Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Information Security

USA Patriot Act

advertisement 
Lesson 10
Cyber Legal Environment:
One of the Prime Drivers
for Incident Response
Overview
• Our Ethics
• Criminal Justice System
• Cyber Crime Legislation
• USA Patriot Act
CRIMINAL JUSTICE
SYSTEM
• Current System
• The Process
• Recidivism
Current System
• Law enforcement generally
overworked
• Understaffed
• Under-budgeted
• Lacking cyber expertise
• Court systems even more
backlogged
Normal Case
• Victim notifies law enforcement
• Police gather evidence and develop
suspects
• Search warrants executed
• Interviews/Interrogations
• Suspect(s) charged
• Case turned over to prosecutor
• Grand Jury
• Court Case
Agencies Ready to Respond
• Local Law Enforcement
• FBI Infragard Program
• DHS
– http://www.dhs.gov/how-do-i/report-cyber-incidents
– https://www.us-cert.gov/forms/report?
– Report Malware and vulnerabilities to DHS by e-mail
at cert@cert.org and soc@us-cert.gov
• U.S. Secret Service
– http://www.secretservice.gov/investigation/#cyber
• CERT/CC Hotline: (888) 282-0870
Current Trends
• Agencies developing expertise
• Sensitive to victims needs
– “They don’t confiscate your machine”
• More Cases being opened
• Many cases leading to success
–
–
–
–
Mafiaboy
Russian E-Bay Scam
Melissa Author (David Smith)
Deceptive Duo
Recommendation
• Be patient, but persistent
• Always describe issue/loss in plain
english
• Maintain chain of custody
• Estimate Dollar Loss
• Do not rule out civil court use
– “Preponderance of the evidence”
Applicable U.S. Criminal Code
• Software Piracy
• Using Computers/Networks to commit
“normal” crimes
– Plethora of U.S.C. can be used
• Computer Fraud and Abuse Act, 18 U.S.C
sect 1030 (Network Crime)
• Wiretapping & Snooping (aka sniffing)
– Wiretap Act, 18 U.S.C. sect 2511
– Electronic Communications Privacy Act (ECPA),
18 U.S.C. sect 2701
Traditional Crimes
• Criminal Trademark, 18 U.S.C. 2320
• Criminal Copyright, 18 U.S.C. 2319 and 17
U.S.C. 506(a)
• Child Pornography, 18 U.S.C. 2252A
• Criminal Trade Secrets, 18 U.S.C. 1831/1832
• Threats & Harassment 18 U.S.C. 844(e) & 875,
47 U.S.C. 223 (a)(1)(C, E)
Computer Fraud and Abuse Act (1)
• Defines certain “protected
computers”
– U.S. Govt Networks
– Financial networks
– Networks that affect interstate or
foreign commerce or communication
• Damage to a “protected computer”
is a criminal act
• Defines loss thresholds
Computer Fraud and Abuse Act (2)
• Trespass on a Govt system is a
criminal act
• Trafficking in info which can allow
unauthorized access
• Threatening to damage
• Accessing a protected computer
• Attempts are a criminal act
• Defines loss thresholds
Computer Fraud and Abuse Act (3)
• Certain privacy intrusions are a
criminal act
– Prohibits unauthorized access to
obtain:
• Financial data from federal agency or on
a protected computer
Legal Aspects of Monitoring
• Real-time monitoring:
– Two statutes govern:
• Wiretap statute
• Pen/Trap statute
– Pen Register: outgoing connection data
– Trap & Trace: incoming connection data
• ECPA covers access to stored
communications
– Covers voice mail, email, “logs”
• But, there are exceptions
Intercept/Monitoring Exceptions
• Computer Trespass Exception
– Bannered Systems allow monitoring
• Consent of a Party (victim?)
• Provider exception
–
–
–
–
To protect provider’s “rights/property”
When done in “normal ops”
Limited exception
Not an investigators privilege
Electronic Communications
Privacy Act (ECPA)
• Applies to stored info
– Communications (email, voicemail
– Transactional data (connection logs)
– Subscriber/session information
• 18 U.S.C. 2701-11 governs access
and disclosure
• Public Providers cannot offer info
• Private Provides can share info
Related Recent E-Comm Security
Legislation that could impact
Forensics
• Gramm-Leach-Bliley Act (Fall 2002)
– Financial Privacy, Safeguards, and
Pretexting
• HIPAA (1996 --->14 Apr 2003)
– Safeguards to ensure patient
confidentiality
Gramm-Leach-Bliley Act
• Financial Privacy, Safeguards, and Pretexting
• Federal Trade Commission has oversight
• Public Law 106-102, Title V
• Requires financial institutions to notify
customers about their privacy practices and
allow consumers to "opt out" of having their
nonpublic personal information disclosed
• The Act's security provisions require the
Commission and certain other federal
agencies to establish standards for financial
institutions relating to administrative,
technical and physical safeguards for
customer information.
Source FTC: http://www.ftc.gov/opa/2001/07/glb501.htm
Gramm-Leach-Bliley Act
Security Issues
• Designate an employee or employees to
coordinate its [safeguards] program
• Assess risks in each area of its operations
• Design and implement an information
security program to control these risks
• Require service providers (by contract) to
implement appropriate safeguards for the
customer information at issue
• Adapt its program in light of material changes
to its business that may affect its safeguards
Source FTC: http://www.ftc.gov/opa/2001/07/glb501.htm
HIPAA Update
• Health Insurance Portability
Accessibility and Accountability Act
• Health and Human Services issued
patient-data privacy guidelines
• Passed by Congress in 1996
• 14 April deadline for basic HIPAA
compliance
• Applies to companies providing health
care services and any business
associates handling protected patient
data
Source Network World, Mar 10, 2003, Pg 30
HIPAA Tenets
• Basic tenet: “apply administrative,
physical, and technical safeguards to
ensure confidentiality
• Companies worried about being held
liable and the consequent damages
• Perception is 14 April opens up the
litigation floodgates
• HIPAA’s 3 guidelines
– Electronic Data Interchange (EDI)
– Privacy
– Security
Source Network World, Mar 10, 2003, Pg 30
HIPAA Security Issues
• After 14 April HHS must investigate complaints
– Potential penalty: up to $25K/yr per type of violation
• Creating need for encrypted email
• Increased emphasis on audit and access control for
patient data
– For every record accessed you need to know who, what,
and when
• Strong Authentication techniques
– Individual passwords that are role based (DR, RN, LPN)
• VPN client software for remote access
Source Network World, Mar 10, 2003, Pg 30
USA PATRIOT ACT of 2001
Uniting and Strengthening America
by Providing Appropriate Tools
Required to Intercept and Obstruct
Terrorism Act
Major Sections
• Criminal Law
• Intelligence
• Cross-Flow
Organization
• Title II -- Enhanced Surveillance Procedures
•
•
•
•
•
•
Title
Title
Title
Title
Title
Title
III -- International Money Laundering
IV -- Strengthening The Border
VII-- Increased Info Sharing For CIP
VIII -- Strengthening Criminal Laws
IX -- Improved Intelligence
X -- Miscellaneous
Patriot Act
Criminal
Law
Subpoenas for Electronic Evidence
Sec 210
• Old: Subpoena
limited to customer’s
name, address,
length of service, and
means of payment
• In many cases, users
register with ISPs
under false names
• New: Update and
expand records
available by
subpoena
• Old list, plus means
and source of
payment, credit card
or bank account
number, records of
session times and
durations, and any
temporarily assigned
network address
• Not subject to sunset
Pen Register, Trap and Trace
Sec 216
• Old: “telephone lines” and
“numbers dialed”
• Did not clearly cover
computer comms
• Court could only
authorize use in single
judicial district
• New: clearly applies to
computer comms, for any
non-content info–“dialing,
routing, addressing, and
signaling information”
• Info relevant to ongoing
criminal investigation
• Nationwide federal
pen/trap orders
• New LE reporting
requirement
• Not subject to sunset
Computer Trespassers
Sec 217
• Old: Computer
owners were often not
clearly “parties” to
hacker intrusions
into the computer, so
the owner generally
not deemed able to
consent to LE
monitoring
• New: Victims of
computer attacks can
authorize persons
“acting under color of
law” (LE or CI) to
monitor trespassers
on their computer
systems
• Subject to sunset
Computer Trespasser Defn
• Any person who accesses a “protected
computer” without authorization
– “protected computer” - one used in interstate or
foreign commerce or communication
• Thus has no reasonable expectation of privacy
• In communication to, through, or from
• Explicitly excludes any person “known by the
owner or operator of the protected computer to
have an existing contractual relationship with
the owner or operator for access to all or part of
the computer”
Computer Trespasser Requirements
• Investigator may intercept comms of computer
trespasser transmitted to, through, or from
• Owner or operator of protected computer
authorizes interception
– [note: best if in writing]
• Person who intercepts is lawfully engaged in
ongoing investigation
• Person acting under color of law has reasonable
grounds to believe contents will be relevant to
investigation
• Investigators intercept only comms sent or
received by trespassers
Civil Liability for Unauthorized
Disclosures
Sec 223
• Old: civil remedies for
unauthorized
interception,
disclosure, or use of
communications
against any person or
entity
• New: All civil
remedies against
persons or entities,
other than the US
• New section allows
monetary damages
against US if
employees improperly
disclose intercept
• Adds administrative
discipline provisions
• Not subject to sunset
“Domestic Terrorism”
Sec 802
• Old: no definition of
“domestic terrorism”
• New : activities primarily
w/in territorial
jurisdiction of US
• Acts dangerous to human
life and violate US
criminal laws
• Appear intended to
intimidate or coerce
civilian population
• Influence policy of a govt
by intimidation or
coercion, or affect conduct
of a govt
– mass destruction
– assassination
– kidnapping
Crimes at U.S. Facilities Abroad
Sec 804
• Old: defined special
maritime and territorial
jurisdiction of US
• New: extends jurisdiction
to U.S. diplomatic,
consular, military, or
other premises and
related private residences
overseas for offenses
committed by or against
U.S. natl.
• Not offenses by members
or employees of U.S.
armed forces and persons
accompanying (covered
under another law)
“Federal Crime of Terrorism”
Sec 808
• Old: defined “federal
crime of terrorism” by
listing offenses
• New: adds several
offenses, including
aircraft violence and
computer crimes
• Also attacks on military
comm systems, and
material support to
terrorist orgs (including
training and expert
advice)
• Longer statute of
limitations (Sec 809)
• Add offenses to RICO
(Sec 813)
Deterrence and Prevention of
Cyberterrorism
Sec 814
• Old: “Damage” =
– $5000 loss (per
computer?)
– physical injury to
person
– threat to public health
or safety
– impairing medical care
• Did not define “loss”
• Extraterritorial
application unclear
• New
– Any impairment if used
by or for govt entity for
justice, natl defense, natl
security
– $5000 aggregated loss if
multiple victims
• Extraterritorial clear
• ‘Loss’ includes, damage
assessment, restoration,
lost revenue, response,
consequential damages
• “Person” includes govt
• Not subject to sunset
Critical Infrastructures Protection
Sec 1016
• Continuous natl effort required to ensure cyber
and physical infrastructure service
• Requires extensive modeling and analytic
capabilities
• National Infrastructure Simulation and Analysis
Center (NISAC)
• $20,000,000 authorized for DTRA for FY02
Summary
• Legislation Maturing Quickly
• Legislation more comprehensive
• Privacy vs Protection
• Plays a vital role in ID and IR
Related documents
The Different Kinds of Law
The Different Kinds of Law
To review and check your knowledge of this material, print
To review and check your knowledge of this material, print
Exam One (Preliminary Exam) Review
Exam One (Preliminary Exam) Review
Legal Rights and Responsibilities
Legal Rights and Responsibilities
Master's Comprehensive Exam Study
Master's Comprehensive Exam Study
Information Security Awareness Training 2013 Abridged
Information Security Awareness Training 2013 Abridged
Download
advertisement