Legal, Regulations, Investigations and Compliance.


Legal, Regulations, Investigations and Compliance

2 Domain Objectives
Discuss the world's various major legal systems
Describe the differences and similarities between common law and civil law
Explain laws and regulations affecting information technology
Discuss computer-related crime and its importance to information assurance and security

3 Domain Objectives (continued)
Describe the importance of international cooperation in relation to computer crime
Explain an incident response methodology
Discuss the importance of digital evidence management and handling
Describe general guidelines for computer forensic investigations

4 Information Security Triad
Confidentiality
Integrity
Availability

5 Domain Agenda
Major Legal Systems
Information Technology Laws and Regulations
Incident Response
Computer Forensics

6 Major Legal Systems
Common Law
Civil Law
Customary Law
Religious Law
Mixed Law

7 Common Law
Roots in England
Based on legal precedents, past decisions, and societal traditions

8 Common Law
Overview of common law
Courts
Judges
Common law countries

9 Common Law: Criminal Law
Based on common law, statutory law, or a combination of both
Deals with behavior or conduct
Typically the punishment meted out by the criminal courts involves some loss of personal freedom for the guilty party

10 Common Law: Tort Law
Definition
Punishment
Traces its origin to criminal law

11 Common Law: Tort Law
Principles of a tort
Categories of a tort

12 Common Law: Administrative Law
Law created by administrative agencies by way of rules, regulations, orders, and decisions
Areas covered by administrative law

13 Civil Law
Traces its roots back to two beginnings: the Roman Empire and the Napoleonic Code of France
Characteristics
Presents various sub-divisions
Common law as opposed to civil law: the methodological approach differs, and the judges' role differs

14 Customary Law
Regionalized systems
Reflects the society's norms and values
Most countries combine customary law with another legal system

15 Religious Law
Traditional Islamic law (Sharia)
Guided by the Qur'an or Sunnah
Covers all aspects of a person's life

16 Mixed Law
Convergence of two or more legal systems
Examples of mixed law

17 World Legal Systems
(Map of the world's legal systems; source: WorldLegalSystems)

18 Domain Agenda
Major Legal Systems
Information Technology Laws and Regulations
Incident Response
Computer Forensics

19 Information Technology Laws and Regulations
Intellectual property law: patent, trademark, copyright, trade secret
Licensing issues
Privacy
Liability
Computer crime
International cooperation

20 Intellectual Property Laws
Purpose
Two categories: industrial property and copyright

21 Intellectual Property: Patent
Definition
Advantages

22 Intellectual Property: Trademark (™)
Characteristics of a trademark: a word, name, symbol, color, sound, or product shape
Purpose of a trademark

23 Intellectual Property: Copyright (©)
Covers the expression of ideas, not the ideas themselves: writings, recordings, computer programs
Weaker than patent protection

24 Intellectual Property: Trade Secret
Must be kept confidential to remain protected
Protection of trade secrets

25 Intellectual Property: Software Licensing Issues
Categories of software licensing: freeware, shareware, commercial, academic
Master agreements and end user license agreements (EULAs)

26 Privacy Laws and Regulations
Rights and obligations of individuals
Rights and obligations of organizations

27 Privacy Initiatives
Generic approach
Regulation by industry
The overall objective is to protect citizens' personal information while balancing the business and governmental need to collect and use this information

28 Privacy and the OECD
The Organisation for Economic Co-operation and Development (OECD) privacy guidelines set out eight core principles: collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation, and accountability

29 Employee Privacy
Employee monitoring
Authorized usage policies: Internet usage, telephone (e.g., VoIP)

30 Privacy: Personal Protection
Responsibilities of end users
Encourage the use of encryption, anti-virus software, patches, and shredding

31 Liability
Legal responsibility
Penalties: civil and criminal
Negligence is often used to establish liability

32 Negligence
Acting without due care

33 Due Care vs. Due Diligence
Due diligence is an ethereal concept, often judged against a continually moving benchmark
Requires a commitment to an ongoing risk analysis and risk management process

34 Computer Crimes
Often divided into three categories:
Computer as a tool of the crime
Computer as the target of the crime
Computer incidental to the crime

35 Computer Crimes
Insider abuse, viruses, white-collar/financial fraud, corporate espionage, hacking, child pornography, stalking, organized crime, terrorism, identity theft, social engineering

36 International Cooperation
Initiatives related to international cooperation in dealing with computer crime
The Council of Europe (CoE) Cybercrime Convention (the Budapest Convention)

37 Domain Agenda
Major Legal Systems
Information Technology Laws and Regulations
Incident Response
Computer Forensics

38 Incident Response: Overview
Response capability: policy and guidelines
Response: incident response, triage, containment, investigation, analysis and tracking, recovery, debriefing, metrics, public disclosure

39 Incident Response Objectives
Incident response in its simplest form is the practice of:
Detecting a problem
Determining its cause
Minimizing the damage it causes
Resolving the problem
Documenting each step of the response for future reference

40 Response Capability
The foundation for incident response (IR) is comprised of: policy, procedures, guidelines, and management of evidence

41 Incident Response Policy
Escalation process
Interaction with third-party entities

42 Response Team Members
Staffing and training
Virtual team, permanent team, or a hybrid of the two

43 Incident Response and Handling
Incident
Approved handling process

44 Incident Response and Handling Phases
Triage
Investigation
Containment
Analysis and tracking

45 Triage
Triage encompasses detection, classification, and notification

46 Triage: Detection
Initial screening
False positives

47 Triage: Classification
Incident hierarchy
General classifiers: source (internal vs. external)
More granular or specific characteristics (e.g., worm vs. spam)
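The triage steps on slides 45 to 47 (initial screening for false positives, then classification by source and by a general and a more specific class) can be made concrete in code. The block below is an added example and is not from the original slides; the alert format, the internal address ranges, the known-benign scanner address and the keyword-to-class mapping are assumptions chosen for illustration, and the sample alerts are constructed, not real detector output.

```python
"""Triage classification over constructed alert records (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed internal address space: the RFC 1918 ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed known false-positive source: the authorized vulnerability scanner
# (the "initial screening / false positives" step of slide 46).
KNOWN_BENIGN_SOURCES = {"10.0.5.20"}

# Assumed mapping from signature keywords to the two-level hierarchy of
# slide 47: general classifier -> more specific characteristic.
SIGNATURE_CLASSES = {
    "worm": ("malware", "worm"),
    "trojan": ("malware", "trojan"),
    "spam": ("abuse", "spam"),
    "phish": ("abuse", "phishing"),
    "portscan": ("reconnaissance", "port scan"),
    "bruteforce": ("intrusion attempt", "credential brute force"),
}


@dataclass
class Alert:
    src_ip: str
    signature: str


@dataclass
class Classification:
    source: str             # "internal" or "external"
    general: str
    specific: str
    false_positive: bool
    notify: Optional[str]   # who is notified (slide 45's notification step)


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(alert: Alert) -> Classification:
    """Screen for known false positives, then place the alert in the hierarchy."""
    source = "internal" if is_internal(alert.src_ip) else "external"
    fp = alert.src_ip in KNOWN_BENIGN_SOURCES
    general, specific = "unknown", "unclassified"
    sig = alert.signature.lower()
    for keyword, (gen, spec) in SIGNATURE_CLASSES.items():
        if keyword in sig:
            general, specific = gen, spec
            break
    if fp:
        notify = None                          # screened out, nobody paged
    elif general == "malware" and source == "internal":
        notify = "incident response team"      # internal malware: containment priority
    elif general == "unknown":
        notify = "analyst review queue"        # needs a human to classify
    else:
        notify = "security operations"
    return Classification(source, general, specific, fp, notify)


def triage(alerts):
    return [classify(a) for a in alerts]


# Constructed sample alerts, not real detector output.
SAMPLE_ALERTS = [
    Alert("10.0.5.20", "portscan detected from 10.0.5.20"),
    Alert("203.0.113.7", "bruteforce ssh login attempts"),
    Alert("192.168.3.44", "worm propagation attempt over SMB"),
    Alert("198.51.100.9", "mail gateway: spam burst"),
    Alert("10.1.2.3", "unusual outbound traffic volume"),
]

if __name__ == "__main__":
    for a, c in zip(SAMPLE_ALERTS, triage(SAMPLE_ALERTS)):
        print(f"{a.src_ip:15} {c.source:8} {c.general:18} {c.specific:24} "
              f"fp={c.false_positive} notify={c.notify}")
```

The order of checks matters: false-positive screening runs before any routing so that a scanner-generated port scan is never escalated, and an alert that matches no known class is sent to an analyst rather than silently dropped.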

48 Investigation Phase Components
Components of this phase: analysis, interpretation, reaction, recovery

49 Investigation Phase Objectives
Desired outcomes of this phase are:
Reduce the impact
Identify the cause
Get back up and running in the shortest possible time
Prevent the incident from recurring

50 Investigation Considerations
The investigative phase must consider:
Adherence to company policy
Applicable laws and regulations
Proper evidence management and handling

51 Containment
Reduce the potential impact of the incident on systems, devices, or networks that can become "infected"
The containment strategy depends on the category of the attack, the asset(s) affected, and the criticality of the data or system

52 Containment Strategies
Disconnecting the system from the network
Virtually isolating the systems through network segmentation
Implementing a firewall or filtering router with the appropriate rule sets
Installation of honeynets/honeypots

53 Containment Documentation
Incident and evidence handling procedures
Sources of evidence
Risk of entrapment vs. enticement

54 Analysis and Tracking
The concept of root cause: determine the actual initial event and attempt to identify the true source and actual point of entry

55 Analysis and Tracking Goals
Obtain sufficient information to stop the current incident
Prevent future "like" incidents from occurring
Identify what or who is responsible

56 Analysis and Tracking Team
Heterogeneous and/or eclectic skills
Solid understanding of the systems affected
Real-world, applied experience

57 Analysis and Tracking: Logs
Dynamic nature of the logs
Feeds into the tracking process
Working relationship with other entities

58 Recovery Phase
Goal: to get back up and running, whether that means the business as a whole (worst case) or only the affected systems (best case)
Protect evidence

59 Recovery and Repair
Recovery into production of affected systems
Ensure the system can withstand another attack
Test for vulnerabilities and weaknesses

60 Closure of the Incident
Incident response is an iterative process
Closure to the incident

61 Debriefing/Feedback
Formal process
Include all of the team members
Use the output to adapt or modify policy and guidelines

62 Communications of the Incident
Public disclosure of an incident can compound the negative impact or provide an opportunity to regain public trust
Communication is handled by authorized personnel only

63 Domain Agenda
Major Legal Systems
Information Technology Laws and Regulations
Incident Response
Computer Forensics

64 Computer Forensics Key Components
Crime scenes
Digital evidence
Guidelines

65 Computer Forensics: The Law
The inclusion of the "law" introduces concepts that may be foreign to many information security professionals: crime scene, chain of custody, best evidence, admissibility requirements, rules of evidence

66 Computer Forensics: Evidence
Computer forensics deals with evidence or potential evidence
Falls under the larger domain of digital forensic science (as framed by the Digital Forensic Research Workshop, DFRWS)
Deals with evidence and the legal system

67 Computer Forensics: Evidence
Correctly identifying the crime scene, evidence, and potential containers of evidence
Collecting or acquiring evidence: adhering to the criminalistic principles and keeping contamination and destruction of the scene to a minimum

68 Computer Forensics: Evidence
Using the scientific method: determine characteristics of the evidence, compare evidence, reconstruct events
Presentation of findings: interpreting and analyzing the examination, and articulating the results in a format appropriate for the intended audience

69 Crime Scene
Prior to identifying evidence, the larger crime scene needs to be addressed
A crime scene is nothing more than the environment in which potential evidence may exist
Digital crime scenes follow the same principles

70 Crime Scene
The principles of criminalistics apply to both digital and physical crime scenes:
Identify the scene
Protect the environment
Identify evidence and potential sources of evidence
Collect evidence
Minimize the degree of contamination

71 Crime Scene: Physical vs. Virtual
The crime scene environment: physical, or virtual (cyber)

72 Locard's Principle of Exchange
When a crime is committed, the perpetrator leaves something behind and takes something with them
This principle allows us to identify aspects of the person or persons responsible, even with a purely digital crime scene

73 Behavior
Investigation or root cause analysis
Means, Opportunity, and Motive (MOM)
Modus Operandi (MO)
Criminal computer behavior is no different from typical criminal behavior

74 Behavior of Computer Criminals
Computer criminals have specific MOs: hacking software/tools, types of systems or networks attacked, etc.
Signature behaviors
MO and signature behaviors support profiling and interviewing

75 Crime Scene Analysis
Protect the "crime scene" from unauthorized individuals
Once a scene has been contaminated, there is no undo or redo button to push; the damage is done

76 Digital Evidence
The exact requirements for the admissibility of evidence vary by jurisdiction

77 Digital Evidence: 5 Rules
Admissible
Authentic
Complete
Accurate
Convincing

78 Digital Evidence: Hearsay
Hearsay is second-hand evidence and is normally not admissible
Business records exception: computer-generated information can fall into this category
May require someone to attest to how the records/information were created

79 Digital Evidence: Life Span
Digital evidence is volatile and "fragile" and may have a short life span
Collect quickly, by order of volatility (most volatile first): for example, per RFC 3227, CPU registers and cache, then memory and kernel state such as process tables and routing tables, then temporary file systems, then disk, and finally archival media
Document, document, document!

80 Digital Evidence: Chain of Custody
Who
What
When
Where
How

81 Digital Evidence: Accuracy and Integrity
Ensuring the accuracy and integrity of evidence is critical!
The current protocol for demonstrating accuracy and integrity relies on cryptographic hash functions: MD5 and SHA-256
Caveat: MD5 is no longer collision resistant, so SHA-256 should be the hash the record relies on; MD5 is at most recorded alongside it for compatibility with older tools and reports
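Slides 80 and 81 together describe the two mechanisms that make an acquired image defensible: a chain-of-custody record (who, what, when, where, how) and hash values that let anyone recompute and confirm the image is unchanged. The block below is an added example and is not from the original slides; it hashes an image in a single streaming pass with both MD5 and SHA-256, appends a custody record to an append-only log, and verifies the image against the acquisition record. The file names, the custody fields, the examiner and location strings, and the image bytes are assumptions and constructed data, not evidence from any real case.

```python
"""Evidence hashing and chain-of-custody log (added example, constructed data)."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1024 * 1024  # stream large images in 1 MiB blocks instead of reading them whole


def _digests(blocks) -> dict:
    """MD5 and SHA-256 over an iterable of byte blocks, computed in one pass."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    for block in blocks:
        md5.update(block)
        sha256.update(block)
    # SHA-256 is the value the custody record relies on; MD5 is recorded only
    # because older tools and reports still quote it. MD5 collisions are
    # practical, so a matching MD5 on its own does not prove integrity.
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def hash_bytes(data: bytes) -> dict:
    return _digests([data])


def hash_image(path: Path) -> dict:
    with path.open("rb") as f:
        return _digests(iter(lambda: f.read(CHUNK), b""))


def custody_entry(who: str, what: str, where: str, how: str, hashes: dict,
                  when: str = None) -> dict:
    """One chain-of-custody record: who, what, when, where, how, plus the hashes."""
    when = when or datetime.now(timezone.utc).isoformat()
    return {"who": who, "what": what, "when": when, "where": where, "how": how, **hashes}


def append_custody(log_path: Path, entry: dict) -> None:
    """Append-only JSON Lines log: later entries never overwrite earlier ones."""
    with log_path.open("a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")


def verify_image(path: Path, log_path: Path) -> bool:
    """Recompute SHA-256 and compare it with the first (acquisition) record."""
    with log_path.open(encoding="utf-8") as f:
        acquisition = json.loads(f.readline())
    return hash_image(path)["sha256"] == acquisition["sha256"]


def demo() -> dict:
    """Acquire, log, verify, then flip one bit and confirm verification fails."""
    with tempfile.TemporaryDirectory() as d:
        workdir = Path(d)
        image = workdir / "evidence-001.dd"            # assumed file name
        log = workdir / "evidence-001.custody.jsonl"   # assumed file name
        image.write_bytes(b"constructed sample image bytes\n" * 1000)  # stands in for a disk image
        hashes = hash_image(image)
        append_custody(log, custody_entry(
            who="examiner J. Doe (assumed)",
            what="evidence-001.dd, full disk image",
            where="forensic lab, evidence locker 3 (assumed)",
            how="dd through a hardware write blocker (assumed)",
            hashes=hashes))
        intact = verify_image(image, log)
        data = bytearray(image.read_bytes())
        data[0] ^= 0x01                                # single-bit change
        image.write_bytes(bytes(data))
        tampered_detected = not verify_image(image, log)
        return {"intact": intact, "tampered_detected": tampered_detected, **hashes}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points a practitioner would want: the custody log is append-only, so a transfer of the evidence adds a record rather than editing one, and verification always compares against the first record, which is the acquisition hash; a later record cannot silently become the new baseline.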

82 General Guidelines
IOCE/SWGDE six principles for computer forensics and digital/electronic evidence:
When dealing with digital evidence, all of the general forensic and procedural principles must be applied
Upon seizing digital evidence, actions taken should not change that evidence
When it is necessary for a person to access original digital evidence, that person should be trained for the purpose

83 Six IOCE/SWGDE Principles (continued)
All activity relating to the seizure, access, storage or transfer of digital evidence must be fully documented, preserved and available for review
An individual is responsible for all actions taken with respect to digital evidence whilst the digital evidence is in their possession
Any agency which is responsible for seizing, accessing, storing or transferring digital evidence is responsible for compliance with these principles

84 General Guidelines: Dos and Don'ts
Minimize handling/corruption of original data
Account for any changes and keep detailed logs of your actions
Comply with the five rules for evidence
Do not exceed your knowledge
Follow your local security policy and obtain written permission

85 General Guidelines: Dos and Don'ts
Capture as accurate an image of the system as possible
Be prepared to testify
Ensure your actions are repeatable
Work fast
Proceed from volatile to persistent evidence
Don't run any programs on the affected system

86 General Guidelines: Dos and Don'ts
Act ethically and in good faith
Attempt to do no harm
Do not exceed one's knowledge, skills, and abilities

87 Domain Summary
Know local laws and regulations
Have an approved procedure for handling of incidents
Ensure that all handling of sensitive information is compliant with regulation
Follow best practices and document all steps of an investigation

"Security Transcends Technology"