PIC9-13 Flashcards
IBM’s Resource Access Control Facility (RACF)
very powerful mainframe security utility available before the remote access era
Cybercrime
criminal activity in which computers or computer networks are a tool, a target or a place of criminal activity
Computers as targets of cybercrime
- information acquisition
- control the system without authorization or payment
- alter integrity of data
- interfere with system availability (hacking or denial of service)
Computer as a storage device in cybercrime
use of computer as a passive storage medium
Computers as communication tools in cybercrime
traditional crimes committed online, e.g.:
illegal sales of drugs and arms online
Advanced fee fraud
promise of large sums of money if they provide relatively small payments upfront
Bots
piece of malware that carries out certain actions on receiving a command
DOS
denial of service attack
Hack
unauthorised entry to a computer, network or website
Phishing
trick to elicit confidential information
Social engineering
use of social factors to persuade victims to reveal information or give money
Spam
bulk sending of emails or other messages to users
commercial misuse
“black hat marketing”
Malware
program covertly inserted into another program:
- destroy data
- run malicious programs
- compromise confidentiality, integrity or availability of system, data, applications
classified by method of spread and payload (actions).
Trojan
malware that facilitates unauthorised access to system
Rootkit
malware that enables access while hiding its presence
Virus
malware that infects a host program and propagates
Worm
malware that does not need a host program to propagate; infects via network, USB stick, etc.
Zombie
Computer that has been compromised and is used to perform malicious tasks under remote control
Ransomware
criminal activity where a victim is held to ransom by cybercriminals:
- hacker asks for money in exchange for removing the malware
WannaCry
Ransomware attack on the NHS in 2017 targeting Windows computers
Virus components
- infection mechanism
- trigger
- payload
Virus lifetime phases
- dormant
- propagation
- triggering
- execution
Cross site request forgery
sea surf
third party cookie setting, usually without the user being aware of it
Cloaking
SEO technique in which the content presented to the search engine spider is different to that presented to the user browser
Advanced Persistent Threat
- usually part of state security
- systematic and repeated cybercrime
- political or economic motivation
Sandworm
Russian Advanced Persistent Threat group responsible for the hacker attack on the Ukrainian power grid in 2017
Stuxnet
Advanced Persistent Threat attack on Iran’s nuclear plant
Computer Misuse Act 1990
Offences:
- Unauthorised access to computer material
- Unauthorised access with intent to commit further offences
- Unauthorised modification of computer material
EU Directive on Security of Network and Information Systems (2016)
first EU rules on cybersecurity
- improved cybersecurity capabilities
- increased EU-level cooperation
- risk management
Challenges in combatting cybercrime
- technology evolves fast and legislation becomes out of date
- malware evolves quickly
- individuals’ poor security practice
- limitations of legislation on cybercrime coming from abroad: difficulty linking anti-cybercrime initiatives across jurisdictions
- complexity of tech
- cooperation of law enforcement agencies internationally
- low investment in preventive tech
- unreported cybercrime to avoid bad publicity and liability
Digital Forensic Evidence
- evidence that results from digital investigation
- must be preserved
- used for trials
- investigation should not modify the state of the computer
IS contracts
- build bespoke software
- licence agreement
- consulting
- outsourcing
Fixed Price contract
- fixed amount agreed for the complete work
- supplier takes most of the risk
- functional specs and change control very important
Time and materials contract
- Payment based on hours of work and expenses
- More typical for consultancy than software development
- Risks shared between client and supplier
Typical software contract structure
- Short agreement
- Standard terms and conditions
- Schedules or annexes (Statement of Work)
Bespoke Software Contract - Schedule of Work
- parties and context agreement
- deliverables definition
- who will do what
- timescales
- payment schedules
- User Acceptance Testing definition
- Change control definitions
- Exclusions
Bespoke Software Contract - Governance
- Design and delivery methodology
- QA methods
- Meetings and reporting
- Project managers and client contracts
- Escalation procedures
Bespoke Software Contract - Deliverables
- usually an installed system
- documentation and code
- design, testing, training
Bespoke Software Contract – Requirements and Change Control
- Functional Specs or Prioritised Requirements List
- Non-functional requirements: performance, security, availability
- Change control mechanism
Bespoke Software Contract - Ownership
- Contract should state legal rights of parties at the end of project
- Intellectual property usually assigned to the client
- Exception for open source or proprietary software used in the solution
- IP for specific methodology/process used in development retained by the supplier
Bespoke Software Contract - Confidentiality
- may include NDA
- may include clauses on promotional purposes
Bespoke Software Contract - Payment
- Typically within 30 days of invoice
- termination or surcharge upon delay
- staged payment usual
Bespoke Software Contract - Penalties
- may specify penalty charges for delay on delivery schedule
- suppliers often inflate costs to cover for potential penalty costs
- serious delays can lead supplier to walk away
- over-runs reduce profit margins
- clients can fail to meet obligations on time
- extra charges usually agreed at progress meetings. Disagreements lead to legal disputes
Bespoke Software Contract – Customer Obligations
- documentation of project activities
- access to relevant staff
- machine facilities, network links, etc.
- on site facilities and support
- timely sign-off of deliverables
- specs and execution of user acceptance tests
Bespoke Software Contract – Acceptance and Warranty
- usually defined at the outset
- client should provide a fixed set of UAT cases and expected results from the start; tests can’t be added later
- warranty period usually 90 days, within which errors corrected free of charge
- subsequent maintenance on a time and material basis
Bespoke Software Contract – Other Clauses
- indemnity of parties against liability for infringing third party rights
- termination rules set in advance
- arbitration decisions
- applicable law citation
IT consultancy contract
- Contract hire involves supplying staff to the client
- consultancy involves an assignment to complete a specific engagement
- contracts terms can be similar to bespoke contracts
- delivery is often a report or presentation
- payment usually on time and material
IT Outsourcing contract
- services to be provided
- SLA
- Payments
- demarcation of responsibilities between client and supplier
- may involve transfer of staff and assets from client to supplier
- specify termination conditions
Why defects occur
- complexity of systems
- subsystems come from different suppliers
number of software defects in code
15-50 errors per 1000 lines of code (defects/KLOC)
Microsoft:
- 10-20 defects/KLOC in-house testing
- 0.5 defects/KLOC in production
Types of software defects
- functionality fail
- performance fail
- incompatibility
- difficult to maintain
- hidden bugs
Impact of software defects
- can be life threatening
- can present security risks
- can have large economic implications
Liability for software failure
topics of discussion:
- does increased liability stifle software products?
- does increased liability discourage development in high-risk fields?
- programmers subject to malpractice suits?
- should IS professionals be obliged to buy professional indemnity insurance?
Legislation for software defects
Under UK/EU law, software is categorised as a product
Consumer Rights Act 2015
- gives rights to repair or replacement of digital products
- first time consumers have rights for digital content (films, games, music)
Limitation to liability for computer software
- contracts may contain clauses limiting liability for defective software
- floodgate risk: if software is faulty, it can lead to unlimited liability through widespread use
Liability for AI
proposed by the EU
assigns applications of AI to three risk categories:
- applications that create unacceptable risk are banned (social scoring of the type used in China)
- high-risk applications like CV scanners are subject to specific legal requirements
- applications that are neither banned nor high-risk are left unregulated
Open source software - limit of liability
developer not liable for any damage, except when someone is hurt or killed
Intellectual Property
- creative works, inventions and commercial goodwill
- has value
- intangible
- can be stolen
- law for protecting it is different from physical property
Why do we need protection for Intellectual Property
- reward creators
- allow creators to control use
- to encourage creativity
Intellectual Property Rights
- IPO (Intellectual Property Officer) in UK
- Copyright (protects creative work)
- Patent (protects inventions)
- Trademark (protects product names, logos, symbols)
Copyright
- work must be original
- Idea must be expressed
Copyright - international applications
- Berne Convention (basic definition of copyright)
- World Trade Organisation
- World International Property Office (digital environment)
EU and UK legislations
EU various directives
- term (duration)
- infosoc (online, e.g.: downloads)
- software
- database
UK Copyright, Design and Patents Act 1998
Rights of Copyright Owner
- Give copies of the work to the public
- Give permissions to make copies
- Give permissions to adapt a work
- Make variations or derivatives of a work
- Sell or licence rights
Duration of Copyright
- 70 years after death of last author (principal author, director, composer for film)
- radio: 50 years after first broadcast
- Crown: 125 years after work created
Fair Dealing (exceptions, Infosoc)
include:
- Research
- criticism, review, quotation, news reporting
- caricature, parody
- teaching
- library, archives, museums can make copies
EU Directive 2019 (DSM Copyright Directive)
- access subscriptions across borders
- improves rules on research, education and inclusion of disabled people
- sustainable marketplace for content creators and press
Software and Copyright
- In most countries software is protected as literary work. Includes source code, object code
- non-literal elements are not protected: UI, calculations, functions
Software copyrights - Author
- in a company, the employer owns the copyright
- independent contractors can pass copyrights to employer in formal agreement
- author can assign copyright to third parties
Software Copyright - commercial software
- customer buys licence to use, not the actual software
- owner retains copyright
- tailor made software: first owner is the creator
- customer gets the copyright
- except for elements that are proprietary, open source or belong to third party
Software copyright - rights of others
- can’t prevent others from coming up with the same code without copying
- legal to keep a back-up copy
- legal to decompile to find errors or determine interface
Open Source
- free in terms of freedom, not price
- Open Source Initiative: motivation is reliability and flexibility
- Free Software Foundation: freedom for computer users
- allows users to:
Study and modify the program
Redistribute copies
Distribute modified versions
Copyleft
method for making a program free and requiring all modified and extended versions to be free as well
Database directive
- Database is defined as a collection of independent works arranged in a systematic way
- rights apply if there has been a substantial investment in obtaining, verifying or presenting the content
- rights last 15 years
- rights allow creators to prohibit extraction and re-use of content
- applies to extraction of substantial quantities