1 The Broader Picture Chapter 12 Panko, Corporate Computer and Network Security Copyright 2004 Prentice-Hall
2 The Broader Picture Laws Governing Hacking and Other Computer Crimes Consumer Privacy Employee Workplace Monitoring Government Surveillance Cyberwar and Cyberterror Hardening the Internet Against Attack
3 Figure 12-1: Laws Governing Hacking U.S. National Laws Title 18, Section 1030 Enabling Legislation Computer Fraud and Abuse Act of 1986 National Information Infrastructure Protection Act of 1996 Homeland Security Act of 2002
4 Figure 12-1: Laws Governing Hacking U.S. National Laws Title 18, Section 1030 Prohibitions Criminalizes intentional access of protected computers without authorization or in excess of authorization (Hacking)
5 Figure 12-1: Laws Governing Hacking U.S. National Laws Title 18, Section 1030 Prohibitions Criminalizes the transmission of a program, information, code, or command that intentionally causes damage without authorization of a protected computer (Denial-of-Service and Viruses)
6 Figure 12-1: Laws Governing Hacking U.S. National Laws Title 18, Section 1030 Punishment For first offenses, usually 1-5 years; usually 10 years for second offenses For theft of sensitive government information, 10 years, with 20 years for repeat offense For attacks that harm or kill people, up to life in prison
7 Figure 12-1: Laws Governing Hacking U.S. National Laws Title 47 Electronic Communications Privacy Act of 1986 (ECMA) Prohibits the reading of information in transit and in storage after receipt Other federal laws for fraud, etc.
8 Figure 12-1: Laws Governing Hacking U.S. State Laws Federal laws only protect some computers State laws for purely intrastate crimes vary widely
9 Figure 12-1: Laws Governing Hacking Laws Around the World Vary The general situation: lack of solid laws in many countries Major virus attacks were not prosecuted in Taiwan and the Philippines for lack of relevant law
10 Figure 12-1: Laws Governing Hacking Laws Around the World Vary Cybercrime Treaty of 2001 Signatories must agree to create computer abuse laws and copyright protection Nations must agree to work together to prosecute attackers
11 The Broader Picture Laws Governing Hacking and Other Computer Crimes Consumer Privacy Employee Workplace Monitoring Government Surveillance Cyberwar and Cyberterror Hardening the Internet Against Attack
12 Figure 12-2: Consumer Privacy Introduction Scott McNealy of SUN Microsystems: “You have zero privacy now. Get over it!” But privacy is strong in European Union countries and many other countries
13 Figure 12-2: Consumer Privacy Credit Card Fraud and Identity Theft Widespread Concern (Gartner) One in 20 consumers had suffered credit card number theft in 2002 One in 50 consumers had suffered identity theft in 2002 Only about a fifth of this is online, but online theft is growing the most rapidly
14 Figure 12-2: Consumer Privacy Credit Card Fraud “Carders” steal credit card numbers Many merchants fail to protect credit card numbers stored on their servers Carders test and sell credit card numbers Criminals make unauthorized purchases In U.S., limited to $50 loss if report promptly Merchants also suffer fraud from carders
15 Figure 12-2: Consumer Privacy Identity Theft Fraud Criminals steal or compile considerable information about a person—name, credit card numbers, date of birth, social security number, address, etc. Impersonate the victim to get buy things, get loans, etc. With credit card fraud, victims find a problem in their next statement; but with identity theft, they may not know until they discover much later that their credit rating is ruined
16 Figure 12-2: Consumer Privacy Tracking Customer Behavior Within a website and sometimes across websites Some information is especially sensitive (health, political leanings, etc.) Access to data and analysis tools are revolutionizing the ability to learn about people
17 Figure 12-2: Consumer Privacy Tracking Customer Behavior What consumers wish for Disclosure of policies for What information will be collected? How this information will be used by the firm collecting the data? Whether and with whom the information will be shared
18 Figure 12-2: Consumer Privacy Tracking Customer Behavior What consumers wish for Ability of consumer to see and correct inaccurate personal information Limiting collection and analysis to operational business needs Limiting these needs Opt in: No use unless customer explicitly agrees
19 Figure 12-2: Consumer Privacy Corporate Responses Privacy disclosure statements TrustE certifies that corporate privacy behavior is consistent with the company’s stated privacy policy NOT that the policy is good for consumers Platform for Privacy Preferences (P3P); Standard format for searches of policy statements
20 Figure 12-2: Consumer Privacy Corporate Responses Federal Trade Commission Enforces privacy statements Does not specify what should be in the privacy statement Imposes fines and required long-term auditing
21 Figure 12-2: Consumer Privacy Corporate Responses Opt out: Customer must take action to stop data collection and sharing No opt: No way to stop data collection and sharing Passport and Liberty Alliance Identity management services Register once, giving personal information Give out to merchants selectively
22 Figure 12-2: Consumer Privacy Consumer Reactions Checking privacy disclosure statements (rare) Not accepting cookies (rarer) Anonymous websurfing services (extremely rare)
23 Figure 12-2: Consumer Privacy U.S. Privacy Laws No general law Health Information Portability and Accountability Act (HIPAA) of 1996 Protects privacy in hospitals and health organizations Focuses on protected information that identifies a patient
24 Figure 12-2: Consumer Privacy U.S. Privacy Laws Gramm-Leach-Bliley Act (GLBA) of 1999 Protects financial data Allows considerable information sharing Opt out can stop some information sharing
25 Figure 12-2: Consumer Privacy U.S. Privacy Laws Children’s Online Privacy Protection Act of 1998 Protects the collection of personal data from children under 13 Applies in child-oriented sites and any site that suspects a user is under 13. No protection for older children State privacy laws vary widely
26 Figure 12-2: Consumer Privacy International Laws European Union Charter of Fundamental Rights Right to protection of personal information Personal information must be processed for specific legitimate purposes Right to see and correct data Compliance overseen by independent authority
27 Figure 12-2: Consumer Privacy International Laws E.U. Data Protection Directive of 1995 Implements Charter privacy protections Opt out with opt in for sensitive information Access for review and rectification Independent oversight agency Data can be sent out of an EU country only to countries with “adequate” protections
28 Figure 12-2: Consumer Privacy International Laws Safe harbor Rules that U.S. firms must agree to follow to get personal data out of Europe Are GLBA rules to be considered in financial industries? E.U. is resisting.
29 The Broader Picture Laws Governing Hacking and Other Computer Crimes Consumer Privacy Employee Workplace Monitoring Government Surveillance Cyberwar and Cyberterror Hardening the Internet Against Attack
30 Figure 12-3: Employee Workplace Monitoring Monitoring Trends American Management Association survey monitoring use grew from 15% to 46% between 1997 and 2001 Internet connections in 2001: 63% monitored In 2001, 76% had disciplined an employee; 31% had terminated an employee
31 Figure 12-3: Employee Workplace Monitoring Why Monitor? Loss of productivity because of personal Internet and use Significant personal Internet and use is occurring Employees and companies generally agree that a small amount of personal use is acceptable Biggest concern is abnormally heavy personal use Some employees are addicted to personal use
32 Figure 12-3: Employee Workplace Monitoring Why Monitor? Harassment Title VII of the Civil Rights Act of 1964: sexual and racial harassment Pornography, other adult content are fairly common Monitoring for keywords can reduce pornography and harassment and provide a legal defense
33 Figure 12-3: Employee Workplace Monitoring Why Monitor? Viruses and other malware due to unauthorized software Trade secrets: Both sending and receiving must be stopped Commercially damaging communication behavior: Can harm reputation, generate lawsuits, and run afoul of stock manipulation laws
34 Figure 12-3: Employee Workplace Monitoring The Legal Basis for Monitoring Electronic Privacy Communications Act of 1986 Allows reading of communications by service provider (firm) Allows reading if subject agrees (make condition of employment) Courts have ruled that employee has no right to privacy when using corporate computers
35 Figure 12-3: Employee Workplace Monitoring The Legal Basis for Monitoring In United States, at-will employees can be disciplined, dismissed easily Must not discriminate by selective monitoring of target individual
36 Figure 12-3: Employee Workplace Monitoring The Legal Basis for Monitoring Unions often limit disciplining, agreement to be monitored However, new hires usually can be required to submit to monitoring as a condition of employment In multinational firms, stronger privacy and employment rules might exist
37 Figure 12-3: Employee Workplace Monitoring Should a Firm Monitor? Danger of backlash Are the negative consequences worth the gain?
38 Figure 12-3: Employee Workplace Monitoring Computer and Internet Use Policy Should Specify the Following No expectation of privacy Business use only (or very limited private use) No unauthorized software No pornography and harassment Damaging communication behavior Punishment for violating the policy Employee Training in Policy is Crucial
39 The Broader Picture Laws Governing Hacking and Other Computer Crimes Consumer Privacy Employee Workplace Monitoring Government Surveillance Cyberwar and Cyberterror Hardening the Internet Against Attack
40 Figure 12-4: Government Surveillance U.S. Tradition of Protection from Improper Searches No privacy protection in Constitution Fourth Amendment: No unreasonable searches and seizures Can search only with probable cause Can only search specific things FBI misuse of data collection during Hoover’s leadership
41 Figure 12-4: Government Surveillance Telephone Surveillance Wiretapping Federal Wiretap Act of 1968 for domestic crimes Foreign Intelligence Surveillance Act of 1978 (FISA) for international terrorists and agents of foreign governments Need warrant with probable cause and inability to get information by other means
42 Figure 12-4: Government Surveillance Telephone Surveillance Pen registers and trap and trace orders Pen registers: List of outgoing telephone numbers called Trap and trace: List of incoming telephone numbers Not as intrusive as wiretap because content of the call is not captured
43 Figure 12-4: Government Surveillance Telephone Surveillance Pen registers and trap and trace orders Electronic Communications Privacy Act of 1986 allows Must be based on information to be collected being likely to be relevant to ongoing investigation (weak) Judge cannot turn down warrant
44 Figure 12-4: Government Surveillance Telephone Surveillance Communications Assistance for Law Enforcement Act (CALEA) of 1994 Requires communication providers to install the technology needed to be able to provide data in response to warrants
45 Figure 12-4: Government Surveillance Telephone Surveillance Patriot Act of 2001 Extends roving wiretaps to FISA—follow the target across media Get billing information from telecommunications providers Get information on library usage
46 Figure 12-4: Government Surveillance Internet Surveillance Extends pen register and trap and trace to Internet traffic Same weak justification as for telephone traffic But much more intrusive: addresses, URLs (which can be visited), etc.
47 Figure 12-4: Government Surveillance Carnivore Monitoring computer placed at ISP FBI installs Carnivore computer, collects information Can limit filtering to restrictions of warrant No accountability through audit trails
48 Figure 12-4: Government Surveillance The Possible Future of Government Surveillance Intrusive airport security through face scanning Possible national ID cards New ability to gather and analyze information from many databases
49 The Broader Picture Laws Governing Hacking and Other Computer Crimes Consumer Privacy Employee Workplace Monitoring Government Surveillance Cyberwar and Cyberterror Hardening the Internet Against Attack
50 Figure 12-5: Cyberwar and Cyberterror Threats Attacking the IT infrastructure Using computers to attack the physical infrastructure (electrical power, sewage, etc.) Using the Internet to coordinate attacks
51 Figure 12-5: Cyberwar and Cyberterror Cyberwar Conducted by governments Direct damage Disrupting command and control Intelligence gathering Propaganda Industrial espionage Integrating cyberwar into war-fighting doctrines
52 Figure 12-5: Cyberwar and Cyberterror Cyberterrorism By semi-organized or organized groups Psychological focus Indirect economic impacts (for example, losses because of reduced travel after September 11, 2001, terrorist attacks) Goals are publicity and recruitment Indiscriminate damage
53 Figure 12-5: Cyberwar and Cyberterror Cyberterrorism Hacktivism—politically motivated attacks by unorganized or loosely organized groups Who is a terrorist? Spectrum from activism to full cyberterror
54 The Broader Picture Laws Governing Hacking and Other Computer Crimes Consumer Privacy Employee Workplace Monitoring Government Surveillance Cyberwar and Cyberterror Hardening the Internet Against Attack
55 Figure 12-5: Cyberwar and Cyberterror Building a National and International Response Strategy National governments Coordinated responses Intelligence gathering Research and training Economic incentives
56 Figure 12-5: Cyberwar and Cyberterror Building a National and International Response Strategy Private enterprise Importance of hardening individual firms Requiring hardening to meet responsibilities
57 Figure 12-5: Cyberwar and Cyberterror Hardening the Internet Hardening the telecommunications infrastructure with decentralization and other methods International cooperation is needed because of worldwide attackers Hardening the underlying telecommunications system Adding security to dialogs with VPNs
58 Figure 12-5: Cyberwar and Cyberterror Hardening the Internet Hardening Internet protocols IETF is making progress by adding confidentiality, authentication, and other protections to core Internet protocols The decision to do this is called the Danvers Doctrine Generally not using digital certificates in a public key infrastructure for strongest authentication
59 Figure 12-5: Cyberwar and Cyberterror Hardening the Internet Making the Internet forensic ISPs might be forced to collect and retain data for long periods of time ISPs might be forced to do egress filtering to stop attacks at the source The cost to ISPs would be high
60 Topics Covered Laws Governing Hacking and Other Computer Crimes U.S. National Laws Title 18, Section 1030 for hacking, DoS, and viruses—only for “protected” computers Title 47 Prohibits the reading of information in transit and in storage after receipt State laws for other computers vary widely
61 Topics Covered Laws Governing Hacking and Other Computer Crimes Laws Around the World Vary The general situation: lack of solid laws in many countries Cybercrime Treaty of 2001 requires signatories to create laws, cooperate in enforcement
62 Topics Covered Consumer Privacy Consumer Privacy Concerns Credit card fraud: steal and use credit card numbers Identity theft: impersonate individual to take out loans, etc. Sensitive personal information (medical records, etc.) Tracking during website visits
63 Topics Covered Consumer Privacy Consumers want disclosure of policies for what information is collected and how it is used and shared Opting Opt in Opt out No opt
64 Topics Covered Consumer Privacy Corporate Responses Privacy disclosure statements Federal Trade Commission enforces privacy disclosure statements but does not specify what is in them Consumer Responses Rarely check privacy disclosure statements; even more rarely refuse cookies or do anonymous surfing
65 Topics Covered Consumer Privacy U.S. Privacy Laws No privacy protection in U.S. Constitution No general privacy law HIPAA for medical information Gramm-Leach-Bliley Act (GLBA) for financial information Children’s Online Privacy Protection Act of 1998 (courts have denied enforcement) State laws vary widely
66 Topics Covered Consumer Privacy European Union European Union Charter of Fundamental Rights guarantees privacy protections E.U. Data Protection Directive of 1995 implements these protections U.S. compliance through Safe Harbor behavior In rest of the world, varies widely
67 Topics Covered Employee Workplace Monitoring Widespread Internet workplace monitoring and job actions as a result of infractions Why monitor? Loss of productivity To stop harassment, guard against lawsuits Stop viruses and worms Prevent leakage of trade secrets, commercially damaging communication
68 Topics Covered Employee Workplace Monitoring Legal Basis for Monitoring Electronic Privacy Communications Act of 1986 Can monitor own network, especially if employee signs acceptance Also, courts have ruled that employee has no right to privacy when using corporate computers
69 Topics Covered Employee Workplace Monitoring In United States, at-will employees can be disciplined, dismissed easily Unions may restrict this, but hiring contracts can limit union actions Multinational companies may follow frequently stricter international standards for discipline
70 Topics Covered Employee Workplace Monitoring Should a firm monitor? Danger of backlash Need clear computer and Internet use policy Need strong employee training
71 Topics Covered Government Surveillance U.S. Tradition of Protection from Improper Searches No privacy protection in Constitution Fourth Amendment: Searches and seizures only for probable cause Wiretapping Federal Wiretap Act of 1968 for domestic crimes Foreign Intelligence Surveillance Act of 1978 (FISA) Need warrant with probable cause
72 Topics Covered Government Surveillance Pen registers and trap and trace orders Pen registers: List of outgoing telephone numbers called Trap and trace: List of incoming telephone numbers Less intrusive than wiretaps, so weaker justification is OK Communications Assistance for Law Enforcement Act (CALEA) of 1994 Requires communication providers to install the technology needed to be able to provide data in response to warrants
73 Topics Covered Government Surveillance Patriot Act of 2001 extends information collection, including to library usage Extends trap and trace and pen registers to Internet traffic More intrusive than telephone trap and trace (URLs give content visited) Communications Assistance for Law Enforcement Act (CALEA) of 1994 Requires communication providers to install the technology needed to be able to provide data in response to warrants
74 Topics Covered Government Surveillance The Possible Future of Government Surveillance Intrusive airport security through face scanning Possible national ID cards New ability to gather and analyze information from many databases
75 Topics Covered Cyberwar and Cyberterror Threats Attacking the IT infrastructure Using computers to attack the physical infrastructure (electrical power, sewage, etc.) Using the Internet to coordinate attacks Cyberwar is conducted by governments Cyberterror is conducted by organized terrorists, hactivist groups, and even individuals
76 Topics Covered Hardening the Internet Against Attack Building a National and International Response Strategy Not happening Hardening the telecommunications infrastructure Hardening Internet protocols (Danvers Doctrine) Requiring ISPs to collect forensic data and stop attacks at ingress