Presentation transcript:

Law, Investigation, & Ethics
What laws apply to computer crimes, how to determine that a crime has occurred, how to preserve evidence, how to conduct an investigation, and what the liabilities are.

Computer Crimes
- CISSP obligations: legal and ethical responsibilities to the employer, to the constituency being served, and to the profession as a whole
- Crimes are increasing
- Economic impact is hard to estimate

Common Types of Computer Crime
- DoS, DDoS
- Social engineering
- Fraud
- Espionage
- Embezzlement
- Password theft
- Illegal content of material
- Software piracy
- Information warfare
- Data diddling
- Network intrusions
- Destruction / alteration of data
- Dumpster diving
- Script kiddies
- Terrorism
- Emanation watching
- Spoofing IP addresses
- Malicious code
- Masquerading

Examples
- Slammer worm, January 2003
- Code Red
- Klez worm
- DDoS against Yahoo, Amazon, etc., February 2000
- Love Letter worm, May 2000
- Microsoft network penetration, October 2000
- Mitnick's attacks on phone systems, 1980s
- Morris Internet worm, November 1988
- Attacks on U.S. classified computer systems (The Cuckoo's Egg), 1986

Problems
- Jurisdictional: international character of the Internet; different types of laws; different desires for enforcement
- Rapid pace of technology: outpaces the laws; outpaces understanding by lawmakers

Law: Legal Systems
- Common law: US, UK, Australia, Canada
- Civil law: France, Germany, etc.
- Religious law: Islamic, etc.
- Example, US: legislative branch makes statutory law; administrative agencies make administrative law; the judicial branch makes common law in court decisions

Statutory Law
- Collected as session laws in order of enactment
- Statutory codes are organized by subject matter, e.g. the United States Code
- A citation gives: code title number, abbreviation for the code, statutory section within the title, and date of the edition or supplement
- Example: 18 U.S.C. § 1001 (1992) is Section 1001 in Title 18 (Crimes & Criminal Procedure) of the 1992 edition of the United States Code

Administrative & Common Law
- Administrative law is arranged chronologically in the Federal Register and by subject matter in the Code of Federal Regulations
- Common law is compiled in case reports (chronologically) and case digests (by subject matter)

Common Law Systems: Categories
- These are categories of legal systems, not court decisions
- Criminal law: individual conduct that violates government laws enacted to protect the public
- Civil law: a wrong inflicted upon a person or organization by another person or organization
- Administrative / regulatory law

Intellectual Property Law
- Patent
- Copyright
- Trade secret: proprietary, valuable technical information
- Trademark: word, name, etc. used to distinguish goods from those sold by others
- Warranty

Patent
- Right to exclude others from using the invention
- Criteria for a patent:
  1. Must be a process, machine, object made by humans, composition of matter, or new use of any of the above
  2. Must be useful
  3. Must be novel
  4. Must be obvious to a skilled person

Copyright
- Original works of authorship
- Use by educators, researchers & librarians: fair use allows limited copying for teaching; limited reproduction is allowed for libraries
- Term: author's life + 70 years

Warranty
- Contract that commits the organization to stand by its product
- Implied warranty: fitness for a particular purpose (based on seller statements); warranty of merchantability (fit to be sold)
- Express warranty basic requirements: must state whether it is full or limited; must show the coverage in clear, easy statements; must ensure the customer can read it before purchase

Information & Privacy Laws
- Right to protection of personally identifiable information
- HIPAA items
- Principles: notice of disclosure to 3rd parties; choice to opt out of disclosure; access; security; enforcement

Privacy Policy
Organizations develop & publish a policy covering:
- Type of information collected
- Cookies & server logs used
- How information is shared
- Rules for disclosing to 3rd parties
- Mechanisms used to protect the information

Privacy-Related Legislation
- Cable Communications Act
- Children's Online Privacy Protection Act
- Customer Proprietary Network Information rules
- Financial Services Modernization Act
- 1973 U.S. Code of Fair Information Practices: there must be no record systems whose existence is kept secret; there must be a way for a person to find out what is kept; there must be a way to prevent information from being kept; the organization must ensure the information is accurate

European Union (EU) Principles
- Generally more protective than the US; therefore transfer from the US is a problem
- Principles:
  - Information cannot be disclosed without the permission of the person or authorization by law
  - Records must be up to date
  - Individuals have the right to correct errors
  - Information can be used only for its original purpose
  - Individuals have the right to receive a report on the information held
  - Transmission of information is prohibited where equivalent personal data protection cannot be assured

Health Care-Related Privacy Issues
- Excellent example of privacy issues
- Access controls usually do not provide sufficient granularity to implement least privilege
- Most off-the-shelf applications are not adequate
- Outside partners, members, etc.
- User access via the Internet is a problem
- Criminal & civil penalties
- Public perception
- U.S. Kennedy-Kassebaum Health Insurance Portability & Accountability Act (1996); standard: Safeguards

Platform for Privacy Preferences (P3P)
- W3C privacy practices for web sites
- Organization can post its privacy policy as XML: who has access; type of information stored; how information is used; legal entity making the privacy statement
- Posting requires the organization to think about privacy issues
- P3P-enabled web browsers, e.g. AT&T's Privacy Bird software

Electronic Monitoring
- Keystroke monitoring, e-mail monitoring, surveillance cameras, badges, RFID, magnetic entry cards
- Organization should: inform employees of what is monitored; apply monitoring uniformly; explain what is acceptable use; tell who can see the data and what it is used for
- Enticement vs. entrapment

Misc. Privacy Laws
- 2000 U.S. Electronic Signatures in Global & National Commerce Act
- PATRIOT Act: subpoena of electronic records; monitoring of the Internet; search & seizure of information on live systems; notification of a warrant can come after the search
- Federal Information Security Management Act: ensure effectiveness of information security controls; recognize a highly networked government; maintenance of minimum information controls; provide improved oversight

Investigation
- Computer forensics: collecting information about a computer system that is admissible in court
- Issues: compressed time frame; information is intangible; the investigation might interfere with normal operations; difficulty in gathering information; data for the investigation is co-located with normal data; an expert / specialist is required; international problems; expanded definitions of property to include electronic information

Evidence
- Gathering, control, storage & preservation are extremely critical: evidence is subject to easy modification
- Chain of evidence records: location where obtained; time obtained; ID of the person obtaining it; ID of the people securing it; ID of the people controlling it

Evidence Life Cycle
1. Discovery & recognition
2. Protection
3. Recording
4. Collection
5. Identification
6. Preservation
7. Transportation
8. Presentation in court
9. Return to owner

Evidence Admissibility
- Relevant: related to the crime; describes the time and what has occurred
- Legally permissible: obtained in a lawful manner
- Reliability: has not been tampered with or altered
- Identification: properly identified without altering it
- Preservation: not subject to damage or destruction
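The chain-of-evidence fields from the Evidence slide and the reliability and identification requirements above can be turned into a concrete record. The following is an added example, not from the original presentation: the evidence image is hashed at collection, every hand-off re-hashes the copy and logs who now controls it, and a final check confirms that no entry was dropped and no copy was altered. Names, locations and the sample image bytes are constructed.

```python
import hashlib
import json

def evidence_hash(data: bytes) -> str:
    """SHA-256 of the acquired image; any later modification changes it."""
    return hashlib.sha256(data).hexdigest()

def new_custody_log(item_id, data, location, obtained_by, secured_by, when):
    """Start a chain-of-custody log with the fields the slide lists:
    location obtained, time obtained, who obtained it, who secured it."""
    h = evidence_hash(data)
    return {
        "item_id": item_id,
        "original_hash": h,
        "entries": [{"seq": 1, "time": when, "action": "collected",
                     "location": location, "obtained_by": obtained_by,
                     "secured_by": secured_by, "hash": h}],
    }

def transfer_custody(log, data, from_person, to_person, when):
    """Record a hand-off. Returns True when the copy handed over still
    matches the original hash, False if it has been altered."""
    h = evidence_hash(data)
    log["entries"].append({"seq": len(log["entries"]) + 1, "time": when,
                           "action": "transferred", "from": from_person,
                           "controlled_by": to_person, "hash": h})
    return h == log["original_hash"]

def verify_chain(log):
    """Reliability check: sequence numbers must be contiguous (no entry
    removed) and every recorded hash must equal the original."""
    entries = log["entries"]
    seq_ok = [e["seq"] for e in entries] == list(range(1, len(entries) + 1))
    hash_ok = all(e["hash"] == log["original_hash"] for e in entries)
    return seq_ok and hash_ok

if __name__ == "__main__":
    image = b"constructed sample disk image bytes"   # constructed evidence
    log = new_custody_log("HD-001", image, "Server room, rack 3",
                          "A. Analyst", "B. Custodian", "2024-01-15T09:30:00Z")
    print(transfer_custody(log, image, "B. Custodian", "C. Examiner",
                           "2024-01-15T11:00:00Z"))          # True
    print(transfer_custody(log, image + b"\x00", "C. Examiner", "D. Clerk",
                           "2024-01-16T08:00:00Z"))          # False: altered
    print(verify_chain(log))                                 # False
    print(json.dumps(log, indent=2))
```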

Types of Evidence
- Best evidence: originals
- Secondary: copy of originals
- Direct: five senses
- Conclusive: incontrovertible
- Opinions: expert & non-expert (facts only)
- Circumstantial: inference
- Hearsay: third party (not admissible in court)

Conducting the Investigation
- Involve management, organization security, human resources and the legal department
- Watch for retaliatory acts
- Prepare a plan ahead of time: establish prior liaison with law enforcement; determine jurisdiction; set up a means for reporting computer crimes; establish procedures for dealing with them; plan for and conduct the investigation; ensure proper collection of evidence

Conducting the Investigation (continued)
- Prevent negative publicity if possible
- Exigent Circumstances Doctrine: search without a warrant when destruction of evidence is deemed imminent; too early (strict) vs. too late
- Good sources of evidence: telephone records, video cameras, audit trails, system logs, backups, witnesses, e-mails
- Motive – Opportunity – Means

Liability
- Senior management is subject to $290M in fines if the organization does not comply with the law
- Prudent man rule: due care or reasonable care
- Prevent the organization's resources from being used in a DDoS
- Backups
- Scans for malicious code
- BC & DR plans
- Local & remote access controls
- Security policies, procedures & guidelines
- Personnel screening
- Establishing an incident handling plan

Incident Handling Plan Questions
- What is considered an incident?
- How should an incident be reported?
- To whom should it be reported?
- When should senior management be told?
- What action should be taken?
- Who should handle the response?
- How much damage was caused?
- What information was damaged or compromised?
- Are the recovery procedures OK?
- What type of follow-up is required?
- Should additional safeguards be implemented?

Ethics
- (ISC)² Code of Ethics
- Coalition for Computer Ethics:
  - Do not use a computer to harm others
  - Do not interfere with others' computer work
  - Do not snoop
  - Do not use a computer to steal
  - Do not use a computer to bear false witness
  - Do not copy or use stolen software
  - Do not use computers without authorization
  - Do not steal others' intellectual output
  - Think about the social consequences of computer use
  - Use the computer in ways that ensure consideration & respect for others

Unacceptable Activities
- Seeks to gain unauthorized access
- Destroys the integrity of computer-based information
- Disrupts the intended use of the Internet
- Wastes resources such as people, capacity or computers
- Compromises the privacy of others
- Involves negligence in the conduct of Internet experiments

Organization for Economic Cooperation & Development (OECD) Principles
- Collection limitation
- Data quality
- Purpose specification
- Use limitation
- Security safeguards
- Openness
- Individual participation
- Accountability
- Transborder issues