COMPUTER LAW, INVESTIGATION AND ETHICS
Topics to Be Covered
• Computer Laws
• Computer Crime
• Computer Crime Investigations
• Computer Ethics
Proprietary Rights & Obligations
• Legal Forms of Protection
  • Trade Secrets: Information that Provides a Competitive Advantage. Protect Ideas.
  • Copyrights: Right of an Author to Prevent Use or Copying of the Author's Works. Protect Expression of Ideas.
  • Patents: Protect Results of Science, Technology & Engineering
• Business Needs
  • Protect Developed Software
  • Contractual Agreements
  • Define Trade Secrets for Employees
Proprietary Rights & Obligations (continued)
• Security Techniques to Protect Trade Secrets
  • Numbering Copies
  • Logging Document Issuance
  • Checking Files & Workstations
  • Secure Storage
  • Controlled Distribution
  • Limitations on Copying
• Contractual Commitments to Protect Proprietary Rights
  • Licensing Agreements with Vendors
  • Liability for Compliance
Proprietary Rights & Obligations (continued)
• Enforcement Efforts
  • Software Protection Association (SPA)
  • Federation Against Software Theft (FAST)
  • Business Software Alliance (BSA)
• Personal Computers
  • Establish User Accountability
  • Policy Development and Circulation
  • Purging of Proprietary Software
Protection for Computer Objects
• Hardware: Patents
• Firmware
  • Patents for Physical Devices
  • Trade Secret Protection for Code
• Object Code Software: Copyrights
• Source Code Software: Trade Secrets
• Documentation: Copyrights
Management Problems
• Corporate Recordkeeping
  • Accuracy of Computer Records: Potential Use in Court
  • IRS Rules: Inadequate Controls May Impact Audit Findings
• Labor and Management Relations
  • Collective Bargaining: Disciplinary Actions, Workplace Rules
  • Work Stoppage
  • Limitations on Background Investigations
  • Limitations on Drug and Polygraph Testing
  • Disgruntled Employees
  • Non-Disclosure Requirements
  • Immigration Laws
  • Establishment and Enforcement of Security Rules
Management Problems (continued)
• Data Communications: Disclosure through
  • Eavesdropping and Interception
  • Loss of Confidential Information
• Outsourcing
  • Contract Review
  • Review of Contractor's Capabilities
  • Impact of Downsizing
  • Contractor Use of Proprietary Software
Management Problems (continued)
• Personal Injury
  • Employee Safety
  • Carpal Tunnel Syndrome
  • Radiation Injury
• Insurance Against Legal Liability
  • Requirements for Security Precautions
  • Right to Inspect Premises
  • Cooperation with Insurance Company
Legal Liability
• Due Care: Minimum and Customary Practice of Responsible Protection of Assets
• Due Diligence: The Prudent Management and Execution of Due Care
• Programming Errors: Reasonable Precautions for
  • Loss of a Program
  • Unauthorized Revisions
  • Availability of Backup Versions
• Product Liability
  • Liability for Database Inaccuracies Due to Security Breaches
  • European Union: No Limits on Personal Liability for Personal Injury
Legal Liability (continued)
• Defamation
  • Libel Due to Inaccuracy of Data
  • Unauthorized Release of Confidential Information
  • Alteration of Visual Images
• Foreign Corrupt Practices Act
  • Mandate for Security Controls or Cost/Benefit Analysis
  • Potential SEC Litigation
Legal Liability (continued)
• Failure to Observe Standards
  • FIPS Pubs and CSL Bulletins
  • Failure to Comply with Legislation
• Personal Liability
  • Action or Inaction Was the Proximate Cause
  • Financial Responsibility to Plaintiff
  • Joint and Several Liability
Legal Liability (continued)
• Federal Sentencing Guidelines
  • Chapter 8 Added 1991
  • Applicable to Organizations
  • Violations of Federal Law
  • Specifies Levels of Fines
  • Mitigation of Fines Through Implementation of Precautions
Privacy & Other Personal Rights
• The Federal Privacy Act
  • Government Files Open to Public Unless Specified
  • Act Applies to Executive Branch Only
  • "Record" = Information about an Individual
  • Must Be a Need to Maintain Records
  • Disclosure Prohibited without Consent
• Requirements on Government Agencies
  • Record Disclosures
  • Public Notice of Existence of Records
  • Ensure Security & Confidentiality of Records
Privacy and Other Personal Rights (continued)
• State Acts and Regulations
  • Fair Information Practices Acts: Define Information that Can Be Collected
  • Uniform Information Practices Code (National Conference of Commissioners on Uniform State Laws): Recommended Model
  • Statutes Regulating Information Maintained by Private Organizations: e.g., Health Care, Insurance
Privacy and Other Personal Rights (continued)
• Other Employee Rights
  • Electronic Mail: Expectations of Privacy
  • Drug Testing: Limited to Sensitive Positions Only
  • Freedom from Hostile Work Environment
• International Privacy
  • European Statutes Cover Both Government and Private Corporate Records
  • Application Primarily to Computerized Data Banks
  • Strict Rules on Disclosure
  • Prohibitions on Transfer of Information Across National Boundaries
Privacy and Other Personal Rights (continued)
• Management Responsibilities
  • Regular Review with Legal Department
  • Consider All Jurisdictions
  • Prepare Policies for Compliance
  • Enforce Policies
  • Document Enforcement
Computer-Related Laws
• Criminal Law
  • Victim Is Society
  • Purpose of Prosecution Is Punishment
  • Deterrent Effect of Punishment
  • Burden of Proof: Beyond a Reasonable Doubt
  • Felonies: Jail > One Year
  • Misdemeanors: Jail < One Year
  • Federal and State Levels
Computer Crime Laws
• Federal
  • Computer Fraud and Abuse Act (Title 18, U.S. Code, Section 1030)
    • *Accessing a Federal Interest Computer (FIC) to Acquire National Defense Information
    • Accessing an FIC to Obtain Financial Information
    • Accessing an FIC to Deny Use of the Computer
    • *Accessing an FIC to Effect a Fraud
    • *Damaging or Denying Use of an FIC through Transmission of Code, Program, Information or Command
    • Furthering a Fraud by Trafficking in Passwords
  • Economic Espionage Act of 1996: Obtaining Trade Secrets to Benefit a Foreign Entity
  • Electronic Funds Transfer Act: Covers the Use, Transport, Sale, Receipt or Furnishing of Counterfeit, Altered, Lost, Stolen, or Fraudulently Obtained Debit Instruments in Interstate or Foreign Commerce.
Federal Computer Crime Laws (continued)
• Child Pornography Prevention Act of 1996 (CPPA): Prohibits use of computer technology to produce child pornography.
• Computer Security Act of 1987: Requires Federal Executive agencies to establish computer security programs.
• Electronic Communications Privacy Act (ECPA): Prohibits unauthorized interception or retrieval of electronic communications.
• Fair Credit Reporting Act: Governs the types of data that companies may collect on private citizens and how it may be used.
• Foreign Corrupt Practices Act: Covers improper foreign operations, but applies to all companies registered with the SEC, and requires companies to institute security programs.
• Freedom of Information Act: Permits public access to information collected by the Federal Executive Branch.
Computer Laws (continued)
• Civil Law (Tort Law)
  • Damage/Loss to an Individual or Business
  • Type of Punishment Different: No Incarceration
  • Primary Purpose Is Financial Restitution
    • Compensatory Damages: Actual Damages, Attorney Fees, Lost Profits, Investigation Costs
    • Punitive Damages: Set by Jury to Punish Offender
    • Statutory Damages: Established by Law
  • Easier to Obtain Conviction: Preponderance of Evidence
  • Impoundment Orders/Writs of Possession: Equivalent to a Search Warrant
Computer Laws (continued)
• International Laws
  • Lack of Universal Cooperation
  • Differences in Interpretation of Laws
  • Outdated Laws Against Fraud
  • Problems with Evidence Admissibility
  • Extradition
  • Low Priority
Computer Crime
• Computer Crime as a Separate Category
  • Rules of Property: Lack of Tangible Assets
  • Rules of Evidence: Lack of Original Documents
  • Threats to Integrity and Confidentiality: Go Beyond the Normal Definition of a Loss
  • Value of Data: Difficult to Measure. Cases of Restitution Only for Media
  • Terminology: Statutes Have Not Kept Pace. Is Computer Hardware "Machinery"? Does Software Qualify as "Supplies"?
Computer Crime (continued)
• Computer Crime Is Hard to Define
  • Lack of Understanding
  • Laws Are Inadequate: Slow to Keep Pace with Rapidly Changing Technology
• Multiple Roles for Computers
  • Object of a Crime: Target of an Attack
  • Subject of a Crime: Used to Attack (Impersonating a Network Node)
  • Medium of a Crime: Used as a Means to Commit a Crime (Trojan Horse)
Computer Crime (continued)
• Difficulties in Prosecution
  • Understanding: Judges, Lawyers, Police, Jurors
  • Evidence: Lack of Tangible Evidence
  • Forms of Assets: e.g., Magnetic Particles, Computer Time
Legal Aspects of Cryptography
• Prohibitions on Use (e.g., France)
• Prohibitions on Export (e.g., USA, GB, CAN, GER)
  • US Controls Export of Cryptography Implemented in Software
  • Practically Impossible to Enforce
Nature and Extent of Computer-Related Crime
• Typology
  • Input Tampering: Entry of Fraudulent or False Data
  • Throughput Tampering: Altering Computer Instructions
  • Output Tampering: Theft of Information
• Most Common Crimes
  • Input and Output Type
  • Fraudulent Disbursements
  • Fabrication of Data
The Computer Criminal
• Typical Profile
  • Male, White, Young
  • No Prior Record
  • Works in Data Processing or Accounting
• Myths
  • Special Talents Are Necessary
  • Fraud Has Increased Because of Computers
The Computer Criminal (continued)
• Personal Motivations
  • Economic
  • Egocentric
  • Ideological
  • Psychotic
The Computer Criminal (continued)
• Environmental Motivations
  • Work Environment
  • Reward System
  • Level of Interpersonal Trust
  • Ethical Environment
  • Stress Level
  • Internal Controls Environment
The Control Environment
• Factors that Encourage Crime
  • Motivation
  • Personal Inducements
• Factors that Discourage Crime
  • Prevention Measures
    • Internal Controls Systems
    • Access Control Systems
  • Detection Measures
    • Auditing
    • Supervision
Investigation Steps
• Detection and Containment
  • Accidental Discovery
  • Audit Trail Review
  • Real-Time Intrusion Monitoring
  • Limit Further Loss
  • Reduction in Liability
• Report to Management
  • Immediate Notification
  • Limit Knowledge of Investigation
  • Use Out-of-Band Communications
Investigation Steps (continued)
• Preliminary Investigation
  • Determine if a Crime Has Occurred
    • Review Complaint
    • Inspect Damage
    • Interview Witnesses
    • Examine Logs
  • Identify Investigation Requirements
Investigation Steps (continued)
• Disclosure Determination
  • Determine if Disclosure Is Required by Law
  • Determine if Disclosure Is Desired
  • Caution in Dealing with the Media
• Courses of Action
  • Do Nothing
  • Surveillance
  • Eliminate Security Holes
  • Is a Police Report Required?
  • Is Prosecution a Goal?
Investigation Steps (continued)
• Conducting the Investigation
  • Investigative Responsibility
    • Internal Investigation
    • External Private Consultant Investigation
    • Local/State/Federal Investigation
  • Factors
    • Cost
    • Legal Issues (Privacy, Evidence, Search & Seizure)
    • Information Dissemination
    • Investigative Control
Investigative Process
• Identify Potential Suspects
  • Insiders
  • Outsiders
  • Collaboration
• Identify Potential Witnesses
  • Who to Interview
  • Who Is to Conduct the Interview
Investigative Process (continued)
• Identify Type of System to Be Seized
  • Network, Hardware & Software Configuration
  • System Experts
  • Security System in Place
  • Location of System
  • Elements of Proof
  • Probable Cause/Warrant
  • Location of Analysis
Investigative Process (continued)
• Identify Search and Seizure Team Members
  • Lead Investigator
  • Information Security Representative
  • Legal Representative
  • Technical Representatives
• Obtain and Serve Search Warrants
• Determine if System Is at Risk
  • Access of Suspect
  • Potential Destruction of Evidence
Investigation Steps (continued)
• Execute the Plan
  • Secure and Control Scene
  • Protect Evidence
    • Don't Touch Keyboard
    • Videotape Process
    • Capture Monitor Display
    • Unplug System
    • Remove Cover
    • Disks and Drives
  • Search Premises (for Magnetic Media and Documentation)
  • Seize Other Devices (that May Contain Information)
Investigation Steps (continued)
• Conduct Surveillance
  • Physical: Determine Subject's Habits, Associates, Life Style
  • Computer: Audit Logs or Electronic Monitoring
• Other Information Sources
  • Personnel Files
  • Telephone and Fax Logs
  • Security Logs
  • Time Cards
• Investigative Reporting
  • Document Known Facts
  • Statement of Final Conclusions
Computer Forensics
• Conduct a Disk Image Backup of Suspect System: Bit-Level Copy of the Disk, Sector by Sector
• Authenticate the File System: Create a Message Digest for All Directories, Files & Disk Sectors
• Analyze Restored Data: Conduct Forensic Analysis in a Controlled Environment
• Search Tools: Quick View Plus, Expert Witness, Super Sleuth
• Searching for Obscure Data: Hidden Files/Directories, Erased or Deleted Files, Encrypted Data, Overwritten Files
• Steganography: Hiding a Piece of Information within Another
• Review Communications Programs: Links to Others
Computer Forensics (continued)
• Reassemble and Boot Suspect System with Clean Operating System
  • Target System May Be Infected
  • Obtain System Time as Reference
  • Run Complete System Analysis Report
• Boot Suspect System with Original Operating System
  • Identify Rogue Programs
  • Identify Background Programs
  • Identify What System Interrupts Have Been Set
Computer Forensics (continued)
• Search Backup Media: Don't Forget Off-Site Storage
• Search Access-Controlled Systems and Encrypted Files
  • Password Cracking
  • Publisher Back Door
  • Documentary Clues
  • Ask the Suspect
  • Case Law on Obtaining Passwords from Suspects
Rules of Evidence
• Types of Evidence
  • Direct: Oral Testimony by Witness
  • Real: Tangible Objects/Physical Evidence
  • Documentary: Printed Business Records, Manuals, Printouts
  • Demonstrative: Used to Aid the Jury (Models, Illustrations, Charts)
• Best Evidence Rule: To Limit Potential for Alteration
• Exclusionary Rule: Evidence Must Be Gathered Legally or It Can't Be Used
• Hearsay Rule: Key for Computer-Generated Evidence
  • Second-Hand Evidence
  • Admissibility Based on Veracity and Competence of Source
  • Exceptions: Rule 803 of the Federal Rules of Evidence (Business Documents Created at the Time by a Person with Knowledge, Part of Regular Business, Routinely Kept, Supported by Testimony)
Rules of Evidence (continued)
• Chain of Evidence: Accountability & Protection
  • Who Obtained Evidence
  • Where and When It Was Obtained
  • Who Secured It
  • Who Controlled It
  • Account for Everyone Who Had Access to or Handled the Evidence
  • Assurance Against Tampering
Rules of Evidence (continued)
• Admissibility of Evidence: Computer-Generated Evidence Is Always Suspect
  • Relevancy: Must Prove a Fact that Is Material to the Case
  • Reliability: Prove Reliability of Evidence and the Process for Producing It
• Evidence Life Cycle
  • Collection and Identification
  • Storage, Preservation, and Transportation
  • Presentation in Court
  • Return to Victim (Owner)
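The "Authenticate the File System" step on the Computer Forensics slide and the Chain of Evidence and Evidence Life Cycle slides above rest on the same mechanism: a message digest taken at collection and re-checked at every later handling. The following Python is an added example, not part of the original slides, that hashes an acquired image and file tree into a manifest, re-verifies the manifest to show that a post-seizure alteration is detected, and records a chain-of-evidence entry binding the manifest digest to who handled it and when; the file names, contents and investigator name are constructed for the demonstration.

```python
# Added example (not from the original slides): authenticate a seized file set
# with message digests and record a chain-of-evidence entry. All names constructed.
import hashlib, json, os, tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk=1 << 20):
    """Digest a file in chunks so a large disk image needs little memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Message digest of every file under root, keyed by path relative to root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest

def verify_manifest(root, manifest):
    """Relative paths that are now missing or whose digest no longer matches."""
    return sorted(rel for rel, d in manifest.items()
                  if not os.path.exists(os.path.join(root, rel))
                  or sha256_file(os.path.join(root, rel)) != d)

def custody_entry(manifest, who, action):
    """Chain-of-evidence record: who, what, when, and a digest over the manifest."""
    canon = json.dumps(manifest, sort_keys=True).encode()
    return {"who": who, "action": action,
            "when": datetime.now(timezone.utc).isoformat(),
            "manifest_sha256": hashlib.sha256(canon).hexdigest()}

def demo():
    """Constructed scenario: hash at seizure, verify clean, then detect tampering."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "docs"))
        memo = os.path.join(root, "docs", "memo.txt")
        with open(os.path.join(root, "disk.img"), "wb") as f:
            f.write(b"\x00" * 4096)        # stand-in for a sector-by-sector image
        with open(memo, "w") as f:
            f.write("constructed sample document\n")
        manifest = build_manifest(root)
        entry = custody_entry(manifest, "investigator A", "acquired and hashed")
        clean = verify_manifest(root, manifest)
        with open(memo, "a") as f:
            f.write("altered after seizure\n")   # simulated tampering
        return clean, verify_manifest(root, manifest), entry
```

demo() returns an empty list for the untouched set, then the single altered path once the memo is appended to, so any change between collection and presentation is attributable to a specific custody interval.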
Legal Proceedings
• Discovery
  • Defense Granted Access to All Investigative Materials
  • Protective Order Limits Who Has Access
• Grand Jury and Preliminary Hearings
  • Witnesses Called
  • Assign Law Enforcement Liaison
• Trial: Unknown Results
• Recovery of Damages: Through Civil Courts
Legal Proceedings (continued)
• Post Mortem Review: Analyze Attack and Close Security Holes
  • Incident Response Plan
  • Information Dissemination Policy
  • Incident Reporting Policy
  • Electronic Monitoring Statement
  • Audit Trail Policy
  • Warning Banner (Prohibit Unauthorized Access and Give Notice of Monitoring)
  • Need for Additional Personnel Security Controls