Presentation is loading. Please wait.

Presentation is loading. Please wait.

Assessing & Auditing Internet Usage Policies

Similar presentations


Presentation on theme: "Assessing & Auditing Internet Usage Policies"— Presentation transcript:

1 Assessing & Auditing Internet Usage Policies
Presented to the Institute of Internal Auditors 13 April 2004 M. E. Kabay, PhD, CISSP Associate Professor & Program Director, Information Assurance Division of Business & Management, Norwich University M. E. Kabay, PhD, CISSP Copyright © 2004 M. E. Kabay All rights reserved.

2 Topics Assessing vs Auditing Fundamentals of Information Assurance
Functions of IA Selected Topics in ‘Net Abuse Intellectual Property Video from Commonwealth Films Wrap-up

3 Assessing vs Auditing Assessment—Evaluation: judgement about something based on an understanding of the situation. Audit—Verification: judgement of extent of compliance with formal policies. Goals today: Facilitate both assessments and audits Provide wider context than simply compliance with formal written policies. Increase awareness of issues so that auditors can engage in more productive discussion with IT and security colleagues

4 Fundamentals of IA The Classic Triad Confidentiality Integrity
Availability The Parkerian Hexad Possession Authenticity Utility Information Assurance (IA)

5 Copyright © 2004 M. E. Kabay. All rights reserved.
The Classic Triad C I A Explain what these letters stand for. Can you think of other shorthand summaries of what information security involves? Copyright © 2004 M. E. Kabay All rights reserved.

6 Copyright © 2004 M. E. Kabay. All rights reserved.
Confidentiality Restricting access to data Protecting against unauthorized disclosure of existence of data E.g., allowing industrial spy to deduce nature of clientele by looking at directory names Protecting against unauthorized disclosure of details of data E.g., allowing 13-yr old girl to examine HIV+ records in Florida clinic 1. The Canadian consumer-tracking service Air Miles inadvertently left 50,000 records of applicants for its loyalty program publicly accessible on their Web site for an undetermined length of time. The Web site was offline as of 21 January until the problem was fixed. 2. An error in the configuration or programming of the F. A. O. Schwarz Web site resulted paradoxically in weakening the security of transactions deliberately completed by FAX instead of through SSL. Customers who declined to send their credit-card numbers via SSL ended up having their personal details — address and so forth — stored in a Web page that could be accessed by anyone entering a URL with an appropriate (even if randomly chosen) numerical component. 3. Prof. Ross Anderson of Cambridge University analyzed requirements on the AMAZON.COM online bookstore for credit card number, password, and personal details such as phone number. He identified several risks: (1) merchant retention of credit card numbers poses a far higher risk of capture than of capture in transit; (2) adding a password increases the likelihood of compromise because so many naïve users choose bad passwords and then write them down; (3) even the British site for Amazon contravenes European rules on protecting consumer privacy; (3) such practices make it easier for banks to reject their clients' claims of fraudulent use of their credit-card numbers. C Copyright © 2004 M. E. Kabay All rights reserved.

7 Copyright © 2004 M. E. Kabay. All rights reserved.
Integrity Internal consistency, validity, fitness for use Avoiding physical corruption E.g., database pointers trashed or data garbled Avoiding logical corruption E.g., inconsistencies between order header total sale & sum of costs of details 1. Sun Valley, ID uses a computer-based identification and authorization system using a computer-generated pass with a bar code, radio-linked scanners and computers, and so on. The system works very well. Unfortunately, after a hard disk crash in mid-December 1997, the operators found that — surprise — they had no backups for the data they lost. Thousands of users were asked to re-register with the area. 2. At the Stanford University Graduate School of Business, system administrators installed additional disk capacity to their servers. They then reloaded files from a corrupt backup tape on 7 Mar. The faculty and student files were destroyed, leaving many faculty members and graduate students without their research files. [This incident again demonstrates the importance of VERIFYING THE READABILITY of backups. It also strengthens my belief in the wisdom of making TWO backups before attempting to reload a system.] 3. The RAND Corporation reported that CD-ROMs can deteriorate within 5-10 years -- much faster than the 50 years usually quoted. This instability is quite apart from the even more serious problem of incompatibility of medium, where a perfectly good storage device becomes unreadable because of changes in technology. Ever try to read an 8-inch floppy disk from the 1970s on your DVD player? 4. Pity Mr Cody Johnston, a commercial trucker in Bozeman, MT. He admittedly broke speeding laws and paid a fine, but the local newspaper reported his misdemeanor as a sexual deviation charge, which potentially includes homosexuality and bestiality. Apparently the court computer system printed out a list of convictions using erroneous labels for the internal codes. Mr Johnston sued the court and the newspaper for libel. 5. A Social Security Administration employee who become angry with a woman with whom he argued in an Internet chat room used a fellow-employee's terminal to fill in a death date for the woman in her SSA records. She applied for a loan at her bank and discovered that she was ""cyberdead."" Jorge Yong admitted culpability, resigned and paid $800 in fines and damages. C I Copyright © 2004 M. E. Kabay All rights reserved.

8 Copyright © 2004 M. E. Kabay. All rights reserved.
Availability Timely access to data Avoid delays E.g., prevent system crashes & arrange for recovery plans Avoid inconvenience E.g., prevent mislabeling of files 1. Installation of some new software on the ETrade Web-based stock brokerage caused intermittent, serious failures that interrupted electronic trading for several hours on Wednesday 3 February. Some customers interviewed by R. Scott Raynovich, writing for Wired, stated that they would pull their brokerage business out of Etrade for failing to provide consistent service. An anonymous investor reportedly said, "I'm trusting these guys with thousands of dollars of my money, and they can't provide me consistent access to it," said one ETrade customer, who asked to remain unnamed because he feared retribution from ETrade officials as he attempted to transfer money to another service. Hours, sometimes days, go by with me unable to put money into a suddenly hot stock, pull out of one that's tanking, or try to get in on an IPO. I'm disgusted with this company." 2. E-Trade, the online stock trading firm, was severely embarrassed when its computers crashed on the 3rd, 4th and 5th of February because of software quality problems. Clients were up in arms over the difficulties they experienced in buying and selling stocks quickly -- the much-touted advantages of electronic trading via the Internet. 3. The Charles Schwab online stock brokerage computers went down at 09:37 on for about 90 minutes, causing disruption for its clients, who were normally placing an average of 153,000 trades a day online — 28% of the market for online securities trading. 4. On 21 Feb 1999, there was a 15 hour period when many ISPs in the UK were down due to (1) a problem on a transatlantic link maintained by Teleglobe and (2) the simultaneous upgrade of a mail server on the Cable Internet ISP. Malcolm Park noted in RISKS that many users of the affected ISPs complained about interference with their Net-dependent business. He pointed out that businesses should know that the Internet has no guarantee of service; at the very least, it would be appropriate for anyone dependent on the 'Net to have a contract with a backup ISP. [MK comments: here in Vermont, I have two ISPs -- and have often had to resort to the secondary one when the first one's local node is saturated or malfunctioning. Unfortunately, I still have only one set of wires between our home out in the boondocks and the central switch -- but at least the set includes three different phone numbers.] A C I Copyright © 2004 M. E. Kabay All rights reserved.

9 Problem: Missing Elements
Which principle of the C-I-A triad has been breached when A child takes bank card with password in envelope but does not open it? Someone sends threat to President using your address but not your logon? Someone converts all the salary figures in your database to Iraqi Dinars? ANSWER: NONE OF THEM – THE TRIAD IS INSUFFICIENT TO DESCRIBE SECURITY BREACHES

10 Copyright © 2004 M. E. Kabay. All rights reserved.
The Parkerian Hexad Protect the 6 atomic elements of INFOSEC: Confidentiality Possession or control Integrity Authenticity Availability Utility See Kabay, M. E. (1996). The NCSA Guide to Enterprise Security: Protecting Information Assets. McGraw-Hill (New York). ISBN xii pp. Index. for extensive discussion of these issues. Copyright © 2004 M. E. Kabay All rights reserved.

11 Copyright © 2004 M. E. Kabay. All rights reserved.
Why “Parkerian?” Donn G. Parker Recipient of Lifetime Achievement Award from NCSC in 1993 Donn Parker Donn B. Parker is a retired (1997) senior management consultant at SRI International in Menlo Park, California who has specialized in Information security and computer crime research for 30 of his 47 years in the computer field. He has written numerous books, papers, articles, and reports in his specialty based on interviews of over 200 computer criminals and reviews of the security of many large corporations. He received the 1992 Award for Outstanding Individual Achievement from the Information Systems Security Association and the 1994 National Computer System Security Award from U.S. NIST/NCSC, The Aerospace Computer Security Associates 1994 Distinguished Lecturer award, and The MIS Training Institute Infosecurity News 1996 Lifetime Achievement Award. The Information Security Magazine identified him as one of the five top Infosecurity Pioneers (1998). He formed the International Information Integrity Institute (I-4) at SRI that has been serving over 75 corporate members for 9 years to keep them aware of the most advanced information security concepts and controls. * * * Listen to (or watch) a 1 hour 49 minute audio conference on Early Computer Crime moderated by Donn Parker with pioneer researchers Whitfield Diffie (Sun Microsystems), John Markoff (The New York Times), Peter Neumann (Computer Science Lab at SRI) and Cliff Stoll (author of The Cuckoo's Egg) recorded on See page tnc_program.html?program_id=79 for various audio and video streaming formats. Copyright © 2004 M. E. Kabay All rights reserved.

12 Copyright © 2004 M. E. Kabay. All rights reserved.
Possession Control over information Preventing physical contact with data E.g., case of thief who recorded ATM PINs by radio (but never looked at them) Preventing copying or unauthorized use of intellectual property E.g., violations by software pirates 1. In Beijing, a court ordered two software pirates to compensate Microsoft for stealing their software and making illegal copies. This was the first case in which the Chinese justice system condemned miscreants for violations of intellectual property rights. 2. Hitachi, IBM, NEC, Pioneer and Sony (the ""Galaxy Group"") announced their agreement on a new digital watermark standard that would embed a cryptographic code in every frame of a digitial multimedia work. New digital equipment would not allow copies of such works." 3. The Norwegian company FAST makes software that can download MP3 files. The International Federation of the Phonographic Industry (IFPI) lodged a complaint that resulted in criminal prosecution of FAST for facilitating the theft of illegally posted copyrighted music from the Web. The IFPI was also contemplating a complaint against Lycos, whose search engine catalogs these illegal snippets of intellectual property. A C P I Copyright © 2004 M. E. Kabay All rights reserved.

13 Copyright © 2004 M. E. Kabay. All rights reserved.
Authenticity Correspondence to intended meaning Avoiding nonsense E.g., part number field actually contains cost Avoiding fraud E.g., sender's name on is changed to someone else's 1. According to the British National Criminal Intelligence Service, the explosion in credit-card counterfeiting and other credit fraud is largely due to increased activity by Asian Triads. Losses grew by 500% between 1991 and 1998, with total theft estimated at £25M in the UK in 1998. 2. In Newmarket, Ontario (near Toronto), thieves in cahoots with a gas-station employee installed a miniature camera focused on the debit-card PIN pad. Videos of customers punching in their PINs, coupled with account information provided by the criminal employee sufficed to let the gang create fake debit cards to pillage accounts. The criminals got into the habit of visiting ATMs at midnight so they could steal two days' worth of maximum withdrawals. Police reported total thefts in the hundreds of thousands of dollars. The criminals were arrested just before a planned expansion to five more gas stations. 3. The Transportation Federal Credit Union was robbed of over $1M by Asian crime groups which developed algorithms for generating valid debit-card numbers (with a success rate of about 50%). The fake cards were then used to extract money from the victimized accounts. Unfortunately, a software error at the Union precluded verification of the encrypted checksums on the cards' magnetic strips. 4. In Finland, high-tech thieves installed a ""small black card reader"" on top of the regular slot for inserting debit and credit cards in an ATM. With the codes from their extra card reader plus some standard shoulder-surfing to garner PINs, the thieves were able to create 60 counterfeit cards and stole the equivalent of U$36,600. 5. A father and his teenaged daughter were arrested in Michigan in mid-December after allegedly using a scanner, computer, and color printer to create counterfeit U$20 bills and spending $2,800 of the fake money on Christmas presents. Donald Gill of Fairgrove, MI was held in jail pending Federal felony charges. His 17-year-old girl was released on bail and charged under state laws (minors are not subject to federal felony laws). Au Av C P A Copyright © 2004 M. E. Kabay All rights reserved.

14 Copyright © 2004 M. E. Kabay. All rights reserved.
Utility Usefulness for specific purposes Avoid conversion to less useful form E.g., replacing dollar amounts by foreign currency equivalent Prevent impenetrable coding E.g., employee encrypts source code and "forgets" decryption key 1. The entire Y2K debacle is a case of a change in the environment's rendering a data storage format less useful than it was previously. U Au Av C P I Copyright © 2004 M. E. Kabay All rights reserved.

15 Copyright © 2004 M. E. Kabay. All rights reserved.
Functions of IA (1) Avoidance: e.g., prevent vulnerabilities and exposures Deterrence: make attack less likely Detection: quickly spot attack Prevention: prevent exploit Mitigation: reduce damage Transference: shift control for resolution Copyright © 2004 M. E. Kabay All rights reserved.

16 Copyright © 2004 M. E. Kabay. All rights reserved.
Functions of IA (2) Investigation: characterize incident Sanctions & rewards: punish guilty, encourage effective responders Recovery: immediate response, repair Correction: never again Education: advance knowledge and teach others Copyright © 2004 M. E. Kabay All rights reserved.

17 Information Assurance (IA)
Avoid Deter Educate Detect Correct Prevent Recover Mitigate Punish/reward Transfer Investigate Copyright © 2004 M. E. Kabay All rights reserved.

18 Abuse by Outsiders Industrial espionage Web defacement Trojan horses
Viruses and worms Bad software Denial of service Psyops / disinformation Discourage investors Demoralize employees Lead to bad decisions

19 Internet Abuse by Insiders
Attacks on the employer Stealing property / information Damaging / vandalizing property / information Sullying reputation (of self and employer) Attacks on others (leading to liability) Creating hostile work environment Wasting time and resources

20 Essential Policies for 'Net Use
Appropriate use of and Web Protecting privacy Protecting intellectual property Safeguarding resources

21 Selected Topics in ‘Net Abuse
Selling Products and Services Netiquette for Beginners Marketing on the 'Net Spamming the 'Net Market Data Collection: Ethical & Legal Issues Public Relations Nightmares Covert Ads Flamewars

22 Selected Topics (cont'd)
Shills Spoofs USENET Etiquette Internal & the Law Avoid Hostile Work Environment 'Net Filters & Audit Trails Intellectual Property

23 Selling Products and Services
Nothing inherently unethical But problems include: Immortal messages (need expiration date) Inaccurate messages (need digital signature) Inauthentic messages (need non-repudiation) Unwanted messages (need good judgement) Copyright © 2004 M. E. Kabay All rights reserved.

24 Netiquette for Beginners
All & postings using company ID are equivalent to writing on company letterhead Copyright © 2004 M. E. Kabay All rights reserved.

25 Copyright © 2004 M. E. Kabay. All rights reserved.
Marketing on the 'Net World-Wide Web—marketing the right way Legitimate mailing lists NOT Junk (spam) unsolicited, often fraudulent, many forged headers: is this the company you want to keep? who pays? denial of service outrage from many recipients serious business consequences Copyright © 2004 M. E. Kabay All rights reserved.

26 Copyright © 2004 M. E. Kabay. All rights reserved.
Spamming the 'Net Term from Monty Python skit about SPAMÔ Sending large numbers of identical messages to many news groups or addresses Many readers get several related news groups Annoys members, uses bandwidth Severe consequences hate mail bombing removal of Internet access deletion of all future messages expulsion from new groups Copyright © 2004 M. E. Kabay All rights reserved.

27 Spamming the 'Net: Case Studies
Anonymous executive writing in Network World (1994) Posted advertising to 20 news groups Thought people would be interested bombs 800 number posted in alt.sex groups Thousands of obscene phone calls Receptionist quit All 800 calls sent directly to his phone Nearly destroyed his career 1. See <http://www.vix.com/spam/> for good material about spam. 2. BTW, the Hormel Corporation is deeply offended by the misuse of the word SpamÔ to describe unsolicited and repetitive postings. At one point they demanded that Sanford “Spamford” Wallace of the notorious Cyber Promotions firm cease and desist in his abuse of their trademark. 3. If you get harassed by junk and it looks like the headers are valid, write back to the spammer with a standard polite but firm demand to be removed from all their lists. Send a copy of the offending to the ISP using and suggest appropriate measures be taken against this abuse of the 'Net. 4. To verify the existence of a domain, use the WHOIS server at <http://rs.internic.net/cgi-bin/whois>. If the domain doesn't exist, the header has been forged. 5. Be sceptical of addresses supposedly from AOL or PRODIGY — they are often spoofs. 6. If the fraudulent contains an 800 number, be aware that this may be a ruse to fool people into causing serious expense to the victim of a spoof. Malicious supporters of spam have been spamming in the name of anti-spam activists. Copyright © 2004 M. E. Kabay All rights reserved.

28 CAN-SPAM Act (2003) Dictates requirements for opt-out facilities
Requires identification of source Completely useless in stopping criminal spammers Fines for violation of restrictions Can lead to problems for legitimate businesses whose employees are ignorant of law and Internet culture Marketing manager contracts with spammer Employee sends spam on own initiative

29 Market Data Collection: Ethical & Legal Issues
Point of sale data capture Credit records (beware GLB Act) Medical records (beware HIPAA) Compilations of addresses 'Net usage statistics about individuals Spyware Misleading EULAs (end-user license agreements) ASK YOUR CORPORATE ATTORNEY FOR ADVICE Copyright © 2004 M. E. Kabay All rights reserved.

30 Public Relations Nightmares
Lack of professionalism a killer Dishonesty of any kind — remember the audience Spamming Flaming people in professional news groups Copyright violations Netiquette resources on the Web: Copyright © 2004 M. E. Kabay All rights reserved.

31 Copyright © 2004 M. E. Kabay. All rights reserved.
Covert Ads Forums, newsgroups may have strict standards Responses should be technical and helpful Do not introduce company name and product without clear benefit to recipient Repeated marketing hyperbole in technical forum repels potential customers Beware of posting superficially-objective responses that are slanted: will be nailed Copyright © 2004 M. E. Kabay All rights reserved.

32 Copyright © 2004 M. E. Kabay. All rights reserved.
Flamewars Technology insulates some people from empathy Not everyone capable of writing with subtlety and sensitivity Flamewars are written shouting matches Avoid ad hominem remarks comments on intelligence or competence imputation of motives statements claiming to know other people's thoughts outright verbal abuse Copyright © 2004 M. E. Kabay All rights reserved.

33 Copyright © 2004 M. E. Kabay. All rights reserved.
Shills Employees who write as if they were customers All employees should identify themselves as such if information bears on their credibility Such tactics backfire strong objections to dishonesty perpetrators locked out of forums great abuse heaped on individuals and employers long term distrust Copyright © 2004 M. E. Kabay All rights reserved.

34 Copyright © 2004 M. E. Kabay. All rights reserved.
Spoofs Impersonation of others Writing bad things about competitors Can be used as industrial sabotage Possibly actionable Copyright © 2004 M. E. Kabay All rights reserved.

35 Copyright © 2004 M. E. Kabay. All rights reserved.
Spoofs: Case Study ReplyNet vs Promo: October 1995 Promo Enterprises is mass sent junk to 171,000 recipients listed “REPLY.NET” as return address Promo has recently announced competition with ReplyNet auto-reply service ReplyNet Inc. provides non-objectionable advertising on 'Net ReplyNet received 100s of complaints sent apologies but largely rejected damage to reputation as responsible service Copyright © 2004 M. E. Kabay All rights reserved.

36 Spoofs: Case Study (cont'd)
ReplyNet initiated lawsuit: Violations of US. federal law Forgery Trademark violation Damages payable to ReplyNet $5-$10 for each of 171,000 people Refunds for on-line time to all unwilling recipients May be a case of industrial sabotage (“spamotage” in John Schwartz's phrase—Washington Post) Settled out of court on “generous terms” In May 97, Craig Nowak, a clueless college student, chose a return address at random for his slimy first attempt at junk . Unfortunately for his victim, "flowers.com" is a legitimate business whose owner received 5,000 bounced messages and plenty of abuse for supposedly spamming the world. Fortunately for the anti-spam cause, the enraged florist, Tracy LaQuey Parker, launched a lawsuit for damages and was supported by the Electronic Frontier Foundation (Austin chapter) and the Texas Internet Service Providers Association. In late September 97, the plaintiffs won a temporary injunction against the defendant preventing him from further use of the appropriated domain name (not that he'd have wanted to, at that point). Copyright © 2004 M. E. Kabay All rights reserved.

37 Copyright © 2004 M. E. Kabay. All rights reserved.
USENET Etiquette Lurk before you leap: learn specific style Stick to the forum/section subject area Make messages concise Quote only relevant text from previous message Respect copyright laws Don't flame people Avoid profanity, ethnic/religious slurs, etc. On USENET, everything you write may be archived and available forever See <http://www.dejanews.com> and <http://www.excite.com> for examples of search engines capable of locating archival USENET and other materials. Copyright © 2004 M. E. Kabay All rights reserved.

38 Copyright © 2004 M. E. Kabay. All rights reserved.
Internal can be used in court of law typically stored on system or backups (sometimes for years) don't send you would be ashamed of in public can be seized under subpoena Goofing off at the office goes high-tech By Marc Gunther, Knight-Ridder Newspapers / Originally ran March 25, 1996 WASHINGTON -- It was a funny thing, Jamey Cribbs thought. No matter how much disk space he bought for the computer networks he manages at a sprawling Michigan hospital system, it always filled up in a hurry. Then a worker called to complain that her computer was short of space. The trouble was, she had loaded a byte-gobbling golf game onto her terminal. Now Cribbs uses a software program for businesses that eliminates games like Solitaire from office PCs. The age-old struggle between bosses and slackers has gone high-tech. Surveys show millions of workers use their office computers which are supposed to promote efficiency to play games, surf the Internet or worse. Best of all, they can look busy while goofing off. So companies are cracking down. Many firms now have strict policies prohibiting personal use of office PCs. And they are enforcing the rules. Kmart dismissed a programmer in charge of its World Wide Web site, for linking the corporate message to an erotic picture. Transit police officers in Minneapolis were disciplined for playing a strip-poker game on their workplace computers. An ABC News producer lost his job after 23 years with the company for sending pornographic pictures over the office network. And what computers giveth, computers can taketh away. DVD Software of Irvine, Calif., has sold hundreds of companies its UnGame software, which seeks out and erases computer games from office PCs. A company called Webster Network Strategies of Naples, Fla., builds electronic filters [Cont'd on next page] Copyright © 2004 M. E. Kabay All rights reserved.

39 Avoid Hostile Work Environment
[Cont'd from preceding page] into office networks that prevent workers from using the Internet for such things as viewing sexy pictures or sports scores. To companies that don't think they have a problem with Internet abuse, Webster offers free-of-charge audits of employees' usage. The results are remarkably consistent, says sales manager Julie Novak. "The sex sites are the highest in most cases. Sports usually follows, not too far behind. Then online sales: lingerie, sex toys, maybe things are people are too shy to buy in a store," Novak says. "You can really see the priorities of people." What really steams up bosses is when they learn that employees use the Internet to scan help-wanted ads. The actual scope of the problem is hard to gauge. Webster's audits find that workers at some companies average 90 minutes a day of wasted time. Some of the most popular World Wide Web sites, such as ESPNET SportsZone and the Playboy site, report usage peaks during daytime business hours. And a survey of computer-game players by Coleman & Associates, a consulting firm in Teaneck, N.J., found that 23 percent last played on their office PCs. But Emily Coleman, who did the study, doesn't worry about workers who spend a few minutes relaxing with Doom or Minesweeper. "If you're thinking at work, you can't be a robot," Coleman says. "You've got to take a break. The real question should be, is the work getting done?" At least, she says, workers are developing computer skills and staying at their desks. "I've worked in offices. I know how much time people spend at the coffee machine. This is progress. They're at their desks. At least they can answer the phone," she says with a laugh. Others note that the spread of PCs into the home means that more and more employees are taking their office work home. But Yossi Hollander, a 38-year-old programmer who came up with the idea for the UnGame software with his wife, Dana, says unauthorized game-playing and net-surfing are serious matters. They not only erode productivity but overload office networks. He scoffs at the idea that games played at lunch or after hours don't interfere with business. "OK, so you're playing a golf game at lunch," he says. "You're on the 17th hole. You're about to break the course record. Lunch is now over and the phone rings. What are you going to do, answer the phone or play the 18th hole?" UnGame has been sold to corporations, government agencies and colleges. Greg Scott, information services manager for Oregon State's college of business in Corvallis, installed the anti-game software after demand for the 140 computers in his lab outstripped supply. "Seat time is exceedingly valuable," he said. "This is one more tool in my quiver." In Minneapolis, the strip-poker game played by transit cops led to an agency scandal. Female co-workers brought suit for sexual harassment, in part because the computer-generated women who bared their cyber-cleavage were named after real-life workers. A supervisor was disciplined after trying, and failing, to delete evidence of the game. While Internet surfing is a newer problem, Webster's Internet filter program, introduced last summer, has already been sold to such big customers as Boeing Co., Northeast Utilities and the Florida Department of Transportation. Novak, the sales manager, said the software was invented to block pornography, but that its sales are now being driven by concerns about productivity and office networks that are strained to capacity. Some corporations are reportedly rethinking plans to give employees broad Internet access. Texaco Inc. reviews network logs to monitor worker surfing and Frigidaire Corp. postponed plans to provide employee access, according to the trade magazine Network World. [Cont'd on bottom of next page] Abusive internal should be explicitly barred by corporate policy racism sexism harassment of all kinds Libel Same applies to inappropriate Web use Copyright © 2004 M. E. Kabay All rights reserved.

40 'Net Filters & Audit Trails
Filters control what can be displayed through Web browser Web pages USENET groups Useful as part of pattern of parental controls Also useful in workplace (contentious issue) Game filters also available to purge games similar to anti-virus software Some 'Net Filters: CyberPatrol 'Net Nanny SafeSurf CYBERsitter SurfWatch Game filter: Ungame -- DVD Software (Irvine, CA) Copyright © 2004 M. E. Kabay All rights reserved.

41 Intellectual Property I: Fundamentals
Purpose Subject Matter What is Protected by Copyright? Formalities Works Made for Hire Contractual Sale Infringement HTML Linking Framing Scumware Criminal Law 1st Amendment? Fair Use

42 Purpose of Intellectual Property Law
Stimulate creativity for Mechanisms: Protect intellectual property Prevent loss of control or possession Support gainful return on investment Copyright Trademark Patent Copyright © 2004 M. E. Kabay All rights reserved.

43 Copyright © 2004 M. E. Kabay. All rights reserved.
Subject Matter Original works of authorship Independent product of author Not copied Exclusion Idea Procedure Process Method of operation Concept Principle Discovery Copyright © 2004 M. E. Kabay All rights reserved.

44 What is Protected by Copyright?
Reproduction Preparation of derivative works Distribution Performance Display in public

45 Copyright © 2004 M. E. Kabay. All rights reserved.
Formalities Original work is automatically copyrighted in the name of the author / creator Not necessary to indicate “Copyright © 2001 name-of-author. All rights reserved.” Advisable to do so to strengthen legal position in case of claimed doubt. May register US works with US Copyright Office Offers increased protection $500-$20,000 statutory damages Register within 3 months of publication Copyright © 2004 M. E. Kabay All rights reserved.

46 Works Made for Hire Full-time employees generally forfeit claim to work created expressly for purpose of their job Copyright belongs to the employer Employers' rights do not apply to creative work outside employment Not created with employer facilities, tools Not interfering with regular work Created outside normal working hours Problems can occur when creative outside work is directly related to job function

47 Copyright © 2004 M. E. Kabay. All rights reserved.
Contractual Sale Copyright ownership may be traded or sold Employers often include clause claiming copyright over all creations by employee Sometimes specify work created for any purpose and at any time E.g., children's story book No obligation to agree to such clause But no obligation to hire employee without such agreement Publishers almost always try to get all rights Recent case distinguishes between paper publication and electronic publication Copyright © 2004 M. E. Kabay All rights reserved.

48 Writers Win a Court Battle for Control 1999-09
New York state court ruled in favor of National Writers Union Against New York Times & other major publishers Affirmed right of writers to control publication if their materials in new media Publishers wanted to use submissions for CD-ROMs or Web without paying additional royalties For more information about the “Tasini v. The New York Times” ruling visit the National Writers Union Web site at Copyright © 2004 M. E. Kabay All rights reserved.

49 Copyright © 2004 M. E. Kabay. All rights reserved.
Infringement Any use without express permission of copyright holder Printing Posting on Web Using in derivative work Direct infringement Monetary profit is not an issue Distributing someone else's work for free is not a mitigating factor Contributory infringement: ISPs? Requires substantial or pervasive involvement Copyright © 2004 M. E. Kabay All rights reserved.

50 Copyright © 2004 M. E. Kabay. All rights reserved.
Facts? Factual information cannot be copyrighted in itself; e.g., 2+2 = 4 Distance between Norwich and Montpelier The representation of factual information can be copyrighted; e.g., A times-table designed for children with pictures of friendly animals romping around edge of the table A map of Vermont with particular fonts, colors, and symbols Copyright © 2004 M. E. Kabay All rights reserved.

51 Copyright © 2004 M. E. Kabay. All rights reserved.
NBA vs Pagers — EDUPAGE Sports pagers receive scores in real time NBA does not want pagers to broadcast games scores during games NBA argues in court that this information is proprietary Second U.S. Court of Appeals in New York ruled in favor of pager companies Copyright © 2004 M. E. Kabay All rights reserved.

52 Copyright © 2004 M. E. Kabay. All rights reserved.
Associated Press June 2001 – claim copyright protection for facts reported in news wire feeds Would prevent even summarizing or abstracting articles Serious doubts that this claim will be accepted if any case goes to court Copyright © 2004 M. E. Kabay All rights reserved.

53 Copyright © 2004 M. E. Kabay. All rights reserved.
HTML Does “borrowing” HTML source code constitute infringement? In theory yes In practice, no Copyright © 2004 M. E. Kabay All rights reserved.

54 Copyright © 2004 M. E. Kabay. All rights reserved.
Linking Does pointing to a Web site violate copyright? Depends on how it's done Putting copyrighted material in a FRAME has been argued to be infringement was accused of infringement Copyright © 2004 M. E. Kabay All rights reserved.

55 Copyright © 2004 M. E. Kabay. All rights reserved.
Framing: TotalNews — RISKS, EDUPAGE Materials from news source Banner ad fees paid to TotalNews “Channels” controlled by TotalNews From EDUPAGE: NEWS LINK SITE SUED OVER HOT LINKS A lawsuit filed in U.S. District Court in New York City accuses Phoenix-based TotalNews of "blatant acts of misappropriation, trademark dilution and infringement, willful copyright violations, and other related tortious acts." The plaintiffs, which include CNN, The Washington Post Co., Dow Jones, Times Mirror and Reuters, are upset that the hot links provided from TotalNews to their Web sites display their content framed by the TotalNews home page and its banner ads. Bruce Keller, an attorney for the plaintiffs calls totalnews.com "a parasitic Web site with no content of its own." However, TotalNews says it's simply providing PC users links to some 1,200 news sources, allowing viewers to compare information from each, and that if the case goes against them, the precedent will endanger the ability of Web site operators to provide hot links to other sites. "Hot links either do or don't violate trademarks. That's not new. Framing is new. And framing and selling ads is pretty damn new," says Keller. (Broadcasting & Cable 3 Mar 97) Copyright © 2004 M. E. Kabay All rights reserved.

56 Framing: TotalNews (cont'd)
News organizations claimed Misappropriation Entire commercial value of news Reselling to others for TotalNews' profit Federal trademark infringement & dilution Diluting distinctiveness Causing confusion, deceiving customers Copyright infringement Violating several exclusive rights

57 Framing: TotalNews (cont'd)
Violation of advertising laws, deceptive practices & unfair competition Mistaken impression of affiliation Tortious interference with business relationships Selling ads by making news available Conclusion: case settled out of court TotalNews would stop framing Would link to news sites only with permission See

58 Links: Ticketmaster vs Microsoft
— Ticketmaster Group sues Microsoft MS includes hot links from Microsoft Web pages to Ticketmaster Web pages No formal agreement granting permission for such links Ticketmaster sees MS as deriving benefit from the linkage but bypassing Ticketmaster's advertising Ticketmaster programmed Web pages to lead all Sidewalk users trying to follow unauthorized links to a dead end Groups Express Shock At Ticketmaster Move (05/01/97; 8:52 a.m. EDT) By Charlotte Dunlap, Computer Reseller News HOLLYWOOD, Calif. -- Electronic governing bodies and civil liberties groups are shocked over Ticketmaster's move earlier this week to sue Microsoft for providing links from its local Internet directory sites to Ticketmaster's event pages. At issue is Microsoft's creation of links within its Seattle Sidewalk online site. These links bypass Ticketmaster's home page and go directly into its event pages, thus bypassing advertisements located in preceding pages. Seattle Sidewalk "has 24 to 48 links to our site, which is annoying, but that's not the issue," said Alan Citron, senior vice president for multimedia with Ticketmaster. "Our position is, if they're going to build a page strictly around our content, we should share in the ad revenue." Microsoft officials did not return calls for comment. Internet-standards and social-issues bodies said links to other sites are the foundation from which the Web was created. Posting information to a public server implies others can provide links to it, these groups maintained. "Ticketmaster knew when they put up a Web page that's accessed to a public server that people can link to it, and it's an implied license," said Stanton McCandlish, program director at Electronic Frontier Foundation in San Francisco. "Microsoft can't make use of the materials, and there's no copy being made by Microsoft, but their pages just link to it -- that's how the Internet works. It's a URL, an address." Dave Banisar, staff counsel with the Electronic Privacy Information Center in Washington, D.C., agreed. "There's a number of stupid suits like this going on around the world. What it all comes down to is they all missed the point of what the Web is supposed to be. It's designed for linking." (Cont'd on next page) Copyright © 2004 M. E. Kabay All rights reserved.

59 Links: Gary Bernstein Sues Entire Web? (1998-09)
Hollywood photographer Gary Bernstein Sued several Web operators for having links to sites containing pirated copies of his works Included indirect links links to site with links to sites Contamination spread along Web links from bad site to all those linked to it presumably every Web site on planet Los Angeles Federal District Court Judge Manuel A. Real dismissed indirect linkage Bernstein withdrew entire suit New York Times 25 Sep 98 via EDUPAGE Copyright © 2004 M. E. Kabay All rights reserved.

60 Superpose Your Own Ads on Competitor's Site? 1999-02
Alexa Internet company Subscribers to Alexa service got “smart links” Pop-up information company address financial information Offered competitors opportunity to superpose their own ads on top of their competition's Web pages Advertisements could be tailored for specific target E.g., when user clicked competitor's Web site Such services became known as scumware Edupage: SERVICE PUTS ADS ON COMPETITORS' WEB SITES More than 100 advertisers, including Amazon.com and CDNow, have signed up for a service that places their banner ads on their competitors' Web sites. Alexa Internet offers a service that tracks Internet users' surfing patterns and then sends them "smart links" to relevant sites. Users download a toolbar onto their computer screens that delivers information on different companies' Web sites, including address, number of Web visitors and financial data. It also delivers ads, targeted so that they appear only when the user is visiting a designated site. Thus, Amazon.com can ensure that its ad pops up when the Alexa customer logs onto barnesandnoble.com or the U.S. Library of Congress. If the ad is clicked on, it balloons in size, superimposed over the top of the barnesandnoble.com page. "It's as close as you can get to putting an ad on somebody's front door," says the COO of Alexa. (Reuters 11 Feb 99) Copyright © 2004 M. E. Kabay All rights reserved.

61 Copyright © 2004 M. E. Kabay. All rights reserved.
What is Scumware? Software changes appearance and functions of Web sites without permission of Webmasters Overlays advertisements with other ads Adds unauthorized hyperlinks to possibly objectionable sites Interferes with existing hyperlinks by adding other destinations Some products install themselves without warning of these functions Difficult or impossible to control Difficult to uninstall Also known as thiefware Copyright © 2004 M. E. Kabay All rights reserved.

62 Examples of Scumware: Surf+
Copyright © 2004 M. E. Kabay All rights reserved.

63 Examples of Scumware: TopText
Dun & Bradstreet - Provider of international and U.S. business credit information Experian - National consumer credit bureau and business credit reporting service Equifax - One of three national consumer credit repositories Trans Union - National repository of consumer credit information Credit Managers Association of California - Business credit services CMA Business Credit Services - Provides business credit reporting and commercial collections worldwide Copyright © 2004 M. E. Kabay All rights reserved.

64 Copyright © 2004 M. E. Kabay. All rights reserved.
Legal Issues Robin Gross, Attorney for Electronic Frontier Foundation (EFF) – scumware may violate Copyright law US federal rules against deceptive/unfair business practices Copyright: Creating unauthorized derivative work Deception: Give impression that new hyperlink is endorsed by original Website owners Copyright © 2004 M. E. Kabay All rights reserved.

65 Copyright © 2004 M. E. Kabay. All rights reserved.
Legal Issues (cont'd) Moral Rights recognized by most countries other than USA Package of intellectual property rights granted to the original creator of work Right of integrity; Right of attribution; Right of disclosure; Right to withdraw or retract; Right to reply to criticism. Modifying Web pages without permission can violate all of these moral rights Copyright © 2004 M. E. Kabay All rights reserved.

66 Copyright © 2004 M. E. Kabay. All rights reserved.
Fighting Scumware Users Don't sign up for such software without reading and understanding terms of service Remove products if unacceptable Guides available online Webmasters Test pages to see what scumware does to them Use scripts to redirect visitors with infested browsers to warning pages Sign petitions, join lawsuits to protest Copyright © 2004 M. E. Kabay All rights reserved.

67 Copyright © 2004 M. E. Kabay. All rights reserved.
is covered by copyright law Your message is inherently copyrighted Do not copy / post / otherwise distribute someone else's message without permission What about postings to public discussion groups? Posting copyrighted materials in public without permission is a violation of copyright How does permission get signified? Copyright © 2004 M. E. Kabay All rights reserved.

68 Copyright © 2004 M. E. Kabay. All rights reserved.
Criminal Law 17 USC 506(a) stipulates criminal liability for infringing copyright “wilfully and for purposes of commercial advantage or private financial gain.” Includes removal of copyright notice Use of fraudulent copyright notice Felony sanctions (18 USC 3571) 10 or more copies in 180 days of 1 or more works with total retail value of at least $2500 5 years in prison & $250,000 in fines 2nd offense: 10 years Copyright © 2004 M. E. Kabay All rights reserved.

69 Copyright © 2004 M. E. Kabay. All rights reserved.
1st Amendment? Does the 1st Amendment protect unauthorized copying of copyrighted works? Some defendants have claimed 1st Amendment protections when publishing work of public officials But SCOTUS* ruled that even a public official's own copyrighted materials cannot be infringed No ban on publishing the substance of such documents; only on publishing exact form *SCOTUS: Supreme Court of the United States Copyright © 2004 M. E. Kabay All rights reserved.

70 Copyright © 2004 M. E. Kabay. All rights reserved.
Fair Use Fuzzy doctrine No specific law with specifics Questions: more YES the fairer the use Copyright © 2004 M. E. Kabay All rights reserved.

71 Copyright © 2004 M. E. Kabay. All rights reserved.
Fair Use – Cont'd Guidelines for determining if your use of copyrighted materials qualifies as fair use*: 1. Is your use noncommercial? 2. Is your use for purposes of criticism, comment, parody, news reporting, teaching, scholarship, or research? 3. Is the original work mostly fact (as opposed to mostly fiction or opinion)? * Larry Lessig, David Post and Eugene Volokh in Cyberspace Law for Non-Lawyers (1996): Copyright © 2004 M. E. Kabay All rights reserved.

72 Copyright © 2004 M. E. Kabay. All rights reserved.
Fair Use – cont'd 4. Has the original work been published (as opposed to sent out only to one or a few people)? 5. Are you copying only a small part of the original work? 6. Are you copying only a relatively insignificant part of the original work (as opposed to the most important part)? Copyright © 2004 M. E. Kabay All rights reserved.

73 Copyright © 2004 M. E. Kabay. All rights reserved.
Fair Use – Cont'd 7. Are you adding a lot new to the work (as opposed to just quoting parts of the original)? 8. Does your conduct leave unaffected any profits that the copyright owner can make (as opposed to displacing some potential sales OR potential licenses of reprint rights)? The more YES answers there are to the above questions, the more likely it is that your use is legal. The more NO answers there are, the more likely it is that your use is illegal. So is this use of the Fair Use text a fair use? Copyright © 2004 M. E. Kabay All rights reserved.

74 Intellectual Property II: Trademarks
Domain Names Cybersquatting Cases Federal Trademark Dilution Act of 1995 Anticybersquatting Consumer Protection Act of 1999 International Protection of Trademarks

75 Trademarks Purpose Definition and Types Classes of Marks
Application and Exceptions to Grant Nature of Protection Relief for Violation

76 Purpose of Trademarks Represent origin of goods or services
For the producer Use symbol or other designation Represent who makes goods or provides service Reap financial rewards resulting from past quality For the consumer Allow quick recognition of goods or services as being from same manufacturer or provider Prevent confusion and counterfeits

77 Definition and Types of Marks
Trademark Word, name, symbol, device or combination Used to distinguish goods from other similar goods Service mark Identifying and distinguishing services Collective mark TM or SM Coöp, association, union, guild Certification mark Assertion of compliance with standards or origin by certifying organization

78 Examples of Marks TruSecure SecureWatch TruSecure OverWatch CISSP

79 US Legal Protection of Trademarks
Trademark Protection Act of 1946 = “Lanham Act” – see In 15 USC Civil law 15 USC §1114 = §32 of Lanham Act Use likely to Cause confusion Cause mistake Deceive

80 Lanham Act – cont'd 15 USC §1125 = Lanham Act §43
Word, term, name, symbol, device, or combination Likely to cause confusion, mistake or deception Affiliation, connection, association with person Origin, sponsorship, approval Goods, services, commercial activities Commercial promotion or advertising Nature, characteristics, qualities Geographical origin

81 Classes of Marks Fanciful Invented words; e.g., Alera, Adario, Elantra
Arbitrary; e.g., Cougar, Pavillion Suggestive – ordinary words or combinations Connotes quality, ingredient, characteristics but not substance; e.g., PestPatrol, SaferSite Descriptive – ordinary words w/ secondary meaning – primary meaning is source Yellow Pages, Blue Flame Generic – class of product/service – no protection under Lanham Act You have mail, Instant messaging , Web site, e-commerce

82 Nature of Protection for Trademarks
Prevent confusion by users Factors considered by the courts Similarity of marks Similarity of goods Relationship between parties offering goods Classes of purchasers Evidence of confusion Defendant's intent Strength of plaintiff's mark

83 Checkpoint Systems Inc. vs Check Point Software Technologies
The companies Checkpoint Systems provides anti-shoplifting equipment Check Point Software provides firewalls The claim Checkpoint accused Check Point of infringing on its trademark The ruling Court refused to grant injunction Argued there was no likelihood of confusion

84 Relief for Violation of Trademarks
Injunction prohibiting continued violation Seizure of goods and counterfeit marks Recovery of plaintiff's profits Destruction of infringing goods and advertising Recovery of actual damages incurred (loss of profits, goodwill) Recovery of legal costs including attorney's fees in some cases

85 Domain Names The Domain Name System (DNS) Dispute resolution
Hyperlinks Cybersquatting Cases

86 The Domain Name System Converts words (e.g., into IP addresses (e.g., ) Early years – DARPA contract with USC 1992: NSFNET opened to .com users Network Solutions Inc. became registrar for .com, .net, .org 1998: ICANN (Internet Corporation for Assigned Names and Numbers) Established by US government Highly controversial – much political turmoil over actions, governance

87 Hyperlinks and Trademarks
Cannot legally use Others' trademarks or logos on a Web site without permission Framing to bring another's content directly into a page that appears to be created by another site Others' trademarks in invisible metatags visible to search engines

88 Federal Trademark Dilution Act of 1995
Prior to 1995, courts had to rule against plaintiff if no confusion could be shown Thus radically different businesses could use existing trademarks without infringing the Lanham Act But large companies with famous trademarks argued that frequent use diluted value of their marks Congress passed TDA of 1995 to protect such plaintiffs even when no confusion likely

89 Cybersquatting Cases Have Used Trademark Dilution Act
Many examples of parasites who register famous trademarks or people's names as DNS entries Hope to capitalize by extorting money to sell registration to legitimate users Many firms have appealed under ICANN rules or gone to court for trademark dilution Intermatic Inc. vs Toeppen an excellent example of case illuminating the issues Defendant registered 240 domain names using famous company names and trademarks Intermatic argued that Toeppen should not be able to block its use of its TM in domain name Judge ruled in favor of plaintiff because of dilution

90 Anticybersquatting Consumer Protection Act of 1999
Increasing complaints about cybersquatting Bad faith use of TM, company name or person's name defined clearly for domain names Multiple criteria Most significant: offer to sell or transfer domain name For financial gain Without prior use for real business Registration of multiple similar infringing domain names Statutory damages of $1,000-$100,000 per domain name

91 International Protection of Trademarks
Paris Convention for the Protection of Industrial Property (1883) National treatment – same rules for all Rights of priority for filing of registration Similar rights of refusal of registration Seizure of contraband / counterfeits Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS, 1994) Includes TM protection 7-year terms of protection with unlimited renewals

92 Video: get.net.smart Commonwealth Films: excellent source
Topics: Monitoring Internet usage Personal use of corporate resources Sites that are off-limits Denial of service Confidentiality Illegal activities Free preview copies available Preview copy being used today by permission

93 Protecting Your Systems (Top-Level Overview Only)
Fiduciary Responsibility Security Policies Not Shelfware System & Network Management Computer Emergency Response Team Disaster Recovery Procedures Updated & Tested Copyright © 2004 M. E. Kabay All rights reserved.

94 Fiduciary Responsibility to Protect Systems
Failure to protect assets Can result in lawsuits for damages from stakeholders Includes shareholders, employees, clients Terrible publicity Downstream liability Attacker invades your systems due to faulty security Uses your systems to launch attack on third party Legitimate basis for tort Viewed by some tort experts as potential growth area Copyright © 2004 M. E. Kabay All rights reserved.

95 Security Policies Not Shelfware
Up to date & realistic Adequate education & training Active monitoring and enforcement Ongoing awareness programs – changes

96 System & Network Management
Monitor vulnerabilities & patches Intrusion detection systems & response Firewalls, antivirus systems

97 Computer Emergency Response Team
Drawn from throughout organization Analyze priorities for response Collect evidence for analysis, correction, prosecution Initiate rapid recovery

98 Disaster Recovery Procedures
Team drawn from entire organization Documentation absolutely up to date Safeguard people, corporate assets TEST plans thoroughly TEST plans often TEST plans thoroughly and often TEST plans often and thoroughly Did I mention you have to test plans?

99 For Further Reading Doubilet, D. M., V. I. Polley & J. R. Sapp (2002), eds. Employee Use of the Internet and A Model Corporate Policy: With Commentary on Its Use in the U.S. and Other Countries. American Bar Association. ISBN pp. Kabay, M. E. (2002). and Internet Use Policies. Chapter 33 from Bosworth, S. & M. E. Kabay (2002) Computer Security Handbook, 4th Edition. Wiley (ISBN ). Flynn, N. L. (2000). The E-Policy Handbook : Designing and Implementing Effective , Internet, and Software Policies. AMACOM (New York, NY). ISBN Index.

100 Further Reading (cont'd)
Overly, M. R. (1998). E-Policy: How to Develop Computer, E-Policy, and Internet Guidelines to Protect Your Company and Its Assets. AMACOM(New York, NY). ISBN: Index. Whelan, J. (2000). Work. Financial Times Prentice Hall. ISBN pp.

101 Contact Information M. E. Kabay, PhD, CISSP Associate Professor of Information Assurance Program Director, Master’s and Bachelor’s Degrees in Information Assurance Division of Business & Management, Norwich University, Northfield VT Web site: MSIA information: BSIA information: Norwich Graduate Portal:

102 Copyright © 2004 M. E. Kabay. All rights reserved.
DISCUSSION Copyright © 2004 M. E. Kabay All rights reserved.


Download ppt "Assessing & Auditing Internet Usage Policies"

Similar presentations


Ads by Google