CISSP: Certified Information Systems Security Professional Study Guide 2nd Edition phần 9 ppt


Chapter 17 Law and Investigations

Conducting the Investigation

If you elect not to call in law enforcement, you should still attempt to abide by the principles of a sound investigation to ensure the accuracy and fairness of your inquiry. It is important to remember a few key principles:

• Never conduct your investigation on an actual system that was compromised. Take the system offline, make a backup, and use the backup to investigate the incident.
• Never attempt to “hack back” and avenge a crime. You may inadvertently attack an innocent third party and find yourself liable for computer crime charges.
• If in doubt, call in expert assistance. If you don’t wish to call in law enforcement, contact a private investigations firm with specific experience in the field of computer security investigations.
• Normally, it’s best to begin the investigation process using informal interviewing techniques. These are used to gather facts and determine the substance of the case. When specific suspects are identified, they should be questioned using interrogation techniques. Again, this is an area best left untouched without specific legal advice.

Summary

Computer security necessarily entails a high degree of involvement from the legal community. In this chapter, you learned about a large number of laws that govern security issues such as computer crime, intellectual property, data privacy, and software licensing. You also learned about the procedures that must be followed when investigating an incident and collecting evidence that may later be admitted into a court of law during a civil or criminal trial.

Granted, computer security professionals cannot be expected to understand the intricate details of all of the laws that cover computer security. However, the main objective of this chapter is to provide you with the foundations of that knowledge.
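The first investigation principle above (work from a backup of the compromised system, never from the system itself) and the chain-of-custody requirement the chapter places on real evidence are enforced in practice with cryptographic hashes: the image is fingerprinted at acquisition, every handoff is logged with the hash, and the working copy is checked against the acquisition hash before and after analysis. The Python script below is an added example and is not code from the study guide; the image bytes, the evidence identifier and the handler names are constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for an acquired disk image. A real image would be read
# from the imaging tool's output file, never from the live compromised host.
ORIGINAL_IMAGE = b"constructed-sample-image:" + bytes(range(256)) * 4


def sha256_hex(data: bytes) -> str:
    """Fingerprint of the evidence; any change to the bytes changes this value."""
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only chain-of-custody record: who handled the evidence, when,
    what they did, and the hash of the evidence at that moment."""

    def __init__(self, evidence_id: str):
        self.evidence_id = evidence_id
        self.entries = []

    def record(self, handler: str, action: str, data: bytes) -> dict:
        entry = {
            "evidence_id": self.evidence_id,
            "handler": handler,
            "action": action,
            "sha256": sha256_hex(data),
            "timestamp": datetime.now(timezone.utc).isoformat(),
        }
        self.entries.append(entry)
        return entry

    def unbroken(self) -> bool:
        """True when every recorded handoff carries the acquisition hash."""
        return len({e["sha256"] for e in self.entries}) == 1

    def to_json(self) -> str:
        return json.dumps(self.entries, indent=2)


def make_working_copy(original: bytes) -> bytes:
    """Investigators analyse a copy so the original stays untouched."""
    return bytes(original)  # a real copy would be written to separate media


def verify_working_copy(reference_hash: str, copy: bytes) -> bool:
    """Check (before analysis, and again afterwards) that the copy still
    matches the hash taken at acquisition."""
    return sha256_hex(copy) == reference_hash


def run_investigation() -> dict:
    """Acquisition, copy, verification, then a simulated one-byte change to
    the working copy that the verification and the custody log must expose."""
    log = CustodyLog("EVID-0001")  # constructed identifier
    acquisition = log.record("analyst-a", "acquired image", ORIGINAL_IMAGE)

    copy = make_working_copy(ORIGINAL_IMAGE)
    log.record("analyst-b", "received working copy", copy)
    verified_before = verify_working_copy(acquisition["sha256"], copy)

    tampered = bytearray(copy)
    tampered[0] ^= 0x01  # simulated alteration of the working copy
    tampered = bytes(tampered)
    log.record("analyst-c", "returned working copy", tampered)
    verified_after = verify_working_copy(acquisition["sha256"], tampered)

    return {
        "verified_before": verified_before,
        "verified_after": verified_after,
        "chain_unbroken": log.unbroken(),
        "entries": len(log.entries),
        "original_untouched": sha256_hex(ORIGINAL_IMAGE) == acquisition["sha256"],
        "log": log.to_json(),
    }


if __name__ == "__main__":
    result = run_investigation()
    print(result["log"])
    print({k: v for k, v in result.items() if k != "log"})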
The best legal skill that a CISSP candidate should have is the ability to identify a legally questionable issue and know when to call in an attorney who specializes in computer/Internet law.

Exam Essentials

Understand the differences between criminal law, civil law, and administrative law. Criminal law protects society against acts that violate the basic principles we believe in. Violations of criminal law are prosecuted by federal and state governments. Civil law provides the framework for the transaction of business between people and organizations. Violations of civil law are brought to the court and argued by the two affected parties. Administrative law is used by government agencies to effectively carry out their day-to-day business.

4335c17.fm Page 530 Thursday, June 10, 2004 5:41 AM

Be able to explain the basic provisions of the major laws designed to protect society against computer crime. The Computer Fraud and Abuse Act (as amended) protects computers used by the government or in interstate commerce from a variety of abuses. The Computer Security Act outlines steps the government must take to protect its own systems from attack. The Government Information Security Reform Act further develops the federal government information security program.

Know the difference between copyrights, trademarks, patents, and trade secrets. Copyrights protect original works of authorship, such as books, articles, poems, and songs. Trademarks are names, slogans, and logos that identify a company, product, or service. Patents provide protection to the creators of new inventions. Trade secret law protects the operating secrets of a firm.

Be able to explain the basic provisions of the Digital Millennium Copyright Act of 1998. The Digital Millennium Copyright Act prohibits the circumvention of copy protection mechanisms placed in digital media and limits the liability of Internet service providers for the activities of their users.

Know the basic provisions of the Economic Espionage Act of 1996. The Economic Espionage Act provides penalties for individuals found guilty of the theft of trade secrets. Harsher penalties apply when the individual knows that the information will benefit a foreign government.

Understand the various types of software license agreements. Contractual license agreements are written agreements between a software vendor and user. Shrink-wrap agreements are written on software packaging and take effect when a user opens the package. Click-wrap agreements are included in a package but require the user to accept the terms during the software installation process.

Explain the impact of the Uniform Computer Information Transactions Act on software licensing. The Uniform Computer Information Transactions Act provides a framework for the enforcement of shrink-wrap and click-wrap agreements by federal and state governments.

Understand the restrictions placed upon export of high-performance hardware and encryption technology outside of the United States. No high-performance computers or encryption technology may be exported to Tier 4 countries. The export of hardware capable of operating in excess of 190,000 MTOPS to Tier 3 countries must be approved by the Department of Commerce. New rules permit the easy exporting of “mass market” encryption software.

Understand the major laws that govern privacy of personal information in both the United States and the European Union. The United States has a number of privacy laws that affect the government’s use of information as well as the use of information by specific industries, like financial services companies and healthcare organizations, that handle sensitive information. The European Union has a more comprehensive directive on data privacy that regulates the use and exchange of personal information.

Know the basic requirements for evidence to be admissible in a court of law. To be admissible, evidence must be relevant to a fact at issue in the case, the fact must be material to the case, and the evidence must be competent, or legally collected.

Explain the various types of evidence that may be used in a criminal or civil trial. Real evidence consists of actual objects that may be brought into the courtroom. Documentary evidence consists of written documents that provide insight into the facts. Testimonial evidence consists of verbal or written statements made by witnesses.

Written Lab

Answer the following questions about law and investigations:

1. What are the key rights guaranteed to individuals under the European Union’s directive on data privacy?
2. What are the three basic requirements that evidence must meet in order to be admissible in court?
3. What are some common steps that employers take to notify employees of system monitoring?

Review Questions

1. Which criminal law was the first to implement penalties for the creators of viruses, worms, and other types of malicious code that cause harm to computer system(s)?
   A. Computer Security Act
   B. National Infrastructure Protection Act
   C. Computer Fraud and Abuse Act
   D. Electronic Communications Privacy Act

2. Which law first required operators of federal interest computer systems to undergo periodic training in computer security issues?
   A. Computer Security Act
   B. National Infrastructure Protection Act
   C. Computer Fraud and Abuse Act
   D. Electronic Communications Privacy Act

3. What type of law does not require an act of Congress to implement at the federal level but, rather, is enacted by the executive branch in the form of regulations, policies, and procedures?
   A. Criminal law
   B. Common law
   C. Civil law
   D. Administrative law

4.
Which federal government agency has responsibility for ensuring the security of government computer systems that are not used to process sensitive and/or classified information?
   A. National Security Agency
   B. Federal Bureau of Investigation
   C. National Institute of Standards and Technology
   D. Secret Service

5. What is the broadest category of computer systems protected by the Computer Fraud and Abuse Act, as amended?
   A. Government-owned systems
   B. Federal interest systems
   C. Systems used in interstate commerce
   D. Systems located in the United States

6. What law protects the right of citizens to privacy by placing restrictions on the authority granted to government agencies to search private residences and facilities?
   A. Privacy Act
   B. Fourth Amendment
   C. Second Amendment
   D. Gramm-Leach-Bliley Act

7. Matthew recently authored an innovative algorithm for solving a mathematical problem and he would like to share it with the world. However, prior to publishing the software code in a technical journal, he would like to obtain some sort of intellectual property protection. Which type of protection is best suited to his needs?
   A. Copyright
   B. Trademark
   C. Patent
   D. Trade Secret

8. Mary is the cofounder of Acme Widgets, a manufacturing firm. Together with her partner, Joe, she has developed a special oil that will dramatically improve the widget manufacturing process. To keep the formula secret, Mary and Joe plan to make large quantities of the oil by themselves in the plant after the other workers have left. They would like to protect this formula for as long as possible. What type of intellectual property protection best suits their needs?
   A. Copyright
   B. Trademark
   C. Patent
   D. Trade secret

9. Richard recently developed a great name for a new product that he plans to begin using immediately. He spoke with his attorney and filed the appropriate application to protect his product name but has not yet received a response from the government regarding his application. He would like to begin using the name immediately. What symbol should he use next to the name to indicate its protected status?
   A. ©
   B. ®
   C. ™
   D. †

10. What law prevents government agencies from disclosing personal information that an individual supplies to the government under protected circumstances?
   A. Privacy Act
   B. Electronic Communications Privacy Act
   C. Health Insurance Portability and Accountability Act
   D. Gramm-Leach-Bliley Act

11. What law formalizes many licensing arrangements used by the software industry and attempts to standardize their use from state to state?
   A. Computer Security Act
   B. Uniform Computer Information Transactions Act
   C. Digital Millennium Copyright Act
   D. Gramm-Leach-Bliley Act

12. The Children’s Online Privacy Protection Act was designed to protect the privacy of children using the Internet. What is the minimum age a child must be before companies may collect personal identifying information from them without parental consent?
   A. 13
   B. 14
   C. 15
   D. 16

13. Which one of the following is not a requirement that Internet service providers must satisfy in order to gain protection under the “transitory activities” clause of the Digital Millennium Copyright Act?
   A. The service provider and the originator of the message must be located in different states.
   B. The transmission, routing, provision of connections, or copying must be carried out by an automated technical process without selection of material by the service provider.
   C. Any intermediate copies must not ordinarily be accessible to anyone other than anticipated recipients and must not be retained for longer than reasonably necessary.
   D. The transmission must be originated by a person other than the provider.

14. Which one of the following laws is not designed to protect the privacy rights of consumers and Internet users?
   A. Health Insurance Portability and Accountability Act
   B. Identity Theft Assumption and Deterrence Act
   C. USA Patriot Act
   D. Gramm-Leach-Bliley Act

15. Which one of the following types of licensing agreements is most well known because it does not require that the user take action to acknowledge that they have read the agreement prior to executing it?
   A. Standard license agreement
   B. Shrink-wrap agreement
   C. Click-wrap agreement
   D. Verbal agreement

16. What industry is most directly impacted by the provisions of the Gramm-Leach-Bliley Act?
   A. Healthcare
   B. Banking
   C. Law enforcement
   D. Defense contractors

17. What is the standard duration of patent protection in the United States?
   A. 14 years from the application date
   B. 14 years from the date the patent is granted
   C. 20 years from the application date
   D. 20 years from the date the patent is granted

18. Which one of the following is not a valid legal reason for processing information about an individual under the European Union’s data privacy directive?
   A. Contract
   B. Legal obligation
   C. Marketing needs
   D. Consent

19. What type of evidence must be authenticated by a witness who can uniquely identify it or through a documented chain of custody?
   A. Documentary evidence
   B. Testimonial evidence
   C. Real evidence
   D. Hearsay evidence

20. What evidentiary principle states that a written contract is assumed to contain all of the terms of an agreement?
   A. Material evidence
   B. Best evidence
   C. Parol evidence
   D. Relevant evidence

Answers to Review Questions

1. C.
The Computer Fraud and Abuse Act, as amended, provides criminal and civil penalties for those individuals convicted of using viruses, worms, Trojan horses, and other types of malicious code to cause damage to computer system(s).

2. A. The Computer Security Act requires mandatory periodic training for all persons involved in the management, use, or operation of federal computer systems that contain sensitive information.

3. D. Administrative laws do not require an act of the legislative branch to implement at the federal level. Administrative laws consist of the policies, procedures, and regulations promulgated by agencies of the executive branch of government. Although they do not require an act of Congress, these laws are subject to judicial review and must comply with criminal and civil laws enacted by the legislative branch.

4. C. The National Institute of Standards and Technology (NIST) is charged with the security management of all federal government computer systems that are not used to process sensitive national security information. The National Security Agency (part of the Department of Defense) is responsible for managing those systems that do process classified and/or sensitive information.

5. C. The original Computer Fraud and Abuse Act of 1984 covered only systems used by the government and financial institutions. The act was broadened in 1986 to include all federal interest systems. The Computer Abuse Amendments Act of 1994 further amended the CFAA to cover all systems that are used in interstate commerce, covering a large portion (but not all) of the computer systems in the United States.

6. B. The Fourth Amendment to the U.S. Constitution sets the “probable cause” standard that law enforcement officers must follow when conducting searches and/or seizures of private property. It also states that those officers must obtain a warrant before gaining involuntary access to such property.

7. A. Copyright law is the only type of intellectual property protection available to Matthew. It covers only the specific software code that Matthew used. It does not cover the process or ideas behind the software. Trademark protection is not appropriate for this type of situation. Patent protection does not apply to mathematical algorithms. Matthew can’t seek trade secret protection because he plans to publish the algorithm in a public technical journal.

8. D. Mary and Joe should treat their oil formula as a trade secret. As long as they do not publicly disclose the formula, they can keep it a company secret indefinitely.

9. C. Richard’s product name should be protected under trademark law. Until his registration is granted, he may use the ™ symbol next to it to inform others that it is protected under trademark law. Once his application is approved, the name becomes a registered trademark and Richard may begin using the ® symbol.

10. A. The Privacy Act of 1974 limits the ways government agencies may use information that private citizens disclose to them under certain circumstances.

11. B. The Uniform Computer Information Transactions Act (UCITA) attempts to implement a standard framework of laws regarding computer transactions to be adopted by all states. One of the issues addressed by UCITA is the legality of various types of software license agreements.

12. A. The Children’s Online Privacy Protection Act (COPPA) provides severe penalties for companies that collect information from young children without parental consent. COPPA states that this consent must be obtained from the parents of children under the age of 13 before any information is collected (other than basic information required to obtain that consent).

13. A. The Digital Millennium Copyright Act does not include any geographical location requirements for protection under the “transitory activities” exemption. The other options are three of the five mandatory requirements. The other two requirements are that the service provider must not determine the recipients of the material and the material must be transmitted with no modification to its content.

14. C. The USA Patriot Act was adopted in the wake of the 9/11 terrorist attacks. It broadens the powers of the government to monitor communications between private citizens and therefore actually weakens the privacy rights of consumers and Internet users. The other laws mentioned all contain provisions designed to enhance individual privacy rights.

15. B. Shrink-wrap license agreements become effective when the user opens a software package. Click-wrap agreements require the user to click a button during the installation process to accept the terms of the license agreement. Standard license agreements require that the user sign a written agreement prior to using the software. Verbal agreements are not normally used for software licensing but also require some active degree of participation by the software user.

16. B. The Gramm-Leach-Bliley Act provides, among other things, regulations regarding the way financial institutions may handle private information belonging to their customers.

17. C. United States patent law provides for an exclusivity period of 20 years beginning at the time the patent application is submitted to the Patent and Trademark Office.

18. C. Marketing needs are not a valid reason for processing personal information, as defined by the European Union privacy directive.

19. C. Real evidence must be either uniquely identified by a witness or authenticated through a documented chain of custody.

20. C.
The parol evidence rule states that a written contract is assumed to contain all of the terms of an agreement and may not be modified by a verbal agreement.

Answers to Written Lab

Following are answers to the questions in this chapter’s written lab:

1. Individuals have a right to access records kept about them and know the source of data included in those records. They also have the right to correct inaccurate records. Individuals have the right to withhold consent from data processors and have legal recourse if these rights are violated.
2. To be admissible, evidence must be reliable, competent, and material to the case.
3. Some common steps that employers take to notify employees of monitoring include clauses in employment contracts that state that the employee should have no expectation of privacy while using corporate equipment, similar written statements in corporate acceptable use and privacy policies, logon banners warning that all communications are subject to monitoring, and warning labels on computers and telephones warning of monitoring.

Chapter 18 Incidents and Ethics (preview excerpts)

... agencies, their computer systems are often attractive targets for experienced attackers. To protect from more numerous and more sophisticated attackers, you will generally find more formal security policies in place on systems that house such information. As you learned in Chapter 5, “Security Management Concepts and Principles,” data can be classified according to sensitivity and stored on systems that support the required level of security. It is common to find stringent perimeter security as well as internal controls to limit access to classified documents on military and intelligence agency systems. You can be sure that serious attacks to acquire military or intelligence information are carried out by professionals. Professional attackers are generally very thorough in covering ...

... and restricted information from law enforcement or military and technological research sources. Disclosure of such information could compromise investigations, disrupt military planning, and threaten national security. Attacks to gather military information or other sensitive intelligence often precede other, more damaging attacks. An attacker may be looking for the following kinds of information:

• Military descriptive information of any type, including deployment information, readiness information, and order of battle plans
• Secret intelligence gathered for military or law enforcement purposes
• Descriptions and storage locations of evidence obtained in a criminal investigation
• Any secret information that could be used in a later attack

Due to the sensitive nature of information collected and ...

... focus on illegally obtaining an organization’s confidential information. This could be information that is critical to the operation of the organization, such as a secret recipe, or information that could damage the organization’s reputation if disclosed, such as personal information about its officers. The gathering of a competitor’s confidential information, also called ... acquire competitive information for many years. The temptation to steal a competitor’s secrets and the ease with which a savvy attacker can compromise some computer systems to extract files that contain valuable research or other confidential information can make this type of attack attractive. The goal of business attacks is solely to extract confidential information. The use of the information gathered ...

... this type can be put into a position from which it might not ever recover. It is up to you as the security professional to ensure that the systems that contain confidential data are secure. In addition, a policy must be developed that will handle such an intrusion should it occur. (For more information on security policies, see Chapter 6, “Asset Value, Policies, and Roles.”)

Financial Attacks

Financial ...

... communications. Most large power and communications companies have dedicated a security staff to ensure the security of their systems, but many smaller businesses that have systems connected to the Internet are more vulnerable to attacks. You must diligently monitor your systems to identify any attacks and then respond swiftly when an attack is discovered.

Grudge Attacks

Grudge ...

... where to search for valuable evidence. Experienced security professionals learn how their systems operate on a daily basis and are comfortable with the regular operations of the system. The more you know your systems, the more an unusual event stands out.

Incident Handling

When an incident occurs, you must handle it in a manner that is outlined in your security policy and consistent with local laws and ...

... for standard ethics rules, or codes, and have devised guidelines for ethical behavior. We present two codes of ethics in the following sections. These rules are not laws. They are minimum standards for professional behavior. They should provide you with a basis for sound, ethical judgment. Any security professional should be expected to abide by these guidelines regardless of their area of specialty. ...

Posted: 14/08/2014, 18:20

Contents

• Chapter 18 Incidents and Ethics
• Chapter 19 Physical Security Requirements
• Glossary
