Law, Investigation, & Ethics
advertisement
Law, Investigation, & Ethics What laws apply to computer crimes, how to determine a crime has occurred, how to preserve evidenced, conduct an investigation, & what are the liabilities. Computer Crimes CISSP Obligations Legal Ethical responsibilities to Employer Constituency being served Profession as a whole Crimes are increasing Hard to estimate economic impact Common Types of Computer Crime DoS, DDos Social Engineering Fraud Espionage Embezzle -ment Password Theft Illegal Content of material Software Piracy Information Warfare Datadiddling Network Intrusions Destruction Dumpster / alteration Diving of data Script Kiddies Terrorism Emanation Spoofing IP Watching addresses Malicious Code Masqueradi ng Examples Slammer Worm of January 03 Code Red Klez Worm DDos against Yahoo, Amazon, etc Feb 2000 Love Letter worm May 2000 Microsoft network penetration Oct 2000 Mitnick’s attacks on phone systems 80’s Morris Internet Worm Nov 88 Attacks on U.S. classified computer systems (The Cuckoo’s Egg) 1986 Problems Jurisdictional International character of Internet Different types of laws Different “desires” of enforcement Rapid pace of technology Out paces laws Out paces understanding by law makers Law Legal Systems Common Law: US, UK, Australia, Canada Civil Law: France, Germany, etc Religious Law: Islamic, etc Ex US Legislative Branch: statutory laws Administrative: Administrative laws Judicial: Common laws in court decisions Statutory Law Collected as Session laws in order of enactment Statutory Codes: subject matter United States Code Code title Number Abbreviation for Code Statutory Section within the title Date of the edition or supplement EX: 18 U.S.C. 1001 (1992) Section 1001 in Title 18 of the 1992 edition of the United States Code: Crimes & Criminal Procedures Administrative & Common Law Administrative Law is Arranged Chronologically: Federal Register Subject Matter: Code of Federal Regulations Common Law is compiled Case Reports chronologically Case Digests by subject matter Common Law Systems Categories Legal Systems Not court decisions Criminal Law Civil Law Individual conduct violates government laws enacted to protect the public Wrong inflicted upon person or org by other person or org Administrative/Regulatory Law Intellectual Property Law Patent Copyright Trade Secret Trademark Proprietary valuable technical info Word, name, etc used to distinguish goods from those sold by others Warranty Patent Right to exclude others from using invention Criteria for patent 1. Must be Process, Machine, Object made by humans, compositions of matter, New use of above 1. 2. 3. Must be useful Must be Novel Must be obvious to skilled person Copyright Original works of authorship Use by educators, researchers & librarians Fair use: limited copying for teaching Limited reproduction for libraries Author’s life + 70 years Warranty Contract that commits org to stand by product Implied Warranty Fitness for particular purpose: seller statements Warranty of merchantability: fit to be sold Express warranty basic requirments Must state is either full or limited Must show coverage is clear easy statements Must insure customer can read before purchase Information & Privacy Laws Right to protection of “personally identifiable information” HIPAA items Principles Notice of disclosure to 3rd parties Choice to opt out of disclosure Access Security Enforcement Privacy Policy Orgs develop & publish covering Type of info collected Cookies & server logs used How info is shared Rules for disclosing to 3rd parties Mechanisms used to protect Privacy-Related Legislation Cable Communications Act Children’s Online Privacy Protection Act Customer Proprietary Network Info Rules Financial Services Modernization Act 1973 U.S. Code of Fair Info Practices Must not be record systems who’s existence is kept secret Must be a way for person to find out what kept Must be a way to prevent info being kept Org must insure info is accurate European Union (EU) Principles Generally more protective than US Therefore transfer from US is a problem Principles Info cannot be disclosed without permission of person or authorized by law Records must be up-to-date Individuals have right to correct errors Info can be used only for original purpose Individuals have right to receive report on info held Transmission of info prohibited where equivalent personal data protection cannot be assured Health Care-Related Privacy Issues Excellent example of privacy issues Access controls usually do not provide sufficient granularity to implement least privilege Most off-the-shelf apps not adequate Outside partners, members, etc User access via Internet a problem Criminal & Civil penalties Public perception U.S. Kennedy-Kassebaum Health Insurance Portability & Accountability Act (1996) Standard: Safeguards Platform for Privacy Preferences (P3P) W3C privacy practices for web sites Org can post privacy policy as xml Who has access Type of info stored How info is used Legal entity making privacy statement Posting requires org to think about privacy issues P3P enabled web browsers AT&T’s Privacy Bird software Electronic Monitoring Keystroke monitoring Email monitoring Surveillance cameras Badges RFID Magnetic entry cards Org should Inform employees what monitored Uniformly apply Explain what is acceptable use Tell who can see and what used for Enticement vs Entrapment Misc Privacy Laws 2000 U.S. Electronic Signatures in Global & National Commerce PATRIOT Act Subpoena of electronic records Monitoring of Internet Search & seizure of info on live systems Notification of warrant can come after search Federal Info Security Mgt Act Ensure effectiveness of info security controls Recognize highly networked government Maintenance of minimum info controls Provide improved oversight Investigation Computer forensics collecting info about computer system admissible in court Issues Compressed time frame Info is intangible Investigation might interfere with “normal” Difficulty in gathering info Data for investigation co-located with “normal” Expert / specialist required International problems Expanded definitions of property to include electronic info Evidence Gathering, Control, Storage & Preservation are extremely critical Subject to easy modification “Chain of Evidence” Location where obtained Time obtained Id of person obtaining ID of people securing ID of people controlling Evidence Life Cycle 1. 2. 3. 4. 5. 6. 7. 8. 9. Discovery & recognition Protection Recording Collection Identification Preservation Transportation Presentation in court Return to owner Evidence Admissibility Relevant Legally permissible Not been tampered with or altered Identification Obtained in lawful manner Reliability Related to crime: describes, time, what has occured Properly identified without altering Preservation Not subject to damage or destruction Types of Evidence Best evidence: originals Secondary: copy of originals Direct: five senses Conclusive: Incontrovertible Opinions: Expert & Non-expert (facts only) Circumstantial: inference Hearsay: third party (not admissible in court) Conducting the Investigation Involve Management, Org security, human resources, legal department Watch for retaliatory acts Prepare plan ahead of time Establish prior liaison with law enforcement Jurisdiction Set up means for reporting computer crimes Establish procedures for dealing with Plan for and & conduct investigation Insure proper collection of evidence Conducting the Investigation Prevent negative publicity if possible Exigent Circumstances Doctrine Good sources of evidence Search without warrant when destruction of evidence in deemed imminent Too early (strict) vs too late Telephone records, video cameras, audit trails, system logs, backups, witnesses, emails Motive – Opportunity - Means Liability Senior Mgt subject to $290M in fines if orgs do not comply with law Prudent man rule Due care or reasonable care Prevent orgs resources use in DDos Backups Scans for malicious code BC & DR Plans Local & remote access controls Security policies, procedures, & guidelines Personnel screening Establishing an incident handling plan Incident Handling Plan Questions What is considered an incident How should incident be reported To whom should be reported When should senior mgt be told What action should be taken Who should handle the response How much damage was caused What info was damaged or compromised Are recovery procedures ok What type of follow up required Should additional safeguards be implemented Ethics (ISC)2 Code of Ethics Coalition for Computer Ethics Not use computer to harm others Not interfere with other’s computer work Not snoop Not use computer to steal Not use computer to bear false witness Not copy or use stolen software Not use computers without authorization Not steal other’s intellectual output Think about social consequences of computer use Use computer in ways to ensure consideration & respect for others Unacceptable Activities Seeks to gain unauthorized access Destroys integrity of computer based info Disrupts the intended use of Internet Wastes resources such as people, capacity or computers Compromises privacy of others Involves negligence in conduct of Internet experiments Organization for Economic Cooperation & Development Collection Limitation Data Quality Purpose Specification Use Limitation Security Safeguards Openness Individual Participation Accountability Transborder Issues
