Leg, Inv and Comp Flashcards
(119 cards)
1
Q
What are the three major categories of law in the US
A
Civil, criminal and adminstrative
2
Q
Under criminal law, what does burden of proof mean?
A
Judge or jury must believe beyond a reasonable doubt that the defendant is guilty.
3
Q
Classifications in criminal law are split into two categories. What are they?
A
Felony and misdemeanour
4
Q
Civil Penalties do not provide a jail term, and instead provide financial restitution to the victim. True or False?
A
True
5
Q
What three types of civil penalties are there?
A
Compensatory (damages, legal fees, lost profits)
Punitive (punish the offender)
Statutory (violating the law)
6
Q
Under civil law, what does burden of proof mean?
A
Judge or Jury believes they are guilty based on evidence
7
Q
Liability and due care relate to civil law and which other type?
A
Administrative
8
Q
If the cost of implementing a safeguard is less than the cost of the estimated loss, could an organisation be held liable?
A
Yes
9
Q
What does proximate causation mean?
A
An action taken or not taken was part of a sequence of events that resulted in negative consequences.
10
Q
Which rule requires an individual to perform the following duties?
- In good faith
- In the best interests of the enterprise
- With the care and diligence that ordinary, prudent people in a similar position would exercise under similar circumstances
A
The Prudent Man Rule
11
Q
In information security the steps that an individual or organisations take to perform their duties and implement information security best practices are otherwise known as what?
A
Due care
12
Q
in the context of information security, research into risk identification and risk management can otherwise be known as what?
A
Due diligence
13
Q
What term is used to describe an organisation that fails to follow a standard of due care in the protection of its assets
A
Culpable Negligence
14
Q
Which type of law defines standards of performance and conduct for major industries, organisations and officials?
A
Administrative (Regulatory)
15
Q
What is a mixed law system otherwise known as, ie religious and civil for example?
A
Pluralistic
16
Q
A novice or less experienced hacker can otherwise be known as what?
A
Script Kiddie
17
Q
An ideological attack is commonly known by which term?
A
Hactivism
18
Q
Intellectual Property is protected under US law under which 4 classifications?
A
Trade Secrets
Copyright
Patents
Trademarks
19
Q
International protection for patents is otherwise known as?
A
The Patent Cooperation Treaty
20
Q
A newly granted patent is valid for how many years?
A
20
21
Q
The grant of a property right to an inventor is otherwise known as what?
A
Patent
22
Q
A word, name, symbol or device is commonly protected by what?
A
Trademark
23
Q
In the US which Act is used to protect trademarks?
A
The Trademark Law Treaty Implementation Act
24
Q
What term is used to protect authors of “original works of authorship” whether published or not?
A
Copyright
25
Object code or documentation would commonly be protect by what?
Copyright
26
Traditionally how long does a copyright of works last for?
An authors lifetime plus 70 years
27
In the US which Act is used to protect copyright?
The Copyright Act 1976
28
Proprietary or business related information that a company or individual uses and has exclusive rights to is commonly known as what?
Trade Secret
29
The following are requirements of which type of intellectual property?
- must be genuine and not obvious
- must provide the owner a competitive or economic advantage
- must be reasonably protect from disclosure
Trade Secret
30
The EU Privacy Rules define what requirements? 7 in total
- collected lawfully and fairly
- used for original purpose that it was collected for and for a reasonable period only
- must be accurate and up to date
- must be accessible to individuals whom data it is
- individuals have the right to correct their data
- cannot be disclosed to third parties unless required by law or consent granted by individual
- transmission of personal data to locations where the location does not have equivalent privacy laws is prohibited
31
The US Federal Privacy Act 1974 is used to protect what?
records and information maintained by US government agencies about US citizens and lawful permanent residents
32
The US Federal Privacy Act 1974 has which requirements? 3
- no agency may disclose information about an individual, unless written request received by individual
- provisions for individual access to their information
- provisions for amendments of that information by the individual concerned
33
The US Health Insurance Portability and Accountability Act 1996 (HIPAA) is used to protect what?
individually identifiable health information
34
Which 3 organisations must comply with HIPAA?
```
Health Insurers (Payers)
Health Providers (Hospitals)
Healthcare clearinghouses (public or private entity that facilitates or processes non-standard data elements of health information into standard data elements), e.g. data warehouse.
```
35
The following are provisions of which law?
- broadens the scope of HIPAA compliance to include additional third parties such as pharmacies, claims processing/billing companies, persons performing legal/accounting/admin work.
- promotes the adoption of electronic health records
- notification when the security/privacy of unsecured electronic healthcare information has been breached.
- issuance of technical guidance on the technologies/methodologies used to render electronic information unusable in the event that it's breached.
HITECH - US Health Information Technology for Economic and Clinical Health Act 2009
36
regarding HITECH, what are the two notification requirements depending on amount of data breached?
- if over 500, breach must be reported to HHS, media outlets and individuals affected.
- if less than 500, breach must be reported to HHS secretary annually and to individuals affected.
37
Which Act requires financial institutions to protect their customers personal identifiable information?
US Gramm-Leach-Bliley Financial Services Modernization Act PL 106-102 (GLBA)
38
What are the 3 rules of GLBA?
- Financial Privacy Rule
- Safeguard Rule
- Pretexting Protection
39
What is the financial privacy rule in relation to GLBA?
Requires each financial institution to provide information to each customer regarding the protection of each customers personal information
40
What is the safeguard rule in relation to GLBA?
Requires each financial institution to develop a formal written security plan
41
What is Pretexting Protection in relation to GLBA?
Requires each financial institution to take precautions to prevent attempts by social engineers to acquire private customer information
42
What are the 8 principles of the data protection act?
- Information process fairly and lawfully
- obtained for one or more specified and lawful purposes and not processed other than for the original reason for which it was obtained
- personal data shall be adequate, relevant and not excessive in relation to the purpose for which it is processed
- Shall be accurate and up to date where necessary
- shall not be kept longer than necessary, ie purpose for which it was originally obtained
- shall be processed in accordance with the rights of the data subject
- appropriate technical/organisational measures taken to protect information
- Shall not be transferred to a country/territory outside the European Economic Area, unless they have equivalent privacy rights in place
43
What are the 6 principles of PCI-DSS
1. Build and maintain a secure network
2. Protect cardholder data
3. Maintain a vulnerability management program
4. Implement strong access control measures
5. Regular monitor and test networks
6. Maintain an information security policy
44
What are the two requirements of PCI-DSS Principle 1: Build and maintain a secure network?
1. Install and maintain a firewall configuration to protect cardholder data.
2. Don't use vendor supplied defaults for system password or other security parameters
45
What are the two requirements of PCI-DSS Principle 2: Protect Cardholder data?
1. Protect stored cardholder data
| 2. Encrypt transmission of cardholder data across open/public networks.
46
What are the two requirements of PCI-DSS Principle 3: Maintain a vulnerability management program?
1. use and reguarly update Anti-virus software
| 2. Develop and maintain secure systems and applications
47
What are the three requirements of PCI-DSS Principle 4: Implement strong access control measures?
1. restrict access to cardholder data by business need to know
2. assign a unique ID to each person that has computer access
3. restrict physical access to cardholder data
48
What are the two requirements of PCI-DSS Principle 5: Reguarly monitor and test networks?
1. Track and monitor all access to network resources and cardholder data
2. reguarly test security systems and processes
49
What is the one requirement of PCI-DSS Principle 6: Maintain an information security policy?
1. maintain a policy that addresses information security
50
What is the main disclosure Act called in the US? (not currently legal)
Data Accountability and Trust Act (DATA)
51
Which Act covers the following 3 areas?
- classified national defence or foreign relation information
- records of financial institutions or credit reporting agencies
- government computers
The US Computer Fraud and Abuse Act 1986
52
What are the three offences established by the US Computer Fraud and Abuse Act 1986?
- Unauthorised access to a federal computer for purposes of fraud (felony)
- Altering, damaging or destroying information on a federal interest computer (felony)
- trafficking in computer passwords or similar information (Misdemeanour)
53
A "protected" computer is otherwise known as what in the Computer Fraud and Abuse Act 1986?
Federal
54
Amendments to the Computer Fraud and Abuse Act 1986 include what 5 provisions in relation to computer crime?
- Unauthorised access to a computer that results in disclosure of US defence information.
- unauthorised access to a "protected computer"
- unauthorised access to a "protected" computer that affects use of that computer
- unauthorised access to a "protected" computer causing damage or intentionally transmitting malicious code that causes damage to a "protected" computer
- transmission of interstate or foreign commerce communication threatening to cause damage to a "protected" computer.
55
What is the main computer crime act in the US?
The Computer Fraud and Abuse Act 1986
56
In the US which Act provides the legal basis for network monitoring?
The US Electronic Communications Privacy Act 1986 (ECPA)
57
Which Act provides the following:
- requires federal agencies to take extra measures to prevent unauthorised access to computers containing sensitive information
- identify and develop security plans for sensitive systems
- security-related awareness training for employees
- assigns formal government responsibility to NIST (National Institute of Standards and Technology) for computer security standards.
- assigns cryptography to the National Security Agency (NSA) for classified government/military systems
US Computer Security Act 1987
58
The US Federal Sentencing Guidelines 1991 provides which 3 things?
- written standards of conduct for organisations
- relief in sentencing for organisations that have demonstrated due diligence
- responsibility for due care on senior management
59
The US Economic Espionage Act 1996 provides what main thing?
industrial espionage, ie trade secrets from other organisations
60
Which act in the US targets Child pornography?
US Child Pornography Prevention Act 1996
61
The USA Patriot Act 2001 stands for what?
Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act 2001
62
Sections of relevance in the USA PATRIOT Act 2001
- Authority to intercept wire, oral and electronic communications relating to computer fraud and abuse offences
- Seizure of voicemail messages pursuant to warrants
- Scope of subpoenas for records of electronic communication
- Clarification of scope
- Emergency disclosure of electronic communication to protect life or limb
- Pen Register and Trap and Trace Authority under FISA (Foreign Intelligence Surveillance Act)
- Interception of Computer Trespasser Communications
- Nationwide service of search warrants for electronic evidence
- Deterrence and prevention of cyber-terrorism
- Additional defence to civil actions relating to preserving records in response to government requests
- development and support of cyber-security forensic capabilities
63
What is a pen/trap device?
pen register shows outgoing number called from a phone and a trap and trace device that shows incoming numbers to that phone.
64
Which act was introduced to create and strengthen existing standards for public corporations and public accounting firms including auditing, governance and financial disclosures?
The US Sarbanes-Oxley Act of 2002
65
What does the US CAN-SPAM Act 2003 (Controlling the Assault of Non-solicited Pornography and Marketing) provide?
Establishes standards for sending commercial email messages
66
Directive 95/46/EC on the protection of personal data (1995 EU) states what?
that personal data should not be processed at all unless certain conditions have been met. (relates to European citizens)
67
Which Act permits US based organisations to certify themselves as properly handling private data belonging to European citizens?
Safe Harbour Act 1998
68
What is the purpose of the Council of Europe's Convention on Cybercrime (2001)?
requires criminal laws to be established in signatory nations for computer hacking activities, child pornography and intellectual property violations. also attempts to improve international cooperation with respect to monitoring, investigations and prosecutions
69
What are the three offences relating to computer crime in the Computer Misuse Act 1990? UK (known as cybercrime act 2001 in Australia)
- unauthorised access whether successful or unsuccessful
- unauthorised modification
- hindering authorised access (Denial of Service)
70
Most evidence gathered in a computer crime case is generally categorised as what?
- Direct evidence
- Real evidence
- Documentary evidence
- Demonstrative evidence
- Documentary evidence
71
```
What is original, unaltered evidence defined as?
Best
Secondary
Corroborative
Conclusive
Circumstantial
```
Best
72
```
What would a duplicate or copy of evidence such as tape backup, screen capture or photograph be defined as?
Best
Secondary
Corroborative
Conclusive
Circumstantial
```
Secondary
73
```
What type of evidence supports or substantiates other evidence presented in a case?
Best
Secondary
Corroborative
Conclusive
Circumstantial
```
Corroborative
74
```
What type of evidence would be defined as irrefutable?
Best
Secondary
Corroborative
Conclusive
Circumstantial
```
Conclusive
75
```
What type of evidence would you associate relevant facts that you can't directly or conclusively connect to other events be commonly known as?
Best
Secondary
Corroborative
Conclusive
Circumstantial
```
Circumstantial
76
Can data that's extracted from a computer be considered best evidence?
Yes, if it is a fair and accurate representation of the original data.
77
What type of rule defines evidence that is not based on personal, first-hand knowledge of a witness, but rather comes from other sources?
Hearsay rule
78
Do some courts consider a computer stored record containing a human statement as hearsay evidence?
Yes
79
Do some courts consider computer generated records untouched by humans as hearsay evidence?
No
80
What is the common applied test of admissibility for computer records called?
business records exception
81
What are the 5 criteria for business records exception?
- made at or near the time the event occurred
- made by or transmitted by a person who has knowledge of the business process
- made and relied on during regular conduct of the business
- kept for motives that tend to assure their accuracy
- in the custody of the witness on a regular basis
82
what is the difference between entrapment and enticement?
entrapment encourages someone to commit a crime whereas enticement lures someone towards some evidence after the crime has already occurred (honey pot)
83
What are the 5 stages of the evidence life-cycle?
1. Collection and identification
2. Analysis
3. Storage, preservation and transportation
4. Presentation in court
5. Return to victim (owner)
84
What are the 4 circumstances in which law enforcement agencies can seize computer's or electronic evidence?
1. Voluntary or consensual
2. Subpoena
3. Search Warrant or Writ of possession
4. Exigent circumstances
85
What is the difference between a subpoena and a search warrant?
Subpoena issued to individual and search warrant issued to law enforcement agency
86
What are exigent circumstances?
If probable cause exists and the destruction of evidence is imminent, that evidence may be searched or seized without a warrant
87
When recording information in an evidence log, what 3 things must be captured?
Description of evidence
Name of person that has collect evidence
date, time, location and circumstances
88
What 4 areas are mentioned in the guidelines for how information should be marked?
- Mark the evidence
- or use an evidence tag
- seal the evidence
- protect the evidence
89
What is a MOM test in relation to conducting investigations?
Did the suspect have the Motive, Opportunity and Means.
90
What are the 6 steps of incident response?
1. Determine whether a security incident has occurred
2. Notify the appropriate people about the incident
3. Contain the incident (or damage)
4. Assess the damage
5. Recover normal operations
6. Evaluate incident response effectiveness
91
What is the difference between an investigation and incident response?
Investigation involves the gathering of evidence for possible prosecution. incident response focuses on containing the damage and resuming normal operations
92
What is the computer game fallacy?
any computer, system or network that is not properly protected is fair game.
93
what is the law abiding citizen fallacy?
if no physical theft is involved, an activity isn't really stealing
94
What is the Shatterproof Fallacy?
Any damage done will have a limited effect
95
What is the candy from a baby fallacy?
It's so easy, it can't be wrong
96
What is the hackers fallacy?
Computers provide a valuable means of learning, that will in turn benefit society.
97
What is the difference between a hacker and a cracker?
A cracker always does it at the expense of others
98
What is the free information fallacy?
Any and all information should be free so should be obtained through any means
99
What are the four canons in the ISC code of ethics?
1. Protect society, the commonwealth and the infrastructure
2. Act honourably, honestly, justly, responsibly and legally
3. Provide diligent and competent service to principles
4. Advance and protect the profession
100
What is the Internet Architecture Board? (ethics and the internet RFC 1087)
defines unethical and unacceptable behaviour on the internet
101
What is the Computer Ethics Institute?
ten commandments of computer ethics.
102
Wat is Tort Law?
deals with civil wrongs against an individual or business entity. compensation normally involves monetary values
103
What is customary law?
regionalised systems that reflect the society's norms and values based on programmatic wisdom and traditions.
104
Computer crimes can often be categorised into which 3 categories?
Computer as a tool
computers as the target of the crime
computers incidental to the crime.
105
What is the Council of European (COE) COnvention on Cybercrime?
international response to criminal behaviours
106
What organisation oversees interantional patent and trademark efforts?
WIPO World Intellectual property Organisatoin
107
What is an EULA?
End User Licensing Agreement
108
What is the difference between a master agreement and EULA?
master agreement sets out general overall conditions whereas EULA is more granular.
109
What is PII?
Personally Identifiable Information
110
What is the OECD (Organisation for Economic Cooperation and Development?
defines principles for securing personal information. broadly classifies principles based on differing internal laws and regulations
111
What Legal principles can be used as a checklist to determine whether employee monitoring is justified?
EU Directive (7 principles)
112
In the US which Act outlines minimum ethic requirements for computer use?
The 1991 US Federal Sentencing Guidelines for Organisations. (FSGO)
113
What is CEI?
Computer Ethics Institute. 10 commandments
114
What is the Internet Activities/Architecture Board?
ethical behaviour on internet
115
What is the National Computer Ethics and Responsibilities Campaign? (NCERC)
goal is to foster computer ethics awareness and education.
116
What is the Golden rule with regards ethics?
treat others as you wish to be treated
117
What is Kant's categorical imperative with regards ethics?
if an action is not right for everyone it is not right for anyone.
118
What is Descarts rule of change with regards ethics?
if an action is not repeatable at all times, it is not right at any time.
119
ulitarian?
acheives the most good
