Information Systems Security Legal, Regulations, and Compliance.

1 Information Systems Security Legal, Regulations, and Compliance

2 Not Just Fun & Games
 Continually on the rise
 Affects the public and government sectors
 Crimes go unnoticed or unreported
 Costs billions of dollars each year

3 Examples of Computer Crime
 ILOVEYOU, SoBIG, Blaster
 DDoS brings down Excite and Yahoo
 Extortion for credit card numbers
 Stealing funds from financial institutions
 Stealing military secrets
 Competitors stealing secrets

4 Types of Laws
 Common Law
 Criminal Law
 Tort Law
 Administrative Law
 Civil Law
 Customary Law
 Religious Law
 Mixed Law

5 Criminal Profile
 Script Kiddies
  –May not understand the ramifications
  –“Ankle Biters”: curious individuals
  –“Machine Gunners”: dispatch thousands of probes
 Dedicated Cracker
  –Chooses a victim and gathers intelligence
  –More dangerous
  –Has a goal in mind from the start

6 Motivation
 Grudge
  –Get back at the company or individual
  –Terrorist, sympathy, or information warfare
 Financial
 Business
 “Fun”

7 Example Attacks
 Salami
  –Carrying out smaller crimes that might go unnoticed
 Data diddling
  –Modifying data in the computer to change outcomes
 Dumpster diving
  –Obtaining information from the trash can

8 Telephone Fraud
 Phreakers
  –Telephone fraud
  –Red boxing: simulating coins dropped into the phone
  –Blue boxing: using analog tones to gain long distance
  –Black boxing: manipulating voltages

9 U.S. Privacy Laws
 Privacy Act of 1974
  –Data held on individuals by government
 Electronic Communications Privacy Act of 1986
  –Prohibits unauthorized eavesdropping
 Health Insurance Portability and Accountability Act (HIPAA)
 Gramm-Leach-Bliley Act of 1999

10 European Union
 The reason data is being collected must be stated
 Data cannot be used for other purposes
 Unnecessary data is not collected
 Data is kept only while needed
 Only necessary individuals have access
 No intentional ‘leaking’ of data

11 Transborder Information Flows
 Movement of data across international borders
 Different regions have different laws
 Restrictions on the flow of financial data
 Often data flow is taxable

12 Employee Privacy Act
 Must be in the security policy, and employees should be aware of it
 Ensure monitoring is lawful
 Possible types of monitoring
  –Key logging
  –Cameras
  –Telephone
  –Email

13 Common Law - Civil
 Tort law: wrongs against individuals resulting in damage
 Contract law
 Case law built on precedent
 Determines liability
 Lesser burden of proof
 Embodied in the USC

14 Criminal
 Laws created to protect the public
 Public in the defendant
 Can win criminal and lose civil on the same case, or vice versa
 More stringent burden of proof
 Includes jail time or death

15 Administrative Laws
 Differ by industry
  –FDA, healthcare, education, etc.
 Performance and conduct of organizations, officials, and officers
 Deals with industry regulations
 Punishment can be financial or may merit imprisonment

16 US Federal Laws
 Electronic Communications Act of 1996
  –Wiretap Act
  –Stored Communications Act
 Computer Fraud and Abuse Act of 1986
  –Used in prosecuting computer crimes
  –“Anti-hacking law”
 Electronic Espionage Act of 1996
  –Industrial espionage
  –Stealing trade secrets

17 Intellectual Property Laws
 Trade secret
  –Maintains confidentiality of proprietary business data
  –Owner invested resources to develop it
  –Data must provide competitive value
 Copyright
  –Protects original works of authorship
  –Protects the expression of new ideas
  –Source code is copyrightable
  –In the USA, good for 75 years

18 More
 Trademark
  –Protects a word, name, symbol, etc. which is used to identify a product or company
  –Protects a company’s look or feel
 Patent
  –Allows the owner to exclude others from practicing the invention for a time period (20 years)
  –Invention must be novel and non-obvious

19 Software Piracy
 Copying a creator’s work without permission
 Software Protection Association (SPA)
 Business Software Alliance (BSA)
  –Washington
 Federation Against Software Theft (FAST)
  –London

20 Digital Millennium Copyright Act
 Illegal to tamper with or break into controls that protect copyrighted materials
 Only protects copyrighted items
 Prevents reverse engineering
 First attempt to enforce was by Adobe against a white hat at DefCon

21 Countries Working Together
 Countries do not view computer crime the same way
 Governments may not work together
 Evidence rules are different
 Jurisdiction issues
 G8 have agreed to fight cybercrime
 Interpol distributes information about cross-border crimes

22 Violation Analysis
 Ensure that it is not a user error or misconfiguration
 Designated individuals should be in charge of investigating and determining whether a crime exists
 Types of investigation
  –Internal
  –Law enforcement

23 Law Enforcement vs. Citizens
 Search must have probable cause
  –4th Amendment search warrant
 Private citizen not subject to the 4th Amendment
 Private citizen may be a police agent

24 Role of Evidence
 Material offered to judge and jury
 May directly or indirectly prove or disprove that the crime has been committed
 Evidence must be tangible
  –Electrical voltages are intangible
  –Hard to prove lack of modification

25 Evidence Requirements
 Material: relevant to the case
 Competent: proper collection, obtained legally, and chain of custody maintained
 Relevant: pertains to the subject’s motives and should prove or disprove a fact

26 Chain of Custody
 Who obtained it?
 Where and when was it obtained?
 Who secured it?
 Who had control or possession?
 How was it moved?

27 Types of Evidence
 Best
  –Primary, original documents, not oral
 Secondary
  –Copies of documents, oral, eyewitness
 Direct
  –Can prove a fact by itself
  –Does not need corroborative information
  –Information from a witness

28 More Types
 Conclusive
  –Irrefutable and cannot be contradicted
 Circumstantial
  –Assumes the existence of another fact
  –Cannot be used alone to prove the fact
 Corroborative
  –Supporting evidence
  –Supplementary tool

29 More Types
 Opinion
  –Experts give an educated opinion
 Hearsay
  –No firsthand proof
  –Computer-generated evidence
 Real
  –Physical evidence
  –Tangible objects

30 More Types
 Documentary
  –Records, manuals, printouts
  –Most evidence is documentary
 Demonstrative
  –Aids the jury in understanding the concept
  –Experiments, charts, animation

31 Hearsay Rule Exception
 Business record exemption to the hearsay rule
  –Documents can be admitted if created during normal business activity
  –This does not include documents created for a specific court case
  –Regular business records have more weight
  –Federal Rule 803(6)
   Records must be kept in custody on a regular basis
   Records are relied upon by the normal business

32 Before the Crime Happens
 Select an Incident Response Team (IRT)
 Decide whether internal or external
 Set policies and procedures
 If internal, include
  –IT
  –Management
  –Legal
  –PR

33 Incident Handling
 First goals
  –Contain and repair damage
  –Prevent further damage
  –Collect evidence

34 Evidence Collection
 Photograph the area
 Dump contents from memory
 Power down the system
 Photograph internal system components
 Label each piece of evidence
  –Bag it
  –Seal
  –Sign

35 Forensics
 Study of technology and how it relates to law
 Image disks and other storage devices
  –Bit-level copy (deleted files, slack space, etc.)
  –Use specialized tools
  –Further work will be done on the copy
 Create a message digest for integrity
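The integrity step on this slide, together with the chain-of-custody questions of slide 26, is shown below as an added example (not part of the original deck): a SHA-256 digest is recorded at acquisition, every custody event answers who/where/when/how, and the working copy is verified against the recorded digest before analysis. The image bytes, examiner name and timestamps are constructed sample values.

```python
"""Integrity and custody record for a forensic image (added example).

The "image" below is a small constructed byte string standing in for a
bit-level copy of a drive; the examiner, location and times are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

CHUNK = 1 << 20  # hash in 1 MiB chunks so a real image need not fit in RAM


def digest(data: bytes) -> str:
    """SHA-256 over the acquired image, computed chunk by chunk."""
    h = hashlib.sha256()
    for off in range(0, len(data), CHUNK):
        h.update(data[off:off + CHUNK])
    return h.hexdigest()


@dataclass
class CustodyRecord:
    """One exhibit: its acquisition digest plus the who/where/when/how log."""
    item: str
    sha256: str
    entries: list = field(default_factory=list)

    def log(self, who: str, action: str, where: str, when: str, how: str = "") -> None:
        self.entries.append({"who": who, "action": action, "where": where,
                             "when": when, "how": how})

    def verify(self, copy: bytes) -> bool:
        """True only if the working copy still matches the acquisition digest."""
        return hmac.compare_digest(digest(copy), self.sha256)


def acquire(item: str, image: bytes, examiner: str, where: str, when: str) -> CustodyRecord:
    """Record the digest at acquisition time and the first custody entry."""
    rec = CustodyRecord(item, digest(image))
    rec.log(examiner, "acquired bit-level image and computed SHA-256", where, when)
    return rec


# Constructed sample: bytes standing in for a seized drive, including slack-space remnants.
ORIGINAL_IMAGE = b"MBR\x00" * 512 + b"deleted-file remnant in slack space" + b"\x00" * 4096

if __name__ == "__main__":
    rec = acquire("Exhibit 1 (laptop HDD)", ORIGINAL_IMAGE, "examiner A", "lab bench 3", "2024-01-01T10:00Z")
    rec.log("examiner B", "moved to evidence locker", "locker 7", "2024-01-01T12:30Z", how="sealed bag, signed")
    working_copy = bytes(ORIGINAL_IMAGE)          # analysis happens on the copy, never the original
    print("working copy intact:", rec.verify(working_copy))
    tampered = working_copy[:10] + b"X" + working_copy[11:]
    print("tampered copy intact:", rec.verify(tampered))
```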

36 Things to Look For
 Hidden files
 Steganography
 Slack space
 Malware
 Deleted files
 Swap files

37 Trapping the Bad Guy
 Enticement
  –Legal attempt to lure a criminal into committing a crime
  –Provide a honeypot in your DMZ
  –Pseudo flaw (software code)
  –Padded cell (virtual machine)
 Entrapment
  –Illegal attempt to trick a person into committing a crime
