Domain 9 Official CISSP CBK V3
• Neither StaridLabs nor any representative of StaridLabs is licensed,
certified, or competent enough to offer legal advice.
• This presentation is intended as training for the CISSP exam. If legal
advice is necessary in a situation then we highly recommend you
consult a licensed lawyer.
• StaridLabs provides no guarantee that the information in the CISSP
CBK and/or presented in this training is accurate or legally advisable.
• the act, process, or result of arranging in a systematic form or code
• the science or philosophy of law
• a system or body of law
• the course of court decisions
• Laws change depending on where you are located.
• In the United States laws can be: Federal, State, County, and City.
• The CISSP guide attempts to keep its training applicable globally, but
this isn’t always possible.
Major Legal System Categorizations
• Common Law
• Civil or Code Law
• Customary Law
• Religious Law
• Mixed Law
• Maritime Law (Not applicable in CISSP CBK)
• Customary law system used by Anglo-Saxons in Northern France and
• Still used in England and has been spread throughout the world by
English colonization including United States, Canada and Australia.
• The European Union largely uses Civil Law instead of Common Law.
• King of England created a unified legal system in the twelfth century
that was common to the whole country. Prior to this laws were based
on local practices.
What is Common Law?
• Uses the adversarial approach to litigation.
• Does not rely on codification of law.
• Barristers (lawyers) take a very active role.
• Reliance on previous court rulings. (Jurisprudence)
• Judges play a fairly passive role in determining facts.
• Most Common Law systems consist of three branches: Criminal Law,
Tort Law, and Administrative Law.
Common Law: Criminal Law Branch
• Deals with behaviors or conduct that is seen as harmful to the public
• An individual violates a governmental law designed to protect the
public and as such the victim is society.
• Government prosecutes on behalf of the public.
• Punishment can be incarceration, probation, or death. Fines occur as
well in some cases but loss of freedoms is the primary punishment.
Common Law: Tort Law
• Deals with civil wrongs (torts) against an individual or business entity.
• Monetary damages are generally the penalty.
• Can sometimes be both a violation of Tort and Criminal law.
• Types of torts:
Wrongs against a person or property
Common Law: Administrative Law
• Known as regulatory law in some countries.
• Deals with the governance of public bodies and the designation of
power to administrative agencies, commissions, boards,
administrative tribunals, or professional associations.
• Examples: Securities and Exchange Commission (SEC), Labor Relations
Boards, Law Societies, Medical Boards, School Boards
• Objective is to confine government power to its proper scope and
stop potential abuse of power.
• Punishments can be fines, inability to practice a profession, and in
some cases incarceration.
Civil Law: A Brief History
• Started in the Roman Empire
• Gained ground in Italy and spread to Europe in the late 1700’s to early
• At one time was the most common legal system in Europe.
• Became regionalized over time with Germany, Norway, Sweden,
Denmark, and Switzerland developing their own national systems.
• Civil law can be subdivided into French, German, or Scandinavian civil
• Has a heavy reliance on legislation as the primary source of law (vs
Jurisprudence in Common Law)
• System relies on codification of law.
• Lower courts are not compelled to follow decisions of higher courts
• Judges are more active in determining facts of a case and in some
instances direct the investigation.
• Regional legal systems which reflect social norms and values based on
• Rare to find a country whose law structure is entirely based on
• Often combined with civil or common law. This is called a ‘mixed legal
• All legal systems have been influenced by religion.
• Some countries try to differentiate legal law from religious law.
• Islam is practiced by a large portion of the world’s population.
• Many Muslim societies follow Islamic Law or Sharia.
• Traditional Islamic Law is separated into rules of worship and rules of
• Guided by the Qur'an and the Sunnah, or manner in which the prophet
• Sharia covers all aspects of a person’s life (Religious practices, Diet, Dress,
Family Life, Commerce, domestic justice)
• Law is not man-made, it is divine will.
• Lawmakers do not create the law, Jurists and clerics attempt to discover
the truth of law.
• Sharia has been codified, but still remains open to interpretation.
• Mixed law is the convergence of two or more legal systems, usually
civil law and common law, but often also customary, religious, civil, or
• Blending of legal systems can result in political and economic
• An example is the United Kingdom and Scotland.
• In law, liability refers to being legally responsible.
• Sanctions can be civil and/or criminal.
• Negligence is acting without care, or the failure to act as a reasonable and
prudent person would under similar circumstances.
• The definition of “reasonable person” is murky and available for extensive
Due care/Due Diligence
• Due care is the requirement that executives with fiduciary responsibilities
meet certain requirements to protect the company’s assets.
• This includes the safety and protection of technology and information systems which
are corporate assets.
• Due diligence is conceptual and can change often.
• From Webster: the care that a reasonable person exercises to avoid harm to other
persons or their property
• From Wikipedia:
• In criminal law, due diligence is the only available defense to a crime that is one of strict
liability (i.e., a crime that only requires an actus reus and no mens rea). Once the criminal
offence is proven, the defendant must prove on balance that they did everything possible to
prevent the act from happening. It is not enough that they took the normal standard of care
in their industry – they must show that they took every reasonable precaution.
• Examples of computer crimes:
• The law still hasn’t caught up with technology.
• Technology makes cyber stalking easy
• Cyber stalking can be very useful in technical and non-technical cases. Murder
investigations, kidnappings, drug trafficking, etc. can all have information available on
the public internet.
• Computer crimes can occur from outside the company as well as from
insiders. Insider threats often pose a greater overall risk to the company.
• Most computer crimes span multiple countries.
• Borders and jurisdiction cause lots of issues.
• A country can prosecute spammers, scammers, and internet
criminals, but they can easily move to a country which promotes,
tolerates, or ignores digital crime.
The Council of Europe Convention on
• Ratified by 30 countries including Canada, the United States, and
• Came into effect July 1, 2004
• Contains 48 articles
• Parties must establish laws against cybercrime and offenses related to child
• Ensure law enforcement officials have the necessary procedural authority to
investigate and prosecute cybercrime effectively.
• Provide international cooperation to other parties in the fight against
computer related crime.
Intellectual Property Laws
• Designed to protect tangible and intangible items or property
• Goal is to protect property from people wishing to copy or use it
without due compensation to the inventor or creator.
• The idea is that copying someone else's idea entails far less work than
what is required for the original development.
• Intellectual property is divided into two categories:
• Industrial Property
• Inventions (patents), trademarks, industrial designs, and geographical indications of
• Literary and artistic works (novels, poems, plays, films, music, drawings, paintings,
photographs, sculptures, architectural designs)
• Grants the owner the legally enforceable right to exclude others from
practicing the invention for a specific period of time (generally 20 years)
• Strongest form of intellectual property protection.
• Protects novel, useful, and nonobvious inventions.
• Requires formal application to a government entity.
• When the patent is granted it is published in the public domain, to
stimulate other innovations.
• When the patent expires the protection ends and the invention enters the
• WIPO, a part of the United Nations (UN), is in charge of the filing and
processing of international patents.
• Designed to protect the goodwill an organization invests in its
products, services or image.
• Allows exclusive rights to the owner of markings that the public uses
to identify a vendor, merchant, products, or goods.
• Can consist of any word, name, symbol, color, sound, product shape,
device, or combination of these.
• Must be distinctive and cannot mislead or deceive consumers or
violate public order or morality.
• Registered with the government registrar
• WIPO oversees international trademark efforts.
• Covers the expression of ideas rather than the ideas themselves.
• Protects artistic property such as writing, recordings, databases, and
• In many countries once the work or property is completed or in a
tangible form, the copyright protection is automatically assumed.
• Weaker than patent protection, but duration is longer. (50 years after
the creator’s death or 70 years total under US law)
• If the artist’s country is a member of the International Berne
Convention then the protection afforded will be the minimum level
afforded in all participating countries.
• Refers to proprietary business or technical information, processes,
designs, practices, etc that are confidential and critical to the
business. (Pepsi’s secret formula)
• To be categorized as a trade secret it must not be generally known
and must provide economic benefit to the company.
• Reasonable steps must be taken to protect its secrecy.
• In a dispute, the contents of the trade secret do not need to be
• Often the main complaint in industrial and economic espionage cases.
• Some software may be illegal to import or export. Example is some
types of encryption software.
• Information Security professionals should check local laws especially
when working internationally (or choosing employees or datacenters
Trans-Border Data Flow
• As information moves between systems or cloud hosting companies,
the location where the data is stored matters.
• If the information is transferred and/or stored in 3 countries, you may
have to deal with three or more jurisdictions and three different
• If the organization who owns the server is a member of a different
country, sometimes their home country can gain jurisdiction over the
server even if it’s in another country.
• A lot of personally identifiable information (PII) is stored online or
• Data compromises happen often.
• There are now many regulations for the responsible protection, use,
and transfer of PII.
• An example of a common guideline is the Organization for Economic
Cooperation and Development (OECD). (Pages 1185-1187. Read it)
Employee Monitoring and Surveillance
• Monitoring of employees must be done carefully.
• On the one hand you need to curb abuse, theft, etc. (Due Diligence)
• On the other hand the employee has rights to privacy.
• Over-monitoring can cause hostile employees. (This is bad)
• The EU created 7 principles called the Directive on Data Protection
which is a guideline for monitoring. These regulations are similar to
the ones in the US, Canada, and the UK and can be used as a
Directive on Data Protection
• Notice: Individuals must be informed about what is collected and the uses for the
• Choice: Individuals must be given the opportunity to decline data sharing with 3rd
parties or to be used for purposes not stated in the notice.
• Onward transfer: 3rd parties receiving data must also subscribe to this directive.
• Security: Organizations must take reasonable precautions to protect personal
data from loss, misuse, unauthorized access, disclosure, alteration, and
• Data Integrity: Data should be reliable and only the data necessary should be
• Access: Individuals must have access to the personal information about them.
They must be able to correct, amend, or delete the information.
• Enforcement: A compliance program must exist to enforce this directive.
• The creation of computers started a large debate on ethics.
• Computers can be used inappropriately and can replace humans
which could cause widespread job loss.
• Another fear is that humans will become seen more as machines and
will be treated as such.
• Quite a few regulations exist regarding professional ethics.
• Ethics programs can be very beneficial. If an ethics program is in place
then some criminal cases will have substantially reduced penalties.
• The FSGO has requirements to show that an Ethics program is continuously
being improved and that it is effective.
Computers in the Workplace
• Computers can pose a threat to jobs.
• People may feel they are being replaced.
• Computers require operators, which changes many of the jobs to
require different skills.
• Criminals can reach systems from anywhere in the world, and the
payoffs are larger.
• An inside employee can steal all the company data and walk out with
it in his/her pocket.
Privacy and Anonymity
• Private information is passed around constantly. People like their
privacy and have concerns about data being shared and what can be
inferred based on data from different sources.
• Ethics around IP are tough.
• People like music and software to be free, but companies,
programmers and artists won’t create the IP if they won’t get their
investment back in licenses, fees, or profit of some sort.
Computer Game Fallacy
• Computer users tend to think that computers will generally prevent
them from cheating and doing wrong.
• Programmers believe that an error in programming syntax will
prevent the program from working. So if the program works then it
must be working correctly.
Law-Abiding Citizen Fallacy
• Users sometimes confuse what is legal with regards to computer use,
with what is reasonable behavior for using a computer.
• Users do not realize that they have a responsibility to consider the
ramifications of their actions and to behave accordingly.
• Most computer users believe that they can do little harm accidentally
with a computer.
• If a user sends a mass mailing which is discriminatory, this could hurt
a large group of people.
• Most people realize that certain activities in public are illegal, but still
do them online thinking it’s ok or anonymous.
• Ultimately users don’t consider the impact
of their actions before doing them.
• Stealing software, books, etc is very easy on a computer.
• Copying retail software without paying for it is theft.
• Just because it’s easy and it may be hard to catch you doesn’t mean
it’s ethical, legal, or acceptable.
• A commonly accepted hacker belief is that it’s acceptable to do
anything with a computer as long as the motivation is to learn and
not to gain a profit.
Free Information Fallacy
• Notion that “information wants to be free.”
• Copying and distribution of data is completely under the control of
the people who do it and the people who allow it to happen.
Hacking and Hacktivism
• A hacker was originally a person who sought to understand
computers as thoroughly as possible. Soon hacking came to be
associated with phreaking, breaking into phone networks to make
free calls, etc which is illegal.
MIT Hacker Ethic
• Access to computers should be unlimited and total.
• All information should be free.
• Authority should be mistrusted and decentralization promoted.
• Hackers should be judged solely by their skills at hacking, rather than
by race, class, age, gender, or position.
• Computers can be used to create art and beauty.
• Computers can change your life for the better.
Various Codes of ethics
• Most professional organizations have their own code of ethics.
• I’m not going to re-type 20 pages. Read up on these (1203-foo)
The Code of Fair Information Practices
Internet Activities Board
Computer Ethics Institute
National Conference on Computing and Values
The Working Group on Computer Ethics
National Computer Ethics and Responsibilities Campaign (NCERC)
ISC Code of Professional Ethics (1208-1209)
• Treat others as you wish to be treated
• If an action is not right for everyone, it is not
right for anyone.
• If an action is not repeatable at all times, it is
not right at any time.
• Take the action that achieves the most good.
• Incur least harm or cost
• Do No Harm
• Assume that all property and information
belongs to someone.
• Is it against the law
• Is the action contrary to codes of ethics
• Is there hard evidence to support or deny the
value of taking an action
• Let the people affected decide
• Will the costs and benefits be equitably
• Are you comparing against competing
• Are decisions biased in favor of one group
• Full Disclosure
• Can the data be adequately protected to
• Does IT stand behind ethical principles
• If you need to do something that may be perceived as unethical, inform all
parties about your intentions. (Preferably in writing)
• If a conflict exists between two codes of ethics, the higher ethic wins.
• Consider precedence. An action taken by you on a small scale could result
in significant harm if carried out on a larger scale. (But TIM did it so we 98
million people thought it was ok to ping google too!)
• Whoever owns or is responsible for information must ensure that it is
reasonably protected and that users are aware of how to use it responsibly.
• As an information user, always assume others own it and that their
interests must be protected unless explicitly notified that the information is
able to be used freely.
• Digital Investigations can become court cases.
• Phases of an investigation:
Identify Evidence (Also protect the scene)
• Live evidence is digital evidence gathered from a running system or process
• Dead evidence is from a shutdown/at rest system (hard Disk)
• Only individuals with knowledge of basic crime scene analysis should be
allowed to deal with the scene.
General Forensic Guidelines
• Upon seizing digital evidence, actions taken should not change that
• When it’s necessary for a person to access original digital evidence, that
person should be trained for the purpose.
• All activity relating to the seizure, access, storage, or transfer of digital
evidence must be fully documented, preserved, and available for review.
• An individual is responsible for all actions taken with respect to digital
evidence while the digital evidence is in his possession.
• Any agency that is responsible for seizing, accessing, storing, or transferring
digital evidence is responsible for compliance with these principles.
More General Forensic Guidelines
Minimize handling/corruption of original data
Account for any changes and keep detailed logs of your actions.
Comply with the five rules of evidence
Do not exceed your knowledge
Follow your local security policy and obtain written permission.
Capture as accurate an image of the system as possible.
Be prepared to testify
Ensure your actions are repeatable
Proceed from volatile to persistent evidence
Do not run any programs on the affected system
• Triage Phase
• Determine if this is a real incident
• Investigative Phase
• Analysis and Tracking
• Recovery Phase
• Recover/repair the system and prevent the incident from re-occurring.
Chain of Custody
• Refers to who, what, when, where, and how the evidence was
handled throughout the entire case lifecycle. From the first person on
the scene until the court case is over.
• For digital evidence, file hashes are very common and useful. Use SHA-256 hashes to prove files have not changed since the initial gather time.
• Have chain of custody forms where people sign over evidence to each
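The hash-based chain of custody described above, as an added example that is not part of the original slides: a manifest is created at seizure time with each item’s SHA-256, every hand-off re-hashes the item before it is signed over, and a later verification flags any item whose hash no longer matches. The evidence bytes and custodian names are constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample "evidence": two in-memory items standing in for a seized
# disk image and an exported log. These are not real artifacts.
EVIDENCE = {
    "disk.img": b"\x00" * 512 + b"constructed-partition-table",
    "auth.log": b"Jan 01 00:00:01 host sshd[1]: Accepted password for alice\n",
}


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of the bytes as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def record_acquisition(files: dict, handler: str) -> list:
    """Create the chain-of-custody manifest at seizure time: one entry per item
    with its hash, who acquired it and when (UTC), plus an empty transfer log."""
    acquired_at = datetime.now(timezone.utc).isoformat()
    return [
        {
            "item": name,
            "sha256": sha256_hex(data),
            "acquired_by": handler,
            "acquired_at": acquired_at,
            "transfers": [],
        }
        for name, data in files.items()
    ]


def verify(manifest: list, files: dict) -> dict:
    """Re-hash each item and compare with the manifest. Returns item -> bool.
    A missing item hashes as empty bytes and therefore fails verification."""
    return {
        entry["item"]: sha256_hex(files.get(entry["item"], b"")) == entry["sha256"]
        for entry in manifest
    }


def sign_over(manifest: list, item: str, data: bytes, giver: str, receiver: str) -> dict:
    """Record a hand-off between custodians. The receiver re-hashes the item
    before accepting it; a mismatch is refused and nothing is logged."""
    entry = next(e for e in manifest if e["item"] == item)
    if sha256_hex(data) != entry["sha256"]:
        raise ValueError(f"{item}: SHA-256 does not match manifest; integrity broken")
    entry["transfers"].append({
        "from": giver,
        "to": receiver,
        "at": datetime.now(timezone.utc).isoformat(),
        "sha256_checked": entry["sha256"],
    })
    return entry


if __name__ == "__main__":
    manifest = record_acquisition(EVIDENCE, "first responder")
    sign_over(manifest, "disk.img", EVIDENCE["disk.img"], "first responder", "lab analyst")
    # Simulate a later modification of the log export; verify() flags it.
    tampered = dict(EVIDENCE, **{"auth.log": EVIDENCE["auth.log"] + b"extra line\n"})
    print(json.dumps(manifest, indent=2))
    print(verify(manifest, tampered))  # {'disk.img': True, 'auth.log': False}
```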
• Interviewing witnesses and suspects is delicate.
• Before starting the interview review policies, notify management, and
consult legal counsel.
• Never conduct the interview alone.
• Preferably video tape the interview.
• Have an expert do it if at all possible. (Risk is high, don’t mug yourself)
• Legal counsel should be in the room.
Reporting and Documenting
• A clear report should be written.
• Assume it’ll be read in court with the media watching.
• Once the whole incident is wrapped up, review the incident and try to
learn some lessons:
• How could it have been avoided?
• How did the incident response go? Could we have done better?
• How did the forensic case go?
• Evidence should have some sort of value
• Evidence should be relevant to the case at hand
• Should meet the five rules of evidence
• Involves recovery of evidence from information media
• Hard drives, DVDs, CD-ROMs, portable memory devices
• Media may have been damaged, overwritten, degaussed, or reused
• If the investigator is unable to collect sufficient evidence, media
forensic investigators exist to help. (Very Expensive)
• Analysis and examination of data from network logs and network
activity for use as potential evidence.
• Must have proper evidence collection and handling (chain of custody)
for the evidence to be admissible.
• Analysis of program code (source code, compiled code, machine
• Decompiling and reverse engineering often used.
• Can locate author identification, author attributes, programming
Hardware/Embedded Device Analysis
• Smart phones, PDAs, CMOS chips, etc. can all be useful as evidence.