Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 The Broader Picture Chapter 12 Panko, Corporate Computer and Network Security Copyright 2004 Prentice-Hall.

Published byWilla Jackson Modified over 9 years ago

Similar presentations

Presentation on theme: "1 The Broader Picture Chapter 12 Panko, Corporate Computer and Network Security Copyright 2004 Prentice-Hall."— Presentation transcript:

1 1 The Broader Picture Chapter 12 Panko, Corporate Computer and Network Security Copyright 2004 Prentice-Hall

2 2 The Broader Picture Laws Governing Hacking and Other Computer Crimes Consumer Privacy Employee Workplace Monitoring Government Surveillance Cyberwar and Cyberterror Hardening the Internet Against Attack

3 3 Figure 12-1: Laws Governing Hacking U.S. National Laws  Title 18, Section 1030 Enabling Legislation  Computer Fraud and Abuse Act of 1986  National Information Infrastructure Protection Act of 1996  Homeland Security Act of 2002

4 4 Figure 12-1: Laws Governing Hacking U.S. National Laws  Title 18, Section 1030 Prohibitions  Criminalizes intentional access of protected computers without authorization or in excess of authorization (Hacking)

5 5 Figure 12-1: Laws Governing Hacking U.S. National Laws  Title 18, Section 1030 Prohibitions  Criminalizes the transmission of a program, information, code, or command that intentionally causes damage without authorization of a protected computer (Denial-of-Service and Viruses)

6 6 Figure 12-1: Laws Governing Hacking U.S. National Laws  Title 18, Section 1030 Punishment  For first offenses, usually 1-5 years; usually 10 years for second offenses  For theft of sensitive government information, 10 years, with 20 years for repeat offense  For attacks that harm or kill people, up to life in prison

7 7 Figure 12-1: Laws Governing Hacking U.S. National Laws  Title 47 Electronic Communications Privacy Act of 1986 (ECMA) Prohibits the reading of information in transit and in storage after receipt  Other federal laws for fraud, etc.

8 8 Figure 12-1: Laws Governing Hacking U.S. State Laws  Federal laws only protect some computers  State laws for purely intrastate crimes vary widely

9 9 Figure 12-1: Laws Governing Hacking Laws Around the World Vary  The general situation: lack of solid laws in many countries Major virus attacks were not prosecuted in Taiwan and the Philippines for lack of relevant law

10 10 Figure 12-1: Laws Governing Hacking Laws Around the World Vary  Cybercrime Treaty of 2001 Signatories must agree to create computer abuse laws and copyright protection Nations must agree to work together to prosecute attackers

11 11 The Broader Picture Laws Governing Hacking and Other Computer Crimes Consumer Privacy Employee Workplace Monitoring Government Surveillance Cyberwar and Cyberterror Hardening the Internet Against Attack

12 12 Figure 12-2: Consumer Privacy Introduction  Scott McNealy of SUN Microsystems: “You have zero privacy now. Get over it!”  But privacy is strong in European Union countries and many other countries

13 13 Figure 12-2: Consumer Privacy Credit Card Fraud and Identity Theft  Widespread Concern (Gartner) One in 20 consumers had suffered credit card number theft in 2002 One in 50 consumers had suffered identity theft in 2002 Only about a fifth of this is online, but online theft is growing the most rapidly

14 14 Figure 12-2: Consumer Privacy Credit Card Fraud  “Carders” steal credit card numbers  Many merchants fail to protect credit card numbers stored on their servers  Carders test and sell credit card numbers  Criminals make unauthorized purchases  In U.S., limited to $50 loss if report promptly  Merchants also suffer fraud from carders

15 15 Figure 12-2: Consumer Privacy Identity Theft Fraud  Criminals steal or compile considerable information about a person—name, credit card numbers, date of birth, social security number, address, etc.  Impersonate the victim to get buy things, get loans, etc.  With credit card fraud, victims find a problem in their next statement; but with identity theft, they may not know until they discover much later that their credit rating is ruined

16 16 Figure 12-2: Consumer Privacy Tracking Customer Behavior  Within a website and sometimes across websites  Some information is especially sensitive (health, political leanings, etc.)  Access to data and analysis tools are revolutionizing the ability to learn about people

17 17 Figure 12-2: Consumer Privacy Tracking Customer Behavior  What consumers wish for Disclosure of policies for  What information will be collected?  How this information will be used by the firm collecting the data?  Whether and with whom the information will be shared

18 18 Figure 12-2: Consumer Privacy Tracking Customer Behavior  What consumers wish for Ability of consumer to see and correct inaccurate personal information Limiting collection and analysis to operational business needs  Limiting these needs Opt in: No use unless customer explicitly agrees

19 19 Figure 12-2: Consumer Privacy Corporate Responses  Privacy disclosure statements  TrustE certifies that corporate privacy behavior is consistent with the company’s stated privacy policy NOT that the policy is good for consumers  Platform for Privacy Preferences (P3P); Standard format for searches of policy statements

20 20 Figure 12-2: Consumer Privacy Corporate Responses  Federal Trade Commission Enforces privacy statements Does not specify what should be in the privacy statement Imposes fines and required long-term auditing

21 21 Figure 12-2: Consumer Privacy Corporate Responses  Opt out: Customer must take action to stop data collection and sharing  No opt: No way to stop data collection and sharing  Passport and Liberty Alliance Identity management services Register once, giving personal information Give out to merchants selectively

22 22 Figure 12-2: Consumer Privacy Consumer Reactions  Checking privacy disclosure statements (rare)  Not accepting cookies (rarer)  Anonymous websurfing services (extremely rare)

23 23 Figure 12-2: Consumer Privacy U.S. Privacy Laws  No general law  Health Information Portability and Accountability Act (HIPAA) of 1996 Protects privacy in hospitals and health organizations Focuses on protected information that identifies a patient

24 24 Figure 12-2: Consumer Privacy U.S. Privacy Laws  Gramm-Leach-Bliley Act (GLBA) of 1999 Protects financial data Allows considerable information sharing Opt out can stop some information sharing

25 25 Figure 12-2: Consumer Privacy U.S. Privacy Laws  Children’s Online Privacy Protection Act of 1998 Protects the collection of personal data from children under 13 Applies in child-oriented sites and any site that suspects a user is under 13. No protection for older children  State privacy laws vary widely

26 26 Figure 12-2: Consumer Privacy International Laws  European Union Charter of Fundamental Rights Right to protection of personal information Personal information must be processed for specific legitimate purposes Right to see and correct data Compliance overseen by independent authority

27 27 Figure 12-2: Consumer Privacy International Laws  E.U. Data Protection Directive of 1995 Implements Charter privacy protections Opt out with opt in for sensitive information Access for review and rectification Independent oversight agency Data can be sent out of an EU country only to countries with “adequate” protections

28 28 Figure 12-2: Consumer Privacy International Laws  Safe harbor Rules that U.S. firms must agree to follow to get personal data out of Europe Are GLBA rules to be considered in financial industries? E.U. is resisting.

29 29 The Broader Picture Laws Governing Hacking and Other Computer Crimes Consumer Privacy Employee Workplace Monitoring Government Surveillance Cyberwar and Cyberterror Hardening the Internet Against Attack

30 30 Figure 12-3: Employee Workplace Monitoring Monitoring Trends  American Management Association survey  E-mail monitoring use grew from 15% to 46% between 1997 and 2001  Internet connections in 2001: 63% monitored  In 2001, 76% had disciplined an employee; 31% had terminated an employee

31 31 Figure 12-3: Employee Workplace Monitoring Why Monitor?  Loss of productivity because of personal Internet and e-mail use Significant personal Internet and e-mail use is occurring Employees and companies generally agree that a small amount of personal use is acceptable Biggest concern is abnormally heavy personal use Some employees are addicted to personal use

32 32 Figure 12-3: Employee Workplace Monitoring Why Monitor?  Harassment Title VII of the Civil Rights Act of 1964: sexual and racial harassment Pornography, other adult content are fairly common Monitoring for keywords can reduce pornography and harassment and provide a legal defense

33 33 Figure 12-3: Employee Workplace Monitoring Why Monitor?  Viruses and other malware due to unauthorized software  Trade secrets: Both sending and receiving must be stopped  Commercially damaging communication behavior: Can harm reputation, generate lawsuits, and run afoul of stock manipulation laws

34 34 Figure 12-3: Employee Workplace Monitoring The Legal Basis for Monitoring  Electronic Privacy Communications Act of 1986 Allows reading of communications by service provider (firm) Allows reading if subject agrees (make condition of employment)  Courts have ruled that employee has no right to privacy when using corporate computers

35 35 Figure 12-3: Employee Workplace Monitoring The Legal Basis for Monitoring  In United States, at-will employees can be disciplined, dismissed easily  Must not discriminate by selective monitoring of target individual

36 36 Figure 12-3: Employee Workplace Monitoring The Legal Basis for Monitoring  Unions often limit disciplining, agreement to be monitored However, new hires usually can be required to submit to monitoring as a condition of employment  In multinational firms, stronger privacy and employment rules might exist

37 37 Figure 12-3: Employee Workplace Monitoring Should a Firm Monitor?  Danger of backlash  Are the negative consequences worth the gain?

38 38 Figure 12-3: Employee Workplace Monitoring Computer and Internet Use Policy Should Specify the Following  No expectation of privacy  Business use only (or very limited private use)  No unauthorized software  No pornography and harassment  Damaging communication behavior  Punishment for violating the policy Employee Training in Policy is Crucial

39 39 The Broader Picture Laws Governing Hacking and Other Computer Crimes Consumer Privacy Employee Workplace Monitoring Government Surveillance Cyberwar and Cyberterror Hardening the Internet Against Attack

40 40 Figure 12-4: Government Surveillance U.S. Tradition of Protection from Improper Searches  No privacy protection in Constitution  Fourth Amendment: No unreasonable searches and seizures Can search only with probable cause Can only search specific things  FBI misuse of data collection during Hoover’s leadership

41 41 Figure 12-4: Government Surveillance Telephone Surveillance  Wiretapping Federal Wiretap Act of 1968 for domestic crimes Foreign Intelligence Surveillance Act of 1978 (FISA) for international terrorists and agents of foreign governments Need warrant with probable cause and inability to get information by other means

42 42 Figure 12-4: Government Surveillance Telephone Surveillance  Pen registers and trap and trace orders Pen registers: List of outgoing telephone numbers called Trap and trace: List of incoming telephone numbers Not as intrusive as wiretap because content of the call is not captured

43 43 Figure 12-4: Government Surveillance Telephone Surveillance  Pen registers and trap and trace orders Electronic Communications Privacy Act of 1986 allows Must be based on information to be collected being likely to be relevant to ongoing investigation (weak) Judge cannot turn down warrant

44 44 Figure 12-4: Government Surveillance Telephone Surveillance  Communications Assistance for Law Enforcement Act (CALEA) of 1994 Requires communication providers to install the technology needed to be able to provide data in response to warrants

45 45 Figure 12-4: Government Surveillance Telephone Surveillance  Patriot Act of 2001 Extends roving wiretaps to FISA—follow the target across media Get billing information from telecommunications providers Get information on library usage

46 46 Figure 12-4: Government Surveillance Internet Surveillance  Extends pen register and trap and trace to Internet traffic  Same weak justification as for telephone traffic  But much more intrusive: e-mail addresses, URLs (which can be visited), etc.

47 47 Figure 12-4: Government Surveillance Carnivore  Monitoring computer placed at ISP  FBI installs Carnivore computer, collects information  Can limit filtering to restrictions of warrant  No accountability through audit trails

48 48 Figure 12-4: Government Surveillance The Possible Future of Government Surveillance  Intrusive airport security through face scanning  Possible national ID cards  New ability to gather and analyze information from many databases

49 49 The Broader Picture Laws Governing Hacking and Other Computer Crimes Consumer Privacy Employee Workplace Monitoring Government Surveillance Cyberwar and Cyberterror Hardening the Internet Against Attack

50 50 Figure 12-5: Cyberwar and Cyberterror Threats  Attacking the IT infrastructure  Using computers to attack the physical infrastructure (electrical power, sewage, etc.)  Using the Internet to coordinate attacks

51 51 Figure 12-5: Cyberwar and Cyberterror Cyberwar  Conducted by governments  Direct damage  Disrupting command and control  Intelligence gathering  Propaganda  Industrial espionage  Integrating cyberwar into war-fighting doctrines

52 52 Figure 12-5: Cyberwar and Cyberterror Cyberterrorism  By semi-organized or organized groups  Psychological focus Indirect economic impacts (for example, losses because of reduced travel after September 11, 2001, terrorist attacks) Goals are publicity and recruitment  Indiscriminate damage

53 53 Figure 12-5: Cyberwar and Cyberterror Cyberterrorism  Hacktivism—politically motivated attacks by unorganized or loosely organized groups  Who is a terrorist? Spectrum from activism to full cyberterror

54 54 The Broader Picture Laws Governing Hacking and Other Computer Crimes Consumer Privacy Employee Workplace Monitoring Government Surveillance Cyberwar and Cyberterror Hardening the Internet Against Attack

55 55 Figure 12-5: Cyberwar and Cyberterror Building a National and International Response Strategy  National governments Coordinated responses Intelligence gathering Research and training Economic incentives

56 56 Figure 12-5: Cyberwar and Cyberterror Building a National and International Response Strategy  Private enterprise Importance of hardening individual firms Requiring hardening to meet responsibilities

57 57 Figure 12-5: Cyberwar and Cyberterror Hardening the Internet  Hardening the telecommunications infrastructure with decentralization and other methods  International cooperation is needed because of worldwide attackers  Hardening the underlying telecommunications system  Adding security to dialogs with VPNs

58 58 Figure 12-5: Cyberwar and Cyberterror Hardening the Internet  Hardening Internet protocols IETF is making progress by adding confidentiality, authentication, and other protections to core Internet protocols  The decision to do this is called the Danvers Doctrine Generally not using digital certificates in a public key infrastructure for strongest authentication

59 59 Figure 12-5: Cyberwar and Cyberterror Hardening the Internet  Making the Internet forensic ISPs might be forced to collect and retain data for long periods of time ISPs might be forced to do egress filtering to stop attacks at the source The cost to ISPs would be high

60 60 Topics Covered Laws Governing Hacking and Other Computer Crimes  U.S. National Laws Title 18, Section 1030 for hacking, DoS, and viruses—only for “protected” computers Title 47 Prohibits the reading of information in transit and in storage after receipt  State laws for other computers vary widely

61 61 Topics Covered Laws Governing Hacking and Other Computer Crimes  Laws Around the World Vary The general situation: lack of solid laws in many countries Cybercrime Treaty of 2001 requires signatories to create laws, cooperate in enforcement

62 62 Topics Covered Consumer Privacy  Consumer Privacy Concerns Credit card fraud: steal and use credit card numbers Identity theft: impersonate individual to take out loans, etc. Sensitive personal information (medical records, etc.) Tracking during website visits

63 63 Topics Covered Consumer Privacy  Consumers want disclosure of policies for what information is collected and how it is used and shared  Opting Opt in Opt out No opt

64 64 Topics Covered Consumer Privacy  Corporate Responses Privacy disclosure statements Federal Trade Commission enforces privacy disclosure statements but does not specify what is in them  Consumer Responses Rarely check privacy disclosure statements; even more rarely refuse cookies or do anonymous surfing

65 65 Topics Covered Consumer Privacy  U.S. Privacy Laws No privacy protection in U.S. Constitution No general privacy law HIPAA for medical information Gramm-Leach-Bliley Act (GLBA) for financial information Children’s Online Privacy Protection Act of 1998 (courts have denied enforcement) State laws vary widely

66 66 Topics Covered Consumer Privacy  European Union European Union Charter of Fundamental Rights guarantees privacy protections E.U. Data Protection Directive of 1995 implements these protections U.S. compliance through Safe Harbor behavior  In rest of the world, varies widely

67 67 Topics Covered Employee Workplace Monitoring  Widespread Internet workplace monitoring and job actions as a result of infractions  Why monitor? Loss of productivity To stop harassment, guard against lawsuits Stop viruses and worms Prevent leakage of trade secrets, commercially damaging communication

68 68 Topics Covered Employee Workplace Monitoring  Legal Basis for Monitoring Electronic Privacy Communications Act of 1986  Can monitor own network, especially if employee signs acceptance Also, courts have ruled that employee has no right to privacy when using corporate computers

69 69 Topics Covered Employee Workplace Monitoring  In United States, at-will employees can be disciplined, dismissed easily Unions may restrict this, but hiring contracts can limit union actions Multinational companies may follow frequently stricter international standards for discipline

70 70 Topics Covered Employee Workplace Monitoring  Should a firm monitor? Danger of backlash  Need clear computer and Internet use policy  Need strong employee training

71 71 Topics Covered Government Surveillance  U.S. Tradition of Protection from Improper Searches No privacy protection in Constitution Fourth Amendment: Searches and seizures only for probable cause  Wiretapping Federal Wiretap Act of 1968 for domestic crimes Foreign Intelligence Surveillance Act of 1978 (FISA) Need warrant with probable cause

72 72 Topics Covered Government Surveillance  Pen registers and trap and trace orders Pen registers: List of outgoing telephone numbers called Trap and trace: List of incoming telephone numbers Less intrusive than wiretaps, so weaker justification is OK  Communications Assistance for Law Enforcement Act (CALEA) of 1994 Requires communication providers to install the technology needed to be able to provide data in response to warrants

73 73 Topics Covered Government Surveillance  Patriot Act of 2001 extends information collection, including to library usage Extends trap and trace and pen registers to Internet traffic More intrusive than telephone trap and trace (URLs give content visited)  Communications Assistance for Law Enforcement Act (CALEA) of 1994 Requires communication providers to install the technology needed to be able to provide data in response to warrants

74 74 Topics Covered Government Surveillance  The Possible Future of Government Surveillance Intrusive airport security through face scanning Possible national ID cards New ability to gather and analyze information from many databases

75 75 Topics Covered Cyberwar and Cyberterror  Threats Attacking the IT infrastructure Using computers to attack the physical infrastructure (electrical power, sewage, etc.) Using the Internet to coordinate attacks  Cyberwar is conducted by governments  Cyberterror is conducted by organized terrorists, hactivist groups, and even individuals

76 76 Topics Covered Hardening the Internet Against Attack  Building a National and International Response Strategy  Not happening  Hardening the telecommunications infrastructure  Hardening Internet protocols (Danvers Doctrine)  Requiring ISPs to collect forensic data and stop attacks at ingress

Download ppt "1 The Broader Picture Chapter 12 Panko, Corporate Computer and Network Security Copyright 2004 Prentice-Hall."

Similar presentations

TECHNO-TONOMY Privacy & Autonomy in a Networked World Learning Module 2: Legislating Privacy: Your Rights.

TECHNO-TONOMY Privacy & Autonomy in a Networked World Learning Module 2: Legislating Privacy: Your Rights.
I.D. Theft Alaska’s New Protection of Personal Information Act Ed Sniffen Senior Assistant Attorney General Alaska Department of Law.

I.D. Theft Alaska’s New Protection of Personal Information Act Ed Sniffen Senior Assistant Attorney General Alaska Department of Law.
© 2014 wheresjenny.com Cyber crime CYBER CRIME. © 2014 wheresjenny.com Cyber crime Vocabulary Defacement : An attack on a website that changes the visual.

© 2014 wheresjenny.com Cyber crime CYBER CRIME. © 2014 wheresjenny.com Cyber crime Vocabulary Defacement : An attack on a website that changes the visual.
Class 11: Information Systems Ethics and Crime MIS 2101: Management Information Systems Based on material from Information Systems Today: Managing in the.

Class 11: Information Systems Ethics and Crime MIS 2101: Management Information Systems Based on material from Information Systems Today: Managing in the.
Greg Lamb. Introduction It is clear that we as consumers and entrepreneurs cannot expect complete privacy when discussing business matters. However… There.

Greg Lamb. Introduction It is clear that we as consumers and entrepreneurs cannot expect complete privacy when discussing business matters. However… There.
1 The Broader Picture Chapter 12 Copyright 2003 Prentice-Hall.

1 The Broader Picture Chapter 12 Copyright 2003 Prentice-Hall.
1 PRIVACY ISSUES IN THE U.S. – CANADA CROSS BORDER BUSINESS CONTEXT Presented by: Anneli LeGault ACC Greater New York Chapter Compliance Seminar May 19,

1 PRIVACY ISSUES IN THE U.S. – CANADA CROSS BORDER BUSINESS CONTEXT Presented by: Anneli LeGault ACC Greater New York Chapter Compliance Seminar May 19,
Forensic and Investigative Accounting Chapter 15 Cybercrime Management: Legal Issues © 2007 CCH. All Rights Reserved. 4025 W. Peterson Ave. Chicago, IL.

Forensic and Investigative Accounting Chapter 15 Cybercrime Management: Legal Issues © 2007 CCH. All Rights Reserved W. Peterson Ave. Chicago, IL.
Responding to Cybercrime in the Post-9/11 World Scott Eltringham Computer Crime and Intellectual Property Section U.S. Department of Justice (202) 353-7848.

Responding to Cybercrime in the Post-9/11 World Scott Eltringham Computer Crime and Intellectual Property Section U.S. Department of Justice (202)
Policing the Internet: Higher Education Law and Policy Rodney Petersen, Policy Analyst Wendy Wigen, Policy Analyst EDUCAUSE.

Policing the Internet: Higher Education Law and Policy Rodney Petersen, Policy Analyst Wendy Wigen, Policy Analyst EDUCAUSE.
EXAMINING CYBER/COMPUTER LAW BUSINESS LAW. EXPLAIN CYBER LAW AND THE VARIOUS TYPES OF CYBER CRIMES.

EXAMINING CYBER/COMPUTER LAW BUSINESS LAW. EXPLAIN CYBER LAW AND THE VARIOUS TYPES OF CYBER CRIMES.
Chapter 10 Privacy and the Police State. Governmental Intrusion into Individual Privacy Affects written and oral communications Data-GPS coordinates Fourth.

Chapter 10 Privacy and the Police State. Governmental Intrusion into Individual Privacy Affects written and oral communications Data-GPS coordinates Fourth.
Security, Privacy, and Ethics Online Computer Crimes.

Security, Privacy, and Ethics Online Computer Crimes.
Insights on the Legal Landscape for Data Privacy in Higher Education Rodney Petersen, J.D. Government Relations Officer and Security Task Force Coordinator.

Insights on the Legal Landscape for Data Privacy in Higher Education Rodney Petersen, J.D. Government Relations Officer and Security Task Force Coordinator.
MIS PERSONAL, LEGAL, ETHICAL, AND ORGANIZATIONAL ISSUES OF INFORMATION SYSTEMS CHAPTER 4 Hossein BIDGOLI Phishing Email that bites Paying for Privacy Pirates.

MIS PERSONAL, LEGAL, ETHICAL, AND ORGANIZATIONAL ISSUES OF INFORMATION SYSTEMS CHAPTER 4 Hossein BIDGOLI Phishing that bites Paying for Privacy Pirates.
Access to Electronic Media Acceptable Use Policy August 8, 2011 Meece Middle School.

Access to Electronic Media Acceptable Use Policy August 8, 2011 Meece Middle School.
Chapter 1 Introduction to Security

Chapter 1 Introduction to Security
Slides prepared by Cyndi Chie and Sarah Frye A Gift of Fire Third edition Sara Baase Chapter 2: Privacy.

Slides prepared by Cyndi Chie and Sarah Frye A Gift of Fire Third edition Sara Baase Chapter 2: Privacy.
January 14, 2010 Introduction to Ethical Hacking and Network Defense MIS 4600 - © Abdou Illia.

January 14, 2010 Introduction to Ethical Hacking and Network Defense MIS © Abdou Illia.
Privacy & Security By Martin Perez. Introduction  Information system - People : meaning use, the people who use computers. - Procedures : Guidelines.

Privacy & Security By Martin Perez. Introduction  Information system - People : meaning use, the people who use computers. - Procedures : Guidelines.

Similar presentations

Ads by Google