CSE 4482 Computer Security Management: Assessment and Forensics. Law and Ethics

Transcription

1 CSE 4482 Computer Security Management: Assessment and Forensics Law and Ethics Instructor: N. Vlajic, Fall 2013

2 Required reading: Management of Information Security (MIS), by Whitman & Mattord Chapter 12, pp

3 Learning Objectives Upon completion of this material, you should be able to: Differentiate between law and ethics. Identify major US laws that relate to the practice of information security. Identify relevant professional organizations and their Codes of Ethics.

4 Introduction

5 Introduction (cont.) Law written rules adopted & enforced by a government to define expected behavior these rules attempt to balance individual freedoms and social order, which may be in conflict laws are largely drawn from the ethics of a culture Ethics informal set of values and beliefs about right and wrong behavior some ethics are thought to be universal murder, theft, assault are legally and ethically unacceptable in most world s cultures Key difference between law and ethics: law caries the sanction of a governing authority and ethics do not!

6 Introduction (cont.) In majority of cases, what is legal is also ethical and the other way around. However, with the society operating a dynamic and ever-changing environment, there are cases when law and ethics are in conflict.

7 Introduction (cont.) Relationship between Law and Ethics Edward Snowden NSA Leak Case Breaking into Somebody s Account Screening of Web-traffic by Employer Harcourt%20Colledge%20Publishers-Donald%20F.%20Kuratko/chapter_6.htm

8 Introduction to Law

9 Introduction to Law Categories of Law in Canada and USA: Public Law(s): regulate 1) organization and functioning of the state 2) relationship between the state and its subjects concerned with matters that affect society as a whole deals with regulation of behavior generally Private Law(s): regulate relationship between individuals and groups that are not of public importance deals with disputes between parties regulates rights and duties of individuals to each other

10 Introduction to Law Subcategories of Law Public Law(s) Constitutional Law related to interpretation & application of the Constitution of Canada, including the Charter of R&F (freedom of expression & religion, freedom from unreasonable search & seizure, ) Administrative Law addresses actions and operations of government & government agencies Criminal Law deals with behaviors that results in injury to people and/or property (murder, break and enter, sexual assault, etc.) Private / Civil Law(s) Family Law deals with various relationships of family life Contract Law outlines requirements for legally binding agreements Tort Law seeks compensation for loss caused by negligence Property Law outlines relationship between individuals & property Labour Law outlines relationship between employers & employees

11 Criminal vs. Civil Law Case Criminal Law Procedure the victim (may) report the case to the police & they have the responsibility to investigate if charge has been properly laid & there is supporting evidence the Crown Prosecutor represents the case in the courts and public funds finance these services even if a victim starts a prosecution privately, the Attorney General has the power to take over the prosecution Civil Law Procedure the victim must take action to get a legal remedy or adequate compensation victim must hire a private lawyer & pay expenses of pursuing the matter the police does not get involved, beyond the point of restoring the order

12 Criminal vs. Civil Law Case (cont.) Criminal vs. Civil Law Principles In Criminal Law, to convict someone, the guilt must be proven beyond reasonable doubt. In Criminal Law, the sentence to the offender may include one or a combination of the following: fine restitution compensate for victim s loss or damages probation community service imprisonment In Civil Law, to convict someone, the guilt must be proven on balance of probabilities. In Civil Law, monetary remedies (damages) are most common.

13 Criminal vs. Civil Law Case (cont.) beyond reasonable doubt evidence = = clear and convincing evidence ( merely possibility that what is presented is true is not sufficient) balance of probabilities evidence = = evidence with 50% threshold (produces a belief that what is presented is more likely true than not true) More evidence is needed to find the defendant at fault in criminal than in civil ones.

14 Criminal vs. Civil Law Case (cont.)

15

16 Criminal vs. Civil Law Case (cont.) Every crime has two essential parts: the action or "actus reus" and the intent or "mens rea" (guilty mind). For example, the crime of arson has two parts: actually setting fire to a building and doing it wilfully and deliberately. Setting a fire by accident may not be a crime. For most criminal cases both the action and the intent must be proven. If either element is missing, then no crime has been committed.

17 Law and Computer Security attacker victim Is a DDoS a Civil or a Criminal offence? In US, as of 2008, DDoS is considered a criminal offence under Computer Misuse Act. In Canada, DDoS is also a criminal offence under Criminal Code 430: Unauthorized Use of Computer & Mischief.

18 Law and Computer Security (cont.) In the early days of computer security, information security professionals were pretty much left on their own to defend their systems against attacks. They did not have much help from the criminal and civil justice systems. When they did seek assistance from law enforcement, they were met with reluctance by overworked agents who did not have a basic understanding of how something that involved a computer could actually be a crime Fortunately, both our legal system and the man and women of law enforcement have come a long way over the past two decades CISSP: Certified Information Systems Security Professional Study Guide, by J. M. Steward, E. Tittel, M. Chapple (pp. 630)

19 Law and Computer Security (cont.) The first computer security issues addressed by legislators were those involving computer crime. Early computer crime prosecutions were attempted under traditional criminal law, and many were dismissed because judges thought that applying traditional law to this modern type of crime was too far of a stretch. Example: Hearsay evidence! Legislators responded by passing specific statutes that defined computer crime and laid out specific penalties for various crimes Every information security professional should have basic understanding of the law as it relates to information technology. However, the most important lesson to be learned is knowing when it is necessary to call in an attorney CISSP: Certified Information Systems Security Professional Study Guide, by J. M. Steward, E. Tittel, M. Chapple (pp. 633)

20 Law and Computer Security (cont.) To minimize their & their organization s liability, information security professionals must: keep informed about new laws, regulations and ethical issues as they emerge understand the scope of organization s legal and ethical responsibilities educate the management and employees about their legal and ethical obligations and the proper use of information technology

21 Computer Crime Computer Crime criminal activity in which either (aka Cybercrime) of the following is true: computer is a target e.g., somebody attempts to control a computer or interfere with its availability (examples: development and distribution of malware, DDoS attacks, ) computer is a storage device e.g., somebody uses a computer to store stolen or inappropriate content computer is a communication tool e.g., somebody uses computer(s) to conduct illegal sale of drugs or guns

22 Convention on Cybercrime Cybercrime 1 st international agreement seeking to Convention address Computer/Cyber Crimes by (2001) harmonizing national laws & increasing inter-national cooperation initially drawn up by the Council of Europe and active participation of Canada & Japan in 2006, USA became the 16 th nation to ratify the treaty currently, 40 states had ratified, and 11 states had signed (but not ratified) the convention Canada one of them

23

24

25 List of cybercrimes cited in the Convention on Cybercrime represents an international consensus on what constitutes cybercrime and what crimes are considered important. Stallings, Computer Security, 2 nd edition, pp. 596

26 US Laws Key US laws of interest to IS professionals

27 US Laws (cont.) INSTITUTIONS STATE Computer Fraud & Abuse Act Patriot Act Federal Privacy Act Electronic Communications Privacy Act INDIVIDUAL Health Insurance Portability and Accountability Ac Gramm-Leach-Bliley Act Children s Online Privacy Protection Act

28 US Laws: CFA Act Computer Fraud law passed by the US Congress and Abuse Act landmark in the fight against cyber- (CFA Act) crime the first law to address crime of 1986 involving computers initially intended to address offenses to computers of the US government and certain financial institutions amended in 1988, 1994, 1996 and 2001 by the USA Patriot Act through amendments, the scope extended to all protected computers, i.e. any computer connected to the Internet

29 US Laws: CFA Act (cont.) criminal offences under the CFA Act: 1) knowingly accessing a computer without authorization 1 or exceeding authorized access 2 to obtain national security data 2) intentionally accessing a computer without authorization (or 2 ) to obtain one of the following: a) a financial record of a financial institution; b) information from any US-government department or agency; c) information from any protected computer. 3) intentionally accessing without authorization (or 2 ) a government computer and affecting the use of the government s operation of the computer 4) knowingly causing the transmission of a program, information, code or command that causes damage such as: a) loss to one or more persons (or companies) during any one-year period aggregating at least $5,000 in value

30 US Laws: CFA Act (cont.) criminal offences under the CFA Act (cont.) b) the modification or impairment of medical records c) physical injury to any person d) a threat to public health of safety e) damage affecting a government computer system 5) knowingly and with intent to defraud traffics a password or a similar information through which a computer may be accessed without authorization 1 Access without authorization = access by an outsider who breaks in and uses a computer for any malicious purpose 2 Exceeding authorized access = access by an authorized user who obtains or alters information that he/she is not allowed to obtain or alter (e.g. employees)

31 US Laws: CFA Act (cont.) Computer Fraud although the Act does not specifically and Abuse Act mention hacking, malware and (cont.) denial of service, they are its main focus example: 1) knowing transmission of a code that causes damage infection by a virus 2) knowing execution of a command that causes damage DDoS attack Punishment for offences prosecuted under the CFA varies from fines to imprisonment of up to 20 years, or both.

32 US Laws: CFA Act (cont.) Case Study: Morris Case (1988) One of the first cases prosecuted under the CFA Act. Morris, a Ph.D. candidate in CS (Cornell U), wanted to demonstrate the weakness of security measures of computers on the Internet, a network linking university, government and military computers around the United States. His plan was to insert a worm into as many computers as he could gain access to, but to ensure that the worm replicated itself slowly enough that it would not cause the computers to slow down or crash. However, Morris miscalculated how quickly the worm would replicate. By the time he released a message on how to kill the worm, it was too late: Some 6,000 computers had crashed or become "catatonic" at numerous institutions, with estimated damages of $200 to $53,000 for each institution. Morris was sentenced to three years probation and 400 hours of community service, and was fined $10,500.

33 US Laws: Patriot Act US Patriot Act allows law enforcement greater (2001 weeks latitude in combating criminals after Sept. 11) and terrorists who use computers and communication networks [telephone, computer, wireless] L.E. has authority to intercept voice communications in computer hacking investigations L.E. has authority to obtain voice mail and other stored voice communications using standard search warrants rather than wiretap orders L.E. has authority to trace communications on the Internet and other computer networks

34 US Laws: Patriot Act (cont.) US Patriot Act (2001 weeks after Sept. 11) L.E. has authority to issue nationwide search warrants for s and other electronic data ISPs compelled to disclose unopened s ISPs are permitted to disclose customer info in the case of emergency - if they suspect an immediate risk of death or serious physical injury to any person Patriot Act one of the most controversial acts gives away personal freedoms and constitutional rights in exchange for higher levels of (national) safety For more see:

35 US Laws: Patriot Act (cont.) Case Study: Patriot Act vs. Constitution (2004) While conducting surveillance of the defendant and co-defendant, the agents lost track of them. The agents then dialed the defendant s cell phone several times, and used the provider s computer data to determine which cell transmission towers were being hit by that phone. The cell s data revealed the defendant s general location and helped catch him. On appeal of his conviction, the defendant argued that the cell-site data and resulting evidence should have been suppressed because they turned his phone into a tracking device and that violated his constitutional rights The court found that the cell-site data falls under the category of electronic communication, hence was not illegal Computer Forensics: Principles and Practices, pp. 423 by L. Volonino, R. Anzaldua, J. Godwin

36 US Laws: Privacy (1) Federal Privacy regulates the government s use Act (1974) of private information addresses concerns about creation and use of computerized data the act states: government agencies must protect the privacy of individuals and businesses information and are responsible if any portion of information is released without prior written consent of the individual at the same time, individuals CAN access information controlled by others if they can demonstrate that that information is necessary to protect their health & safety

37 US Laws: Privacy (2) Electronic Comm. often referred to as federal Privacy Act wiretapping act (1986) primarily designed to prevent unauthorized government access to private electronic communications sets high standards for search warrants of: wire, oral & electronic communications while in transit communications held in electronic storage dialing, routing, addressing & signaling information some provisions of the act are later weakened by Patriot Act

38 US Laws: Privacy (3) Health Insurance aims to protect confidentiality Portability and and security of health data Accountability requires organizations that retain Act - HIPAA health care information to use (1996) comprehensive information security mechanisms severely restricts dissemination & distribution of private health info without documented consent provides patients right to know who has access to and who has accessed their information gives patients the right to examine & obtain a copy of their own data

39 US Laws: Privacy (4) Gramm-Leach- contains a number of provisions -Bliley that affect banks, security firms, Act (1999) and insurance companies the act requires that such institutions: implement a comprehensive info. security program with appropriate administrative, technical and physical safeguards ensure the security and confidentiality of customer info., and protect customer info. from unauthorized access by third party that could result in harm or inconvenience to the customer Safeguarding the confidentiality and integrity of customer information is no longer just a best practice for financial institutions it is now a legal requirement.

40 US Laws: Privacy (4)

41 US Laws: Privacy (5) Children s Online prohibits certain actions by Privacy Protection websites and similar services Act COPP Act that are directed at children & (1998) by any site that may be visited by a person younger than 13 the act prohibits such sites from: collecting and using identifying info (name, postal code, address, SIN) from children under 13 unless they got verifiable parental consent registration requiring personal info as a requirement for playing games, applying for prizes, etc.

42 US Laws: Privacy Two key Canadian (federal) privacy laws: 1) The Privacy Act - imposes obligations on federal government departments and agencies to respect privacy rights by limiting the collection, use and disclosure of personal information. 2) Personal Information Protection and Electronic Document Act (PIPEDA) - sets out ground rules for how private sector organizations may collect, use or disclose personal information in the course of commercial activities.

43 trade secret = all forms and types of financial, business, scientific, technical, economic or engineering information that the owner has taken reasonable measures to keep secret and that is not known to the public US Laws: Export & Espionage (1) Economic attempts to prevent illegal sharing Espionage of trade secrets Act (1996) first federal law that defines trade secret and severely punishes any individual or organization that knowingly steals, copies, receives, buys or possesses trade secrets or conspires to do so penalties: fines up to $500,00 or 15 years in prison (or both) for individuals, and fines of up to $10 million for organizations

44 US Laws: Export & Espionage (2) Security And provides guidance on the use of encryption, and provides measures of protection from government intervention; specifically, the act Freedom Through Encryption Act (1999) relaxes restrictions concerning the sale and export of cryptographic products - used to be tightly controlled by the government states that the use of encryption is not probable cause to suspect a criminal activity - people can use encryption freely provides additional penalties for unlawful use of encryption in furtherance of a criminal act - e.g., with the intent to conceal a felony

45 US Laws: Copyright Laws No Electronic provides for criminal prosecution Theft Act of individuals who engage in (1997) copyright infringement prior to this act, criminal copyright infringement required that the infringement was for the purpose of commercial advantage or private financial gain merely downloading files on the Internet did not constitute a criminal activity the act permits the use of copyrighted material to support news reporting, teaching, as long as it is not for profit, and as long as proper acknowledgment is provided

46 US Laws: Sarbanes-Oxley Act Sarbanes- passed as a result of a series of financial Oxley Act scandals in 1990s (Enron, WorldCom) (2002) intended to protect general public from accounting errors & fraudulent practices puts far greater responsibility on the shoulder of corporate executives regarding: effective & efficient operation (including IT and Info Sec operation) reliable financial reporting and auditing compliance with applicable laws & regulations the act requires that all business documents (paper & electronic) must be kept for 5 years Canadian equivalent: Bill 198 (2003)

47 US Laws: Sarbanes-Oxley Act (cont.)

48 International Laws Info Sec related laws (may) vary considerably from one country to another. When organizations do business on the Internet, they do it globally; hence, it is important to be sensitive to the law and ethics values of different countries

49 Ethics Code of Ethics sets out general principles about an organization s beliefs on matters Code of Ethics Thou shall not Thou shall not Thou shall not such as mission, quality, privacy or environment effectiveness of such codes depend on the extent to which respective organizations support them with sanctions & rewards doctors and lawyers who violate ethical cannons of their professions could be removed from practice field Information Security (and IT) does not have a binding Code of Ethics instead, professional associations (ACM) and accreditation agencies ((ISC) 2, SANS) work to establish the professions codes of conduct

50 Ethics (cont.) 10 Commandments of Computer Ethics Institute (intended for IT community) 1. Thou shall not use a computer to harm other people. 2. Thou shall not interfere with other people s computer work. 3. Thou shall not snoop around in other people s computer files. 4. Thou shall not use a computer to steal. 5. Thou shall not use a computer to bear false witness. 6. Thou shall not copy or use proprietary software for which you have not paid. 7. Thou shall not use other people s computer resources without without authorization or proper compensation. 8. Thou shall not appropriate other people s intellectual output. 9. Thou shall think about the social consequences of the program you are writing or the system you are designing. 10. Thou shall always use a computer in ways that ensure consideration and respect for your fellow humans.

51 Ethics (cont.) Information Security failure to obey Code of Ethics implies loss of accreditation or certification Organizations with Code of Ethics and consequently (may) result in dramatically reduced marketability and earning power 1. Association of respected non-profit professional society Computing with scientific & educational orientation Machinery (ACM) ACM s code of ethics addresses a wide range of ethical duties the ones related to information security specify that each ACM member should: protect confidentiality of information cause no harm (e.g. loss) of information protect privacy of others protect IP & copyright of others

52 Ethics (cont.) 2. (ISC) 2 non-profit organization; focuses on development & implementation of info. sec. certifications & credentials 4 mandatory canons of (ISC) 2 code of ethics are: protect society, the commonwealth, and the infrastructure act honorably, honestly, justly, responsibly and legally provide diligent and competent service to principals advance and protect the profession 3. SANS professional research & education cooperative organ. Institute - prepares individuals towards GIAC accreditation (GIAC) GIAC s code of ethics is organized into 3 key areas: I will strive to know myself and be honest about my capability I will conduct my business in a manner that assures the IT profession is considered one of integrity professionalism I respect privacy and confidentiality