CYB 134 - Week 8


computer fraud and abuse act was the foundation for

-criminalizing unauthorized access to computer systems -criminalizing knowingly accessing government computers, or computers used in interstate commerce, without permission -criminalizing the transmission of code or commands that cause damage

login banners

-establish that users have no expectation of privacy on the system -notify users that they are being monitored -obtain users' consent to that monitoring -establish the system administrator's authority to consent to a law enforcement search

most significant human factors (causes of people being a weak link)

-inadequate cybersecurity knowledge -poor capture and communication of risks -culture and relationship issues -under-investment in security training -using trust instead of procedures -absence of a single point of accountability -social engineering

how do bad actors compromise the access of a valid user

-phishing -guessing passwords, sharing passwords -password reuse -leaving computer unlocked

DMCA exceptions (encryption research exemption)

-the person lawfully obtained the encrypted copy, phonorecord, performance, or display of the published work -the circumvention is necessary to conduct the encryption research -the person made a good-faith effort to obtain authorization before circumventing -the act does not constitute infringement under copyright law or a violation of any other applicable law

3 forms of computer involvement in criminal activity

-tool of a crime -victim of a crime -incidental to a crime

5 false assumptions about social engineering attacks

1) cybercriminals don't spend time building a connection with their target 2) services from important companies are always safe 3) threats only come by email 4) cybercriminals don't have access to work or personal emails 5) bad actors won't make use of timely or socially relevant content

why don't people report risks?

1. the risk doesn't directly impact the person's immediate location, department or budget (silo thinking) 2. there are sometimes negative personal or career consequences for reporting risks 3. the process for filtering and escalating risks is not well developed

what rank do cyber-related crimes hold on the FBI's priority list?

3rd

circumventing technological controls used to protect intellectual property is a violation of the

DMCA

primary statute enacted in the US to bring copyright law up to date with the digital world

DMCA

unusual ethical principle

I will not present analysis and opinion as fact

a corporate culture that creates disinterested or disaffected staff is much more likely to lead to

a cybersecurity threat from within

people being a weak link is not

a new problem

click fraud

fraud against pay-per-click advertising in which clicks are generated by malware or bots rather than by genuine users, defrauding the advertising revenue counting engine

US digital signature law (E-SIGN Act)

a signature, contract, or other record may not be denied legal effect, validity or enforceability solely because it is in electronic form

Digital Millennium Copyright Act (DMCA)

amended Title 17 of the US Code to implement the World Intellectual Property Organization Copyright Treaty and Performances and Phonograms Treaty, and for other purposes -one section made it illegal to develop, produce, or trade any device or mechanism designed to circumvent technological controls used in copy protection

Electronic Communications Privacy Act (ECPA)

an act dealing with privacy issues arising from the increasing use of telecommunications technology. Federal wiretap statutes were modified to include electronic communications, criminal sanctions for unauthorized access to stored electronic records and communications were added, and pen register and trap-and-trace issues were addressed

don't underestimate the extent to which

an enterprise's culture correlates with its security posture

Internet Crime Complaint Center (IC3)

an online clearing house that communicates issues associated with cybercrime

fear

an unpleasant emotion caused by the belief that someone or something is dangerous, likely to cause pain, or a threat.

AMLBot

an anti-money-laundering bot that analyzes transactions to determine whether money laundering may have occurred

social engineering

art of manipulating people through personal interactions to gain unauthorized access to something

CAN-SPAM Act

attempted to regulate commercial email by establishing national guidelines and giving the FTC enforcement powers (helped curb spam) -didn't work well -also applies to commercial messages sent to mobile phones

main protection against social engineering

awareness training with real life examples

the cyber-law environment has not

been fully defined by the courts

training teaches people what?

best practices

which city got scammed? what was the scam?

the city of Newark was recently scammed into believing that a nation existed when it did not

there are not many resources being devoted to

combating cybercrime

phishing and spear phishing are the most

common social engineering attack

obedience

complying with an order, request, or law, or submission to another's authority

consistent way to bypass security

compromise or misuse the valid access of an authorized user

exceeding granted authority is also

computer trespass

some people have unlimited privileges because they're

considered trustworthy

best rule for situations involving export of encryption containing software

consult an expert (lawyer)

people are more likely than technology to

create cybersecurity failures

if people are disconnected from the group/company they're more likely to

create issues

some laws prohibit the use and possession of

cryptographic technology

in China, a license is required for

cryptographic use

there are very complicated export laws dealing with

cryptography

export laws mainly place restrictions on

cryptography (strong encryption products generally cannot be exported without a license)

plugging in an unknown charging cable is

dangerous

Sarbanes-Oxley Act (SOX)

dealt with financial regulation, and specified that all processes associated with a firm's financial reporting must be controlled and audited on a regular basis

when performing a cybersecurity investigation, you should always

document your steps

in the event of failure, instead of being equally accountable, shared owners expect to be

equally unaccountable

Gramm-Leach-Bliley Act (GLBA)

established opt-out methods so individuals can maintain some control over the use of information provided in a business transaction with a member of the financial community -dealt with financial regulation

organizations with an employee-oriented (positive) culture that values teamwork tend to have

fewer security gaps

even with the law in place, people have

for years made copies of music and videos in violation of copyright law

botnets

groups of computers commandeered by a malicious hacker

the White House recently set new

healthcare cybersecurity standards

Computer Fraud and Abuse Act (CFAA)

helped to define computer trespass -the most common charge under the CFAA is accessing a computer without authorization or exceeding authorized access

greed

intense and selfish desire for something

common law (case law)

laws based on precedent (previous events) (judicial branch)

administrative laws

laws made by administrative bodies given power by other legislation (ex: EPA, FAA, FCC)

Export Laws

laws over what can be exported (out of the US)

statutory laws

laws passed by the legislative branch of government

Edward Snowden importance

leaked highly classified information from the NSA in 2013

driving force behind cybercrime

low risk of being caught (physically remote)

sometimes, cybersecurity people see all actions as

malicious or bad

the Wassenaar Arrangement has enabled

mass-marketed products to generally flow across borders

the USA Patriot Act requires ISPs to

modify their systems so that law enforcement can gain access more easily

the speed at which emerging technologies are adopted continuously creates

more potential cybersecurity vulnerabilities

spear phishing

more targeted version of phishing, aimed at tailoring the attack to the victim

USA Patriot Act

passed in response to 9/11; extended pen register and trap-and-trace provisions and changed the checks and balances in US privacy law -allowed for the use of an eavesdropping system (Carnivore)

91% of data breaches start with

phishing

vishing

phishing over the phone

the absence of a defined, single owner is a frequent cause of

process or asset protection failure

major provision of electronic communications privacy act (ECPA)

prohibition against an employer monitoring an employee's computer usage, including email, unless consent is obtained

main objective of the Convention on Cybercrime

to pursue, as a matter of priority, a common criminal policy aimed at protecting society against cybercrime, inter alia by adopting appropriate legislation and fostering international cooperation

people see risks but don't

report them (silo thinking, concern for reputation or career)

shared ownership is a significant

security gap

no one should directly access

security infrastructure they designed

when people feel no connection or support from their organization they are more likely to

seek opportunities to take personal advantage of their position

Payment Card Industry Data Security Standard (PCI DSS)

set of contractual rules governing how credit card data is to be protected

law enforcement encryption debate

should law enforcement be given access to our digital lives? -law enforcement and the government have repeatedly tried to get laws passed that would grant them such access

AMLBot recently helped

shut down 3 dark web services

ethics can vary by

socio-cultural factors and groups

organizations hire high cost specialists but don't

spend enough money keeping them current

types of US laws

-statutory laws -administrative laws -common law (case law)

controversial issue associated with DMCA

takedown notices

cybersecurity is not purely

technical

the music and video industry has long relied on

technology to protect its rights with respect to intellectual property

the convention on cybercrime helped to define what?

a common set of computer crime offenses across jurisdictions (note: it did not define the Computer Fraud and Abuse Act, which was enacted in 1986, well before the Convention was opened for signature in 2001)

silo thinking

the belief that because a risk doesn't impact your immediate location, department or budget it is not a problem or worth reporting

convention on cybercrime

the first international treaty on crimes committed via the Internet and other computer networks

human factors are the most likely to create

the opportunities that lead to a cybersecurity failure

single point of accountability

the principle that all critical assets, processes and actions must have clear ownership and traceability to a single person

ethics

the social-moral environment in which a person makes decisions

an insurance company, Lloyd's of London, recently did what?

it took its systems completely off the network to investigate a cybersecurity issue

after breaches, what do hackers vigilantly try?

they try the breached credentials at multiple other sites (credential stuffing, which works because of password reuse)

computer trespass

unauthorized entry into a computer system via any means

spam

unsolicited commercial e-mail

Wassenaar Arrangement

update to encryption export rules that removed key restrictions on encryption and effectively removed mass-market encryption products (ex: modern phones) from being affected by the law

people are the _________________ link in cybersecurity

weakest

helpfulness

willingness to help others

social media is what kind of environment?

zero trust environment
