Legal, Regulations, Investigations and Compliance

Transcript of Legal, Regulations, Investigations and Compliance (88 pages).

Page 1

Legal, Regulations, Investigations and Compliance

Page 2

Domain Objectives

• Discuss the world’s various major legal systems

• Describe the differences and similarities between common law and civil law

• Explain laws and regulations affecting information technology

• Discuss computer related crime and its importance to information assurance and security

Page 3

Domain Objectives

• Describe the importance of international cooperation in relation to computer crime

• Explain an incident response methodology

• Discuss the importance of digital evidence management and handling

• Describe general guidelines for computer forensic investigations

Page 4

Information Security TRIAD

(Diagram: the Information Security triad of Confidentiality, Integrity, and Availability)

Page 5

Domain Agenda

• Major Legal Systems

• Information Technology Laws and Regulations

• Incident Response

• Computer Forensics

Page 6

Major Legal Systems

• Common Law

• Civil Law

• Customary Law

• Religious Law

• Mixed Law

Page 7

Common Law

• Roots in England

• Based on Legal Precedents, Past Decisions, and Societal Traditions

Page 8

Common Law

• Overview of Common Law

• Courts

• Judges

• Common Law Countries

Page 9

Common Law: Criminal Law

• Based on common law, statutory law, or a combination of both

• Deals with behavior or conduct

• Typically the punishment meted out by the criminal courts involves some loss of personal freedom for the guilty party

Page 10

Common Law: Tort Law

• Definition

• Punishment

• Traces its origin to criminal law

Page 11

Common Law: Tort Law

• Principles of a Tort

• Categories of a Tort

Page 12

Common Law: Administrative Law

• Law created by administrative agencies by way of rules, regulations, orders, and decisions

• Areas covered by Administrative Law

Page 13

Civil Law

• Traces its roots back to two beginnings:

  • Roman Empire

  • Napoleonic Code of France

• Characteristics

• Presents various sub-divisions

• Common law as opposed to Civil law

  • Methodological approach difference

  • Judges’ role difference

Page 14

Customary Law

• Regionalized systems

• Reflects the society’s norms and values

• Most countries combine customary law with another legal system

Page 15

Religious Law

• Traditional Islamic law (Sharia)

• Guided by the Qur’an or Sunnah

• Covers all aspects of a person’s life

Page 16

Mixed Law

• Convergence of two or more legal systems

• Examples of mixed law

Page 17

World Legal Systems

(Map of world legal systems; source: WorldLegalSystems)

Page 18

Domain Agenda

• Major Legal Systems

• Information Technology Laws and Regulations

• Incident Response

• Computer Forensics

Page 19

Information Technology Law & Regulations

• Intellectual Property Law

  • Patent

  • Trademark

  • Copyright

  • Trade Secret

  • Licensing Issues

• Privacy

• Liability

• Computer Crime

• International Cooperation

Page 20

Intellectual Property Laws

• Purpose

• Two categories

  • Industrial Property

  • Copyright

Page 21

Intellectual Property: Patent

• Definition

• Advantages

Page 22

Intellectual Property: Trademark

• Characteristics of a Trademark

  • Word

  • Name

  • Symbol

  • Color

  • Sound

  • Product shape

• Purpose of a Trademark

Page 23

Intellectual Property: Copyright

• Covers the expression of ideas

  • Writings

  • Recordings

  • Computer programs

• Weaker than patent protection

Page 24

Intellectual Property: Trade Secret

• Should be confidential

• Protection of Trade Secret

Page 25

Intellectual Property: Software Licensing Issues

• Categories of software licensing:

  • Freeware

  • Shareware

  • Commercial

  • Academic

• Master agreements and end user licensing agreements (EULAs)

Page 26

Privacy Laws and Regulations

• Rights and Obligations

  • Individuals

  • Organizations

Page 27

Privacy Initiatives

• Generic Approach

• Regulation by Industry

• The overall objective is to:

  • Protect citizens’ personal information

  • Balance the business and governmental need to collect and use this information

Page 28

Privacy and the OECD

• The Organization for Economic Co-operation and Development (OECD)

• 7 core principles

Page 29

Employee Privacy

• Employee Monitoring

• Authorized Usage Policies

  • Internet usage

  • Email

  • Telephone (e.g., VoIP)

Page 30

Privacy: Personal Protection

• Responsibilities of end users

• Encourage use of:

  • Encryption

  • Anti-virus

  • Patches

  • Shredding

Page 31

Liability

• Legal Responsibility

• Penalties

  • Civil

  • Criminal Penalties

• Negligence is often used to establish liability

Page 32

Negligence

• Acting without care

• Due care

Page 33

Due Diligence

• Ethereal concept often judged against a continually moving benchmark

• Requires a commitment to an ongoing risk analysis and risk management process

• Due Care vs. Due Diligence

Page 34

Computer Crimes

• Often divided into 3 categories

  • Computers as a Tool

  • Computers as the Target of Crime

  • Computer Incidental to the Crime

Page 35

Computer Crimes

• Insider abuse

• Viruses

• White collar/Financial fraud

• Corporate espionage

• Hacking

• Child Pornography

• Stalking

• Organized crime

• Terrorism

• Identity Theft

• Social Engineering

Page 36

International Cooperation

• Initiatives related to International Cooperation in dealing with Computer Crime

• The Council of Europe (CoE) Cybercrime Convention

Page 37

Domain Agenda

• Major Legal Systems

• Information Technology Laws and Regulations

• Incident Response

• Computer Forensics

Page 38

Incident Response: Overview

• Response capability

  • Policy and guidelines

  • Response

• Incident response

  • Triage

  • Containment

  • Investigation

  • Analysis and Treatment

  • Recovery

• Debriefing

• Metrics

• Public Disclosure

Page 39

Incident Response Objectives

• Incident response in its simplest form is the practice of:

  • Detecting a problem

  • Determining its cause

  • Minimizing the damage it causes

  • Resolving the problem

  • Documenting each step of the response for future reference

Page 40

Response Capability

• The foundation for Incident Response (IR) is comprised of:

  • Policy

  • Procedures

  • Guidelines

  • Management of evidence

Page 41

Incident Response Policy

• Escalation Process

• Interaction with third party entities

Page 42

Response Team

• Staffing and training

  • Virtual Team

  • Permanent Team

  • Hybrid of the Virtual and Permanent

• Response Team Members

Page 43

Incident Response and Handling

• Incident

• Approved Handling Process

Page 44

Incident Response and Handling Phases

• Triage

• Investigation

• Containment

• Analysis and tracking

Page 45

Triage

• Triage encompasses:

  • Detection

  • Classification

  • Notification

Page 46

Triage - Detection

• Initial Screening

• False Positives

Page 47

Triage - Classification

• Incident Hierarchy

• General Classifiers

  • Source (internal vs. external)

• More Granular or Specific Characteristics

  • (e.g., worm vs. spam)

Page 48

Investigation Phase Components

• Components of this phase:

  • Analysis

  • Interpretation

  • Reaction

  • Recovery

Page 49

Investigation Phase Objectives

• Desired outcomes of this phase are:

  • Reduce the impact

  • Identify the cause

  • Get back up and running in the shortest possible time

  • Prevent the incident from re-occurring

Page 50

Investigation Considerations

• The investigative phase must consider:

  • Adherence to company policy

  • Applicable laws and regulations

  • Proper evidence management and handling

Page 51

Containment

• Reduce the potential impact of the incident

  • Systems, devices, or networks that can become “infected”

• The containment strategy depends on:

  • Category of the attack

  • Asset(s) affected

  • Criticality of the data or system

Page 52

Containment Strategies

• Disconnecting the system from the network

• Virtually isolating the systems through network segmentation

• Implementing a firewall or filtering router with the appropriate rule sets

• Installation of Honeynets/Honeypots

Page 53

Containment Documentation

• Incident and evidence handling procedures

• Sources of evidence

• Risk of Entrapment vs. Enticement

Page 54

Analysis and Tracking

• The Concept of Root Cause

  • Determines actual initial event

  • Attempts to identify the true source and actual point of entry

Page 55

Analysis and Tracking Goals

• Obtain sufficient information to stop the current incident

• Prevent future “like” incidents from occurring

• Identify what or whom is responsible

Page 56

Analysis and Tracking Team

• Heterogeneous and/or Eclectic Skills

• Solid understanding of the systems affected

• Real World, Applied Experience

Page 57

Analysis and Tracking Logs

• Dynamic Nature of the Logs

• Feeds into the tracking process

• Working Relationship with other Entities

Page 58

Recovery Phase Goal

• To get back up and running

  • The Business (worst case)

  • Affected Systems (best case)

• Protect evidence

Page 59

Recovery and Repair

• Recovery into production of affected systems

• Ensure system can withstand another attack

• Test for vulnerabilities and weaknesses

Page 60

Closure of the Incident

• Incident response is an iterative process

• Closure to the incident

Page 61

Debriefing/Feedback

• Formal process

• Include all of the team members

• Use output to adapt or modify policy and guidelines

Page 62

Communications of the Incident

• Public disclosure of an incident can:

  • Compound the negative impact

  • Provide an opportunity to regain public trust

• Communication handled by authorized personnel only

Page 63

Domain Agenda

• Major Legal Systems

• Information Technology Laws and Regulations

• Incident Response

• Computer Forensics

Page 64

Computer Forensics

• Key Components

  • Crime scenes

  • Digital evidence

  • Guidelines

Page 65

Computer Forensics: The Law

• The inclusion of the “law” introduces concepts that may be foreign to many information security professionals

  • Crime scene

  • Chain of custody

  • Best evidence

  • Admissibility requirements

  • Rules of evidence

Page 66

Computer Forensics: Evidence

• Computer Forensics includes:

  • Evidence or potential evidence

• Falls under the larger domain of Digital Forensic Science Research Workshop

• Deals with evidence and the legal system

Page 67

Computer Forensics: Evidence

• Correctly identifying the crime scene, evidence, and potential containers of evidence

• Collecting or acquiring evidence:

  • Adhering to the criminalistic principles

  • Keeping contamination and the destruction of the scene to a minimum

Page 68

Computer Forensics: Evidence

• Using the scientific methods:

  • Determine characteristics of the evidence

  • Comparison of evidence

  • Event reconstruction

• Presentation of findings:

  • Interpreting and analysis of the examination

  • Articulating these in a format appropriate for the intended audience

Page 69

Crime Scene

• Prior to identifying evidence, the larger crime scene needs to be addressed

• A crime scene is nothing more than:

  • The environment in which potential evidence may exist

• Digital crime scenes follow the same principles

Page 70

Crime Scene

• The principles of criminalistics apply to both digital and physical crime scenes:

  • Identify the scene

  • Protect the environment

  • Identify evidence and potential sources of evidence

  • Collect evidence

  • Minimize the degree of contamination

Page 71

Crime Scene: Physical vs. Virtual

• The Crime Scene Environment

  • Physical

  • Virtual or Cyber

Page 72

Locard’s Principle

• Locard’s Principle of Exchange

  • When a crime is committed, the Perpetrator

    • Leaves something behind

    • Takes something with them

• This principle allows us to identify aspects of the person or persons responsible, even with a purely digital crime scene

Page 73

Behavior

• Investigation or Root Cause Analysis

• Means, Opportunity, and Motives (MOM)

• Modus Operandi (MO)

• Criminal computer behavior is no different than typical criminal behavior

Page 74

Behavior of Computer Criminals

• Computer criminals have specific MOs

  • Hacking software/tools

  • Types of systems or networks attacked, etc.

• Signature behaviors

• MO & Signature behaviors

  • Profiling

  • Interviewing

Page 75

Crime Scene Analysis

• Protect the ‘crime scene’ from unauthorized individuals

• Once a scene has been contaminated, there is no undo or redo button to push

• The damage is done!

Page 76

Digital Evidence

• The exact requirements for the admissibility of evidence vary

• Evidence

Page 77

Digital Evidence: 5 Rules

• Admissible

• Authentic

• Complete

• Accurate

• Convincing

Page 78

Digital Evidence: Hearsay

• Hearsay

  • Second-hand evidence

  • Normally not admissible

• Business records exceptions:

  • Computer generated information can fall into this category

  • May require someone to attest to how the records/information were created

Page 79

Digital Evidence: Life Span

• Digital evidence

  • Volatile and “fragile”

  • May have a short “life span”

• Collect quickly

  • By order of volatility (i.e., most volatile first)

• Document, document, document!

Page 80

Digital Evidence: Chain of Custody

• Chain of Custody

  • Who

  • What

  • When

  • Where

  • How

Page 81

Digital Evidence: Accuracy and Integrity

• Ensuring the accuracy and integrity of evidence is critical!

• The current protocol for demonstrating accuracy and integrity relies on hash functions

  • MD5

  • SHA-256
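The chain-of-custody slide (who, what, when, where, how) and the hash-based integrity check above fit together in one routine: digest the acquired item, record the digests in the custody log, and re-digest before every later examination. The script below is an added example, not material from the course; the log layout, the examiner and locker names, and the sample image bytes are constructed placeholders.

```python
# Added example (not from the slides): record an acquired evidence item in a
# chain-of-custody log with MD5 and SHA-256 digests, then re-verify it later.
# The log layout (who/what/when/where/how plus digests) is an assumption of
# this example, not a standard the slides define.
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def hash_bytes(data):
    """Return (md5, sha256) hex digests of an in-memory byte string."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def hash_file(path, chunk_size=1 << 20):
    """Return (md5, sha256) of a file, streamed so a large image fits in memory."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def custody_entry(path, who, what, where, how):
    """One chain-of-custody record: who, what, when, where, how, and both digests.
    Two independent digests are recorded because MD5 alone is collision-prone."""
    md5, sha256 = hash_file(path)
    return {"who": who, "what": what,
            "when": datetime.now(timezone.utc).isoformat(),
            "where": where, "how": how, "md5": md5, "sha256": sha256}


def verify(path, entry):
    """Re-hash the item and compare with the recorded digests.
    Both must match; any mismatch means this is no longer the item acquired."""
    md5, sha256 = hash_file(path)
    return md5 == entry["md5"] and sha256 == entry["sha256"]


def demo():
    """Acquire a constructed evidence file, log it, then detect a one-byte change.
    Returns (verified_before, verified_after, custody_log_json)."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"constructed disk image bytes\x00\x01\x02" * 1024)  # constructed sample
    log = [custody_entry(path, "examiner A (placeholder)", "workstation disk image",
                         "evidence locker 3 (placeholder)", "dd via write blocker")]
    before = verify(path, log[0])
    # Simulate a single byte changed after acquisition (e.g. image mounted read-write).
    with open(path, "r+b") as fh:
        fh.seek(10)
        fh.write(b"X")
    after = verify(path, log[0])
    os.remove(path)
    return before, after, json.dumps(log, indent=2)
```

Running `demo()` returns `True` for the freshly acquired image and `False` after the single-byte change, which is exactly the discrepancy a custody log must surface before the item is presented.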

Page 82

General Guidelines

• IOCE/SWGDE 6 principles for computer forensics and digital/electronic evidence

  • When dealing with digital evidence, all of the general forensic and procedural principles must be applied

  • Upon seizing digital evidence, actions taken should not change that evidence

  • When it is necessary for a person to access original digital evidence, that person should be trained for the purpose

Page 83

Six IOCE/SWGDE Principles

• All activity relating to the seizure, access, storage or transfer of digital evidence must be fully documented, preserved and available for review

• An individual is responsible for all actions taken with respect to digital evidence whilst the digital evidence is in their possession

• Any agency which is responsible for seizing, accessing, storing or transferring digital evidence is responsible for compliance with these principles

Page 84

General Guidelines: Dos and Don’ts

• Minimize Handling/Corruption of Original Data

• Account for Any Changes and Keep Detailed Logs of Your Actions

• Comply with the Five Rules for Evidence

• Do Not Exceed Your Knowledge

• Follow Your Local Security Policy and Obtain Written Permission

Page 85

General Guidelines: Dos and Don’ts

• Capture as Accurate an Image of the System as Possible

• Be Prepared to Testify

• Ensure Your Actions are Repeatable

• Work Fast

• Proceed From Volatile to Persistent Evidence

• Don’t Run Any Programs on the Affected System

Page 86

General Guidelines: Dos and Don’ts

• Act ethically

• In good faith

• Attempt to do no harm

• Do not exceed one’s knowledge, skills, and abilities

Page 87

Domain Summary

• Know local laws and regulations

• Have an approved procedure for handling of incidents

• Ensure that all handling of sensitive information is compliant with regulation

• Follow best practices and document all steps of an investigation

Page 88

“Security Transcends Technology”