Objectives

- To review computer crime laws and regulations; investigative measures and techniques used to determine if a crime has been committed and methods to gather evidence; and the ethical constraints that provide a code of conduct for the security professional.
- To review the methods for determining if a computer crime has been committed; the laws that would be applicable for the crime; laws prohibiting specific types of computer crime; methods to gather and preserve evidence of a computer crime, investigative methods and techniques; and ways in which RFC 1087 and the (ISC)2 Code of Ethics can be applied to resolve ethical dilemmas.
Law, Investigation and Ethics

- Laws
- Security incidents
- Recognition skills
- Response skills
- Technical skills
- Investigations
- Incident handling
- Code of Ethics
Major categories of computer crime

- Computer assisted crime - Criminal activities that are not unique to computers but merely use computers as tools to assist the criminal endeavor (e.g., fraud, child pornography)
- Computer specific or targeted crime - Crimes directed at computers, networks, and the information stored on these systems (e.g., denial of service, sniffers, attacking passwords)
- Computer is incidental - The computer is incidental to the criminal activity (e.g., customer lists for traffickers)
Laws

Criminal Law - Individual conduct violating government laws enacted for the protection of the public
- Unauthorized access
- Exceeding authorized access
- Intellectual property theft or misuse of information
- Pornography
- Theft of computing services
- Forgery using a computer
- Property theft (e.g., computer hardware and chips)
- Invasion of privacy
- Denial of service
- Computer fraud
- Releasing viruses and other malicious code
- Sabotage (i.e., data alteration or malicious destruction)
- Extortion by computer
- Embezzlement using a computer
- Espionage involving computers
- Terrorism involving computers
- Identity theft
Laws Cont…

Civil Law (Tort)
- Wrong against an individual or business, typically resulting in damage or loss to that individual or business
- There is no jail sentence under the civil law system

Administrative Law (Regulatory law)
- Establishes the standards of performance and conduct for organizations conducting business in various industries
- Violations of these laws can result in financial penalties or imprisonment
Proprietary Rights & Obligations

Legal Forms of Protection
- Trade Secrets: Information that Provides a Competitive Advantage. Protect Ideas.
- Copyrights: Right of an Author to Prevent Use or Copying Works of the Author. Protect Expression of Ideas.
- Patents: Protect Results of Science, Technology & Engineering

Business Needs
- Protect Developed Software
- Contractual Agreements
- Define Trade Secrets for Employees
Proprietary Rights & Obligations Cont…

Security Techniques to Protect Trade Secrets
- Numbering Copies
- Logging Document Issuance
- Checking Files & Workstations
- Secure Storage
- Controlled Distribution
- Limitations on Copying

Contractual Commitments to Protect Proprietary Rights
- Licensing Agreements with Vendors
- Liability for Compliance
Proprietary Rights & Obligations Cont…

Enforcement Efforts
- Software Protection Association (SPA)
- Federation Against Software Theft (FAST)
- Business Software Alliance (BSA)

Personal Computers
- Establish User Accountability
- Policy Development and Circulation
- Purging of Proprietary Software
Management Problems

Corporate Recordkeeping
- Accuracy of Computer Records: Potential Use in Court
- IRS Rules: Inadequate Controls May Impact Audit Findings

Labor and Management Relations
- Collective Bargaining: Disciplinary Actions, Workplace Rules
- Work Stoppage
- Limitations on Background Investigations
- Limitations on Drug and Polygraph Testing
- Disgruntled Employees
- Non-Disclosure Requirements
- Immigration Laws
- Establishment and Enforcement of Security Rules
Management Problems Cont…

Data Communications
- Disclosure through Eavesdropping and Interception
- Loss of Confidential Information

Outsourcing
- Contract Review
- Review of Contractor's Capabilities
- Impact of Downsizing
- Contractor Use of Proprietary Software
Management Problems Cont…

Personal Injury
- Employee Safety
- Carpal Tunnel Syndrome
- Radiation Injury

Insurance Against Legal Liability
- Requirements for Security Precautions
- Right to Inspect Premises
- Cooperation with Insurance Company
Legal Liability

- Due Care - Minimum and Customary Practice of Responsible Protection of Assets
- Due Diligence - The Prudent Management and Execution of Due Care
- Programming Errors - Reasonable Precautions for:
  - Loss of a Program
  - Unauthorized Revisions
  - Availability of Backup Versions
- Product Liability
- Liability for Database Inaccuracies: Due to Security Breaches
- European Union: No Limits on Personal Liability for Personal Injury
Legal Liability Cont…

Defamation
- Libel Due to Inaccuracy of Data
- Unauthorized Release of Confidential Information
- Alteration of Visual Images

Foreign Corrupt Practices Act
- Mandate for Security Controls or Cost/Benefit Analysis
- Potential SEC Litigation
Legal Liability Cont…

Failure to Observe Standards
- FIPS Pubs and CSL Bulletins
- Failure to Comply Used in Litigation

Personal Liability
- Action or Inaction was Proximate Cause
- Financial Responsibility to Plaintiff
- Joint and Several Liability
Legal Liability Cont…

Federal Sentencing Guidelines
- Chapter 8 Added 1991
- Applicable to Organizations
- Violations of Federal Law
- Specifies Levels of Fines
- Mitigation of Fines Through Implementation of Precautions
Privacy & Other Personal Rights

The Federal Privacy Act
- Government Files Open to Public Unless Specified
- Act Applies to Executive Branch Only
- "Record" = Information about an Individual
- Must be Need to Maintain Records
- Disclosure Prohibited without Consent

Requirements on Government Agencies
- Record Disclosures
- Public Notice of Existence of Records
- Ensure Security & Confidentiality of Records
Privacy and Other Personal Rights Cont…

State Acts and Regulations
- Fair Information Practices Acts: Define Information that Can be Collected
- Uniform Information Practices Code - National Conference of Commissioners on Uniform State Laws: Recommended Model Statutes Regulating Information Maintained by Private Organizations (e.g., Health Care, Insurance)
Privacy and Other Personal Rights Cont…

Other Employee Rights
- Electronic Mail: Expectations of Privacy
- Drug Testing: Limited to Sensitive Positions Only
- Freedom From Hostile Work Environment

International Privacy
- European Statutes Cover Both Government and Private Corporate Records
- Application Primarily to Computerized Data Banks
- Strict Rules on Disclosure
- Prohibitions of Transfer of Information Across National Boundaries
Privacy and Other Personal Rights Cont…

Management Responsibilities
- Regular Review with Legal Department
- Consider all Jurisdictions
- Prepare Policies for Compliance
- Enforce Policies
- Document Enforcement
Computer Crime Laws

Federal Computer Fraud and Abuse Act (Title 18, U.S. Code, 1030)
- *Accessing a Federal Interest Computer (FIC) to acquire national defense information
- Accessing an FIC to obtain financial information
- Accessing an FIC to deny the use of the computer
- *Accessing an FIC to effect a fraud
- *Damaging or denying use of an FIC through transmission of code, program, information or command
- Furthering a fraud by trafficking in passwords

Economic Espionage Act of 1996: Obtaining trade secrets to benefit a foreign entity

Electronic Funds Transfer Act: Covers use, transport, sale, receipt or furnishing of counterfeit, altered, lost, stolen, or fraudulently obtained debit instruments in interstate or foreign commerce.
Federal Computer Crime Laws Cont…

- Child Pornography Prevention Act of 1996 (CPPA): Prohibits use of computer technology to produce child pornography.
- Computer Security Act of 1987: Requires Federal Executive agencies to establish computer security programs.
- Electronic Communications Privacy Act (ECPA): Prohibits unauthorized interception or retrieval of electronic communications.
- Fair Credit Reporting Act: Governs the types of data that companies may collect on private citizens and how it may be used.
- Foreign Corrupt Practices Act: Covers improper foreign operations, but applies to all companies registered with the SEC, and requires companies to institute security programs.
- Freedom of Information Act: Permits public access to information collected by the Federal Executive Branch.
Computer Laws Cont…

International Laws
- Lack of Universal Cooperation
- Differences in Interpretations of Laws
- Outdated Laws Against Fraud
- Problems with Evidence Admissibility
- Extradition
- Low Priority
Computer Crime

Computer Crime as a Separate Category
- Rules of Property: Lack of Tangible Assets
- Rules of Evidence: Lack of Original Documents
- Threats to Integrity and Confidentiality: Goes beyond normal definition of a loss
- Value of Data: Difficult to Measure. Cases of Restitution only for Media
- Terminology: Statutes have not kept pace. Is Computer Hardware "Machinery"? Does Software qualify as "Supplies"?
Computer Crime Cont…

Computer Crime is Hard to Define
- Lack of Understanding
- Laws are Inadequate: Slow to Keep Pace with Rapidly Changing Technology

Multiple Roles for Computers
- Object of a Crime: Target of an Attack
- Subject of a Crime: Used to attack (impersonating a network node)
- Medium of a Crime: Used as a Means to Commit a Crime (Trojan Horse)

Difficulties in Prosecution
- Understanding: Judges, Lawyers, Police, Jurors
- Evidence: Lack of Tangible Evidence
- Forms of Assets: e.g., Magnetic Particles, Computer Time
- Juveniles: Many Perpetrators are Juveniles; Adults Don't Take Juvenile Crime Seriously
Nature and Extent of Computer-Related Crime

Typology
- Input Tampering: Entry of Fraudulent or False Data
- Throughput Tampering: Altering Computer Instructions
- Output Tampering: Theft of Information

Most Common Crimes
- Input and Output Type
- Fraudulent Disbursements
- Fabrication of Data
The Computer Criminal

Typical Profile
- Male, White, Young
- No Prior Record
- Works in Data Processing or Accounting

Myths
- Special Talents are Necessary
- Fraud has Increased Because of Computers
The Criminal Motivation

Personal Motivations
- Economic
- Egocentric
- Ideological
- Psychotic

Environmental Motivations
- Work Environment
- Reward System
- Level of Interpersonal Trust
- Ethical Environment
- Stress Level
- Internal Controls Environment
The Control Environment

Factors that Encourage Crime
- Motivation
- Personal Inducements

Factors that Discourage Crime
- Prevention Measures
  - Internal Controls Systems
  - Access Control Systems
- Detection Measures
  - Auditing
  - Supervision
Crime Investigation

Detection and Containment
- Accidental Discovery
- Audit Trail Review
- Real-Time Intrusion Monitoring
- Limit Further Loss
- Reduction in Liability

Report to Management
- Immediate Notification
- Limit Knowledge of Investigation
- Use Out-of-Band Communications
Crime Investigation Cont…

Preliminary Investigation
- Determine if a Crime has Occurred
  - Review Complaint
  - Inspect Damage
  - Interview Witnesses
  - Examine Logs
- Identify Investigation Requirements
Crime Investigation Cont…

Disclosure Determination
- Determine if Disclosure is Required by Law
- Determine if Disclosure is Desired
- Caution in Dealing with the Media

Courses of Action
- Do Nothing
- Surveillance
- Eliminate Security Holes
- Is Police Report Required?
- Is Prosecution a Goal?
Crime Investigation Cont…

Execute the Plan
- Secure and Control Scene
- Protect Evidence
  - Don't Touch Keyboard
  - Videotape Process
  - Capture Monitor Display
  - Unplug System
  - Remove Cover, Disks and Drives
- Search Premises (for Magnetic Media and Documentation)
- Seize Other Devices (that may contain information)
Crime Investigation Cont…

Conduct Surveillance
- Physical: Determine Subject's Habits, Associates, Life Style
- Computer: Audit Logs or Electronic Monitoring

Other Information Sources
- Personnel Files
- Telephone and Fax Logs
- Security Logs
- Time Cards

Investigative Reporting
- Document Known Facts
- Statement of Final Conclusions
Computer Forensics

- Conduct a Disk Image Backup of Suspect System: Bit-level Copy of the Disk, Sector by Sector
- Authenticate the File System: Create Message Digest for all Directories, Files & Disk Sectors
- Analyze Restored Data: Conduct Forensic Analysis in a Controlled Environment
- Search Tools: Quick View Plus, Expert Witness, Super Sleuth
- Searching for Obscure Data: Hidden Files/Directories, Erased or Deleted Files, Encrypted Data, Overwritten Files
- Steganography: Hiding a Piece of Information within Another
- Review Communications Programs: Links to Others
Computer Forensics Cont…

Reassemble and Boot Suspect System with Clean Operating System
- Target System May Be Infected
- Obtain System Time as Reference
- Run Complete System Analysis Report

Boot Suspect System with Original Operating System
- Identify Rogue Programs
- Identify Background Programs
- Identify What System Interrupts have Been Set
Computer Forensics Cont…

Search Backup Media: Don't Forget Off-Site Storage

Search Access Controlled Systems and Encrypted Files
- Password Cracking
- Publisher Back Door
- Documentary Clues
- Ask the Suspect
- Case Law on Obtaining Passwords from Suspects
The Evidence

Types of Evidence
- Direct: Oral Testimony by Witness
- Real: Tangible Objects/Physical Evidence
- Documentary: Printed Business Records, Manuals, Printouts
- Demonstrative: Used to Aid the Jury (Models, Illustrations, Charts)

Rules of Evidence
- Best Evidence Rule: To Limit Potential for Alteration
- Exclusionary Rule: Evidence Must be Gathered Legally or it Can't Be Used
- Hearsay Rule: Key for Computer Generated Evidence
  - Second Hand Evidence
  - Admissibility Based on Veracity and Competence of Source
  - Exceptions: Rule 803 of Federal Rules of Evidence (Business Documents created at the time by a person with knowledge, part of regular business, routinely kept, supported by testimony)
The Evidence Cont…

Chain of Evidence (Chain of Custody) - Accountability & Protection
- Who Obtained Evidence
- Where and When it was Obtained
- Who Secured it
- Who Controlled it
- Account for Everyone Who Had Access to or Handled the Evidence
- Assurance Against Tampering
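As an added example (not part of the original slides), the "Authenticate the File System" step from the Computer Forensics slide and the chain-of-custody record above, in Python: every file in a constructed stand-in for a restored disk image is digested with SHA-256, the manifest digest is sealed into a custody entry, and a later re-verification reports any file that was altered, added or removed. The sample files, the examiner name and the locker location are constructed placeholders.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed stand-in for a restored disk image: a few files, one of them hidden.
SAMPLE_FILES = {
    "docs/ledger.txt": b"Q3 disbursements: 14,200.00\n",
    "docs/.hidden_notes": b"meeting at 9\n",
    "bin/updater.exe": bytes(range(256)),
}

def sha256_file(path):
    """Stream the file through SHA-256 so large evidence files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Digest every file under the image root, keyed by relative path (hidden files included)."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_manifest(root, manifest):
    """Return the relative paths whose digest changed, or which were added or removed."""
    current = build_manifest(root)
    return sorted(k for k in set(manifest) | set(current) if manifest.get(k) != current.get(k))

def custody_entry(log, who, action, where, manifest):
    """Append one chain-of-custody record (who, what, where, when) sealed to the manifest digest."""
    sealed = hashlib.sha256("\n".join(f"{k} {v}" for k, v in sorted(manifest.items())).encode()).hexdigest()
    log.append({"who": who, "action": action, "where": where,
                "when": datetime.now(timezone.utc).isoformat(), "manifest_sha256": sealed})
    return log

def demo(tamper=False):
    """Write the sample image, seal it, optionally alter one file, then re-verify against the manifest."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for rel, data in SAMPLE_FILES.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        manifest = build_manifest(root)
        # Placeholder examiner and location; a real record would name the actual handler and storage.
        log = custody_entry([], "J. Examiner (placeholder)", "imaged and sealed", "evidence locker A", manifest)
        if tamper:
            (root / "docs/ledger.txt").write_bytes(b"Q3 disbursements: 4,200.00\n")
        return verify_manifest(root, manifest), log
```

Every later handler appends a further entry with the same sealed digest, so any break in the chain or any change to the image contents is visible from the log alone.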
The Evidence Cont…

Admissibility of Evidence: Computer-generated Evidence is Always Suspect
- Relevancy: Must Prove a Fact that is Material to the Case
- Reliability: Prove Reliability of Evidence and the Process for Producing It

Evidence Life Cycle
- Collection and Identification
- Storage, Preservation, and Transportation
- Presentation in Court
- Return to Victim (Owner)
Legal Proceedings

Discovery
- Defense Granted Access to All Investigative Materials
- Protective Order Limits Who Has Access

Grand Jury and Preliminary Hearings
- Witnesses Called
- Assign Law Enforcement Liaison

Trial: Unknown Results

Recovery of Damages: Through Civil Courts
Legal Proceedings Cont…

Post Mortem Review: Analyze Attack and Close Security Holes
- Incident Response Plan
- Information Dissemination Policy
- Incident Reporting Policy
- Electronic Monitoring Statement
- Audit Trail Policy
- Warning Banner (Prohibit Unauthorized Access and Give Notice of Monitoring)
- Need for Additional Personnel Security Controls
Ethics

Differences Between Law vs. Ethics: Must vs. Should

Origins
- Common Good
- National Interest
- Individual Rights
- Enlightened Self-Interest
- Law
- Tradition/Culture
- Religion

Fundamental Changes to Society
No Sandbox Training
Referential Resources

- National Computer Ethics and Responsibilities Campaign (NCERC): Computer Ethics Resource Guide
- National Computer Security Association (NCSA)
- Computer Ethics Institute 1991 – Ten Commandments of Computer Ethics
- End User's Basic Tenets of Responsible Computing
  - Four Primary Values
  - Considerations for Conduct
- The Code of Fair Information Practices
- Unacceptable Internet Activities (RFC 1087)
(ISC)2 Code of Ethics

Code of Ethics Preamble
- Safety of the commonwealth, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
- Therefore, strict adherence to this Code is a condition of certification.

Code of Ethics Canons
- Protect society, the commonwealth, and the infrastructure.
- Act honorably, honestly, justly, responsibly, and legally.
- Provide diligent and competent service to principals.
- Advance and protect the profession.
Competitive Intelligence

- Published Material & Public Documents
- Disclosures by Competitor Employees (without Subterfuge)
- Market Surveys & Consultant's Reports
- Financial Reports & Broker's Research Surveys
- Trade Fairs, Exhibits, & Competitor Literature
- Analysis of Competitor Products
- Reports of Own Personnel
- Legitimate Employment Interviews with Competitor Employees
Industrial Espionage

- Camouflaged Questioning of Competitor's Employees
- Direct Observation under Secret Conditions
- False Job Interviews
- False Negotiations
- Use of Professional Investigators
- Hiring Competitor's Employees
- Trespassing
- Bribing Suppliers and Employees
- Planting Agent on Competitor Payroll
- Eavesdropping
- Theft of Information
- Blackmail and Extortion