CYBR3300 Chapter 2
Computer Security Act (CSA)
A U.S. law designed to improve the security of federal information systems. It charged the National Bureau of Standards, now NIST, with the development of standards, guidelines, and associated methods and techniques for computer systems, among other responsibilities. It was one of the first attempts to protect federal computer systems by establishing minimum acceptable security practices. It established a Computer System Security and Privacy Advisory Board within the Department of Commerce, which identifies emerging safety issues pertaining to computer systems security and reports to the Secretary of Commerce. It amended the Federal Property and Administrative Services Act of 1949 and requires mandatory periodic training in computer security awareness and practices.
InfraGard
A U.S. association consisting of regional chapters of the FBI and affiliations of public, private, and academic organizations that cooperate to exchange information on the protection of critical national information resources. IMAs = InfraGard Member Alliances.
Electronic Communications Privacy Act (ECPA) of 1986
A collection of statutes that regulate the interception of wire, electronic, and oral communications; the federal wiretapping act. Addresses several areas. 2015: the FCC removed the FTC's authority over ISPs. 2016: the FCC established Internet privacy rules.
Association of Computing Machinery
The ACM is a respected professional society, originally established in 1947; •the world's first educational and scientific computing society. It strongly promotes education and provides discounted membership for students. Its code of ethics requires members to perform their duties in a manner befitting an ethical computing professional; the code contains specific references to protecting the confidentiality of information, causing no harm, etc. Wide variety of publications, e.g., Communications of the ACM.
evidentiary material (EM)
AKA "items of potential evidentiary value". Any information that could potentially support the organization's legal or policy-based case against a suspect.
Health Insurance Portability and Accountability Act (HIPAA) of 1996
AKA the Kennedy-Kassebaum Act. Attempts to protect the confidentiality and security of health care data by establishing and enforcing standards and by standardizing electronic data interchange. Affects all health care organizations. •Requires organizations that retain health care information to use information security mechanisms to protect this information, as well as policies and procedures to maintain them. •Requires a comprehensive assessment of the organization's information security systems, policies, and procedures. •Provides guidelines for the use of electronic signatures based on security standards ensuring message integrity, user authentication, and nonrepudiation.
Freedom of Information Act (FOIA) of 1966
All federal agencies are required to disclose records requested in writing by any person. •Applies only to federal agencies and does not create a right of access to records held by Congress, the courts, or by state or local government agencies. •Each state has its own public access laws that should be consulted for access to state and local records.
Applied ethics
An approach that applies moral codes to actions drawn from realistic situations; seeks to define how we might use ethics in practice.
•Virtue approach
Ancient. Ethical actions ought to be consistent with so-called ideal virtues, that is, those virtues that all of humanity finds most worthy and that indicate a fully developed humanity: honesty, courage, compassion, generosity, tolerance, love, fidelity, integrity, fairness, self-control, prudence. Asks all persons to consider whether the outcome will reflect well on their own and others' perceptions of them.
Privacy of Customer Information section 222 of USC Title 47
Any proprietary information will be used only for providing services and not for marketing. Carriers can't disclose information except when necessary. Doesn't permit aggregate information if the same information is provided to all common carriers.
•Common good approach
Based on the work of the Greek philosophers. Life in community yields a positive outcome for the individual, and each individual should contribute to that community. Argues that the complex relationships found in a society are the basis of a process founded on ethical reasoning that respects and has compassion for all others. Focus on the common welfare.
State and Local Regulations
•It is the responsibility of information security professionals to understand state laws and regulations and ensure that their organization's security policies and procedures comply with the laws and regulations. •The Georgia Computer Systems Protection Act has various computer security provisions and establishes specific penalties for use of information technology to attack or exploit information systems in organizations. •The Georgia Identity Theft Law requires that a business may not discard a record containing personal information unless it shreds, erases, modifies, or otherwise makes the information irretrievable.
Ethics and Education
•Key studies reveal that the overriding factor in leveling the ethical perceptions within a small population is education. •Employees must be trained and kept up-to-date on InfoSec topics, including the expected behaviors of an ethical employee (use scenarios). •Proper ethical and legal education, training, and awareness are vital to creating an informed, well-prepared, and low-risk system user.
12 requirements in six areas
•Secure Network and Systems Development and Maintenance: 1. Firewall installation and operation (protection of cardholder data); 2. Modification of default system passwords and configurations. •Cardholder Data Protection: 3. General protection of cardholder data storage; 4. Use of encryption when transmitting cardholder data across open, public networks. •Vulnerability Management Program Maintenance: 5. Use of maintained and updated malware and anti-virus protection; 6. Secure systems and application development and maintenance. •Strong Access Control Measure Implementation: 7. Use of need-to-know access controls for cardholder data; 8. Formal access controls for system components emphasizing effective identification and authentication procedures; 9. Management of physical security for cardholder data access. •Network Monitoring and Testing: 10. Network resources and cardholder data monitored, tracked, and audited; 11. Security systems and processes periodically tested. •Information Security Policy Maintenance: 12. Effective and comprehensive information security policy developed and implemented for all personnel.
•The CSA charged the National Bureau of Standards (now NIST) and the National Security Agency with the development of:
•Standards, guidelines, and associated methods and techniques for computer systems •Uniform standards and guidelines for most federal computer systems •Technical, management, physical, and administrative standards and guidelines for the cost-effective security and privacy of sensitive information in federal computer systems •Guidelines for use by operators of federal computer systems that contain sensitive information in training their employees in security awareness and accepted security practice •Validation procedures for, and evaluation of the effectiveness of, standards and guidelines through research and liaison with other government and private agencies
Digital Millennium Copyright Act (DMCA)
•The Digital Millennium Copyright Act (DMCA) is a U.S.-based international effort to reduce the impact of copyright, trademark, and privacy infringement, especially via the removal of technological copyright protection measures. •The European Union created Directive 95/46/EC, which increases individual rights to process and freely move personal data. •The United Kingdom has already implemented a version of this directive called the Database Right.
Key Law Enforcement Agencies
•The Federal Bureau of Investigation's InfraGard Program promotes efforts to educate, train, inform, and involve the business and public sector in information security. •Every FBI field office has established an InfraGard chapter and collaborates with public and private organizations and the academic community to share information about attacks, vulnerabilities, and threats. •InfraGard's dominant contribution is the free exchange of information to and from the private sector in the subject areas of threats and attacks on information resources.
Types of Law
•Types of laws can be categorized based on their origins:
From these fairly well-defined and agreed-upon ethical frameworks come a series of ethical standards, as follows:
•Utilitarian approach •Rights approach •Fairness or justice approach •Common good approach •Virtue approach
Managing Digital Forensics
•When, not if, an organization finds itself having to deal with a suspected policy or law violation, it must appoint an individual to investigate it. •How the internal investigation proceeds will dictate whether or not the organization has the ability to take action against the perpetrator if in fact evidence is found that substantiates the accusation. •In order to protect the organization, and to possibly assist law enforcement in the conduct of an investigation, the investigator (CISO or other individual) must act to document what happened and how.
USA PATRIOT Act
The CFA Act was further modified by the USA PATRIOT Act of 2001, providing law enforcement agencies with broader latitude to combat terrorism-related activities after the 9/11 attacks on the NY World Trade Center. The USA PATRIOT Act of 2001 was updated and extended, in many cases permanently, through the USA PATRIOT Improvement and Reauthorization Act of 2005. •In May 2015, the U.S. Senate failed to extend the USA PATRIOT Act, resulting in the expiration of many of its components on June 1, 2015. The controversy over a section that allowed the National Security Agency (NSA) to collect metadata resulted in modification and incorporation of those components in the USA FREEDOM Act.
HIPAA privacy principles
•Consumer control of medical information •Boundaries on the use of medical information •Accountability for the privacy of private information •Balance of public responsibility for the use of medical information for the greater good, measured against impact to the individual •Security of health information
Computer Fraud and Abuse (CFA) Act
Cornerstone of many computer-related federal laws and enforcement efforts. Criminalizes accessing a computer without authorization or exceeding authorized access for systems containing information of national interest. Was amended by the National Information Infrastructure Protection Act of 1996. •Punishment for offenses includes fines and/or imprisonment for up to 20 years and depends on the value of the information obtained and whether the offense is judged to have been committed: •for purposes of commercial advantage •for private financial gain •in furtherance of a criminal act
Intent
Criminal or unethical intent refers to the state of mind of the individual committing the infraction. A legal defense can be built on intentions. Deterring those with criminal intent is best done by litigation, prosecution, and technical controls.
International Laws and Legal Bodies
Doing business on the Internet = doing business globally. •Many domestic laws and customs do not apply to international trade, which is governed by international treaties and trade agreements. •Because of the political complexities of the relationships among nations and cultural differences, there are currently few international laws relating to privacy and information security.
Future of PCI DSS
•Embedded smart chips •Tokenization •Apple Pay
•Utilitarian approach
Emphasizes that an ethical decision is one that results in the most good, or the least harm; seeks to link consequences to choices.
American Recovery and Reinvestment Act (ARRA)
Enacted in 2009. •Designed to provide a response to the economic crisis in the United States, specifically focused on providing tax cuts and funding for programs, federal contracts, grants, and loans.
The InfoSec professional has a unique position within the organization,
Entrusted with one of the most valuable assets the organization has -- the information; privy to the secrets and structures of the systems that store, transmit, use, and protect that information; must be beyond reproach, with the highest ethical and moral standards.
FBI's National Infrastructure Protection Center (NIPC)
Established in 1998. Served as the U.S. government's focal point for threat assessment and the warning, investigation, and response to threats or attacks against critical U.S. infrastructures. Folded into DHS after 9/11; now part of NPPD.
U.S. Copyright Law
Extends protection to intellectual property, which includes words published in electronic formats. •The doctrine of fair use allows material to be quoted for the purpose of news reporting, teaching, scholarship, and a number of other related activities, so long as the purpose is educational and not for profit and the usage is not excessive. •Proper acknowledgement must be provided to the author and/or copyright holder of such works, including a description of the location of source materials by using a recognized form of citation.
Components of NPPD
•Federal Protective Service (FPS) •Office of Biometric Identity Management (OBIM) •Office of Cyber and Infrastructure Analysis (OCIA) •Office of Cybersecurity and Communications (CS&C) •Office of Infrastructure Protection (IP)
International Information Systems Security Certification Consortium, Inc. (ISC)2
Focuses on the development and implementation of InfoSec certifications and credentials. •The code of ethics put forth by (ISC)2 is primarily designed for information security professionals who have earned one of their certifications. This code includes four mandatory canons: •Protect society, the commonwealth, and the infrastructure •Act honorably, honestly, justly, responsibly, and legally •Provide diligent and competent service to principals •Advance and protect the profession. Seeks to provide sound guidance that will enable reliance on the ethicality and trustworthiness of the InfoSec professional.
•Fairness or justice approach
Founded on the work of Aristotle and other Greek philosophers. All persons who are equal should be treated equally. Defines ethical actions as those that have outcomes that regard all human beings equally: a "level playing field".
Ignorance
Ignorance of the law is no excuse, but ignorance of policies and procedures is. The first method of deterrence is the SETA program. Organizations must design, publish, and disseminate organizational policies and relevant laws, with reminders and an awareness program.
Accident
Individuals with privileges to information in the organization are the greatest threats. Solution: careful placement of controls.
The Future of US Information Security and Privacy Laws
InfoSec bills are fighting their way through Congress. InfoSec professionals should know how to monitor the legal horizon: GovTrack (privacy rights, science, technology, communications, crime and law enforcement); monitor the news in all forms; add the bill to a list of potential legislation they monitor; when a bill is signed, refer to their organization's legal departments or consultants for interpretation and advice.
Digital forensics
Investigation involving the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and root cause analysis. Like traditional forensics, digital forensics follows clear, well-defined methodologies but still tends to be as much art as science.
The key difference between law and ethics
Law carries the sanction of a governing authority; ethics do not.
due care
Measures that an organization takes to ensure every employee knows what is acceptable and what is not.
Common law, case law, and precedent
Originates from a judicial branch or oversight board and involves the interpretation of law based on the actions of a previous and/or higher court or board
Statutory law
Originates from a legislative branch specifically tasked with the creation and publication of laws and statutes. Two types: 1. Civil law, pertaining to relationships between and among individuals and organizations (contract, employment, family, tort law); damages under civil law are pursued in civil court and not prosecuted by the state. 2. Criminal law, covering violations harmful to society; actively enforced and prosecuted by the state; statutes dealing with traffic, public order, property damage, personal damage; the state takes responsibility for retribution.
regulatory or administrative law
Originates from an executive branch or authorized regulatory agency, and includes executive orders and regulations.
Personal information
•PID about a medical condition •PID containing an account or ID number, balances, limits •PID provided to a business upon opening an account •PID about tax returns
PCI DSS
The Payment Card Industry Data Security Standard is a set of industry standards that are mandated for any organization that handles credit, debit, and specialty payment cards, in an effort to reduce credit card fraud. The current standard (3.2) is presented by the PCI Security Standards Council as focusing on 12 requirements in six areas. NOT law; mandated by many payment card issuers. The requirements listed earlier mirror generally accepted best practices.
search warrant
Permission to search for evidentiary material at a specified location and/or to seize items to return to the investigator's lab for examination. An affidavit becomes a search warrant when signed by an approving authority.
HIPAA Privacy Rule
The privacy standards of HIPAA severely restrict the dissemination and distribution of private health information without documented consent; restricts use of health information.
•Rights approach
Suggests that an ethical action is the one that best protects and respects the moral rights of those affected by that action. Begins with the belief that humans have an innate dignity based on their ability to make choices. These rights imply certain duties: the duty to respect the rights of others.
affidavit
Sworn testimony that certain facts are in the possession of the investigating officers and that they warrant the examination of specific items located at a specific place. Facts, items, and place must be specified.
Gramm-Leach-Bliley (GLB) Act of 1999
The Financial Services Modernization Act or Gramm-Leach-Bliley (GLB) Act of 1999 contains a number of provisions that affect banks, securities firms, and insurance companies. It requires all financial institutions to disclose their privacy policies, describing how they share nonpublic personal information and how customers can request that their information not be shared with third parties. It ensures that the privacy policies in effect in an organization are fully disclosed when a customer initiates a business relationship, and distributed at least annually for the duration of the professional association.
long-arm jurisdiction
The ability of a legal entity to exercise its influence beyond its normal boundaries by asserting a connection between an out-of-jurisdiction entity and a local legal case.
Deterrence
The act of attempting to prevent an unwanted action by threatening punishment or retaliation on the instigator if the act takes place
ethics
The branch of philosophy that considers the nature, criteria, sources, logic, and validity of moral judgment; the organized study of how humans ought to act; rules we should live by.
Forensics
The coherent application of methodical investigatory techniques to collect, preserve, and present evidence of crimes in a court or court-like setting. Allows investigators to determine what happened by examining the results of an event, whether criminal, natural, intentional, or accidental.
Information Security and Law
The legal environment influences the behavior of every organization
evidentiary material policy (EM policy)
The policy document that guides the development and implementation of EM procedures regarding the collection, handling, and storage of items of potential evidentiary value.
Deontological ethics
The study of the rightness or wrongness of intentions and motives, as opposed to the rightness or wrongness of the consequences. AKA duty-based or obligation-based ethics. Seeks to define the person's ethical duty.
Descriptive ethics
The study of the choices that have been made by individuals in the past. What do others think is right?
Meta-ethics
The study of the meaning of ethical judgments and properties. What is right?
Normative ethics
The study of what makes actions right or wrong; moral theory. How should people act?
Health Information Technology for Economic and Clinical Health (HITECH) Act
Enacted as part of ARRA, in cooperation with HIPAA. Also requires that covered entities notify information owners of breaches.
By educating employees and management about their legal and ethical obligations and the proper use of information technology and information security, security professionals can
keep an organization focused on their primary mission
Constitutional law
Originates with the U.S., state, or local constitution, bylaws, or charter.
The benefits of PCI DSS compliance
Promoted by the PCI Security Standards Council: •An assertion that systems processing payment cards are secure, promoting trust in customers •Improved reputation with payment card issuers and payment processing organizations •Prevention of security breaches •Assistance in complying with other security standards, such as HIPAA, SOX, and GLB •Support for organizational security strategies •Increased efficiency of the information infrastructure
U.S. Secret Service
Protects key members of the U.S. government; responsible for the detection and arrest of any person committing a U.S. federal offense relating to computer fraud, as well as false identification crimes. Transferred from the Department of the Treasury to the Department of Homeland Security in March 2003. DHS has added to its critical infrastructure defense strategies the protection of the nation's cyber infrastructures.
Security and Freedom through Encryption Act of 1997
Provides guidance on the use of encryption and institutes measures of public protection from government intervention. Reinforces an individual's right to use or sell encryption algorithms without concern for the impact of other regulations requiring some form of key registration. Prohibits the federal government from requiring the use of encryption for contracts, grants, and other official documents and correspondence.
due diligence
Reasonable steps taken by people or organizations to meet the obligations imposed by laws or regulations.
Public law
Regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments. Includes criminal, administrative, and constitutional law.
Privacy Act of 1974
Regulates the government's collection, storage, use, and dissemination of individual personal information contained in records; regulates the government's use of private information. •Created to ensure that government agencies protect the privacy of individuals' and businesses' information, and makes them responsible if any portion of this information is released without permission.
Laws
Rules adopted and enforced by governments to codify expected behaviors in modern society. Largely drawn from the ethics of a culture: they define socially acceptable behaviors that conform to the widely held principles of the members of that society.
As a future information security professional, you will be required to understand the
scope of an organization's legal and ethical responsibilities
Within modern society, individuals elect to trade some aspects of personal freedom for
social order
Breach Laws
Specify a requirement for organizations to notify affected parties when they have experienced a specified type of loss of information (PII). •Most of these laws also require some form of after-breach support from the organization, such as free or discounted credit monitoring, progress reports, and a description of actions taken to rectify the incident and prevent reoccurrence. •Although the United States currently does not have a national breach law, several bills and proposals are being reviewed by the U.S. Congress; the only currently established federal breach notification statutes are those within the GLB Act and HIPAA.
Private law
Subset of civil law that regulates relationships among individuals and organizations. Encompasses family, commercial, and labor laws.
Tort law
Subset of civil law that allows individuals to seek redress in the event of personal, physical, or financial injury.
E-discovery
the identification and preservation of evidentiary material related to a specific legal action
jurisdiction
The power to make legal decisions and judgments; typically an area within which an entity such as a court or law enforcement agency is empowered to make legal decisions.
InfoSec professionals may be expected to be more informed about ethics and they must often
withstand a higher degree of scrutiny
Standards versus Law
•A variety of groups have created standards that offer guidance on how information security could or should be applied to industry segments or geographic areas. •Some industries have security requirements defined at least in part by government regulations; banking, health care, and education come to mind. •Other industries impose binding requirements on themselves that include significant enforcement mechanisms.
Policy Vs Law
•Because policies function like laws, they must be crafted with the same care as laws to ensure that the policies are complete, appropriate, and fairly applied to everyone in the workplace. •The key difference between policy and law is that while ignorance of the law is not an excuse (ignorantia juris non excusat), ignorance of policy is a viable defense; thus policies must be: •Distributed to all individuals who are expected to comply with them •Read by all employees •Understood by all employees, with multilingual translations and translations for visually impaired or low-literacy employees •Acknowledged by the employee, usually by means of a signed consent form •Uniformly enforced, with no special treatment for any group (e.g., executives)
Professional Organizations and Their Codes of Ethics
•Codes of ethics can have a positive effect on an individual's judgment regarding computer use. •Many employers don't encourage or require employees to join these professional organizations. •Some certifications have little impact, but others have great impact. •It remains the individual responsibility of security professionals to act ethically and according to the policies and procedures of their employers, their professional organizations, and the laws of society. •It is the organization's responsibility to develop, disseminate, and enforce its policies.
Sarbanes-Oxley (SOX) Act of 2002
•Designed to enforce accountability for financial record keeping and reporting at publicly traded corporations. •The law requires that the CEO and CFO assume direct and personal accountability for the completeness and accuracy of a publicly traded organization's financial reporting and record-keeping systems. •As these executives attempt to ensure that the integrity of recording and reporting systems is sound—often relying upon the expertise of CIOs and CISOs to do so—they must also maintain the availability and confidentiality of information. •CIOs are responsible for the security, accuracy, and reliability of the systems that manage and report financial data.
European Council Cybercrime Convention
•Empowers an international task force to oversee a range of Internet security functions and to standardize technology laws internationally. •Attempts to improve the effectiveness of international investigations into breaches of technology law. •The overall goal of the convention is to simplify the acquisition of information for law enforcement agents in certain types of international crimes, as well as the extradition process. •Many U.S. organizations had to comply with the EU-US Safe Harbor Framework; in 2015 the ECJ overturned Safe Harbor and it was replaced with the EU-US Privacy Shield. Privacy Shield is designed to implement a program in which participating companies are deemed as having adequate protection.
Laws and policies and their associated penalties only deter if three conditions are present
•Fear of penalty: termination, imprisonment, or forfeiture of pay •Probability of being caught: there must be a strong possibility •Probability of the penalty being administered: the organization must be willing and ready to impose punishment
SANS
•Founded in 1989, SANS is a professional research and education cooperative organization with a large membership, dedicated to the protection of information and systems. •The SANS GIAC Code of Ethics requires: •Respect for the public •Respect for the certification •Respect for my employer •Respect for myself
Australian High Tech Crime
•High tech crimes are defined and prosecuted in Australia under its Commonwealth legislation, Part 10.7—Computer Offences of the Criminal Code Act 1995. That law specifically includes: •data system intrusions (such as hacking) •unauthorized destruction or modification of data •actions intended to deny service of computer systems to intended users, such as denial-of-service (DoS) attacks and distributed denial-of-service (DDoS) attacks using botnets •the creation and distribution of malicious software
Organizational Liability and the Need for Counsel
•If an employee, acting with or without authorization, performs an illegal or unethical act, causing some degree of harm, the organization can be held financially liable for that action. •An organization increases its liability if it refuses to take measures—due care—to make sure that every employee knows what is acceptable and what is not, and the consequences of illegal or unethical actions. •Due diligence requires that an organization make a valid and ongoing effort to protect others.
Deterring Unethical and Illegal Behavior
•It is the responsibility of InfoSec personnel to deter unethical and illegal acts, using policy, education and training, and technology as controls or safeguards, in order to protect the organization's information and systems. •Three general categories of unethical behavior that organizations and society should seek to eliminate: •Ignorance •Accident •Intent •Deterrence is the best method for preventing an illegal or unethical activity: laws, policies, and technical controls.
restitution
A legal requirement to make compensation or payment resulting from a loss or injury.
Information Systems Security Association (ISSA)
A nonprofit society of information security professionals, focused on auditing, control, and security. •Its primary mission is to bring together qualified practitioners of information security for information exchange and educational development. •ISSA provides conferences, meetings, publications, and information resources to promote information security awareness and education. •ISSA also promotes a code of ethics, similar to those of (ISC)2, ISACA, and the ACM, "promoting management practices that will ensure the confidentiality, integrity, and availability of organizational information resources." Pledge, pg 77.
Economic Espionage Act (EEA)
An attempt to protect intellectual property and competitive advantage; Congress passed the Economic Espionage Act (EEA) in 1996. •This law attempts to protect trade secrets •"from the foreign government that uses its classic espionage apparatus to spy on a company, to the two American companies that are attempting to uncover each other's bid proposals, or to the disgruntled former employee who walks out of his former company with a computer diskette full of engineering schematics"
liability
An entity's legal obligation or responsibility; can be applied to conduct even when no law or contract has been breached.
Consumer victim
Any individual whose PII has been obtained, compromised, used, or recorded without their permission.
Ethics
Based on cultural mores, which are relatively fixed moral attitudes or customs of a societal group. Some are thought to be universal.
National Security Agency (NSA)
Coordinates, directs, and performs highly specialized activities to protect U.S. information systems and produce foreign intelligence information. Responsible for the security of communications and information systems at many federal government agencies associated with national security. Its Information Assurance Directorate (IAD) provides information security "solutions including the technologies, specifications and criteria, products, product configurations, tools, standards, operational doctrine, and support activities needed to implement the protect, detect and report, and respond elements of cyber defense". Develops and promotes an Information Assurance Framework Forum with commercial organizations and academic researchers; provides guidance and technical specifications for security solutions (Common Criteria). InfoSec outreach programs: recognizes universities; certification program.
To minimize the organization's liabilities, the information security practitioner must understand the
current legal environment and keep apprised of new laws, regulations, and ethical issues as they emerge
Morality
Defines acceptable and unacceptable behavior within a group context.
digital malfeasance
A crime against or using digital media, computer technology, or related components.
The Ten Commandments of Computer Ethics (Computer Ethics Institute)
Thou shalt NOT: •Use a computer to harm other people •Interfere with other people's computer work •Snoop around in other people's computer files •Use a computer to steal •Use a computer to bear false witness •Copy or use proprietary software for which you have not paid •Use other people's computer resources without authorization or proper compensation •Appropriate other people's intellectual output •Thou shalt think about the social consequences of the program you are writing or the system you are designing •Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans (source: Computer Professionals for Social Responsibility)
It is not yet industry standard to hire new employees directly into InfoSec positions
True
