Legal Aspects in Infosec




Grenoble INP Ensimag, "(in)security we trust"! SecurIMAG, 2012-01-12
Legal Aspects in Infosec
Description: Laws are important for protecting IT users. Being aware of some legal aspects is useful for protecting yourself and your customers.
Alexandra RUIZ, aruiz@lexsi.com

LEXSI
Lexsi Group is an international consulting group specialised in protecting information assets and strongly driven towards innovation. Our 130 talented and dedicated experts, analysts and consultants have built the first independent, pioneering risk management and information security provider. Lexsi is located in France (Paris and Lyon), Canada and Singapore.

LEXSI: four business lines
AUDIT: strategic audit, compliance audit, technical audit & pentest, code audit; 5 engagements per week.
MONITORING & CYBERCRIME (Veille & Cybercrime): first private European CERT; vulnerability monitoring; investigations and incident response; fight against cybercrime.
CONSULTING (Conseil): 60 consultants; risk management; resilience & business continuity; project owner assistance; information security support, ISO 2700x...; governance and strategy; security solutions and architectures.
TRAINING (Formation): more than 800 CISOs trained; SANS Institute partner (GIAC); CISO track; numerous expert modules.

@MargaretZelle: Halt, who are you?!
Licence in Law; Master 2 in business intelligence.
Currently: Work: legal assistant at LEXSI, Lyon. Student: Master 2 in digital technology law; university degree in cybercriminality.
Hobbies: books, photos, shopping.

Why do you need law?

Introduction
Focus on the principal concerns: aspects of French IT law.

Table of contents
Intrusion into an information system: Loi Godfrain, pentesting
New French transposition: the Telecom Package
Cloud computing
HADOPI
LOPPSI II
CNIL
Employer's power of control

Intrusion into an information system
Some articles:
Fraudulent access to, or remaining within, an IS is punished by 2 years' imprisonment and a 30 000 € fine (art. 323-1 penal code).
When it results in the deletion or modification of data, or in an alteration of the system's operation: 3 years' imprisonment and a 45 000 € fine (art. 323-1 penal code).
Hindering or distorting the operation of an IS: 5 years' imprisonment and a 75 000 € fine (art. 323-2 penal code).
Fraudulently introducing, deleting or modifying data: 5 years' imprisonment and a 75 000 € fine (art. 323-3 penal code).

Intrusion into an information system
Some articles (same sanctions as the principal offence):
Without legitimate reason, importing, holding, offering, transferring or making available equipment, an instrument, a computer program or any data designed or specially adapted to commit one or more of these offences (art. 323-3-1 penal code).
Participation in a group or agreement formed with a view to preparing, as shown by one or more material acts, one or more of these offences (art. 323-4 penal code).
Attempting the offence (art. 323-7 penal code).
Ref: Loi Godfrain du 05/01/1988 n° 88-19 sur la protection des SI contre la fraude informatique et l'intrusion.

Intrusion into an information system
Examples:
Serge HUMPICH demonstrated that credit cards had vulnerabilities: 10 months' suspended sentence and 1 F in damages (fraudulent access and data introduction in an IS).
Vulnerabilities: a man published exploits for unpatched vulnerabilities (0-days) on his website. He was convicted because he had the skills to know that they could be used to cause damage (2009).

Intrusion into an information system
Examples:
Radiocom 2000: to win a game, a man used his employer's lines. He altered the operation of the IS with radiophones so that the security procedure would not be triggered. For him and his associates: 4 to 18 months' suspended sentences, fines of 2 000 to 10 000 F, and 1 900 000 F (fraudulent access to and remaining in an IS, and data modification after altering the system's operation).

Intrusion into an information system
Pentesting: you cannot enter an IS without authorisation, but you can test your own IS. Companies specialise in pentesting. How is that possible? These companies have a contract with the client. This contract is really important to protect them.

Intrusion into an information system
Pentesting: the contract has to state some important points:
Authorisation
Perimeter
No delegation of liability (a limitation of liability is possible)
So: if you want to test the vulnerabilities of korben's website, it is forbidden. If you want to test your own website, you can. If someone asks you to test their website, always make a contract.

Telecom Package
What is it? A European law of 2002, modified in 2009; French transposition of 24 August 2011.
Two main aspects:
Cookies must be expressly accepted by the user visiting a website (if you have a website!).
Internet service providers must inform the CNIL in case of a data breach.
Ref: Ordonnance n° 2011-1012 du 24 août 2011 relative aux communications électroniques.

Cloud
Legal aspects of the Cloud:
Contract: who is responsible for personal data? Data breach. Use of a public or private Cloud? Audit.
If you are a big client, you can negotiate with Google for your Cloud; if you are not, you can only sign.

HADOPI
Who? The owner of an Internet access (individuals, firms).
What? An obligation to protect it.
Why? In order to protect authors.
Measures? Protect your Wi-Fi with a password (and security software labelled by HADOPI, which is not really useful in fact, only business).

HADOPI
Sanctions? Graduated response: email, letter (6 months later), a 1 500 € fine and, possibly, suspension of the subscription (by the judge since 2009).
What to do? If you are not responsible, you can send observations to the authors' protection commission, but only once you have a sanction (step 3).
Evolution? The government wanted to sanction streaming.

HADOPI
Concretely: Martin Hack, a French teenager, downloads Braquo (a French series) over his parents' connection. TMG records Mr and Mrs Hack's IP address. The rights holders give this IP to HADOPI. HADOPI sends an email to Mr and Mrs Hack at the address they gave their ISP (will they ever read it?). If Martin is punished very hard and promises never to download again (for 6 months), all is good.

HADOPI
If Martin is a rebel and downloads again, and TMG records the IP, HADOPI will send a letter to Mr and Mrs Hack. After 1 year, if nothing happens, nothing will happen. If (stupid) Martin downloads again, HADOPI decides whether or not to refer the case to the judge. If the Hack family is really unlucky, the judge could order them to pay 1 500 € and, if the judge is really angry, suspend their connection for one month.
Conclusion: lots of emails but no sanction yet.
Ref: Loi «Création et Internet» dite HADOPI, du 13/05/2009, promulguée le 12/06/2009, et Loi relative à la Protection Pénale de la Propriété Littéraire et Artistique sur Internet dite HADOPI 2, du 22/10/2009.

LOPPSI II
Main points:
Identity theft: 1 year and 15 000 €. Be careful if you want to make a joke!
Selling tickets for profit: 15 000 €.
CCTV: more power for the CNIL. More CCTV is authorised and the government could impose it. The CNIL will control CCTV but cannot impose sanctions.

LOPPSI II
Main points:
Website blocking: a blacklist of websites will be drawn up, and a judge's decision could oblige ISPs to block these sites.
Introduction of spyware by the police to capture data without the owner's consent: the police are authorised by the investigating judge to install spyware on suspects' computers. They exploit vulnerabilities present in those computers.

CNIL
Personal data protector since 2004.
Protection and control of all data processing: exemption from declaration for some processing; simplified declaration for common processing; ordinary declaration for the others; authorisation required for processing that carries risk. It can control all processing.
Currently, the legislator gives it more and more power of control and sanction.
Ref: Loi «Informatique et Libertés» du 06/01/1978 relative à l'informatique, aux fichiers et aux libertés (modifiée par la loi du 06/08/2004).

Employer's power of control
A charter limits, and informs employees about, the measures implemented by the employer:
Annexed to the employment contract, with the employee's signature; or
Annexed to the internal regulations, with the opinion of the staff representatives and validation by the labour inspectorate.
The employee must be informed of every measure limiting their private life.

Employer's power of control
Phone call control: only duration and cost. Phone tapping may be used if employees are informed and if it is necessary for the firm. An SMS can be used as evidence.
Messaging control: all emails in the professional mailbox are professional unless they are marked «personnel». Number of emails, origin and recipient. Some emails may be filtered.

Employer's power of control
Internet control: restriction of some websites (social networks, porn...). Personal use is tolerated, but you could be sanctioned for excessive use. Capture of traffic logs (confidentiality problem with some websites). This information must be kept for one year.

Thank you for your attention!