15. Legal, Regulations, Compliance, and Investigations

ISA 562: Internet Security Theory & Practice
16. Laws, Regulations, Compliance, & Investigation

Objectives
- Computer crime
- Laws and regulations for IT
- Differences and similarities between common and civil law
- Incident response technology
- Forensics
- Etc.

Introduction
- Need to decide on a suitable set of investigative procedures (involving techniques and measures) used to determine if a crime has been committed
- Provide methods to gather and secure evidence (chain of evidence)
- Develop incident-handling capabilities to react quickly and efficiently to malicious threats or suspicious incidents

Major Legal Systems
- Common Law
  - English roots
  - Originally developed from court decisions based on customs, traditions and precedents
  - Law types: Criminal Law, Torts, Administrative Law

Legal Systems
- Civil Law
  - Roots go back to the Roman Empire and the Napoleonic Code of France
  - Body of laws established by a state or nation for its own regulation
- Custom
  - Society's norms and values
- Religious Law
  - Examples: Islamic, Mosaic, etc.
- Mixed Law
  - Combining legal systems
  - Important in inter-state or international crime!

IT Laws and regulations
- Intellectual property: designed to protect intangible items and property from those wishing to copy or use it without compensation to the inventor or creator
  - Patent: an invention registered with the relevant office
  - Copyright: an expression in tangible media
  - Trademark: a symbol representing a product (to identify goods and distinguish them from those of others)
  - Trade secret: valuable business or technical information, processes, etc. that are confidential and critical to the business
- Software License of copyrighted material
  - Freeware, Shareware, Commercial, Academic

IT Laws (continued)
- Privacy: rights and obligations of individuals and organizations over personal material
- Initiatives
  - Generic approaches
    - Regulation by industry: vertical enactment, with requirements for the financial sector, healthcare, government, etc.
    - Privacy and the EU: horizontal enactment across all industries
  - Employees: monitoring and usage policies (Internet, email, etc.)
  - Personal protection: end user responsibilities; encourage them to use specific technologies like encryption, anti-virus, etc.

Other Concerns
- Liability: legal responsibilities for damage or injury, etc.
- Negligence: acting without care
- Due Diligence: the degree of prudence that might be properly expected from a reasonable person put in the given circumstances
- Computer Crime
  - Computer crime examples: insider abuse, stalking, financial fraud, hacking
  - International cooperation

Incident Response
- Incident: an event that may negatively impact a business or its assets
- Need for incident response
  - Establish capabilities to handle compromises
    - Root cause analysis
    - Discover the problem and resolve it
    - Minimize damage
    - Document the steps
  - Policy (escalation process), procedures, guidelines and management evidence
  - Establish a team
    - Virtual, permanent or a combination of the two
    - Each situation has its pros and cons

Incident Response and handling
- Phases
  - Triage: first step in incident handling
    - Contains detection, classification and notification
    - Detection recognizes false positives and negatives
    - Classification assigns a severity to the event (e.g. high, medium, low)
    - Notification warns entities depending on the severity
  - Investigation: components include
    - Analysis: automated or manual
    - Interpretation: explanation for the event
    - Reaction: what to do because of the event
    - Recovery: specific procedures after the event

Incident Response and handling (continued)
- Objectives
  - Reduce impact
  - Identify cause, etc.
- Considerations
  - Legal
  - Policy
- Containment
  - Reducing the impact of the incident
  - Depends on the attack, what was affected, etc.
  - Strategies:
    - System isolation
    - System disconnection
    - Implementing a security product (like firewalls)
    - Documentation of handling procedures, source of evidence, etc.

Computer Forensics
- Evidence
  - Deals with both evidence and legal issues
  - Identified as:
    - Crime scenes
    - Evidence
    - Potential containers of evidence
  - Acquire evidence: digital, electronic, storage or wire
- Computer forensics is new; only about 25 years old, whereas fingerprint analysis goes back to the 1800s
- Criminal principles
  - Minimize evidence contamination and destruction at the source
  - Use scientific methods when acquiring evidence
  - Present comprehensible findings

Computer forensics (continued)
- Treat as a crime scene
  - Where potential evidence of the crime may exist
  - Could be physical, virtual or cyber
  - Read about Locard's Principle of Exchange
- Behaviors
  - Means, Opportunity and Motives (MOM)
  - Modus Operandi (MO): e.g. hacking has signature behaviors
- The scene should be preserved: no unauthorized individuals, and procedures in place
- Contamination cannot be undone!

Computer forensics (continued)
- Digital Evidence
  - Rules:
    - Admissibility in court: criteria vary
    - Should have some probative value
    - Relevant to the case at hand
    - Admissible and authentic
    - Complete, accurate and convincing
- Hearsay
  - An out-of-court statement offered as proof of an assertion (second-hand evidence)
  - Normally not admissible
  - One important exception: computer-generated information

Computer forensics (continued)
- Life span
  - Volatile
  - May be short life span, etc.
- Chain of custody
  - Evidence handling
  - Who, what, where, when, and how
  - Requires a formal process that is well documented
- Accuracy and integrity
  - Examples are MD5 & SHA
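The chain-of-custody and integrity points above, worked through as an added Python example (not part of the original slides): a constructed evidence image is hashed with MD5 and SHA-256 at acquisition, each handling step records who/what/where/when/how together with the hashes, and a later check detects either an altered image or a custodian whose recorded hash disagrees with the acquisition value. The evidence bytes, custodian names and locations are all constructed.

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample "evidence image"; it stands in for the bytes of a disk or memory capture.
EVIDENCE = b"constructed evidence image: partition table, file table, user data ..."


def fingerprint(data: bytes) -> dict:
    """Hash the evidence bytes. MD5 is included because older procedures still
    ask for it; SHA-256 is the value to rely on, since MD5 collisions can be
    manufactured and an MD5-only record is easier to challenge in court."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def custody_entry(who: str, what: str, where: str, how: str,
                  data: bytes, when=None) -> dict:
    """One chain-of-custody record (who, what, where, when, how) plus the hashes
    computed at the moment of handling, so the next custodian can re-verify."""
    when = when or datetime.now(timezone.utc)
    return {"who": who, "what": what, "where": where, "how": how,
            "when": when.isoformat(), "hashes": fingerprint(data)}


def verify_chain(chain: list, data: bytes) -> tuple:
    """Check that every custodian recorded the acquisition hash and that the
    evidence as it exists now still matches it. Returns (ok, reason)."""
    if not chain:
        return False, "empty chain: no acquisition record"
    acquired = chain[0]["hashes"]["sha256"]
    for i, entry in enumerate(chain[1:], start=1):
        if entry["hashes"]["sha256"] != acquired:
            return False, f"entry {i} ({entry['who']}) recorded a different hash"
    if fingerprint(data)["sha256"] != acquired:
        return False, "current evidence does not match acquisition hash"
    return True, "ok"


if __name__ == "__main__":
    chain = [
        custody_entry("analyst A", "disk image", "lab bench 1", "dd + write blocker", EVIDENCE),
        custody_entry("analyst B", "disk image", "evidence locker", "sealed bag transfer", EVIDENCE),
    ]
    print(verify_chain(chain, EVIDENCE))   # (True, 'ok')
    altered = EVIDENCE[:-1] + b"X"         # one byte changed after seizure
    print(verify_chain(chain, altered))    # (False, 'current evidence does not match acquisition hash')
```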

Computer forensics (continued)
- Guidelines
  - All activity (seizure, access, etc.) should be fully documented
  - Minimize handling/corruption of original data
  - Be prepared to testify
  - Work fast
  - Comply with evidence rules
  - Act ethically, in good faith, etc.

Reference
- ISC2 CBK Material