10. law invest & ethics

  • Will address: Laws, Computer Crime, Computer Crime Investigations, Ethics
  • From CISSP Study Guide

Presentation Transcript

  • Law, Investigations and Ethics
  • Objectives
    • To review computer crime laws and regulations; investigative measures and techniques used to determine if a crime has been committed and methods to gather evidence; and the ethical constraints that provide a code of conduct for the security professional.
    • To review the methods for determining if a computer crime has been committed; the laws that would be applicable for the crime; laws prohibiting specific types of computer crime; methods to gather and preserve evidence of a computer crime, investigative methods and techniques; and ways in which RFC 1087 and the (ISC)2 Code of Ethics can be applied to resolve ethical dilemmas.
  • Law, Investigation and Ethics
    • Laws
    • Security incidents
    • Recognition skills
    • Response skills
    • Technical skills
    • Investigations
    • Incident handling
    • Code of Ethics
  • Major categories of computer crime
    • Computer assisted crime: criminal activities that are not unique to computers but merely use computers as tools to assist the criminal endeavor (e.g., fraud, child pornography)
    • Computer specific or targeted crime: crimes directed at computers, networks, and the information stored on these systems (e.g., denial of service, sniffers, attacking passwords)
    • Computer is incidental: the computer is incidental to the criminal activity (e.g., customer lists for traffickers)
  • LawsCriminal Law - Individual conduct violating governmentlaws enacted for the protection of the public Unauthorized access Exceeding authorized access Intellectual property theft or misuse of information Pornography Theft of computing services Forgery using a computer Property theft (e.g., computer hardware and chips) Invasion of privacy Denial-of-services Computer fraud Releasing viruses and other malicious code Sabotage (i.e., data alteration or malicious destruction) Extortion by computer Embezzlement using a computer Espionage involving computers Terrorism involving computers Identity theft
  • Laws Cont…
    • Civil Law (Tort)
      • Wrong against an individual or business, typically resulting in damage or loss to that individual or business
      • There is no jail sentence under the civil law system
    • Administrative Law (Regulatory law)
      • Establishes the standards of performance and conduct for organizations conducting business in various industries
      • Violations of these laws can result in financial penalties or imprisonment
  • Proprietary Rights & Obligations
    • Legal Forms of Protection
      • Trade Secrets: Information that Provides a Competitive Advantage. Protect Ideas.
      • Copyrights: Right of an Author to Prevent Use or Copying of the Author's Works. Protect Expression of Ideas.
      • Patents: Protect Results of Science, Technology & Engineering
    • Business Needs
      • Protect Developed Software
      • Contractual Agreements
      • Define Trade Secrets for Employees
  • Proprietary Rights & Obligations Cont…
    • Security Techniques to Protect Trade Secrets
      • Numbering Copies
      • Logging Document Issuance
      • Checking Files & Workstations
      • Secure Storage
      • Controlled Distribution
      • Limitations on Copying
    • Contractual Commitments to Protect Proprietary Rights
      • Licensing Agreements with Vendors
      • Liability for Compliance
  • Proprietary Rights & Obligations Cont…
    • Enforcement Efforts
      • Software Protection Association (SPA)
      • Federation Against Software Theft (FAST)
      • Business Software Alliance (BSA)
    • Personal Computers
      • Establish User Accountability
      • Policy Development and Circulation
      • Purging of Proprietary Software
  • Protection for Computer Objects
    • Hardware: Patents
    • Firmware
      • Patents for Physical Devices
      • Trade Secret Protection for Code
    • Object Code Software: Copyrights
    • Source Code Software: Trade Secrets
    • Documentation: Copyrights
  • Management Problems
    • Corporate Recordkeeping
      • Accuracy of Computer Records: Potential Use in Court
      • IRS Rules: Inadequate Controls May Impact Audit Findings
    • Labor and Management Relations
      • Collective Bargaining: Disciplinary Actions, Workplace Rules
      • Work Stoppage
      • Limitations on Background Investigations
      • Limitations on Drug and Polygraph Testing
      • Disgruntled Employees
      • Non-Disclosure Requirements
      • Immigration Laws
      • Establishment and Enforcement of Security Rules
  • Management Problems Cont…
    • Data Communications: Disclosure through
      • Eavesdropping and Interception
      • Loss of Confidential Information
    • Outsourcing
      • Contract Review
      • Review of Contractor's Capabilities
      • Impact of Downsizing
      • Contractor Use of Proprietary Software
  • Management Problems Cont…
    • Personal Injury
      • Employee Safety
      • Carpal Tunnel Syndrome
      • Radiation Injury
    • Insurance Against Legal Liability
      • Requirements for Security Precautions
      • Right to Inspect Premises
      • Cooperation with Insurance Company
  • Legal Liability
    • Due Care: Minimum and Customary Practice of Responsible Protection of Assets
    • Due Diligence: The Prudent Management and Execution of Due Care
    • Programming Errors: Reasonable Precautions for
      • Loss of a Program
      • Unauthorized Revisions
      • Availability of Backup Versions
    • Product Liability
      • Liability for Database Inaccuracies: Due to Security Breaches
      • European Union: No Limits on Personal Liability for Personal Injury
  • Legal Liability Cont…
    • Defamation
      • Libel Due to Inaccuracy of Data
      • Unauthorized Release of Confidential Information
      • Alteration of Visual Images
    • Foreign Corrupt Practices Act
      • Mandate for Security Controls or Cost/Benefit Analysis
      • Potential SEC Litigation
  • Legal Liability Cont…
    • Failure to Observe Standards
      • FIPS Pubs and CSL Bulletins
      • Failure to Comply Used in Litigation
    • Personal Liability
      • Action or Inaction was Proximate Cause
      • Financial Responsibility to Plaintiff
      • Joint and Several Liability
  • Legal Liability Cont…
    • Federal Sentencing Guidelines
      • Chapter 8 Added 1991
      • Applicable to Organizations
      • Violations of Federal Law
      • Specifies Levels of Fines
      • Mitigation of Fines Through Implementation of Precautions
  • Privacy & Other Personal Rights
    • The Federal Privacy Act
      • Government Files Open to Public Unless Specified
      • Act Applies to Executive Branch Only
      • "Record" = Information about an Individual
      • Must be Need to Maintain Records
      • Disclosure Prohibited without Consent
      • Requirements on Government Agencies
        • Record Disclosures
        • Public Notice of Existence of Records
        • Ensure Security & Confidentiality of Records
  • Privacy and Other Personal Rights Cont…
    • State Acts and Regulations
      • Fair Information Practices Acts: Define Information that Can be Collected
      • Uniform Information Practices Code (National Conference of Commissioners on Uniform State Laws): Recommended Model
      • Statutes Regulating Information Maintained by Private Organizations: e.g., Health Care, Insurance
  • Privacy and Other Personal Rights Cont…
    • Other Employee Rights
      • Electronic Mail: Expectations of Privacy
      • Drug Testing: Limited to Sensitive Positions Only
      • Freedom From Hostile Work Environment
    • International Privacy
      • European Statutes Cover Both Government and Private Corporate Records
      • Application Primarily to Computerized Data Banks
      • Strict Rules on Disclosure
      • Prohibitions of Transfer of Information Across National Boundaries
  • Privacy and Other Personal Rights Cont…
    • Management Responsibilities
      • Regular Review with Legal Department
      • Consider all Jurisdictions
      • Prepare Policies for Compliance
      • Enforce Policies
      • Document Enforcement
  • Computer Crime Laws
    • Federal
      • Computer Fraud and Abuse Act (Title 18, U.S. Code, 1030)
        • *Accessing a Federal Interest Computer (FIC) to acquire national defense information
        • Accessing an FIC to obtain financial information
        • Accessing an FIC to deny the use of the computer
        • *Accessing an FIC to effect a fraud
        • *Damaging or denying use of an FIC through transmission of code, program, information or command
        • Furthering a fraud by trafficking in passwords
      • Economic Espionage Act of 1996: Obtaining trade secrets to benefit a foreign entity
      • Electronic Funds Transfer Act: Covers the use, transport, sale, receipt or furnishing of counterfeit, altered, lost, stolen, or fraudulently obtained debit instruments in interstate or foreign commerce.
  • Federal Computer Crime Laws Cont…
    • Child Pornography Prevention Act of 1996 (CPPA): Prohibits use of computer technology to produce child pornography.
    • Computer Security Act of 1987: Requires Federal Executive agencies to establish computer security programs.
    • Electronic Communications Privacy Act (ECPA): Prohibits unauthorized interception or retrieval of electronic communications.
    • Fair Credit Reporting Act: Governs the types of data that companies may collect on private citizens and how it may be used.
    • Foreign Corrupt Practices Act: Covers improper foreign operations, but applies to all companies registered with the SEC, and requires companies to institute security programs.
    • Freedom of Information Act: Permits public access to information collected by the Federal Executive Branch.
  • Computer Laws Cont…
    • International Laws
      • Lack of Universal Cooperation
      • Differences in Interpretations of Laws
      • Outdated Laws Against Fraud
      • Problems with Evidence Admissibility
      • Extradition
      • Low Priority
  • Computer Crime Computer Crime as a Separate Category  Rules of Property: Lack of Tangible Assets  Rules of Evidence: Lack of Original Documents  Threats to Integrity and Confidentiality: Goes beyond normal definition of a loss  Value of Data: Difficult to Measure. Cases of Restitution only for Media  Terminology: Statues have not kept pace. Is Computer Hardware “Machinery”? Does Software quality as “Supplies”.
  • Computer Crime Cont…
    • Computer Crime is Hard to Define
      • Lack of Understanding
      • Laws are Inadequate: Slow to Keep Pace with Rapidly Changing Technology
      • Multiple Roles for Computers
        • Object of a Crime: Target of an Attack
        • Subject of a Crime: Used to Attack (impersonating a network node)
        • Medium of a Crime: Used as a Means to Commit a Crime (Trojan Horse)
    • Difficulties in Prosecution
      • Understanding: Judges, Lawyers, Police, Jurors
      • Evidence: Lack of Tangible Evidence
      • Forms of Assets: e.g., Magnetic Particles, Computer Time
      • Juveniles
        • Many Perpetrators are Juveniles
        • Adults Don't Take Juvenile Crime Seriously
  • Nature and Extent of Computer-Related Crime
    • Typology
      • Input Tampering: Entry of Fraudulent or False Data
      • Throughput Tampering: Altering Computer Instructions
      • Output Tampering: Theft of Information
    • Most Common Crimes
      • Input and Output Type
      • Fraudulent Disbursements
      • Fabrication of Data
  • The Computer Criminal
    • Typical Profile
      • Male, White, Young
      • No Prior Record
      • Works in Data Processing or Accounting
    • Myths
      • Special Talents are Necessary
      • Fraud has Increased Because of Computers
  • The Criminal Motivation
    • Personal Motivations
      • Economic
      • Egocentric
      • Ideological
      • Psychotic
    • Environmental Motivations
      • Work Environment
      • Reward System
      • Level of Interpersonal Trust
      • Ethical Environment
      • Stress Level
      • Internal Controls Environment
  • The Control Environment
    • Factors that Encourage Crime
      • Motivation
      • Personal Inducements
    • Factors that Discourage Crime
      • Prevention Measures
        • Internal Controls Systems
        • Access Control Systems
      • Detection Measures
        • Auditing
        • Supervision
  • Crime Investigation Detection and Containment  Accidental Discovery  Audit Trail Review  Real-Time Intrusion Monitoring  Limit Further Loss  Reduction in Liability Report to Management  Immediate Notification  Limit Knowledge of Investigation  Use Out-of-Band Communications
  • Crime Investigation Cont…
    • Preliminary Investigation
      • Determine if a Crime has Occurred
      • Review Complaint
      • Inspect Damage
      • Interview Witnesses
      • Examine Logs
      • Identify Investigation Requirements
  • Crime Investigation Cont…
    • Disclosure Determination
      • Determine if Disclosure is Required by Law
      • Determine if Disclosure is Desired
      • Caution in Dealing with the Media
    • Courses of Action
      • Do Nothing
      • Surveillance
      • Eliminate Security Holes
      • Is a Police Report Required?
      • Is Prosecution a Goal?
  • Crime Investigation Cont…
    • Conducting the Investigation
      • Investigative Responsibility
        • Internal Investigation
        • External Private Consultant Investigation
        • Local/State/Federal Investigation
      • Factors
        • Cost
        • Legal Issues (Privacy, Evidence, Search & Seizure)
        • Information Dissemination
        • Investigative Control
  • Crime Investigation Cont…
    • Execute the Plan
      • Secure and Control Scene
      • Protect Evidence
        • Don't Touch Keyboard
        • Videotape Process
        • Capture Monitor Display
        • Unplug System
        • Remove Cover
        • Disks and Drives
      • Search Premises (for Magnetic Media and Documentation)
      • Seize Other Devices (that may contain information)
  • Crime Investigation Cont…
    • Conduct Surveillance
      • Physical: Determine Subject's Habits, Associates, Life Style
      • Computer: Audit Logs or Electronic Monitoring
    • Other Information Sources
      • Personnel Files
      • Telephone and Fax Logs
      • Security Logs
      • Time Cards
    • Investigative Reporting
      • Document Known Facts
      • Statement of Final Conclusions
  • Computer Forensics Conduct a Disk Image Backup of Suspect System: Bit level Copy of the Disk, Sector by Sector Authenticate the File System: Create Message Digest for all Directories, Files & Disk Sectors Analyze Restored Data: Conduct Forensic Analysis in a Controlled Environment  Search Tools: Quick View Plus, Expert Witness, Super Sleuth  Searching for Obscure Data: Hidden Files/Directories, Erased or Deleted Files, Encrypted Data, Overwritten Files  Steganography: Hiding a Piece of Information within Another  Review Communications Programs: Links to Others
  • Computer Forensics Cont…
    • Reassemble and Boot Suspect System with Clean Operating System
      • Target System May Be Infected
      • Obtain System Time as Reference
      • Run Complete System Analysis Report
    • Boot Suspect System with Original Operating System
      • Identify Rogue Programs
      • Identify Background Programs
      • Identify What System Interrupts have Been Set
  • Computer Forensics Cont…
    • Search Backup Media: Don't Forget Off-Site Storage
    • Search Access Controlled Systems and Encrypted Files
      • Password Cracking
      • Publisher Back Door
      • Documentary Clues
      • Ask the Suspect
      • Case Law on Obtaining Passwords from Suspects
  • The Evidence Types of Evidence  Direct: Oral Testimony by Witness  Real: Tangible Objects/Physical Evidence  Documentary: Printed Business Records, Manuals, Printouts  Demonstrative: Used to Aid the Jury (Models, Illustrations, Charts Best Evidence Rule: To Limit Potential for Alteration Exclusionary Rule: Evidence Must be Gathered Legally or it Can’t Be Used Hearsay Rule: Key for Computer Generated Evidence  Second Hand Evidence  Admissibility Based on Veracity and Competence of Source  Exceptions: Rule 803 of Federal Rules of Evidence (Business Documents created at the time by person with knowledge, part of regular business, routinely kept, supported by testimony)
  • The Evidence Cont…
    • Chain of Evidence (Chain of Custody): Accountability & Protection
      • Who Obtained Evidence
      • Where and When it was Obtained
      • Who Secured it
      • Who Controlled it
      • Account for Everyone Who Had Access to or Handled the Evidence
      • Assurance Against Tampering
  • The Evidence Cont…
    • Admissibility of Evidence: Computer-generated Evidence is Always Suspect
      • Relevancy: Must Prove a Fact that is Material to the Case
      • Reliability: Prove Reliability of Evidence and the Process for Producing It
    • Evidence Life Cycle
      • Collection and Identification
      • Storage, Preservation, and Transportation
      • Presentation in Court
      • Return to Victim (Owner)
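The "authenticate the file system" forensics step and the chain-of-custody requirements above, as an added Python example that is not part of the slides or the CISSP guide: message digests are taken sector by sector at acquisition, a restored copy is re-checked to pinpoint any changed sector, and an append-only custody log is hash-linked so that editing or dropping an entry is detectable. The evidence id, handler names and timestamps are constructed values.

```python
import hashlib
import json

SECTOR_SIZE = 512  # assumed sector size for the constructed image below


def sector_digests(image: bytes, sector_size: int = SECTOR_SIZE) -> list:
    """SHA-256 of every sector of a bit-level image (the last one may be short)."""
    return [hashlib.sha256(image[i:i + sector_size]).hexdigest()
            for i in range(0, len(image), sector_size)]


def build_manifest(image: bytes, sector_size: int = SECTOR_SIZE) -> dict:
    """Digests recorded at acquisition time: the whole image plus every sector."""
    return {"image_sha256": hashlib.sha256(image).hexdigest(),
            "sector_size": sector_size,
            "sectors": sector_digests(image, sector_size)}


def changed_sectors(image: bytes, manifest: dict) -> list:
    """Indices of sectors whose digest no longer matches the manifest.
    A differing sector count is reported too (the trailing indices)."""
    now, then = sector_digests(image, manifest["sector_size"]), manifest["sectors"]
    diff = [i for i, (a, b) in enumerate(zip(now, then)) if a != b]
    return diff + list(range(min(len(now), len(then)), max(len(now), len(then))))


class CustodyLog:
    """Append-only chain of custody bound to one image digest. Each entry stores
    the SHA-256 of the entry before it, so editing or removing one breaks verify()."""

    def __init__(self, evidence_id: str, image_sha256: str):
        self.seed = hashlib.sha256(f"{evidence_id}:{image_sha256}".encode()).hexdigest()
        self.entries = []

    @staticmethod
    def _digest(entry: dict) -> str:
        return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

    def record(self, handler: str, action: str, location: str, when: str) -> None:
        """Who, what, where and when, each entry linked to the previous one."""
        prev = self._digest(self.entries[-1]) if self.entries else self.seed
        self.entries.append({"handler": handler, "action": action,
                             "location": location, "when": when, "prev": prev})

    def verify(self) -> bool:
        prev = self.seed
        for entry in self.entries:
            if entry["prev"] != prev:
                return False
            prev = self._digest(entry)
        return True


# Constructed sample "disk" of 4 sectors; not a real image.
SAMPLE_IMAGE = bytes(range(256)) * 8


def demo():
    manifest = build_manifest(SAMPLE_IMAGE)
    log = CustodyLog("EV-0001", manifest["image_sha256"])  # hypothetical evidence id
    log.record("examiner A", "acquired image", "forensic lab", "2024-01-05T09:12:00Z")
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[3 * SECTOR_SIZE] ^= 0x01  # one flipped bit in sector 3
    return changed_sectors(bytes(tampered), manifest), log.verify()
```

`demo()` returns `([3], True)`: the single flipped bit is localised to sector 3 while the untouched custody log still verifies.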
  • Legal Proceedings Discovery  Defense Granted Access to All Investigative Materials  Protective Order Limits Who Has Access Grand Jury and Preliminary Hearings  Witnesses Called  Assign Law Enforcement Liaison Trial: Unknown Results Recovery of Damages: Thru Civil Courts
  • Legal Proceedings Cont…
    • Post Mortem Review: Analyze Attack and Close Security Holes
      • Incident Response Plan
      • Information Dissemination Policy
      • Incident Reporting Policy
      • Electronic Monitoring Statement
      • Audit Trail Policy
      • Warning Banner (Prohibit Unauthorized Access and Give Notice of Monitoring)
      • Need for Additional Personnel Security Controls
  • Ethics Differences Between Law vs. Ethics: Must vs. Should Origins  Common Good  National Interest  Individual Rights  Enlightened Self-Interest  Law  Tradition/Culture  Religion Fundamental Changes to Society No Sandbox Training
  • Referential Resources
    • National Computer Ethics and Responsibilities Campaign (NCERC) Computer Ethics Resource Guide
    • National Computer Security Association (NCSA)
    • Computer Ethics Institute
    • 1991 – Ten Commandments of Computer Ethics
    • End User's Basic Tenets of Responsible Computing
    • Four Primary Values
    • Considerations for Conduct
    • The Code of Fair Information Practices
    • Unacceptable Internet Activities (RFC 1087)
  • (ISC)2 Code of Ethics
    • Code of Ethics Preamble
      • Safety of the commonwealth, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
      • Therefore, strict adherence to this Code is a condition of certification.
    • Code of Ethics Canons
      • Protect society, the commonwealth, and the infrastructure.
      • Act honorably, honestly, justly, responsibly, and legally.
      • Provide diligent and competent service to principals.
      • Advance and protect the profession.
  • Competitive Intelligence
    • Published Material & Public Documents
    • Disclosures by Competitor Employees (without Subterfuge)
    • Market Surveys & Consultant's Reports
    • Financial Reports & Broker's Research Surveys
    • Trade Fairs, Exhibits, & Competitor Literature
    • Analysis of Competitor Products
    • Reports of Own Personnel
    • Legitimate Employment Interviews with Competitor Employees
  • Industrial Espionage
    • Camouflaged Questioning of Competitor's Employees
    • Direct Observation under Secret Conditions
    • False Job Interviews
    • False Negotiations
    • Use of Professional Investigators
    • Hiring Competitor's Employees
    • Trespassing
    • Bribing Suppliers and Employees
    • Planting Agent on Competitor Payroll
    • Eavesdropping
    • Theft of Information
    • Blackmail and Extortion
  • Plan of Action
    • Develop organizational guide to computer ethics
    • Develop a computer ethics policy to supplement the computer security policy
    • Include computer ethics information in the employee handbook
    • Expand business ethics policy to include computer ethics
    • Foster user awareness of computer ethics
    • Establish an E-mail privacy policy and promote user awareness of it
  • ?