Assurance. What we have when we have?
Four canons of the (ISC)² Code of Ethics?
* Protect society, the commonwealth, and the
* Act honorably, honestly, justly, responsibly, and legally.
* Provide diligent and competent service to principals.
* Advance and protect the profession.
For the test, know that there are ten commandments of computer ethics.
1. Thou shall not use a computer to harm other people.
2. Thou shall not interfere with other people's computer work.
3. Thou shall not snoop around in other people's computer files.
4. Thou shall not use a computer to steal.
5. Thou shall not use a computer to bear false witness.
6. Thou shall not copy or use proprietary software for which you have not paid.
7. Thou shall not use other people's computer resources without authorization and/or proper compensation.
8. Thou shall not appropriate other people's intellectual output.
9. Thou shall think about the social consequences of the program you are writing or the system you are designing.
10. Thou shall always use a computer in ways that ensure consideration and respect for your fellow humans.
IAB added what to the ethical tenets?
IAB added wasting resources (people, capacity and computers) as an ethical tenet.
GASSP = generally accepted system security principles

GASSP is the more international one: because everybody uses computers, we need to do it [security for computers] right.
Two ethical fallacies you will hear?
1. Information needs/wants to be free. NO, information is private.

2. U.S. First Amendment - yes, it protects your right to write viruses. It does NOT protect/allow you to disseminate them.
define the following types of laws:

Tort/civil law - you don't go to jail for this.

Regulatory - (in certain states) you can go to jail and be fined for regulatory matters.

Criminal - you against the state; you can go to jail (aka the state/society/people v. me). In a court of law, the standard is BEYOND a reasonable doubt.
Punitive damage (aka Civil Law Concept)?
Punitive damage
- punishing damage
- set by jury to punish offender
- the jury gets to scale the damage (aka $10 for me; 1 billion for Bill Gates)
Administrative/Regulatory Law. Explain....

Also, explain negligence.
Administrative / Regulatory Laws
- cannot go to jail for
- expected to bear the weight as part of society (aka build your building safely; drive on the correct side of the road)

Negligence - taking something that was normally a civil or regulatory issue.

* Patent
* Copyright
* Trade Secrets
* Trademark
Patent - legal ownership of a thing I produce.

Patents protect novel, useful and non-obvious inventions.

Copyright protects an expression or works of art.

Trade secrets - a way of doing something; think of a recipe.

Trademark - a word, symbol, name or device... a way to distinguish my thing from everyone else's (aka a sound, a picture...).
When is a trade secret no longer a trade secret?
When you're not actively protecting it!
Computer Security, Privacy & Crime Laws (U.S).

Lots of laws: all say don't do "that". KNOW???
1986 (amended in 1996) - US Computer Fraud and Abuse Act => It's an issue because it's so hard to put a definition around computing activities.

MEMORIZE the act exists.

Kennedy-Kassebaum
Banking Security Law
HIPAA => 1996 Kennedy-Kassebaum Health Insurance Portability and Accountability Act

Banking Security Law - if you're going to handle PII, keep it safe => 1999 US Gramm-Leach-Bliley Act
Additional notes on Due care and due diligence?
Proper due care and due diligence will show, and thus prove, that you did everything you should/could have and bad things still happened, thus proving we acted in a prudent and reasonable manner.
Discuss negligence from the perspective of liability???
Negligence - you had an obligation which you didn't adhere to, and thus someone was injured or damaged.
Computer Crime Investigation & looking for criminals.
For us, the question is: are we going to be able to detect that something is going on? Biggest thing: how can we ensure we WON'T screw up the investigation?

* This is not the area to learn on the job. It's critical to bring someone in to do this; we are NOT the first responders.

One of the first things to do is determine whether there was a breach or an attack. [It may be undocumented or unknown but completely legit... aka his example of a computer software app communicating back to its company in... a foreign land]
The bad guys....

Trojan writer
Spammers - steganography; they can hide it in ASCII

Cracker - someone that breaks the law
Computer Crime. Know these three terms.

Breaches of personnel security:
Social engineering
Social engineering - if we can get you to feel instead of think, then we can socially engineer you. Do NOT discount this or think you're above it. [Human beings have two sides - logical and emotional]

Masquerading -
Breaches of operating security:

Data diddling
IP spoofing
Password sniffing
Excess privileges

Additional notes from Ben/Dave - from class...
Data diddling - Data diddling is the changing of data before or during entry into the computer system. Examples include forging or counterfeiting documents used for data entry and exchanging valid disks and tapes with modified replacements.

IP spoofing - one way; but it works

Excess privileges - not adhering to least privilege

Additional notes: most of the incidents Ben & Dave's company look at are malware on users' workstations. E.g., what systems aren't logged -> desktops!!! Who is the least experienced user -> the desktop user!
What's the problem with computer crimes?
Computer crimes are:
- not the typical crimes
- if you steal a USB drive, that's $5, but it has 100k credit cards on it... what have you stolen? $5... that's the problem.
Notes regarding FBI & computer crimes.
FIC = federal interest computers

Most of the computer crimes

The FBI is swamped today dealing with terrorism and child porn. Unless your loss is 100k or more, or you're key infrastructure to society, you'll probably not hear back from them.
What is the primary purpose for civil/tort law?

Know the difference between:
compensatory damage
punitive damage
statutory damage
• Damage/Loss to an Individual or Business

• Type of Punishment Different: No Incarceration
• Primary Purpose is Financial Restitution
1. Compensatory Damages: Actual Damages, Attorney Fees, Lost Profits, Investigation Costs
2. Punitive Damages: Set by Jury to Punish Offender
3. Statutory Damages: Established by Law (aka if you litter; you will be fined)

Notes regarding computer laws and international laws
It's likely, even in the Schnucks & Target breaches, no one will be prosecuted. You're better off paying your fines and protecting yourself moving forward. Again, it's REALLY difficult to get convictions in the security space in this day and age.

Example of a hacker next door going through a proxy in Europe, France, Rio de Janeiro... then the FBI will say, you lost 10 million... sorry, we don't have jurisdiction.
Notes on Computer investigation steps/issues?

What is computer forensics about? And what do you document?
* > 50% of all malicious attacks are generated by an internal person

Reporting to management: use out-of-band communications => once your environment is compromised, you cannot trust anyone.

Computer forensics... it's only about THE FACTS. Thus, only document known facts. Why? Your notes will/can be used in court.
Notes to remember on potential suspects and interviewing regarding "investigative steps"?

Also - what does forensics include?

Computer forensics....let who do this?
Potential suspects - insiders and outsiders

NEVER conduct an interview by yourself for an internal suspect; have HR there.

Forensics includes bit-for-bit copies of information.

Computer forensics - when it comes to this, let the professionals do their job.
Know the following are two options in computer forensics:

Reassemble and Boot Suspect System with Clean Operating System

Boot Suspect System with Original Operating System
Reassemble and Boot Suspect System with Clean Operating System

• Target System May Be Infected
• Obtain System Time as Reference
• Run Complete System Analysis Report

Boot Suspect System with Original Operating System

• Identify Rogue Programs
• Identify Background Programs
• Identify What System Interrupts have Been Set
Evidence Admissibility?
Evidence admissibility:

* Everything needs to be done with an eye towards keeping things:
1. preserved, and
2. reliable
Four (4) types of evidence?
Four (4) types of evidence:
* Technically, all of our computer evidence is "hearsay" (aka it's what the computer told me about what "you" did).
1. Direct: oral testimony by a witness
2. Real: tangible objects/physical evidence
3. Documentary: printed business records, manuals, printouts
4. Demonstrative: used to aid the jury (models, illustrations, charts) (what you see on TV)
Best Evidence Rule: to limit the potential for... you have to have the best possible evidence you can find rather than what you want to use.
Exclusionary Rule? (for evidence)
Exclusionary Rule: Evidence Must be Gathered Legally or it Can’t Be Used
Rules of evidence... every time you have a chain of possession, you must have ALL of this every time the chain "is modified":
1. Location of evidence when obtained
2. Time evidence was obtained
3. Identification of individuals who discovered evidence
4. Identification of individuals who secured evidence
5. Identification of individuals who controlled evidence and/or who maintained possession of that evidence
Describe the evidence life cycle?
Evidence Life Cycle
• Collection and Identification
• Storage, Preservation, and Transportation
• Presentation in Court
• Return to Victim (Owner)
Exceptions to Hearsay rule. Be aware of this.
Concerning admission of evidence through repetition of out-of-court statements (slide 592 if more info is needed :))