COMPUTER LAW, INVESTIGATION AND ETHICS
DOMAIN
LTU CISSP
Objectives
To review computer crime laws and regulations;
investigative measures and techniques used to determine if
a crime has been committed and methods to gather
evidence; and the ethical constraints that provide a code of
conduct for the security professional.
To review the methods for determining if a computer crime
has been committed; the laws that would be applicable for
the crime; laws prohibiting specific types of computer
crime; methods to gather and preserve evidence of a
computer crime, investigative methods and techniques;
and ways in which RFC 1087 and the (ISC)2 Code of Ethics
can be applied to resolve ethical dilemmas.
Topics to Be Covered
 Computer Laws
 Computer Crime
 Computer Crime Investigations
 Computer Ethics

COMPUTER CRIME LAWS
Proprietary Rights & Obligations
Legal Forms of Protection
 Trade Secrets: Information that Provides a Competitive Advantage. Protect Ideas.
 Copyrights: Right of an Author to Prevent Use or Copying of the Author's Works. Protect Expression of Ideas.
 Patents: Protect Results of Science, Technology & Engineering (Inventions).
Business Needs
 Protect Developed Software
 Contractual Agreements
 Define Trade Secrets for Employees
Proprietary Rights & Obligations (continued)
Security Techniques to Protect Trade Secrets
 Numbering Copies
 Logging Document Issuance
 Checking Files & Workstations
 Secure Storage
 Controlled Distribution
 Limitations on Copying
Contractual Commitments to Protect Proprietary Rights
 Licensing Agreements with Vendors
 Liability for Compliance
Proprietary Rights & Obligations (continued)
Enforcement Efforts
 Software Publishers Association (SPA)
 Federation Against Software Theft (FAST)
 Business Software Alliance (BSA)
Personal Computers
 Establish User Accountability
 Policy Development and Circulation
 Purging of Unlicensed Proprietary Software
Protection for Computer Objects
 Hardware - Patents
 Firmware
   Patents for Physical Devices
   Trade Secret Protection for Code
 Object Code Software - Copyrights
 Source Code Software - Trade Secrets
 Documentation - Copyrights
Management Problems
Corporate Recordkeeping
 Accuracy of Computer Records: Potential Use in Court
 IRS Rules: Inadequate Controls May Impact Audit Findings
Labor and Management Relations
 Collective Bargaining: Disciplinary Actions, Workplace Rules
 Work Stoppage
 Limitations on Background Investigations
 Limitations on Drug and Polygraph Testing
 Disgruntled Employees
 Non-Disclosure Requirements
 Immigration Laws
 Establishment and Enforcement of Security Rules
Management Problems (continued)
Data Communications: Disclosure through
 Eavesdropping and Interception
 Loss of Confidential Information
Outsourcing
 Contract Review
 Review of Contractor's Capabilities
 Impact of Downsizing
 Contractor Use of Proprietary Software
Management Problems (continued)
Personal Injury
 Employee Safety
 Carpal Tunnel Syndrome
 Radiation Injury
Insurance Against Legal Liability
 Requirements for Security Precautions
 Right to Inspect Premises
 Cooperation with Insurance Company
Legal Liability
Due Care: Minimum and Customary Practice of Responsible Protection of Assets
Due Diligence: The Prudent Management and Execution of Due Care
Programming Errors: Reasonable Precautions for Loss of a Program
 Unauthorized Revisions
 Availability of Backup Versions
Product Liability
 Liability for Database Inaccuracies: Due to Security Breaches
 European Union: No Limits on Personal Liability for Personal Injury
Legal Liability (continued)
Defamation
 Libel Due to Inaccuracy of Data
 Unauthorized Release of Confidential Information
 Alteration of Visual Images
Foreign Corrupt Practices Act
 Mandate for Security Controls or Cost/Benefit Analysis
 Potential SEC Litigation
Legal Liability (continued)
Failure to Observe Standards
 FIPS Pubs and CSL Bulletins (NIST Federal Information Processing Standards and Computer Systems Laboratory Bulletins)
 Failure to Comply Used in Litigation
Personal Liability
 Action or Inaction was the Proximate Cause
 Financial Responsibility to Plaintiff
 Joint and Several Liability
Legal Liability (continued)
Federal Sentencing Guidelines
 Chapter 8 (Sentencing of Organizations) Added 1991
 Applicable to Organizations
 Violations of Federal Law
 Specifies Levels of Fines
 Mitigation of Fines Through Implementation of Precautions (an Effective Compliance Program)
Privacy & Other Personal Rights
The Federal Privacy Act of 1974 (5 U.S.C. § 552a)
 Government Files Open to Public Unless Specified
 Act Applies to Executive Branch Only
 "Record" = Information about an Individual
 Must be a Need to Maintain Records
 Disclosure Prohibited without Consent
 Requirements on Government Agencies
   Keep an Accounting of Record Disclosures
   Public Notice of Existence of Records
   Ensure Security & Confidentiality of Records
Privacy and Other Personal Rights (continued)
State Acts and Regulations
 Fair Information Practices Acts: Define Information that Can be Collected
 Uniform Information Practices Code - National Conference of Commissioners on Uniform State Laws: Recommended Model
 Statutes Regulating Information Maintained by Private Organizations: e.g., Health Care, Insurance
Privacy and Other Personal Rights (continued)
Other Employee Rights
 Electronic Mail: Expectations of Privacy
 Drug Testing: Limited to Sensitive Positions Only
 Freedom From Hostile Work Environment
International Privacy
 European Statutes Cover Both Government and Private Corporate Records
 Application Primarily to Computerized Data Banks
 Strict Rules on Disclosure
 Prohibitions on Transfer of Information Across National Boundaries
Privacy and Other Personal Rights (continued)
Management Responsibilities
 Regular Review with Legal Department
 Consider all Jurisdictions
 Prepare Policies for Compliance
 Enforce Policies
 Document Enforcement
Computer-Related Laws
Criminal Law
 Victim is Society
 Purpose of Prosecution is Punishment
 Deterrent Effect of Punishment
 Burden of Proof: Guilt Beyond a Reasonable Doubt
 Felonies - Imprisonment for More Than One Year
 Misdemeanors - Imprisonment for One Year or Less
 Federal and State Levels
   Elements of Proof Vary Between and Among Jurisdictions
   Specific vs. General Applicability
Computer Crime Laws
Federal
 Computer Fraud and Abuse Act (18 U.S.C. § 1030). The 1986 Act used the term "Federal Interest Computer" (FIC); since the 1996 amendments the statute covers the broader class of "protected computers", which includes any computer used in or affecting interstate or foreign commerce or communication.
  *Accessing an FIC to acquire national defense information
  Accessing an FIC to obtain financial information
  Accessing an FIC to deny the use of the computer
  *Accessing an FIC to further a fraud
  *Damaging or denying use of an FIC through transmission of code, program, information or command
  Furthering a fraud by trafficking in passwords
 Economic Espionage Act of 1996: Obtaining trade secrets to benefit a foreign government, instrumentality or agent (18 U.S.C. § 1831); § 1832 separately criminalizes theft of trade secrets for commercial advantage regardless of any foreign involvement.
 Electronic Funds Transfer Act: Covers the use, transport, sale, receipt or furnishing of counterfeit, altered, lost, stolen, or fraudulently obtained debit instruments in interstate or foreign commerce.
Federal Computer Crime Laws (continued)
Child Pornography Prevention Act of 1996 (CPPA): Prohibits use of computer technology to produce child pornography. (Its provisions reaching computer-generated "virtual" images were struck down as overbroad in Ashcroft v. Free Speech Coalition, 2002.)
Computer Security Act of 1987: Requires Federal Executive agencies to Establish Computer Security Programs. (Superseded by FISMA in 2002.)
Electronic Communications Privacy Act (ECPA, 1986): Prohibits unauthorized interception or retrieval of electronic communications.
Fair Credit Reporting Act: Governs the types of data that companies may collect on private citizens and how it may be used.
Foreign Corrupt Practices Act: Aimed at bribery of foreign officials, but its accounting provisions apply to all companies registered with the SEC and require them to maintain a system of internal accounting controls.
Freedom of Information Act: Permits public access to information collected by the Federal Executive Branch.
Computer Laws (continued)
Civil Law (Tort Law)
 Damage/Loss to an Individual or Business
 Type of Punishment Different: No Incarceration
 Primary Purpose is Financial Restitution
   Compensatory Damages: Actual Damages, Attorney Fees, Lost Profits, Investigation Costs
   Punitive Damages: Set by Jury to Punish Offender
   Statutory Damages: Established by Law
 Lower Burden of Proof than Criminal Law: Preponderance of the Evidence (there is no "conviction" in a civil case, only a judgment for the plaintiff)
 Impoundment Orders/Writs of Possession: Civil Equivalent of a Search Warrant
Computer Laws (continued)
International Laws
 Lack of Universal Cooperation
 Differences in Interpretations of Laws
 Outdated Laws Against Fraud
 Problems with Evidence Admissibility
 Extradition
 Low Priority
Computer Crime
Computer Crime as a Separate Category
 Rules of Property: Lack of Tangible Assets
 Rules of Evidence: Lack of Original Documents
 Threats to Integrity and Confidentiality: Go beyond the normal definition of a loss
 Value of Data: Difficult to Measure. Cases of Restitution only for the Media
 Terminology: Statutes have not kept pace. Is Computer Hardware "Machinery"? Does Software qualify as "Supplies"?
Computer Crime (continued)
Computer Crime is Hard to Define
 Lack of Understanding
 Laws are Inadequate: Slow to Keep Pace with Rapidly Changing Technology
Multiple Roles for Computers
 Object of a Crime: Target of an Attack
 Subject of a Crime: Used to Attack (impersonating a network node)
 Medium of a Crime: Used as a Means to Commit a Crime (Trojan Horse)
Computer Crime (continued)
Difficulties in Prosecution
 Understanding: Judges, Lawyers, Police, Jurors
 Evidence: Lack of Tangible Evidence
 Forms of Assets: e.g., Magnetic Particles, Computer Time
 Juveniles:
   Many Perpetrators are Juveniles
   Adults Don't Take Juvenile Crime Seriously
Legal Aspects of Cryptography
 Prohibitions on Use Approach (e.g., France)
 Prohibitions on Export (e.g., USA, GB, CAN, GER)
 US Controls Export of Cryptography Implemented in Software
 Practically Impossible to Enforce
This slide describes the policy of the mid-1990s. France abolished its domestic restrictions on the use of cryptography in 1999, and the US substantially relaxed export controls on mass-market and publicly available encryption software in 2000. Export controls on cryptography still exist (EAR Category 5 Part 2) but no longer restrict ordinary use.
Nature and Extent of Computer-Related Crime
Typology
 Input Tampering: Entry of Fraudulent or False Data
 Throughput Tampering: Altering Computer Instructions
 Output Tampering: Theft of Information
Most Common Crimes
 Input and Output Type
 Fraudulent Disbursements
 Fabrication of Data
The Computer Criminal
Typical Profile
 Male, White, Young
 No Prior Record
 Works in Data Processing or Accounting
Myths
 Special Talents are Necessary
 Fraud has Increased Because of Computers
The Computer Criminal (continued)
Personal Motivations
 Economic
 Egocentric
 Ideological
 Psychotic

The Computer Criminal (continued)
Environmental Motivations
 Work Environment
 Reward System
 Level of Interpersonal Trust
 Ethical Environment
 Stress Level
 Internal Controls Environment
The Control Environment
Factors that Encourage Crime
 Motivation
 Personal Inducements
Factors that Discourage Crime
 Prevention Measures
   Internal Controls Systems
   Access Control Systems
 Detection Measures
   Auditing
   Supervision
COMPUTER CRIME INVESTIGATION
Investigation Steps
Detection and Containment
 Accidental Discovery
 Audit Trail Review
 Real-Time Intrusion Monitoring
 Limit Further Loss
 Reduction in Liability
Report to Management
 Immediate Notification
 Limit Knowledge of Investigation
 Use Out-of-Band Communications
Investigation Steps (continued)
Preliminary Investigation
 Determine if a Crime has Occurred
 Review Complaint
 Inspect Damage
 Interview Witnesses
 Examine Logs
 Identify Investigation Requirements
Investigation Steps (continued)
Disclosure Determination
 Determine if Disclosure is Required by Law
 Determine if Disclosure is Desired
 Caution in Dealing with the Media
Courses of Action
 Do Nothing
 Surveillance
 Eliminate Security Holes
 Is a Police Report Required?
 Is Prosecution a Goal?
Investigation Steps (continued)
Conducting the Investigation
Investigative Responsibility
 Internal Investigation
 External Private Consultant Investigation
 Local/State/Federal Investigation
Factors
 Cost
 Legal Issues (Privacy, Evidence, Search & Seizure)
 Information Dissemination
 Investigative Control
Investigative Process
Identify Potential Suspects
 Insiders
 Outsiders
 Collaboration
Identify Potential Witnesses
 Who to Interview
 Who Should Conduct the Interview
Investigative Process (continued)
Identify Type of System to be Seized
 Network, Hardware & Software Configuration
 System Experts
 Security System in Place
 Location of System
 Elements of Proof
 Probable Cause/Warrant
 Location of Analysis
Investigative Process (continued)
Identify Search and Seizure Team Members
 Lead Investigator
 Information Security Representative
 Legal Representative
 Technical Representatives
Obtain and Serve Search Warrants
Determine if System Is at Risk
 Access of Suspect
 Potential Destruction of Evidence
Investigation Steps (continued)
Execute the Plan
 Secure and Control Scene
 Protect Evidence
 Don't Touch Keyboard
 Videotape Process
 Capture Monitor Display
 Unplug System
 Remove Cover
 Disks and Drives
 Search Premises (for Magnetic Media and Documentation)
 Seize Other Devices (that may contain information)
"Unplug System" reflects the practice of the time for standalone PCs. Pulling the plug destroys everything in volatile memory (running processes, network connections, and the keys of any mounted encrypted volumes), so current guidance (e.g., RFC 3227, Guidelines for Evidence Collection and Archiving) is to collect in order of volatility, capturing memory and network state before powering down, and to choose between graceful shutdown and pulling the plug according to the operating system and the evidence sought.
Investigation Steps (continued)
Conduct Surveillance
 Physical: Determine Subject's Habits, Associates, Life Style
 Computer: Audit Logs or Electronic Monitoring
Other Information Sources
 Personnel Files
 Telephone and Fax Logs
 Security Logs
 Time Cards
Investigative Reporting
 Document Known Facts
 Statement of Final Conclusions
Computer Forensics
 Conduct a Disk Image Backup of the Suspect System: Bit-level Copy of the Disk, Sector by Sector (acquired through a write-blocker so the original is never modified; all analysis is done on the copy)
 Authenticate the File System: Create a Message Digest for all Directories, Files & Disk Sectors, and for the image as a whole, so the copy can later be shown to match the original. Use a collision-resistant hash such as SHA-256; MD5, the usual choice when this material was written, should no longer be relied on alone because collisions can be produced at will.
 Analyze Restored Data: Conduct Forensic Analysis in a Controlled Environment
   Search Tools: Quick View Plus, Expert Witness (the predecessor of EnCase), Super Sleuth
   Searching for Obscure Data: Hidden Files/Directories, Erased or Deleted Files, Encrypted Data, Overwritten Files
   Steganography: Hiding a Piece of Information within Another (e.g., a message inside an image file)
   Review Communications Programs: Links to Others
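The imaging and authentication steps above, as an added example that is not part of the original slide deck: a sector-by-sector acquisition of a simulated disk with a SHA-256 manifest, and a verification pass that detects and localizes a single altered byte in the analysis copy. The SuspectDisk class, the sample data and the unreadable sector are constructed for illustration; a real acquisition reads the device through a write-blocker with a tool such as dd or dc3dd.

```python
"""Sector-by-sector disk imaging with a SHA-256 manifest (added example).

SuspectDisk stands in for a raw block device; SOURCE_DISK and the unreadable
sector are constructed test data, not from any real case."""
import hashlib

SECTOR_SIZE = 512  # legacy sector size; many modern drives report 4096


class SuspectDisk:
    """Simulated block device. Sectors listed in bad_sectors raise an I/O error
    on read, so the imager has to handle unreadable media the way
    dd conv=noerror,sync does (constructed for this example)."""

    def __init__(self, data: bytes, bad_sectors=()):
        self.data = data
        self.bad = set(bad_sectors)

    @property
    def sector_count(self) -> int:
        return (len(self.data) + SECTOR_SIZE - 1) // SECTOR_SIZE

    def read_sector(self, n: int) -> bytes:
        if n in self.bad:
            raise IOError(f"read error at sector {n}")
        return self.data[n * SECTOR_SIZE:(n + 1) * SECTOR_SIZE]


def acquire_image(disk: SuspectDisk):
    """Copy every sector into an image. Unreadable sectors are zero-filled so
    image offsets still line up with the source, and their numbers are returned
    so the examiner's report can state exactly what could not be read."""
    image = bytearray()
    unreadable = []
    for n in range(disk.sector_count):
        try:
            sector = disk.read_sector(n)
        except IOError:
            sector = b""
            unreadable.append(n)
        image += sector.ljust(SECTOR_SIZE, b"\0")
    return bytes(image), unreadable


def build_manifest(image: bytes) -> dict:
    """Whole-image digest (what goes on the evidence tag) plus one digest per
    sector (so a later mismatch can be localized). SHA-256 rather than MD5:
    MD5 collisions are practical, so MD5 alone no longer proves identity."""
    sectors = [hashlib.sha256(image[i:i + SECTOR_SIZE]).hexdigest()
               for i in range(0, len(image), SECTOR_SIZE)]
    return {"sha256": hashlib.sha256(image).hexdigest(), "sectors": sectors}


def verify_image(image: bytes, manifest: dict):
    """Return (matches, changed_sectors). matches is True only if the whole-image
    digest is identical; changed_sectors lists where a copy has diverged."""
    matches = hashlib.sha256(image).hexdigest() == manifest["sha256"]
    changed = []
    for i, expected in enumerate(manifest["sectors"]):
        chunk = image[i * SECTOR_SIZE:(i + 1) * SECTOR_SIZE]
        if hashlib.sha256(chunk).hexdigest() != expected:
            changed.append(i)
    return matches, changed


# Constructed sample: 4096 bytes = 8 sectors, sector 5 unreadable.
SOURCE_DISK = SuspectDisk(bytes(range(256)) * 16, bad_sectors={5})


def demo() -> dict:
    image, unreadable = acquire_image(SOURCE_DISK)
    manifest = build_manifest(image)
    # Analysis copy with a single flipped bit, e.g. a "corrected" timestamp.
    tampered = bytearray(image)
    tampered[3 * SECTOR_SIZE + 10] ^= 0x01
    return {
        "unreadable": unreadable,
        "original": verify_image(image, manifest),
        "tampered": verify_image(bytes(tampered), manifest),
    }


if __name__ == "__main__":
    print(demo())
```

The per-sector digests are what make the manifest useful beyond a yes/no answer: when a copy fails verification, the examiner can state which sector changed and compare it against the original image, and the list of unreadable sectors documents exactly where the zero-fill came from rather than leaving gaps to be explained under cross-examination.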
Computer Forensics (continued)
Reassemble and Boot Suspect System with Clean Operating System
 Target System May Be Infected
 Obtain System Time as Reference
 Run Complete System Analysis Report
Boot Suspect System with Original Operating System
 Identify Rogue Programs
 Identify Background Programs
 Identify What System Interrupts have Been Set
Both boots must be performed on a verified copy of the image (a restored duplicate drive or a virtual machine built from the image), never on the seized original: booting an operating system writes to its own disk (logs, timestamps, swap), which would alter the evidence and invalidate the message digests taken at acquisition.
Computer Forensics (continued)
Search Backup Media: Don't Forget Off-Site Storage
Search Access Controlled Systems and Encrypted Files
 Password Cracking
 Publisher Back Door
 Documentary Clues
 Ask the Suspect
 Case Law on Obtaining Passwords from Suspects
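The steganography item on the first Computer Forensics slide, as an added example that is not part of the original deck: the simplest technique, hiding a message in the least-significant bit of each byte of a carrier such as raw 8-bit image samples, with the matching recovery routine. It shows why concealed data is hard to find by inspection (no byte changes by more than one) and why it is still caught by hashing (the file digest changes). CARRIER and SECRET are constructed test data.

```python
"""LSB steganography: embed and recover a message in the low bit of each
carrier byte (added example). CARRIER and SECRET are constructed test data."""
import hashlib


def embed_lsb(carrier: bytes, secret: bytes) -> bytes:
    """Hide a 4-byte big-endian length header followed by the secret, one bit per
    carrier byte, overwriting only bit 0 so no byte changes by more than 1."""
    payload = len(secret).to_bytes(4, "big") + secret
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(carrier):
        raise ValueError("carrier too small for payload")
    stego = bytearray(carrier)
    for idx, bit in enumerate(bits):
        stego[idx] = (stego[idx] & 0xFE) | bit
    return bytes(stego)


def _read_bits(stego: bytes, start: int, count: int) -> bytes:
    """Reassemble `count` bytes from the low bits of stego[start:]."""
    out = bytearray()
    for b in range(count):
        byte = 0
        for i in range(8):
            byte = (byte << 1) | (stego[start + b * 8 + i] & 1)
        out.append(byte)
    return bytes(out)


def extract_lsb(stego: bytes) -> bytes:
    """Read the length header, then that many bytes. A carrier with no payload
    yields an implausible length, which the bounds check rejects."""
    if len(stego) < 32:
        raise ValueError("too short to hold a header")
    length = int.from_bytes(_read_bits(stego, 0, 4), "big")
    if 32 + length * 8 > len(stego):
        raise ValueError("header claims more data than the carrier holds")
    return _read_bits(stego, 32, length)


def max_byte_delta(a: bytes, b: bytes) -> int:
    """Largest per-byte difference; 1 means only LSBs changed, i.e. invisible
    in an 8-bit image, while the file hash still changes completely."""
    return max(abs(x - y) for x, y in zip(a, b))


# Constructed carrier of 512 'pixel' bytes and a short constructed message.
CARRIER = bytes((i * 37 + 11) % 256 for i in range(512))
SECRET = b"meet at 0300"


def demo() -> dict:
    stego = embed_lsb(CARRIER, SECRET)
    return {
        "recovered": extract_lsb(stego),
        "max_delta": max_byte_delta(CARRIER, stego),
        "same_size": len(stego) == len(CARRIER),
        "hash_changed": hashlib.sha256(stego).digest() != hashlib.sha256(CARRIER).digest(),
    }


if __name__ == "__main__":
    print(demo())
```

Real tools vary the bit positions, spread the payload with a key and compress or encrypt it first, so an examiner cannot simply run an extractor; the practical signal is the presence of the stego tool itself, duplicate image files whose hashes differ, or statistical anomalies in the LSB plane.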
Rules of Evidence
Types of Evidence
 Direct: Oral Testimony by a Witness
 Real: Tangible Objects/Physical Evidence
 Documentary: Printed Business Records, Manuals, Printouts
 Demonstrative: Used to Aid the Jury (Models, Illustrations, Charts)
Best Evidence Rule: Prefers the Original, to Limit the Potential for Alteration
Exclusionary Rule: Evidence Must be Gathered Legally or it Can't Be Used
Hearsay Rule: Key for Computer-Generated Evidence
 Second-Hand Evidence
 Admissibility Based on Veracity and Competence of Source
 Exceptions: Rule 803(6) of the Federal Rules of Evidence (Business Records: created at the time by a person with knowledge, made in the course of regular business, routinely kept, supported by testimony of the custodian or another qualified witness)
Rules of Evidence (continued)
Chain of Evidence (Chain of Custody): Accountability & Protection
 Who Obtained the Evidence
 Where and When it was Obtained
 Who Secured it
 Who Controlled it
 Account for Everyone Who Had Access to or Handled the Evidence
 Assurance Against Tampering
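The chain-of-custody requirements above, as an added example that is not part of the original deck: a custody log in which each entry records who, when, where and the evidence digest at handover, and each entry's own hash covers the previous entry, so that editing any past entry or substituting the evidence is detectable. Names, times, evidence ID and the evidence digest are constructed; in practice the digest would come from the imaging step and the log would itself be signed or stored on write-once media.

```python
"""Hash-chained chain-of-custody log (added example). Every entry records who,
when, where and the evidence digest at handover, and its own SHA-256 covers
the previous entry's hash, so altering any past entry breaks the chain.
Names, times and the evidence digest below are constructed."""
import hashlib
import json
from dataclasses import dataclass, asdict

GENESIS = "0" * 64  # previous-hash value for the first entry


@dataclass
class CustodyEntry:
    evidence_id: str
    action: str            # seized / transferred / stored / analyzed / returned
    handler: str
    location: str
    timestamp: str         # ISO 8601, as written by the handler
    evidence_sha256: str   # digest of the evidence image at this handover
    prev_entry_hash: str
    entry_hash: str = ""

    def compute_hash(self) -> str:
        """Digest over every field except entry_hash itself, in canonical JSON."""
        body = asdict(self)
        body["entry_hash"] = ""
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class CustodyLog:
    def __init__(self):
        self.entries = []

    def record(self, **fields) -> CustodyEntry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        entry = CustodyEntry(prev_entry_hash=prev, **fields)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return the index of the first bad entry, or None if the chain holds.
        Checks: the entry hashes to what it claims, it links to the previous
        entry, and the evidence digest still equals the one recorded at seizure."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if (e.prev_entry_hash != prev
                    or e.entry_hash != e.compute_hash()
                    or e.evidence_sha256 != self.entries[0].evidence_sha256):
                return i
            prev = e.entry_hash
        return None

    def handlers(self) -> list:
        """Everyone who had the evidence, in order: the 'account for everyone' item."""
        return [e.handler for e in self.entries]


# Constructed sample case; the digest would come from the imaging step.
EVIDENCE_DIGEST = "a3" * 32


def build_sample_log() -> CustodyLog:
    log = CustodyLog()
    common = {"evidence_id": "E-0001", "evidence_sha256": EVIDENCE_DIGEST}
    log.record(action="seized", handler="D. Lee", location="Server room 2",
               timestamp="2024-03-01T09:15:00Z", **common)
    log.record(action="transferred", handler="M. Ortiz", location="Evidence locker",
               timestamp="2024-03-01T11:40:00Z", **common)
    log.record(action="analyzed", handler="A. Chen", location="Forensics lab",
               timestamp="2024-03-04T08:00:00Z", **common)
    return log


def tamper_with_handler(log: CustodyLog):
    """Rewrite history: someone edits who held the evidence on day one."""
    log.entries[1].handler = "unknown"
    return log.verify()


def substitute_evidence(log: CustodyLog):
    """Swap the image and recompute the last entry's hash to hide it: the
    chain still links, but the digest no longer matches the one at seizure."""
    last = log.entries[-1]
    last.evidence_sha256 = "ff" * 32
    last.entry_hash = last.compute_hash()
    return log.verify()


if __name__ == "__main__":
    print(build_sample_log().verify(), tamper_with_handler(build_sample_log()),
          substitute_evidence(build_sample_log()))
```

The chain only proves internal consistency; someone holding the whole log could rewrite every entry from the point of the change onward. That is why the last entry's hash (or the whole log) is in practice countersigned, printed on the evidence tag, or written to media the custodian cannot alter.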
Rules of Evidence (continued)
Admissibility of Evidence: Computer-generated Evidence is Always Suspect
 Relevancy: Must Prove a Fact that is Material to the Case
 Reliability: Prove the Reliability of the Evidence and of the Process for Producing It
Evidence Life Cycle
 Collection and Identification
 Storage, Preservation, and Transportation
 Presentation in Court
 Return to Victim (Owner)
Legal Proceedings
Discovery
 Defense Granted Access to All Investigative Materials
 Protective Order Limits Who Has Access
Grand Jury and Preliminary Hearings
 Witnesses Called
 Assign Law Enforcement Liaison
Trial: Unknown Results
Recovery of Damages: Through Civil Courts
Legal Proceedings (continued)
Post Mortem Review: Analyze Attack and Close Security Holes
 Incident Response Plan
 Information Dissemination Policy
 Incident Reporting Policy
 Electronic Monitoring Statement
 Audit Trail Policy
 Warning Banner (Prohibit Unauthorized Access and Give Notice of Monitoring)
 Need for Additional Personnel Security Controls
COMPUTER ETHICS

Ethics Origins and Outlook
Differences Between Law and Ethics: Must vs. Should
Origins
 Common Good
 National Interest
 Individual Rights
 Enlightened Self-Interest
 Law
 Tradition/Culture
 Religion
Fundamental Changes to Society
No Sandbox Training
Common Fallacies of the Computer Generation
 The Computer Game Fallacy: If the Computer Lets You Do It, It Must Be Allowed (Computers are Assumed to be Designed to Prevent Abuse)
 The Law-Abiding Citizen Fallacy: Constitutional Rights
 The Shatterproof Fallacy: Limited Effects
 The Candy-from-a-Baby Fallacy: It's Easy So It Must be OK
 The Hacker's Fallacy: Means of Learning
 The Free Information Fallacy: Information Wants to Be Free
Resources
 National Computer Ethics and Responsibilities Campaign (NCERC)
 Computer Ethics Resource Guide
 National Computer Security Association (NCSA)
 Computer Ethics Institute
   1991 - Ten Commandments of Computer Ethics
   End User's Basic Tenets of Responsible Computing
   Four Primary Values
   Considerations for Conduct
   The Code of Fair Information Practices
   Unacceptable Internet Activities (RFC 1087, "Ethics and the Internet", IAB, 1989)
(ISC)2 Code of Ethics
 Conduct to meet the highest standards of moral, ethical, and legal behavior
 Maintain personal reputation and that of the profession
 Report unlawful activities and cooperate in investigation
 Promote prudent information security measures
 Provide competent service and avoid conflicts of interest
 Execute responsibilities in keeping with the highest professional standards
 Use information properly
 Maintain confidentiality of information
Ethical Responsibilities
Collectors of Data to Data Subjects for:
 Integrity
 Confidentiality
Custodians of Data to Owners of Data for:
 Availability
 Integrity
Users of Data to Data Subjects and Owners for:
 Confidentiality
 Integrity
Competitive Intelligence
 Published Material & Public Documents
 Disclosures by Competitor Employees (without Subterfuge)
 Market Surveys & Consultant's Reports
 Financial Reports & Broker's Research Surveys
 Trade Fairs, Exhibits, & Competitor Literature
 Analysis of Competitor Products
 Reports of Own Personnel
 Legitimate Employment Interviews with Competitor Employees
Industrial Espionage
 Camouflaged Questioning of Competitor's Employees
 Direct Observation under Secret Conditions
 False Job Interviews
 False Negotiations
 Use of Professional Investigators
 Hiring Competitor's Employees
 Trespassing
 Bribing Suppliers and Employees
 Planting Agent on Competitor Payroll
 Eavesdropping
 Theft of Information
 Blackmail and Extortion
Plan of Action
 Develop an organizational guide to computer ethics
 Develop a computer ethics policy to supplement the computer security policy
 Include computer ethics information in the employee handbook
 Expand the business ethics policy to include computer ethics
 Foster user awareness of computer ethics
 Establish an E-mail privacy policy and promote user awareness of it

QUESTIONS?