Information Security 365/765 Lecture 13 – Legal Regulations, Industry Compliance and Forensic Investigations November 8, 2016


Page 1: Information Security 365/765 Lecture 13 – Legal Regulations, Industry Compliance and Forensic Investigations

Information Security 365/765
Lecture 13 – Legal Regulations, Industry Compliance and Forensic Investigations
November 8, 2016

Page 2: Overview

• Computer crimes and computer laws
• Motives and profiles of attackers
• Various types of evidence
• Laws and acts to fight computer crime
• Computer crime investigation process
• Incident handling procedures
• Ethics and best practices

05/02/23 UNIVERSITY OF WISCONSIN 2

Page 3: Laws, Ethics and Investigations

• Laws, ethics and investigations are important parts of information security
• More attention needs to be paid to this area if society is serious about controlling crime

Page 4: Laws, Ethics and Investigations

• Laws are still in their infancy
• Few precedents to rely upon
• Legal system is developing quickly
• Hacking is often seen as a hobby. This may change as punishments increase in severity.
• Security professionals should understand the laws, how they apply to the workplace and management

Page 5: The EU and Privacy

• The European Union (EU) has some of the most stringent data privacy rules
• When it comes to data collection, the EU has six privacy principles which all countries and businesses within those countries must follow

Page 6: European Privacy Principles

1. The reason for gathering the information must be specified at the time of collection
2. Data cannot be used for other purposes
3. Unnecessary data should not be collected

Page 7: European Privacy Principles

4. Data should only be kept for as long as necessary to complete the stated task
5. Only those individuals who are required to accomplish the stated task should be allowed to access the data
6. Whoever is responsible for securely storing the data should not allow the unintentional leaking of data

Page 8: Privacy: The Need For Better Laws

• Advances in data aggregation and data retrieval technologies – large data warehouses
• Loss of borders – private data flows from country to country with ease
• Convergent technology advances – gathering, mining and distributing information has become much easier

Page 9: Laws, Directives and Regulations

Cover many different areas for many different reasons:
• Privacy
• Computer misuse
• Software copyright
• Data protection
• Controls on cryptography

Page 10: Laws, Directives and Regulations

• Laws, directives and regulations usually provide only broad guidance and not detailed instructions
• Environments are just too diverse to get specific in terms of the details of laws, directives and regulations
• Let’s look at some examples

Page 11: Sarbanes-Oxley Act

The Sarbanes-Oxley Act of 2002 (often shortened to SOX) is legislation passed by the U.S. Congress to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise, as well as to improve the accuracy of corporate disclosures.

Page 12: HIPAA

HIPAA is the federal Health Insurance Portability and Accountability Act of 1996. The primary goal of the law is to make it easier for people to keep health insurance, protect the confidentiality and security of healthcare information and help the healthcare industry control administrative costs.

Page 13: GLB (GLBA)

The Gramm-Leach-Bliley Act (GLB Act or GLBA), also known as the Financial Modernization Act of 1999, is a federal law enacted in the United States to control the ways that financial institutions deal with the private information of individuals.

Page 14: CFAA

The Computer Fraud and Abuse Act (CFAA) of 1986 is United States legislation that made it a federal crime to access a protected computer without proper authorization.

Page 15: Federal Privacy Act of 1974

The Privacy Act of 1974, a United States federal law, establishes a Code of Fair Information Practice that governs the collection, maintenance, use, and dissemination of personally identifiable information about individuals that is maintained in systems of records by federal agencies.

Page 16: PCI-DSS (PCI)

Short for Payment Card Industry (PCI) Data Security Standard (DSS), PCI DSS is a standard that all organizations, including online retailers, must follow when storing, processing and transmitting their customers' credit card data.

Page 17: Carrying Out Security Investigations

As computer-related crime (and prosecutions) increase, it is becoming more and more important for IT professionals to learn how to carry out investigations. Often an entire environment of a company is used in a detailed investigation.

Page 18: Security Incident Response Team

Every organization should have an incident response team which is capable of:
1. Determining the extent of the damage
2. Stopping further damage from occurring
3. Fixing the damage
4. Preserving evidence
5. Finding the responsible party

Page 19: Security Incident Response Team - Plan

• List of outside teams and resources to contact
• Roles and responsibilities outlined
• A call/contact tree
• A list of relevant items to always include in the report for management and potential prosecution
• A description of how to treat different systems during an incident

Page 20: Incident Response Procedures

• Triage – learn what is wrong as quickly as possible (initial assessment of the problem)
• Reaction – containment, analysis, tracking
• Follow-up – repair, recovery, prevention

Page 21: Performing an Incident Post-Mortem

• What happened?
• What did we learn?
• What can we do better, next time?

Page 22: Decision to Involve, or Not Involve, Law Enforcement

• Company loses control over investigation
• Secrecy, if sensitive data is compromised, is not 100% assured
• Effects on reputation need to be considered
• Evidence will be collected and may not be available for a long period of time
• In summary, agility and visibility of the investigation take on a new dimension

Page 23: Collecting Digital Evidence (Forensics)

Computer forensics specialists must know what to look for and how to collect it properly:
• Logs, timestamps, etc.
• Keep powered up, or power down, equipment
• Making copies properly, so as not to disturb the original

Page 24: Digital Forensics Principles

1. When dealing with digital evidence, all the general rules of physical evidence handling should still apply (chain of custody, security, etc.)
2. Upon seizing digital evidence, actions taken should not change that evidence
3. People who must access original evidence must be trained for the purpose

Page 25: Digital Forensics Principles

4. All activity relating to the seizure, storage and transfer of digital evidence must be fully documented, preserved and available for review
5. An individual is responsible for all actions taken while digital evidence is under their control
6. Any agency responsible for seizing, accessing, storing or transferring digital evidence is responsible for compliance with these principles

Page 26: Identifying Motive, Opportunity and Means (MOM Did It!)

• Motive – The “who and why” of a crime
• Opportunity – The “where and when” of a crime
• Means – The knowledge, skills and overall capability to carry out a crime

Page 27: Three Different Types of Forensic Assessments

• Network Analysis – communications, log and path tracing
• Media Analysis – disk imaging, Modify, Access, Create (MAC) analysis of files, content analysis, steganography, cryptography, etc.
• Software Analysis – reverse engineering, malicious code review, exploit review

Page 28: Stages of Forensic Investigations

• Identification
• Preservation
• Collection
• Examination
• Analysis
• Presentation
• Decision

Page 29: Controlling the Crime Scene

• Only allow authorized individuals to access the scene
• Document who is at the crime scene (in court, the integrity of the evidence may be brought into question if there were an uncontrolled number of people at the crime scene)
• Document who were the last people to interact with the systems under consideration

Page 30: Common Attack Types – Salami Attack

A salami attack is when many small attacks add up to one major attack that can go undetected because of the nature of this type of cyber crime. It is also known as salami slicing.

Page 31: Common Attack Types – Data Diddling

Data diddling is the changing of data before or during entry into the computer system. Examples include forging or counterfeiting documents used for data entry and exchanging valid disks and tapes with a modified replacement.

Page 32: Common Attack Types – Excessive Privilege

A rogue employee has access rights to various deep-lying parts of the business. Most often this happens because employees who have been with the organization for a long time change roles as they go along, and their access to other parts of the system remains.

Page 33: Common Attack Types – Password Sniffer

A password sniffer is a software application that scans and records passwords that are used or broadcast on a computer or network interface. It listens to all incoming and outgoing network traffic and records any instance of a data packet that contains a password.

Page 34: Common Attack Types – IP Spoofing

IP spoofing, also known as IP address forgery or a host file hijack, is a hijacking technique in which a cracker masquerades as a trusted host to conceal his identity, spoof a Web site, hijack browsers, or gain access to a network.

Page 35: Common Attack Types – Dumpster Diving

Dumpster diving is looking for treasure in someone else's trash. (A dumpster is a large trash container.) In the world of information technology, dumpster diving is a technique used to retrieve information that could be used to carry out an attack on a computer network.

Page 36: Common Attack Types – Emanation Capturing

em·a·na·tion (eməˈnāSHən)
Listening in on wireless broadcasts, or other electronic signals either intentionally or unintentionally generated by computer equipment.

Page 37: Common Attack Types – Wiretapping

A form of eavesdropping involving physical connection to the communications channels to breach the confidentiality of communications. For example, many poorly secured buildings have unprotected telephone wiring closets where intruders may connect unauthorized wires to listen in on phone conversations and data communications.

Page 38: Ethics

• There are no firm rules for the ethics of information systems professionals
• Everything is open to interpretation, morals, personal beliefs, etc.
• However, if I had to pick an ethical model to follow, I would suggest the ISC2 CISSP Code of Ethics, for information security professionals

Page 39: ISC2 Code of Ethics – Protect society, the commonwealth, and the infrastructure

• Promote and preserve public trust and confidence in information and systems.
• Promote the understanding and acceptance of prudent information security measures.
• Preserve and strengthen the integrity of the public infrastructure.
• Discourage unsafe practice.

Page 40: ISC2 Code of Ethics – Act honorably, honestly, justly, responsibly, and legally

• Tell the truth; make all stakeholders aware of your actions on a timely basis.
• Observe all contracts and agreements, express or implied.
• Treat all members fairly. In resolving conflicts, consider public safety and duties to principals, individuals, and the profession in that order.
• Give prudent advice; avoid raising unnecessary alarm or giving unwarranted comfort. Take care to be truthful, objective, cautious, and within your competence.
• When resolving differing laws in different jurisdictions, give preference to the laws of the jurisdiction in which you render your service.

Page 41: ISC2 Code of Ethics – Provide diligent and competent service to principals

• Preserve the value of their systems, applications, and information.
• Respect their trust and the privileges that they grant you.
• Avoid conflicts of interest or the appearance thereof.
• Render only those services for which you are fully competent and qualified.
