SecurityArena

Guide to Practical Info Security!

Written by Administrator   
Saturday, 13 June 2009 14:40

CBK Law, Investigations & Ethics

This domain examines computer crimes, laws, and regulations. This includes techniques in investigating a crime, gathering evidence, and handling procedures. It also covers how to develop and implement an incident-handling program. 


Ethics

Law and ethics are related in an interesting fashion. Laws are usually based on ethics; however, laws do not cover every scenario, and that is where ethics come in. In other words, in a given scenario some things may not be against the law, but that does not mean they are ethical.

(ISC)2

The (ISC)2 Code of Ethics includes the following principles:

  • Protect society, the commonwealth and the infrastructure.
  • Act honorably, honestly, justly, responsibly and legally.
  • Provide diligent and competent service to principals.
  • Advance and protect the profession.

Computer Ethics Institute

Ten Commandments of Computer Ethics are:

  • One should not use a computer to harm other people.
  • One should not interfere with other people’s computer work.
  • One should not make uninvited queries in other people’s computer files.
  • One should not use a computer to steal.
  • One should not use a computer to bear false witness.
  • One should not copy or use proprietary software for which one has not paid.
  • One should not use other people’s computer resources without authorization or proper compensation.
  • One should not appropriate other people’s intellectual output.
  • One should think about the social consequences of the program one is writing or the system one is designing.
  • One should always use a computer in ways that ensure consideration and respect for one's fellow humans.

Internet Activities Board (IAB)

It is the coordinating committee for Internet design, engineering, and management. The IAB sees the use of the Internet as a privilege, which should be treated as such and used with respect. The IAB defines unethical and unacceptable behavior as follows:

  • Purposely seeking to gain unauthorized access to Internet resources.
  • Disrupting the intended use of the Internet.
  • Wasting resources through purposeful actions.
  • Destroying the integrity of computer-based information.
  • Compromising the privacy of others.
  • Involving negligence in the conduct of Internet-wide experiments.

Generally Accepted Information Security Principles (GAISP)

GAISP was previously known as GASSP (Generally Accepted System Security Principles).

The GAISP committee seeks to develop and maintain GAISP with guidance from security professionals, IT product developers, information owners, and other organizations that have extensive experience in defining and stating the principles of information security.

Motivations, Opportunities and Means (MOM)

To understand a crime clearly, one has to understand the criminal's thinking and procedures.

  • Motivations. Pertains to the who and why of a crime.
  • Opportunities. Pertains to the where and when of a crime.
  • Means. Pertains to the capabilities a criminal needs in order to succeed.

Computer Fraud and Abuses

  • Salami. Involves subtracting a small amount of funds from an account in the hope that such an insignificant amount will not be noticed.
  • Data Diddling. Refers to the alteration of existing data. Often this modification happens before the data is entered into an application, or as soon as it completes processing and is output from an application.
  • Excessive Privileges. Likely to occur when a user has more computer rights, permissions and privileges than required for the tasks he or she needs to fulfill. Individuals within an organization may accumulate these excessive privileges through the phenomenon of authorization creep.
  • Password Sniffing. Refers to sniffing network traffic in the hope of capturing passwords being sent between computers.
  • IP Spoofing. Refers to manually changing the IP address within an IP packet used to carry out some attack, so that the packet appears to originate from another address rather than the attacker's. Spoofing can be considered a masquerading attack; masquerading is the act of pretending to be someone else.
  • Denial of Service (DoS). DoS attacks are aimed against the availability of a service to its authorized users. Several types of tools are available to perform DoS attacks, which makes them extremely easy to carry out. Many systems are vulnerable to SYN attacks, Ping of Death attacks, fragment attacks, and DDoS attacks, because these attacks target the protocols of the TCP/IP stack, which is integral to almost all computers.
  • Dumpster Diving. Refers to someone searching through another person's garbage for discarded documents, information and other valuable items that could then be used against that person or company. Dumpster diving is unethical, but it is not illegal unless it is done by trespassing on someone else's property.
  • Emanations Capturing. Refers to eavesdropping on the electrical signals emitted by every electrical device. One very grave and real security risk is the capture of emanations from a company or home wireless network (secured as well as unsecured). To prevent such capture, special shielding such as TEMPEST may be used, which permits only a small amount of electrical signal to be emitted. Companies can also use material within the walls of the building to stop these types of electrical waves from passing through them.
  • Wiretapping. Refers to eavesdropping on communication signals passing through communication lines. Tools used to intercept communications include cellular scanners, radio receivers, microphone receivers, tape recorders, network sniffers, and telephone-tapping devices.
    Under the prevailing laws of most countries, it is illegal to intentionally eavesdrop on another person's conversation, in order to protect an individual's expectation of privacy. Eavesdropping is acceptable only if the person consents or there is a court order allowing law enforcement to perform these actions.
  • Social Engineering. A highly effective type of attack that exploits the human element of security. Social engineering is described as a technique used by hackers to deceive a trusted information system user within an organization into revealing sensitive information, or to trick an unsuspecting person into performing actions that create a security hole in an information system.
    It is imperative to understand that security technologies alone, such as firewalls, authentication devices, encryption, and intrusion detection systems, are virtually ineffective against a motivated attacker employing a wide array of techniques including social engineering; relying on them alone is misplaced.
  • Masquerading. A method an attacker can use to hide her real identity from others.
  • Phreaking. Phreakers are hackers who specialize in telephone and Private Branch Exchange (PBX) fraud. The famous 2600 group was a telephone phreaking group.
    • Blue boxes. A device that simulates a tone that tricks the telephone company’s system into thinking the user is authorized for long distance service, which enables him to make the call.
    • Red boxes. Simulates the sound of coins being deposited into a payphone.
    • Black boxes. Manipulates the line voltage to receive a toll-free call.
  • Passive vs. Active. A passive attack is non-intrusive, as in eavesdropping or wiretapping. An active attack is intrusive, as in DoS, social engineering or penetration attacks.

Legal Responsibilities and Implications

Due Diligence

It asks whether the company properly investigated and assessed all of its possible weaknesses and vulnerabilities in order to understand its true risk level.

Due Care

It means that a company did all that it could reasonably have done, under the circumstances, to prevent security breaches and protect its resources and employees, and also took reasonable steps to ensure that if a security breach or incident did take place, proper controls or countermeasures were in place to mitigate the possible damage.

Prudent (careful) man rule

Performing duties with the care that prudent people would exercise in similar circumstances. In the case of a security incident, before reaching a decision, a court will try to establish the following:

  • Whether, like a prudent organization, this organization carried out an exercise to ascertain its true risk level (due diligence).
  • And whether the organization thereafter put in place all appropriate safeguards needed to protect the company's mission (due care), protecting its tangible and intangible resources, reputation, employees, customers, shareholders, and legal position.
  • Senior management has an obligation to behave in a prudent manner, thereby protecting the company from the various events that can negatively affect it, including malicious code, natural disasters, privacy violations, infractions of the law, etc.

Downstream liabilities

When companies come together to work in an integrated manner, special care must be taken to ensure that each party commits to the necessary level of protection, liability and responsibility, and that these are clearly defined in the contracts each party signs.

Legally recognized obligation

There is a standard of conduct expected of every company to protect all others from unreasonable risks emanating from its activities. This obligation is legally recognized: if a company fails to conform to the standard and injury or damage to another company or person results, it can be held liable.

Proximate causation

It must be proven that the damage suffered was actually caused by the company's fault.


Types of Laws

Civil law. It is also called tort law. It deals with wrongs against individuals or companies that result in damages or loss. A civil lawsuit results in financial restitution rather than a jail sentence.

Tort Law

Tort law is a body of law that addresses, and provides remedies for, civil wrongs not arising out of contractual obligations. A person who suffers legal damages may be able to use tort law to receive compensation from someone who is legally responsible, or "liable," for those injuries. Generally speaking, tort law defines what constitutes a legal injury and establishes the circumstances under which one person may be held liable for another's injury. Torts cover intentional acts and accidents.

  • For instance, Alice throws a ball and accidentally hits Brenda in the eye. Brenda may sue Alice for losses occasioned by the accident (e.g., costs of medical treatment, lost income during time off work, and pain and suffering). Whether or not Brenda wins her suit depends on whether she can prove Alice engaged in tortious conduct. Here, Brenda would attempt to prove that Alice had a duty and failed to exercise the standard of care a reasonable person would exercise in throwing the ball.
  • If it was an accident, Brenda must prove negligence. To do this, Brenda must show that her injury was reasonably foreseeable, that Alice owed Brenda a duty of care not to hit her with the ball, and that Alice failed to meet the standard of care required.

Criminal law

It is used when an individual’s conduct violates the government’s laws, which have been developed to protect the public. Jail sentences are commonly the punishment.

Administrative law

It deals with regulatory standards that govern performance and conduct. Government agencies create these standards, which usually apply to companies and to the individuals within those companies.

Intellectual Property Laws

Intellectual property laws deal with legal property rights over creations of the mind, both artistic and commercial, and the corresponding fields of law. Under intellectual property law, owners are granted certain exclusive rights to a variety of intangible assets, such as musical, literary, and artistic works; ideas, discoveries and inventions; and words, phrases, symbols, and designs.

  • Trade secret. A trade secret is something that is proprietary to a company and important for its survival and profitability. An example of a trade secret is the formula used for a soft drink, such as Coke or Pepsi. The resource that is claimed to be a trade secret must be confidential and protected with certain security precautions and actions. A trade secret could also be a new form of mathematics, source code of a program, a method of making the perfect jelly bean, or ingredients for a special, secret sauce.

Employees must be informed of the level of secrecy or confidentiality of the resource, and of their expected behavior pertaining to that resource.

For the law to take effect against a breach of a trade secret, the company must have practiced due care and properly protected the resource it claims is so important to its survival and competitiveness.

  • Copyright. Copyright gives the creator of an original work exclusive right for a certain time period in relation to that work, including its publication, distribution and adaptation; after which time the work is said to enter the public domain.

      Copyright applies to any expressible form of an idea or information that is substantive and discrete and fixed in a medium.

  • Trademark. It is used to protect a word, name, symbol, sound, shape, color, device or combination of these.
  • Patent. A patent is a set of exclusive rights granted by a state to an inventor or his assignee for a limited period of time in exchange for a disclosure of an invention.
  • Software Piracy. If a company is found guilty of illegally copying software or using more copies than its license permits, the network administrator or security officer in charge of this task will be primarily responsible.
    • The Software Protection Association (SPA) has been formed by major companies to enforce proprietary rights of software. The association was formed to protect the founding companies’ software developments, but it also helps others to ensure that their software is properly licensed.
    • Federation Against Software Theft (FAST), headquartered in London.
    • Business Software Alliance (BSA), based in Washington, D.C.
    • Digital Millennium Copyright Act (DMCA), which makes it illegal to create products that circumvent copyright protection mechanisms.
  • Equipment Disposal. At the time of equipment or software disposal, depending on the vendor of the system, it may be illegal to sell a computer with an operating system without proper licensing, or it may even be illegal to sell the system without an operating system at all.

Computer Crime Investigations

Computer Security Incident response team (CSIRT)

The team should include members from senior management, the network administrator, the security officer, a network engineer or software programmer, a member of the legal department, and a contact for public affairs. The team should have the following items:

  • List of outside agencies and resources to contact or report to.
  • List of computer forensics experts to contact.
  • Steps on how to secure and preserve evidence.
  • Steps on how to search for evidence.
  • List of items that should be included on the report.
  • A list that indicates how the different systems should be treated in this type of situation.

Sequence of Incident Reporting

An organization's networked systems security policy should include an information dissemination policy identifying, among others, whom to notify in the event of an intrusion and in what order.

  • The first contact should be with the responsible manager and other managers who need to be made aware.
  • The next in order of importance should be the internal public relations point of contact.
  • Next, the Local Computer Security Incident Response Team (CSIRT), if one exists, should be contacted.

Sequence of Actions by CSIRT

  • A suspected crime is reported.
  • The CSIRT investigates the report to determine whether an actual crime has been committed.
  • The team determines that a crime has been carried out.
  • Senior management is informed immediately.
  • If the suspect is an employee, a human resources representative is called.
  • All events are documented, starting with the time of the crime, along with the company employees and resources involved.
  • The company decides whether it will conduct its own forensics investigation or call in external experts.
  • If external experts are called in, the attacked system is left alone, to preserve as much evidence of the attack as possible.
  • If the company decides to conduct its own forensics investigation, then computer forensics procedures start.

Computer Forensics investigation

  • 1st step. Remove the system from the network, dump the contents of memory to a file, power down the system, make a sound image of the attacked system, and perform the forensic analysis on this copy. This ensures that the evidence on the original system stays unharmed in case some step in the investigation corrupts or destroys data. The memory dump must be taken before doing any other work on the system or powering it down, because the contents of memory are lost once power is removed.

Wires and cables should be labeled, and a photograph of the labeled system and surroundings should be taken before it is actually disassembled. Media should be write-protected. Storage should be dust free, kept at room temperature without much humidity, and, of course, not close to any strong magnets or magnetic fields.

  • 2nd step / Chain of custody. A very strict and organized procedure must be followed when collecting and tagging evidence.
    • It dictates that all evidence be labeled with information indicating who secured and validated it.
    • The chain of custody is a history that shows how evidence was collected, analyzed, transported and preserved in order to be presented as evidence in court. Because electronic evidence can be easily modified, a clearly defined chain of custody demonstrates that the evidence is trustworthy.
  • The life cycle of evidence. It includes the following:
    • Collection and identification
    • Storage, preservation and transportation.
    • Presentation in court
    • Being returned to victim or owner.
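The imaging and chain-of-custody steps above, as an added example that is not part of the original article: a small Python script that hashes a constructed in-memory "disk image", verifies the working copy against the original before analysis begins, and keeps an ordered custody log in which every handler re-hashes the evidence, so that a modified copy breaks the chain. All function and class names are hypothetical, not a real forensic tool's API.

```python
"""Integrity-verified evidence acquisition with a chain-of-custody log.

Constructed example: the "disk image" is an in-memory byte string, not a
real acquisition, and every name below is hypothetical.
"""
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed stand-in for an image of the attacked system's disk.
ORIGINAL_IMAGE = (
    b"BOOT-SECTOR\x00" + bytes(range(256)) * 4
    + b"/var/log/auth.log: Failed password for root\n"
)


def hash_image(data: bytes) -> str:
    """SHA-256 of the evidence bytes; this is what goes on the evidence tag."""
    return hashlib.sha256(data).hexdigest()


class ChainOfCustody:
    """Ordered record of who handled the evidence, when, and what hash they observed."""

    def __init__(self, case_id: str):
        self.case_id = case_id
        self.entries = []

    def log(self, action: str, custodian: str, data: bytes, when=None) -> dict:
        entry = {
            "case_id": self.case_id,
            "seq": len(self.entries) + 1,
            "action": action,
            "custodian": custodian,
            "time": (when or datetime.now(timezone.utc)).isoformat(),
            "sha256": hash_image(data),
        }
        self.entries.append(entry)
        return entry

    def unbroken(self) -> bool:
        """True only if every handler observed the hash recorded at acquisition."""
        if not self.entries:
            return False
        first = self.entries[0]["sha256"]
        return all(hmac.compare_digest(e["sha256"], first) for e in self.entries)


def acquire(original: bytes, custodian: str, case_id: str):
    """Image the original, verify the copy, and open the chain of custody.

    Returns (working_copy, chain). Analysis is done on the copy so the
    original stays unharmed even if a later step corrupts data.
    """
    chain = ChainOfCustody(case_id)
    chain.log("acquired original", custodian, original)
    working_copy = bytes(original)  # the "sound image" the examiner works on
    if not hmac.compare_digest(hash_image(working_copy), hash_image(original)):
        raise RuntimeError("image does not match original; re-acquire")
    chain.log("verified working copy", custodian, working_copy)
    return working_copy, chain


def verify_before_use(chain: ChainOfCustody, data: bytes, custodian: str) -> bool:
    """Each examiner re-hashes the evidence before touching it; a mismatch breaks the chain."""
    chain.log("verified before analysis", custodian, data)
    return chain.unbroken()


if __name__ == "__main__":
    copy, chain = acquire(ORIGINAL_IMAGE, "first responder", "CASE-0001")
    print(verify_before_use(chain, copy, "forensic examiner"))     # True
    tampered = copy[:-1] + b"X"                                   # altered copy
    print(verify_before_use(chain, tampered, "second examiner"))  # False
```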

Event Handling

  • Incident handling should be closely related to disaster recovery planning and should be part of the company’s disaster recovery plan.
  • Both are intended to react to some type of incident that requires a quick reaction so that the company can return to normal operations.
  • Employees need to know how to report an incident to the incident-handling team.
  • The process must be centralized, easy to accomplish, convenient, and welcomed.

Evidence

Best evidence

It is the primary evidence used in a trial because it provides the most reliability. It is used for documentary evidence such as contracts.

Secondary evidence

It is not viewed as being as reliable or strong in proving innocence or guilt as best evidence. Oral evidence, such as a witness's testimony, and copies of original documents fall into the secondary evidence category.

Direct evidence

It can prove a fact by itself, without needing supporting information to refer to. When direct evidence is used, inferences or presumptions are not required.

One example of direct evidence is the testimony of a witness who saw a crime take place. Although this oral evidence would be secondary in nature, meaning a case could not rest on it alone, it is also direct evidence, meaning the lawyer does not necessarily need to provide other evidence to back it up. Direct evidence is often based on information gathered from a witness's five senses.

Conclusive evidence

It is irrefutable and cannot be contradicted.

Circumstantial evidence

It can prove an intermediate fact that can then be used to deduce or assume the existence of another fact.

Corroborative evidence

It is supporting evidence used to help prove an idea or point. It cannot stand on its own, but is used as a supplementary tool to help prove a primary piece of evidence.

Opinion evidence

When a witness testifies, the opinion rule dictates that she must testify to only the facts of the issue and not her opinion of the facts.

Hearsay evidence

Pertains to oral or written evidence presented in court that is secondhand and has no firsthand proof of accuracy or reliability.

Characteristics of evidence

  • Sufficient. It must be persuasive enough to convince a reasonable person of the validity of the findings. This also means it cannot be easily doubted.
  • Reliable / Competent. It must be consistent with fact; it must be factual, not circumstantial.
  • Relevant. It must have a reasonable and sensible relationship to the findings.
  • Legally permissible. It was obtained in a legal way.

Laws and Regulations

Search and Seizure Laws

  • American citizens are protected by the Fourth Amendment against unlawful search and seizure, so law enforcement agencies must have probable cause and request a search warrant from a judge or court before conducting such a search (note that company management is not a law enforcement agency).
  • Exigent circumstances. If the suspect tries to destroy the evidence, or there is an impending possibility that evidence might be destroyed, law enforcement may quickly seize the evidence to prevent its destruction. A court will later decide whether the seizure was proper and legal before allowing the evidence to be admitted.

Enticement vs Entrapment

  • Enticement. It is luring someone toward some evidence, such as a honeypot, after that individual has already committed a crime. It is legal and ethical.
  • Entrapment. It is encouraging someone to commit a crime that the individual may have had no intention of committing. It is considered neither legal nor ethical.

Privacy

  • Privacy laws dictate that data collected by government agencies must be collected fairly and lawfully, must be used only for the purpose for which it was collected, must only be held for a reasonable amount of time, and must be accurate and timely.
  • If companies are going to use any type of monitoring, they need to make sure it is legal in their business sector and must inform all employees that they may be subjected to monitoring.
  • Employees need to be informed regarding what is expected behavior pertaining to the use of the company’s computer systems, network, e-mail system, and phone system. They need to also know what the ramifications are for not meeting those expectations. These requirements are usually communicated through policies.
  • Logon banners should be used to inform users of what could happen if they do not follow the rules pertaining to using company resources. This provides legal protection for the company.

Available Laws and Regulations

  • Federal Privacy Act of 1974
  • Computer Fraud and Abuse Act (1986, amended in 1996). It is the primary U.S. federal antihacking statute.
  • Gramm-Leach-Bliley Act of 1999. It requires financial institutions to develop privacy notices and give their customers the option to prohibit banks from sharing their information with nonaffiliated third parties.
  • Health Insurance Portability and Accountability Act (HIPAA). This regulation provides a framework and guidelines to ensure security, integrity, and privacy when handling confidential medical information.
  • Security and Freedom Through Encryption Act. This act was approved in 1997 and guarantees the right of all U.S. citizens and residents to use and sell encryption products and technology.
  • Federal Sentencing Guidelines. In 1991, U.S. Federal Sentencing Guidelines were developed and passed down to provide judges with courses of action to take when overseeing white-collar crimes that take place within organizations.
  • European Union Privacy Principles
    • The reason for gathering data must be specified at the time of collection.
    • Data cannot be used for other purposes.
    • Unnecessary data should not be collected.
    • Data should only be kept for as long as it is needed to accomplish the stated task. Only the necessary individuals who are required to accomplish the stated task should be allowed access to the data.
    • Whoever is responsible for securely storing the data should not allow unintentional “leaking” of data.
Last Updated on Friday, 28 August 2009 05:07