CYB 134 - Week 8
computer fraud and abuse act was the foundation for
-criminalizing unauthorized access to computer systems -criminalizing knowingly accessing government or interstate connected computers without permission -criminalizing transmitting codes or commands that cause harm
login banners
-establish expectation of privacy -notify about monitoring -obtain users' consent to monitoring -establishes the system admin's authority to consent to a law enforcement search
most significant human factors (causes of people being a weak link)
-inadequate cybersecurity knowledge -poor capture and communication of risks -culture and relationship issues -under-investment in security training -using trust instead of procedures -absence of a single point of accountability -social engineering
how do bad actors compromise the access of a valid user
-phishing -guessing passwords, sharing passwords -password reuse -leaving computer unlocked
DMCA exceptions
-the person lawfully obtained the encrypted copy, phonorecord, performance or display of the published work -such act is necessary to conduct such encryption research -the person made a good faith effort to obtain authorization before the circumvention -such act does not constitute infringement under this title or a violation of applicable law other than this section
3 forms of computer involvement in criminal activity
-tool of a crime -victim of a crime -incidental to a crime
5 false assumptions about social engineering attacks
1) cybercriminals don't spend time building a connection with their target 2) services from important companies are always safe 3) threats only come by email 4) cybercriminals don't have access to work or personal emails 5) bad actors won't make use of timely or socially relevant content
why don't people report risks?
1. the risk doesn't directly impact the person's immediate location, department or budget (silo thinking) 2. there are sometimes negative personal or career consequences for reporting risks 3. the process for filtering and escalating risks is not well developed
cyber-related crimes are what rank on the FBI's priority list?
3rd
circumventing technological controls used to protect intellectual property is a violation of the
DMCA
primary statute enacted in the US to bring copyright legal concerns up to date with the digital world
DMCA
unusual ethical principle
I will not present analysis and opinion as fact
a corporate culture that creates disinterested or disaffected staff is much more likely to lead to
a cybersecurity threat from within
people being a weak link is not
a new problem
click fraud
a piece of malware that defrauds the advertising revenue counter engine through fraudulent user clicks
US digital signature law
a signature, contract, or other record may not be denied legal effect, validity or enforceability solely because it is in electronic form
Digital Millennium Copyright Act (DMCA)
amended title 17 to implement the World Intellectual Property Organization Copyright Treaty and Performances and Phonograms Treaty and for other purposes -one section made it illegal to develop, produce, and trade any device or mechanism designed to circumvent technological controls used in copy protection
Electronic Communications Privacy Act (ECPA)
an act dealing with privacy issues resulting from increasing use of technology specific to telecommunication. Federal wiretap statutes were modified to include electronic communications, criminal sanctions for unauthorized access to stored electronic records and communications were added, and pen register and tap and trace issues were addressed
don't underestimate the extent to which
an enterprise's culture correlates with its security posture
Internet Crime Complaint Center (IC3)
an online clearing house that communicates issues associated with cybercrime
fear
an unpleasant emotion caused by the belief that someone or something is dangerous, likely to cause pain, or a threat.
AMLBot
anti-money-laundering bot that looks at transactions to determine if money laundering may have occurred
social engineering
art of manipulating people through personal interactions to gain unauthorized access to something
CanSPAM
attempted to regulate commercial email by establishing national guidelines and giving the FTC enforcement powers (helped curb spam) -didn't work well -also applied to phones
main protection against social engineering
awareness training with real life examples
the cyber-law environment has not
been fully defined by the courts
training teaches people what?
best practices
which city got scammed? what was the scam?
city of Newark was recently scammed into believing a nation existed, when it didn't
there are not a lot of resources being devoted to
combatting cybercrime
phishing and spear phishing are the most
common social engineering attack
obedience
complying with an order, request, or law, or submission to another's authority
consistent way to bypass security
compromise or misuse the valid access of an authorized user
exceeding granted authority is also
computer trespass
some people have unlimited privileges because they're
considered trustworthy
best rule for situations involving export of encryption containing software
consult an expert (lawyer)
people are more likely than technology to
create cybersecurity failures
if people are disconnected from the group/company they're more likely to
create issues
some laws prohibit the use and possession of
cryptographic technology
in China, a license is required for
cryptographic use
there are very complicated export laws dealing with
cryptography
export laws mainly place restrictions on
cryptography (can't export new cryptography methods)
plugging in an unknown charging cable is
dangerous
Sarbanes-Oxley Act (SOX)
dealt with financial regulations, and specified that all processes associated with the financial reporting of a firm must be controlled and audited on a regular basis
when performing a cybersecurity investigation, you should always
document your steps
in the event of failure, instead of being equally accountable, shared owners expect to be
equally unaccountable
Gramm-Leach-Bliley Act (GLBA)
established opt-out methods for individuals to maintain some control over the use of the information provided in a business transaction with a member of the financial community -dealt with financial regulations
organizations with an employee-oriented (positive) culture that values teamwork tend to have
fewer security gaps
even with the law, people have
for years they've made copies of music and videos, violating copyright laws
botnets
groups of computers commandeered by a malicious hacker
the White House recently set new
healthcare cybersecurity standards
Computer Fraud and Abuse Act (CFAA)
helped to define computer trespass -most common charge from CFAA is accessing without authority or exceeding authority
greed
intense and selfish desire for something
common law (case law)
laws based on precedent (previous events) (judicial branch)
administrative laws
laws made by administrative bodies given power by other legislation (ex: EPA, FAA, FCC)
Export Laws
laws over what can be exported (out of the US)
statutory laws
laws passed by a legislative branch of government
Edward Snowden importance
leaked highly classified information from the NSA in 2013
driving force behind cybercrime
low risk of being caught (physically remote)
sometimes, cybersecurity people see all actions as
malicious or bad
the Wassenaar Arrangement has enabled
mass-marketed products to generally flow across borders
the USA Patriot Act requires ISPs to
modify their systems to allow law enforcement easier access
the speed at which emerging technologies are adopted continuously creates
more potential cybersecurity vulnerabilities
spear phishing
more targeted version of phishing, aimed at tailoring the attack to the victim
USA Patriot Act
passed in response to 9/11 which extended tap and trace, and changed the levels of checks and balances in laws related to privacy in the US -allows for eavesdropping system (Carnivore)
91% of data breaches come from
phishing
vishing
phishing over the phone
the absence of a defined, single owner is a frequent cause of
process or asset protection failure
major provision of electronic communications privacy act (ECPA)
prohibition against an employer's monitoring an employee's computer usage, including email unless consent is obtained
main objective of the Convention on Cybercrime
pursue, as a matter of priority, a common criminal policy aimed at the protection of society against cybercrime, inter alia, by adopting appropriate legislation and fostering international cooperation
people see risks but don't
report them (silo thinking, concern for reputation or career)
shared ownership is a significant
security gap
no one should directly access
security infrastructure they designed
when people feel no connection or support from their organization they are more likely to
seek opportunities to take personal advantage of their position
Payment Card Industry Data Security Standard (PCI DSS)
set of contractual rules governing how credit card data is to be protected
law enforcement encryption debate
should law enforcement be given access to our digital lives? -law enforcement and the government have attempted to get laws passed to allow their access to our digital lives
AMLBot recently helped
shut down 3 dark web services
ethics can vary by
socio-cultural factors and groups
organizations hire high cost specialists but don't
spend enough money keeping them current
types of US laws
statutory laws administrative laws common law (case law)
controversial issue associated with DMCA
takedown notices
cybersecurity is not purely
technical
the music and video industry has long relied on
technology to protect its rights with respect to intellectual property
the convention on cybercrime helped to define what?
the Computer Fraud and Abuse Act
silo thinking
the belief that because a risk doesn't impact your immediate location, department or budget it is not a problem or worth reporting
convention on cybercrime
the first international treaty on crimes committed via the Internet and other computer networks
human factors are the most likely to create
the opportunities that lead to a cybersecurity failure
single point of accountability
the principle that all critical assets, processes and actions must have clear ownership and traceability to a single person
ethics
the social-moral environment in which a person makes decisions
an insurance company, Lloyd's of London recently did what?
they recently completely pulled themselves off the network to investigate a cybersecurity issue
after breaches, hackers vigilantly try what?
they try to use breached credentials at multiple other sites
computer trespass
unauthorized entry into a computer system via any means
spam
unsolicited commercial e-mail
Wassenaar Agreement
update to encryption export rules that removed key restrictions on encryption and effectively removed mass-market encryption products from being affected by the law (ex: modern phones)
people are the _________________ link in cybersecurity
weakest
helpfulness
willingness to help others
social media is a what environment?
zero trust environment