Law, Investigations,
and Ethics
© Copyright 2005
(ISC)2®
All Rights Reserved.
Law, Investigations, and Ethics v5.0
Domain Layout
This Domain is divided into three
sections:
– Law
– Investigations
– Ethics
Law
Introduction & Objectives
• This domain addresses computer
crime laws and regulations that affect
organizations and personnel.
• The CISSP will be able to describe
the laws and legal issues that are
applicable to computer crime.
Investigations
Introduction & Objectives
This domain addresses:
• The investigative measures and techniques that
can be used to determine if a crime has been
committed.
• Investigation of crime incidents, collection of
evidence, and contacting of law enforcement.
• The CISSP will be able to describe the forensic
methods that are used to gather and preserve
evidence and investigate computer crimes.
Ethics
Introduction & Objectives
• This domain addresses information
security ethics as applied to society,
employees and (ISC)2 members.
• The CISSP will understand the ethical
issues and the code of conduct
applicable for the security
professional.
Goals of Information Security
• The common thread among good information security objectives is
that they address all three core security principles.
– Confidentiality: Prevents unauthorized disclosure of systems and information.
– Integrity: Prevents unauthorized modification of systems and information.
– Availability: Prevents disruption of service and productivity.
Law & Computer
Crime
Objectives
• The CISSP needs to be aware of legal issues,
new legislation and regulatory
requirements.
• The CISSP needs to provide management
with:
– Assurance of compliance with legal
requirements
– Awareness of legal liabilities or areas of
possible non-compliance
Section Objectives
• Understand the issues related to information
security and law
• List the major legal systems
• Understand intellectual property laws and
how they give protection to information
• Understand the legal principles dealing with
privacy
• Understand the legal liabilities of corporate
officers in protecting assets of the corporation
• Define due care and due diligence
Law and Computer Crime
Subtopics
• Information Security Related Legal
Issues
• Major Legal Systems
• Intellectual Property Laws
• Privacy Laws
• Liability of Corporate Officers
Information Security
Related Legal Issues
• Three types of harm usually
addressed in computer crime laws:
– Unauthorized access
– Unauthorized alteration,
destruction, or disclosure of
information
– Insertion of malicious programming
code
Computer Crime Categories
• Computer Assisted Crime:
–Criminal activities that are not
unique to computers, but merely
use computers as tools to assist the
criminal endeavor (e.g., fraud, child
pornography).
Computer Crime Categories, cont.
• Computer Targeted Crime:
– Crimes directed at computers, networks
and the information stored on these
systems (e.g., denial of service, sniffers,
attacking passwords).
• Computer is Incidental
– The Computer is incidental in the criminal
activity (e.g., customer lists for traffickers).
Computer Crimes and
Related Laws
• Computer-related crimes and abuses (e.g.,
denial of service)
• Malware
• Software piracy
• Illegal content issues (child pornography)
• Wire fraud and mail fraud
• Lack of computer crime legislation has led
to prosecution through traditional laws
Computer Crime Law Issues
• Defining electronic information or data
• Unlawful destruction of data or denial of
service
• Using a computer to commit, aid, or abet
crime
• Defining intellectual property
• Complex legal definitions of technical issues
• Private sector lack of reporting
• Sentencing guidelines
International Issues
• Some countries have no or poorly defined
computer crime laws
• Law enforcement technical capabilities
vary
• Governments may not wish to assist each
other in international cases
• Trans-national criminal activity
• Jurisdictional legal disputes
International Differences
• It is very important to gain
commonality of legal understandings
(harmonization) and an agreement to
work together (cooperation) regarding
the prevention, detection,
prosecution, and reporting of
computer crimes.
Information Security Legal Issues
• Legislation is being created to include:
– Electronic contracts and non-repudiation
– Encryption import, export, and usage
– Internet violations
– Identity theft
– Network attacks
– Protection of personal information
Major Categories of Law
• Civil Law
• Common Law
– Criminal Law
– Civil (Tort) Law
– Administrative Law
• Customary Law
• Religious Law Systems
• Mixed Law Systems
World Legal Systems
Source: WorldLegalSystems, http://www.droitcivil.uottawa.ca/world-legal-systems/eng-monde.html
Civil or Code Law
• Originally civil law was a common
legal system in much of Europe
• It is based on a comprehensive
system of written rules of law and
divided into commercial, civil, and
criminal codes.
Common Law
• This type of law developed in
historical England.
• It is based on tradition, past practices,
and legal precedents set by courts
through interpretation of statutes,
legal legislation, and past rulings.
Categories of Common Law
Subtopics
• Common Law System
– Criminal Law
– Civil Law
– Administrative or Regulatory Law
Criminal Law
• Individual conduct that violates
government laws that are enacted for
the protection of the public.
• Violations of criminal law regarding
computer crimes can lead to a variety
of punishments, including
imprisonment, financial penalty, loss
of right to work with computers, etc.
Civil (not Code) Law
• A wrong against an individual or business
that results in damage or loss.
• Violations of civil law regarding
computer crimes can lead to financial
restitution or compensatory damages.
There is no prison time.
Administrative or Regulatory Law
• Standards of performance and conduct
expected by official regulatory bodies from
organizations, industries, and certain
officials or officers.
• Banks
• Insurance companies
• Stock markets
• Food and drug companies
Customary Law Systems
• Customary law plays a significant
role in matters of personal conduct.
• Its foundation is based on customs,
traditions, etc.
• Predominantly found in countries or
political entities with mixed legal
systems:
– African countries, China, India
Religious Law Systems
• Based on religious beliefs.
• Traditionally divided into:
–Religious duties
–Obligations to other people
Mixed Law Systems
• This category includes political
entities where two or more
systems apply cumulatively or
interactively (e.g., Muslim and
Common Law).
Major IP Law Categories
• Patent
• Trademark
• Copyright
• Trade Secrets
Intellectual Property Laws
• Patent
– A patent grants the owner a legally enforceable right
to exclude others from practicing the invention
covered
– It protects novel, useful and non-obvious inventions
• Trademark ™
– Any word, name, symbol, color, sound, product shape
or device or combination of these used to identify
goods & distinguish them from those made or sold by
others
Intellectual Property Laws (cont.)
• Copyright ©
– Covers the expression of ideas rather than
the ideas themselves - “original works of
authorship”
• Trade Secret
– Proprietary business or technical information
which is confidential and protected as long as
its owner takes certain security precautions
Privacy Laws
Privacy Laws could include:
• Information privacy - collection and
handling of personal data
• Medical Records
• Communications privacy - protection
of mail, phones, email, etc.
Need for Privacy Laws
• Globalization - distribution of information beyond
a single nation’s borders – world markets.
• Trans-border data flow – how different nations
provide privacy protection of an individual’s
information.
• Convergent technologies – technical means of
gathering, analyzing, and distributing
information.
• Data retrieval advances – methods of creating
vast repositories of personal information.
Privacy Laws
Privacy recognized as fundamental right in many
nations.
• United Nations Declaration of Human Rights
• Privacy Act of 1974 (United States)
• European Union Principles
• The International Covenant on Civil & Political
Rights
• Organization for Economic Cooperation and
Development
• Existing or newly written constitutions
European Union Principles
• Data collected fairly and lawfully
• Data only used for the purposes for which
collected and only for reasonable time
• Persons entitled to receive a report, on
request, on data about them
• Accurate and, where necessary, kept up to
date
European Union Principles (cont.)
• One’s personal data cannot be
disclosed to 3rd parties unless
authorized by statute or consent of
individual
• Persons have a right to make
corrections to their personal data
• Transmission to locations where
“equivalent” personal data protection
cannot be assured is prohibited
Models of Privacy Protection
• Regulatory model
• Industrial regulations
• Self-regulation
– Companies/industries - Codes of
practice
• Individual user (Self protection)
– PGP and other self-protections
Privacy Issues in the Workplace
• Employee electronic monitoring
• Email monitoring
• Document monitoring
• Internet activity monitoring
• Personally Identifiable Information
Employee Monitoring Issues
Legal actions that must be taken prior to
performing electronic monitoring include:
– Establish use policy for systems
– Distribute policy to users of the system.
– Notify your employees that you are
monitoring.
– Ensure that monitoring is used in a lawful
manner such as consistent monitoring
across all employees and only monitoring
work-related activities.
Due Care
• It is the concept that corporate
officers and others with fiduciary
responsibilities must meet certain
requirements to ensure corporate
security.
Legal Responsibility for Security
• Due Care
– Taking responsibility
for security
– Demonstrating that
responsibility is taken
– Planning for threats
and vulnerabilities
– Documenting the
process
• Due Diligence
– Implementing controls
– Ensuring controls are
monitored and updated
– Having a team that
assesses all threats and
evaluates loss
– Reviewing adequacy of
threat analysis
– Ongoing risk
assessment and
documentation
Elements of Negligence
• Legally recognized obligation
– Perform to a standard of conduct
• Protect others from unreasonable risks
• Failure to conform to a required standard
• Proximate causation
• Resulting injury is actual loss or damage
to another
If there is a Breach of Security
• Liability and the failure to institute
appropriate information security measures
may result in:
– Organization and Board of Directors may be
held liable (individually and personally)
• Board of Directors fiduciary responsibility to
stockholders to protect assets of corporation
– Corporation may be liable to others
• Contractually
• Under doctrines of civil law
Quick Quiz
• What are the major legal systems that exist
around the world?
• What are the three sub-categories of law
under Common Law?
• Why do the different legal systems create a
challenge in dealing with computer crime?
• List the intellectual property laws.
• What are some of the key items in the
European Union Privacy principles?
• Define Due Care.
Section Summary
• The major legal systems include Common Law, Code Law, Customary
Law, Religious Law, and Mixed Law systems.
• Three categories under Common Law are Criminal, Civil and
Administrative.
• Having different legal systems around the world creates a challenge for
several reasons, including different interpretations of crimes, different
evidence requirements, lack of cooperation, etc.
• Intellectual property laws include Patents, Trademarks, Copyright, and
Trade Secrets.
• Key items in the European Union Privacy principles include collecting
data fairly and lawfully, keeping it for a reasonable amount of time,
ensuring its accuracy and security, needing consent to disclose to third
parties, allowing ‘owners’ to view and modify as appropriate, etc.
• Due care is the concept of what a reasonable person would do under
like circumstances. As it applies to information security, it means
making sure that companies implement reasonable controls that other
‘like’ companies would also implement.
Investigations
Section Objectives
• Understand the issues related to computer
forensics.
• Understand the legal requirements for
electronic evidence.
• Understand the concept of the ‘chain of
custody’ of evidence.
• List the requirements for the admissibility of
computer evidence.
• Understand incident response capability and
the associated phases of the escalation
process.
Reliable Investigations
• Need to conduct reliable investigations
that will stand up to scrutiny and cross-examination, up to and including in an
arbitration or court setting.
• Need to ensure that all investigations
conducted are thorough and equitable.
Investigations Environment
• The environment for investigation
includes the infrastructure, policies,
personnel, techniques, culture and
tools that assist an organization in
conducting an investigation.
Subtopics
• Computer Forensics
• Incident Response and Handling
• Investigation, Interviewing and
Interrogation
• Working with Outside Agencies
Computer Forensics
• Computer forensics is the scientific
examination and analysis of data held
on, or retrieved from, computer
storage media in such a way that the
information can be used as evidence
in a court of law.
Digital Forensic Science (DFS)
“The use of scientifically derived and proven
methods toward the preservation, collection,
validation, identification, analysis,
interpretation, documentation and
presentation of digital evidence derived from
digital sources for the purpose of facilitating
or furthering the reconstruction of events
found to be criminal, or helping to anticipate
unauthorized actions shown to be disruptive
to planned operations.”
Source: (2001). Digital Forensic Research Workshop (DFRWS)
DFS Types of Analysis
• There is a consensus that there are at
least 3 distinct types:
– Media Analysis (Computer Forensics)
• Examining physical media for evidence
– Software Analysis (Software Forensics)
• Review of software for malicious signatures, and
identity of author
– Network Analysis
• Scrutinize network traffic and logs to identify and
locate cause
Keep in Mind:
All investigations must abide by the
Rules of Evidence
• Electronic evidence is fragile
• Integrity of the “scene”
• Admissibility in court
• Only one chance to do it correctly
Chain of Custody
• Helps protect the integrity and reliability of the
evidence
• Effective process of documenting the complete
journey of the evidence during the life of the
case
• Allows you to answer the following questions:
– Who collected it?
– How & where?
– Who took possession of it?
– How was it stored & protected in storage?
– Who took it out of storage & why?
Hearsay Rule
• Hearsay is second-hand evidence;
normally not admissible.
– Value depends on veracity and competence of
source.
– Depending on the circumstance, business
records may be considered hearsay.
• No first-hand proof of accuracy, reliability,
trustworthiness
Hearsay Rule, cont.
• In certain instances computer records fall
outside of the hearsay rule (e.g., business
records exemption)
– Information relates to regular business
activities
– Automatically computer generated data
• No human intervention
• Prove system was operating correctly
• Prove no one changed the data
Sources of Information/Evidence
• Oral (witnesses)
– Written statements
• Written Documents
• Computer generated
• Visual/audio
– During event
– After event
Admissibility of Computer Evidence
Subtopics
• Relevant
• Foundation of admissibility
• Legally permissible
• Evidence identification and preservation
Relevant
• Proof that crime occurred
• Documentation of events/time frame
• Identification of acts/methods
• Proof linking suspects to acts/methods
• Proof of suspect's motives
Foundation of Admissibility
• Witnesses that evidence is trustworthy
– Custodian identity and custodian familiarity with IT
record procedures
– Description of procedures
– Precautions against errors and error correction
– Reasons why portions of the media were erased
– Collected through normal business methods
– Reason for bypassing some procedures
Legally Permissible
• Avoid illegal acts
– Unlawful obtaining of evidence
– Unlawful search and seizure
– Secret recording (except authorized by court)
– Privacy violations (access to personal data)
– Forced confessions/statements
Evidence Identification &
Preservation
• Key aspects to processing and examining
evidence:
– Planning
– Recognition
– Preservation, collection and documentation
– Classification, comparison and
individualization
– Reconstruction
General Evidence
Dos and Don'ts
• Minimize handling/corruption of original data
• Account for any changes and keep detailed logs of your actions
• Comply with the rules of evidence
• Do not exceed your knowledge
• Follow your local security policy and obtain written permission
General Evidence
Dos and Don'ts, cont.
• Capture as accurate an image of the system as possible
• Be prepared to testify
• Ensure your actions are repeatable
• Work fast
• Proceed from volatile to persistent evidence
• Don't run any programs on the affected system
Source: AusCERT 2003 (www.auscert.org)
IOCE
• In March 1998, the International
Organization on Computer Evidence
(IOCE) was appointed to draw
international principles for the procedures
relating to digital evidence, to ensure the
harmonization of methods and practices
among nations and guarantee the ability to
use digital evidence collected by one state
in the courts of another state.
IOCE-G8
The IOCE-G8 International Principles are governed by
the following attributes:
• Consistency with all legal systems;
• Allowance for the use of a common language;
• Durability;
• Ability to cross international boundaries;
• Ability to instill confidence in the integrity of the evidence;
• Applicability to all forensic evidence; and
• Applicability at every level, including that of individual,
agency, and country.
Six Principles of IOCE-G8
• When dealing with digital evidence, all of
the general forensic and procedural
principles must be applied.
• Upon seizing digital evidence, actions
taken should not change that evidence.
• When it is necessary for a person to
access original digital evidence, that
person should be trained for the purpose.
Six Principles of IOCE-G8, cont.
• All activity relating to the seizure, access, storage or transfer of digital
evidence must be fully documented, preserved and available for review.
• An individual is responsible for all actions taken with respect to digital
evidence whilst the digital evidence is in their possession.
• Any agency which is responsible for seizing, accessing, storing or
transferring digital evidence is responsible for compliance with these
principles.
Forensic Image Data Acquisition
• In keeping with the 2nd IOCE-G8 principle, care
must be taken not to change the evidence.
• Must be careful because
– Examining a live file system changes the state of the
evidence
– The computer/media is the “crime scene”
• Protecting the crime scene is paramount as
once evidence is contaminated it cannot be
decontaminated.
Forensic Copies
• Bit for Bit copying captures all the data on
the copied media including hidden and
residual data (e.g., slack space, swap,
residue, unused space, deleted files etc.)
• Ensure integrity of source and image (e.g.,
hash functions)
– An MD5 sum provides a 128-bit hash value that is
sensitive to any bit change.
– The reported hashes should match.
Acquisition Rules of Thumb
• Make 2 copies of the original media.
– Primary Image – library/control copy
– Working Image – For analysis purposes
– Verify the integrity of the copies to the original
• If performing drive-to-drive imaging, use
proofed media as the destination.
– Zero the media before copying to it.
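The integrity check and two-copy rule of thumb above, together with the Chain of Custody questions earlier in this section (who collected it, how and where, who took possession), as an added Python example; it is not part of the (ISC)2 course material. The "media" are constructed byte strings standing in for devices, so it runs offline; a real acquisition would read the device through a hardware write blocker. The function and class names (`bit_for_bit_copy`, `verify_image`, `ChainOfCustody`, `acquire`), the benign-list-free policy that a destination must be all zeros, and the case id are all assumptions. The slide cites MD5; the example computes SHA-256 alongside it, which is my addition, because two independent digests cost nothing extra and give a stronger record to present.

```python
"""Forensic image acquisition check: refuse non-zeroed destination media,
make two bit-for-bit copies, verify each against the source by hash, and
log every handling step in an append-only chain-of-custody record.
All media here are constructed byte strings, not real devices."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample media (not real disk contents): a source with "live" data,
# slack and deleted-file residue, plus a proofed (zeroed) and a dirty destination.
SOURCE_MEDIA = (b"\x00" * 16 + b"BOOT" + b"file-A" + b"\x00" * 8
                + b"deleted-file-residue" + b"\xde\xad" * 4)
ZEROED_DEST = b"\x00" * 64            # proofed media: every byte is zero
DIRTY_DEST = b"\x00" * 60 + b"OLD!"   # previously used media, never wiped
ALGORITHMS = ("md5", "sha256")        # MD5 as on the slide; SHA-256 added


def digest(data: bytes, algorithm: str = "md5") -> str:
    """Hex digest of a byte string with the named hashlib algorithm."""
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


def is_zeroed(media: bytes) -> bool:
    """Proofed media must contain nothing but zero bytes."""
    return media.count(0) == len(media)


def bit_for_bit_copy(source: bytes, destination: bytes) -> bytes:
    """Return an image of every byte of the source (slack, residue and all).
    Refuses media that was not zeroed, so residue from an earlier case
    cannot later be mistaken for evidence from this one."""
    if not is_zeroed(destination):
        raise ValueError("destination media is not zeroed; wipe it first")
    if len(destination) < len(source):
        raise ValueError("destination media too small for a full copy")
    return bytes(source)


def verify_image(source: bytes, image: bytes, algorithms=ALGORITHMS) -> dict:
    """Hash source and image with each algorithm; every digest must match."""
    return {alg: digest(source, alg) == digest(image, alg) for alg in algorithms}


class ChainOfCustody:
    """Append-only log answering who / how / where / when for each step."""
    def __init__(self, case_id: str):
        self.case_id = case_id
        self.entries = []

    def record(self, action: str, who: str, where: str, item: str, hashes: dict):
        self.entries.append({
            "case": self.case_id,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "action": action, "who": who, "where": where,
            "item": item, "hashes": hashes,
        })

    def to_json(self) -> str:
        return json.dumps(self.entries, indent=2)


def acquire(source: bytes, primary_dest: bytes, working_dest: bytes,
            examiner: str, location: str, case_id: str = "CASE-PLACEHOLDER") -> dict:
    """Two-copy rule: a primary (library/control) image and a working image,
    each verified against the original and logged under the case id."""
    log = ChainOfCustody(case_id)
    source_hashes = {alg: digest(source, alg) for alg in ALGORITHMS}
    log.record("hashed original media", examiner, location, "source", source_hashes)
    images = {}
    for name, dest in (("primary", primary_dest), ("working", working_dest)):
        img = bit_for_bit_copy(source, dest)
        checks = verify_image(source, img)
        if not all(checks.values()):
            raise RuntimeError(f"{name} image failed verification: {checks}")
        log.record(f"created and verified {name} image", examiner, location,
                   name, {alg: digest(img, alg) for alg in checks})
        images[name] = img
    return {"images": images, "source_hashes": source_hashes, "custody": log}


if __name__ == "__main__":
    result = acquire(SOURCE_MEDIA, ZEROED_DEST, ZEROED_DEST, "examiner-1", "lab-A")
    print(result["custody"].to_json())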
What is an Incident?
• Event:
– An observable occurrence; an aspect of an
investigation that can be documented,
verified, and analyzed.
• Incident:
– An adverse event or series of events that
impacts the security or ability of an
organization to conduct normal business
Incidents Include:
• Viruses and other malicious code
• Hacker attack
• Terrorist attack
• Insider attack
• Employee error
• Unauthorized acts by employees
• Competitive intelligence gathering
• Hardware/Software malfunction
Goals of Incident Response
• Provide an effective and efficient means of
dealing with the situation in a manner that
reduces the potential impact to the organization.
• Provide management with sufficient information
in order to decide on an appropriate course of
action.
• Maintain or restore business continuity.
• Defend against future attacks.
• Deter attacks through investigation and
prosecution.
Incident Response Skills
Subtopics
• Skill sets required to meet the goals:
–Recognition Skills
–Technical Skills
–Response Skills
Recognition Skills
• Investigators must be able to recognize
that an incident has occurred.
– Abnormal activities
– Suspicious activities
– Malicious code activities
– Pattern recognition
– Alarms
Technical Skills
• Investigators need to possess the
sufficient skills to be proficient when
dealing with the technology.
– Incident analysis
– Audit trails, event logs
– Incident logs
– Forensic evidence collection and protection
– Counter and/or corrective measures
Response Skills
Investigators need:
• Sufficient knowledge and training in order
to proficiently execute the phases of the
response escalation process.
• Ability to document and record all
information related to the incident
• Ability to develop team leadership skills
Incident Response
Team Members
• Incident response team members
should include representation from
various departments, such as:
– Information Security
– Legal
– Human Resources
– Public Relations
– Communications
– Physical Security
– Network Security
– Network and System Administrators
– Internal Auditors
Escalation Process
Three major sections of the escalation
process:
• Triage
– Notification and Identification
• Action/Reaction
– Containment, Analysis, Tracking
• Follow up
– Repair and Recovery, Prevention
Guidelines for Incident Response
[Figure: Guidelines for Incident Response – Triage (Notification, Identification) → Action/Reaction (Containment, Analysis, Tracking) → Follow up (Repair, Recovery, Prevention), with Feed Back into the process]
Triage
• The process of receiving, initial sorting,
and prioritizing information to facilitate its
appropriate handling.
• Detection
– Notification of an event.
– Identifying that an event has become an
incident.
– Determine if incident has violated any policies
or laws.
Notification and Identification
• Alerted to the fact that something has happened.
• Monitoring systems
– Intrusion Detection
– Event logs
• Alert Function
– Preferably automated
• Human decision
– False positives
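The notification and identification step above (event logs as the monitoring source, an automated alert function, and a human decision for false positives), as an added Python example that is not part of the (ISC)2 course material. The log lines are constructed in an SSH-style syslog layout, and the failure threshold, the known-benign source list and the names `parse` and `triage` are assumptions; a real deployment would take these from the organization's monitoring policy.

```python
"""Event-log triage for notification and identification: parse constructed
auth-log lines, count observable events per source address, and escalate to
an incident only when a policy threshold is crossed.  Sources on a
known-benign list are routed to a human decision instead of auto-escalated,
which is where false positives are filtered out."""
import re
from collections import defaultdict

# Constructed sample lines in a syslog-like layout; not from any real system.
SAMPLE_LOG = """\
2005-03-01T09:00:01 host1 sshd: Failed password for admin from 10.0.0.5
2005-03-01T09:00:03 host1 sshd: Failed password for admin from 10.0.0.5
2005-03-01T09:00:04 host1 sshd: Failed password for admin from 10.0.0.5
2005-03-01T09:00:06 host1 sshd: Failed password for root from 10.0.0.5
2005-03-01T09:00:07 host1 sshd: Accepted password for root from 10.0.0.5
2005-03-01T09:05:00 host2 sshd: Failed password for bob from 10.0.0.9
2005-03-01T09:05:01 host2 sshd: Failed password for bob from 10.0.0.9
2005-03-01T09:05:02 host2 sshd: Failed password for bob from 10.0.0.9
2005-03-01T09:05:03 host2 sshd: Failed password for bob from 10.0.0.9
2005-03-01T09:10:00 host1 sshd: Failed password for alice from 10.0.0.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)

# Assumed policy values: an authorised scanner that is expected to fail logins,
# and the number of failures that turns isolated events into an alert.
KNOWN_BENIGN_SOURCES = {"10.0.0.9"}
FAILURE_THRESHOLD = 3


def parse(log_text: str) -> list:
    """Turn raw lines into event dicts (ts, host, result, user, src).
    Lines that do not match the expected layout are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def triage(events: list, threshold: int = FAILURE_THRESHOLD,
           benign: set = KNOWN_BENIGN_SOURCES) -> list:
    """Group events by source and assign a severity:
    event    - below threshold: record only, no notification
    review   - threshold crossed but source is on the benign list: human decides
    alert    - threshold crossed: automated notification to the responder
    incident - a successful login followed repeated failures: adverse event"""
    per_source = defaultdict(list)
    for e in events:
        per_source[e["src"]].append(e)
    findings = []
    for src, evs in per_source.items():
        failures = 0
        success_after_failures = False
        for e in sorted(evs, key=lambda ev: ev["ts"]):  # ISO timestamps sort as text
            if e["result"] == "Failed":
                failures += 1
            elif failures >= threshold:
                success_after_failures = True
        if failures < threshold:
            severity = "event"
        elif src in benign:
            severity = "review"
        elif success_after_failures:
            severity = "incident"
        else:
            severity = "alert"
        findings.append({
            "src": src,
            "hosts": sorted({e["host"] for e in evs}),
            "users": sorted({e["user"] for e in evs}),
            "failures": failures,
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in triage(parse(SAMPLE_LOG)):
        print(f"{f['severity']:8} {f['src']:10} failures={f['failures']} users={f['users']}")
```

The "review" severity is the human-decision step from the slide: the benign list does not silence the source, it only keeps the automated alert function from escalating it on its own, so a scanner that starts succeeding at logins would still be seen by the person who reviews the finding.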
Action & Reaction
• Once an event becomes an incident it has
to be dealt with in a legally appropriate
manner in order to mitigate or reduce the
impact.
– Containment
– Analysis
– Tracking
Containment
• Containing the incident is vital. This may involve
unplugging systems from the network, or from
the Internet.
• Some incidents are contained over protracted
time periods for analysis purposes.
• Isolating affected or infected systems.
• Goal is to minimize the spread and thus the
damage.
Analysis
• Logs
• Audit Trails
• Information gathering to understand:
– Who, what, when, where, why, and how
• Report to management
Tracking
• Source of the incident
– Internal
– External
• Point of entry or exit
• Must be done in a forensic-friendly manner
– Admissibility
• May involve outside organizations
Follow-up
• Once the incident has been dealt with it is
necessary to conduct a debriefing in order
to determine what went well and what did
not.
• The findings must be “fed” back into the
Incident Response process.
Repair & Recovery
• Reduce the damage
– Reputation
– Contractual obligations
– Financial
• Protect environment while recovering
– Limit services & functions
• Repair systems and environment
Sanctions
• Management decision based on information
provided by the escalation phases
• Criminal
• Civil
• Job sanctions
– Termination
– Suspension
– Permanent file
Subtopics
• Computer Forensics
• Incident Response and Handling
• Investigation, Interviewing and
Interrogation
• Working with Outside Agencies
Interviewing & Interrogation
Interviewing
• The purpose is to discover information
Interrogation
• The purpose is to obtain evidence for trial
Problem Areas
• Disclosing the investigation
• Witness or suspect obtains useful
information.
• Witness or suspect might flee before
charges or bail
• Investigator deceived by witness or
suspect
Trained Personnel
• Personnel should be properly trained
• Process
– 1 lead plus 1-2 other team members.
– Prepare topics or questions.
– Put witness or suspect at ease.
– Summarize information.
Motives
• The motives for committing computer
related offences are the same as the
motives for general crimes. These include
but are not limited to:
– Revenge
– Profit or financial need
– Attention
Behavioral Evidence: Suspect
• Determine suspects
– Internal or External
– Suspect check list
• MOM
– Means
– Opportunity
– Motives
• Vacation history
• Prior employment
• Recent consultants/temps
Enticement vs. Entrapment
Enticement
• The act of influencing by exciting hope or
desire (e.g., honey nets)
Entrapment
• The act of inducing a person to commit a
crime so that a criminal charge will be
brought against them.
Policies & Procedures
• Need pre-approved policy and
procedures for dealing with:
– External reporting agencies
– Law Enforcement
External Reporting
• Include incident reference numbers
• Contact information
• Disclosure information
• Summary of hosts involved
• Description of activity
• Log extracts showing the activity
• Time zone and accuracy of your clock
• Clarify what you would like from the recipient
What should you report?
• Any violations of security policy
– Attempts
– Denial of Service
– Unauthorized use of a system
– Unauthorized changes to hardware, software,
or firmware
Reporting to Law Enforcement
• Obtain management permission
• Use a single point of contact (e.g. legal
dept.)
• Provide detailed chronology
• Provide all documentation, logs, data,
video tapes, etc.
• Develop a formal procedure with the
assistance of local agency
Quick Quiz
• Define computer forensics.
• What is the ‘chain of custody’ of
evidence?
• What ensures the admissibility of
computer evidence?
• What are the phases of incident
response capability?
Section Summary
• Computer forensics is the scientific examination and
analysis of data held on, or retrieved from, computer
storage media in such a way that the information can be
used as evidence in a court of law.
• The chain of custody of evidence shows ‘control’ of the
evidence, from the time that it is collected, to the time that
it is presented in Court.
• Admissibility of computer evidence is ensured by its
relevance, foundation of admissibility, legal permissibility,
and proper identification and preservation of the evidence.
• Phases of the incident response escalation process
include notification and identification, containment,
analysis, tracking, repair and recovery, and prevention.
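Added example, not part of the (ISC)2 course material: a minimal chain-of-custody record in Python that hashes an evidence item at collection, logs every hand-off with an explicit UTC timestamp (the reporting slide's "time zone" point), and re-verifies the hash at each step so that any change between collection and presentation is detected. The function names, record layout and reference-number format are assumptions.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Hash taken at collection and re-computed at every hand-off."""
    return hashlib.sha256(data).hexdigest()


def utc_now() -> str:
    """ISO-8601 UTC timestamp so the time zone of each step is unambiguous."""
    return datetime.now(timezone.utc).isoformat()


@dataclass
class CustodyEntry:
    when: str        # UTC timestamp of this step
    custodian: str   # who holds the evidence after this step
    action: str      # collected / stored / examined / presented
    hash_ok: bool    # did the item still match the collection hash?


@dataclass
class Evidence:
    item_id: str     # evidence reference number (hypothetical format)
    description: str
    original_hash: str
    log: list = field(default_factory=list)


def collect(item_id: str, description: str, data: bytes, collector: str) -> Evidence:
    """Start the chain: hash the item and record who collected it."""
    ev = Evidence(item_id, description, sha256_hex(data))
    ev.log.append(CustodyEntry(utc_now(), collector, "collected", True))
    return ev


def transfer(ev: Evidence, data: bytes, to: str, action: str = "transferred") -> bool:
    """Record a hand-off; returns False (and logs it) if the item no longer matches."""
    ok = sha256_hex(data) == ev.original_hash
    ev.log.append(CustodyEntry(utc_now(), to, action, ok))
    return ok


def chain_intact(ev: Evidence) -> bool:
    """True only if every step in the log verified the original hash."""
    return all(entry.hash_ok for entry in ev.log)
```

A failed verification at any step is left in the log rather than hidden, which is what a court would expect to see when the custody record is produced.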
Ethics
Section Objectives
• Understand the ethical responsibilities of
certain user groups within the
organization.
• Understand and abide by the relevant
codes of ethics for CISSPs.
• List the ethical guidelines relating to
proper usage of the Internet.
Ethical Responsibilities (cont.)
• The CISSP needs to encourage adoption
of ethical guidelines and standards
• The CISSP needs to inform users through
security awareness training about ethical
responsibilities.
Ethical Responsibilities
• Data collectors to data subjects
– accuracy and privacy
• Data custodians to data owner
– availability, integrity and confidentiality
• Data users to owners/subjects
– confidentiality, integrity
Ethical Responsibilities (cont.)
• System users to system owner
– availability, software integrity
• System managers to users
– availability, integrity
• Users to other users
– availability
Basis and Origin of Ethics
• Religion
• Law
• National Interest
• Individual Rights
• Common good/interest
• Enlightened self interest
• Professional ethics/practices
• Standards of good practice
• Tradition/culture
Theories of Ethics
• Teleology
– Ethics of purpose or goal
– Utilitarianism, greatest good to greatest
number
• Deontology
– Ethics of duty
– Frequently religious ethics are deontological
Common Ethical Fallacies
• Computer game
• Law-abiding citizen
• Shatterproof
• Candy-from-a-baby
• Hackers
• Free information
Codes of Ethics
• Relevant Professional Codes of
Ethics include:
– (ISC)2 and other professional codes of
ethics.
– Professional codes may have legal
importance
(ISC)2 Code of Ethics Preamble
• Safety of the commonwealth, duty to our
principals, and to each other requires that
we adhere, and be seen to adhere, to the
highest ethical standards of behavior.
• Therefore, strict adherence to this code is
a condition of certification.
(ISC)2 Code of Ethics Canons
• Protect society, the commonwealth, and
the infrastructure.
• Act honorably, honestly, justly,
responsibly, and legally.
• Provide diligent and competent service to
principals.
• Advance and protect the profession.
Ethics and the Internet RFC 1087
Access and use of the Internet is a
PRIVILEGE & should be treated
as such by all users.
Internet Activities Board (IAB)
Any activity is unethical & unacceptable that
purposely:
• Seeks to gain unauthorized access to Internet
resources
• Disrupts the intended use of the Internet
• Wastes resources (people, capacity, computer)
through such actions
Internet Activities Board (IAB), cont.
• Destroys the integrity of computer-based
information
• Compromises the privacy of users
• Involves negligence in the conduct of
Internet-wide experiments
An Ethics Action Plan
• Corporate guide to computer ethics
• Business and computer ethics policy
• Ethics included in employee handbook
• Computer ethics training campaign
• E-mail and other privacy-related policy
development
Ethics Reviews
• Security Reviews
• Monitoring Employees
• Review of Corporate Culture
• Fraud detection and awareness
• Sales Practices
• Purchasing Procedures
• Competitive Intelligence Gathering
Violation Reports
• Complaints from customers, vendors, and
employees are investigated thoroughly
• Number of complaints received
• Employee turnover in a department higher
than average
Ethics Summary
• Awareness and Training
– Have regular training programs and
management statements to raise ethics
consciousness
• Reward ethical practices
• Implement ethics action plan
Quick Quiz
• What are the ethical responsibilities of
data collectors, custodians of data, and
users?
• What is the main principle of the
Internet Activities Board’s RFC 1087?
• What are key strategies for
organizations in dealing with ethics?
Section Summary
• Ethical responsibilities of data collectors are to ensure the
accuracy and security of the information belonging to the
owners of the data. Responsibilities of custodians include
ensuring the security of the information belonging to
owners. Responsibilities of users include ensuring the
confidentiality and availability of data.
• The Internet Activities Board summarizes its RFC 1087 by
saying that ‘usage of the Internet is a privilege and that is
the way that it should be treated by all users’.
• Organizations should implement awareness programs,
ethics policies, corporate guides, employee handbooks,
and reward good ethical practices, to ensure the ethical
behavior of all employees.