question 56

In the US which Act provides the legal basis for network monitoring?

Answer 56

The US Electronic Communications Privacy Act 1986 (ECPA)

Question 57

Which Act provides the following:

• requires federal agencies to take extra measures to prevent unauthorised access to computers containing sensitive information
• identify and develop security plans for sensitive systems
• security-related awareness training for employees
• assigns formal government responsibility to NIST (National Institute of Standards and Technology) for computer security standards.
• assigns cryptography to the National Security Agency (NSA) for classified government/military systems

Answer 57

US Computer Security Act 1987

Question 58

The US Federal Sentencing Guidelines 1991 provides which 3 things?

Answer 58

• written standards of conduct for organisations
• relief in sentencing for organisations that have demonstrated due diligence
• responsibility for due care on senior management

Question 59

The US Economic Espionage Act 1996 provides what main thing?

Answer 59

industrial espionage, ie trade secrets from other organisations

Question 60

Which act in the US targets Child pornography?

Answer 60

US Child Pornography Prevention Act 1996

Question 61

The USA Patriot Act 2001 stands for what?

Answer 61

Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act 2001

Question 62

Sections of relevance in the USA PATRIOT Act 2001

Answer 62

• Authority to intercept wire, oral and electronic communications relating to computer fraud and abuse offences
• Seizure of voicemail messages pursuant to warrants
• Scope of subpoenas for records of electronic communication
• Clarification of scope
• Emergency disclosure of electronic communication to protect life or limb
• Pen Register and Trap and Trace Authority under FISA (Foreign Intelligence Surveillance Act)
• Interception of Computer Trespasser Communications
• Nationwide service of search warrants for electronic evidence
• Deterrence and prevention of cyber-terrorism
• Additional defence to civil actions relating to preserving records in response to government requests
• development and support of cyber-security forensic capabilities

Question 63

What is a pen/trap device?

Answer 63

pen register shows outgoing number called from a phone and a trap and trace device that shows incoming numbers to that phone.

Question 64

Which act was introduced to create and strengthen existing standards for public corporations and public accounting firms including auditing, governance and financial disclosures?

Answer 64

The US Sarbanes-Oxley Act of 2002

Question 65

What does the US CAN-SPAM Act 2003 (Controlling the Assault of Non-solicited Pornography and Marketing) provide?

Answer 65

Establishes standards for sending commercial email messages

Question 66

Directive 95/46/EC on the protection of personal data (1995 EU) states what?

Answer 66

that personal data should not be processed at all unless certain conditions have been met. (relates to European citizens)

Question 67

Which Act permits US based organisations to certify themselves as properly handling private data belonging to European citizens?

Answer 67

Safe Harbour Act 1998

Question 68

What is the purpose of the Council of Europe’s Convention on Cybercrime (2001)?

Answer 68

requires criminal laws to be established in signatory nations for computer hacking activities, child pornography and intellectual property violations. also attempts to improve international cooperation with respect to monitoring, investigations and prosecutions

Question 69

What are the three offences relating to computer crime in the Computer Misuse Act 1990? UK (known as cybercrime act 2001 in Australia)

Answer 69

• unauthorised access whether successful or unsuccessful
• unauthorised modification
• hindering authorised access (Denial of Service)

Question 70

Most evidence gathered in a computer crime case is generally categorised as what?

• Direct evidence
• Real evidence
• Documentary evidence
• Demonstrative evidence

Answer 70

• Documentary evidence

Question 71

What is original, unaltered evidence defined as?
Best
Secondary
Corroborative
Conclusive
Circumstantial

Answer 71

Best

Question 72

What would a duplicate or copy of evidence such as tape backup, screen capture or photograph be defined as?
Best
Secondary
Corroborative
Conclusive
Circumstantial

Answer 72

Secondary

Question 73

What type of evidence supports or substantiates other evidence presented in a case?
Best
Secondary
Corroborative
Conclusive
Circumstantial

Answer 73

Corroborative

Question 74

What type of evidence would be defined as irrefutable?
Best
Secondary
Corroborative
Conclusive
Circumstantial

Answer 74

Conclusive

Question 75

What type of evidence would you associate relevant facts that you can't directly or conclusively connect to other events be commonly known as?
Best
Secondary
Corroborative
Conclusive
Circumstantial

Answer 75

Circumstantial

Question 76

Can data that’s extracted from a computer be considered best evidence?

Answer 76

Yes, if it is a fair and accurate representation of the original data.

Question 77

What type of rule defines evidence that is not based on personal, first-hand knowledge of a witness, but rather comes from other sources?

Answer 77

Hearsay rule

Question 78

Do some courts consider a computer stored record containing a human statement as hearsay evidence?

Answer 78

Yes

Question 79

Do some courts consider computer generated records untouched by humans as hearsay evidence?

Answer 79

No

Question 80

What is the common applied test of admissibility for computer records called?

Answer 80

business records exception

Question 81

What are the 5 criteria for business records exception?

Answer 81

• made at or near the time the event occurred
• made by or transmitted by a person who has knowledge of the business process
• made and relied on during regular conduct of the business
• kept for motives that tend to assure their accuracy
• in the custody of the witness on a regular basis

Question 82

what is the difference between entrapment and enticement?

Answer 82

entrapment encourages someone to commit a crime whereas enticement lures someone towards some evidence after the crime has already occurred (honey pot)

Question 83

What are the 5 stages of the evidence life-cycle?

Answer 83

1. Collection and identification
2. Analysis
3. Storage, preservation and transportation
4. Presentation in court
5. Return to victim (owner)

Question 84

What are the 4 circumstances in which law enforcement agencies can seize computer’s or electronic evidence?

Answer 84

1. Voluntary or consensual
2. Subpoena
3. Search Warrant or Writ of possession
4. Exigent circumstances

Question 85

What is the difference between a subpoena and a search warrant?

Answer 85

Subpoena issued to individual and search warrant issued to law enforcement agency

Question 86

What are exigent circumstances?

Answer 86

If probable cause exists and the destruction of evidence is imminent, that evidence may be searched or seized without a warrant

Question 87

When recording information in an evidence log, what 3 things must be captured?

Answer 87

Description of evidence
Name of person that has collect evidence
date, time, location and circumstances

Question 88

What 4 areas are mentioned in the guidelines for how information should be marked?

Answer 88

• Mark the evidence
• or use an evidence tag
• seal the evidence
• protect the evidence

Question 89

What is a MOM test in relation to conducting investigations?

Answer 89

Did the suspect have the Motive, Opportunity and Means.

Question 90

What are the 6 steps of incident response?

Answer 90

1. Determine whether a security incident has occurred
2. Notify the appropriate people about the incident
3. Contain the incident (or damage)
4. Assess the damage
5. Recover normal operations
6. Evaluate incident response effectiveness

Question 91

What is the difference between an investigation and incident response?

Answer 91

Investigation involves the gathering of evidence for possible prosecution. incident response focuses on containing the damage and resuming normal operations

Question 92

What is the computer game fallacy?

Answer 92

any computer, system or network that is not properly protected is fair game.

Question 93

what is the law abiding citizen fallacy?

Answer 93

if no physical theft is involved, an activity isn’t really stealing

Question 94

What is the Shatterproof Fallacy?

Answer 94

Any damage done will have a limited effect

Question 95

What is the candy from a baby fallacy?

Answer 95

It’s so easy, it can’t be wrong

Question 96

What is the hackers fallacy?

Answer 96

Computers provide a valuable means of learning, that will in turn benefit society.

Question 97

What is the difference between a hacker and a cracker?

Answer 97

A cracker always does it at the expense of others

Question 98

What is the free information fallacy?

Answer 98

Any and all information should be free so should be obtained through any means

Question 99

What are the four canons in the ISC code of ethics?

Answer 99

1. Protect society, the commonwealth and the infrastructure
2. Act honourably, honestly, justly, responsibly and legally
3. Provide diligent and competent service to principles
4. Advance and protect the profession

Question 100

What is the Internet Architecture Board? (ethics and the internet RFC 1087)

Answer 100

defines unethical and unacceptable behaviour on the internet

Question 101

What is the Computer Ethics Institute?

Answer 101

ten commandments of computer ethics.

Question 102

Wat is Tort Law?

Answer 102

deals with civil wrongs against an individual or business entity. compensation normally involves monetary values

Question 103

What is customary law?

Answer 103

regionalised systems that reflect the society’s norms and values based on programmatic wisdom and traditions.

Question 104

Computer crimes can often be categorised into which 3 categories?

Answer 104

Computer as a tool
computers as the target of the crime
computers incidental to the crime.

Question 105

What is the Council of European (COE) COnvention on Cybercrime?

Answer 105

international response to criminal behaviours

Question 106

What organisation oversees interantional patent and trademark efforts?

Answer 106

WIPO World Intellectual property Organisatoin

Question 107

What is an EULA?

Answer 107

End User Licensing Agreement

Question 108

What is the difference between a master agreement and EULA?

Answer 108

master agreement sets out general overall conditions whereas EULA is more granular.

Question 109

What is PII?

Answer 109

Personally Identifiable Information

Question 110

What is the OECD (Organisation for Economic Cooperation and Development?

Answer 110

defines principles for securing personal information. broadly classifies principles based on differing internal laws and regulations

Question 111

What Legal principles can be used as a checklist to determine whether employee monitoring is justified?

Answer 111

EU Directive (7 principles)

Question 112

In the US which Act outlines minimum ethic requirements for computer use?

Answer 112

The 1991 US Federal Sentencing Guidelines for Organisations. (FSGO)

Question 113

What is CEI?

Answer 113

Computer Ethics Institute. 10 commandments

Question 114

What is the Internet Activities/Architecture Board?

Answer 114

ethical behaviour on internet

Question 115

What is the National Computer Ethics and Responsibilities Campaign? (NCERC)

Answer 115

goal is to foster computer ethics awareness and education.

Question 116

What is the Golden rule with regards ethics?

Answer 116

treat others as you wish to be treated

Question 117

What is Kant’s categorical imperative with regards ethics?

Answer 117

if an action is not right for everyone it is not right for anyone.

Question 118

What is Descarts rule of change with regards ethics?

Answer 118

if an action is not repeatable at all times, it is not right at any time.

Question 119

ulitarian?

Answer 119

acheives the most good