41914F / 4A & 4B Laws, Investigations & Ethical Issues in Security (CIM3562) Test 1 Revision.

Presentation transcript:

Laws, Investigations & Ethical Issues in Security (CIM3562)
Date: 11th April 2013 (Monday), Week 32
Venue: CW/305
Duration: 1 hr. during Lecture (10:20am – 11:20am)
Coverage: Chapter 0 to Chapter 3 (up to Slide 61 – up to 3.4.7)
Section A: Multiple Choice (30%)
Section B: Short Questions (50%)
Section C: Long Questions (20%) – Case Study

Chapter 0 – HK Legal System
  Classification of Laws: Criminal Law & Civil Law
  The Court Hierarchy: Magistracy, District Court, High Court, Court of Appeal; Highest Level – Court of Final Appeal
  Major Sources of HK Laws: Basic Law, HK Ordinances, Case Law

Chapter 1
  What is a computer? Defined in HK Ordinance – Evidence Ordinance (Cap.8 S.22A): “Computer” is defined as “any device for storing, processing or retrieving information”.
  What is an information system? Defined in HK Ordinance – Electronic Transaction Ordinance (Cap.553) … … … => Check it out!
  What is computer related crime? Computer crime (computer related crime, technology crime, cyber crime) refers to any illegal act committed by application of computer technologies or usage of such technology as a means in the commission of the offence.

Chapter 1
  Three major categories of computer related crime:
    Crime that is directly targeted at the computer, e.g. hacking
    Crime that uses the Internet, e.g. online gambling, pornography
    Crime that involves the retrieval of digital data of evidential value, e.g. fraud – data storage or payment record
  Impacts of computer crime: loss of data and information, damage of IT resources, wasting bandwidth, unavailability of service … … …
  Tools for fighting computer crime: firewall, IDS/IPS, risk assessment, auditing
    Security for Server / Network => IPS/IDS, Firewall, Log, … …
    Client machine (e.g. MS Windows XP, MS Windows 7)

Chapter 2
  Governance of HKSAR Computer / Cyber Crime Ordinances – 3 major principles => a follower of global trend; maintain stability & prosperity; a free trading port
  Computer / Cyber Crime Ordinances: Telecommunications Ordinance, Crimes Ordinance, Theft Ordinance
  How to apply these ordinances in real cases? Identify which ordinance should be used; identify the key elements (with reference to the corresponding section(s) of the ordinance)

Chapter 2
  TWO perspectives from which to view cyber crime: Criminological, Computer Security
  HK Ordinances for advancement of Internet Technology: Copyright Ordinance, Control of Obscene and Indecent Articles Ordinance, Gambling Ordinance, Personal Data (Privacy) Ordinance
  5 groups of users for policing of cyberspace (with examples):
    Internet users and Internet user groups
    Internet service providers
    Private police agencies
    State-funded non-public police organizations
    State-funded police organizations

Chapter 3
  What is information security? Refers to the protection of information in order to achieve “C-I-A”: Confidentiality, Integrity and Availability
  Examples of threats and related security concerns, e.g. Denial of service attack – availability … … … …
  What are the three parties in e-Service? Individual (including customers and citizens), Business (including public organization) and Government (C, B and G) => B2B, B2C, G2C, G2B, G2B
  Security tools for electronic services: Secure Socket Layer (SSL), Secure Electronic Transaction (SET), Public Key Infrastructure (PKI) and Digital Certificate

Chapter 3
  TEN Common Vulnerabilities in Web Applications (OWASP):
    Cross site scripting (XSS)
    Injection Flaws
    Malicious File Execution
    Insecure Direct Object Reference
    Cross Site Request Forgery (CSRF)
    Information Leakage and Improper Error Handling
    Broken Authentication and Session Management
    Insecure Cryptographic Storage
    Insecure Communications
    Failure to Restrict URL Access
  Security Certification – Product Neutral
  Security Certification – Product Oriented
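The first two OWASP items above (XSS and Injection Flaws) are the ones most often asked about in the case-study section, so here is a small added illustration of each, written for this revision page rather than taken from the course slides: a lookup that pastes user input into SQL beside a parameterised version, and an HTML fragment built with and without output encoding. The table, the user rows and the probe strings are constructed for the example.

```python
import html
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory sample table (not from the course material)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, display_name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "Alice Chan"), ("bob", "Bob <Admin> Lee")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list[str]:
    # Injection flaw: the user-supplied value becomes part of the SQL text,
    # so quote characters in it change the meaning of the statement.
    sql = "SELECT display_name FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list[str]:
    # Parameterised query: the driver binds the value separately from the
    # statement, so the input can never be interpreted as SQL syntax.
    sql = "SELECT display_name FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def render_vulnerable(display_name: str) -> str:
    # Cross site scripting: untrusted data is placed in HTML unencoded,
    # so markup inside it is rendered by the browser.
    return "<p>Welcome, " + display_name + "</p>"


def render_hardened(display_name: str) -> str:
    # Output encoding turns <, >, &, " and ' into entities, so the browser
    # shows the characters instead of interpreting them as markup.
    return "<p>Welcome, " + html.escape(display_name, quote=True) + "</p>"


def demo() -> dict:
    """Run both forms side by side on a constructed tautology and script tag."""
    conn = build_db()
    probe = "x' OR '1'='1"          # constructed probe string
    script = "<script>alert(1)</script>"  # constructed probe string
    return {
        "vulnerable_rows": lookup_vulnerable(conn, probe),  # returns every row
        "hardened_rows": lookup_hardened(conn, probe),      # returns nothing
        "vulnerable_html": render_vulnerable(script),
        "hardened_html": render_hardened(script),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The detection angle for a defender is visible in the two "vulnerable" outputs: a lookup by a single username that returns more than one row, or an HTML response that echoes a raw `<script>` tag, are both observable symptoms that application logs or a web application firewall can be tuned to flag.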

Chapter 3 – Security Certification – Product Neutral
  DRI International's Business Continuity Professional Certificate (BCP) => CBCP, ABCP, CFCP, MBCP
  SANS Global Information Security Assurance Certifications (GIAC) => GCFW, GCIA, GCIH, GCSC, GBLC, GSAE
  (ISC)2 Information Security Certifications => CISSP, CSSLP, SSCP, CAPCM
  Information Systems Audit and Control Association (ISACA) Certifications => CISA, CISM, CGEIT
  ProfSoft Training’s Certified Internet Webmaster (CIW) Security Analyst => CIW
  Certified Wireless Security Professional (CWSP)
  The Security Certified Program (SCP) => SCNS, SCNO, SCNA

Chapter 3 – Security Certification – Product Oriented
  Symantec Certifications => CCSA, CCSE
  Cisco Certifications => CCSP, CCIE (Security)
Wireless Network
  Service Set Identifier (SSID)
  Wired Equivalent Privacy Protocol (WEP) – clear text during authentication process; phasing out
  Wi-Fi Protected Access (WPA) & Wi-Fi Protected Access 2 (WPA2) – using TKIP & support 802.1X (much better security)
  Advantage – low deployment cost
  Disadvantage – radio signals extend beyond the physical boundaries of the area they intend to cover => parking lot attack
Public Key Infrastructure Technology: digital certificate
  CA in HK: Hong Kong Post

Materials
  Note:
    (0) CIM3562_Intro Legal System(HK).ppt
    (1) CIM3562_Ch01.ppt
    (2) CIM3562_Ch02.ppt
    (3) CIM3562_Ch03.ppt (up to slide 61 only)
  Tutorials: Tutorial 1, Tutorial 2, Tutorial 3, Tutorial 4 (Case Studies)