CHAPTER 9_Legal, Regulations, Investigations, and Compliance Flashcards

Flashcards in CHAPTER 9_Legal, Regulations, Investigations, and Compliance Deck (220):
1

Pretexting Protection

Implement safeguards against pretexting (social engineering).

2

cyberlaw

Computer crime laws (sometimes referred to as cyberlaw) around the world deal with some of the core issues: unauthorized modification or destruction, disclosure of sensitive information, unauthorized access, and the use of malware (malicious software).

3

Basel II

If a bank cannot follow through on its promises, it can affect the whole economy.

The Bank for International Settlements devised a means for protecting banks from over-extending themselves and becoming insolvent. The original Basel Capital Accord implemented a system for establishing the minimum amount of capital that member financial institutions were required to keep on hand. This means that a bank actually has to have a certain amount of real money, not just accounting books logging transactions.

4

Criminal law

Criminal law is used when an individual’s conduct violates the government laws, which have been developed to protect the public. Jail sentences are commonly the punishment for criminal law cases, whereas in civil law cases the punishment is usually an amount of money that the liable individual must pay the victim. For example, in the O.J. Simpson case, he was first tried and found not guilty in the criminal law case, but then was found liable in the civil law case. This seeming contradiction can happen because the burden of proof is lower in civil cases than in criminal cases.

5

5. Knowingly causing the transmission of a program, information, code, or command that causes damage or intentionally accessing a computer without authorization, and as a result of such conduct, causing damage that results in:

  • Loss to one or more persons during any one-year period aggregating at least $5,000 in value.
  • The modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of one or more individuals.
  • Physical injury to any person.
  • A threat to public health or safety.
  • Damage affecting a government computer system.

6

Interviewing and Interrogating

Once surveillance and search and seizure activities have been performed, it is very likely that suspects must be interviewed and interrogated. However, interviewing is both an art and a science, and the interview should be conducted by a properly trained professional. Even then, the interview may only be conducted after consultation with legal counsel. This doesn’t, however, completely relieve you as an information security professional from responsibility during the interviewing process. You may be asked to provide input or observe an interview in order to clarify technical information that comes up in the course of questioning. When this is needed, there should be one person in charge of the interview or interrogation, with one or two others present. Both the topics of discussion and the questions should be prepared beforehand and asked in a systematic and calm fashion, because the purpose of an interrogation is to obtain evidence for a trial.

7

18. Which of the following is a legal form of eavesdropping when performed with prior consent or a warrant?

A. Denial of Service

B. Dumpster diving

C. Wiretapping

D. Data diddling

Extended Questions:

CORRECT C. Most communications signals are vulnerable to some type of wiretapping or eavesdropping. It can usually be done undetected and is referred to as a passive attack. Tools used to intercept communications include cellular scanners, radio receivers, microphone receivers, tape recorders, network sniffers, and telephone-tapping devices. It is illegal to intentionally eavesdrop on another person’s conversation under many countries’ existing wiretap laws. In many cases, this action is only acceptable if the person consents or there is a court order allowing law enforcement to perform these types of activities. Under the latter circumstances, the law enforcement officers must show probable cause to support their allegation that criminal activity is taking place and can only listen to relevant conversations. These requirements are in place to protect an individual’s privacy rights.

WRONG A is incorrect because Denial of Service (DoS) is an attack, not a form of eavesdropping. A DoS has the intent of overwhelming a victim system so that it can no longer carry out its intended functionality.

WRONG B is incorrect because dumpster diving is legal unless it involves trespassing. Dumpster diving refers to going through someone’s trash to find confidential or useful information. This is not considered a type of eavesdropping.

WRONG D is incorrect because data diddling is the act of willfully modifying information, programs, or documentation in an effort to commit fraud or disrupt production. Many times, this modification happens before the data is entered into an application or as soon as it completes processing and is output from an application. For instance, if a loan processor is entering information for a customer’s loan of $100,000, but instead enters $150,000 and then moves the extra approved money somewhere else, this would be a case of data diddling.

8

Ron is a new security manager and needs to help ensure that his company can easily work with international entities in the case of cybercrime activities. His company is expanding its offerings to include cloud computing for its customers, who are from all over the world. Ron knows that several of the company’s partners, who work in Europe, would like to take advantage of his company’s cloud computing offerings.

26. What does Ron need to ensure that the company follows to allow its European partners to use its cloud computing offering?

  A. Personal Information Protection and Electronic Documents Act

  B. Business exemption rule of evidence

  C. International Organization on Computer Evidence

  D. Safe Harbor requirements

26. D. If a non-European organization wants to do business with a European entity, it will need to adhere to the Safe Harbor requirements if certain types of data will be passed back and forth during business processes.

9

13. Which of the following is a necessary characteristic of evidence for it to be admissible?

  A. It must be real.

  B. It must be noteworthy.

  C. It must be reliable.

  D. It must be important.

13. C. For evidence to be admissible, it must be sufficient, reliable, and relevant to the case. For evidence to be reliable, it must be consistent with fact and must not be based on opinion or be circumstantial.

10

opinion rule

When a witness testifies, the opinion rule dictates that she must testify to only the facts of the issue and not her opinion of the facts. This is slightly different from when an expert witness is used, because an expert is used primarily for his educated opinion. Most lawyers call in expert witnesses to testify and help the defending or prosecuting sides better understand the subject matter so they can help the judge and jury better understand the matters of the case.

11

9. If an investigator needs to communicate with another investigator but does not want the criminal to be able to eavesdrop on this conversation, what type of communication should be used?

  A. Digitally signed messages

  B. Out-of-band messages

  C. Forensics frequency

  D. Authentication and access control

9. B. Out-of-band communication means to communicate through some other type of communication channel. For example, if law enforcement agents are investigating a crime on a network, they should not share information through e-mail that passes along this network. The criminal may still have sniffers installed and thus be able to access this data.

12

2. What is the study of computers and surrounding technologies and how they relate to crime?

  A. Computer forensics

  B. Computer vulnerability analysis

  C. Incident handling

  D. Computer information criteria

2. A. Computer forensics is a field that specializes in understanding and properly extracting evidence from computers and peripheral devices for the purpose of prosecution. Collecting this type of evidence requires a skill set and an understanding of several relevant laws.

13

24. As a CISSP candidate, you must sign a Code of Ethics. Which of the following is from the (ISC)2 Code of Ethics for the CISSP?

A. Information should be shared freely and openly; thus, sharing confidential information should be ethical.

B. Think about the social consequences of the program you are writing or the system you are designing.

C. Discourage unnecessary fear or doubt.

D. Do not participate in Internet-wide experiments in a negligent manner.

Extended Questions:

CORRECT C. (ISC)2 requires all certified system security professionals to commit to fully supporting its Code of Ethics. If a CISSP intentionally or knowingly violates this Code of Ethics, he or she may be subject to a peer review panel, which will decide whether the certification should be relinquished. The following list is an overview, but each CISSP candidate should read the full version and understand the Code of Ethics before attempting this exam:

• Act honorably, honestly, justly, responsibly, and legally, and protect society.

• Work diligently, provide competent services, and advance the security profession.

• Encourage the growth of research—teach, mentor, and value the certification.

• Discourage unnecessary fear or doubt, and do not consent to bad practices.

• Discourage unsafe practices, and preserve and strengthen the integrity of public infrastructures.

• Observe and abide by all contracts, expressed or implied, and give prudent advice.

• Avoid any conflict of interest, respect the trust that others put in you, and take on only those jobs you are fully qualified to perform.

• Stay current on skills, and do not become involved with activities that could injure the reputation of other security professionals.

WRONG A is incorrect because it is not an ethics statement within the (ISC)2 canons. It is an ethical fallacy used by many in the computing world to justify unethical acts. Some people in the industry feel as though all information should be available to all people; thus, they might release sensitive information to the world that was not theirs to release because they feel as though they are doing something right.

WRONG B is incorrect because the statement is from the Computer Ethics Institute’s Ten Commandments of Computer Ethics, not the (ISC)2 canons. The Computer Ethics Institute is a nonprofit organization that works to help advance technology by ethical means.

WRONG D is incorrect because it is an ethics statement issued by the Internet Architecture Board (IAB). The IAB issues ethics-related statements concerning the use of the Internet. It considers the Internet to be a resource that depends upon availability and accessibility to be useful to a wide range of people. It is mainly concerned with irresponsible acts on the Internet that could threaten its existence or negatively affect others. It sees the Internet as a great gift and works hard to protect it for all who depend upon it.

14

Opportunity

Opportunity is the "where" and "when" of a crime. Opportunities usually arise when certain vulnerabilities or weaknesses are present. If a company does not have a firewall, hackers and attackers have all types of opportunities within that network. If a company does not perform access control, auditing, and supervision, employees may have many opportunities to embezzle funds and defraud the company. Once a crime fighter finds out why a person would want to commit a crime (motive), she will look at what could allow the criminal to be successful (opportunity).

15

Personal Information Protection and Electronic Documents Act (PIPEDA)

Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian law that deals with the protection of personal information. One of its main goals is to oversee how the private sector collects, uses, and discloses personal information in regular business activities. The law was enacted to help promote consumer trust and facilitate electronic commerce. It was also put into place to reassure other countries that Canadian businesses would protect privacy data so that cross-border transactions and business activities could take place in a more assured manner.

16

Some examples of computer-targeted crimes include

  • Distributed Denial-of-Service (DDoS) attacks
  • Capturing passwords or other sensitive data
  • Installing malware with the intent to cause destruction
  • Installing rootkits and sniffers for malicious purposes
  • Carrying out a buffer overflow to take control of a system

17

Now, this in no way means countries can just depend upon the laws on the books and that every computer crime can be countered by an existing law. Many countries have had to come up with new laws that deal specifically with different types of computer crimes. For example, the following are just some of the laws that have been created or modified in the United States to cover the various types of computer crimes:

  • 18 USC 1029: Fraud and Related Activity in Connection with Access Devices
  • 18 USC 1030: Fraud and Related Activity in Connection with Computers
  • 18 USC 2510 et seq.: Wire and Electronic Communications Interception and Interception of Oral Communications
  • 18 USC 2701 et seq.: Stored Wire and Electronic Communications and Transactional Records Access
  • Digital Millennium Copyright Act
  • Cyber Security Enhancement Act of 2002

18

salami

A salami attack is one in which the attacker commits several small crimes with the hope that the overall larger crime will go unnoticed. Salami attacks usually take place in the accounting departments of companies, and the most common example of a salami attack involves subtracting a small amount of funds from many accounts with the hope that such an insignificant amount would be overlooked. For example, a bank employee may alter a banking software program to subtract 5 cents from each of the bank’s customers’ accounts once a month and move this amount to the employee’s bank account. If this happened to all of the bank’s 50,000 customer accounts, the intruder could make up to $30,000 a year.

19

Best Evidence

Best evidence is the primary evidence used in a trial because it provides the most reliability. An example of something that would be categorized as best evidence is an original signed contract. Oral evidence is not considered best evidence because there is no firsthand reliable proof that supports its validity, and it therefore does not have as good a standing as legal documents. Oral evidence cannot be used to dispute a legal document, but it can be used to interpret the document.

20

The following items are less often used because they are commonly shared by so many people, but they can fall into the PII classification and may require protection from improper disclosure:

  • First or last name, if common
  • Country, state, or city of residence
  • Age, especially if nonspecific
  • Gender or race
  • Name of the school they attend or workplace
  • Grades, salary, or job position
  • Criminal record

21

5. There are four categories of software licensing. Which of the following refers to software sold at a reduced cost?

A. Shareware

B. Academic software

C. Freeware

D. Commercial software

Extended Questions:

CORRECT B. When a vendor develops an application, it usually licenses the program rather than selling it outright. The license agreement contains provisions relating to the use and security of the software and the corresponding manuals. If an individual or company fails to observe and abide by those requirements, the license may be terminated, and depending on the actions, criminal charges may be leveled. The risk to the vendor that develops and licenses the software is the loss of profits it would have earned. The four categories of software licensing are shareware, freeware, commercial, and academic. Academic software is software that is provided for academic purposes at a reduced cost.

WRONG A is incorrect because shareware, or trialware, is a licensing model in which vendors give away a free, trial version of their software. Once the user tries the program, the user is asked to purchase a copy of it. This model is used by vendors to market their software.

WRONG C is incorrect because freeware is software that is publicly available free of charge and can be used, copied, studied, modified, and redistributed without restriction.

WRONG D is incorrect because commercial software is software that is sold at full price and typically used for commercial purposes. Most companies use commercial software with bulk licenses. Bulk licenses enable several users to use the product simultaneously. These master agreements define proper use of the software along with restrictions, such as whether corporate software can also be used by employees on their home machines.

22

trademark

A trademark is slightly different from a copyright in that it is used to protect a word, name, symbol, sound, shape, color, or combination of these. The reason a company would trademark one of these, or a combination, is that it represents their company (brand identity) to a group of people or to the world. Companies have marketing departments that work very hard in coming up with something new that will cause the company to be noticed and stand out in a crowd of competitors, and trademarking the result of this work with a government registrar is a way of properly protecting it and ensuring others cannot copy and use it.

23

Section 13410(d) of the HITECH Act revised Section 1176(a) of the Social Security Act (the Act) by establishing:

  • Four categories of violations that reflect increasing levels of culpability;
  • Four corresponding tiers of penalty amounts that significantly increase the minimum penalty amount for each violation; and
  • A maximum penalty amount of $1.5 million for all violations of an identical provision.

24

21. To better deal with computer crime, several legislative bodies have taken what steps in their strategy?

  A. Expanded several privacy laws

  B. Broadened the definition of property to include data

  C. Required corporations to have computer crime insurance

  D. Redefined transborder issues

21. B. Many times, what is corrupted, compromised, or taken from a computer is data, so current laws have been updated to include the protection of intangible assets, such as data. Over the years, data and information have become many companies’ most valuable asset, which must be protected by the laws.

25

Conclusive Evidence

Conclusive evidence is irrefutable and cannot be contradicted. Conclusive evidence is very strong all by itself and does not require corroboration.

26

The law made many changes to already existing laws, which are listed here:

  • Foreign Intelligence Surveillance Act of 1978
  • Electronic Communications Privacy Act of 1986
  • Money Laundering Control Act of 1986
  • Bank Secrecy Act (BSA)
  • Immigration and Nationality Act

27

14. For evidence to be legally admissible, it must be authentic, complete, sufficient, and reliable. Which characteristic refers to the evidence having a reasonable and sensible relationship to the findings?

A. Complete

B. Reliable

C. Authentic

D. Sufficient

Extended Questions:

CORRECT C. It is important that evidence be admissible, authentic, complete, sufficient, and reliable to the case at hand. These characteristics of evidence provide a foundation for a case and help ensure that the evidence is legally permissible. For evidence to be authentic, or relevant, it must have a reasonable and sensible relationship to the findings. If a judge rules that a person’s past traffic tickets cannot be brought up in a murder trial, this means the judge has ruled that the traffic tickets are not relevant to the case at hand. Thus, the prosecuting lawyer cannot even mention them in court. In addition, authentic evidence must be original; that is, it cannot be a copy or a summary of the original.

WRONG A is incorrect because evidence that is complete presents the whole truth. All evidence, even exculpatory evidence, must be handed over. This means that a prosecutor cannot present just part of the evidence that is favorable to his side of the case.

WRONG B is incorrect because evidence that is reliable must be consistent with the facts. Evidence cannot be reliable if it is based on someone’s opinion or copies of an original document, because there is too much room for error. Reliable evidence means it is factual and not circumstantial. Examples of unreliable evidence include computer-generated documentation and an investigator’s notes because they can be modified without any indication.

WRONG D is incorrect because evidence that is sufficient, or believable, is persuasive enough to convince a reasonable person of its validity. This means the evidence cannot be subject to personal interpretation. Sufficient evidence also means it cannot be easily doubted.

28

Due diligence

In the context of security, due care means that a company did all it could have reasonably done, under the circumstances, to prevent security breaches, and also took reasonable steps to ensure that if a security breach did take place, proper controls or countermeasures were in place to mitigate the damages. In short, due care means that a company practiced common sense and prudent management and acted responsibly. Due diligence means that the company properly investigated all of its possible weaknesses and vulnerabilities.

29

sufficient

For evidence to be complete, it must present the whole truth of an issue. For the evidence to be sufficient, or believable, it must be persuasive enough to convince a reasonable person of the validity of the evidence. This means the evidence cannot be subject to personal interpretation. Sufficient evidence also means it cannot be easily doubted.

30

18. If a company does not inform employees that they may be monitored and does not have a policy stating how monitoring should take place, what should a company do?

  A. Don’t monitor employees in any fashion.

  B. Monitor during off-hours and slow times.

  C. Obtain a search warrant before monitoring an employee.

  D. Monitor anyway—they are covered by two laws allowing them to do this.

18. A. Before a company can monitor its employees, it is supposed to inform them that this type of activity can take place. If a company monitors an employee without telling him, this could be seen as an invasion of privacy. The employee had an expected level of privacy that was invaded. The company should implement monitoring capabilities into its security policy and employee security-awareness programs.

31

Some of the requirements the law lays out for organizations are as follows:

  • Obtain an individual’s consent when they collect, use, or disclose that individual’s personal information;
  • Collect information by fair and lawful means; and
  • Have personal information policies that are clear, understandable, and readily available.

32

International Issues

If a hacker in Ukraine attacked a bank in France, whose legal jurisdiction is that? How do these countries work together to identify the criminal and carry out justice? Which country is required to track down the criminal? And which country should take this person to court? Well, we don’t really know exactly. We are still working this stuff out.

33

reliable

For evidence to be reliable, or accurate, it must be consistent with the facts. Evidence cannot be reliable if it is based on someone’s opinion or copies of an original document, because there is too much room for error. Reliable evidence means it is factual and not circumstantial.

34

8. Protecting evidence and providing accountability for who handled it at different steps during the investigation is referred to as what?

  A. The rule of best evidence

  B. Hearsay

  C. Evidence safety

  D. Chain of custody

8. D. Properly following the chain of custody for evidence is crucial for it to be admissible in court. A chain of custody is a history that shows how evidence was collected, analyzed, transported, and preserved in order to establish that it is sufficiently trustworthy to be presented as evidence in court. Because electronic evidence can be easily modified, a clearly defined chain of custody demonstrates that the evidence is trustworthy.

35

The next step is the analysis of the evidence. Forensic investigators use a scientific method that involves:

  • Determining the characteristics of the evidence, such as whether it’s admissible as primary or secondary evidence, as well as its source, reliability, and permanence
  • Comparing evidence from different sources to determine a chronology of events
  • Event reconstruction, including the recovery of deleted files and other activity on the system

36

Economic Espionage Act of 1996

Prior to 1996, industry and corporate espionage was taking place with no real guidelines for who could properly investigate the events. The Economic Espionage Act of 1996 provides the necessary structure when dealing with these types of cases and further defines trade secrets to be technical, business, engineering, scientific, or financial. This means that an asset does not necessarily need to be tangible to be protected or be stolen. Thus, this act enables the FBI to investigate industrial and corporate espionage cases.

37

Corroborative evidence

Corroborative evidence is supporting evidence used to help prove an idea or point. It cannot stand on its own but is used as a supplementary tool to help prove a primary piece of evidence.

38

reasonable expectation of privacy (REP)

NOTE: It is important to deal with the issue of reasonable expectation of privacy (REP) when it comes to employee monitoring. In the U.S. legal system, the expectation of privacy is used when defining the scope of the privacy protections provided by the Fourth Amendment of the Constitution. If it is not specifically explained to an employee that monitoring is possible and/or probable, when the monitoring takes place he could claim that his privacy rights have been violated and launch a civil suit against your company.

39

The life cycle of evidence includes:

  • Collection and identification
  • Storage, preservation, and transportation
  • Presentation in court
  • Return of the evidence to the victim or owner

40

Intellectual Property Laws

I made it, it is mine, and I want to protect it.

Intellectual property laws do not necessarily look at who is right or wrong, but rather how a company or individual can protect what it rightfully owns from unauthorized duplication or use, and what it can do if these laws are violated.

41

Supervision

Provides a framework for oversight and review to continually analyze risk and improve security measures.

42

5. A CISSP candidate signs an ethics statement prior to taking the CISSP examination. Which of the following would be a violation of the (ISC)2 Code of Ethics that could cause the candidate to lose his or her certification?

  A. E-mailing information or comments about the exam to other CISSP candidates

  B. Submitting comments on the questions of the exam to (ISC)2

  C. Submitting comments to the board of directors regarding the test and content of the class

  D. Conducting a presentation about the CISSP certification and what the certification means

5. A. A CISSP candidate and a CISSP holder should never discuss with others what was on the exam. This degrades the usefulness of the exam to be used as a tool to test someone’s true security knowledge. If this type of activity is uncovered, the person could be stripped of their CISSP certification.

43

Certain common ethical fallacies are used by many in the computing world to justify unethical acts. They exist because people look at issues differently and interpret (or misinterpret) rules and laws that have been put into place. The following are examples of these ethical fallacies:

  • Hackers only want to learn and improve their skills. Many of them are not making a profit off of their deeds; therefore, their activities should not be seen as illegal or unethical.
  • The First Amendment protects and provides the right for U.S. citizens to write viruses.
  • Information should be shared freely and openly; therefore, sharing confidential information and trade secrets should be legal and ethical.
  • Hacking does not actually hurt anyone.

44

Data Integrity

Data must be relevant and reliable for the purpose it was collected for.

45

Market Discipline

Requires member institutions to disclose their exposure to risk and validate adequate market capital.

46

Incident management

Incident management includes proactive and reactive processes. Proactive measures need to be put into place so that incidents can actually be detected in a controllable manner, and reactive measures need to be put into place so those incidents are then dealt with properly.

47

Due Care versus Due Diligence

Due diligence is the act of gathering the necessary information so the best decision-making activities can take place. Before a company purchases another company, it should carry out due diligence activities so that the purchasing company does not have any "surprises" down the road. The purchasing company should investigate all relevant aspects of the past, present, and predictable future of the business of the target company. If this does not take place and the purchase of the new company hurts the original company financially or legally, the decision makers could be found liable (responsible) and negligent by the shareholders.

48

16. What role does the Internet Architecture Board play regarding technology and ethics?

A. It creates criminal sentencing guidelines.

B. It issues ethics-related statements concerning the use of the Internet.

C. It edits Request for Comments.

D. It maintains ten commandments for ethical behavior.

Extended Questions:

CORRECT B. The Internet Architecture Board (IAB) is the coordinating committee for Internet design, engineering, and management. It is responsible for the architectural oversight of Internet Engineering Task Force (IETF) activities, for Internet Standards Process oversight and appeal, and for editing Requests for Comments (RFCs). The IAB issues ethics-related statements concerning the use of the Internet. It considers the Internet to be a resource that depends upon availability and accessibility to be useful to a wide range of people. It is mainly concerned with irresponsible acts on the Internet that could threaten its existence or negatively affect others. It sees the Internet as a great gift and works hard to protect it for all who depend upon it. The IAB sees the use of the Internet as a privilege, which should be treated as such and used with respect.

WRONG A is incorrect because the Federal Sentencing Guidelines are rules used by judges when determining the proper punitive sentences for specific felonies or misdemeanors that individuals or corporations commit. The guidelines work as a uniform sentencing policy for entities that carry out felonies and/or serious misdemeanors in the U.S. federal court system. The IAB does not have anything to do with these topics.

WRONG C is incorrect because, while the Internet Architecture Board is responsible for editing Request for Comments (RFCs), this task is not related to ethics. This answer is a distracter.

WRONG D is incorrect because the Computer Ethics Institute is a nonprofit organization that works to help advance technology by ethical means. The Computer Ethics Institute has developed its own Ten Commandments of Computer Ethics:

1. Thou shalt not use a computer to harm other people.

2. Thou shalt not interfere with other people’s computer work.

3. Thou shalt not snoop around in other people’s computer files.

4. Thou shalt not use a computer to steal.

5. Thou shalt not use a computer to bear false witness.

6. Thou shalt not copy or use proprietary software for which you have not paid.

7. Thou shalt not use other people’s computer resources without authorization or proper compensation.

8. Thou shalt not appropriate other people’s intellectual output.

9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.

10. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.

49

1. Which of the following does the Internet Architecture Board consider unethical?

  A. Creating a computer virus

  B. Entering information into a web page

  C. Performing a penetration test on a host on the Internet

  D. Disrupting Internet communications

1. D. The Internet Architecture Board (IAB) is a committee for Internet design, engineering, and management. It considers the use of the Internet to be a privilege that should be treated as such. The IAB considers the following acts unethical and unacceptable behavior:

• Purposely seeking to gain unauthorized access to Internet resources

• Disrupting the intended use of the Internet

• Wasting resources (people, capacity, and computers) through purposeful actions

• Destroying the integrity of computer-based information

• Compromising the privacy of others

• Negligence in the conduct of Internet-wide experiments

50

Liability and Its Ramifications

You may not have hacked the system yourself, but it was your responsibility to make sure it could not happen.

As legislatures, courts, and law enforcement develop and refine their respective approaches to computer crimes, so too must corporations. Corporations should develop not only their preventive, detective, and corrective approaches, but also their liability and responsibility approaches. As these crimes increase in frequency and sophistication, so do their destruction and lasting effects. In most cases, the attackers are not caught, but there is plenty of blame to be passed around, so a corporation needs to take many steps to ensure that the blame and liability do not land clearly at its doorstep.

51

2. Which organization has been developed to deal with economic, social, and governance issues, and with how sensitive data is transported over borders?

A. European Union

B. Council of Europe

C. Safe Harbor

D. Organisation for Economic Co-operation and Development

Extended Questions:

CORRECT D. Global organizations that move data across country boundaries must be aware of and follow the Organisation for Economic Co-operation and Development (OECD) Guidelines. Since most countries have a different set of laws pertaining to the definition of private data and how it should be protected, international trade and business get more convoluted, which can negatively affect the economies of nations. The OECD is an international organization that helps different governments come together and tackle the economic, social, and governance challenges of a globalized economy. Because of this, the OECD came up with guidelines for the various countries to follow so that data is properly protected and everyone follows the same type of rules. One of these rules is that subjects should be able to find out whether an organization has their personal information and, if so, what that information is, to correct erroneous data, and to challenge denied requests to do so.

WRONG A is incorrect because the European Union is not an organization that deals with economic, social, and governance issues, but it does address the protection of sensitive data. The European Union Principles on Privacy are:

• The reason for the gathering of data must be specified at the time of collection.

• Data cannot be used for other purposes.

• Unnecessary data should not be collected.

• Data should only be kept for as long as it is needed to accomplish the stated task.

• Only the necessary individuals who are required to accomplish the stated task should be allowed access to the data.

• Whoever is responsible for securely storing the data should not allow unintentional "leaking" of data.

WRONG B is incorrect because the Council of Europe is responsible for the creation of the Convention on Cybercrime. The Council of Europe Convention on Cybercrime is one example of an attempt to create a standard international response to cybercrime. In fact, it is the first international treaty seeking to address computer crimes by coordinating national laws, and improving investigative techniques and international cooperation. The Convention’s objectives include the creation of a framework for establishing jurisdiction and extradition of the accused. For example, extradition is only available by treaty and when the event is a crime in both jurisdictions.

WRONG C is incorrect because Safe Harbor is not an organization but a set of requirements for organizations that wish to exchange data with European entities. Europe has always had tighter control over protecting privacy information than the U.S. and other parts of the world. So in the past when U.S. and European companies needed to exchange data, confusion erupted and business was interrupted because the lawyers had to get involved to figure out how to work within the structures of the differing laws. To clear up this mess, a "safe harbor" framework was created, which outlines how any entity that is going to move privacy data to and from Europe must go about protecting it. U.S. companies that deal with European entities can become certified against this rule base so data transfer can happen more quickly and easily.

52

10. Why is it challenging to collect and identify computer evidence to be used in a court of law?

  A. The evidence is mostly intangible.

  B. The evidence is mostly corrupted.

  C. The evidence is mostly encrypted.

  D. The evidence is mostly tangible.

10. A. The evidence in computer crimes usually comes straight from computers themselves. This means the data are held as electronic voltages, which are represented as binary bits. Some data can be held on hard drives and peripheral devices, and some data may be held in the memory of the system itself. This type of evidence is intangible in that it is not made up of objects one can hold, see, and easily understand. Other types of crimes usually have evidence that is more tangible in nature, and that is easier to handle and control.

53

Computer Criminal Behavior

Like traditional criminals, computer criminals have a specific modus operandi (MO). In other words, criminals use a distinct method of operation to carry out their crime that can be used to help identify them. The difference with computer crimes is that the investigator, obviously, must have knowledge of technology. For example, an MO for computer criminals may include the use of specific hacking tools, or targeting specific systems or networks. The method usually involves repetitive signature behaviors, such as sending e-mail messages or programming syntax. Knowledge of the criminal’s MO and signature behaviors can be useful throughout the investigative process. Law enforcement can use the information to identify other offenses by the same criminal, for example. The MO and signature behaviors can also provide information that is useful during the interview and interrogation process as well as the trial.

54

27. Lee is a new security manager who is in charge of ensuring that his company complies with the European Union Principles on Privacy when his company is interacting with their European partners. The set of principles that deals with transmitting data considered private is encompassed within which of the following laws or regulations?

A. Data Protection Directive

B. Organisation for Economic Co-operation and Development

C. Federal Private Bill

D. Privacy Protection Law

Extended Questions:

CORRECT A. The European Union (EU) in many cases takes individual privacy much more seriously than most other countries in the world, so they have strict laws pertaining to data that are considered private, which are based on the European Union Principles on Privacy. This set of principles addresses using and transmitting information considered private in nature. The principles and how they are to be followed are encompassed within the EU’s Data Protection Directive. All states in Europe must abide by these principles to be in compliance, and any company wanting to do business with an EU company, which will include exchanging privacy type of data, must comply with this directive.

WRONG B is incorrect because the Organisation for Economic Co-operation and Development (OECD) is an international organization that helps different governments come together and tackle the economic, social, and governance challenges of a globalized economy. Because of this, the OECD came up with guidelines for the various countries to follow so that data are properly protected and everyone follows the same type of rules.

WRONG C is incorrect because this is a distracter answer. There is no official bill with this name.

WRONG D is incorrect because this is a distracter answer. There is no official law with this name.

55

Corroborative Evidence

Corroborative evidence is supporting evidence used to help prove an idea or point. It cannot stand on its own but is used as a supplementary tool to help prove a primary piece of evidence.

56

advanced persistent threat (APT)

In the computing world, we call this second type of attacker an advanced persistent threat (APT). This is a military term that has been around for ages, but since the digital world is becoming more of a battleground, this term is more relevant each and every day. How APTs differ from the regular old vanilla attacker is that an APT is commonly a group of attackers, not just one hacker, who combine knowledge and abilities to carry out whatever exploit will get them into the environment they are seeking. The APT is very focused and motivated to aggressively and successfully penetrate a network with various attack methods and then clandestinely hide its presence while achieving a well-developed, multilevel foothold in the environment. The "advanced" aspect of this term pertains to the expansive knowledge, capabilities, and skill base of the APT. The "persistent" component has to do with the fact that the attacker is not in a hurry to launch an attack quickly, but will wait for the most beneficial moment and attack vector to ensure that its activities go unnoticed. This is what we refer to as a "low-and-slow" attack. This type of attack is coordinated by human involvement, rather than being a virus-type threat that goes through automated steps to inject its payload. The APT has specific objectives and goals and is commonly highly organized and well-funded, which makes it the biggest threat of all.

57

Intentional

Examples include assault, intentional infliction of emotional distress, or false imprisonment.

58

Personal Information Protection and Electronic Documents Act (PIPEDA)

The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian law that deals with the protection of personal information. One of its main goals is to oversee how the private sector collects, uses, and discloses personal information in regular business activities. The law was enacted to help promote consumer trust and facilitate electronic commerce. It was also put into place to reassure other countries that Canadian businesses would protect privacy data so that cross-border transactions and business activities could take place in a more assured manner.

59

Disassembly and removal tools

Antistatic bands, pliers, tweezers, screwdrivers, wire cutters, and so on

60

The Evolution of Attacks

We have gone from bored teenagers with too much time on their hands to organized crime rings with very defined targets and goals.

About ten years ago, and even further back, hackers were mainly made up of people who just enjoyed the thrill of hacking. It was seen as a challenging game without any real intent of harm. Hackers used to take down large web sites (Yahoo!, MSN, Excite) so their activities made the headlines and they won bragging rights among their fellow hackers. Back then, virus writers created viruses that simply replicated or carried out some benign activity, instead of the more malicious actions they could have carried out. Unfortunately, today, these trends have taken on more sinister objectives.

61

Prescreening Personnel

Chapter 2 described why it is important to properly screen individuals before hiring them into a corporation. These steps are necessary to help the company protect itself and to ensure it is getting the type of employee required for the job. This chapter looks at some of the issues from the other side of the table, which deals with that individual’s privacy rights.

62

Circumstantial evidence

Circumstantial evidence can prove an intermediate fact that can then be used to deduce or assume the existence of another fact. This type of fact is used so the judge or jury will logically assume the existence of a primary fact. For example, if a suspect told a friend he was going to bring down eBay’s web site, a case could not rest on that piece of evidence alone because it is circumstantial. However, this evidence can cause the jury to assume that because the suspect said he was going to do it, and hours later it happened, maybe he was the one who did the crime.

63

expression

In the United States, copyright law protects the right of an author to control the public distribution, reproduction, display, and adaptation of his original work. The law covers many categories of work: pictorial, graphic, musical, dramatic, literary, pantomime, motion picture, sculptural, sound recording, and architectural. Copyright law does not cover the specific resource, as does trade secret law. It protects the expression of the idea of the resource instead of the resource itself. A copyright is usually used to protect an author’s writings, an artist’s drawings, a programmer’s source code, or specific rhythms and structures of a musician’s creation. Computer programs and manuals are just two examples of items protected under the Federal Copyright Act. The item is covered under copyright law once the program or manual has been written. Although including a warning and the copyright symbol (©) is not required, doing so is encouraged so others cannot claim innocence after copying another’s work.

64

Council of Europe (CoE) Convention on Cybercrime

The Council of Europe (CoE) Convention on Cybercrime is one example of an attempt to create a standard international response to cybercrime. In fact, it is the first international treaty seeking to address computer crimes by coordinating national laws and improving investigative techniques and international cooperation. The convention’s objectives include the creation of a framework for establishing jurisdiction and extradition of the accused. For example, extradition can only take place when the event is a crime in both jurisdictions.

65

15. If an employee is suspected of wrongdoing in a computer crime, what department must be involved?

  A. Human resources

  B. Legal

  C. Audit

  D. Payroll

15. A. It is imperative that the company gets human resources involved if an employee is considered a suspect in a computer crime. This department knows the laws and regulations pertaining to employee treatment and can work to protect the employee and the company at the same time.

66

Dignitary wrongs

Include invasion of privacy and civil rights violations.

67

The Increasing Need for Privacy Laws

Privacy is different from security, and although the concepts can intertwine, they are distinctly different. Privacy is the ability of an individual or group to control who has certain types of information about them. Privacy is an individual’s right to determine what data they would like others to know about themselves, which people are permitted to know that data, and when those people can access it. Security is used to enforce these privacy rights.

68

15. Which of the following best describes exigent circumstances?

A. The methods used to capture a suspect’s actions are neither legal nor ethical.

B. Enticement is used to capture a suspect’s actions.

C. Hacking does not actually hurt anyone.

D. The seizure of evidence by law enforcement because there is concern that a suspect will attempt to destroy it.

Extended Questions:

CORRECT D. Search and seizure activities can get tricky, depending on what is being searched for and where. In some circumstances, a law enforcement agent may seize evidence that is not included in the warrant, such as if the suspect tries to destroy the evidence. In other words, if there is an impending possibility that evidence might be destroyed, law enforcement may quickly seize the evidence to prevent its destruction. This is referred to as exigent circumstances, and a judge will later decide whether the seizure was proper and legal before allowing the evidence to be admitted. For example, if a police officer had a search warrant that allowed him to search a suspect’s living room but no other rooms, and then he saw the suspect dumping cocaine down the toilet, the police officer could seize the cocaine even though it was in a room not covered under his search warrant.

WRONG A is incorrect because entrapment is used to describe illegal and/or unethical methods that are used to capture a suspect’s actions. For example, suppose a Web page has a link that indicates that if an individual clicks it, she could then download thousands of MP3 files for free. However, when she clicks that link, she is taken to the honeypot system instead, and the company records all of her actions and attempts to prosecute. Entrapment does not prove that the suspect had the intent to commit a crime; it only proves she was successfully tricked.

WRONG B is incorrect because enticement means that legal and ethical means were used to capture a suspect’s actions, as opposed to illegal and unethical methods, which are referred to as entrapment. A honeypot serves as a good example of enticement. Companies put systems in their screened subnets that either emulate services that attackers usually like to take advantage of or actually have the services enabled. The hope is that if an attacker breaks into the company’s network, she will go right to the honeypot instead of the systems that are actual production machines. The attacker will be enticed to go to the honeypot system because it has many open ports and services running and exhibits vulnerabilities that the attacker would want to exploit. The company can log the attacker’s actions and later attempt to prosecute.

WRONG C is incorrect because the idea that hacking does not actually hurt anyone is a common ethical fallacy. It is used by some in the computing world to justify unethical acts, such as capturing passwords and using them to gain unauthorized access to network resources. The phrase does not define exigent circumstances.

69

Cybersquatting

If you want this domain name it will cost 30 gazillion dollars.

While cybersquatting is not necessarily an attack method, it is a common issue that companies run into, which requires getting legal counsel involved.

70

Do You Trust Your Neighbor?

Most organizations do not like to think about the fact that the enemy might be inside and working internally to the company. It is more natural to view threats as the faceless unknowns that reside outside our environment. Employees have direct and privileged access to a company’s assets, and they are commonly not monitored as closely as traffic entering the network from external entities. The combination of too much trust, direct access, and the lack of monitoring allows a lot of internal fraud and abuse to go unnoticed.

71

vendor management governing

A vendor management governing process needs to be set up, which includes performance metrics, service level agreements (SLAs), scheduled meetings, a reporting structure, and someone who is directly responsible. Your company is always responsible for its own risk. Just because it farms out some piece of its operations does not absolve it of this responsibility. The company needs to have a holistic program that defines procurement, contracting, vendor assessment, and monitoring to make sure things are continually healthy and secure.

72

record

An actual record is information about an individual’s education, medical history, financial history, criminal history, employment, and other similar types of information. Government agencies can maintain this type of information only if it is necessary and relevant to accomplishing the agency’s purpose. The Federal Privacy Act dictates that an agency cannot disclose this information without written permission from the individual. However, like most government acts, legislation, and creeds, there is a list of exceptions.

73

12. Why is computer-generated documentation usually considered unreliable evidence?

  A. It is primary evidence.

  B. It is too difficult to detect prior modifications.

  C. It is corroborative evidence.

  D. It is not covered under criminal law, but it is covered under civil law.

12. B. It can be very difficult to determine if computer-generated material has been modified before it is presented in court. Since this type of evidence can be altered without being detected, the court cannot put a lot of weight on this evidence. Many times, computer-generated evidence is considered hearsay in that there is no firsthand proof backing it up.

74

A Few Different Attack Types

Several categories of computer crimes can be committed, and different methods exist to commit those crimes. The following sections go over some of the types of computer fraud and abuse.

75

Scientific Working Group on Digital Evidence (SWGDE)

When we covered laws earlier in the chapter, we discussed how important it is to standardize different countries’ attitudes and approaches to computer crime, since computer crimes often take place across international boundaries. The same thing is true of forensics. Digital evidence must be handled in a similarly careful fashion so it can be used in different courts, no matter what country is prosecuting a suspect. The International Organization on Computer Evidence (IOCE) was created to develop international principles dealing with how digital evidence is to be collected and handled so that various courts will recognize and use the evidence in the same manner. Within the United States, there is the Scientific Working Group on Digital Evidence (SWGDE), which also aims to ensure consistency across the forensic community. The principles developed by IOCE and SWGDE for the standardized recovery of computer-based evidence are governed by the following attributes:

76

Surveillance, Search, and Seizure

Two main types of surveillance are used when it comes to identifying computer crimes: physical surveillance and computer surveillance. Physical surveillance pertains to security cameras, security guards, and closed-circuit TV (CCTV), which may capture evidence. Physical surveillance can also be used by an undercover agent to learn about the suspect’s spending activities, family and friends, and personal habits in the hope of gathering more clues for the case.

77

digital evidence

Forensics is a science and an art that requires specialized techniques for the recovery, authentication, and analysis of electronic data for the purposes of a digital criminal investigation. It is the coming together of computer science, information technology, and engineering with law. When discussing computer forensics with others, you might hear the terms digital forensics, network forensics, electronic data discovery, cyberforensics, and forensic computing. (ISC)2 uses computer forensics as a synonym for all of these other terms, so that’s what you’ll see on the CISSP exam. Computer forensics encompasses all domains in which evidence is in a digital or electronic form, either in storage or on the wire. At one time computer forensics results were differentiated from network and code analysis, but now this entire area is referred to as digital evidence.

78

Personally identifiable information (PII)

Personally identifiable information (PII) is data that can be used to uniquely identify, contact, or locate a single person or can be used with other sources to uniquely identify a single individual. It needs to be highly protected because it is commonly used in identity theft, financial crimes, and various criminal activities.

79

Data diddling

Data diddling refers to the alteration of existing data. Many times, this modification happens before the data is entered into an application or as soon as it completes processing and is output from an application. For instance, if a loan processor is entering information for a customer’s loan of $100,000, but instead enters $150,000 and then moves the extra approved money somewhere else, this would be a case of data diddling. Another example is if a cashier enters an amount of $40 into the cash register, but really charges the customer $60 and keeps the extra $20.

80

22. Many privacy laws dictate which of the following rules?

  A. Individuals have a right to remove any data they do not want others to know.

  B. Agencies do not need to ensure that the data are accurate.

  C. Agencies need to allow all government agencies access to the data.

  D. Agencies cannot use collected data for a purpose different from what they were collected for.

22. D. The Federal Privacy Act of 1974 and the European Union Principles on Privacy were created to protect citizens from government agencies that collect personal data. These acts have many stipulations, including that the information can only be used for the reason for which it was collected.

81

7. Which of the following means that a company did all it could have reasonably done to prevent a security breach?

A. Downstream liability

B. Responsibility

C. Due diligence

D. Due care

Extended Questions:

CORRECT D. Due care means that a company did all it could have reasonably done, under the circumstances, to prevent security breaches, and also took reasonable steps to ensure that if a security breach did take place, proper controls or countermeasures were in place to mitigate the damages. In short, due care means that a company practiced common sense and prudent management and acted responsibly. If a company has a facility that burns to the ground, the arsonist is only one small piece of this tragedy. The company is responsible for providing fire detection and suppression systems, fire-resistant construction material in certain areas, alarms, exits, fire extinguishers, and backups of all the important information that could be affected by a fire. If a fire burns a company’s building to the ground and consumes all the records (customer data, inventory records, and similar information that is necessary to rebuild the business), then the company did not exercise due care to ensure it was protected from such loss (by backing up to an offsite location, for example). In this case, the employees, shareholders, customers, and everyone affected could potentially successfully sue the company. However, if the company did everything expected of it in the previously listed respects, it is harder to successfully sue for failure to practice due care.

WRONG A is incorrect because downstream liability means that one company’s activities—or lack of them—can negatively affect another company. If one of the companies does not provide the necessary level of protection and its negligence affects a partner it is working with, the affected company can sue the upstream company. For example, let’s say company A and company B have constructed an extranet. Company A does not put in controls to detect and deal with viruses. Company A gets infected with a destructive virus, which is spread to company B through the extranet. The virus corrupts critical data and causes a massive disruption to company B’s production. Therefore, company B can sue company A for being negligent. This is an example of downstream liability.

WRONG B is incorrect because responsibility generally refers to the obligations and expected actions and behaviors of a particular party. An obligation may have a defined set of specific actions that are required, or a more general and open approach, which enables the party to decide how it will fulfill the particular obligation. Due diligence is a better answer to this question. Responsibility is not considered a legal term as the other answers are.

WRONG C is incorrect because due diligence means that the company properly investigated all of its possible weaknesses and vulnerabilities. Before you can figure out how to properly protect yourself, you need to find out what it is you are protecting yourself against. This is what due diligence is all about—researching and assessing the current level of vulnerabilities so that the true risk level is understood. Only after these steps and assessments take place can effective controls and safeguards be identified and implemented. Due diligence is identifying all of the potential risks and due care is actually doing something to mitigate those risks.

82

Jan’s company develops software that provides cryptographic functionality. The software products provide functionality that allows companies to be compliant with their privacy regulations and laws.

29. Which of the following is the most important functionality the software should provide to meet its customers’ needs?

  A. Provide Safe Harbor protection

  B. Protect personally identifiable information

  C. Provide transborder flow protection

  D. Provide live forensics capabilities

29. B. Personally identifiable information (PII) is data that can be used to uniquely identify, contact, or locate a single person or can be used with other sources to uniquely identify a single individual. This type of data commonly falls under privacy laws and regulation protection requirements.

83

The control objectives are implemented via 12 requirements, as stated at https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml:

  • Use and maintain a firewall.
  • Reset vendor defaults for system passwords and other security parameters.
  • Protect cardholder data at rest.
  • Encrypt cardholder data when they are transmitted across public networks.
  • Use and update antivirus software.
  • Systems and applications must be developed with security in mind.
  • Access to cardholder data must be restricted by business "need to know."
  • Each person with computer access must be assigned a unique ID.
  • Physical access to cardholder data should be restricted.
  • All access to network resources and cardholder data must be tracked and monitored.
  • Security systems and processes must be regularly tested.
  • A policy must be maintained that addresses information security.

84

Digital Millennium Copyright Act (DMCA)

The individual was arrested and prosecuted under the Digital Millennium Copyright Act (DMCA), which makes it illegal to create products that circumvent copyright protection mechanisms. Interestingly enough, many computer-oriented individuals protested this person’s arrest, and the company prosecuting (Adobe) quickly decided to drop all charges.

85

Secondary evidence

Secondary evidence is not viewed as reliable and strong in proving innocence or guilt (or liability in civil cases) when compared to best evidence. Oral evidence, such as a witness’s testimony, and copies of original documents are placed in the secondary evidence category.

86

Personal Information

A company that holds medical information, Medical Information, Inc., does not have strict procedures on how patient information is disseminated or shared.

87

Dumpster Diving

I went through your garbage and found your Social Security number, credit card number, network schematics, mother’s maiden name, and evidence that you wear funny underwear.

Dumpster diving refers to the concept of rummaging through a company or individual’s garbage for discarded documents, information, and other precious items that could then be used in an attack against that company or person. The intruder would have to gain physical access to the premises, but the area where the garbage is kept is usually not highly guarded. Dumpster diving is unethical, but it’s not illegal. Trespassing is illegal, however, and may be done in the process of dumpster diving. (Laws concerning this may vary in different jurisdictions.)

88

Minimum Capital Requirements

Measures the risk and spells out the calculation for determining the minimum capital required.

89

Best evidence

Best evidence is the primary evidence used in a trial because it provides the most reliability. An example of something that would be categorized as best evidence is an original signed contract. Oral evidence is not considered best evidence because there is no firsthand reliable proof that supports its validity, and it therefore does not have as good a standing as legal documents. Oral evidence cannot be used to dispute a legal document, but it can be used to interpret the document.

90

3. Different countries have different legal systems. Which of the following correctly describes customary law?

A. Not many countries work under this law purely; most instead use a mixed system where this law, which deals mainly with personal conduct and patterns of behavior, is an integrated component.

B. It covers all aspects of human life, but is commonly divided into responsibilities and obligations to others, and religious duties.

C. It is a rule-based law focused on codified law.

D. Based on previous interpretations of laws, this system reflects the community’s morals and expectations.

Extended Questions:

CORRECT A. Customary law deals primarily with personal conduct and patterns of behavior. It is based on the traditions and customs of the region. It came about as communities emerged and the cooperation of individuals became necessary. Not many countries work under a purely customary law system; most instead use a mixed system where customary law is an integrated component. (Codified civil law systems emerged from customary law.) Customary law is mainly used in regions of the world that have mixed legal systems; for example, China and India. Restitution in a customary law system is commonly in the form of a monetary fine or service.

WRONG B is incorrect because it describes religious law systems. Where customary law deals mainly with personal conduct and patterns of behavior, religious law systems are commonly divided into responsibilities and obligations to others, and religious duties. Religious law systems are based on the religious beliefs of a region. In Islamic countries, for example, the law is based on the rules of the Koran. The law, however, is different in every Islamic country.

WRONG C is incorrect because civil (code) law is rule-based and, for the most part, is focused on codified law, i.e., laws that are written down. Civil law is the most widespread legal system in the world and the most common legal system in Europe. It is established by states or nations for self-regulation; thus, civil law can be divided into subdivisions such as French civil law, German civil law, etc.

WRONG D is incorrect because common law is based on previous interpretations of laws. In the past, judges would walk throughout the country enforcing laws and settling disputes. They did not have a written set of laws, so they based their laws on custom and precedent. This system reflects the community’s morals and expectations.

91

Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act (HIPAA), a U.S. federal regulation, has been mandated to provide national standards and procedures for the storage, use, and transmission of personal medical information and healthcare data. This regulation provides a framework and guidelines to ensure security, integrity, and privacy when handling confidential medical information. HIPAA outlines how security should be managed for any facility that creates, accesses, shares, or destroys medical information.

92

Electronic Assets

Another complexity that the digital world has brought upon society is defining what has to be protected and to what extent. We have gone through a shift in the business world pertaining to assets that need to be protected. Fifteen years ago and more, the assets that most companies concerned themselves with protecting were tangible ones (equipment, building, manufacturing tools, inventory). Now companies must add data to their list of assets, and data are usually at the very top of that list: product blueprints, Social Security numbers, medical information, credit card numbers, personal information, trade secrets, military deployment and strategies, and so on. Although the military has always had to worry about keeping their secrets secret, they have never had so many entry points to the secrets that had to be controlled. Companies are still having a hard time not only protecting their data in digital format, but defining what constitutes sensitive data and where that data should be kept.

93

1. Cyberlaw categorizes computer-related crime into three categories. Which of the following is an example of a crime in which the use of a computer would be categorized as incidental?

A. Carrying out a buffer overflow to take control of a system

B. The electronic distribution of child pornography

C. Attacking financial systems to steal funds

D. Capturing passwords as they are sent to the authentication server

Extended Questions:

CORRECT B. Laws have been created to combat three categories of crime: computer-assisted, computer-targeted, and computer is incidental. If a crime falls into the "computer is incidental" category, this means a computer just happened to be involved in some secondary manner, but its involvement is insignificant. The digital distribution of child pornography is an example of "computer is incidental." The actual crime is obtaining and sharing child pornography pictures or graphics. The pictures could be stored on a file server, or they could be kept in a physical file in someone’s desk. So if a crime falls within this category, the computer is not attacking another computer, and a computer is not being attacked, but the computer is still used in some manner. Thus, the computer is a source of additional evidence related to the crime.

WRONG A is incorrect because carrying out a buffer overflow to take control of a system is an example of a computer-targeted crime. A computer-targeted crime concerns incidents where a computer was the victim of an attack crafted to harm it (and its owners) specifically. Other examples of computer-targeted crimes include distributed denial-of-service attacks, installing malware with the intent to cause destruction, and installing rootkits and sniffers for malicious purposes.

WRONG C is incorrect because attacking financial systems to steal funds is an example of a computer-assisted crime. A computer-assisted crime is where a computer was used as a tool to help carry out a crime. Other examples of computer-assisted crimes include obtaining military and intelligence material by attacking military systems, and carrying out information warfare activities by attacking critical national infrastructure systems.

WRONG D is incorrect because capturing passwords as they are sent to the authentication server is an example of a computer-targeted crime. Some confusion typically exists between the two categories, "computer-assisted crimes" and "computer-targeted crimes," because intuitively it would seem any attack would fall into both of these categories. One way to look at it is that a computer-targeted crime could not take place without a computer, while a computer-assisted crime could. Thus, a computer-targeted crime is one that did not, and could not, exist before computers became of common use. In other words, in the good old days, you could not carry out a buffer overflow on your neighbor, or install malware on your enemy’s system. These crimes require that computers be involved.

94

Motive, Opportunity, and Means

MOM did it.

Today’s computer criminals are similar to their traditional counterparts. To understand the "whys" in crime, it is necessary to understand the motive, opportunity, and means—or MOM. This is the same strategy used to determine the suspects in a traditional, noncomputer crime.

95

4. Widgets Inc. wishes to protect its logo from unauthorized use. Which of the following will protect the logo and ensure that others cannot copy and use it?

A. Patent

B. Copyright

C. Trademark

D. Trade secret

Extended Questions:

CORRECT C. Intellectual property can be protected by several different laws, depending upon the type of resource it is. A trademark is used to protect a word, name, symbol, sound, shape, color, or combination of these—such as a logo. The reason a company would trademark one of these, or a combination, is that it represents their company (brand identity) to a group of people or to the world. Companies have marketing departments that work very hard in coming up with something new that will cause the company to be noticed and stand out in a crowd of competitors, and trademarking the result of this work with a government registrar is a way of properly protecting it and ensuring others cannot copy and use it.

WRONG A is incorrect because a patent covers an invention, whereas a trademark protects a word, name, symbol, sound, shape, color, or combination thereof. Patents are given to individuals or companies to grant them legal ownership of, and enable them to exclude others from using or copying, the invention covered by the patent. The invention must be novel, useful, and not obvious. A patent is the strongest form of intellectual property protection.

WRONG B is incorrect because in the United States, copyright law protects the right of an author to control the public distribution, reproduction, display, and adaptation of his original work. The law covers many categories of work: pictorial, graphic, musical, dramatic, literary, pantomimes, motion picture, sculptural, sound recording, and architectural. Copyright law does not cover the specific resource. It protects the expression of the idea of the resource instead of the resource itself. A copyright law is usually used to protect an author’s writings, an artist’s drawings, a programmer’s source code, or specific rhythms and structures of a musician’s creation.

WRONG D is incorrect because trade secret law protects certain types of information or resources from unauthorized use or disclosure. For a company to have its resource qualify as a trade secret, the resource must provide the company with some type of competitive value or advantage. A trade secret can be protected by law if developing it requires special skill, ingenuity, and/or expenditure of money and effort.

96

Types of Legal Systems

As stated earlier, different countries often have different legal systems. In this section, we will cover the core components of these systems and what differentiates them.

97

Means

Means pertains to the abilities a criminal would need to be successful. Suppose a crime fighter was asked to investigate a complex embezzlement that took place within a financial institution. If the suspects were three people who knew how to use a mouse, keyboard, and a word processing application, but only one of them was a programmer and system analyst, the crime fighter would realize that this person may have the means to commit this crime much more successfully than the other two individuals.

98

9. A suspected crime has been reported within your organization. Which of the following steps should the incident response team take first?

A. Establish a procedure for responding to the incident.

B. Call in forensics experts.

C. Determine that a crime has been committed.

D. Notify senior management.

Extended Questions:

CORRECT C. When a suspected crime is reported, the incident response team should follow a set of predetermined steps to ensure uniformity in their approach and make sure no steps are skipped. First, the incident response team should investigate the report and determine that an actual crime has been committed. If the team determines that a crime has been carried out, senior management should be informed immediately. At this point, the company must decide if it wants to conduct its own forensics investigation or call in external experts.

WRONG A is incorrect because a procedure for responding to an incident should be established before an incident takes place. Incident handling is commonly a recovery plan that responds to malicious technical threats. While the primary goal of incident handling is to contain and mitigate any damage caused by an incident and to prevent any further damage, other objectives include detecting a problem, determining its cause, resolving the problem, and documenting the entire process.

WRONG B is incorrect because calling in a forensics team does not occur until the incident response team has investigated the report and verified that a crime has occurred. Then the company can decide if it wants to conduct its own forensics investigation or call in external experts. If experts are going to be called in, the system that was attacked should be left alone in order to try and preserve as much evidence of the attack as possible.

WRONG D is incorrect because the incident response team must first determine that a crime has indeed been carried out before it can notify senior management. There is no need to alarm senior management if the report is false.

99

22. Great care must be taken to capture clues from a computer or device during a forensics exercise. Which of the following does not correctly describe the efforts that should be taken to protect an image?

A. The original image should be hashed with MD5 or SHA-256.

B. Two time-stamps should be created.

C. New media should be properly purged before images are created on them.

D. Some systems must be imaged while they are running.

Extended Questions:

CORRECT D. Acquiring evidence on live systems and those using network storage complicates matters because you cannot turn off the system in order to make a copy of the hard drive. Business-critical systems commonly cannot suffer downtime. So these systems and others, such as those using on-the-fly encryption, must be imaged while they are running. Thus, the answer, "Some systems must be imaged while they are running," is correct in and of itself. However, this measure is not one that is taken to protect an image, as the question specifies. It is taken to avoid interrupting business operations.

WRONG A is incorrect because hashing the original image with MD5 or SHA-256 is a measure that is taken to protect the original image during the investigative process. To ensure that the original image is not modified, it is important to create message digests for files and directories before and after the analysis to prove the integrity of the original image. MD5 and SHA-256 are just two of the hashing algorithms that can be used to ensure the integrity of image data.

WRONG B is incorrect because two time-stamps should be created to ensure the integrity of the data during the investigative process. The original media should have two copies created: a primary image (a control copy that is stored in a library) and a working image (used for analysis and evidence collection). These should be time-stamped to show when the evidence was collected. The investigator works from the duplicate image because it preserves the original evidence, prevents inadvertent alteration of original evidence during examination, and allows re-creation of the duplicate image if necessary.

WRONG C is incorrect because when newly created images need to be saved to a new medium, the medium has to be "clean" of any residual data. Purging a new medium before an image is created and saved to it is a necessary measure to ensure that any old data does not contaminate the images. The investigator must make sure the new medium has been properly purged, meaning it does not contain any residual data. Some incidents have occurred where drives that were new and right out of the box (shrink-wrapped) contained old data not purged by the vendor.

100

23. Which of the following is not true about dumpster diving?

  A. It is legal.

  B. It is illegal.

  C. It is a breach of physical security.

  D. It is gathering data from places people would not expect to be raided.

23. B. Dumpster diving is the act of going through someone’s trash with the hope of uncovering useful information. Dumpster diving is legal if it does not involve trespassing, but it is unethical.

101

The full (ISC)2 Code of Ethics for the CISSP is listed on the (ISC)2 site at www.isc2.org. The following list is an overview, but each CISSP candidate should read the full version and understand the Code of Ethics before attempting this exam:

  • Act honorably, honestly, justly, responsibly, and legally, and protect society.
  • Work diligently, provide competent services, and advance the security profession.
  • Encourage the growth of research—teach, mentor, and value the certification.
  • Discourage unnecessary fear or doubt, and do not consent to bad practices.
  • Discourage unsafe practices, and preserve and strengthen the integrity of public infrastructures.
  • Observe and abide by all contracts, expressed or implied, and give prudent advice.
  • Avoid any conflict of interest, respect the trust that others put in you, and take on only those jobs you are fully qualified to perform.
  • Stay current on skills, and do not become involved with activities that could injure the reputation of other security professionals.

102

2. Intentionally accessing a computer without authorization to obtain:

  • Information contained in a financial record of a financial institution, or contained in a file of a consumer reporting agency on a consumer.
  • Information from any department or agency of the United States.
  • Information from any protected computer if the conduct involves an interstate or foreign communication.

103

11. Which of the following is a correct statement regarding computer forensics?

A. It is the study of computer technology.

B. It is a set of hardware-specific processes that must be followed in order for evidence to be admissible in a court of law.

C. It encompasses network and code analysis, and may be referred to as electronic data discovery.

D. Computer forensics responsibilities should be assigned to a network administrator before an incident occurs.

Extended Questions:

CORRECT C. Forensics is a science and an art that requires specialized techniques for the recovery, authentication, and analysis of electronic data that could have been affected by a criminal act. It is the coming together of computer science, information technology, and engineering with the legal system. When discussing computer forensics with others, you might hear the terms digital forensics, network forensics, electronic data discovery, cyber forensics, and forensic computing. (ISC)2 uses computer forensics as a synonym for all of these other terms, so that’s what you will most likely see on the CISSP exam. Computer forensics encompasses all domains in which evidence is in a digital or electronic form, either in storage or on the wire.

WRONG A is incorrect because computer forensics involves more than just the study of information technology. It encompasses the study of information technology but stretches into evidence gathering and protecting and working within specific legal systems.

WRONG B is incorrect because computer forensics does not refer to hardware or software. It is a set of specific processes relating to reconstruction of computer usage, examination of residual data, authentication of data by technical analysis or explanation of technical features of data, and computer usage that must be followed in order for evidence to be admissible in a court of law.

WRONG D is incorrect because computer forensics should be conducted by people with the proper training and skill set, which could or could not be the network administrator. Digital evidence can be fragile and must be worked with appropriately. If someone reboots the attacked system or inspects various files, it could corrupt viable evidence, change timestamps on key files, and erase footprints the criminal may have left.

104

Economic wrongs

Examples include patent, copyright, and trademark infringement.

105

6. If your company gives you a new PC and you find residual information about confidential company issues, what should you do based on the (ISC)2 Code of Ethics?

  A. Contact the owner of the file and inform him about it. Copy it to a disk, give it to him, and delete your copy.

  B. Delete the document because it was not meant for you.

  C. Inform management of your findings so it can make sure this type of thing does not happen again.

  D. E-mail it to both the author and management so everyone is aware of what is going on.

6. C. When dealing with the possible compromise of confidential company information or intellectual property, management should be informed and be involved as soon as possible. Management members are the ones who are ultimately responsible for this data and who understand the damage its leakage can cause. An employee should not attempt to address and deal with these issues on his own.

106

Safeguards Rule

Develop a written information security plan that describes how the company is prepared for, and plans to continue to protect, clients’ nonpublic personal information.

107

Enforcement

There must be effective means of enforcing these rules.

108

The Computer Ethics Institute

The Computer Ethics Institute is a nonprofit organization that works to help advance technology by ethical means.

109

7. Why is it difficult to investigate computer crime and track down the criminal?

  A. Privacy laws are written to protect people from being investigated for these types of crimes.

  B. Special equipment and tools are necessary to detect these types of criminals.

  C. Criminals can hide their identity and hop from one network to the next.

  D. The police have no jurisdiction over the Internet.

7. C. Spoofing one’s identity and being able to traverse anonymously through different networks and the Internet increase the complexity and difficulty of tracking down criminals who carry out computer crimes. It is very easy to commit many damaging crimes from across the country or world, and this type of activity can be difficult for law enforcement to track down.

110

Federal Privacy Act of 1974

In the mid-1960s, a proposal was made that the U.S. government compile and collectively hold in a main federal data bank each individual’s information pertaining to the Social Security Administration, the Census Bureau, the Internal Revenue Service, the Bureau of Labor Statistics, and other limbs of the government. The committee that made this proposal saw this as an efficient way of gathering and centralizing data. Others saw it as a dangerous move against individual privacy and too "Big Brother." The federal data bank never came to pass because of strong opposition.

111

Gramm-Leach-Bliley Act of 1999 (GLBA)

The Gramm-Leach-Bliley Act of 1999 (GLBA) requires financial institutions to develop privacy notices and give their customers the option to prohibit financial institutions from sharing their information with nonaffiliated third parties. The act dictates that the board of directors is responsible for many of the security issues within a financial institution, that risk management must be implemented, that all employees need to be trained on information security issues, and that implemented security measures must be fully tested. It also requires these institutions to have a written security policy in place.

112

Access

Individuals must be able to access information held about them, and correct or delete it if it is inaccurate.

113

Discover’s program

Discover Information Security and Compliance program (DISC)

114

Motive

Motive is the "who" and "why" of a crime. The motive may be induced by either internal or external conditions. A person may be driven by the excitement, challenge, and adrenaline rush of committing a crime, which would be an internal condition. Examples of external conditions might include financial trouble, a sick family member, or other dire straits. Understanding the motive for a crime is an important piece in figuring out who would engage in such an activity. For example, in the past many hackers attacked big-name sites because when the sites went down, it was splashed all over the news. However, once technology advanced to the point where attacks could not bring down these sites, or once these activities were no longer so highly publicized, the individuals eventually stopped initiating these types of attacks because their motives were diminished.

115

Secondary Evidence

Secondary evidence is not viewed as reliable and strong in proving innocence or guilt (or liability in civil cases) when compared to best evidence. Oral evidence, such as a witness’s testimony, and copies of original documents are placed in the secondary evidence category.

116

11. The chain of custody of evidence describes who obtained the evidence and __________.

  A. Who secured it and stole it

  B. Who controlled it and broke it

  C. Who secured it and validated it

  D. Who controlled it and duplicated it

11. C. The chain of custody outlines a process to ensure that under no circumstance was there a possibility for the evidence to be tampered with. If the chain of custody is broken, there is a high probability that the evidence will not be admissible in court. If it is admitted, it will not carry as much weight.

117

The incident response team should have the following basic items available:

  • A list of outside agencies and resources to contact or report to.
  • Roles and responsibilities outlined.
  • A call tree to contact these roles and outside entities.
  • A list of computer or forensics experts to contact.
  • Steps on how to secure and preserve evidence.
  • A list of items that should be included on a report for management and potentially the courts.
  • A description of how the different systems should be treated in this type of situation. (For example, the systems should be removed from both the Internet and the network and powered down.)

118

Password Sniffing

I think I smell a password!

Password sniffing is just what it sounds like—sniffing network traffic with the hope of capturing passwords being sent between computers. Several tools are available on the Internet that provide this functionality. Capturing a password is tricky, because it is a piece of data that is usually only used when a user wants to authenticate into a domain or access a resource. Some systems and applications do send passwords over the network in cleartext, but a majority of them do not anymore. Instead, the software performs a one-way hashing function on the password and sends only the resulting value to the authenticating system or service. The authenticating system has a file containing all users’ password hash values, not the passwords themselves, and when the authenticating system is asked to verify a user’s password, it compares the hashing value sent to what it has in its file.

119

Laws, Directives, and Regulations

Regulation in computer and information security covers many areas for many different reasons. Some issues that require regulation are data privacy, computer misuse, software copyright, data protection, and controls on cryptography. These regulations can be implemented in various arenas, such as government and private sectors for reasons dealing with environmental protection, intellectual property, national security, personal privacy, public order, health and safety, and prevention of fraudulent activities.

120

While often overlooked, it is critical that information security issues are addressed in many of the contracts organizations use or enter into during regular business activities. Security considerations should be taken for at least the following contract types:

  • Outsourcing agreements
  • Hardware supply
  • System maintenance and support
  • System leasing agreements
  • Consultancy service agreements
  • Web site development and support
  • Nondisclosure and confidentiality agreements
  • Information security management agreements

121

The IAB considers the following acts as unethical and unacceptable behavior:

  • Purposely seeking to gain unauthorized access to Internet resources
  • Disrupting the intended use of the Internet
  • Wasting resources (people, capacity, and computers) through purposeful actions
  • Destroying the integrity of computer-based information
  • Compromising the privacy of others
  • Conducting Internet-wide experiments in a negligent manner

122

Corporate Ethics Programs

More regulations are requiring organizations to have an ethical statement and potentially an ethical program in place. This has been brought on by a lot of slimy things that have taken place in the past that were known about and encouraged by executive management, even if they don’t admit it. The ethical program is to serve as the "tone at the top," which means that the executives need to not only ensure that their employees are acting ethically, but that they themselves are following their own rules. The main goal is to ensure that the motto "succeed by any means necessary" is not the spoken or unspoken culture of a work environment. Certain structures can be put into place that provide a breeding ground for unethical behavior. If the CEO gets more in salary based on stock prices, then he may find ways to artificially inflate stock prices, which can directly hurt the investors and shareholders of the company. If managers can only be promoted based on the amount of sales they bring in, these numbers may be fudged and not represent reality. If an employee can only get a bonus if a low budget is maintained, he might be willing to take shortcuts that could hurt company customer service or product development. Although ethics seem like things that float around in the ether and make us feel good to talk about, they have to be actually implemented in the real corporate world through proper business processes and management styles.

123

relevant

For evidence to be relevant, it must have a reasonable and sensible relationship to the findings. If a judge rules that a person’s past traffic tickets cannot be brought up in a murder trial, this means the judge has ruled that the traffic tickets are not relevant to the case at hand. Therefore, the prosecuting lawyer cannot even mention them in court.

124

containment

The next stage is containment. In the medical world, if you were found to have tuberculosis, you would be put in an isolation room because no one wants to catch your cooties. In the containment phase, the damage must be mitigated. In the computer world, this could mean that an infected server is taken off the network, firewall configurations are changed to stop an attacker, or the system that is under attack is disconnected from the Internet.

125

Choice

Individuals must have the ability to opt out of the collection and forward transfer of the data to third parties.

126

30. Which of the following has an incorrect definition mapping?

i. Best evidence is the primary evidence used in a trial because it provides the most reliability.

ii. Secondary evidence is not viewed as reliable and strong in proving innocence or guilt (or liability in civil cases) when compared to best evidence.

iii. Conclusive evidence is refutable and cannot be contradicted.

iv. Circumstantial evidence can prove an intermediate fact that can then be used to deduce or assume the existence of another fact.

v. Hearsay evidence pertains to oral or written evidence presented in court that is secondhand and has no firsthand proof of accuracy or reliability.

  A. i

  B. ii

  C. iii

  D. v

30. C. The following has the proper definition mappings:

i. Best evidence is the primary evidence used in a trial because it provides the most reliability.

ii. Secondary evidence is not viewed as reliable and strong in proving innocence or guilt (or liability in civil cases) when compared to best evidence.

iii. Conclusive evidence is irrefutable and cannot be contradicted.

iv. Circumstantial evidence can prove an intermediate fact that can then be used to deduce or assume the existence of another fact.

v. Hearsay evidence pertains to oral or written evidence presented in court that is secondhand and has no firsthand proof of accuracy or reliability.

127

Patents

Patents are given to individuals or companies to grant them legal ownership of, and enable them to exclude others from using or copying, the invention covered by the patent. The invention must be novel, useful, and not obvious—which means, for example, that a company could not patent air. Thank goodness. If a company figured out how to patent air, we would have to pay for each and every breath we took!

128

Stephanie has been put in charge of developing incident response and forensics procedures her company needs to carry out if an incident occurs. She needs to ensure that their procedures map to the international principles for gathering and protecting digital evidence. She also needs to ensure that if and when internal forensics teams are deployed, they have labels, tags, evidence bags, cable ties, imaging software, and other associated tools.

30. Which of the following best describes the organization that developed the best practices that Stephanie needs to ensure her company’s procedures map to?

A. Internet Activities Board

B. International Organization on Computer Evidence

C. Department of Defense Forensics Committee

D. International Forensics Standards Board

Extended Questions:

CORRECT B. The International Organization on Computer Evidence (IOCE) was appointed to draw up international principles for the procedures relating to digital evidence, to ensure the harmonization of methods and practices among nations, and to guarantee the ability to use digital evidence collected by one national state in the courts of another state. The principles developed by IOCE for the standardized recovery of computer-based evidence are governed by the following attributes:

• Consistency with all legal systems

• Allowance for the use of a common language

• Durability

• Ability to cross international and state boundaries

• Ability to instill confidence in the integrity of evidence

• Applicability to all forensic evidence

• Applicability at every level, including that of individual, agency, and country

WRONG A is incorrect because the Internet Architecture Board (IAB) is the coordinating committee for Internet design, engineering, and management. It is responsible for the architectural oversight of the Internet Engineering Task Force (IETF) activities, Internet Standards Process oversight and appeal, and editor of Request for Comments (RFCs). This organization used to be called the Internet Activities Board but now goes under the new name of Internet Architecture Board.

WRONG C is incorrect because this is a distracter answer. There is no official group with this name.

WRONG D is incorrect because this is a distracter answer. There is no official group with this name.

31. Which of the following best describes what Stephanie needs to build for the deployment teams?

A. Local and remote imaging system

B. Forensics field kit

C. Chain of custody procedures and tools

D. Digital evidence collection software

CORRECT B. When forensics teams are deployed to investigate a potential crime, they should be properly equipped with all of the tools and supplies needed. The following are some of the common items in the forensics field kits:

• Documentation tools—Tags, labels, and timelined forms

• Disassembly and removal tools—Antistatic bands, pliers, tweezers, screwdrivers, wire cutters, and so on

• Package and transport supplies—Antistatic bags, evidence bags and tape, cable ties, and others

WRONG A is incorrect because imaging software and tools only make up some of the tools that a forensics team needs. These types of tools do not include the items identified in the question, which are labels, tags, evidence bags, cable ties, imaging software, and other associated tools. These items should be organized and be in a field kit.

WRONG C is incorrect because chain of custody procedures and tools only make up some of the components that a forensics team needs. These types of tools do not include the items identified in the question, which are labels, tags, evidence bags, cable ties, imaging software, and other associated tools. These items should be organized and be in a field kit. A chain of custody is a history that shows how evidence was collected, analyzed, transported, and preserved in order to be presented in court. Because electronic evidence can be easily modified, a clearly defined chain of custody demonstrates that the evidence is trustworthy.

WRONG D is incorrect because digital evidence collection tools only make up some of the components that a forensics team needs. These types of tools do not include the items identified in the question, which are labels, tags, evidence bags, cable ties, imaging software, and other associated tools. These items should be organized and be in a field kit. There are specialized software suites that allow forensics personnel to properly collect, analyze, and manage digital evidence through its life cycle. They are important, but only one component of an overall forensics kit.

129

Jan’s company develops software that provides cryptographic functionality. The software products provide functionality that allows companies to be compliant with applicable privacy regulations and laws.

28. Which of the following groups should Jan suggest that her company join for software piracy issues?

  A. Software Protection Association

  B. Federation Against Software Theft

  C. Business Software Association

  D. Piracy International Group

28. A. Software Protection Association (SPA) has been formed by major companies to enforce proprietary rights of software. The association was created to protect the founding companies’ software developments, but it also helps others ensure that their software is properly licensed. These are huge issues for companies that develop and produce software, because a majority of their revenue comes from licensing fees.

130

Hacker Intrusion

A financial institution, Cheapo, Inc., buys the necessary middleware to enable it to offer online bank account transactions for its customers. It does not add any of the necessary security safeguards required for this type of transaction to take place over the Internet.

131

Package and transport supplies

Antistatic bags, evidence bags and tape, cable ties, and others

132

20. During what stage of incident response is it determined if the source of the incident was internal or external, and how the offender penetrated and gained access to the asset?

A. Analysis

B. Containment

C. Tracking

D. Follow-up

Extended Questions:

CORRECT C. Incident response begins with triage. During triage, the scope and severity of the incident is assessed. If it is determined that an incident has indeed occurred, then the incident response team moves to the investigation stage. This stage involves the collection of data, as well as analysis, interpretation, reaction, and recovery. The next stage is containment. The team isolates the systems involved in the incident to buy time to conduct a full investigation. During analysis, more data is collected and analyzed to determine the root cause of the incident. Once we have as much information as we can get in the analysis stage and answered as many questions as we can, we then move to the tracking stage. We determine if the source of the incident was internal or external and how the offender penetrated and gained access to the asset.

WRONG A is incorrect because during analysis data is gathered (audit logs, video captures, human accounts of activities, system activities) to try to figure out the root cause of the incident.

WRONG B is incorrect because the purpose of containment is to isolate the incident to prevent further damage and buy the incident response team time to conduct their investigation.

WRONG D is incorrect because the follow-up or recovery stage occurs after the incident is understood. It involves implementing the necessary fix to ensure this type of incident cannot happen again. This may require blocking certain ports, deactivating vulnerable services or functionalities, switching over to another processing facility, or applying a patch. This is properly called "following recovery procedures," because just arbitrarily making a change to the environment may introduce more problems. The recovery procedures may state that a new image needs to be installed, backup data need to be restored, the system needs to be tested, and all configurations are properly set.

133

Federal Sentencing Guidelines for Organizations (FSGO)

The Federal Sentencing Guidelines for Organizations (FSGO) is an outline of ethical requirements, and in some cases it will reduce criminal sentencing and liability if ethical programs are put in place. It was updated with requirements that made it much more important for the senior executives and board members of an organization to actively participate in and be aware of the ethics program in an organization. The intent is to enforce and foster a sense of due diligence that will detect criminal activity as well as protect against it and deter it from happening. Aspects of the Sarbanes-Oxley Act of 2002 are intended to function in much the same manner but with regard to accounting and truthfulness in corporate reporting.

134

Jan’s company develops software that provides cryptographic functionality. The software products provide functionality that allows companies to be compliant with applicable privacy regulations and laws.

27. Which of the following issues does Jan’s team need to be aware of as it pertains to selling its products to companies that reside in different parts of the world?

  A. Convergent technologies advancements

  B. Wassenaar Arrangement

  C. Digital Millennium Copyright Act

  D. Trademark laws

27. B. Wassenaar Arrangement implements export controls for "Conventional Arms and Dual-Use Goods and Technologies." The main goal of this arrangement is to prevent the buildup of military capabilities that could threaten regional and international security and stability. Cryptography is a technology that is considered a dual-use good under these export rules.

135

4. After a computer forensics investigator seizes a computer during a crime investigation, what is the next step?

  A. Label and put it into a container, and then label the container.

  B. Dust the evidence for fingerprints.

  C. Make an image copy of the disks.

  D. Lock the evidence in the safe.

4. C. Several steps need to be followed when gathering and extracting evidence from a scene. Once a computer has been confiscated, the first thing the computer forensics team should do is make an image of the hard drive. The team will work from this image instead of the original hard drive so it stays in a pristine state and the evidence on the drive is not accidentally corrupted or modified.

136

Request for Proposals

The acquisition of a solution (system, application, or service) often includes a Request for Proposals (RFP), which is usually designed to get vendors to provide solutions to a business problem or requirement, bring structure to the procurement decision, and allow the risks and benefits of a solution to be identified clearly upfront. It is important that the RFP conveys the necessary security requirements and elicits meaningful and specific responses that describe how the vendor will meet those requirements. Federal and state legal requirements, regulation, and business contractual obligations must be thought through when constructing the requirements laid out in the RFPs.

137

The foundation of admissibility is based on the following items:

  • Procedures for collecting and maintaining evidence
  • Proof of how errors were avoided
  • Identification of custodian and skill set
  • Reasonable explanations for:
    • Why certain actions were taken
    • Why specific procedures were bypassed

138

The Crux of Computer Crime Laws

Computer crime laws (sometimes referred to as cyberlaw) around the world deal with some of the core issues: unauthorized modification or destruction, disclosure of sensitive information, unauthorized access, and the use of malware (malicious software).

139

3. Which of the following does the Internet Architecture Board consider unethical behavior?

  A. Internet users who conceal unauthorized accesses

  B. Internet users who waste computer resources

  C. Internet users who write viruses

  D. Internet users who monitor traffic

3. B. This question is similar to Question 1. The IAB has declared wasting computer resources through purposeful activities unethical because it sees these resources as assets that are to be available for the computing society.

140

Incident Response Procedures

A hacker just made our server explode. What do we do now?

In the preceding sections, it is repeatedly stated that there should be a standard set of procedures for the team to follow, but what are these procedures? Although different organizations may define these procedures (or stages) a little differently, they should accomplish the exact same thing. To further complicate matters, incident response is a dynamic process. Oftentimes stages are conducted in parallel, even as one stage depends on the output of another. The important thing is that your organization uses a methodical approach. This allows for proper documentation that may be important in later stages of the incident response process or if the case goes to trial and you are asked whether you followed a standard procedure and whether any steps were left out. A documented checklist of your incident response procedure will help ensure admissibility in court.

141

12. Which of the following dictates that all evidence be labeled with information indicating who secured and validated it?

A. Chain of custody

B. Due care

C. Investigation

D. Motive, Opportunity, and Means

Extended Questions:

CORRECT A. A crucial piece in the digital forensics process is keeping a proper chain of custody of the evidence. Because evidence from these types of crimes can be very volatile and easily dismissed from court due to improper handling, it is important to follow very strict and organized procedures when collecting and tagging evidence in every single case. Furthermore, the chain of custody should follow evidence through its entire life cycle, beginning with identification and ending with its destruction, permanent archiving, or return to owner. When copies of data need to be made, this process must meet certain standards to ensure quality and reliability. Specialized software for this purpose can be used. The copies must be able to be independently verified and must be tamperproof. Each piece of evidence should be marked in some way with the date, time, initials of the collector, and a case number if one has been assigned. The piece of evidence should then be sealed in a container, which should be marked with the same information. The container should be sealed with evidence tape, and if possible, the writing should be on the tape so that a broken seal can be detected.

WRONG B is incorrect because due care means to carry out activities that a reasonable person would be expected to carry out in the same situation. In short, due care means that a company practiced common sense and prudent management, and acted responsibly. If a company does not practice due care in its efforts to protect itself from computer crime, it can be found negligent and legally liable for damages. A chain of custody, on the other hand, is a history that shows how evidence was collected, analyzed, transported, and preserved in order to be presented in court. Because electronic evidence can be easily modified, a clearly defined chain of custody demonstrates that the evidence is trustworthy.

WRONG C is incorrect because investigation involves the proper collection of relevant data during the incident response process and includes analysis, interpretation, reaction, and recovery. The goals of this stage are to reduce the impact of the incident, identify the cause of the incident, resume operations as soon as possible, and apply what was learned to prevent the incident from recurring. It is also at this stage where it is determined whether a forensics investigation will take place. The chain of custody dictates how this material should be properly collected and protected during its life cycle of being evidence.

WRONG D is incorrect because Motive, Opportunity, and Means is a strategy used to understand why a crime was carried out and by whom. This is the same strategy used to determine the suspects in a traditional, noncomputer crime. Motive is the "who" and "why" of a crime. Understanding the motive for a crime is an important piece in figuring out who would engage in such an activity. For example, many hackers attack big-name sites because when the sites go down, it is splashed all over the news. However, once these activities are no longer so highly publicized, the individuals will eventually stop initiating these types of attacks because their motive will have been diminished. Opportunity is the "where" and "when" of a crime. Opportunities usually arise when certain vulnerabilities or weaknesses are present. If a company does not have a firewall, hackers and attackers have all types of opportunities within that network. Once a crime fighter finds out why a person would want to commit a crime (motive), she will look at what could allow the criminal to be successful (opportunity). Means pertains to the capabilities a criminal would need to be successful. Suppose a crime fighter was asked to investigate a complex embezzlement that took place within a financial institution. If the suspects were three people who knew how to use a mouse, a keyboard, and a word processing application, but only one of them was a programmer and system analyst, the crime fighter would realize that this person may have the means to commit this crime much more successfully than the other two individuals.
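The imaging step in Question 4 and the "independently verifiable and tamperproof" copies described under chain of custody above come down to one discipline: hash the source as it is read, hash the image as an independent second pass, and put those digests on the evidence tag and in the custody log so anyone can later prove the image has not changed. The following is an added example, not code from the flashcards or any study guide; the "device" is an ordinary file standing in for a block device, and the collector name and case number are hypothetical.

```python
"""Imaging a seized drive and recording a verifiable chain-of-custody entry.

Added example for this deck (not code from the original flashcards). The
"device" is an ordinary file standing in for a block device; the collector
name and case number used in demo() are hypothetical.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 4096  # read/write granularity; the digest is the same for any size


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so a large image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def image_device(src: str, dst: str) -> dict:
    """Bit-for-bit copy of src into dst, hashing the source as it is read.

    The image is then re-read and hashed in a separate pass. Only if both
    digests agree is the copy considered verified; analysts work on dst from
    then on and the source is sealed. Returns the values for the evidence tag.
    """
    src_hash = hashlib.sha256()
    nbytes = 0
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for chunk in iter(lambda: fin.read(BLOCK_SIZE), b""):
            src_hash.update(chunk)
            fout.write(chunk)
            nbytes += len(chunk)
    image_digest = sha256_file(dst)
    return {
        "bytes": nbytes,
        "source_sha256": src_hash.hexdigest(),
        "image_sha256": image_digest,
        "verified": src_hash.hexdigest() == image_digest,
    }


def verify_image(path: str, expected_sha256: str) -> bool:
    """Re-hash an image before every use; any later modification fails this check."""
    return sha256_file(path) == expected_sha256


def custody_entry(record: dict, collector: str, case_id: str, action: str) -> dict:
    """One custody-log line: who did what, when, and the digest of what they held."""
    return {
        "case": case_id,
        "action": action,
        "collector": collector,
        "time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "sha256": record["image_sha256"],
        "bytes": record["bytes"],
    }


def demo() -> dict:
    """Run the full sequence on a constructed 'drive' in a temp directory."""
    with tempfile.TemporaryDirectory() as d:
        device = os.path.join(d, "sda")
        image = os.path.join(d, "sda.img")
        # Constructed sample content: a fake 512-byte boot sector plus three blocks.
        with open(device, "wb") as f:
            f.write(b"MBR\x00" * 128 + os.urandom(3 * BLOCK_SIZE))
        record = image_device(device, image)
        log = [custody_entry(record, "J. Doe (hypothetical)",
                             "CASE-0001 (hypothetical)", "imaged")]
        intact_before = verify_image(image, record["image_sha256"])
        # Simulate tampering: flip one byte of the image after collection.
        with open(image, "r+b") as f:
            f.seek(10)
            original = f.read(1)
            f.seek(10)
            f.write(bytes([original[0] ^ 0xFF]))
        intact_after = verify_image(image, record["image_sha256"])
        return {"record": record, "log": log,
                "intact_before": intact_before, "intact_after": intact_after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The source digest goes on the physical tag and the container; the custody log carries the image digest and a timestamp for every hand-off. A mismatch from verify_image() at any later point is exactly the "broken seal" the text describes, and it is detectable by anyone who has the original digest, not just the collector.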

142

Hearsay evidence

Hearsay evidence pertains to oral or written evidence presented in court that is secondhand and has no firsthand proof of accuracy or reliability. If a witness testifies about something he heard someone else say, it is too far removed from fact and has too many variables that can cloud the truth. If business documents were made during regular business routines, they may be admissible. However, if these records were made just to be presented in court, they could be categorized as hearsay evidence.

143

Gramm-Leach-Bliley Act of 1999 (GLBA)

The Gramm-Leach-Bliley Act of 1999 (GLBA) requires financial institutions to develop privacy notices and give their customers the option to prohibit financial institutions from sharing their information with nonaffiliated third parties. The act dictates that the board of directors is responsible for many of the security issues within a financial institution, that risk management must be implemented, that all employees need to be trained on information security issues, and that implemented security measures must be fully tested. It also requires these institutions to have a written security policy in place.

144

Health Information Technology for Economic and Clinical Health (HITECH) Act

In 2009 the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act, was signed into law to promote the adoption and meaningful use of health information technology. Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.

145

Personal Privacy Protection

End users are also responsible for their own privacy, especially as it relates to protecting the data that are on their own systems. End users should be encouraged to use common sense and best practices. This includes the use of encryption to protect sensitive personal information, as well as firewalls, antivirus software, and patches to protect computers from becoming infected with malware. Documents containing personal information, such as credit card statements, should also be shredded. Also, it’s important for end users to understand that when data are given to a third party, they are no longer under their control.

146

Notice

Individuals must be informed that their data is being collected and about how it will be used.

147

6. There are different types of approaches to regulations. Which of the following is an example of self-regulation?

A. The Health Insurance Portability and Accountability Act

B. The Sarbanes-Oxley Act

C. The Computer Fraud and Abuse Act

D. PCI Data Security Standard

Extended Questions:

CORRECT D. Privacy is becoming more threatened as the world relies more and more on technology. There are several approaches to addressing privacy, including regulations created and enforced by the government and self-regulatory regulations. The Payment Card Industry Data Security Standard (PCI DSS) is an example of a self-regulatory approach. It is mandated by the credit card companies and applies to any entity that processes, transmits, stores, or accepts credit card data. Varying levels of compliance and penalties exist and depend on the size of the customer and the volume of transactions. However, credit cards are used by millions and accepted almost anywhere, which means just about every business in the world must comply with the PCI DSS. PCI DSS is not a government-created and enforced regulation. While the CISSP exam does not require you to know specific regulations, you must understand the different approaches to regulations.

WRONG A is incorrect because the Health Insurance Portability and Accountability Act (HIPAA) is a U.S. federal regulation that applies to any organization that is in possession of personal medical information and healthcare data. This regulation provides a framework and guidelines to ensure security, integrity, and privacy when handling confidential medical information. HIPAA outlines how security should be managed for any facility that creates, accesses, shares, or destroys medical information.

WRONG B is incorrect because the Sarbanes-Oxley Act (SOX) was created by the U.S. government in the wake of corporate scandals and fraud which cost investors billions of dollars and threatened to undermine the economy. The regulation applies to any company that is publicly traded on U.S. markets. Much of the law governs accounting practices and the methods used by companies to report on their financial status. However, some parts, Section 404 in particular, apply directly to information technology.

WRONG C is incorrect because the Computer Fraud and Abuse Act is the primary U.S. federal antihacking statute. It prohibits seven forms of computer activity and makes them federal crimes. These acts range from felonies to misdemeanors with corresponding small to large fines and jail sentences. One example is the knowing access of a protected computer without authorization or in excess of authorization with the intent to defraud. While the CISSP exam does not require you to know specific laws and regulations, you do need to understand why various laws and regulations are put into place and why they are used.

148

The U.S. Office of Management and Budget’s definition of PII components are listed here:

  • Full name (if not common)
  • National identification number
  • IP address (in some cases)
  • Vehicle registration plate number
  • Driver’s license number
  • Face, fingerprints, or handwriting
  • Credit card numbers
  • Digital identity
  • Birthday
  • Birthplace
  • Genetic information

149

31. Which of the following has an incorrect definition mapping?

i. Civil (code) law - Based on previous interpretations of laws

ii. Common law - Rule-based law, not precedent-based

iii. Customary law - Deals mainly with personal conduct and patterns of behavior

iv. Religious law - Based on religious beliefs of the region

  A. i, iii

  B. i, ii, iii

  C. i, ii

  D. iv

31. C. The following has the proper definition mappings:

i. Civil (code) law - Rule-based law, not precedent-based

ii. Common law - Based on previous interpretations of laws

iii. Customary law - Deals mainly with personal conduct and patterns of behavior

iv. Religious law - Based on religious beliefs of the region

150

Incident Management

Many computer crimes go unreported because the victim, in many cases, is not aware of the incident or wants to just patch the hole the hacker came in through and keep the details quiet in order to escape embarrassment or the risk of hurting the company’s reputation. This makes it harder to know the real statistics of how many attacks happen each day, the degree of damage caused, and what types of attacks and methods are being used.

151

Computer surveillance

Computer surveillance pertains to auditing events: passively monitoring activity by using network sniffers, keyboard monitors, wiretaps, and line monitoring. In most jurisdictions, active monitoring may require a search warrant. In most workplace environments, to legally monitor an individual, the person must be warned ahead of time that her activities may be subject to this type of monitoring.

152

Dumpster diving

Dumpster diving refers to the concept of rummaging through a company or individual’s garbage for discarded documents, information, and other precious items that could then be used in an attack against that company or person. The intruder would have to gain physical access to the premises, but the area where the garbage is kept is usually not highly guarded. Dumpster diving is unethical, but it’s not illegal. Trespassing is illegal, however, and may be done in the process of dumpster diving. (Laws concerning this may vary in different jurisdictions.)

153

• Cover all aspects of human life, but commonly divided into:

  • Responsibilities and obligations to others.
  • Religious duties.
  • Knowledge and rules as revealed by God, which define and govern human affairs.
  • Rather than create laws, lawmakers and scholars attempt to discover the truth of law.
  • Law, in the religious sense, also includes codes of ethics and morality, which are upheld and required by God. For example, Hindu law, Sharia (Islamic law), Halakha (Jewish law), and so on.

154

Wiretapping

Most communications signals are vulnerable to some type of wiretapping or eavesdropping. It can usually be done undetected and is referred to as a passive attack. Tools used to intercept communications include cellular scanners, radio receivers, microphone receivers, tape recorders, network sniffers, and telephone-tapping devices.

155

Onward Transfer

Transfers of data to third parties may only occur to other organizations that follow adequate data protection principles.

156

Administrative/regulatory law

Administrative/regulatory law deals with regulatory standards that regulate performance and conduct. Government agencies create these standards, which are usually applied to companies and individuals within those specific industries. Some examples of administrative laws could be that every building used for business must have a fire detection and suppression system, must have easily seen exit signs, and cannot have blocked doors, in case of a fire. Companies that produce and package food and drug products are regulated by many standards so the public is protected and aware of their actions. If a case was made that specific standards were not abided by, high officials in the companies could be held accountable, as in a company that makes tires that shred after a couple of years of use. The people who held high positions in this company were most likely aware of these conditions but chose to ignore them to keep profits up. Under administrative, criminal, and civil law, they may have to pay dearly for these decisions.


157

17. Which of the following statements is not true of dumpster diving?

A. It is legal.

B. It is unethical.

C. It is illegal.

D. It is a nontechnical attack.

Extended Questions:

CORRECT C. Dumpster diving refers to the concept of rummaging through a company’s or individual’s garbage for discarded documents, information, and other precious items that could then be used in an attack against that person or company. Dumpster diving is legal. Trespassing is illegal, however, and may be done in the process of dumpster diving. Industrial spies can raid corporate dumpsters to find proprietary and confidential information. Credit card thieves can go through dumpsters to retrieve credit card information from discarded receipts. Phreakers have been known to dumpster-dive at telephone companies, hoping to find manuals on how the internals of the telephone systems work.

WRONG A is incorrect because dumpster diving is considered legal. Trespassing, on the other hand, is illegal. While the area where garbage is kept is usually not highly guarded, physical access to the premises is required and dumpsters are often located on private property. Trespassing laws concerning dumpster diving vary in different states, as well as how rigorously they are upheld.

WRONG B is incorrect because dumpster diving is perceived as unethical if used for malicious purposes. Just because something is legal, like dumpster diving, does not make it right. An interesting relationship exists between law and ethics. Most often, laws are based on ethics and are put in place to ensure that others act in an ethical way. However, laws do not apply to everything—that is when ethics should apply. Some things may not be illegal, but that does not necessarily mean they are ethical.

WRONG D is incorrect because it is true that dumpster diving is a nontechnical attack. Dumpster diving is the act of going through someone’s trash with the hope of uncovering useful information.

158

Direct Evidence

Direct evidence can prove a fact all by itself and does not need backup information to refer to. When direct evidence is used, presumptions are not required. One example of direct evidence is the testimony of a witness who saw a crime take place. Although this oral evidence would be secondary in nature, meaning a case could not rest on just it alone, it is also direct evidence, meaning the lawyer does not necessarily need to provide other evidence to back it up. Direct evidence often is based on information gathered from a witness’s five senses.

159

Wrongs against a person

Examples include car accidents, dog bites, and a slip and fall.

160

laws

• Civil legal systems should not be confused with the civil (or tort) laws found in the United States.

161

Ron is a new security manager and needs to help ensure that his company can easily work with international entities in the case of cybercrime activities. His company is expanding their offerings to include cloud computing to their customers, which are from all over the world. Ron knows that several of their partners work in Europe, who would like to take advantage of his company’s cloud computing offerings.

24. Which of the following should Ron ensure that his company’s legal team is aware of pertaining to cybercrime issues?

  A. Business exemption rule of evidence

  B. Council of Europe (CoE) Convention on Cybercrime

  C. Digital Millennium Copyright Act

  D. Personal Information Protection and Electronic Documents Act

24. B. The Council of Europe (CoE) Convention on Cybercrime (the Budapest Convention, opened for signature in 2001) is the first international treaty seeking to address computer crimes by harmonizing national laws, improving investigative techniques, and increasing cooperation among nations.

162

14. If a company deliberately planted a flaw in one of its systems in the hope of detecting an attempted penetration and exploitation of this flaw, what would this be called?

  A. Incident recovery response

  B. Entrapment

  C. Illegal

  D. Enticement

14. D. Enticement is luring someone who has already decided to commit a crime into a position where the act can be observed, for example by deploying a honeypot; entrapment is inducing someone to commit a crime they would not otherwise have committed, and evidence obtained through entrapment may be thrown out. Because the court draws the line between the two, companies need to be very careful about the items they use to entice intruders and attackers, and it is best to get the legal department involved before implementing them. Putting a honeypot in place is usually seen as the use of enticement tools.

163

The core principles defined by the OECD are as follows:

  • Collection of personal data should be limited, obtained by lawful and fair means, and with the knowledge of the subject.
  • Personal data should be kept complete and current, and be relevant to the purposes for which it is being used.
  • Subjects should be notified of the reason for the collection of their personal information at the time that it is collected, and organizations should only use it for that stated purpose.
  • Only with the consent of the subject or by the authority of law should personal data be disclosed, made available, or used for purposes other than those previously stated.
  • Reasonable safeguards should be put in place to protect personal data against risks such as loss, unauthorized access, modification, and disclosure.
  • Developments, practices, and policies regarding personal data should be openly communicated. In addition, subjects should be able to easily establish the existence and nature of personal data, its use, and the identity and usual residence of the organization in possession of that data.
  • Subjects should be able to find out whether an organization has their personal information and what that information is, to correct erroneous data, and to challenge denied requests to do so.
  • Organizations should be accountable for complying with measures that support the previous principles.

164

Cops or No Cops? : Management needs to make the decision as to whether law enforcement should be called in to handle the security breach. The following are some of the issues to understand if law enforcement is brought in:

  • Company loses control over investigation once law enforcement is involved.
  • Secrecy of compromise is not promised; it could become part of public record.
  • Effects on reputation need to be considered (the ramifications of this information reaching customers, shareholders, and so on).
  • Evidence will be collected and may not be available for a long period of time. It may take a year or so to get into court.

165

Personally Identifiable Information

Personally identifiable information (PII) is data that can be used to uniquely identify, contact, or locate a single person or can be used with other sources to uniquely identify a single individual. It needs to be highly protected because it is commonly used in identity theft, financial crimes, and various criminal activities.

166

16. When would an investigator’s notebook be admissible in court?

  A. When he uses it to refresh memory

  B. When he cannot be present for testimony

  C. When requested by the judge to learn the original issues of the investigations

  D. When no other physical evidence is available

16. A. Notes that are taken by an investigator will, in most cases, not be admissible in court as evidence. This is not seen as reliable information and can only be used by the investigator to help him remember activities during the investigation.

167

21. Which of the following is not true of a forensics investigation?

A. The crime scene should be modified as necessary.

B. A file copy tool may not recover all data areas of the device that are necessary for investigation.

C. Contamination of the crime scene may not negate derived evidence, but it should still be documented.

D. Only individuals with knowledge of basic crime scene analysis should have access to the crime scene.

Extended Questions:

CORRECT A. The principles of criminalistics are included in the forensic investigation process. They are identification of the crime scene, protection of the environment against contamination and loss of evidence, identification of evidence and potential sources of evidence, and collection of evidence. In regard to minimizing the degree of contamination, it is important to understand that it is impossible not to change a crime scene—be it physical or digital. The key is to minimize changes and document what you did and why, and how the crime scene was affected.

WRONG B is incorrect because it is true that a file copy tool may not recover all data areas of the device necessary for investigation. During the examination and analysis process of a forensics investigation, it is critical that the investigator works from an image that contains all of the data from the original disk. It must be a bit-level copy, sector by sector, to capture deleted files, slack space, and unallocated clusters, which a file-level copy never reads. These images can be created with specialized tools such as FTK Imager, EnCase, and SafeBack, or with the Unix dd utility. The image should then be hashed and the hash compared with that of the original so the copy can be shown to be faithful.

WRONG C is incorrect because it is true that if a crime scene becomes contaminated, that should be documented. While it may not negate the derived evidence, it will make investigating the crime and providing useful evidence for court more challenging. Whether the crime scene is physical or digital, it is important to control who comes in contact with the evidence of the crime to ensure its integrity.

WRONG D is incorrect because the statement is true. Only authorized individuals should be allowed to access the crime scene, and these individuals should have knowledge of basic crime scene analysis. Other measures to protect the crime scene include documenting who is at the crime scene and the last individuals to interact with the system. In court, the integrity of the evidence may be in question if there are too many people milling around.
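The difference between a file-level copy and a bit-level image, as an added example that is not part of the original deck: the "disk", its file table, and the remnant strings below are all constructed for the demonstration, and the copy and image functions stand in for a copy tool and for dd respectively rather than reproducing either.

```python
# Added example, not from the flashcard deck: why a file-level copy misses
# evidence that a bit-level (sector-by-sector) image captures. The "disk",
# its file table, and the remnant strings are all constructed for the demo.
import hashlib

SECTOR = 512


def build_sample_disk():
    """Return (raw_disk_bytes, file_table) for a constructed 8-sector disk."""
    disk = bytearray(SECTOR * 8)  # all zeros to start

    # Sector 1: data from a file that was deleted; the directory entry is gone
    # but the sector was never overwritten (unallocated space).
    deleted = b"DELETED-FILE: wire transfer to account 4242 on 03/01"
    disk[1 * SECTOR:1 * SECTOR + len(deleted)] = deleted

    # Sector 3 previously held an old file. Only its tail survives after a
    # newer file reused the sector (file slack, see below).
    old_tail = b"SLACK: old admin password = hunter2"
    disk[3 * SECTOR + 100:3 * SECTOR + 100 + len(old_tail)] = old_tail

    # Sectors 2-3: a live file of 600 bytes. It fills sector 2 and the first
    # 88 bytes of sector 3, so bytes 88..511 of sector 3 are slack space.
    live = b"Meeting notes: payroll vendor migration. ".ljust(600, b".")
    disk[2 * SECTOR:2 * SECTOR + 600] = live
    file_table = {"notes.txt": {"sectors": [2, 3], "size": 600}}
    return bytes(disk), file_table


def file_level_copy(disk, file_table):
    """What an ordinary copy tool produces: only the allocated bytes of each
    live file, exactly `size` bytes long. Slack and unallocated space are
    never read."""
    out = {}
    for name, entry in file_table.items():
        data = b"".join(disk[s * SECTOR:(s + 1) * SECTOR] for s in entry["sectors"])
        out[name] = data[:entry["size"]]
    return out


def bit_level_image(disk):
    """Sector-by-sector image of the whole device plus its SHA-256, the value
    recorded in the chain-of-custody log and re-checked before each session."""
    image = bytes(disk)
    return image, hashlib.sha256(image).hexdigest()


def search(blob, needle):
    """True if the remnant string appears anywhere in the bytes given."""
    return needle in blob


def demo():
    disk, table = build_sample_disk()
    copied = file_level_copy(disk, table)
    image, digest = bit_level_image(disk)
    copied_blob = b"".join(copied.values())
    return {
        "deleted_in_copy": search(copied_blob, b"DELETED-FILE"),
        "deleted_in_image": search(image, b"DELETED-FILE"),
        "slack_in_copy": search(copied_blob, b"SLACK:"),
        "slack_in_image": search(image, b"SLACK:"),
        "image_matches_original": digest == hashlib.sha256(disk).hexdigest(),
        "image_size": len(image),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The deleted wire-transfer record and the old password in file slack show up only in the full image; the copy contains nothing but the 600 live bytes of notes.txt. On a real device the imaging step is done through a hardware write blocker so that the original is never mounted read-write, and the hash is taken of the original device as well as the image file.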

168

8. There are three different types of incident response teams. Which of the following correctly describes a virtual team?

A. It consists of experts who have other duties within the organization.

B. It can be cost prohibitive to smaller organizations.

C. It is a hybrid model.

D. Core members are permanently assigned to the team.

Extended Questions:

CORRECT A. All organizations should develop an incident response team, as mandated by the incident response policy, to respond to the large array of possible security incidents. The purpose of having an incident response team is to ensure that there is a group of people who are properly skilled, who follow a standard set of procedures, and who are singled out and called upon when this type of event takes place. There are three different types of incident response teams. A virtual team is made up of experts who have other duties and assignments within the organization or are outside consultants. A virtual team is commonly developed and used when a company cannot afford to dedicate specific individuals to only deal with incidents. The team can be made up of employees who have other jobs within the company and/or outside consultants that would be called in when an incident takes place.

WRONG B is incorrect because it is a permanent team of employees dedicated strictly to incident response that can be cost prohibitive to smaller organizations. A virtual team is made up of individuals who are called upon when needed but have responsibilities other than incident management, which makes it the more affordable approach.

WRONG C is incorrect because a hybrid model has aspects of both a virtual model and permanent model. It is similar to a virtual model in that some team members are called as needed and have other responsibilities. It is similar to a permanent model in that certain core members are permanently assigned to the team and incident management is their full-time job and responsibility. In a hybrid situation both permanent and virtual people are used when an incident takes place.

WRONG D is incorrect because a virtual team is created specifically when an organization cannot afford to have employees who are dedicated to incident management only. In larger organizations that have high threat levels, there can be dedicated staff members whose only job is incident management, but most organizations cannot afford this and instead use virtual teams.

169

If You Are Not a Lawyer—You Are Not a Lawyer

Many times security professionals are looked to by organizations to help them figure out how to be compliant with the necessary laws and regulations. While you might be aware of and have experience in some of these, there is a high likelihood that you are not aware of all the necessary federal and state laws, regulations, and international requirements your company must meet. Each of these laws, regulations, and directives morphs over time and new ones are added, and while you think you may be interpreting them correctly, you may be wrong. It is critical that an organization get their legal department involved with compliance issues. I have been in this situation many times over many years. Sometimes the company would get their lawyer in our meetings, who would stare blankly like a deer in headlights. Many companies have lawyers who do not know enough about all of these issues to ensure the company is properly protected. In this situation, advise the company to contact outside counsel to help them with these issues.

170

New and Improved SAS 70

SAS 70 is a set of standards that auditors use to evaluate the controls of a service organization as they relate to customers' internal control over financial reporting. The industry stretched the use of SAS 70 beyond its original intended purpose. Organizations needed to make sure that their service providers were providing the necessary protection of their digital assets, but the industry did not have a specific standard for this type of evaluation, so we all used SAS 70, which was really just for financial control evaluation. SAS 70 was superseded in 2011 by SSAE 16 (since replaced by SSAE 18), whose Service Organization Control (SOC) reports fill that gap: a SOC 1 report still covers controls over financial reporting, while a SOC 2 report covers security, availability, processing integrity, confidentiality, and privacy controls.

171

Strict liability

Examples include a failure to warn of risks and defects in product manufacturing or design.

172

Controlling the Crime Scene : Whether the crime scene is physical or digital, it is important to control who comes in contact with the evidence of the crime to ensure its integrity. The following are just some of the steps that should take place to protect the crime scene:

  • Only allow authorized individuals access to the scene. These individuals should have knowledge of basic crime scene analysis.
  • Document who is at the crime scene.
  • In court, the integrity of the evidence may be in question if there are too many people milling around.
  • Document who were the last individuals to interact with the systems.
  • If the crime scene does become contaminated, document it. The contamination may not negate the derived evidence, but it will make investigating the crime more challenging.

173

13. There are several categories of evidence. How is a witness’s oral testimony categorized?

A. Best evidence

B. Secondary evidence

C. Circumstantial evidence

D. Conclusive evidence

Extended Questions:

CORRECT B. Several types of evidence can be used in a trial, such as written, oral, computer-generated, and visual or audio. Oral evidence is testimony of a witness. Visual or audio is usually a captured event during the crime or right after it. Not all evidence is equal in the eyes of the law and some types of evidence have more clout, or weight, than others. Secondary evidence is not viewed as reliable and strong in proving innocence or guilt (or liability in civil cases) when compared to best evidence. Oral evidence, such as a witness’s testimony, and copies of original documents are placed in the secondary evidence category.

WRONG A is incorrect because there is no firsthand reliable proof that supports oral evidence’s validity. Best evidence is the primary evidence used in a trial because it provides the most reliability. An example of something that would be categorized as best evidence is an original signed contract.

WRONG C is incorrect because circumstantial evidence can prove an intermediate fact that can then be used to deduce or assume the existence of another fact. This type of fact is used so the judge or jury will logically assume the existence of a primary fact. For example, if a suspect told a friend he was going to bring down eBay’s Web site, a case could not rest on that piece of evidence alone because it is circumstantial. However, this evidence can cause the jury to assume that because the suspect said he was going to do it, and hours later it happened, maybe he was the one who did the crime.

WRONG D is incorrect because conclusive evidence is irrefutable and cannot be contradicted. A witness’s testimony can be refuted. Conclusive evidence is very strong all by itself and does not require corroboration.

174

10. During an incident response, what stage involves mitigating the damage caused by an incident?

A. Investigation

B. Containment

C. Triage

D. Analysis

Extended Questions:

CORRECT B. A proper containment strategy buys the incident response team time to properly investigate and determine the incident’s root cause. The containment strategy should be based on the category of the attack (i.e., whether it was internal or external), the assets affected by the incident, and the criticality of those assets. Containment strategies can be proactive or reactive. Which is best depends on the environment and the category of the attack. In some cases, the best action might be to disconnect the affected system from the network. Disconnecting the affected system from the network is a reactive strategy, not a proactive strategy. The system is taken offline after it is attacked. If it was taken offline before it was attacked (you’d need some indication that the system was going to be attacked), then the strategy would be proactive.

WRONG A is incorrect because the investigation stage involves the proper collection of relevant data and includes analysis, interpretation, reaction, and recovery. The goals of this stage are to reduce the impact of the incident, identify the cause of the incident, resume operations as soon as possible, and apply what was learned to prevent the incident from recurring. It is also at this stage where computer forensics comes into play. Management must decide if law enforcement should be brought in to carry out the investigation, if evidence should be collected for the purposes of prosecution, or if the hole should just be patched.

WRONG C is incorrect because triage involves taking information about the incident, investigating the incident’s severity, and setting priorities on how to deal with it. This begins with an initial screening of the reported event to determine whether it is indeed an incident and whether the incident handling process should be initiated. If the event is determined to be a real incident, it is identified and classified. Incidents should be categorized according to their level of potential risk, which is influenced by the type of incident, the source, its rate of growth, and the ability to contain the damage. This, in turn, determines what notifications are required during the escalation process, and sets the scope and procedures for the investigation.

WRONG D is incorrect because the analysis stage involves gathering data such as audit logs, video captures, human accounts of activities, etc., to try and figure out the root cause of the incident. The goals are to figure out who did this, how they did it, when they did it, and why. Management must be continually kept abreast of these activities because they will be the ones making the big decisions on how the incident is to be handled.

175

incident response team

All organizations should develop an incident response team, as mandated by the incident response policy, to respond to the large array of possible security incidents. The purpose of having an incident response team is to ensure that there is a group of people who are properly skilled, who follow a standard set of procedures, and who are singled out and called upon when this type of event takes place. The team should have proper reporting procedures established, be prompt in their reaction, work in coordination with law enforcement, and be an important element of the overall security program. The team should consist of representatives from various business units, such as the legal department, HR, executive management, the communications department, physical/corporate security, IS security, and information technology.


177

Conclusive evidence

Conclusive evidence is irrefutable and cannot be contradicted. Conclusive evidence is very strong all by itself and does not require corroboration.

178

Employee Privacy Issues

We are continuing with our theme of privacy, because it is so important and there are so many aspects of it. Within a corporation, several employee privacy issues must be thought through and addressed if the company wants to be properly protected. An understanding that each state and country may have different privacy laws should prompt the company to investigate exactly what it can and cannot monitor before it does so.

179

how

While it is important to know what laws and regulations your company needs to be compliant with, it is also important to know how to ensure that compliance is being met and how to properly convey that to the necessary stakeholders. A compliance program should be developed, which outlines what needs to be put into place to be compliant with the necessary internal and external drivers, and then an audit team will assess how well the organization is doing to meet the identified requirements.

180

Common Internet Crime Schemes

  • Auction fraud
  • Counterfeit cashier’s check
  • Debt elimination
  • Parcel courier e-mail scheme
  • Employment/business opportunities
  • Escrow services fraud
  • Investment fraud
  • Lotteries
  • Nigerian letter, or "419"
  • Ponzi/pyramid
  • Reshipping
  • Third-party receiver of funds

181

1. D. The Internet Architecture Board (IAB) is a committee for Internet design, engineering, and management. It considers the use of the Internet to be a privilege that should be treated as such. The IAB considers the following acts unethical and unacceptable behavior:

  • Purposely seeking to gain unauthorized access to Internet resources
  • Disrupting the intended use of the Internet
  • Wasting resources (people, capacity, and computers) through purposeful actions
  • Destroying the integrity of computer-based information
  • Compromising the privacy of others
  • Negligence in the conduct of Internet-wide experiments

182

Investigations

Since computer crimes are only increasing and will never really go away, it is important that all security professionals understand how computer investigations should be carried out. This includes legal requirements for specific situations, understanding the "chain of custody" for evidence, what type of evidence is admissible in court, incident response procedures and escalation processes.

183

What Can We Learn from This? : Closure of an incident is determined by the nature or category of the incident, the desired incident response outcome (for example, business resumption or system restoration), and the team’s success in determining the incident’s source and root cause. Once it is determined that the incident is closed, it is a good idea to have a team briefing that includes all groups affected by the incident to answer the following questions:

  • What happened?
  • What did we learn?
  • How can we do it better next time?

184

You should understand the following set of procedures (stages) for incident response:

  • Triage
  • Investigation
  • Containment
  • Analysis
  • Tracking
  • Recovery

185

The Forensics Investigation Process : To ensure that forensics activities are carried out in a standardized manner, it is necessary for the team to follow specific laid-out steps so nothing is missed and the evidence remains admissible. Figure 9-5 illustrates the phases of a common investigation process. Each team or company may come up with its own steps, but all should be accomplishing essentially the same things:

  • Identification
  • Preservation
  • Collection
  • Examination
  • Analysis
  • Presentation
  • Decision

186

Circumstantial Evidence

Circumstantial evidence can prove an intermediate fact that can then be used to deduce or assume the existence of another fact. This type of fact is used so the judge or jury will logically assume the existence of a primary fact. For example, if a suspect told a friend he was going to bring down eBay’s web site, a case could not rest on that piece of evidence alone because it is circumstantial. However, this evidence can cause the jury to assume that because the suspect said he was going to do it, and hours later it happened, maybe he was the one who did the crime.

187

The investigator works from the duplicate image because it preserves the original evidence, prevents inadvertent alteration of the original during examination, and allows the duplicate to be re-created if necessary. Imaging the disk is only part of the job, however: much of the data relevant to an incident lives in volatile locations that are lost when the system is powered off, so it must be captured first, most volatile first (the order of volatility). Such data can be contained in the following:

  • Registers and cache
  • Process tables and ARP cache
  • System memory (RAM, ROM)
  • Temporary file systems
  • Special disk sectors

188

Incident Investigators

Incident investigators are a breed of their own. Many people suspect they come from a different planet, but to date that hasn’t been proven. Good incident investigators must be aware of suspicious or abnormal activities that others might normally ignore. This is because, due to their training and experience, they may know what is potentially going on behind some abnormal system activity, while another employee would just respond, "Oh, that just happens sometimes. We don’t know why."

189

Federal Information Security Management Act (FISMA)

The Federal Information Security Management Act (FISMA) of 2002 is a U.S. law that requires every federal agency to create, document, and implement an agency-wide security program to provide protection for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. It explicitly emphasizes a "risk-based policy for cost-effective security."

190

Software Piracy

Software piracy occurs when the intellectual or creative work of an author is used or duplicated without permission or compensation to the author. It is an act of infringement on ownership rights, and if the pirate is caught, he could be sued civilly for damages, be criminally prosecuted, or both.

191

17. Disks and other media that are copies of the original evidence are considered what?

  A. Primary evidence

  B. Reliable and sufficient evidence

  C. Hearsay evidence

  D. Conclusive evidence

17. C. In most cases, computer-related evidence falls under the hearsay category, because it is seen as copies of the original data that are held in the computer itself and can be modified without any indication. Evidence is considered hearsay when there is no firsthand proof in place to validate it.

192

23. Which of the following attacks can be best prevented by limiting the amount of electrical signals emitted from a computer system?

A. Salami attack

B. Emanations capturing

C. Password sniffing

D. IP spoofing

Extended Questions:

CORRECT B. Every electrical device emits electromagnetic radiation into the surrounding environment. These emanations carry information, comparable to how wireless technologies work. The radiation can be picked up at a distance, depending on the strength of the signals and the material and objects in the surrounding area. Attackers have used devices to capture this radiation and feed it to their own computer systems so that they can access information not intended for them. Companies that hold information of such sensitive nature that attackers would go to this much trouble usually have special computer systems with shielding that permit only a small amount of electrical signal to be emitted (the U.S. government's TEMPEST program defines such shielding standards). The companies can also use material within the walls of the building to stop these types of electrical waves from passing through them.

WRONG A is incorrect because a salami attack is one in which the attacker commits several small crimes with the hope that the overall larger crime will go unnoticed. It has nothing necessarily to do with electrical signals. Salami attacks usually take place in the accounting departments of companies, and the most common example of a salami attack involves subtracting a small amount of funds from many accounts with the hope that such an insignificant amount would be overlooked. For example, a bank employee may alter a banking software program to subtract 5 cents from each of the bank’s customers’ accounts once a month and move this amount to the employee’s bank account. If this happened to all of the bank’s 50,000 customer accounts, the intruder could make up to $30,000 a year.

WRONG C is incorrect because password sniffing involves sniffing network traffic with the hope of capturing passwords being sent between computers or devices. It has nothing necessarily to do with capturing electrical signals. Capturing a password is tricky, because it is a piece of data that is usually only used when a user wants to authenticate into a domain or access a resource. Some systems and applications do send passwords over the network in cleartext, but a majority of them do not anymore. Instead, the user's workstation performs a one-way hashing function on the password and sends only the resulting value to the authenticating system or service. The authenticating system has a file containing all users' password hash values, not the passwords themselves, and when the authenticating system is asked to verify a user's password, it compares the hash value sent to what it has in its file. Note that if the hash itself is what the wire carries and the server simply compares it with the stored value, the sniffer does not need the password at all: replaying the captured hash authenticates just as well, which is why modern authentication protocols use a challenge-response exchange or protect the login in transit.

WRONG D is incorrect because IP spoofing does not involve the capturing of electrical signals. IP spoofing involves either manually changing the IP address within a packet to show a different address or, more commonly, using a tool that is programmed to provide this functionality for the attacker. Several attacks that take place use spoofed IP addresses, which give the victim little hope of finding the real system and individual who initiated the attack.
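Detection logic for the salami pattern described under option A, as an added example that is not part of the original deck. The ledger, the account numbers, the CSV layout and the thresholds are all constructed for the demonstration; the point is that a single five-cent debit is unremarkable, while the same micro-amount fanning in from dozens of distinct accounts to one destination is the signature to alert on.

```python
# Added example, not from the flashcard deck: detection logic for the salami
# pattern, run over a constructed transaction ledger. Account numbers,
# amounts and the CSV layout are all made up for the demo.
from collections import defaultdict


def build_sample_ledger(customers=50, skim_cents=5):
    """Constructed ledger lines: date,source_acct,destination_acct,amount_cents."""
    lines = [
        # Ordinary activity: large, legitimate-looking transfers and one lone fee.
        "2024-03-01,ACC-1001,ACC-4242,125000",
        "2024-03-01,ACC-1002,ACC-4242,80000",
        "2024-03-01,ACC-1003,ACC-7777,5",
    ]
    # The salami: skim_cents from every customer account into one account.
    for i in range(customers):
        lines.append(f"2024-03-01,ACC-{2000 + i},ACC-9999,{skim_cents}")
    return "\n".join(lines)


def find_salami_candidates(ledger_text, max_cents=10, min_sources=20):
    """Flag destination accounts that receive tiny credits (<= max_cents)
    from at least min_sources distinct source accounts."""
    fan_in = defaultdict(lambda: {"sources": set(), "count": 0, "total_cents": 0})
    for line in ledger_text.splitlines():
        if not line.strip():
            continue
        _date, src, dst, amount = line.split(",")
        cents = int(amount)
        if cents > max_cents:
            continue  # only micro-amounts are of interest here
        entry = fan_in[dst]
        entry["sources"].add(src)
        entry["count"] += 1
        entry["total_cents"] += cents
    return {
        dst: {
            "count": e["count"],
            "total_cents": e["total_cents"],
            "distinct_sources": len(e["sources"]),
        }
        for dst, e in fan_in.items()
        if len(e["sources"]) >= min_sources
    }


def annual_take(customers, cents_per_hit, hits_per_year=12):
    """Projected yearly proceeds in dollars (the passage's 50,000 x 5c x 12)."""
    return customers * cents_per_hit * hits_per_year / 100


if __name__ == "__main__":
    print(find_salami_candidates(build_sample_ledger()))
    print(annual_take(50_000, 5))
```

Run against the sample ledger, only ACC-9999 is flagged: fifty five-cent debits from fifty distinct sources, 250 cents in total, while the lone fee to ACC-7777 and the large transfers to ACC-4242 pass. In a real ledger the thresholds would be tuned per business line, and the query would also compare each destination's fan-in against its own history, since a legitimate fee account receives micro-amounts every day.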

193

Password sniffing

Password sniffing is just what it sounds like: sniffing network traffic with the hope of capturing passwords being sent between computers. Several tools are available on the Internet that provide this functionality. Capturing a password is tricky, because it is a piece of data that is usually only used when a user wants to authenticate into a domain or access a resource. Some systems and applications do send passwords over the network in cleartext, but a majority of them do not anymore. Instead, the software performs a one-way hashing function on the password and sends only the resulting value to the authenticating system or service. The authenticating system has a file containing all users' password hash values, not the passwords themselves, and when the authenticating system is asked to verify a user's password, it compares the hash value sent to what it has in its file. The caveat is that a hash which is sent and compared as-is is itself a password equivalent: an attacker who sniffs it can replay it without ever learning the password. That is why authentication protocols bind the exchange to a fresh server challenge or run it over an encrypted channel.
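What the sniffer actually gets in the scheme described here (and in the card above on emanations, option C), as an added example that is not part of the original deck: the client sends H(password) and the server compares it with its hash file, so a captured message replays cleanly; a challenge-response exchange binds each login to a fresh nonce and the replay fails. The user name, the SHA-256 verifier, the message layout and the HMAC exchange are hypothetical and do not reproduce any real authentication protocol.

```python
# Added example, not from the flashcard deck: what a sniffer gets in the
# scheme the card describes (client sends H(password), server compares it
# with its hash file) versus a challenge-response exchange. Names, the
# SHA-256 verifier and the message layout are hypothetical, not any real
# authentication protocol.
import hashlib
import hmac
import os

PASSWORD = "correct horse battery staple"  # constructed sample credential


def make_verifier(password):
    """One-way hash stored in the server's password file instead of the password."""
    return hashlib.sha256(password.encode()).digest()


SERVER_DB = {"alice": make_verifier(PASSWORD)}


# Scheme 1: the workstation hashes the password and sends the hash itself.
def client_hash_only(user, password):
    return (user, make_verifier(password))


def server_hash_only(msg):
    user, presented = msg
    stored = SERVER_DB.get(user)
    return stored is not None and hmac.compare_digest(presented, stored)


# Scheme 2: the server sends a fresh random challenge; the client answers
# with HMAC(verifier, challenge). The verifier never crosses the wire.
def server_challenge():
    return os.urandom(16)


def client_response(user, password, challenge):
    return (user, hmac.new(make_verifier(password), challenge, hashlib.sha256).digest())


def server_verify(msg, challenge):
    user, response = msg
    stored = SERVER_DB.get(user)
    if stored is None:
        return False
    expected = hmac.new(stored, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(response, expected)


def replay_sniffed_hash():
    """Attacker captured Alice's (user, hash) message and replays it verbatim.
    The password was never on the wire, but the hash alone logs the attacker in."""
    captured = client_hash_only("alice", PASSWORD)
    return server_hash_only(captured)


def replay_sniffed_response():
    """Same replay against scheme 2: the captured response was bound to an
    old challenge, so it is rejected once the server issues a new one.
    Returns (legitimate_login_ok, replay_ok)."""
    c1 = server_challenge()
    captured = client_response("alice", PASSWORD, c1)
    legitimate_ok = server_verify(captured, c1)
    c2 = server_challenge()
    replay_ok = server_verify(captured, c2)
    return legitimate_ok, replay_ok


if __name__ == "__main__":
    print("hash-only scheme, replayed hash accepted:", replay_sniffed_hash())
    print("challenge-response (legitimate, replay):", replay_sniffed_response())
```

Two limits of scheme 2 are worth keeping in mind. A sniffer who records a (challenge, response) pair can still mount an offline dictionary attack against a weak password, since the verifier is an unsalted hash of it here; and the stored verifier is itself a password equivalent if the server's file is stolen. Production systems therefore salt and stretch the verifier and wrap the exchange in TLS or Kerberos rather than relying on the challenge alone.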

194

Ron is a new security manager and needs to help ensure that his company can easily work with international entities in the case of cybercrime activities. His company is expanding their offerings to include cloud computing to their customers, which are from all over the world. Ron knows that several of their partners work in Europe, who would like to take advantage of his company’s cloud computing offerings.

25. Ron needs to make sure the executives of his company are aware of issues pertaining to transmitting privacy data over international boundaries. Which of the following should Ron be prepared to brief his bosses on pertaining to this issue?

  A. OECD Guidelines

  B. Exigent circumstances

  C. Australian Computer Emergency Response Team’s General Guidelines

  D. International Organization on Computer Evidence

25. A. Global organizations that move data across other countries’ boundaries must be aware of and follow the Organisation for Economic Co-operation and Development (OECD) Guidelines, which deal with the protection of privacy and transborder flows of personal data.

195

Business Records Exception

A legal exception to the U.S. hearsay rule in the Federal Rules of Evidence (FRE 803(6)) is called the business records exception rule or business entry rule: records made and kept in the regular course of business, such as system logs generated automatically as part of normal operations, can be admitted even though they would otherwise be hearsay.

196

Software Protection Association (SPA)

Not every country recognizes software piracy as a crime, but several international organizations have made strides in curbing the practice. The Software Protection Association (SPA) has been formed by major companies to enforce proprietary rights of software. The association was created to protect the founding companies’ software developments, but it also helps others ensure that their software is properly licensed. These are huge issues for companies that develop and produce software, because a majority of their revenue comes from licensing fees.

197

19. What type of common law deals with violations committed by individuals against government laws, which are created to protect the public?

A. Criminal law

B. Civil law

C. Tort law

D. Regulatory law

Extended Questions:

CORRECT A. Criminal law is used when an individual’s conduct violates the government’s laws, which have been developed to protect the public. Jail sentences are commonly the punishment for criminal law cases, whereas in civil law cases the punishment is usually an amount of money that the liable individual must pay the victim. For example, in the O.J. Simpson case, he was first tried and found not guilty in the criminal law case, but then was found liable in the civil law case. This seeming contradiction can happen because the burden of proof is lower in civil cases than in criminal cases.

WRONG B is incorrect because civil law deals with wrongs against individuals or companies that result in damages or loss. This is referred to as tort law. Examples include trespassing, battery, negligence, and products liability. A civil lawsuit would result in financial restitution and/or community service instead of jail sentences. When someone sues another person in civil court, the jury decides upon liability instead of innocence or guilt. If the jury determines the defendant is liable for the act, then the jury decides upon the punitive damages of the case.

WRONG C is incorrect because tort law is another name for civil law, which deals with wrongs committed against individuals or companies that result in injury or damages. Civil law does not use prison time as a punishment, but usually requires financial restitution.

WRONG D is incorrect because regulatory law deals with regulatory standards that regulate performance and conduct. Government agencies create these standards, which are applied to companies and organizations within those specific industries. Some examples of regulatory laws could be that every building used for business must have a fire detection and suppression system, must have easily seen exit signs, and cannot have blocked doors, in case of a fire. Companies that produce and package food and drug products are regulated by many standards so the public is protected and aware of their actions.

198

Some examples of computer-assisted crimes are

  • Attacking financial systems to carry out theft of funds and/or sensitive information
  • Obtaining military and intelligence material by attacking military systems
  • Carrying out industrial spying by attacking competitors and gathering confidential business data
  • Carrying out information warfare activities by attacking critical national infrastructure systems
  • Carrying out hacktivism, which is protesting a government or company’s activities by attacking their systems and/or defacing their web sites.

199

25. What concept states that a criminal leaves something behind and takes something with them?

A. Modus Operandi

B. Profiling

C. Locard’s Principle of Exchange

D. Motive, Opportunity, and Means

Extended Questions:

CORRECT C. Locard’s Principle of Exchange provides information that is useful for profiling. The principle states that a criminal leaves something behind and takes something with him. This principle is the foundation of criminalistics. Even in an entirely digital crime scene, Locard’s Principle of Exchange can shed light on who the perpetrator(s) may be.

WRONG A is incorrect because Modus Operandi (MO) refers to a distinct method criminals use to carry out their crime that can be used to help identify them. For example, an MO for computer criminals may include the use of specific hacking tools, or targeting specific systems or networks. The method usually involves repetitive signature behaviors, such as sending e-mail messages or programming syntax. Knowledge of the criminal’s MO and signature behaviors can be useful throughout the investigative process. Law enforcement can use the information to identify other offenses by the same criminal, for example.

WRONG B is incorrect because profiling (or psychological crime scene analysis) is an investigative technique that involves developing behavioral or characteristic patterns of an attacker who has not been caught. By creating an outline of an attacker’s characteristics, the investigative team may gain insight into the attacker’s thought processes that can then be used to identify him or, at the very least, the tool he used to conduct the crime. Locard’s Principle of Exchange, which states that a criminal leaves something behind and takes something with him, provides information that is useful for profiling.

WRONG D is incorrect because Motive, Opportunity, and Means is a strategy used to determine the suspects of a crime. Motive refers to the "who" and "why" of a crime. Determining the motive for a crime can help investigators identify who would carry out the activity. Opportunity refers to the "where" and "when" of a crime. This is usually a vulnerability or weakness in the environment that allowed the criminal to be successful. Means refers to the capabilities required for the criminal’s activities to be successful. Does the criminal have the skills required to hack into a system, for example?

200

19. What is one reason why successfully prosecuting computer crimes is so challenging?

  A. There is no way to capture electrical data reliably.

  B. The evidence in computer cases does not follow best evidence directives.

  C. These crimes do not always fall into the traditional criminal activity categories.

  D. Wiretapping is hard to do legally.

19. C. We have an infrastructure set up to investigate and prosecute crimes: law enforcement, laws, lawyers, courts, juries, judges, and so on. This infrastructure has a long history of prosecuting "traditional" crimes. Only in the last ten years or so have computer crimes been prosecuted more regularly; thus, these types of crimes are not fully rooted in the legal system with all of the necessary and useful precedents.

201

Opinion Evidence

When a witness testifies, the opinion rule dictates that she must testify to only the facts of the issue and not her opinion of the facts. This is slightly different from when an expert witness is used, because an expert is used primarily for his educated opinion. Most lawyers call in expert witnesses to testify and help the defending or prosecuting sides better understand the subject matter so they can help the judge and jury better understand the matters of the case.

202

Internal Protection of Intellectual Property

Ensuring that specific resources are protected by the previously mentioned laws is very important, but other measures must be taken internally to make sure the resources that are confidential in nature are properly identified and protected.

203

Federal Information Security Management Act (FISMA)

The Federal Information Security Management Act (FISMA) of 2002 is a U.S. law that requires every federal agency to create, document, and implement an agency-wide security program to provide protection for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. It explicitly emphasizes a "risk-based policy for cost-effective security."

204

28. The common law system is broken down into which of the following categories?

A. Common, civil, criminal

B. Legislation, bills, regulatory

C. Civil, criminal, regulatory

D. Legislation, bills, civil

Extended Questions:

CORRECT C. The common law system is broken down into the following:

• Criminal

  • Based on common law, statutory law, or a combination of both.

  • Addresses behavior that is considered harmful to society.

  • Punishment usually involves a loss of freedom, such as incarceration, or monetary fines.

• Civil/tort

  • Offshoot of criminal law.

  • Under civil law, the defendant owes a legal duty to the victim. In other words, the defendant is obligated to conform to a particular standard of conduct, usually set by what a "reasonable man of ordinary prudence" would do to prevent foreseeable injury to the victim.

• Administrative (regulatory)

  • Laws and legal principles created by administrative agencies to address a number of areas, including international trade, manufacturing, environment, and immigration.

WRONG A is incorrect because it only lists two categories of a common law system and incorrectly lists the third category as "common." The correct third category is regulatory.

WRONG B is incorrect because this answer does not list categories of a legal system. Legislation (or "statutory law") is law that has been enacted by a legislature or other governing body. A bill is a proposed law under consideration by a legislature. Regulatory relates to administrative regulation laws that are enforced by a governing body. These are components that make up a legal system, but do not represent the specific categories of a common law system.

WRONG D is incorrect because this answer does not list categories of a legal system. Legislation (or "statutory law") is law that has been enacted by a legislature or other governing body. A bill is a proposed law under consideration by a legislature. The answer does list civil, which is one category of the common law system.

205

trade secret

A trade secret is something that is proprietary to a company and important for its survival and profitability. An example of a trade secret is the formula used for a soft drink, such as Coke or Pepsi. The resource that is claimed to be a trade secret must be confidential and protected with certain security precautions and actions. A trade secret could also be a new form of mathematics, the source code of a program, a method of making the perfect jelly bean, or ingredients for a special secret sauce. A trade secret has no expiration date unless the information is no longer secret or no longer provides economic benefit to the company.

206

Copyright

In the United States, copyright law protects the right of an author to control the public distribution, reproduction, display, and adaptation of his original work. The law covers many categories of work: pictorial, graphic, musical, dramatic, literary, pantomime, motion picture, sculptural, sound recording, and architectural. Copyright law does not cover the specific resource, as does trade secret law. It protects the expression of the idea of the resource instead of the resource itself. A copyright is usually used to protect an author’s writings, an artist’s drawings, a programmer’s source code, or specific rhythms and structures of a musician’s creation. Computer programs and manuals are just two examples of items protected under the Federal Copyright Act. The item is covered under copyright law once the program or manual has been written. Although including a warning and the copyright symbol (©) is not required, doing so is encouraged so others cannot claim innocence after copying another’s work.

207

Personally identifiable information (PII)

Personally identifiable information (PII) is data that can be used to uniquely identify, contact, or locate a single person or can be used with other sources to uniquely identify a single individual. It needs to be highly protected because it is commonly used in identity theft, financial crimes, and various criminal activities.

208

Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act (HIPAA), a U.S. federal regulation, has been mandated to provide national standards and procedures for the storage, use, and transmission of personal medical information and healthcare data. This regulation provides a framework and guidelines to ensure security, integrity, and privacy when handling confidential medical information. HIPAA outlines how security should be managed for any facility that creates, accesses, shares, or destroys medical information.

209

Security

Reasonable efforts must be made to prevent loss of collected information.

210

Financial Privacy Rule

Provide each consumer with a privacy notice that explains the data collected about the consumer, where that data are shared, how that data are used, and how that data are protected. The notice must also identify the consumer’s right to opt out of the data being shared with unaffiliated parties pursuant to the provisions of the Fair Credit Reporting Act.

211

FISMA requires agency program officials, chief information officers, and inspectors general (IGs) to conduct annual reviews of the agency’s information security program and report the results to the Office of Management and Budget (OMB). OMB uses these data to assist in its oversight responsibilities and to prepare its annual report to Congress on agency compliance with the act. Requirements of FISMA are as follows:

  • Inventory of information systems
  • Categorize information and information systems according to risk level
  • Security controls
  • Risk assessment
  • System security plan
  • Certification and accreditation
  • Continuous monitoring

212

Federal Sentencing Guidelines for Organizations (FSGO)

The Federal Sentencing Guidelines for Organizations (FSGO) is an outline of ethical requirements, and in some cases will reduce the criminal sentencing and liability if ethical programs are put in place. This was updated with requirements that made it much more important for the senior executives and board members of an organization to actively participate in and be aware of the ethics program in an organization. The intent is to enforce and foster a sense of due diligence that will detect criminal activity as well as protect against it and deter it from happening. Aspects of the Sarbanes-Oxley Act of 2002 are intended to function in much the same manner but with regard to accounting and truthfulness in corporate reporting.

213

20. When can executives be charged with negligence?

  A. If they follow the transborder laws

  B. If they do not properly report and prosecute attackers

  C. If they properly inform users that they may be monitored

  D. If they do not practice due care when protecting resources

20. D. Executives are held to a certain standard and are expected to act responsibly when running and protecting a company. These standards and expectations equate to the due care concept under the law. Due care means to carry out activities that a reasonable person would be expected to carry out in the same situation. If an executive acts irresponsibly in any way, she can be seen as not practicing due care and be held negligent.

214

29. Privacy is becoming more threatened as the world relies more and more on technology. There are several approaches to addressing privacy, including the generic approach and regulation by industry. Which of the following best describes these two approaches?

A. The generic approach is vertical enactment. Regulation by industry is horizontal enactment.

B. The generic approach is horizontal enactment. Regulation by industry is vertical enactment.

C. The generic approach is government enforced. Regulation by industry is self-enforced.

D. The generic approach is self-enforced. Regulation by industry is government enforced.

Extended Questions:

CORRECT B. The generic approach is horizontal enactment—rules that stretch across all industry boundaries. It affects all industries, including government. Regulation by industry is vertical enactment. It defines requirements for specific verticals, such as the financial sector and health care.

WRONG A is incorrect because the generic approach is horizontal enactment. Regulation by industry is vertical enactment. This answer has the two definitions switched.

WRONG C is incorrect because generic and vertical approaches to regulatory enforcement can be government or industry. Generic just means that privacy protection is enforced across various industries. Vertical means that privacy protection is specific to one industry.

WRONG D is incorrect because generic and vertical approaches can be enforced by the government or carried out through self-enforcement. The terms "generic" and "vertical" have nothing to do with who enforces the privacy protection rules; they just specify if a specific industry is targeted or if the rules apply to several industries in the same manner.

The following scenario will be used for questions 30 and 31.

215

Hearsay Evidence

Hearsay evidence pertains to oral or written evidence presented in court that is secondhand and has no firsthand proof of accuracy or reliability. If a witness testifies about something he heard someone else say, it is too far removed from fact and has too many variables that can cloud the truth. If business documents were made during regular business routines, they may be admissible. However, if these records were made just to be presented in court, they could be categorized as hearsay evidence.

216

key performance indicators (KPI)

It is common for organizations to develop governance, risk, and compliance (GRC) programs, which allow for the integration and alignment of the activities that take place in each one of these silos of a security program. If the same key performance indicators (KPI) are used in the governance, risk, and compliance auditing activities, then the resulting reports can effectively illustrate the overlap and integration of these different concepts. For example, if an organization is not compliant with various HIPAA requirements, this is a type of risk that management must be aware of so that the right activities and controls can be put into place. Also, how does executive management carry out security governance if it does not understand the risks the company is facing and the outstanding compliance issues? It is important for all of these things to be understood by the decision makers in a holistic manner so that they can make the best decisions pertaining to protecting the organization as a whole. The agreed-upon KPI values are commonly provided to executive management in dashboards or scorecard formats, which allow them to quickly understand the health of the organization from a GRC point of view.

217

Organisation for Economic Co-operation and Development (OECD)

Global organizations that move data across other countries’ boundaries must be aware of and follow the Organisation for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. Since most countries have a different set of laws pertaining to the definition of private data and how it should be protected, international trade and business get more convoluted, which can negatively affect the economies of nations. The OECD is an international organization that helps different governments come together and tackle the economic, social, and governance challenges of a globalized economy. Because of this, the OECD came up with guidelines for the various countries to follow so that data are properly protected and everyone follows the same type of rules.

218

26. Which of the following was the first international treaty seeking to address computer crimes by coordinating national laws and improving investigative techniques and international cooperation?

A. Council of Global Convention on Cybercrime

B. Council of Europe Convention on Cybercrime

C. Organisation for Economic Co-operation and Development

D. Organisation for Cybercrime Co-operation and Development

Extended Questions:

CORRECT B. The Council of Europe (CoE) Convention on Cybercrime is one example of an attempt to create a standard international response to cybercrime. It is the first international treaty seeking to address computer crimes by coordinating national laws and improving investigative techniques and international cooperation. The convention’s objectives include the creation of a framework for establishing jurisdiction and extradition of the accused. For example, extradition can only take place when the event is a crime in both jurisdictions.

WRONG A is incorrect because it is a distracter answer. The official name for the treaty is Council of Europe Convention on Cybercrime. It serves as a guideline for any country developing comprehensive national legislation against cybercrime and as a framework for international cooperation between state parties to this treaty.

WRONG C is incorrect because the Organisation for Economic Co-operation and Development (OECD) is an international organization that helps different governments come together and tackle the economic, social, and governance challenges of a globalized economy. Because of this, the OECD came up with guidelines for the various countries to follow so that data are properly protected and everyone follows the same type of rules.

WRONG D is incorrect because this is a distracter answer. There is no official entity with this name.

219

The Many Facets of Cyberlaw

Legal issues are very important to companies because a violation of legal commitments can be damaging to a company’s bottom line and its reputation. A company has many ethical and legal responsibilities it is liable for in regard to computer fraud. The more knowledge one has about these responsibilities, the easier it is to stay within the proper boundaries.

220

• Based on previous interpretations of laws:
  • In the past, judges would walk throughout the country enforcing laws and settling disputes.
  • They did not have a written set of laws, so they based their laws on custom and precedent.
  • In the 12th century, the King of England imposed a unified legal system that was "common" to the entire country.
  • Reflects the community’s morals and expectations.
  • Led to the creation of barristers, or lawyers, who actively participate in the litigation process through the presentation of evidence and arguments.
  • Today, the common law system uses judges and juries of peers. If the jury trial is waived, the judge decides the facts.
  • Typical systems consist of a higher court, several intermediate appellate courts, and many local trial courts. Precedent flows down through this system. Tradition also allows for "magistrate’s courts," which address administrative decisions.
  • The common law system is broken down into the following:
    • Criminal
      • Based on common law, statutory law, or a combination of both.
      • Addresses behavior that is considered harmful to society.
      • Punishment usually involves a loss of freedom, such as incarceration, or monetary fines.
    • Civil/tort
      • Offshoot of criminal law.
      • Under civil law, the defendant owes a legal duty to the victim. In other words, the defendant is obligated to conform to a particular standard of conduct, usually set by what a "reasonable man of ordinary prudence" would do to prevent foreseeable injury to the victim.
      • The defendant’s breach of that duty causes injury to the victim; usually physical or financial.
      • Categories of civil law: