Information Systems Security Legal, Regulations, and Compliance.

Posted on 25-Dec-2015


Not Just Fun & Games

Continually on the rise
Affects the public and government sectors
Crimes go unnoticed or unreported
Costs billions of dollars each year

Examples of Computer Crime

ILOVEYOU, SoBIG, Blaster
DDoS brings down Excite and Yahoo
Extortion for credit card numbers
Stealing funds from financial institutions
Stealing military secrets
Competitors stealing secrets

Types of Laws

Common Law
Criminal Law
Tort Law
Administrative Law
Civil Law
Customary Law
Religious Law
Mixed Law

Criminal Profile

Script Kiddies
– May not understand the ramifications
– “Ankle Biters”: curious individuals
– “Machine Gunners”: dispatch 1000s of probes

Dedicated Cracker
– Chooses victim and gathers intelligence
– More dangerous
– Has a goal in mind from the start

Motivation

Grudge
– Get back at the company or individual
– Terrorist, sympathy, or information warfare

Financial
Business
“Fun”

Example Attacks

Salami
– Carrying out smaller crimes that might go unnoticed

Data diddling
– Modifying data in the computer to change outcomes

Dumpster diving
– Obtaining information from the trash can

Telephone Fraud

Phreakers
– Telephone fraud
– Red boxing: simulating coins dropped into the phone
– Blue boxing: using analog tones to gain long distance
– Black boxing: manipulating voltages

U.S. Privacy Laws

Privacy Act of 1974
– Data held on individuals by government

Electronic Communications Privacy Act of 1986
– Prohibits unauthorized eavesdropping

Health Insurance Portability and Accountability Act (HIPAA)

Gramm-Leach-Bliley Act of 1999

European Union

Reason data is being collected must be stated
Data cannot be used for other purposes
Unnecessary data is not collected
Data is kept only while needed
Only necessary individuals have access
No intentional ‘leaking’ of data

Transborder Information Flows

Movement of data across international borders

Different regions have different laws
Restrictions on flow of financial data
Often data flow is taxable

Employee Privacy Act

Must be in security policy and employees should be aware
Ensure monitoring is lawful
Possible types of monitoring
– Key logging
– Cameras
– Telephone
– Email

Common Law - Civil

Tort law – wrongs against individuals resulting in damage
Contract law
Case law built on precedent
Determines liability
Less of a burden of proof
Embodied in the USC

Criminal

Laws created to protect the public
Public in the defendant
Can win criminal and lose civil on the same case, or vice versa
More stringent burden of proof
Includes jail time or death

Administrative Laws

Different by industry
– FDA, Healthcare, Education, etc.
Performance and conduct of organizations, officials, and officers
Deals with industry regulations
Punishment can be financial or may merit imprisonment

US Federal Laws

Electronic Communications Act of 1996
– Wiretap Act
– Stored Communications Act

Computer Fraud and Abuse Act of 1986
– Used in prosecuting computer crimes
– “Anti-hacking law”

Electronic Espionage Act of 1996
– Industrial espionage
– Stealing trade secrets

Intellectual Property Laws

Trade secret
– Maintains confidentiality of proprietary business data
– Owner invested resources to develop
– Data must provide competitive value

Copyright
– Protects original works of authorship
– Protects expression of new ideas
– Source code is copyrightable
– In USA, good for 75 years

More

Trademark
– Protects word, name, symbol, etc. which is used to identify a product or company
– Protects a company’s look or feel

Patent
– Allows owner to exclude others from practicing invention for a time period (20 years)
– Invention must be novel and non-obvious

Software piracy

Copying creator’s work without permission
Software Protection Association (SPA)
Business Software Alliance (BSA)
– Washington
Federation Against Software Theft (FAST)
– London

Digital Millennium Copyright Act

Illegal to tamper with or break into controls that protect copyrighted materials
Only protects copyrighted items
Prevents reverse engineering
First attempt to enforce was by Adobe against a white hat at DefCon

Countries Working Together

Countries do not view computer crime the same
Governments may not work together
Evidence rules are different
Jurisdiction issues
G8 have agreed to fight cybercrime
Interpol distributes info about cross-border crimes

Violation Analysis

Ensure that it is not a user error or misconfiguration
Individuals should be in charge of investigating and determining if a crime exists
Type of investigation
– Internal
– Law enforcement

Law Enforcement vs. Citizens

Search must have probable cause
– 4th Amendment search warrant
Private citizen not subject to 4th Amendment
Private citizen may be a police agent

Role of Evidence

Material offered to judge and jury
May directly or indirectly prove or disprove that the crime has been committed
Evidence must be tangible
– Electrical voltages are intangible
– Hard to prove lack of modification

Evidence Requirements

Material – relevant to the case
Competent – proper collection, obtained legally, and chain of custody maintained
Relevant – pertains to the subject’s motives and should prove or disprove a fact

Chain of Custody

Who obtained it?
Where and when was it obtained?
Who secured it?
Who had control or possession?
How was it moved?

Types of Evidence

Best
– Primary, original documents, not oral

Secondary
– Copies of documents, oral, eyewitness

Direct
– Can prove fact by itself
– Does not need corroborative information
– Information from witness

More Types

Conclusive
– Irrefutable and cannot be contradicted

Circumstantial
– Assumes the existence of another fact
– Cannot be used alone to prove the fact

Corroborative
– Supporting evidence
– Supplementary tool

More Types

Opinion
– Experts give educated opinion

Hearsay
– No firsthand proof
– Computer-generated evidence

Real
– Physical evidence
– Tangible objects

More Types

Documentary
– Records, manuals, printouts
– Most evidence is documentary

Demonstrative
– Aids jury in the concept
– Experiments, charts, animation

Hearsay Rule Exception

Business record exemption to hearsay rule
– Documents can be admitted if created during normal business activity
– This does not include documents created for a specific court case
– Regular business records have more weight
– Federal Rule 803(6)

Records must be in custody on a regular basis
Records are relied upon by normal business

Before the Crime Happens

Select an Incident Response Team (IRT)
Decide whether internal or external
Set policies and procedures
If internal, include
– IT
– Management
– Legal
– PR

Incident Handling

First goal
– Contain and repair damage
– Prevent further damage
– Collect evidence

Evidence Collection

Photograph area
Dump contents from memory
Power down system
Photograph internal system components
Label each piece of evidence
– Bag it
– Seal
– Sign

Forensics

Study of technology and how it relates to law

Image disk and other storage devices
– Bit-level copy (deleted files, slack space, etc.)
– Use specialized tools
– Further work will be done on the copy

Create message digest for integrity
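The imaging, digest and chain-of-custody steps on the Forensics and Chain of Custody slides, carried through as one runnable illustration. This is an added example, not code from the slide deck: it makes a byte-for-byte copy of a constructed "device" file, hashes the same bytes it writes, answers the chain-of-custody questions (who, where, when, how moved) in a log, and then re-hashes a working copy to show that a single changed byte is detected. The evidence id, custodian names and device contents are constructed placeholders.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 16  # stream in 64 KiB blocks so large images never sit in memory


def sha256_file(path):
    """Message digest of a whole file, read in blocks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image_device(source_path, image_path):
    """Bit-level copy: every byte of the source, including what a file system
    would call unallocated space or slack, is written unchanged to the image.
    The digest is computed from exactly the bytes written, so it describes the
    image as acquired. Returns the SHA-256 hex digest."""
    h = hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
    return h.hexdigest()


class CustodyLog:
    """Chain-of-custody record: who obtained the item, where and when, who
    secured or held it, how it moved, and whether its digest still matches."""

    def __init__(self, evidence_id, original_digest):
        self.evidence_id = evidence_id
        self.original_digest = original_digest
        self.entries = []

    def record(self, action, custodian, location, digest=None):
        entry = {
            "evidence_id": self.evidence_id,
            "action": action,
            "custodian": custodian,
            "location": location,
            "time_utc": datetime.now(timezone.utc).isoformat(),
            "digest": digest or self.original_digest,
        }
        self.entries.append(entry)
        return entry

    def verify(self, path, custodian, location):
        """Re-hash a copy and compare with the acquisition digest. The result
        is logged either way, so a mismatch becomes part of the record."""
        current = sha256_file(path)
        ok = current == self.original_digest
        self.record("verify:" + ("match" if ok else "MISMATCH"), custodian, location, current)
        return ok

    def to_json(self):
        return json.dumps(self.entries, indent=2)


def demo():
    """Acquire a constructed 'device', log custody, verify a working copy,
    then show that one modified byte in the copy is caught."""
    tmp = tempfile.mkdtemp()
    device = os.path.join(tmp, "usb0.raw")  # constructed stand-in for a real device
    image = os.path.join(tmp, "usb0.dd")
    working = os.path.join(tmp, "usb0-working.dd")
    with open(device, "wb") as f:  # constructed contents: a file, zeros, a leftover fragment
        f.write(b"INVOICE 2015-12 constructed\n" + b"\x00" * 512 + b"deleted note fragment")

    digest = image_device(device, image)
    log = CustodyLog("EXHIBIT-01 (constructed id)", digest)
    log.record("acquired", "Analyst A (constructed)", "Server room")
    log.record("sealed", "Analyst A (constructed)", "Evidence locker")

    shutil.copyfile(image, working)  # further work is done on a copy, never the original
    intact = log.verify(working, "Analyst B (constructed)", "Forensic lab")

    with open(working, "r+b") as f:  # simulate an accidental write to the working copy
        f.write(b"X")
    still_intact = log.verify(working, "Analyst B (constructed)", "Forensic lab")
    return intact, still_intact, digest == sha256_file(device), log


if __name__ == "__main__":
    intact, still_intact, matches_source, log = demo()
    print(log.to_json())
```

The log entries are deliberately append-only and carry the digest at each step; a real deployment would also sign or time-stamp them, but the point the slides make is already visible here: the original is hashed once at acquisition and every later handler re-hashes the copy they work on.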

Things to Look For

Hidden files
Steganography
Slack space
Malware
Deleted files
Swap files
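The "deleted files" and "slack space" items above are found by looking at the raw bytes rather than at what the file system reports. The following added example (not from the slide deck) builds a constructed eight-sector image with two live files, a leftover archive header in the first file's slack, and a deleted image in an unallocated sector, then scans the whole image for well-known file signatures and labels each hit that lies outside a live file as either slack or unallocated. The sector size, file extents and image contents are constructed for the demonstration; the magic byte values are the standard ones.

```python
SECTOR = 512  # constructed sector size for the demo image

# Well-known leading bytes of common file types.
SIGNATURES = {
    "pdf": b"%PDF-",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "zip": b"PK\x03\x04",
}


def find_signatures(image):
    """Every offset at which a known signature occurs, regardless of what the
    file system says is allocated. Returns a sorted list of (offset, kind)."""
    hits = []
    for kind, magic in SIGNATURES.items():
        start = 0
        while (idx := image.find(magic, start)) != -1:
            hits.append((idx, kind))
            start = idx + 1
    return sorted(hits)


def classify(offset, live_extents):
    """'live' inside a file's logical bytes, 'slack' in the tail of a live
    file's last sector, otherwise 'unallocated'."""
    for start, end in live_extents:
        if start <= offset < end:
            return "live"
        sector_end = -(-end // SECTOR) * SECTOR  # round the file end up to a sector boundary
        if end <= offset < sector_end:
            return "slack"
    return "unallocated"


def report(image, live_extents):
    """Signature hits that a directory listing would not show, with their region."""
    return [(off, kind, classify(off, live_extents))
            for off, kind in find_signatures(image)
            if classify(off, live_extents) != "live"]


def build_image():
    """Constructed image: live file 1 in sectors 0-1 (600 logical bytes), a zip
    header left over in its slack, live file 2 in sector 4, and a deleted PNG
    whose first sector (5) is no longer allocated to anything."""
    img = bytearray(8 * SECTOR)
    pdf = b"%PDF-1.4 constructed live document"
    img[0:len(pdf)] = pdf                      # live file 1 starts at offset 0
    img[700:704] = SIGNATURES["zip"]           # slack: past byte 600, inside sector 1
    img[2048:2051] = SIGNATURES["jpeg"]        # live file 2 at sector 4
    img[2560:2568] = SIGNATURES["png"]         # deleted file at sector 5
    live_extents = [(0, 600), (2048, 2300)]    # (start, logical end) of each live file
    return bytes(img), live_extents


if __name__ == "__main__":
    image, extents = build_image()
    for off, kind, region in report(image, extents):
        print(f"offset {off:5d}  {kind:4s}  {region}")
```

On the constructed image the report lists the zip header at offset 700 as slack and the PNG header at 2560 as unallocated, while the two live files are skipped. The same scan over a real bit-level image is the first pass of file carving; a full carver would also recover the bytes that follow each header.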

Trapping the Bad Guy

Enticement
– Legal attempt to lure a criminal into committing a crime
– Provide a honeypot in your DMZ
– Pseudo flaw (software code)
– Padded cell (virtual machine)

Entrapment
– Illegal attempt to trick a person into committing a crime