Legal, Regulations, Investigations, and Compliance
Domain 9, Official CISSP CBK V3, Pages 1168-1241
Tim Jensen, StaridLabs
Disclaimer
• Neither StaridLabs nor any representative of StaridLabs is licensed, certified, or competent enough to offer legal advice.
• This presentation is intended as training for the CISSP exam. If legal advice is necessary in a situation then we highly recommend you consult a licensed lawyer.
• StaridLabs provides no guarantee that the information in the CISSP CBK and/or presented in this training is accurate or legally advisable.
Definitions
• Codification: the act, process, or result of arranging in a systematic form or code
• Jurisprudence: the science or philosophy of law; a system or body of law; the course of court decisions
The Law
• Laws change depending on where you are located.
• In the United States laws can be: Federal, State, County, and City.
• The CISSP guide attempts to keep its training applicable globally, but this isn't always possible.
Major Legal System Categorizations
• Common Law
• Civil or Code Law
• Customary Law
• Religious Law
• Mixed Law
• Maritime Law (not applicable in the CISSP CBK)
Common Law
• Customary law system that developed in England, with Anglo-Saxon and Norman (northern France) roots.
• Still used in England and spread throughout the world by English colonization, including the United States, Canada and Australia.
• The European Union largely uses Civil Law instead of Common Law.
• In the twelfth century the King of England created a unified legal system that was common to the whole country. Prior to this, laws were based on local practices.
What is Common Law?
• Uses the adversarial approach to litigation.
• Does not rely on codification of law.
• Barristers (lawyers) take a very active role.
• Relies on previous court rulings (jurisprudence, or precedent).
• Judges play a fairly passive role in determining facts.
• Most Common Law systems consist of three branches: Criminal Law, Tort Law, and Administrative Law.
Common Law: Criminal Law Branch
• Deals with behaviors or conduct that is seen as harmful to the public or society.
• An individual violates a governmental law designed to protect the public, and as such the victim is society.
• Government prosecutes on behalf of the public.
• Punishment can be incarceration, probation, or death. Fines occur as well in some cases, but loss of freedoms is the primary punishment.
Common Law: Tort Law
• Deals with civil wrongs (torts) against an individual or business entity.
• Monetary damages are generally the penalty.
• An act can sometimes be both a tort and a violation of criminal law.
• Types of torts:
• Intentional torts
• Wrongs against a person or property
• Dignitary wrongs
• Economic wrongs
• Negligence
• Nuisance
• Strict liability
Common Law: Administrative Law
• Known as regulatory law in some countries.
• Deals with the governance of public bodies and the delegation of power to administrative agencies, commissions, boards, administrative tribunals, or professional associations.
• Examples: Securities and Exchange Commission (SEC), Labor Relations Boards, Law Societies, Medical Boards, School Boards
• Objective is to confine government power to its proper scope and stop potential abuse of power.
• Punishments can be fines, inability to practice a profession, and in some cases incarceration.
Civil Law: A Brief History
• Started in the Roman Empire.
• Died out with it.
• Started again in Italy and spread through Europe in the late 1700s to early 1800s.
• At one time was the most common legal system in Europe.
• Became regionalized over time, with Germany, Norway, Sweden, Denmark, and Switzerland developing their own national systems.
• Civil law can be subdivided into French, German, or Scandinavian civil law.
Civil Law
• Has a heavy reliance on legislation as the primary source of law (vs. jurisprudence in Common Law).
• System relies on codification of law.
• Lower courts are not compelled to follow decisions of higher courts (there is no binding doctrine of stare decisis).
• Judges are more active in determining the facts of a case and in some instances direct the investigation.
Customary Law
• Regional legal systems which reflect social norms and values based on tradition.
• Rare to find a country whose law structure is entirely based on customary law.
• Often combined with civil or common law. This is called a 'mixed legal system'.
Religious Law
• All legal systems have been influenced by religion.
• Some countries try to separate secular law from religious law.
Muslim Law
• Islam is practiced by a large portion of the world's population.
• Many Muslim societies follow Islamic Law, or Sharia.
• Traditional Islamic Law is separated into rules of worship and rules of human interaction.
• Guided by the Qur'an and the Sunnah, the manner in which the prophet Muhammad lived.
• Sharia covers all aspects of a person's life (religious practices, diet, dress, family life, commerce, domestic justice).
• Law is not man-made; it is divine will.
• Lawmakers do not create the law; jurists and clerics attempt to discover the truth of the law.
• Sharia has been codified, but still remains open to interpretation.
Mixed Law
• Mixed law is the convergence of two or more legal systems, usually civil law and common law, though customary or religious law is often blended in as well.
• Blending of legal systems can result from political and economic pressure.
• An example is Scotland within the United Kingdom.
Scotland is a silly place…
This was my first result when googling UK law…
Liability
• In law, liability refers to being legally responsible.
• Sanctions can be civil and/or criminal.
• Negligence is acting without care, or the failure to act as a reasonable and prudent person would under similar circumstances.
• The definition of "reasonable person" is murky and open to extensive interpretation.
Due care/Due Diligence
• Due care is the requirement that executives with fiduciary responsibilities meet certain requirements to protect the company's assets.
• This includes the safety and protection of technology and information systems, which are corporate assets.
• Due diligence is a broader concept whose meaning shifts with context.
• From Webster: the care that a reasonable person exercises to avoid harm to other persons or their property
• From Wikipedia:
• In criminal law, due diligence is the only available defense to a crime that is one of strict liability (i.e., a crime that only requires an actus reus and no mens rea). Once the criminal offence is proven, the defendant must prove on balance that they did everything possible to prevent the act from happening. It is not enough that they took the normal standard of care in their industry – they must show that they took every reasonable precaution.
Computer Crime
• Examples of computer crimes:
• Counterfeiting
• Fraud
• Theft
• Child pornography
• The law still hasn't caught up with technology.
• Technology makes cyber stalking easy.
• The same open-source research techniques, used lawfully by investigators, can be very useful in technical and non-technical cases. Murder investigations, kidnappings, drug trafficking, etc. can all have information available on the public internet.
• Computer crimes can occur from outside the company as well as from insiders. Insider threats are often the greater overall risk to the company.
International Cooperation
• Most computer crimes span multiple countries.
• Borders and jurisdiction cause lots of issues.
• A country can prosecute spammers, scammers, and internet criminals, but they can easily move to a country which promotes, tolerates, or ignores digital crime.
The Council of Europe Convention on Cybercrime
• Ratified by 30 countries including Canada, the United States, and Japan
• Came into effect July 1, 2004
• Contains 48 articles
• Summary:
• Parties must establish laws against cybercrime and offenses related to child pornography
• Ensure law enforcement officials have the necessary procedural authority to investigate and prosecute cybercrime effectively.
• Provide international cooperation to other parties in the fight against computer related crime.
Intellectual Property Laws
• Designed to protect tangible and intangible items or property.
• Goal is to protect property from people wishing to copy or use it without due compensation to the inventor or creator.
• The idea is that copying someone else's idea entails far less work than what is required for the original development.
• Intellectual property is divided into two categories:
• Industrial Property: inventions (patents), trademarks, industrial designs, and geographical indications of source
• Copyright: literary and artistic works (novels, poems, plays, films, music, drawings, paintings, photographs, sculptures, architectural designs)
Patent
• Grants the owner the legally enforceable right to exclude others from practicing the invention for a specific period of time (generally 20 years).
• Strongest form of intellectual property protection.
• Protects novel, useful, and nonobvious inventions.
• Requires formal application to a government entity.
• When the patent is granted it is published, so the invention is publicly disclosed to stimulate other innovation (the protection, not the invention, is what the owner keeps).
• When the patent expires the protection ends and the invention enters the public domain.
• WIPO, a part of the United Nations (UN), is in charge of the filing and processing of international patent applications.
Trademark
• Designed to protect the goodwill an organization invests in its products, services or image.
• Grants exclusive rights to the owner of markings that the public uses to identify a vendor, merchant, products, or goods.
• Can consist of any word, name, symbol, color, sound, product shape, device, or combination of these.
• Must be distinctive and cannot mislead or deceive consumers or violate public order or morality.
• Registered with the government registrar.
• WIPO oversees international trademark efforts.
Copyright
• Covers the expression of ideas rather than the ideas themselves.
• Protects artistic property such as writing, recordings, databases, and computer programs.
• In many countries, once the work or property is completed or in a tangible form, copyright protection is automatically assumed.
• Weaker than patent protection, but the duration is longer. (The Berne minimum is 50 years after the creator's death; under US law it is the life of the author plus 70 years.)
• If the artist's country is a member of the Berne Convention, then the protection afforded will be at least the minimum level afforded in all participating countries.
Trade Secret
• Refers to proprietary business or technical information, processes, designs, practices, etc. that are confidential and critical to the business. (Pepsi's secret formula)
• To be categorized as a trade secret it must not be generally known and must provide economic benefit to the company.
• Reasonable steps must be taken to protect its secrecy.
• In a dispute, the contents of the trade secret do not need to be publicly disclosed.
• Often the main complaint in industrial and economic espionage cases.
Import/Export
• Some software may be illegal to import or export. An example is some types of encryption software.
• Information Security professionals should check local laws, especially when working internationally (or choosing employees or datacenters overseas).
Trans-Border Data Flow
• As information moves between systems or cloud hosting companies, the location where the data is stored matters.
• If the information is transferred and/or stored in 3 countries, you may have to deal with three or more jurisdictions and three different legal systems.
• If the organization that owns the server is based in a different country, that home country can sometimes assert jurisdiction over the server even if it's physically located in another country.
Privacy
• A lot of personally identifiable information (PII) is stored online or electronically.
• Data compromises happen often.
• There are now many regulations for the responsible protection, use, and transfer of PII.
• An example of a common guideline is the OECD (Organization for Economic Cooperation and Development) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. (Pages 1185-1187. Read it)
Employee Monitoring and Surveillance
• Monitoring of employees must be done carefully.
• On the one hand you need to curb abuse, theft, etc. (Due Diligence)
• On the other hand the employee has rights to privacy.
• Over-monitoring can cause hostile employees. (This is bad)
• The EU Directive on Data Protection gave rise to 7 principles (the ones adopted in the US-EU Safe Harbor framework) which serve as a guideline for monitoring. These are similar to the rules in the US, Canada, and the UK and can be used as a guideline.
Directive on Data Protection
• Notice: Individuals must be informed about what is collected and the uses for the information.
• Choice: Individuals must be given the opportunity to decline data sharing with third parties or use for purposes not stated in the notice.
• Onward transfer: Third parties receiving data must also subscribe to these principles.
• Security: Organizations must take reasonable precautions to protect personal data from loss, misuse, unauthorized access, disclosure, alteration, and destruction.
• Data Integrity: Data should be reliable and only the data necessary should be collected.
• Access: Individuals must have access to the personal information about them. They must be able to correct, amend, or delete the information.
• Enforcement: A compliance program must exist to enforce these principles.
Professional Ethics
• The creation of computers started a large debate on ethics.
• Computers can be used inappropriately and can replace humans, which could cause widespread job loss.
• Another fear is that humans will come to be seen more as machines and will be treated as such.
• Quite a few regulations exist regarding professional ethics.
• Ethics programs can be very beneficial. If an ethics program is in place then some criminal cases will have substantially reduced penalties.
• The FSGO (US Federal Sentencing Guidelines for Organizations) require an organization to show that its ethics program is effective and continuously being improved.
Common Ethics Dilemmas
Computers in the Workplace
• Computers can pose a threat to jobs.
• People may feel they are being replaced.
• Computers require operators, which changes many jobs to require different skills.
Computer Crime
• Criminals can reach systems from anywhere in the world, and the payoffs are larger.
• An inside employee can steal all the company's data and walk out with it in his/her pocket.
Privacy and Anonymity
• Private information is passed around constantly. People like their privacy and have concerns about data being shared and what can be inferred based on data from different sources.
Intellectual Property
• Ethics around IP are tough.
• People like music and software to be free, but companies, programmers and artists won't create the IP if they won't get their investment back in licenses, fees, or profit of some sort.
Common Computer Ethics Fallacies
Computer Game Fallacy
• Computer users tend to think that computers will generally prevent them from cheating and doing wrong.
• Programmers believe that an error in programming syntax will prevent the program from working, so if the program runs it must be working correctly.
Law-Abiding Citizen Fallacy
• Users sometimes confuse what is legal with regard to computer use with what is reasonable behavior for using a computer.
• Users do not realize that they have a responsibility to consider the ramifications of their actions and to behave accordingly.
Shatterproof Fallacy
• Most computer users believe that they can do little harm accidentally with a computer.
• If a user sends a mass mailing which is discriminatory, this could hurt a large group of people.
• Most people realize that certain activities in public are illegal, but still do them online thinking it's OK or anonymous.
• Ultimately users don't consider the impact of their actions before doing them.
Candy-from-a-Baby Fallacy
• Stealing software, books, etc. is very easy on a computer.
• Copying retail software without paying for it is theft.
• Just because it's easy and it may be hard to catch you doesn't mean it's ethical, legal, or acceptable.
Hacker Fallacy
• A commonly accepted hacker belief is that it's acceptable to do anything with a computer as long as the motivation is to learn and not to gain a profit.
Free Information Fallacy
• Notion that "information wants to be free."
• Copying and distribution of data is completely under the control of the people who do it and the people who allow it to happen.
Hacking and Hacktivism
• A hacker was originally a person who sought to understand computers as thoroughly as possible. Soon hacking came to be associated with phreaking, breaking into phone networks to make free calls, etc which is illegal.
MIT Hacker Ethic
• Access to computers should be unlimited and total.
• All information should be free.
• Authority should be mistrusted and decentralization promoted.
• Hackers should be judged solely by their skills at hacking, rather than by race, class, age, gender, or position.
• Computers can be used to create art and beauty.
• Computers can change your life for the better.
Various Codes of ethics
• Most professional organizations have their own code of ethics.
• I'm not going to re-type 20 pages. Read up on these (1203-foo)
• The Code of Fair Information Practices
• Internet Activities Board
• Computer Ethics Institute
• National Conference on Computing and Values
• The Working Group on Computer Ethics
• National Computer Ethics and Responsibilities Campaign (NCERC)
• (ISC)² Code of Professional Ethics (1208-1209)
Ethics Principles
• Treat others as you wish to be treated.
• If an action is not right for everyone, it is not right for anyone.
• If an action is not repeatable at all times, it is not right at any time.
• Take the action that achieves the most good.
• Incur the least harm or cost.
• Do no harm.
• Assume that all property and information belongs to someone.
• Is it against the law?
• Is the action contrary to codes of ethics?
• Is there hard evidence to support or deny the value of taking an action?
• Let the people affected decide.
• Will the costs and benefits be equitably distributed?
• Are you comparing against competing companies?
• Compassion.
• Are decisions biased in favor of one group?
• Full disclosure.
• Can the data be adequately protected to avoid disclosure?
• Does IT stand behind ethical principles?
Ethical Conflicts
• If you need to do something that may be perceived as unethical, inform all parties about your intentions. (Preferably in writing)
• If a conflict exists between two codes of ethics, the higher ethic wins.
• Consider precedence. An action taken by you on a small scale could result in significant harm if carried out on a larger scale. (But TIM did it so we 98 million people thought it was ok to ping google too!)
• Whoever owns or is responsible for information must ensure that it is reasonably protected and that users are aware of how to use it responsibly.
• As an information user, always assume others own it and that their interests must be protected unless explicitly notified that the information is able to be used freely.
Computer Forensics
• Digital investigations can become court cases.
• Phases of an investigation:
• Identify evidence (also protect the scene)
• Collect evidence
• Examine evidence
• Present findings
• Live evidence is digital evidence gathered from a running system or process (RAM).
• Dead evidence is from a shut-down/at-rest system (hard disk).
• Only individuals with knowledge of basic crime scene analysis should be allowed to deal with the scene.
General Forensic Guidelines
• Upon seizing digital evidence, actions taken should not change that evidence.
• When it's necessary for a person to access original digital evidence, that person should be trained for the purpose.
• All activity relating to the seizure, access, storage, or transfer of digital evidence must be fully documented, preserved, and available for review.
• An individual is responsible for all actions taken with respect to digital evidence while the digital evidence is in his possession.
• Any agency that is responsible for seizing, accessing, storing, or transferring digital evidence is responsible for compliance with these principles.
More General Forensic Guidelines
• Minimize handling/corruption of original data.
• Account for any changes and keep detailed logs of your actions.
• Comply with the five rules of evidence.
• Do not exceed your knowledge.
• Follow your local security policy and obtain written permission.
• Capture as accurate an image of the system as possible.
• Be prepared to testify.
• Ensure your actions are repeatable.
• Work fast.
• Proceed from volatile to persistent evidence.
• Do not run any programs on the affected system.
Incident Handling
• Triage Phase
• Determine if this is a real incident
• Investigative Phase
• Containment
• Analysis and tracking
• Recovery Phase
• Recover/repair the system and prevent the incident from re-occurring.
Chain of Custody
• Refers to who, what, when, where, and how the evidence was handled throughout the entire case lifecycle, from the first person on the scene until the court case is over.
• For digital evidence, file hashes are very common and useful. Use SHA-256 hashes to prove files have not changed since the initial gathering time.
• Have chain of custody forms where people sign evidence over to each other.
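As an added worked example (not from the CBK or this deck), the following Python shows the hashing practice from the Chain of Custody and General Forensic Guidelines slides in code: the evidence file is opened read-only, hashed with SHA-256 in chunks (so a multi-gigabyte disk image does not have to fit in memory), each hand-off is appended to a custody log together with the hash observed at that moment, and verification compares every later hash to the one taken at collection. The evidence identifier, image file name, custodian names, and file contents are constructed sample data, and a deliberate one-byte modification after the transfer shows that the log catches the change.

```python
"""Chain-of-custody hashing example (added illustration, not CBK material).

Hashes an evidence file at collection, records every hand-off in an
append-only custody log, and re-verifies the hash at each step so any
alteration of the evidence is detected. All names and contents below are
constructed sample data.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large disk images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:  # read-only: evidence is never opened for writing
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


class CustodyLog:
    """Append-only record of who handled the evidence, when, and why.

    Each entry carries the hash observed at that moment, so the log itself
    shows whether the evidence changed between hand-offs.
    """

    def __init__(self, evidence_id: str, path: str):
        self.evidence_id = evidence_id
        self.path = path
        self.entries: list[dict] = []

    def record(self, custodian: str, action: str, note: str = "") -> dict:
        """Append one custody entry (collected, transferred, examined, ...)."""
        entry = {
            "evidence_id": self.evidence_id,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "custodian": custodian,
            "action": action,
            "sha256": sha256_file(self.path),
            "note": note,
        }
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True only if every recorded hash equals the hash taken at collection."""
        if not self.entries:
            return False
        baseline = self.entries[0]["sha256"]
        return all(e["sha256"] == baseline for e in self.entries)

    def to_json(self) -> str:
        """Serialise the log for attachment to the paper custody form."""
        return json.dumps(self.entries, indent=2)


def demo() -> tuple[bool, bool]:
    """Run collect -> transfer -> verify on a constructed evidence file.

    Returns (intact_before_tamper, intact_after_tamper); expected (True, False).
    """
    with tempfile.TemporaryDirectory() as d:
        # Hypothetical image file name and constructed contents.
        evidence = os.path.join(d, "suspect_laptop_sda.dd")
        with open(evidence, "wb") as f:
            f.write(b"constructed sample disk image bytes\n" * 1000)

        log = CustodyLog("CASE-0001-E01", evidence)  # hypothetical identifier
        log.record("first responder", "collected", "seized from desk, bagged and sealed")
        log.record("evidence clerk", "transferred", "received into evidence locker")
        before = log.verify()

        # Simulate an unauthorised modification after the transfer.
        with open(evidence, "ab") as f:
            f.write(b"x")
        log.record("examiner", "examined")
        after = log.verify()
        return before, after


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The hash taken at collection is the one that matters: every later signature on the custody form should correspond to a re-computed hash, and a mismatch at any hand-off tells you exactly which custodian held the evidence when it changed.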
Interviewing
• Interviewing witnesses and suspects is delicate.
• Before starting the interview, review policies, notify management, and consult legal counsel.
• Never conduct the interview alone.
• Preferably video-record the interview.
• Have an expert do it if at all possible. (Risk is high, don't mug yourself)
• Legal counsel should be in the room.
Reporting and Documenting
• A clear report should be written.
• Assume it'll be read in court with the media watching.
• Once the whole incident is wrapped up, review the incident and try to learn some lessons:
• How could it have been avoided?
• How did the incident response go? Could we have done better?
• How did the forensic case go?
Forensic Procedure
• Evidence should have some sort of value.
• Evidence should be relevant to the case at hand.
• Should meet the five rules of evidence:
• Be authentic
• Be accurate
• Be complete
• Be convincing
• Be admissible
Media Analysis
• Involves recovery of evidence from information media.
• Hard drives, DVDs, CD-ROMs, portable memory devices
• Media may have been damaged, overwritten, degaussed, or reused.
• If the investigator is unable to collect sufficient evidence, media forensic investigators exist to help. (Very expensive)
Network Analysis
• Analysis and examination of data from network logs and network activity for use as potential evidence.
• Must have proper evidence collection and handling (chain of custody) for the evidence to be admissible.
Software Analysis
• Analysis of program code (source code, compiled code, machine code, etc.)
• Decompiling and reverse engineering are often used.
• Can locate author identification, author attributes, programming styles, etc.
Hardware/Embedded Device Analysis
• Smart phones, PDAs, CMOS chips, etc. can all be useful as evidence.