Domain 6: Legal, Regulations, Investigations, and Compliance

Major Legal Systems

Common Law
Rooted in the English legal system established in the 12th century, hence widely practiced in England and former English colonies such as the US, Canada, and Australia
• Precedent-based, i.e., relies on previous court rulings
• Defining characteristic is the adversarial approach to litigation
• Consists of three branches: (1) criminal, (2) tort, and (3) administrative

Criminal law
• Used when an individual's conduct violates government laws for protecting the public, e.g., murder, assault, rape, criminal damage, theft, robbery, embezzlement, fraud
• Punishment can be incarceration, probation, death, or fines

Tort law
• Deals with civil wrongs (torts) against individuals or companies (not the general public) that result in damages or loss, e.g.,
  ▪ Intentional: intentional infliction of emotional distress
  ▪ Wrongs against property: nuisance against a landowner
  ▪ Wrongs against a person: car accident, dog bites
  ▪ Negligence: wrongful death
  ▪ Nuisance: trespassing
  ▪ Dignitary wrongs: invasion of privacy
  ▪ Economic wrongs: contract disputes, the probate of wills, trusts, property disputes, infringement of patent/copyright/trademark
  ▪ Strict liability: failure to warn of risks and defects in a product or design
• Punishment is usually fines
• Offenses can be both criminal and tort, such as assault against an individual

Administrative law
• Deals with regulatory standards created by government agencies that regulate performance and conduct (hence also called regulatory law), e.g., building safety codes
• Also confines government power to its proper scope, curbs potential abuse of power, and ensures proper procedures are followed in the public's interest
• Punishment can be fines, incarceration, or license suspension
• For example, the senior officers of a company that sells products that endanger public safety can be liable under administrative, criminal, and civil law

Civil Law
Rooted in Roman law, it is the most common legal system in continental Europe and throughout the world (including China, Japan, and Korea)
• Rule-based, i.e., relies on codified law (codification is the process of collecting and restating the law of a jurisdiction in certain areas, usually by subject, forming a legal code)
• Judges dominate trials, i.e., play a more active role in determining the facts of the case (inquisitorial rather than adversarial)

Customary Law
• Based on regional traditions and customs
• Usually combined with other kinds of law in a mixed legal system

Religious Law
• Based on regional beliefs

Mixed Law
• With the creation of the North American Free Trade Agreement (NAFTA), the European Union, etc., the blending of two or more systems of law, typically common and civil law, is becoming common, e.g., in the Netherlands and South Africa

Intellectual Property Law
• A patent protects an invention that has been sufficiently documented to allow the federal patent office to verify its originality
• A trademark is any distinguishing name, character, logo, or other symbol that establishes an identity for a product, service, or organization
• Copyright law
  ▪ protects the right of an author to control the public distribution, reproduction, display, and adaptation of his original work
  ▪ (equivalently) allows an author to protect how his work is expressed (the expression, not the underlying idea)
  ▪ does not require the author to file for copyright protection, because protection comes into force as soon as the idea is expressed in a tangible form
  ▪ protects computer programs as soon as they are written
• A trade secret must conform to these requirements:
  ▪ The information must be a genuine secret. The owner can license the secret to others, and as long as reasonable operational and legal protections are in place, it remains a secret.
  ▪ The information must provide the owner with competitive or economic advantages.
  ▪ The owner must take reasonable steps to protect the information.

Privacy
People deserve
• protection against unreasonable intrusion
  ▪ people should know what kind of data is collected about them and be able to give consent
  ▪ people should be able to trust that the organizations gathering such data will not release it to unauthorized persons
• protection against lack of due process
  ▪ people have the right to demand that accurate information about them is collected and maintained

Laws
The Sarbanes-Oxley Act (SOX) applies to all companies publicly listed on the US market
• Governs accounting practices and the methods by which companies report on their financial status
• Some parts deal with IT: processes and controls must be in place to protect the data

HIPAA (Health Insurance Portability and Accountability Act) provides national standards and procedures for the storage, use, and transmission of personal medical information and health care data

The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to develop privacy notices and give their customers the option to prohibit the institution from sharing their information with nonaffiliated third parties
• Employees need to be trained on information security issues
• Security measures must be fully tested
• Institutions must have a written security policy

The Computer Fraud and Abuse Act (CFAA) is the primary US federal anti-hacking statute

The Federal Privacy Act allows agencies to gather information about individuals, but it must be relevant and necessary for its approved purpose; and individuals
• have the right to see the information the government holds about them
• can change or delete any information that is incorrect
• can sue the government for violations of the Act, including for allowing unauthorized access to their personal information

The Payment Card Industry Data Security Standard (PCI DSS) is the result of proactive steps by the credit card industry to stabilize customer trust in credit cards (an industry standard enforced by contract, not a law)

Successful privacy codes
The Canadian Independent Computing Services Association has developed the Privacy Principles for Data Processors:
• Information remains the client's property
• Information will be used only for the purpose for which it was intended
• Information will not be disposed of, transferred, sold, or released to any other party without the client's permission
• Information will be retained only for the limited time necessary for its intended functions

The OECD guidelines:
• Data should be collected in limited amounts only, and with the consent of the person involved
• Data should be obtained by lawful and fair means
• Data should be accurate, complete, and up-to-date to ensure its relevance to the purpose of collection
• Data should be collected only for legitimate purposes, and not used for any other purpose
• Data should not be disclosed to others, except by consent or in accordance with law enforcement
• Reasonable security safeguards should exist to protect data against unauthorized modification, disclosure, or destruction
• A data controller should be accountable for complying with the preceding principles

Computer Crime
Ranking of loss associated with computer crime, in descending order:
• Virus contamination
• Unauthorized access to information
• Laptop or mobile hardware theft

Examples of computer-assisted crime (the computer is the tool):
• Carrying out hacktivism
• Attacking financial systems
• Stealing military intelligence
• Attacking critical infrastructure systems

Examples of computer-targeted crime (the computer is the victim):
• Launching buffer overflow attacks
• Distributed denial-of-service attacks
• Installing malware, e.g., rootkits, sniffers
• Capturing passwords or other sensitive data

Examples where the computer is incidental:
• Storage of stolen information

Types of Evidence
Best evidence (NOT the same as direct evidence) is the primary evidence used in a trial because it provides the most reliability, e.g., a signed contract is best evidence, but oral evidence is not

Secondary evidence is not viewed as reliable and strong in proving innocence or guilt when compared to best evidence, e.g., oral evidence, copies of original documents

Direct evidence supports the truth of an assertion (in criminal law, an assertion of guilt or of innocence) directly, i.e., without an intervening inference
• A witness testifies that he/she saw the defendant kill X

Circumstantial evidence requires an inference to connect it to a conclusion of fact
• A witness testifies that he/she saw the defendant enter X's house and come out with a bloody knife

Corroborating evidence tends to support a proposition that is already supported by some evidence, therefore confirming the proposition
• Witness A saw the defendant hit a green car, and witness B saw green paint on the defendant's car

Real evidence or physical evidence is any material object introduced in a trial, intended to prove a fact in issue based on its demonstrable physical characteristics
• Contract, defective product, murder weapon, fingerprints, firearm residue, etc.

Demonstrative evidence is evidence in the form of a representation of an object, as opposed to real evidence, testimony, etc.
• Photos, X-rays, videotapes, movies, sound recordings, diagrams, forensic animation, maps, drawings, graphs, simulations, models, etc.

Opinion evidence is evidence of what the witness thinks, believes, or infers in regard to the facts, as distinguished from personal knowledge of the facts themselves
• Usually irrelevant unless the witness is an expert

Documentary evidence is any evidence introduced at a trial in the form of documents, including any media by which information can be preserved
• A film of the murder taking place would be documentary evidence
• A blood-spattered letter introduced solely to show that the defendant stabbed the author of the letter is physical evidence, but if the letter shows a motive for murder, then the letter is both physical and documentary evidence

Hearsay evidence is secondhand evidence and generally not admissible in court, but there are exceptions
• Under U.S. Federal Rules of Evidence 803(6) (the business records exception), the records are admissible if the witness
  ▪ has custody of the records in question on a regular basis
  ▪ relies on those records in the regular course of business
  ▪ knows that they were prepared in the regular course of business
• Under U.S. Federal Rules of Evidence 1001(3), a memory or disk dump is admissible, even if it is not made in the regular course of business

Rules of Evidence
The Best Evidence Rule is meant to deter any alteration of evidence, either intentional or unintentional (note: this does not apply to the crime scene, for which the goal is to minimize contamination)

The five rules of evidence [Bra01]:
• Admissible: must be usable in court
• Authentic: relates to the incident
• Complete: eliminates alternative suspects
• Reliable (accurate in [Tip09]): original and not tampered with
• Believable (convincing in [Tip09]): clear, easy to understand, and believable by a jury
Note: the concept of admissibility above is different from the legal concept of admissibility

Admissibility requires [Har10]:
• Relevance: must tend to prove or disprove some fact that is at issue in the proceeding
• Reliability: the source must be reliable, e.g.,
  ▪ a witness must be credible
  ▪ hearsay evidence is generally considered unreliable
  ▪ documentary evidence must be authentic and have a demonstrable chain of custody
• Sufficiency (not covered by [HBH03]): cannot be subject to personal interpretation

General guidelines:
• DOJ/FBI Search and Seizure Manual
• NIST SP 800: Computer Forensic Guidelines
• IOCE/SWGDE Best Practices for Computer Forensics
  ▪ When dealing with digital evidence, all generic forensic and procedural principles must be applied
  ▪ Upon seizing digital evidence, actions taken should not change that evidence
  ▪ When it is necessary for a person to access original digital evidence, that person should be trained for the purpose
  ▪ All activity relating to the seizure, access, storage, or transfer of digital evidence must be fully documented, preserved, and available for review
  ▪ An individual is responsible for all actions taken with respect to digital evidence while the evidence is in his/her possession
  ▪ Any agency that is responsible for seizing, accessing, storing, or transferring digital evidence is responsible for compliance with these principles
• ACPO Good Practice Guide for Computer-Based Electronic Evidence
• IACIS forensic examination procedures

In exigent circumstances, a law enforcement agent may seize evidence that is not included in the warrant, e.g., if the suspect tries to destroy the evidence (there is an impending possibility that the evidence might be destroyed)

Forensics Investigation
Synonyms of computer forensics
• digital forensics
• network forensics
• electronic data discovery
• cyber forensics
• forensic computing

Evidence life cycle [Har10]
• Identification
• Preservation
• Collection
• Examination
• Analysis
• Presentation

Evidence life cycle [HBH03]
• Collection and identification
• Analysis
• Storage, preservation, and transportation
• Presentation in court
• Return to victim (owner)

Incident Response
There are three types of incident response teams:
• Permanent team: cost-prohibitive for small organizations
• Virtual team: made up of experts who have other duties and assignments within the organization
  ▪ can be costly in terms of disrupting their regular duties
• Hybrid team: a mix of permanent and virtual team members

Phases [HBH03]:
• Triage is the process of receiving, sorting, and prioritizing information to facilitate proper handling
• Notification and identification
• Action/reaction
  ▪ Containment limits the extent of the attack, e.g., unplugging from the Internet
  ▪ Analysis by computer forensics experts of logs, audit trails, videotapes, etc., while maintaining chain of custody (making copies on write-once media, ensuring the integrity of all evidence, documenting every step, etc.), to provide accurate information for senior management to make informed decisions
  ▪ Tracing the origin of the attack, either directly (while the attack is ongoing) or indirectly
• Follow-up
  ▪ Repair and recovery
  ▪ Prevention

(ISC)² Code of Ethics
• Act honorably, honestly, justly, responsibly, and legally, and protect society
• Work diligently, provide competent services, and advance the security profession
• Encourage the growth of research; teach, mentor, and value the certification
• Discourage unnecessary fear or doubt, and do not consent to bad practices
• Discourage unsafe practices, and preserve and strengthen the integrity of public infrastructures
• Observe and abide by all contracts, expressed or implied, and give prudent advice
• Avoid any conflict of interest, respect the trust that others put in you, and take on only those jobs you are fully qualified to perform
• Stay current on skills, and do not become involved with activities that could injure the reputation of other security professionals

References
[Bra01] M. Braid, Collecting Electronic Evidence After a System Compromise, AusCERT, 2001.
[HBH03] S. Hansche, J. Berti, and C. Hare, Official (ISC)² Guide to the CISSP Exam, Auerbach Publications, 2003.
[Har10] S. Harris, CISSP All-in-One Exam Guide, Fifth Edition, McGraw-Hill Osborne Media, 2010.
[Tip09] H. F. Tipton, Official (ISC)² Guide to the CISSP CBK, Second Edition, Auerbach Publications, 2009.
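Appendix: worked example of the evidence-handling rules

The chain-of-custody requirements listed under Forensics Investigation and Incident Response above (work only on copies of the seized image, ensure the integrity of all evidence, document every seizure, access and transfer, and have one responsible holder at every point) can be enforced mechanically rather than left to a paper form. The following Python is an added example written for these notes; it is not code from the notes or from any of the cited references. It records the SHA-256 of the image at seizure, refuses to examine a working copy whose hash does not match (and logs the refusal), only lets the current holder transfer the evidence, and hash-links every log entry to its predecessor so that a later edit to the record is detectable. The case ID, evidence ID, actor names and the sample image bytes are all constructed for the example.

```python
"""Added example (not from the notes): tamper-evident chain-of-custody log.

Models the evidence-handling rules in the notes: hash the original at seizure,
examine only copies that match that hash, record who holds the evidence after
every transfer, and hash-link the log entries so that editing or deleting an
earlier entry is detectable. Case/evidence IDs, actor names and the sample
image bytes below are constructed for this example.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List

GENESIS = "0" * 64  # prev_hash of the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _entry_digest(entry: Dict[str, object]) -> str:
    """Digest over every field except the entry's own hash, using canonical JSON."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())


class CustodyLog:
    def __init__(self, case_id: str, evidence_id: str, original: bytes, collector: str):
        self.case_id = case_id
        self.evidence_id = evidence_id
        self.evidence_hash = sha256_hex(original)  # taken once, at seizure
        self.entries: List[Dict[str, object]] = []
        self._append(collector, "acquired", collector,
                     f"sha256 of seized image: {self.evidence_hash}")

    def _append(self, actor: str, action: str, holder: str, note: str = "") -> Dict[str, object]:
        entry: Dict[str, object] = {
            "seq": len(self.entries),
            "time": datetime.now(timezone.utc).isoformat(),
            "case_id": self.case_id,
            "evidence_id": self.evidence_id,
            "actor": actor,
            "action": action,
            "holder": holder,  # who is responsible for the evidence after this action
            "note": note,
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = _entry_digest(entry)
        self.entries.append(entry)
        return entry

    def current_holder(self) -> str:
        return str(self.entries[-1]["holder"])

    def transfer(self, from_person: str, to_person: str, note: str = "") -> None:
        """Only the current holder can hand the evidence on; anything else is a custody gap."""
        if from_person != self.current_holder():
            raise ValueError(f"{from_person!r} is not the current holder ({self.current_holder()!r})")
        self._append(from_person, "transferred", to_person, note)

    def examine(self, examiner: str, working_copy: bytes, note: str = "") -> bool:
        """Examination is done on a copy; a copy that does not match the seized
        image is refused, and the refusal is itself logged."""
        if sha256_hex(working_copy) != self.evidence_hash:
            self._append(examiner, "integrity-failure", self.current_holder(),
                         "working copy hash does not match seized image")
            return False
        self._append(examiner, "examined", self.current_holder(), note)
        return True

    def verify_evidence(self, data: bytes) -> bool:
        """Does this image still match what was seized?"""
        return sha256_hex(data) == self.evidence_hash

    def verify_log(self) -> bool:
        """Walk the hash chain: every entry must be unmodified and link to its predecessor."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_hash"] != prev or _entry_digest(e) != e["entry_hash"]:
                return False
            prev = str(e["entry_hash"])
        return True


def demo() -> Dict[str, bool]:
    image = b"\x00" * 512 + b"constructed sample disk image"  # stands in for a seized image
    log = CustodyLog("CASE-2024-001", "HDD-01", image, collector="first responder")
    log.transfer("first responder", "evidence custodian", "sealed in bag #17")
    log.transfer("evidence custodian", "forensic examiner", "checked out for analysis")
    results = {
        "good copy examined": log.examine("forensic examiner", bytes(image), "login timeline"),
        "altered copy refused": not log.examine("forensic examiner", image[:-1] + b"!"),
        "log intact": log.verify_log(),
    }
    log.entries[1]["note"] = "sealed in bag #99"  # someone edits the record after the fact
    results["tampered log detected"] = not log.verify_log()
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'OK' if ok else 'FAIL'}")
```

The hash chain only makes edits detectable; it does not prevent them, which is why the notes pair this kind of record with write-once media. In practice the log would also be signed or timestamped by a party independent of the examiner, so that a custodian cannot simply regenerate the whole chain after altering it.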