Principles of Computer Security: CompTIA Security+® and Beyond, Third Edition
© 2012

Chapter 24
Legal Issues and Ethics
Objectives
• Explain the laws and rules concerning importing and exporting encryption software.
• Identify the laws that govern computer access and trespass.
• Identify the laws that govern encryption and digital rights management.
• Describe the laws that govern digital signatures.
• Explore ethical issues associated with information security.
Key Terms
• Administrative law
• Click fraud
• Common law
• Computer Fraud and Abuse Act (CFAA)
• Computer trespass
• Digital Millennium Copyright Act (DMCA)
• Electronic Communications Privacy Act (ECPA)
• Gramm-Leach-Bliley Act (GLBA)
Key Terms (continued)
• Payment Card Industry Data Security Standard (PCI DSS)
• Sarbanes-Oxley Act (SOX)
• Section 404
• Statutory law
• Stored Communications Act (SCA)
• Wassenaar Arrangement
Cybercrime
• Characteristics
  – Technology is constantly changing
  – Sophistication of computer crimes has increased
  – Generally focused on financial gain
  – Often run by organized crime
  – Low risk of being caught
  – Difficult to prosecute
Types of Cybercrime
• Computer-involved crimes can be classified as:
  – Computer-assisted
  – Computer-targeted
  – Computer-incidental
Internet Crime
• Most computer crime revolves around money.
• Internet Crime Complaint Center (IC3):
  – FBI, NW3C, and BJA partnership
  – Produces common Internet crimes list and descriptions
  – Provides advice on how to prevent becoming a victim of Internet crime
Common Internet Crime Schemes
• Auction fraud
• Counterfeit cashier’s check
• Credit card fraud
• Debt elimination
• Parcel courier e-mail scheme
• Lotteries
• Escrow services fraud
• Identity theft
• Business opportunities
• Internet extortion
• Investment fraud
• Employment opportunities
• Nigerian Letter or “419”
• Phishing/spoofing
• Ponzi/pyramid
• Reshipping
• Spam
• Third-party receiver of funds
Sources of Laws
• Statutory law
  – Laws set by legislative bodies like Congress
• Administrative law
  – Power granted to government agencies through legislation
• Common law
  – Laws derived from previous events or precedent
Computer Trespass
• Unauthorized access of a computer system
  – Independent of access method
• Considered a crime in many countries
  – May warrant significant punishment
  – Treaties between countries regulate ways to deal with the cyber offenders
Convention on Cybercrime
• First international treaty on Internet crimes
  – EU, U.S., Canada, Japan, and others
• Created common policies to handle cybercrime
• Focused on:
  – Copyright infringement
  – Computer-related fraud
  – Child pornography
  – Violations of network security
Significant U.S. Laws
• Electronic Communications Privacy Act
• Stored Communications Act
• Computer Fraud and Abuse Act
• Controlling the Assault of Non-Solicited Pornography and Marketing Act
• USA Patriot Act
• Gramm-Leach-Bliley Act
• Sarbanes-Oxley Act
Electronic Communications Privacy Act (ECPA)
• Addresses legal privacy issues related to computer use and telecommunications
• Warning banners are common practice in:
  – Establishing the level of expected privacy
  – Serving notice of intent to monitor
  – Obtaining the user’s consent to monitoring
  – Providing consent to law enforcement search
Computer Fraud and Abuse Act (1986)
• Foundation of U.S. law on unauthorized access
• Criminalizes activities such as:
  – Accessing government or interstate commerce systems
  – Using a computer in interstate crime
  – Trafficking in passwords or access information
  – Transmitting code, commands, or programs that result in damage
Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM)
• Established spam e-mail regulations
• Provided rules of compliance
  – Unsubscribe, content, and sending behavior
• Has had a poor track record of convictions
USA Patriot Act
• Response to the 9/11 terrorist attacks
• Altered U.S. laws on Internet wiretaps and tracing
  – Requires ISPs to facilitate Internet monitoring
  – Provides for federal law enforcement investigation and adjudication of computer intrusions
• Supported changes in other supporting computer misuse laws
  – ECPA and CFAA
Gramm-Leach-Bliley Act (GLBA)
• Financial industry legislation to protect individual privacy.
  – Created an opt-out method providing individual control over the use of personal information
  – Enforced by state, federal, and securities laws
  – Restricts information sharing with third-party firms
Sarbanes-Oxley Act (SOX)
• Overhaul of financial accounting standards
  – Targeted standards of publicly traded firms
• Section 404 controls
  – Internal controls on financial reporting processes
  – Audits required on a regular basis
Payment Card Industry Data Security Standard (PCI DSS)
• Contractual rules governing exchange of credit card data between banks and merchants
  – Voluntary standard
• Noncompliance may result in:
  – Higher transaction fees
  – Expensive fines
  – Inability to process credit cards
Import/Export Encryption Restrictions
• Includes use to secure network communications
• U.S. export control laws
  – Administered by the Bureau of Industry and Security
  – Encryption rules found in Export Administration Regulations (EAR)
  – Controls include presale product reviews, post-export reporting, and export license reviews.
Non-U.S. Laws
• Wassenaar Arrangement
  – International agreement on export controls dealing with dual-use goods and technologies.
  – Removed key length restrictions on encryption products.
• Cryptographic use restrictions
  – Many countries tightly restrict the use and possession of cryptographic technology.
U.S. Digital Signature Laws
• Means to show approval for electronic records
  – Cryptography provides integrity and non-repudiation.
  – Enables e-commerce transactions
• Examples:
  – Electronic Signatures in Global and National Commerce Act
  – Uniform Electronic Transactions Act
Other Digital Signature Laws
• United Nations
  – UN Commission on International Trade Law Model Law on Electronic Commerce
• Canada
  – Uniform Electronic Commerce Act
• European Union
  – Electronic Commerce Directive
Digital Millennium Copyright Act (DMCA)
• Protects rights of recording artists.
• Identifies how new computer technology relates to copyright laws.
• Also regulates software and hardware designed to circumvent copyright protection controls.
Ethics
• Globalization blurs ethical lines.
  – Social norms vary among diverse principalities.
• Challenge for today’s businesses:
  – Code of ethics must be established.
  – Employees need to understand what is expected.
• SANS published a set of IT ethical guidelines.
Chapter Summary
• Explain the laws and rules concerning importing and exporting encryption software.
• Identify the laws that govern computer access and trespass.
• Identify the laws that govern encryption and digital rights management.
• Describe the laws that govern digital signatures.
• Explore ethical issues associated with information security.