Computer Security

Information Systems Security
Legal, Regulations, and Compliance
Not Just Fun & Games
 Continually on the rise
 Affects the public and government sectors
 Crimes go unnoticed or unreported
 Costs billions of dollars each year
Example of Computer Crime
 ILOVEYOU, SoBIG, Blaster
 DDoS brings down Excite and Yahoo
 Extortion for credit card numbers
 Stealing funds from financial institutions
 Stealing military secrets
 Competitors stealing secrets
Types of Laws
 Common Law
 Criminal Law
 Tort Law
 Administrative Law
 Civil Law
 Customary Law
 Religious Law
 Mixed Law
Criminal Profile
 Script Kiddies
– May not understand the ramifications
– “Ankle Biters”: curious individuals
– “Machine Gunners”: dispatch thousands of probes
 Dedicated Cracker
– Chooses victim and gathers intelligence
– More dangerous
– Has a goal in mind from the start
Motivation
 Grudge
– Get back at the company or individual
– Terrorist, sympathy, or information warfare
 Financial
 Business
 “Fun”
Example Attacks
 Salami
– Carrying out smaller crimes that might go unnoticed
 Data diddling
– Modifying data in the computer to change outcomes
 Dumpster diving
– Obtaining information from the trash can
Telephone Fraud
 Phreakers
– Telephone fraud
– Red boxing
 Simulating coins dropped into the phone
– Blue boxing
 Using analog tones to gain long distance
– Black boxing
 Manipulating voltages
U.S. Privacy Laws
 Privacy Act of 1974
– Data held on individuals by government
 Electronic Communications Privacy Act of 1986
– Prohibits unauthorized eavesdropping
 Health Insurance Portability and Accountability Act (HIPAA)
 Gramm Leach Bliley Act of 1999
European Union
 Reason data is being collected must be stated
 Data cannot be used for other purposes
 Unnecessary data is not collected
 Data kept only while needed
 Only necessary individuals have access
 No intentional ‘leaking’ of data
Transborder information Flows
 Movement of data across international borders
 Different regions have different laws
 Restrictions on flow of financial data
 Often data flow is taxable
Employee Privacy Act
 Must be in security policy and employees should be aware
 Ensure monitoring is lawful
 Possible types of monitoring
– Key logging
– Cameras
– Telephone
– Email
Common Law - Civil
 Tort law - wrongs against individuals resulting in damage
 Contract Law
 Case law built on precedent
 Determines liability
 Less of a burden of proof
 Embodied in the USC
Criminal
 Laws created to protect the public
 The public (the state) is the plaintiff
 Can win criminal and lose civil on the same case, or vice versa
 More stringent burden of proof
 Includes jail time or death
Administrative Laws
 Different by industry
– FDA, Healthcare, Education, etc.
 Performance and conduct of organizations, officials, and officers
 Deals with industry regulations
 Punishment can be financial or may merit imprisonment
US Federal Laws
 Electronic Communications Act of 1996
– Wiretap act
– Stored communication act
 Computer Fraud and Abuse Act of 1986
– Used in prosecuting computer crimes
– “Anti-hacking law”
 Electronic Espionage Act of 1996
– Industrial espionage
– Stealing Trade Secrets
Intellectual Property Laws
 Trade secret
– Maintains confidentiality of proprietary business data
– Owner invested resources to develop
– Data must provide competitive value
 Copyright
– Protects original works of authorship
– Protects expression of new ideas
– Source code is copyrightable
– In USA, good for 75 years
More
 Trademark
– Protects word, name, symbol, etc. which is used to identify a product or company
– Protects a company’s look or feel
 Patent
– Allows owner to exclude others from practicing invention for a time period (20 years)
– Invention must be novel and non-obvious
Software piracy
 Copying a creator’s work without permission
 Software protection association (SPA)
 Business software alliance (BSA)
– Washington
 Federation against software theft (FAST)
– London
Digital Millennium Copyright Act
 Illegal to tamper with or break into controls that protect copyrighted materials
 Only protects copyrighted items
 Prevents reverse engineering
 First attempt to enforce was by Adobe against a white hat at DefCon
Countries Working Together
 Countries do not view computer crime the same way
 Governments may not work together
 Evidence rules are different
 Jurisdiction issues
 G8 have agreed to fight cybercrime
 Interpol distributes info about cross-border crimes
Violation Analysis
 Ensure that it is not a user error or misconfiguration
 Individuals should be in charge of investigating and determining if a crime exists
 Type of investigation
– Internal
– Law enforcement
Law Enforcement vs. Citizens
 Search must have probable cause
– 4th amendment search warrant
 Private citizen not subject to 4th amendment
 Private citizen may be a police agent
Role of Evidence
 Material offered to judge and jury
 May directly or indirectly prove or disprove that the crime has been committed
 Evidence must be tangible
– Electrical voltages are intangible
– Hard to prove lack of modification
Evidence Requirements
 Material – relevant to the case
 Competent – proper collection, obtained legally, and chain of custody maintained
 Relevant – pertains to subject’s motives and should prove or disprove a fact
Chain of Custody
 Who obtained it?
 Where and when was it obtained?
 Who secured it?
 Who had control or possession?
 How was it moved?
Types of Evidence
 Best
– Primary, original documents, not oral
 Secondary
– Copies of documents, oral, eyewitness
 Direct
– Can prove fact by itself
– Does not need corroborative information
– Information from witness
More Types
 Conclusive
– Irrefutable and cannot be contradicted
 Circumstantial
– Assumes the existence of another fact
– Cannot be used alone to prove the fact
 Corroborative
– Supporting evidence
– Supplementary tool
More Types
 Opinion
– Experts give educated opinion
 Hearsay
– No firsthand proof
– Computer generated evidence
 Real
– Physical evidence
– Tangible objects
More Types
 Documentary
– Records, manuals, printouts
– Most evidence is documentary
 Demonstrative
– Aids jury in the concept
– Experiments, charts, animation
Hearsay Rule Exception
 Business record exemption to hearsay rule
– Documents can be admitted if created during normal business activity
– This does not include documents created for a specific court case
– Regular business records have more weight
– Federal rule 803(6)
 Records must be in custody on a regular basis
 Records are relied upon by normal business
Before the Crime Happens
 Select an Incident Response Team (IRT)
 Decide whether internal or external
 Set policies and procedures
 If internal, include
– IT
– Management
– Legal
– PR
Incident Handling
 First goal
– Contain and repair damage
– Prevent further damage
– Collect evidence
Evidence Collection
 Photograph area
 Dump contents from memory
 Power down system
 Photograph internal system components
 Label each piece of evidence
– Bag it
– Seal
– Sign
Forensics
 Study of technology and how it relates to law
 Image disk and other storage devices
– Bit-level copy (deleted files, slack space, etc.)
– Use specialized tools
– Further work will be done on the copy
 Create message digest for integrity
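The imaging and integrity steps above, together with the chain-of-custody questions from the earlier slide, as an added Python illustration (not code from these slides). The sample "drive", the paths and the custody field names are constructed for the example; SHA-256 stands in for whatever digest a real tool produces.

```python
"""Bit-level imaging with an integrity digest and a chain-of-custody record.
Added illustration, not the slides' code; sample data and fields are constructed."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB reads keep memory flat on multi-GB images

def _hash_stream(src, sink=None, chunk=CHUNK):
    """Hash src block by block, optionally copying each block to sink."""
    digest = hashlib.sha256()
    for block in iter(lambda: src.read(chunk), b""):
        digest.update(block)
        if sink is not None:
            sink.write(block)
    return digest.hexdigest()

def image_device(src_path, dst_path):
    """Raw copy of the source to dst_path; returns SHA-256 of every byte read.
    A raw read captures deleted files and slack space that a file-level copy
    would miss; all later analysis works on dst_path, never on the source."""
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        digest = _hash_stream(src, dst)
        dst.flush()
        os.fsync(dst.fileno())
    return digest

def verify_image(image_path, expected_digest):
    """True while the working copy still matches the acquisition digest."""
    with open(image_path, "rb") as fh:
        return _hash_stream(fh) == expected_digest

def custody_record(image_path, digest, obtained_by, location):
    """Chain-of-custody entry: who, where, when, plus the digest each later
    handler can re-check to show the evidence was not modified."""
    return {"item": os.path.basename(image_path), "sha256": digest,
            "obtained_by": obtained_by, "location": location,
            "obtained_at": datetime.now(timezone.utc).isoformat(),
            "transfers": []}  # append (from, to, when) on every hand-off

def demo():
    """Constructed sample: a small file stands in for the seized drive."""
    with tempfile.TemporaryDirectory() as tmp:
        drive, image = os.path.join(tmp, "drive.bin"), os.path.join(tmp, "drive.dd")
        with open(drive, "wb") as fh:
            fh.write(b"live file\x00" + b"\x00" * 4096 + b"deleted remnant")
        digest = image_device(drive, image)
        record = custody_record(image, digest, "analyst A", "evidence locker 3")
        return verify_image(image, digest), record
```

On a real case the source would be a write-blocked device node rather than a file, and the digest would be recorded in the custody log before the image is ever opened for analysis.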
Things to Look For
 Hidden Files
 Steganography
 Slack Space
 Malware
 Deleted Files
 Swap Files
Trapping the Bad Guy
 Enticement
– Legal attempt to lure a criminal into committing a crime
– Provide a honeypot in your DMZ
– Pseudo flaw (software code)
– Padded cell (virtual machine)
 Entrapment
– Illegal attempt to trick a person into committing a crime