Legal Regulations, Investigations and Compliance Flashcards

1
Q

What is Common Law ?

A
  • Common law is also known as case law: it is built on judicial precedent (prior court decisions).
  • Three categories of law fall under it: criminal, civil (tort) and administrative (regulatory).

2
Q

What is Criminal Law ?

A

Criminal law defines those crimes committed against society, even when the actual victim is a business or individual(s). Criminal laws are enacted to protect the general public. As such, in the eyes of the court, the victim is incidental to the greater cause.

3
Q

Criminal Law Purposes?

A

Punishment: jail or prison, probation, fines or financial restitution.

Deterrence: the penalty is severe enough to dissuade the offender (and others) from further criminal activity.

4
Q

Criminal Law - Burden of Proof ?

A

To be convicted under criminal law, a judge or jury must believe beyond a reasonable doubt that the defendant is guilty. Therefore the burden of proof rests with the prosecution.

5
Q

Criminal Law - Classifications?

A

Felony: more serious; punishable by more than one year in prison.

Misdemeanor: less serious; punishable by up to one year in jail.

6
Q

What is Civil Law ?

A

Civil (tort) law addresses wrongful acts committed against an individual or business, either willfully or negligently, resulting in damage, loss, injury, or death.

7
Q

What are Civil Law Penalties ?

A

Unlike criminal penalties, civil penalties do not include jail or prison terms. Instead, civil penalties provide financial restitution to the victim:

  • Compensatory damages: payment of the actual damages suffered by the victim (legal fees, lost profits, attorney's fees).
  • Punitive damages: a cash award determined by a jury, intended as a punishment of the defendant.
  • Statutory damages: mandatory damages fixed by law and assessed for violating the law.

8
Q

Civil Law - Burden of Proof ?

A

To be found liable under civil law (civil defendants are not "convicted"), the judge or jury must believe, based on the preponderance of the evidence, that the defendant is liable. This means the available evidence shows it is more likely than not that the claim is true, a much lower standard than "beyond a reasonable doubt".

9
Q

Civil Law - Liability and Due Care ?

A

The concepts of liability and due care are germane to civil law cases, but they also apply under administrative law.

10
Q

What is the principle of proximate causation?

A

An action taken (or not taken) was part of the sequence of events that resulted in negative consequences, i.e. the harm would not have occurred but for that act or omission.

11
Q

What is Due Care ?

A

The conduct that a reasonable person exercises in a given situation, which provides a standard for determining negligence. In the practice of information security, due care relates to the steps that individuals or organizations take to perform their duties and implement security best practices.

12
Q

What is Due Diligence ?

A

The prudent management and execution of due care. In the context of information security, due diligence commonly refers to risk identification and risk management practices, not only in the day-to-day operations of an organization, but also in the case of technology procurement, as well as mergers and acquisitions.

13
Q

What is the principle of culpable negligence?

A

If an organization fails to follow a standard of due care in the protection of its assets, the organization may be held culpably negligent.

14
Q

What is Administrative Law ?

A

Administrative (regulatory) law defines standards of performance and conduct for major industries (including banking, energy and healthcare), organizations and officials.

  • These laws are generally enforced by government agencies (regulators).

15
Q

What are the problems with International Law?

A

Problems with international law:

  • Lack of universal cooperation.
  • Different interpretations of the law.
  • Different rules of evidence.
  • Resolution priority (which jurisdiction's case takes precedence).
  • Outdated laws that lag behind technology.
  • Extradition.

16
Q

Other legal systems around the world include:

A
  • Civil law (code-based): the judge applies codified statutes; decisions are not based on precedent. The most widespread legal system worldwide.
  • Religious law (e.g. Sharia).
  • Pluralistic (mixed: civil, common and/or religious law).

17
Q

What is Computer Crime ?

A
  • Computer crime consists of any criminal activity in which computer systems or networks are used as tools.
  • It also includes crimes in which computers are the targets.

18
Q

Difficulties with Computer Crime ?

A
  • Lack of understanding: the technology is difficult to explain to courts, juries and legislators.
  • Inadequate laws: laws do not keep pace with technology.
  • Multiple roles: a computer can be the target of the crime, the tool used to commit it, or merely support it (e.g. criminals using computers for crime-related communications).

19
Q

Why are computer crimes difficult to prosecute ?

A
  • Lack of tangible assets.
  • Rules of evidence (much computer evidence is treated as hearsay).
  • Lack of evidence (lack of investigator skills; a long trail of computers to follow).
  • Definition of loss: a loss of confidentiality or integrity of data goes far beyond the ordinary definition of loss in a civil or criminal case, and is hard to quantify.
  • Location of perpetrators: perpetrators are often outside the country, which makes law enforcement difficult.
  • Criminal profiles:
    • Juveniles
    • Trusted individuals (insiders)

20
Q

7 classifications of computer crime?

A
  • Business attacks
  • Financial attacks
  • “Fun” attacks
  • Grudge attacks
  • Ideological attacks
  • Military and intelligence attacks
  • Terrorist attacks
21
Q

Why attack businesses?

A
  • Lack of expertise: despite heightened security awareness, a shortage of qualified security professionals still exists, particularly in private enterprise.
  • Lack of resources: businesses often lack the resources to prevent, or even detect, attacks against their systems.
  • Lack of reporting or prosecution: because of public relations concerns and the inability to prosecute computer criminals because of either a lack of evidence or a lack of properly handled

22
Q

Why Attack Financial Institutions?

A
  • Theft and embezzlement.
  • Nearly all (99%) are motivated by greed.

23
Q

Why "fun" attacks?

A
  • The realm of thrill seekers and script kiddies.
  • Motivated by curiosity and "what if" experimentation.
  • Usually easy to detect and prosecute, because script kiddies rarely cover their tracks.

24
Q

Why Grudge Attacks ?

A
  • Targeted at specific businesses or people, out of a personal grievance.
  • The attackers are usually known to the victims, so a successful prosecution is more likely.

25
Q

Why ideological Attacks ?

A
  • Commonly known as hacktivism.
  • Targets businesses and people because of a controversy or cause.
  • Mostly DDoS-style attacks; can include data theft.

26
Q

Why military and intelligence attacks?

A
  • Perpetrators: criminals, traitors (insiders) and foreign state agencies or actors seeking military or intelligence information.

27
Q

Intellectual property?

A

Protected under one of four classifications:

  • Patents
  • Trademarks
  • Copyrights
  • Trade Secrets
28
Q

What is a Patent ?

A
  • A patent, as defined by the U.S. Patent and Trademark Office (USPTO), is "the grant of a property right to the inventor."
  • It gives the owner the right to exclude others from making, using, selling or importing the patented invention.
  • U.S. utility patents are valid for 20 years from the filing date.

29
Q

What laws and regulations cover U.S. patents?

A

35 U.S.C. (the Patent Act, the statute itself)

37 C.F.R. (the USPTO regulations that implement it)

30
Q

What is a TradeMark ?

A

A trademark, as defined by the U.S. PTO, is “any word, name, symbol, or device, or any combination, used, or intended to be used, in commerce to identify and distinguish the goods of one manufacturer or seller from goods manufactured or sold by others.”

31
Q

What is Copyright ?

A

A copyright is a form of protection granted to the authors of "original works of authorship," both published and unpublished. A copyright protects a tangible form of expression rather than the idea or subject matter itself.

Copyright Act of 1909: protected only published works.
Copyright Act of 1976: protects any original work fixed in a tangible medium, published or not.

32
Q

How long does a copyright last?

A

Lifetime of the author plus 70 years. (Works made for hire: 95 years from publication or 120 years from creation, whichever is shorter.)

33
Q

What is a trade secret ?

A

A trade secret is proprietary or business-related information that a company or individual uses and has exclusive rights to.

34
Q

Trade Secret Requirements:

A
  • Must be genuine and not obvious.
  • Must have value to the owner.
  • Must provide a competitive or economic advantage.
  • Must be reasonably protected from disclosure (if the owner does not protect it, it is not a trade secret).

35
Q

EU privacy law principles:

A
  • Data must be collected fairly and lawfully.
  • Data must only be used for the purpose for which it was collected.
  • Collected data may be kept only for a limited period of time.
  • Data must be accurate and kept up to date.
  • Collected data must be accessible to the people it describes (the data subjects).
  • Individuals have the right to correct errors in their data.
  • Personal data must not be disclosed without authorization.
  • Data may be transferred to another country only if it will receive an equivalent level of privacy protection there; otherwise the transfer is prohibited.

36
Q

U.S. Federal Privacy Act of 1974, 5 U.S.C. § 552A

A

The Federal Privacy Act of 1974 protects records and information maintained by U.S. government agencies about U.S. citizens and lawful permanent residents.

37
Q

U.S. Health Insurance Portability and Accountability

Act (HIPAA) of 1996, PL 104–191

A

Comprehensive health privacy legislation covering protected health information (PHI).

Since 2009 (the HITECH Act), breaches of unsecured PHI must be reported to the affected individuals and to HHS (see the HITECH cards for thresholds).

38
Q

Who is covered by HIPAA ?

A
  • Payers (health plans)
  • Healthcare clearinghouses
  • Healthcare providers (that transmit health information electronically)

39
Q

Penalties for HIPAA violation.

A

Civil penalties for HIPAA violations originally included fines of $100 per incident, up to $25,000 per provision, per calendar year. (HITECH, 2009, replaced these with tiered civil penalties reaching $1.5 million per violation category per year.)

Criminal penalties include fines up to $250,000 and potential imprisonment of corporate officers for up to ten years. Additional state penalties may also apply.

40
Q

U.S. Health Information Technology for Economic

and Clinical Health Act (HITECH) of 2009

A

Broadens the scope of HIPAA to cover:

  • Business associates
  • Pharmacy benefit managers
  • Third-party administrators
  • Persons performing legal, accounting and administrative work for HIPAA covered entities
  • Electronic health records (EHR)

It also requires covered entities to notify the public of breaches and provides for the issuance of technical guidance on security technologies and methodologies.

41
Q

HITECH (2009) Data Breach notifications

A

Affected individuals must always be notified directly, without unreasonable delay and no later than 60 days after discovery.
500 or more individuals: HHS must also be notified without unreasonable delay, and prominent media outlets serving the affected state or jurisdiction must be notified; HHS posts the breach on its website.
Fewer than 500 individuals: the breach is logged and reported to HHS annually (within 60 days after the end of the calendar year).

42
Q

U.S. Gramm-Leach-Bliley Financial Services Modernization Act (GLBA), PL 106-102

A
  • Geared toward banks and financial institutions.
  • Opened up competition among banks, securities companies and insurers.
  • Requires financial institutions to protect customers' non-public personal information.

43
Q

GLBA - the three privacy rules ?

A
  • Financial Privacy Rule: Requires each financial institution to provide information to each customer regarding the protection of customers’ private information.
  • Safeguards Rule: Requires each financial institution to develop a formal written security plan that describes how the institution will protect its customers’ PII.
  • Pretexting Protection: Requires each financial institution to take precautions to prevent attempts by social engineers to acquire private information about institutions’ customers.
44
Q

The U.K. Data Protection Act (DPA) 1998

A

This applies to any organisation that processes personal data, including sensitive personal data such as:

Names, date of birth, address, telephone, e-mail, race, ethnic origin, political or religious opinion, trade or labour union membership, physical or mental condition, sexual orientation or lifestyle, criminal or civil records or allegations.

(The 1998 Act has since been superseded by the Data Protection Act 2018 and the UK GDPR.)

45
Q

DPA: the 8 data protection (privacy and disclosure) principles

A
  • "Personal data shall be processed fairly and lawfully and [shall not be processed unless certain other conditions (set forth in the Act) are met]."
  • "Personal data shall be obtained only for one or more specified and
  • "Personal data shall be adequate, relevant, and not excessive in relation to the purpose or purposes for which they are processed."
  • "Personal data shall be accurate and, where necessary, kept up-to-date."
  • "Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes."
  • "Personal data shall be processed in accordance with the rights of data subjects under this Act."
  • "Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."
  • "Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data."

46
Q

Payment Card Industry Data Security Standard (PCI DSS)

A
  • Applies to any business worldwide that transmits, processes or stores payment card data.
  • Each card brand (Visa, Amex, etc.) manages its own compliance program.
  • Validation requirements depend on merchant level: an annual self-assessment questionnaire (or an on-site assessment by a QSA for the largest merchants) plus quarterly external vulnerability scans by an approved scanning vendor.

47
Q

PCI DSS has 6 core principles (control objectives), covering 12 requirements:

A
  • Build and maintain a secure network and systems (firewalls, no vendor defaults).
  • Protect cardholder data (protect stored data, encrypt it in transit).
  • Maintain a vulnerability management program (anti-malware, patching, secure development).
  • Implement strong access control measures (need-to-know access to cardholder data, unique IDs, physical access restrictions).
  • Regularly monitor and test networks (track all access to network resources and cardholder data, test security systems and processes).
  • Maintain an information security policy.

48
Q

PCI DSS penalties:

A
  • Fines of $25,000 to $500,000, set by the card brands.
  • Loss of the right to process credit card transactions.

49
Q

Disclosure Laws:

A

Requiring organizations to notify individuals of a data breach, disclosure laws fulfill a secondary purpose — allowing potential victims to take defensive or corrective action to help avoid or minimize the damage resulting from identity theft.

50
Q

California Security Breach Information Act (SB-1386)

A
  • First state law to require customer notification in the event of a breach in which personal data is stolen or lost.
  • Applies to any person or business that conducts business in California and owns or licenses computerized personal information about California residents, regardless of where the business itself is located.
  • Substitute notice: if the cost of notifying people would exceed $250,000, or more than 500,000 individuals are affected, individuals may be informed via e-mail, a conspicuous posting on the business's website and notification to major statewide media.

51
Q

U.S. Computer Fraud and Abuse Act of 1986,

18 U.S.C. § 1030 (as amended)

A

The U.S. Computer Fraud and Abuse Act of 1986 is the major computer crime law currently in effect in the USA.

  • This act established two new felony offenses:
    1) Unauthorized access, or access that exceeds authorization, to a federal interest computer to further an intended fraud, punishable as a felony [Subsection (a)(4)].
    2) Altering, damaging or destroying information in a federal interest computer, or preventing authorized use of the computer or information, that causes an aggregate loss of $1,000 or more during a one-year period or potentially impairs medical treatment, punishable as a felony [Subsection (a)(5)].

Misdemeanor: trafficking in computer passwords or similar information if it affects interstate or foreign commerce or permits unauthorized access to computers used by or for the U.S. government.

(The 1996 amendments replaced the term "federal interest computer" with the broader "protected computer".)

52
Q

U.S. Electronic Communications Privacy Act (ECPA) of 1986

A

prohibits eavesdropping, interception, or unauthorized monitoring of wire, oral, and electronic communications. However, the ECPA does provide specific statutory exceptions, allowing network providers to monitor their networks for legitimate business purposes if they notify the network users of the monitoring process.

53
Q

U.S. Computer Security Act of 1987

A

The U.S. Computer Security Act of 1987 requires federal agencies to take extra security measures to prevent unauthorized access to computers that hold sensitive information.

The Act also:

  • Assigns NIST responsibility for government computer security.
  • Assigns NIST responsibility for government information security standards.
  • Assigns the NSA responsibility for government cryptography.

(Largely superseded by the Federal Information Security Management Act, FISMA, of 2002.)

54
Q

U.S. Federal Sentencing Guidelines of 1991

A
  • Establish written standards of conduct for organizations.
  • Provide relief in sentencing for organizations that have demonstrated due diligence.
  • Place responsibility for due care on senior management officials, with penalties for negligence including fines of up to $290 million.

55
Q

U.S. Economic Espionage Act of 1996

A

The EEA makes it a criminal offense to take, download, receive, or possess trade secret information that’s been obtained without the owner’s authorization.

Penalties include fines of up to $10 million, up to 15 years in prison, and forfeiture of any property used to commit the crime.

56
Q

U.S. Child Pornography Prevention Act of 1996

A

Combats the use of computer technology to produce and distribute pornography involving children, including adults portraying children. (The provisions covering virtual images and adults who appear to be minors were struck down as overbroad in Ashcroft v. Free Speech Coalition, 2002.)

57
Q

USA PATRIOT Act of 2001 - Section 202

A

Authority to Intercept Wire, Oral, and Electronic Communications Relating to Computer Fraud and Abuse Offenses:

Under previous law, investigators could not obtain a wiretap order for violations of the Computer Fraud and Abuse Act. This amendment authorizes such orders for felony violations of that Act.

58
Q

USA PATRIOT Act of 2001 - Section 209

A

Section 209 — Seizure of Voice-Mail Messages Pursuant to Warrants:

Under previous law, investigators could obtain access to e-mail under the ECPA but not voice-mail, which was covered by the more restrictive wiretap statute. This amendment authorizes access to voice-mail with a search warrant rather than a wiretap order.

59
Q

USA PATRIOT Act of 2001 - Section 210

A

Section 210 — Scope of Subpoenas for Records of Electronic
Communications:

Under previous law, subpoenas of electronic records were restricted to very limited information. This amendment expands the list of records that can be obtained and updates technology-specific terminology.

60
Q

USA PATRIOT Act of 2001 - Section 211

A

Section 211 — Clarification of Scope:

This amendment governs privacy protection and disclosure to law enforcement of cable, telephone, and Internet service provider records.

61
Q

USA PATRIOT Act of 2001 - Section 212

A

Section 212 — Emergency Disclosure of Electronic Communications to Protect Life and Limb:

Prior to this amendment, no special provisions existed that allowed a communications provider to disclose customer
information to law enforcement officials in emergency situations, such as an imminent crime or terrorist attack, without exposing the provider to civil liability suits from the customer.

62
Q

USA PATRIOT Act of 2001 - Section 214

A

Section 214 — Pen Register and Trap and Trace Authority under FISA (Foreign Intelligence Surveillance Act):

Clarifies law enforcement authority to trace communications on the Internet and other computer networks, and it authorizes the use of a pen/trap device nationwide, instead of limiting it to the jurisdiction of the court.

63
Q

What is a Pen / trap device ?

A

A pen/trap device refers to a pen register that shows outgoing numbers called from a phone and a trap and trace device that shows incoming numbers that called a phone.

64
Q

USA PATRIOT Act of 2001 - Section 217

A

Interception of Computer Trespasser Communications:

Under previous law, it was permissible for organizations to monitor activity on their own networks, but not necessarily for law enforcement to assist these organizations in monitoring, even when such help was specifically requested.

This amendment allows organizations to authorize persons "acting under color (pretense or appearance) of law" to monitor trespassers on their computer systems.

65
Q

USA PATRIOT Act of 2001 - Section 220

A

Section 220 — Nationwide Service of Search Warrants for Electronic Evidence: removes jurisdictional obstacles to obtaining search warrants for e-mail held by providers in other districts.

For an excellent example of this problem, read The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage, by Clifford Stoll (Doubleday).

66
Q

USA PATRIOT Act of 2001 - Section 814

A

Section 814 — Deterrence and Prevention of Cyberterrorism:

Greatly strengthens the U.S. Computer Fraud and Abuse Act, including raising the maximum prison sentence from 10 years to 20 years.

67
Q

USA PATRIOT Act of 2001 - Section 815

A

Section 815 — Additional Defense to Civil Actions Relating to
Preserving Records in Response to Government Requests:

Clarifies the “statutory authorization” (government authority) defense for violations of the ECPA.

68
Q

USA PATRIOT Act of 2001 - Section 816

A

Section 816 — Development and Support of Cybersecurity Forensic Capabilities:

Requires the Attorney General to establish regional computer forensic laboratories, maintain existing laboratories, and provide forensic and training capabilities to Federal, State, and local law enforcement personnel and prosecutors.

69
Q

U.S. Sarbanes-Oxley Act of 2002 (SOX)

A

SOX was passed in 2002 to restore public trust in publicly held corporations and public accounting firms by establishing new standards and strengthening existing standards for these entities including auditing, governance, and financial disclosures.

SOX established the Public Company Accounting Oversight Board (PCAOB), which is a private-sector, nonprofit corporation responsible for overseeing auditors in the implementation of SOX

70
Q

U.S. CAN-SPAM Act of 2003

A

The act establishes standards for sending commercial e-mail messages, charges the U.S. Federal Trade Commission (FTC) with enforcement of the provision, and provides penalties that include fines and imprisonment for violations of the Act.

71
Q

Directive 95/46/EC on the protection of personal data (1995, EU)

A

The directive states that personal data should not be processed at all, except when certain conditions are met. (Repealed and replaced by the General Data Protection Regulation, GDPR, which has applied since May 2018.)

72
Q

Safe Harbor (1998)

A

This permitted U.S.-based organizations to self-certify that they handle the personal data of EU citizens in accordance with EU privacy principles, so that data could be transferred to them from the EU. (The Safe Harbor framework was invalidated by the Court of Justice of the EU in 2015, in the Schrems case.)

73
Q

The Council of Europe’s Convention on Cybercrime (2001)

A

The Convention on Cybercrime is an international treaty, currently signed by more than 40 countries (the U.S. ratified the treaty in 2006), requiring criminal laws to be established in signatory nations for computer hacking activities, child pornography, and intellectual property violations.

The treaty also attempts to improve international cooperation with respect to monitoring, investigations, and prosecution.

74
Q

The Computer Misuse Act 1990 (U.K.)

A

This act defines three criminal offences related to computer crime:

  • Section 1: unauthorised access to computer material (whether or not the attempt succeeds).
  • Section 2: unauthorised access with intent to commit or facilitate further offences.
  • Section 3: unauthorised modification of computer material; since the 2006 amendments this covers any unauthorised act intended to impair the operation of a computer, including hindering authorised access (denial of service).

75
Q

Cybercrime Act 2001 (Australia)

A

This act defines three criminal offences related to computer crime, and also establishes jail terms and penalties:

  • Unauthorised access (successful or not).
  • Unauthorised modification.
  • Hindering authorised access (denial of service).

76
Q

Computer Forensics:

A

The science of conducting a computer crime investigation to determine what has happened and who is responsible, and to collect legally admissible evidence for use in a computer crime case.

77
Q

Evidence:

A

Evidence is information presented in a court of law to confirm or dispel a fact that’s under contention, such as the commission of a crime.

78
Q

The 4 types of evidence:

A
  • Direct evidence: oral or written statement from a witness.
  • Real evidence: tangible objects.
  • Documentary evidence: computer records, receipts, manuals.
  • Demonstrative evidence: models, simulations, walk-throughs.

79
Q

The Best Evidence Rule:

A

The best evidence rule, defined in the Federal Rules of Evidence, states that

"to prove the content of a writing, recording, or photograph, the original writing, recording, or photograph is [ordinarily] required."

The exception for computer data: any printout or other output readable by sight that is shown to accurately reflect the stored data counts as an "original" (FRE 1001).

80
Q

The Hearsay Rule:

A
  • Hearsay evidence is evidence that is not based on the personal, first-hand knowledge of a witness but comes from other sources. Generally it is not admissible in court.

Several courts have held that the hearsay rules apply to computer-stored records containing human statements (e-mail, documents) but not to computer-generated records untouched by human hands (system logs and similar machine output).

81
Q

Admissibility of evidence

A
  • Relevant: It must tend to prove or disprove facts that are relevant and material to the case.
  • Reliable: It must be reasonably proven that what is presented as evidence is what was originally collected and that the evidence itself is reliable. This is accomplished, in part, through proper evidence handling and the chain of custody.
  • Legally permissible: It must be obtained through legal means.
82
Q

Chain of custody and the evidence life cycle

A

The chain of custody (or chain of evidence) provides accountability and protection for evidence throughout its entire life cycle. It records the following information, which is normally kept in an evidence log:

  • Persons involved
  • Description of evidence
  • Location of evidence
  • Date / Time
  • Method Used.
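As an added example (not from the flashcards), the following Python builds an evidence log with the fields listed above and ties each custody entry to a SHA-256 digest of the evidence image, so that the "reliable" admissibility test (what is presented is what was collected) can be checked mechanically. The case number, names, locations and the evidence image are all constructed for the example; `verify_chain()` reports a tampered image, a hand-over that skips a holder, or out-of-order timestamps.

```python
"""Chain-of-custody log with integrity checks (illustrative example).

Every entry records who took custody, from whom, where, when, how, and the
SHA-256 of the evidence image at that step. verify_chain() recomputes the
digest and checks that custody passes hand to hand without gaps.
Case IDs, names and the image are constructed sample data.
"""
import hashlib
import json
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone
from typing import List, Optional


def sha256_hex(data: bytes) -> str:
    """Digest used to show the evidence has not changed since collection."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    timestamp: str                # ISO 8601 in UTC, so string order is time order
    action: str                   # collected / transferred / analyzed / stored / returned
    handler: str                  # person taking custody at this step
    received_from: Optional[str]  # previous holder; None only at collection
    location: str
    method: str                   # how it was handled (imaging tool, seal number, ...)
    evidence_hash: str            # SHA-256 of the evidence image at this step


@dataclass
class EvidenceRecord:
    case_id: str
    item_id: str
    description: str
    entries: List[CustodyEntry] = field(default_factory=list)

    def add_entry(self, action: str, handler: str, received_from: Optional[str],
                  location: str, method: str, image: bytes,
                  when: Optional[datetime] = None) -> CustodyEntry:
        """Append one custody event, hashing the image as it is at hand-over."""
        stamp = (when or datetime.now(timezone.utc)).isoformat()
        entry = CustodyEntry(stamp, action, handler, received_from,
                             location, method, sha256_hex(image))
        self.entries.append(entry)
        return entry

    def to_json(self) -> str:
        """Serialised evidence log, e.g. for printing as an exhibit."""
        return json.dumps(asdict(self), indent=2)


def verify_chain(record: EvidenceRecord, current_image: bytes) -> List[str]:
    """Return the problems found; an empty list means the chain is intact."""
    if not record.entries:
        return ["no custody entries"]
    problems: List[str] = []
    first = record.entries[0]
    if first.action != "collected" or first.received_from is not None:
        problems.append("first entry must be a collection with no previous holder")
    original = first.evidence_hash
    if sha256_hex(current_image) != original:
        problems.append("image hash does not match the hash recorded at collection")
    prev = first
    for i, entry in enumerate(record.entries[1:], start=1):
        if entry.received_from != prev.handler:   # a gap in the chain of custody
            problems.append(f"entry {i}: received from {entry.received_from!r}, "
                            f"but previous holder was {prev.handler!r}")
        if entry.evidence_hash != original:       # evidence altered while in custody
            problems.append(f"entry {i}: hash changed while held by {entry.handler}")
        if entry.timestamp < prev.timestamp:      # log entries out of order
            problems.append(f"entry {i}: timestamp earlier than the previous entry")
        prev = entry
    return problems


# Constructed sample: a short byte string stands in for a disk image.
SAMPLE_IMAGE = b"constructed sample evidence image, not a real disk image\n" * 64


def build_sample_record() -> EvidenceRecord:
    """Three custody events for one item: collection, storage, analysis."""
    rec = EvidenceRecord("CASE-0001", "ITEM-01",
                         "Laptop HDD image, 500 GB (constructed example)")
    t0 = datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc)
    rec.add_entry("collected", "A. Investigator", None, "Server room, building 2",
                  "dd bit-for-bit image through a hardware write blocker",
                  SAMPLE_IMAGE, when=t0)
    rec.add_entry("transferred", "B. Custodian", "A. Investigator", "Evidence locker 4",
                  "sealed in tamper-evident bag #0421", SAMPLE_IMAGE,
                  when=t0.replace(hour=11))
    rec.add_entry("analyzed", "C. Examiner", "B. Custodian", "Forensics lab, bench 2",
                  "read-only mount of a working copy; original untouched",
                  SAMPLE_IMAGE, when=t0.replace(day=16))
    return rec


if __name__ == "__main__":
    record = build_sample_record()
    print(record.to_json())
    print("intact:", verify_chain(record, SAMPLE_IMAGE) == [])
    # A single changed byte shows up as a listed problem.
    print(verify_chain(record, SAMPLE_IMAGE + b"\x00"))
```

The digest is taken at every hand-over rather than once, so the log itself shows at which holder a change occurred; in practice the examiner works on a verified copy and the original stays sealed, which is what the third sample entry records.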
83
Q

Evidence life cycle (5 stages):

A
  • Collection and identification
  • Analysis
  • Storage, preservation, and transportation
  • Presentation in court
  • Return to victim (owner)
84
Q

Conducting investigations (The Process)

A
  • Detect and contain the computer crime.
  • Notify management.
  • Conduct a preliminary investigation.
  • Decide on disclosure (whether to report the crime to law enforcement and the public).
  • Conduct the investigation.
  • Identify suspects (motive, opportunity, means: MOM).
  • Identify witnesses.
  • Prepare for search and seizure.
  • Report your findings.

85
Q

Incident Handling / Response:

A
  • Incident response begins before an incident actually occurs.
  • Preparation is the key to a quick and successful response.
  • A well-documented and regularly practiced incident response plan ensures effective preparation.
86
Q

Incident Handling Procedures:

A
  • Response procedures: Include detailed procedures that address different contingencies and situations.
  • Response authority: Clearly define roles, responsibilities, and levels of authority for all members of the Computer Incident Response Team (CIRT).
  • Available resources: Identify people, tools, and external resources (consultants and law enforcement agents) that are available to the CIRT. Training should include use of these resources, when possible.
  • Legal review: The incident response plan should be evaluated by appropriate legal counsel to determine compliance with applicable laws and to determine whether they’re enforceable and defensible.
87
Q

Incident Handling Stepping Stones:

A

1) Determine whether an incident has occurred.
2) Notify the appropriate people.
3) Contain the incident (limit the damage).
4) Assess the damage.
5) Resume normal operations.
6) Evaluate the effectiveness of the incident response.