2. Objectives
To review computer crime laws and regulations; investigative
measures and techniques used to determine if a crime has
been committed and methods to gather evidence; and the
ethical constraints that provide a code of conduct for the
security professional.
To review the methods for determining if a computer crime
has been committed; the laws that would be applicable for the
crime; laws prohibiting specific types of computer crime;
methods to gather and preserve evidence of a computer
crime, investigative methods and techniques; and ways in
which RFC 1087 and the (ISC)2 Code of Ethics can be applied
to resolve ethical dilemmas.
3. Law, Investigation and Ethics
Laws
Security incidents
Recognition skills
Response skills
Technical skills
Investigations
Incident handling
Code of Ethics
4. Major categories of computer crime
Computer assisted crime - Criminal activities that are not
unique to computers but merely use computers as tools
to assist the criminal endeavor (e.g., fraud, child
pornography)
Computer specific or targeted crime - Crimes directed at
computers, networks, and the information stored on
these systems (e.g., denial of service, sniffers, attacking
passwords)
Computer is incidental - The computer is incidental to
the criminal activity (e.g., customer lists for traffickers)
5. Laws
Criminal Law - Individual conduct violating government
laws enacted for the protection of the public
Unauthorized access
Exceeding authorized access
Intellectual property theft or misuse of information
Pornography
Theft of computing services
Forgery using a computer
Property theft (e.g., computer hardware and chips)
Invasion of privacy
Denial of service
Computer fraud
Releasing viruses and other malicious code
Sabotage (i.e., data alteration or malicious destruction)
Extortion by computer
Embezzlement using a computer
Espionage involving computers
Terrorism involving computers
Identity theft
6. Laws Cont…
Civil Law (Tort)
A wrong against an individual or business, typically resulting
in damage or loss to that individual or business
Remedies are monetary damages or injunctions; there is no jail
sentence under civil (tort) law
Administrative Law (Regulatory law)
Establishes the standards of performance and conduct for
organizations conducting business in various industries
Violations of these laws can result in financial penalties or
imprisonment
7. Proprietary Rights & Obligations
Legal Forms of Protection
Trade Secrets: Information that Provides a Competitive
Advantage. Protect Ideas.
Copyrights: Right of an Author to Prevent Use or Copying
Works of the Author. Protect Expression of Ideas.
Patents: Protect Results of Science, Technology &
Engineering
Business Needs
Protect Developed Software
Contractual Agreements
Define Trade Secrets for Employees
8. Proprietary Rights & Obligations Cont…
Security Techniques to Protect Trade Secrets
Numbering Copies
Logging Document Issuance
Checking Files & Workstations
Secure Storage
Controlled Distribution
Limitations on Copying
Contractual Commitments to Protect Proprietary Rights
Licensing Agreements with Vendors
Liability for Compliance
9. Proprietary Rights & Obligations Cont…
Enforcement Efforts
Software Publishers Association (SPA)
Federation Against Software Theft (FAST)
Business Software Alliance (BSA)
Personal Computers
Establish User Accountability
Policy Development and Circulation
Purging of Proprietary Software
11. Management Problems
Corporate Recordkeeping
Accuracy of Computer Records: Potential Use in Court
IRS Rules: Inadequate Controls May Impact Audit Findings
Labor and Management Relations
Collective Bargaining: Disciplinary Actions, Workplace Rules
Work Stoppage
Limitations on Background Investigations
Limitations on Drug and Polygraph Testing
Disgruntled Employees
Non-Disclosure Requirements
Immigration Laws
Establishment and Enforcement of Security Rules
12. Management Problems Cont…
Data Communications: Disclosure through -
Eavesdropping and Interception
Loss of Confidential Information
Outsourcing
Contract Review
Review of Contractor’s Capabilities
Impact of Downsizing
Contractor Use of Proprietary Software
13. Management Problems Cont…
Personal Injury
Employee Safety
Carpal Tunnel Syndrome
Radiation Injury
Insurance Against Legal Liability
Requirements for Security Precautions
Right to Inspect Premises
Cooperation with Insurance Company
14. Legal Liability
Due Care - Minimum and Customary Practice of Responsible
Protection of Assets
Due Diligence - The Prudent Management and Execution of Due
Care
Programming Errors - Reasonable Precautions for -
Loss of a Program
Unauthorized Revisions
Availability of Backup Versions
Product Liability
Liability for Database Inaccuracies: Due to Security Breaches
European Union: No Limits on Personal Liability for Personal
Injury
15. Legal Liability Cont…
Defamation
Libel Due to Inaccuracy of Data
Unauthorized Release of Confidential Information
Alteration of Visual Images
Foreign Corrupt Practices Act
Mandate for Security Controls or Cost/Benefit Analysis
Potential SEC Litigation
16. Legal Liability Cont…
Failure to Observe Standards
FIPS Pubs and CSL Bulletins
Failure to Comply Used in Litigation
Personal Liability
Action or Inaction was Proximate Cause
Financial Responsibility to Plaintiff
Joint and Several Liability
17. Legal Liability Cont…
Federal Sentencing Guidelines
Chapter 8 Added 1991
Applicable to Organizations
Violations of Federal Law
Specifies Levels of Fines
Mitigation of Fines Through Implementation of
Precautions
18. Privacy & Other Personal Rights
The Federal Privacy Act
Government Files Open to Public Unless Specified
Act Applies to Executive Branch Only
“Record” = Information about an Individual
Must be Need to Maintain Records
Disclosure Prohibited without Consent
Requirements on Government Agencies
Record Disclosures
Public Notice of Existence of Records
Ensure Security & Confidentiality of Records
19. Privacy and Other Personal Rights Cont…
State Acts and Regulations
Fair Information Practices Acts: Define Information that
Can be Collected
Uniform Information Practices Code - National Conference
of Commissioners on Uniform State Laws: Recommended
Model
Statutes Regulating Information Maintained by Private
Organizations: e.g., Health Care, Insurance
20. Privacy and Other Personal Rights Cont…
Other Employee Rights
Electronic Mail: Expectations of Privacy
Drug Testing: Limited to Sensitive Positions Only
Freedom From Hostile Work Environment
International Privacy
European Statutes Cover Both Government and Private
Corporate Records
Application Primarily to Computerized Data Banks
Strict Rules on Disclosure
Prohibitions of Transfer of Information Across National
Boundaries
21. Privacy and Other Personal Rights Cont…
Management Responsibilities
Regular Review with Legal Department
Consider all Jurisdictions
Prepare Policies for Compliance
Enforce Policies
Document Enforcement
22. Computer Crime Laws
Federal
Computer Fraud and Abuse Act (Title 18, U.S.
Code, Section 1030). The original statute spoke of a "Federal
Interest Computer" (FIC); the 1996 amendments replaced that term
with the broader "protected computer".
*Accessing a Federal Interest Computer (FIC) to acquire national
defense information
Accessing an FIC to obtain financial information
Accessing an FIC to deny the use of the computer
*Accessing an FIC to further a fraud
*Damaging or denying use of an FIC through transmission of code,
program, information or command
Furthering a fraud by trafficking in passwords
Economic Espionage Act of 1996: Obtaining trade
secrets to benefit a foreign entity
Electronic Funds Transfer Act: Covers the use, transport,
sale, receipt or furnishing of counterfeit, altered, lost, stolen, or
fraudulently obtained debit instruments in interstate or foreign
commerce.
23. Federal Computer Crime Laws Cont…
Child Pornography Prevention Act of 1996 (CPPA):
Prohibits use of computer technology to produce child pornography.
(Its provisions on computer-generated "virtual" imagery were struck
down by the Supreme Court in Ashcroft v. Free Speech Coalition, 2002.)
Computer Security Act of 1987: Requires Federal Executive
agencies to Establish Computer Security Programs.
Electronic Communications Privacy Act (ECPA):
Prohibits unauthorized interception or retrieval of electronic
communications
Fair Credit Reporting Act: Governs the types of data that
companies may collect on private citizens and how it may be used.
Foreign Corrupt Practices Act: Covers improper foreign
operations, but applies to all companies registered with the SEC, and
requires them to maintain internal accounting controls (in practice,
security programs that make those controls effective).
Freedom of Information Act: Permits public access to
information collected by the Federal Executive Branch.
24. Computer Laws Cont…
International Laws
Lack of Universal Cooperation
Differences in Interpretations of Laws
Outdated Laws Against Fraud
Problems with Evidence Admissibility
Extradition
Low Priority
25. Computer Crime
Computer Crime as a Separate Category
Rules of Property: Lack of Tangible Assets
Rules of Evidence: Lack of Original Documents
Threats to Integrity and Confidentiality: Goes
beyond the normal definition of a loss
Value of Data: Difficult to Measure. Cases of
Restitution only for the Media
Terminology: Statutes have not kept pace. Is Computer
Hardware "Machinery"? Does Software qualify as
"Supplies"?
26. Computer Crime Cont…
Computer Crime is Hard to Define
Lack of Understanding
Laws are Inadequate: Slow to Keep Pace with Rapidly
Changing Technology
Multiple Roles for Computers
Object of a Crime: Target of an Attack
Subject of a Crime: Used to attack (impersonating a network node)
Medium of a Crime: Used as a Means to Commit a Crime (Trojan
Horse)
Difficulties in Prosecution
Understanding: Judges, Lawyers, Police, Jurors
Evidence: Lack of Tangible Evidence
Forms of Assets: e.g., Magnetic Particles, Computer Time
Juveniles:
Many Perpetrators are Juveniles
Adults Don’t Take Juvenile Crime Seriously
27. Nature and Extent of Computer-Related
Crime
Typology
Input Tampering: Entry of Fraudulent or False Data
Throughput Tampering: Altering Computer Instructions
Output Tampering: Theft of Information
Most Common Crimes
Input and Output Type
Fraudulent Disbursements
Fabrication of Data
28. The Computer Criminal
Typical Profile
Male, White, Young
No Prior Record
Works in Data Processing or Accounting
Myths
Special Talents are Necessary
Fraud has Increased Because of Computers
29. The Criminal Motivation
Personal Motivations
Economic
Egocentric
Ideological
Psychotic
Environmental Motivations
Work Environment
Reward System
Level of Interpersonal Trust
Ethical Environment
Stress Level
Internal Controls Environment
30. The Control Environment
Factors that Encourage Crime
Motivation
Personal Inducements
Factors that Discourage Crime
Prevention Measures
Internal Controls Systems
Access Control Systems
Detection Measures
Auditing
Supervision
31. Crime Investigation
Detection and Containment
Accidental Discovery
Audit Trail Review
Real-Time Intrusion Monitoring
Limit Further Loss
Reduction in Liability
Report to Management
Immediate Notification
Limit Knowledge of Investigation
Use Out-of-Band Communications
32. Crime Investigation Cont…
Preliminary Investigation
Determine if a Crime has Occurred
Review Complaint
Inspect Damage
Interview Witnesses
Examine Logs
Identify Investigation Requirements
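The "Audit Trail Review" step on the previous slide and "Examine Logs" on this one are where a preliminary investigation usually starts: a reviewer reads authentication logs for the patterns that distinguish unauthorized access from ordinary use. The script below is an added example, not part of the original slides. Its log lines are constructed in OpenSSH/syslog style, and the field layout, failure threshold, trusted address range and business hours are assumptions that must be tuned to the real environment.

```python
"""Audit-trail review: flag indicators of unauthorized access in SSH auth logs.

Added example, not from the original slides. The log lines are constructed in
OpenSSH/syslog style; the field layout, thresholds, trusted address range and
business hours are assumptions that must be tuned to the real environment.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a password-guessing run from an outside address that
# finally succeeds as 'svc_backup' at 02:14, plus normal daytime logins from
# the office LAN (including one ordinary mistyped password by 'bob').
SAMPLE_LOG = """\
Mar 12 02:14:01 fileserver sshd[4011]: Failed password for svc_backup from 203.0.113.7 port 51022 ssh2
Mar 12 02:14:03 fileserver sshd[4011]: Failed password for svc_backup from 203.0.113.7 port 51022 ssh2
Mar 12 02:14:05 fileserver sshd[4013]: Failed password for svc_backup from 203.0.113.7 port 51031 ssh2
Mar 12 02:14:08 fileserver sshd[4015]: Failed password for invalid user admin from 203.0.113.7 port 51036 ssh2
Mar 12 02:14:11 fileserver sshd[4017]: Failed password for svc_backup from 203.0.113.7 port 51044 ssh2
Mar 12 02:14:14 fileserver sshd[4018]: Failed password for svc_backup from 203.0.113.7 port 51047 ssh2
Mar 12 02:14:20 fileserver sshd[4019]: Accepted password for svc_backup from 203.0.113.7 port 51050 ssh2
Mar 12 09:02:44 fileserver sshd[4201]: Accepted publickey for alice from 10.20.0.15 port 40120 ssh2
Mar 12 09:03:10 fileserver sshd[4207]: Failed password for bob from 10.20.0.22 port 40130 ssh2
Mar 12 09:03:15 fileserver sshd[4207]: Accepted password for bob from 10.20.0.22 port 40130 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

FAIL_THRESHOLD = 4               # failures from one source that make a later success suspicious
WINDOW = timedelta(minutes=10)   # look-back window for those failures
TRUSTED_PREFIXES = ("10.",)      # assumption: office LAN; anything else is an outside source
BUSINESS_HOURS = range(7, 20)    # assumption: 07:00-19:59 local time


def parse_events(log_text, year=2024):
    """Parse matching lines into dicts; syslog omits the year, so it is supplied."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # unrelated line: not an auth event
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S")
        events.append(ev)
    return events


def review_auth_log(log_text):
    """Return findings (kind, user, src, timestamp) for successful logins that look
    unauthorized: preceded by a failure burst, from an untrusted address, or off-hours.
    Failures are counted per source address so password spraying across several
    user names is caught as well as guessing against a single account."""
    findings = []
    failures_by_src = defaultdict(list)
    for ev in parse_events(log_text):
        if ev["result"] == "Failed":
            failures_by_src[ev["src"]].append(ev["ts"])
            continue
        recent = [t for t in failures_by_src[ev["src"]] if ev["ts"] - t <= WINDOW]
        if len(recent) >= FAIL_THRESHOLD:
            findings.append(("success_after_failure_burst", ev["user"], ev["src"], ev["ts"]))
        if not ev["src"].startswith(TRUSTED_PREFIXES):
            findings.append(("untrusted_source", ev["user"], ev["src"], ev["ts"]))
        if ev["ts"].hour not in BUSINESS_HOURS:
            findings.append(("off_hours_login", ev["user"], ev["src"], ev["ts"]))
    return findings


if __name__ == "__main__":
    for kind, user, src, ts in review_auth_log(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {kind:<28} user={user} src={src}")
```

On the sample the only flagged login is svc_backup from 203.0.113.7, which trips all three indicators; alice and bob produce nothing. Every finding carries the timestamp and source exactly as logged, because those are the facts the complaint review and the later evidence record have to reproduce.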
33. Crime Investigation Cont…
Disclosure Determination
Determine if Disclosure is Required by Law
Determine if Disclosure is Desired
Caution in Dealing with the Media
Courses of Action
Do Nothing
Surveillance
Eliminate Security Holes
Is Police Report Required?
Is Prosecution a Goal?
35. Crime Investigation Cont…
Execute the Plan
Secure and Control Scene
Protect Evidence
Don’t Touch Keyboard
Videotape Process
Capture Monitor Display
Unplug System (caveat: pulling power destroys volatile evidence such as
memory contents, running processes, network connections and encryption
keys; current practice captures those first, in order of volatility,
before powering down)
Remove Cover
Disks and Drives
Search Premises (for Magnetic Media and Documentation)
Seize Other Devices (that may contain information)
36. Crime Investigation Cont…
Conduct Surveillance
Physical: Determine Subject’s Habits, Associates, Life
Style
Computer: Audit Logs or Electronic Monitoring
Other Information Sources
Personnel Files
Telephone and Fax Logs
Security Logs
Time Cards
Investigative Reporting
Document Known Facts
Statement of Final Conclusions
37. Computer Forensics
Conduct a Disk Image Backup of Suspect System: Bit-level
Copy of the Disk, Sector by Sector, taken from a write-blocked
source; hash the source and the image to prove they are identical
Authenticate the File System: Create a Message Digest (hash) for all
Directories, Files & Disk Sectors so any later alteration can be detected
Analyze Restored Data: Conduct Forensic Analysis in a
Controlled Environment
Search Tools: Quick View Plus, Expert Witness, Super Sleuth
Searching for Obscure Data: Hidden Files/Directories,
Erased or Deleted Files, Encrypted Data, Overwritten Files
Steganography: Hiding a Piece of Information within Another
Review Communications Programs: Links to Others
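The first two steps on this slide, the sector-by-sector image and the message digests that authenticate it, are shown below as an added example that is not part of the original slides. A real acquisition reads a block device (for instance /dev/sdb) through a hardware write blocker; here an ordinary file stands in for the device so the code runs offline, and the paths, file contents and "tampering" are constructed.

```python
"""Forensic imaging and integrity authentication of a suspect filesystem.

Added example, not from the original slides. A real acquisition reads a block
device through a hardware write blocker; here a regular file stands in for the
device, and all paths and sample content are constructed.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

SECTOR = 512


def sha256_of_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def image_device(device, image_path, sector=SECTOR):
    """Bit-level, sector-by-sector copy of `device` to `image_path` (as dd does).
    The source digest is taken while reading; the image digest is computed by
    re-reading the finished file. Equal digests prove the image is exact."""
    src_hash = hashlib.sha256()
    sectors = 0
    with open(device, "rb") as src, open(image_path, "wb") as dst:
        while True:
            block = src.read(sector)
            if not block:
                break
            src_hash.update(block)
            dst.write(block)
            sectors += 1
    source_digest = src_hash.hexdigest()
    image_digest = sha256_of_file(image_path)
    return {"sectors": sectors, "source_sha256": source_digest,
            "image_sha256": image_digest, "verified": source_digest == image_digest}


def hash_tree(root):
    """Manifest of every file under `root` (relative path -> SHA-256), with the
    collection time in UTC recorded as the reference clock for later timeline work."""
    entries = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                                  # deterministic walk order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries[rel] = sha256_of_file(full)
    return {"collected_at_utc": datetime.now(timezone.utc).isoformat(), "entries": entries}


def verify_manifest(root, manifest):
    """Re-hash `root` and report what changed since the manifest was taken."""
    now = hash_tree(root)["entries"]
    then = manifest["entries"]
    return {
        "modified": sorted(p for p in then if p in now and now[p] != then[p]),
        "missing": sorted(p for p in then if p not in now),
        "added": sorted(p for p in now if p not in then),
    }


def demo():
    """Constructed evidence set: image a fake device, then show the manifest
    catching a modified file, a deleted file and a newly planted file."""
    work = tempfile.mkdtemp(prefix="forensics_demo_")
    device = os.path.join(work, "suspect_disk.raw")      # stands in for /dev/sdb
    with open(device, "wb") as f:
        f.write(b"\x55\xaa" * 650)                        # 1300 bytes: 2 full sectors + 276
    image = image_device(device, os.path.join(work, "suspect_disk.dd"))

    evidence = os.path.join(work, "restored_fs")
    os.makedirs(os.path.join(evidence, "docs"))
    with open(os.path.join(evidence, "docs", "ledger.txt"), "w") as f:
        f.write("Q3 transfers: 41 items\n")
    with open(os.path.join(evidence, "notes.txt"), "w") as f:
        f.write("meeting 3pm\n")
    manifest = hash_tree(evidence)

    # Simulated tampering with the working copy after the manifest was taken.
    with open(os.path.join(evidence, "docs", "ledger.txt"), "w") as f:
        f.write("Q3 transfers: 40 items\n")
    os.remove(os.path.join(evidence, "notes.txt"))
    os.makedirs(os.path.join(evidence, ".cache"))
    with open(os.path.join(evidence, ".cache", "x"), "w") as f:
        f.write("planted\n")
    return {"image": image, "manifest_files": len(manifest["entries"]),
            "changes": verify_manifest(evidence, manifest)}


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Analysis is done on the restored copy, never on the original; the two digests from image_device go on the acquisition record, and the manifest is what lets an examiner show in court that the files presented are the ones collected. A partial final sector is copied as-is, as dd does without conv=sync, which is why the digest of the image matches the digest of the source.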
38. Computer Forensics Cont…
Reassemble and Boot Suspect System with Clean
Operating System
Target System May Be Infected
Obtain System Time as Reference
Run Complete System Analysis Report
Boot Suspect System with Original Operating System
Identify Rogue Programs
Identify Background Programs
Identify What System Interrupts have Been Set
39. Computer Forensics Cont…
Search Backup Media: Don’t Forget Off-Site Storage
Search Access Controlled Systems and Encrypted Files
Password Cracking
Publisher Back Door
Documentary Clues
Ask the Suspect
Case Law on Obtaining Passwords from Suspects
40. The Evidence
Types of Evidence
Direct: Oral Testimony by Witness
Real: Tangible Objects/Physical Evidence
Documentary: Printed Business Records, Manuals, Printouts
Demonstrative: Used to Aid the Jury (Models, Illustrations,
Charts)
Best Evidence Rule: The Original (or a Reliable Duplicate) is
Preferred, to Limit the Potential for Alteration
Exclusionary Rule: Evidence Must be Gathered Legally or it
Can't Be Used
Hearsay Rule: Key for Computer Generated Evidence
Second Hand Evidence
Admissibility Based on Veracity and Competence of Source
Exceptions: Rule 803(6) of the Federal Rules of Evidence (Business
Records created at the time by a person with knowledge, as part
of regular business, routinely kept, supported by testimony)
41. The Evidence Cont…
Chain of Evidence (Chain of Custody) - Accountability &
Protection
Who Obtained Evidence
Where and When it was Obtained
Who Secured it
Who Controlled it
Account for Everyone Who Had Access to or Handled the
Evidence
Assurance Against Tampering
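The custody record this slide describes is an ordinary log of who handled the item, where and when; what makes it "assurance against tampering" is that a later edit to an earlier entry must be detectable. Below is an added example, not part of the original slides, of such a ledger: each entry carries the evidence digest and is linked to the previous entry by hash. The names, locations, timestamps and the evidence digest are constructed.

```python
"""Tamper-evident chain-of-custody ledger for one seized item.

Added example, not from the original slides. Every entry records who handled
the evidence, where, when and why, carries the evidence digest, and is linked
to the previous entry by hash so that editing an earlier entry is detectable.
Names, locations, timestamps and the digest used here are constructed.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone


def _entry_hash(entry):
    # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible.
    canon = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


class CustodyLedger:
    def __init__(self, evidence_id, description, evidence_sha256):
        self.evidence_id = evidence_id
        self.description = description
        self.evidence_sha256 = evidence_sha256
        self.entries = []

    def record(self, action, custodian, location, note="", when=None):
        """Append one custody event: obtained, transferred, stored, examined, returned."""
        when = when or datetime.now(timezone.utc)
        entry = {
            "seq": len(self.entries),
            "evidence_id": self.evidence_id,
            "action": action,
            "custodian": custodian,
            "location": location,
            "note": note,
            "timestamp_utc": when.isoformat(),
            "evidence_sha256": self.evidence_sha256,
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else "0" * 64,
        }
        entry["entry_hash"] = _entry_hash(entry)   # hash covers every field above
        self.entries.append(entry)
        return entry

    def verify(self):
        """Walk the chain; return (True, None) or (False, seq of the first bad entry)."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev_hash"] != prev or _entry_hash(body) != e["entry_hash"]:
                return False, e["seq"]
            prev = e["entry_hash"]
        return True, None

    def custodians(self):
        """Everyone who has handled the item, in order of first contact."""
        seen = []
        for e in self.entries:
            if e["custodian"] not in seen:
                seen.append(e["custodian"])
        return seen


def demo():
    """Constructed custody history, then an after-the-fact edit of who seized the drive."""
    t0 = datetime(2024, 3, 12, 3, 5, tzinfo=timezone.utc)
    led = CustodyLedger("EV-0042", "1 TB SATA drive removed from workstation WS-17",
                        "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08")
    led.record("obtained", "J. Rivera", "Office 3B, workstation WS-17", "drive removed, bagged", when=t0)
    led.record("transferred", "J. Rivera", "Evidence locker 12", "handed to custodian", when=t0 + timedelta(hours=1))
    led.record("examined", "M. Chen", "Forensics lab, bench 2", "imaged; digest matched", when=t0 + timedelta(days=1))
    intact = led.verify()
    handlers = led.custodians()
    led.entries[0]["custodian"] = "A. Nobody"          # someone rewrites history
    return {"intact": intact, "after_tamper": led.verify(), "custodians": handlers}


if __name__ == "__main__":
    print(demo())
```

Rewriting a field breaks that entry's own hash; recomputing the hash to cover it up breaks the prev_hash link in the next entry, so the only way to hide an edit is to re-sign the whole chain. That is why the ledger should be kept by someone other than the handlers, or written to append-only storage, so that the chain itself cannot be silently replaced.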
42. The Evidence Cont…
Admissibility of Evidence: Computer-generated Evidence
is Always Suspect
Relevancy: Must Prove a Fact that is Material to the Case
Reliability: Prove Reliability of Evidence and the Process
for Producing It
Evidence Life Cycle
Collection and Identification
Storage, Preservation, and Transportation
Presentation in Court
Return to Victim (Owner)
43. Legal Proceedings
Discovery
Defense Granted Access to All Investigative Materials
Protective Order Limits Who Has Access
Grand Jury and Preliminary Hearings
Witnesses Called
Assign Law Enforcement Liaison
Trial: Unknown Results
Recovery of Damages: Through Civil Courts
44. Legal Proceedings Cont…
Post Mortem Review: Analyze Attack and Close
Security Holes
Incident Response Plan
Information Dissemination Policy
Incident Reporting Policy
Electronic Monitoring Statement
Audit Trail Policy
Warning Banner (Prohibit Unauthorized Access
and Give Notice of Monitoring)
Need for Additional Personnel Security Controls
45. Ethics
Differences Between Law vs. Ethics: Must vs. Should
Origins
Common Good
National Interest
Individual Rights
Enlightened Self-Interest
Law
Tradition/Culture
Religion
Fundamental Changes to Society
No Sandbox Training
46. Referential Resources
National Computer Ethics and Responsibilities
Campaign (NCERC)
Computer Ethics Resource Guide
National Computer Security Association (NCSA)
Computer Ethics Institute
1991 – Ten Commandments of Computer Ethics
End User's Basic Tenets of Responsible Computing
Four Primary Values
Considerations for Conduct
The Code of Fair Information Practices
Unacceptable Internet Activities (RFC 1087)
47. (ISC)2 Code of Ethics
Code of Ethics Preamble
Safety of the commonwealth, duty to our principals, and to
each other requires that we adhere, and be seen to
adhere, to the highest ethical standards of behavior.
Therefore, strict adherence to this Code is a condition of
certification.
Code of Ethics Canons
Protect society, the commonwealth, and the infrastructure.
Act honorably, honestly, justly, responsibly, and legally.
Provide diligent and competent service to principals.
Advance and protect the profession.
48. Competitive Intelligence
Published Material & Public Documents
Disclosures by Competitor Employees (without
Subterfuge)
Market Surveys & Consultant’s Reports
Financial Reports & Broker’s Research Surveys
Trade Fairs, Exhibits, & Competitor Literature
Analysis of Competitor Products
Reports of Own Personnel
Legitimate Employment Interviews with Competitor
Employees
49. Industrial Espionage
Camouflaged Questioning of Competitor’s Employees
Direct Observation under Secret Conditions
False Job Interviews
False Negotiations
Use of Professional Investigators
Hiring Competitor’s Employees
Trespassing
Bribing Suppliers and Employees
Planting Agent on Competitor Payroll
Eavesdropping
Theft of Information
Blackmail and Extortion
50. Plan of Action
Develop organizational guide to computer ethics
Develop a computer ethics policy to supplement the computer
security policy
Include computer ethics information in the employee
handbook
Expand business ethics policy to include computer ethics
Foster user awareness of computer ethics
Establish an E-mail privacy policy and promote user
awareness of it