Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSE 4482: Computer Security Management: Assessment and Forensics

Published byArnold Derrick Long Modified over 8 years ago

Similar presentations

Presentation on theme: "CSE 4482: Computer Security Management: Assessment and Forensics"— Presentation transcript:

1 CSE 4482: Computer Security Management: Assessment and Forensics
Instructor: Suprakash Datta (datta[at]cse.yorku.ca) ext 77875 Lectures: Tues (CB 122), 7–10 PM Office hours: Wed 3-5 pm (CSEB 3043), or by appointment. Textbooks: 1. "Management of Information Security", M. E. Whitman, H. J. Mattord, Nelson Education / CENGAGE Learning, 2011, 3rd Edition 2. "Guide to Computer Forensics and Investigations", B. Nelson, A. Phillips, F. Enfinger, C. Steuart, Nelson Education / CENGAGE Learning, 2010, 4th Edition. 4/20/2017 1

2 Ch 12: Law and Ethics Upon completion of this chapter, you should be able to: Differentiate between law and ethics Describe the ethical foundations and approaches that underlie modern codes of ethics Identify major national and international laws that relate to the practice of information security Describe the role of culture as it applies to ethics in information security Identify current information on laws, regulations, and relevant professional organizations Management of Information Security, 3rd ed. 2

3 Understand the current legal environment
Introduction All information security professionals must understand the scope of an organization’s legal and ethical responsibilities Understand the current legal environment Keep apprised of new laws, regulations, and ethical issues as they emerge To minimize the organization’s liabilities Educate employees and management about their legal and ethical obligations And proper use of information technology Management of Information Security, 3rd ed. 3

4 Law and Ethics in Information Security
Laws: Rules adopted and enforced by governments to codify expected behavior in modern society Ethics: Relatively fixed moral attitudes or customs of a societal group (based on cultural mores) The key difference between law and ethics is that law carries the sanction of a governing authority and ethics do not Management of Information Security, 3rd ed. 4

5 Information Security and the Law
InfoSec professionals and managers must understand the legal framework within which their organizations operate Can influence the organization to a greater or lesser extent, depending on the nature of the organization and the scale on which it operates Management of Information Security, 3rd ed. 5

6 Types of Law Civil law Criminal law Tort law
Pertains to relationships between and among individuals and organizations Criminal law Addresses violations harmful to society Actively enforced and prosecuted by the state Tort law A subset of civil law that allows individuals to seek redress in the event of personal, physical, or financial injury Management of Information Security, 3rd ed. 6

7 Civil lawsuits In a civil law problem, ‘victim’ must take action to get a legal remedy (adequate compensation). ‘victim’ must hire a private lawyer & pay expenses of pursuing the matter the police does not get involved, beyond the point of restoring the order In Civil Law, to convict someone, the guilt must be proven on ‘balance of probabilities’. In Civil Law, monetary remedies (damages) are most common.

8 Criminal cases In a criminal law problem, ‘victim’ (may) report the case to the police and they have the responsibility to investigate. if charge has been properly laid and there is supporting evidence, the Crown Prosecutor (not person who complains of incident) prosecutes in the courts – public funds finance these services even if a ‘victim’ starts a prosecution privately, the Attorney General has the power to take over the prosecution

9 Criminal cases II In Criminal Law, to convict someone, the guilt must be proven ‘beyond reasonable doubt’. In Criminal Law, the sentence to the offender may include one or a combination of the following: fine restitution – compensate for victim’s loss or damages probation community service imprisonment

10 Types of Law (contd.) Private law Public law
Regulates the relationships among individuals and among individuals and organizations Family law, commercial law, and labor law Public law Regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments Criminal, administrative, and constitutional law Management of Information Security, 3rd ed. 10

11 Question Is DDoS a civil or criminal offence?

12 Difference between policy and law Policies must be:
Policy Versus Law Difference between policy and law Ignorance of policy is an acceptable defense Policies must be: Distributed to all individuals who are expected to comply with them Readily available for employee reference Easily understood, with multilingual, visually impaired and low-literacy translations Acknowledged by employee with consent form Uniformly enforced for all employees Management of Information Security, 3rd ed. 12

13 International Laws and Legal Bodies
International trade is governed by international treaties and trade agreements Many domestic laws and customs do not apply There are currently few international laws relating to privacy and information security Because of cultural differences and political complexities of the relationships among nations Management of Information Security, 3rd ed. 13

14 International Laws and Legal Bodies (cont’d.)
European Council Cyber-Crime Convention Empowers an international task force to oversee a range of Internet security functions Standardizes technology laws internationally Attempts to improve the effectiveness of international investigations into breaches of technology law Goal is to simplify the acquisition of information for law enforcement agents in certain types of international crimes, as well as the extradition process Management of Information Security, 3rd ed. 14

15 International Laws and Legal Bodies (cont’d.)
The Digital Millennium Copyright Act A U.S.-based international effort to reduce the impact of copyright, trademark, and privacy infringement, especially via the removal of technological copyright protection measures European Union Directive 95/46/EC Increases individual rights to process and freely move personal data Database Right U.K. version of this directive Management of Information Security, 3rd ed. 15

16 Relevant U.S. Laws The Computer Fraud and Abuse Act of 1986 (CFA Act)
landmark in the fight against cybercrime : the first law to address crime in which the computer is the ‘subject’ The cornerstone of many computer-related federal laws and enforcement efforts Amended in October 1996 by the National Information Infrastructure Protection Act Further modified by the USA Patriot Act of 2001 Provides law enforcement agencies with broader latitude to combat terrorism-related activities The USA Patriot Act was updated and extended, in many cases permanently Management of Information Security, 3rd ed. 16

17 CFA Act criminal offences under the CFA Act:
knowingly accessing a computer without authorization or exceeding authorized access to obtain national security data intentionally accessing a computer without authorization (or) to obtain one of the following: a financial record of a financial institution; information from any US-government department or agency; information from any protected computer. 3) intentionally accessing without authorization (or) a government computer and affecting the use of the government’s operation of the computer

18 CFA Act – contd. knowingly causing the transmission of a program, information, code or command that causes damage such as: loss to one or more persons (or companies) during any one-year period aggregating at least $5,000 in value the modification or impairment of medical records physical injury to any person a threat to public health of safety damage affecting a government computer system 5) knowingly and with intent to defraud traffics a password or a similar information through which a computer may be accessed without authorization

19 CFA Act – contd. although the Act does not specifically mention hacking, malware and denial of service, they are its main focus Punishment for offences prosecuted under the CFAA varies from fines to imprisonment of up to 20 years, or both.

20 Case Study: Morris Case (1988)
One of the first cases prosecuted under the CFA Act. Morris, a Ph.D. candidate in CS (Cornell U), wanted to demonstrate the weakness of security measures of computers on the Internet, a network linking university, government and military computers around the US. His plan was to insert a worm into as many computers as he could gain access to, but to ensure that the worm replicated itself slowly enough that it would not cause the computers to slow down or crash. However, Morris miscalculated how quickly the worm would replicate. By the time he released a message on how to kill the worm, it was too late: Some 6,000 computers had crashed or become "catatonic“ at numerous institutions, with estimated damages of $200 to $53,000 for each institution. Morris was sentenced to three years‘ probation and 400 hours of community service, and was fined $10,500.

21 Relevant U.S. Laws (cont’d.)
The Computer Security Act of 1987 One of the first attempts to protect federal computer systems Established minimum acceptable security practices Established a Computer System Security and Privacy Advisory Board within the Department of Commerce Requires mandatory periodic training in computer security awareness and accepted computer security practice for all users of Federal computer systems Management of Information Security, 3rd ed. 21

22 Relevant U.S. Laws (cont’d.)
The Computer Security Act of 1987 (cont’d.) Charged the National Bureau of Standards and the NSA (now NIST) with the development of: Standards, guidelines, and associated methods and techniques for computer systems Uniform standards and guidelines for most federal computer systems Technical, management, physical, and administrative standards and guidelines for the cost-effective security and privacy of sensitive information in federal computer systems Management of Information Security, 3rd ed. 22

23 Relevant U.S. Laws (cont’d.)
The Computer Security Act of 1987 (cont’d.) Charged the National Bureau of Standards and the NSA ( now NIST) with the development of: (cont’d.) Guidelines for operators of federal computer systems containing sensitive information in training their employees in security awareness Validation procedures for, and evaluation of the effectiveness of, standards and guidelines Through research and liaison with other government and private agencies Management of Information Security, 3rd ed. 23

24 Patriot Act allows law enforcement greater latitude in combating criminals and terrorists who use computers and communication networks [telephone, computer, wireless] L.E. has authority to intercept voice communications in computer hacking investigations L.E. has authority to obtain voice mail and other stored voice communications using standard search warrants rather than wiretap orders L.E. has authority to trace communications on the Internet and other computer networks

25 Patriot Act - II L.E. has authority to issue nationwide search warrants for s and other electronic data ⇒ ISPs compelled to disclose unopened s … ISPs are permitted to disclose customer info in the case of emergency - if they suspect an immediate risk of death or serious physical injury to any person Patriot Act one of the most controversial acts – gives away personal freedoms and constitutional rights inexchange for higher levels of national) safety … For more see:

26 Case Study: Patriot Act vs. Constitution (2004)
“ … While conducting surveillance of the defendant and co-defendant, the agents lost track of them. The agents then dialed the defendant’s cell phone several times, and used the provider’s computer data to determine which cell transmission towers were being ‘hit’ by that phone. The cell’s data revealed the defendant’s general locationand helped catch him. On appeal of his conviction, the defendant argued that the cell-site data and resulting evidence should have been suppressed because they turned his phone into a tracking device – and that violated his constitutional rights …” The court found that the cell-site data falls under the category of ‘electronic communication’, hence was not illegal … “Computer Forensics: Principles and Practices”, pp. 423 by L. Volonino, R. Anzaldua, J. Godwin

27 Relevant U.S. Laws (cont’d.)
Privacy Laws Many organizations collect, trade, and sell personal information as a commodity Individuals are becoming aware of these practices and looking to governments to protect their privacy Aggregation of data from multiple sources permits unethical organizations to build databases with alarming quantities of personal information Management of Information Security, 3rd ed. 27

28 Relevant U.S. Laws (cont’d.)
Privacy Laws (cont’d.) The Privacy of Customer Information Section of the section of regulations covering common carriers Specifies that any proprietary information shall be used explicitly for providing services, and not for any marketing purposes The Federal Privacy Act of 1974 regulates the government’s use of private information Ensure that government agencies protect the privacy of individuals’ and businesses’ information Management of Information Security, 3rd ed. 28

29 Relevant U.S. Laws (cont’d.)
Privacy Laws (cont’d.) The Electronic Communications Privacy Act of 1986 A collection of statutes that regulates the interception of wire, electronic, and oral communications These statutes work in cooperation with the Fourth Amendment of the U.S. Constitution Prohibits search and seizure without a warrant Management of Information Security, 3rd ed. 29

30 Relevant U.S. Laws (cont’d.)
Health Insurance Portability & Accountability Act Of 1996 (HIPAA) An attempt to protect the confidentiality and security of health care data Establishes and enforces standards Standardizes electronic data interchange Requires organizations that retain health care information to use information security mechanisms to protect this information Also requires an assessment of the organization's InfoSec systems, policies, and procedures Management of Information Security, 3rd ed. 30

31 HIPPA II Provides guidelines for the use of electronic signatures
Based on security standards ensuring message integrity, user authentication, and nonrepudiation Fundamental privacy principles: Consumer control of medical information Boundaries on the use of medical information Accountability for the privacy of private information Fundamental privacy principles: (cont’d.) Balance of public responsibility for the use of medical information for the greater good measured against impact to the individual Security of health information Management of Information Security, 3rd ed. 31

32 The Financial Services Modernization Act
Also called Gramm-Leach-Bliley Act of 1999 Applies to banks, securities firms, and insurance companies Requires all financial institutions to disclose their privacy policies Describing how they share nonpublic personal information Describing how customers can request that their information not be shared with third parties Management of Information Security, 3rd ed. 32

33 The Financial Services Modernization Act II
Ensures that the privacy policies in effect in an organization are fully disclosed when a customer initiates a business relationship Distributed at least annually for the duration of the professional association Safeguarding the confidentiality and integrity of customer information is no longer just a best practice for financial institutions – it is now a legal requirement. Management of Information Security, 3rd ed. 33

34 Relevant U.S. Laws (cont’d.)
Export and Espionage Laws Economic Espionage Act (EEA) of 1996 An attempt to protect intellectual property and competitive advantage Attempts to protect trade secrets from the foreign government that uses its classic espionage apparatus to spy on a company Also between two companies Or a disgruntled former employee Management of Information Security, 3rd ed. 34

35 Relevant U.S. Laws (cont’d.)
Export and Espionage Laws The Security and Freedom through Encryption Act of 1997 Provides guidance on the use of encryption Institutes measures of public protection from government intervention Reinforces an individual’s right to use or sell encryption algorithms Prohibits the federal government from requiring the use of encryption for contracts, grants, and other official documents, and correspondence Management of Information Security, 3rd ed. 35

36 Relevant Canadian Laws
Two key Canadian (federal) privacy laws: The Privacy Act - imposes obligations on federal government departments and agencies to respect privacy rights by limiting the collection, use and disclosure of personal information. Personal Information Protection and Electronic Document Act (PIPEDA) - sets out ground rules for how private sector organizations may collect, use or disclose personal information in the course of commercial activities. Figure 12-1: Export restrictions Management of Information Security, 3rd ed. Source: Course Technology/Cengage Learning 36

37 Relevant U.S. Laws (cont’d.)
U.S. Copyright Law Extends protection to intellectual property, including words published in electronic formats ‘Fair use’ allows material to be quoted so long as the purpose is educational and not for profit, and the usage is not excessive Proper acknowledgement must be provided to the author and/or copyright holder of such works Including a description of the location of source materials, using a recognized form of citation Management of Information Security, 3rd ed. 37

38 Relevant U.S. Laws (cont’d.)
Freedom of Information Act of 1966 All Federal agencies are required to disclose records requested in writing by any person Applies only to Federal agencies and does not create a right of access to records held by Congress, the courts, or by state or local government agencies Sarbanes-Oxley Act of 2002 Enforces accountability for the financial record keeping and reporting at publicly traded corporations Management of Information Security, 3rd ed. 38

39 Relevant U.S. Laws (cont’d.)
Sarbanes-Oxley Act of 2002 (cont’d.) Requires that the CEO and chief financial officer (CFO) assume direct and personal accountability for the completeness and accuracy of a publicly traded organization’s financial reporting and record-keeping systems As these executives attempt to ensure that the systems used to record and report are sound, the related areas of availability and confidentiality are also emphasized Management of Information Security, 3rd ed. 39

40 State and Local Regulations
Information security professionals must understand state laws and regulations Ensure that their organization’s security policies and procedures comply Georgia Computer Systems Protection Act Has various computer security provisions Establishes specific penalties for use of information technology to attack or exploit information systems in organizations The Georgia Identity Theft Law a business may not discard a record containing personal information unless it shreds, erases, modifies, or otherwise makes the information irretrievable Management of Information Security, 3rd ed. 40

41 Ethics in Information Security
The student of information security is not expected to study the topic of ethics in a vacuum, but within a larger ethical framework Information security professionals may be expected to be more articulate about the topic than others in the organization Often must withstand a higher degree of scrutiny Management of Information Security, 3rd ed. 41

42 Ten Commandments of Computer Ethics
From the Computer Ethics Institute Thou shalt not: Use a computer to harm other people Interfere with other people's computer work Snoop around in other people's computer files Use a computer to steal Use a computer to bear false witness Copy or use proprietary software (w/o paying) Management of Information Security, 3rd ed. 42

43 Ten Commandments - contd
Use other people's computer resources without authorization or proper compensation Appropriate other people's intellectual output Think about the social consequences of the program you are writing or the system you are designing Always use a computer in ways that ensure consideration and respect for fellow humans

44 Differences in computer use ethics
Ethics and Education Differences in computer use ethics Not exclusively cultural Found among individuals within the same country, within the same social class, and within the same company Key studies reveal that the overriding factor in leveling the ethical perceptions within a small population is education Employees must be trained on the expected behaviors of an ethical employee Management of Information Security, 3rd ed. 44

45 Deterring Unethical and Illegal Behavior
InfoSec personnel should do everything in their power to deter unethical and illegal acts Using policy, education and training, and technology as controls to protect information Categories of unethical behavior Ignorance Accident Intent Management of Information Security, 3rd ed. 45

46 Deterring Unethical and Illegal Behavior (cont’d.)
Deterrence Best method for preventing an illegal or unethical activity Examples: laws, policies, and technical controls Laws and policies and their associated penalties only deter if three conditions are present: Fear of penalty Probability of being caught Probability of penalty being administered Management of Information Security, 3rd ed. 46

47 Professional Organizations and their Codes of Ethics
Some professional organizations have established codes of conduct and/or codes of ethics (e.g. ACM, Bar assoc, Nurses Assoc) Members are expected to follow Codes of ethics can have a positive effect on an individual’s judgment regarding computer use Security professionals must act ethically According to the policies and procedures of their employers, their professional organizations, and the laws of society Management of Information Security, 3rd ed. 47

48 Organizational Liability and the Need for Counsel
What if an organization does not support or encourage strong ethical conduct by its employees? What if an organization does not behave ethically? If an employee, acting with or without the authorization, performs an illegal or unethical act, causing some degree of harm, the organization can be held financially liable for that action Management of Information Security, 3rd ed. 48

49 Organizational Liability and the Need for Counsel (cont’d.)
An organization increases its liability if it refuses to take measures (due care) to make sure that every employee knows what is acceptable and what is not, and the consequences of illegal or unethical actions Due diligence requires that an organization make a valid and ongoing effort to protect others Management of Information Security, 3rd ed. 49

50 Managing Investigations in the Organization
When (not if) an organization finds itself dealing with a suspected policy or law violation Must appoint an individual to investigate it How the internal investigation proceeds Dictates whether or not the organization has the ability to take action against the perpetrator if in fact evidence is found that substantiates the charge In order to protect the organization, and to possibly assist law enforcement in the conduct of an investigation The investigator (CISO, InfoSec Manager or other appointed individual) must document what happened and how Management of Information Security, 3rd ed. 50

51 Law and ethics in information security The legal environment
Summary Introduction Law and ethics in information security The legal environment Ethical concepts in information security Professional organizations’ codes of ethics Organizational liability and the need for counsel Key U.S. Federal agencies Managing investigations in the organization Management of Information Security, 3rd ed. 51

Download ppt "CSE 4482: Computer Security Management: Assessment and Forensics"

Similar presentations

Confidentiality and HIPAA

Confidentiality and HIPAA
HIPAA Privacy Rule Training

HIPAA Privacy Rule Training
HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Constangy, Brooks & Smith, LLC (205) 252-9321; Victoria Nemerson.

HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Constangy, Brooks & Smith, LLC (205) ; Victoria Nemerson.
1 HIPAA Education CCAC Professional Development Training September 2006 CCAC Professional Development Training September 2006.

1 HIPAA Education CCAC Professional Development Training September 2006 CCAC Professional Development Training September 2006.
Regulatory Issues in Campus Computing Privacy and Security in a Digital World Presented by David Gleason, Esq. University Counsel University of Maryland,

Regulatory Issues in Campus Computing Privacy and Security in a Digital World Presented by David Gleason, Esq. University Counsel University of Maryland,
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)
COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.

COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.
HIPAA THE PRIVACY RULE Reviewed December 2012 2 HISTORY In 2000, many patients that were newly diagnosed with depression received free samples of anti-

HIPAA THE PRIVACY RULE Reviewed December HISTORY In 2000, many patients that were newly diagnosed with depression received free samples of anti-
Legal and Ethical Issues. 1. Describe and explain legal and ethical issues. 2. Describe guidelines for avoiding legal action and list methods for protecting.

Legal and Ethical Issues. 1. Describe and explain legal and ethical issues. 2. Describe guidelines for avoiding legal action and list methods for protecting.
The Financial Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act (GLBA) UNDERSTANDING AND DEVELOPING A STRATEGIC PLAN TO BECOME COMPLIANT.

The Financial Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act (GLBA) UNDERSTANDING AND DEVELOPING A STRATEGIC PLAN TO BECOME COMPLIANT.
Principles of Information Security, 3rd Edition2 Introduction  You must understand scope of an organization’s legal and ethical responsibilities  To.

Principles of Information Security, 3rd Edition2 Introduction  You must understand scope of an organization’s legal and ethical responsibilities  To.
The Patriot Act And computing. /criminal/cybercrime/PatriotAct.htm US Department of Justice.

The Patriot Act And computing. /criminal/cybercrime/PatriotAct.htm US Department of Justice.
Forensic and Investigative Accounting Chapter 15 Cybercrime Management: Legal Issues © 2007 CCH. All Rights Reserved. 4025 W. Peterson Ave. Chicago, IL.

Forensic and Investigative Accounting Chapter 15 Cybercrime Management: Legal Issues © 2007 CCH. All Rights Reserved W. Peterson Ave. Chicago, IL.
Legal, Ethical, and Professional Issues in Information Security

Legal, Ethical, and Professional Issues in Information Security
Dr. Bhavani Thuraisingham The University of Texas at Dallas (UTD) June 2011 Legal, Regulations, Compliance and Investigations.

Dr. Bhavani Thuraisingham The University of Texas at Dallas (UTD) June 2011 Legal, Regulations, Compliance and Investigations.
Insights on the Legal Landscape for Data Privacy in Higher Education Rodney Petersen, J.D. Government Relations Officer and Security Task Force Coordinator.

Insights on the Legal Landscape for Data Privacy in Higher Education Rodney Petersen, J.D. Government Relations Officer and Security Task Force Coordinator.
Understanding Business Ethics

Understanding Business Ethics
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
Legal, Ethical, and Professional Issues In Information Security.

Legal, Ethical, and Professional Issues In Information Security.
Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.

Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.

Similar presentations

Ads by Google