Information Systems Security
Legal, Regulations, and Compliance
Not Just Fun & Games
Continually on the rise
Affects the public and government sectors
Crimes go unnoticed or unreported
Costs billions of dollars each year
Example of Computer Crime
ILOVEYOU, SoBIG, Blaster
DDoS brings down Excite and Yahoo
Extortion for credit card numbers
Stealing funds from financial institutions
Stealing military secrets
Competitors stealing secrets
Types of Laws
Common Law
Criminal Law
Tort Law
Administrative Law
Civil Law
Customary Law
Religious Law
Mixed Law
Criminal Profile
Script Kiddies
– May not understand the ramifications
– “Ankle Biters”: curious individuals
– “Machine Gunners”: dispatch 1000s of probes
Dedicated Cracker
– Chooses victim and gathers intelligence
– More dangerous
– Has a goal in mind from the start
Motivation
Grudge
– Get back at the company or individual
– Terrorist, sympathy, or information warfare
Financial
Business
“Fun”
Example Attacks
Salami
– Carrying out smaller crimes that might go unnoticed
Data diddling
– Modifying data in the computer to change outcomes
Dumpster diving
– Obtaining information in the trash can
Telephone Fraud
Phreakers
– Telephone fraud
– Red boxing: simulating coins dropped into the phone
– Blue boxing: using analog tones to gain long distance
– Black boxing: manipulating voltages
U.S. Privacy Laws
Privacy Act of 1974
– Data held on individuals by government
Electronic Communications Privacy Act of 1986
– Prohibits unauthorized eavesdropping
Health Insurance Portability and Accountability Act (HIPAA)
Gramm-Leach-Bliley Act of 1999
European Union
Reason data is being collected must be stated
Data cannot be used for other purposes
Unnecessary data is not collected
Data kept only while needed
Only necessary individuals have access
No intentional ‘leaking’ of data
Transborder Information Flows
Movement of data across international borders
Different regions have different laws
Restrictions on flow of financial data
Often data flow is taxable
Employee Privacy Act
Must be in security policy and employees should be aware
Ensure monitoring is lawful
Possible types of monitoring
– Key logging
– Cameras
– Telephone
– Email
Common Law - Civil
Tort law – wrongs against individuals resulting in damage
Contract Law
Case law built on precedent
Determines liability
Less of a burden of proof
Embodied in the USC
Criminal
Laws created to protect the public
Public is the plaintiff
Can win criminal and lose civil on the same case, or vice versa
More stringent burden of proof
Includes jail time or death
Administrative Laws
Different by industry
– FDA, Healthcare, Education, etc.
Performance and conduct of organizations, officials, and officers
Deals with industry regulations
Punishment can be financial or may merit imprisonment
US Federal Laws
Electronic Communications Act of 1996
– Wiretap Act
– Stored Communications Act
Computer Fraud and Abuse Act of 1986
– Used in prosecuting computer crimes
– “Anti-hacking law”
Electronic Espionage Act of 1996
– Industrial espionage
– Stealing trade secrets
Intellectual Property Laws
Trade secret
– Maintains confidentiality of proprietary business data
– Owner invested resources to develop
– Data must provide competitive value
Copyright
– Protects original works of authorship
– Protects expression of new ideas
– Source code is copyrightable
– In USA, good for 75 years
More
Trademark
– Protects word, name, symbol, etc. used to identify a product or company
– Protects a company’s look or feel
Patent
– Allows owner to exclude others from practicing the invention for a time period (20 years)
– Invention must be novel and non-obvious
Software piracy
Copying creator’s work without permission
Software Protection Association (SPA)
Business Software Alliance (BSA)
– Washington
Federation Against Software Theft (FAST)
– London
Digital Millennium Copyright Act
Illegal to tamper with or break into controls that protect copyrighted materials
Only protects copyrighted items
Prevents reverse engineering
First attempt to enforce was by Adobe against a white hat at DefCon
Countries Working Together
Countries do not view computer crime the same way
Governments may not work together
Evidence rules are different
Jurisdiction issues
G8 have agreed to fight cybercrime
Interpol distributes info about cross-border crimes
Violation Analysis
Ensure that it is not a user error or misconfiguration
Individuals should be in charge of investigating and determining if a crime exists
Type of investigation
– Internal
– Law enforcement
Law Enforcement vs. Citizens
Search must have probable cause
– 4th Amendment search warrant
Private citizen not subject to 4th Amendment
Private citizen may be a police agent
Role of Evidence
Material offered to judge and jury
May directly or indirectly prove or disprove the crime has been committed
Evidence must be tangible
– Electrical voltages are intangible
– Hard to prove lack of modification
Evidence Requirements
Material – relevant to case
Competent – proper collection, obtained legally, and chain of custody maintained
Relevant – pertains to subject’s motives and should prove or disprove a fact
Chain of Custody
Who obtained it?
Where and when was it obtained?
Who secured it?
Who had control or possession?
How was it moved?
Types of Evidence
Best
– Primary, original documents, not oral
Secondary
– Copies of documents, oral, eyewitness
Direct
– Can prove fact by itself
– Does not need corroborative information
– Information from witness
More Types
Conclusive
– Irrefutable and cannot be contradicted
Circumstantial
– Assumes the existence of another fact
– Cannot be used alone to prove the fact
Corroborative
– Supporting evidence
– Supplementary tool
More Types
Opinion
– Experts give educated opinion
Hearsay
– No firsthand proof
– Computer-generated evidence
Real
– Physical evidence
– Tangible objects
More Types
Documentary
– Records, manuals, printouts
– Most evidence is documentary
Demonstrative
– Aids jury in the concept
– Experiments, charts, animation
Hearsay Rule Exception
Business record exemption to hearsay rule
– Documents can be admitted if created during normal business activity
– This does not include documents created for a specific court case
– Regular business records have more weight
– Federal Rule 803(6)
Records must be in custody on a regular basis
Records are relied upon by normal business
Before the Crime Happens
Select an Incident Response Team (IRT)
Decide whether internal or external
Set policies and procedures
If internal, include
– IT
– Management
– Legal
– PR
Incident Handling
First goal
– Contain and repair damage
– Prevent further damage
– Collect evidence
Evidence Collection
Photograph area
Dump contents from memory
Power down system
Photograph internal system components
Label each piece of evidence
– Bag it
– Seal
– Sign
Forensics
Study of technology and how it relates to law
Image disk and other storage devices
– Bit-level copy (deleted files, slack space, etc.)
– Use specialized tools
– Further work will be done on the copy
Create message digest for integrity
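The imaging and integrity steps above, as an added Python example that is not part of the original slides: a constructed byte string stands in for the seized device, the evidence id, analyst name and location are placeholders, and SHA-256 is assumed as the message digest. It shows why the copy must be bit-level (a plain file copy drops the deleted data and slack space, so its digest no longer matches the source) and how the digest ties the working copy to its chain-of-custody entry.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for a seized drive: a live file, a deleted-file remnant
# and trailing slack space, so that a bit-level image and a plain file copy differ.
SOURCE_DEVICE = b"live file contents\x00" + b"deleted file remnant" + b"\x00" * 32


def message_digest(data: bytes) -> str:
    """Integrity value recorded for the evidence (SHA-256 hex digest, assumed)."""
    return hashlib.sha256(data).hexdigest()


def bit_level_image(device: bytes) -> bytes:
    """Forensic image: every byte, including deleted data and slack space."""
    return bytes(device)


def file_level_copy(device: bytes) -> bytes:
    """What an ordinary copy captures: only the live file, up to its end-of-data NUL."""
    return device.split(b"\x00", 1)[0]


def image_matches_source(source: bytes, image: bytes) -> bool:
    """Further work proceeds on the image only if its digest equals the source digest."""
    return message_digest(source) == message_digest(image)


def custody_record(evidence_id: str, image: bytes, obtained_by: str,
                   location: str, obtained_at: str) -> str:
    """Chain-of-custody entry answering who/where/when, bound to the image digest."""
    return json.dumps({"evidence_id": evidence_id, "sha256": message_digest(image),
                       "obtained_by": obtained_by, "location": location,
                       "obtained_at": obtained_at, "size_bytes": len(image)})


def image_still_intact(record: str, image: bytes) -> bool:
    """Later check that the working copy was not modified since it was logged."""
    return json.loads(record)["sha256"] == message_digest(image)


if __name__ == "__main__":
    image = bit_level_image(SOURCE_DEVICE)
    print("bit-level image verifies:", image_matches_source(SOURCE_DEVICE, image))
    print("file-level copy verifies:",
          image_matches_source(SOURCE_DEVICE, file_level_copy(SOURCE_DEVICE)))
    print(custody_record("HD-001", image, "J. Analyst", "Evidence room 2",
                         datetime.now(timezone.utc).isoformat()))
```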
Things to Look For
Hidden Files
Steganography
Slack Space
Malware
Deleted Files
Swap Files
Trapping the Bad Guy
Enticement
– Legal attempt to lure a criminal into committing a crime
– Provide a honeypot in your DMZ
– Pseudo flaw (software code)
– Padded cell (virtual machine)
Entrapment
– Illegal attempt to trick a person into committing a crime