Module 12 - Security and Law
❑ Training users
❑ Administrating passwords
❑ Backing up system-critical files
❑ Setting up and tuning firewalls and IDS
❑ Examining audit logs
Analyzing Costs and Risks
❑ The cost of a security product must be balanced against the risk of doing without it
❑ Risk Analysis
• a procedure used to estimate the potential losses that may result from system vulnerabilities and to quantify the damage that may result if certain threats occur
❑ The ultimate goal is to select cost-effective safeguards that reduce risks to an acceptable level
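The cost-versus-risk balance above can be made concrete with a small quantitative risk analysis. The block below is an added example, not code from the original slides; it assumes the common annualized loss expectancy model (ALE = single loss expectancy × annual rate of occurrence), which the slides do not state, and every threat, loss figure, frequency and safeguard cost in it is constructed for illustration. It also shows the case the slides only hint at: sometimes no combination of safeguards that pays for itself brings residual risk down to the acceptable level, and management must then either accept the remaining risk or fund a safeguard whose cost exceeds its measured benefit.

```python
"""Quantitative risk analysis: pick cost-effective safeguards (added example).

Assumption (not stated on the slides): ALE = SLE * ARO, where SLE is the loss
per occurrence and ARO the expected occurrences per year. All numbers below
are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    sle: float  # single loss expectancy: loss per occurrence (constructed)
    aro: float  # annual rate of occurrence (constructed)

    def ale(self) -> float:
        """Annualized loss expectancy with no safeguards in place."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float
    # Fraction by which this safeguard cuts the ARO of each named threat.
    aro_reduction: dict[str, float]


def residual_ale(threats: list[Threat], safeguards: list[Safeguard]) -> float:
    """Total ALE once the given safeguards are applied (reductions compound)."""
    total = 0.0
    for t in threats:
        factor = 1.0
        for s in safeguards:
            factor *= 1.0 - s.aro_reduction.get(t.name, 0.0)
        total += t.ale() * factor
    return total


def select_safeguards(threats: list[Threat], candidates: list[Safeguard],
                      acceptable_ale: float) -> tuple[list[Safeguard], float, bool]:
    """Greedy selection: repeatedly add the safeguard with the largest positive
    net annual benefit (ALE reduction minus its cost) until residual ALE is at
    or below the acceptable level. Returns (chosen, residual_ale, target_met).
    target_met is False when the only remaining safeguards cost more than they
    save; that is the risk-acceptance decision the slides leave to management."""
    chosen: list[Safeguard] = []
    remaining = list(candidates)
    current = residual_ale(threats, chosen)
    while current > acceptable_ale and remaining:
        best, best_net = None, 0.0
        for s in remaining:
            new = residual_ale(threats, chosen + [s])
            net = (current - new) - s.annual_cost
            if net > best_net:
                best, best_net = s, net
        if best is None:
            break  # nothing left pays for itself
        chosen.append(best)
        remaining.remove(best)
        current = residual_ale(threats, chosen)
    return chosen, current, current <= acceptable_ale


# Constructed sample data (not from the slides).
THREATS = [
    Threat("ransomware", sle=200_000, aro=0.5),          # ALE 100,000
    Threat("laptop theft (unencrypted)", sle=50_000, aro=2.0),  # ALE 100,000
    Threat("web defacement", sle=10_000, aro=1.0),       # ALE 10,000
]
CANDIDATES = [
    Safeguard("offline backups", 15_000, {"ransomware": 0.8}),
    Safeguard("full-disk encryption", 8_000, {"laptop theft (unencrypted)": 0.95}),
    Safeguard("gold-plated WAF", 40_000, {"web defacement": 0.9}),  # never pays off
    Safeguard("user awareness training", 5_000,
              {"ransomware": 0.3, "laptop theft (unencrypted)": 0.2}),
]


if __name__ == "__main__":
    for target in (30_000, 10_000):
        chosen, residual, met = select_safeguards(THREATS, CANDIDATES, target)
        print(f"acceptable ALE {target:,}: chose {[s.name for s in chosen]}, "
              f"residual ALE {residual:,.0f}, target met: {met}")
```

With an acceptable ALE of 30,000 the greedy pass picks full-disk encryption, offline backups and awareness training (residual 28,000); with a target of 10,000 it picks the same three and then stops, because the only remaining option costs more than the risk it removes.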
❑ A disaster recovery plan is a plan for keeping your computer equipment and information
available in case of an emergency
❑ May greatly increase public confidence in your organization's ability to safeguard data and continue to provide service.
❑ Remember to keep backups so that when a disaster occurs you'll be able to recover eventually
Security Rules for Employees
❑ The users in your organization have to take some responsibility for security
❑ Be sure they know how to recognize security problems and what to do if they
occur.
Individual User Security Guidelines
❑ Sanitize the hard drives on old computers before you discard them.
Performing backups
Hardware and Software Security Tools
❑ A security audit searches through the system for security problems and vulnerabilities.
❑ Splitting administrative duties across roles is related to the least privilege principle: users and processes in a system should have the fewest privileges, for the shortest time, needed to do their work
❑ System administrator
❑ Security administrator
❑ Operator
❑ The three roles meet the objective of two-man control: it is less likely that two people will conspire to breach security
Typical system administrator/operator functions
include:
❑ Installing system software
❑ Starting up and shutting down the servers in the system
❑ Adding and removing system users
❑ Performing backup and recovery
❑ Handling and servicing printers
❑ The current set of U.S. rules requires notification to the BIS (Bureau of Industry and Security) for export in all cases, but the restrictions are significantly lessened for "Mass Market" products, defined by all of the following:
• They are generally available to the public by being sold, without restriction, from stock at retail selling points
by any of these means:
– Over-the-counter transactions
– Mail-order transactions
– Electronic transactions
– Telephone call transactions
• The cryptographic functionality cannot easily be changed by the user.
• They are designed for installation by the user without further substantial support by the
supplier.
• When necessary, details of the items are accessible and will be provided, upon request, to
the appropriate authority in the exporter’s country in order to ascertain compliance with
export regulations.
Non-U.S. Laws
❑ Wassenaar Arrangement
• an international agreement on export controls for conventional arms and dual-use goods
and technologies
• launched in order to contribute to regional and international security and stability, by
promoting transparency and greater responsibility in transfers of conventional arms and
dual-use goods and technologies
Electronic Signatures in Global and National
Commerce Act (E-Sign Law)
❑ Gramm-Leach-Bliley Act
• signed by President Clinton and passed by Congress in 1999
• a US law containing provisions that require all financial institutions to disclose to consumers and customers
their policies and practices for protecting the privacy of nonpublic personal information
❑ Health Insurance Portability & Accountability Act (HIPAA)
• a Federal law that guarantees health care plan eligibility for people who change
jobs, if the new employer offers group insurance
• places significant restrictions on data transfers to ensure privacy, including security standards and electronic signature provisions
❑ Privacy laws in Europe are built around the concept that privacy is a fundamental
human right that demands protection through government administration.
❑ The Data Protection Directive has a provision allowing the European Commission
to block transfers of personal data to any country outside the EU that has been
determined to lack adequate data protection policies.
Convention on Cybercrime
❑ the first international treaty on crimes committed
via the Internet and other computer networks
❑ pursue a common criminal policy aimed at the protection of society against
cybercrime, especially by adopting appropriate legislation and fostering
international cooperation
❑ deals particularly with violations of copyright, computer-related fraud, child
pornography, and violations of network security
❑ contains a series of powers and procedures
Computer Law
❑ complex and evolving rapidly as it tries to keep up with the technological advances in and enabled by computing
❑ affect programmers, designers, users, and maintainers of computing systems and
computerized data banks
❑ also protect and regulate the behavior of people who use computers
Trade Secret
❑ information kept secret from the public that gives the organization a competitive edge over others
❑ Some examples are the formula for a soft drink, a mailing list of customers, or information about a product due to be announced
❑ protection can vanish through reverse engineering, in which one studies a finished object to determine how it is manufactured or how it works
❑ Hardware, such as chips, disk drives, or floppy disk media, can be patented. The
medium itself can be patented, and someone who invents a new process for
manufacturing it can obtain a second patent.
❑ The documentation is distinct from the program and must be copyrighted
separately.
❑ Content on the web media is appropriately protected through a copyright. This
copyright would also protect software you write to animate or otherwise affect the
display of your web page. And, in theory, if your web page contains malicious code,
your copyright covers that, too.
❑ Domain names, URLs, company names, product names, and commercial symbols
are protected by a trademark, which gives exclusive rights of use to the owner of
such identifying marks
Characteristics of Information
❑ an object that is deemed valuable and treated as a commercial commodity
❑ not depleted by sale, and thus can be sold repeatedly without losing stock or diminishing in quality
❑ can be replicated many times
❑ has a minimal marginal cost, the cost to reproduce one more copy of the information
❑ value is often time dependent
❑ can be transferred intangibly
❑ Statutes
• laws that state explicitly that certain actions are illegal
• violation of a statute will result in a criminal trial, in which the government argues
for punishment because an illegal act has harmed the desired nature of society
• statute law is written by legislators and is interpreted by the courts
• The goal of a criminal case is to punish the criminal, usually by depriving him or her
of rights in some way
❑ Civil Law
• the parties can be anyone: an individual, organization, company, or group
• The goal of a civil case is restitution: to appease the victim by repairing the harm.
Protecting Information through Tort Law
❑ Tort
• a harm that arises not from violation of a statute or from breach of a contract, but from conduct contrary to the accumulated body of court precedents
❑ Tort Law
• unwritten but evolves through court decisions that become precedents
for cases that follow
• Fraud is a common example of tort harm.
Protecting Information through Contract Law
❑ Contract
• an agreement between two parties
• involves an offer, an acceptance and a consideration
• the consideration is usually money or other valuables
• ideal for protecting the transfer of information because they can
specify any conditions
• Computer contracts typically involve the development and use of
software and computerized data.
• help fill the voids among criminal, civil, and tort law
Employers hire employees to generate ideas and make
products.
Ownership
❑ a computer security concern because it relates to the rights of an employer to protect the secrecy and integrity of works produced by the employees
Work for Hire Arrangement
Employment Contract
❑ specifies that the employee be hired to work as a programmer exclusively for the benefit of the
company
❑ company typically claims all rights to any programs developed, including all copyright rights and the
right to market
❑ employee agrees not to compete by working in the same field for a set period of time after
termination
❑ desirable both for employees and employers as
they understand and agree on each others’ rights and responsibilities
Selling Correct Software
❑ A refund on the sale of computer software can be obtained under the U.S. Uniform Commercial Code (UCC), which governs transactions between buyers and sellers in the United States.
❑ Reasons why demands for mass-market software quality are beyond the scope of legal enforcement:
• Manufacturers often have permanent legal staff.
• Legal remedies typically result in monetary awards for damages, not a mandate to fix the faulty software.
• The manufacturer has little incentive to fix small problems.
• Legal remedies are most appropriate only for large complaints.
• The warranty would state that the manufacturer made a diligent search for
security vulnerabilities and had removed all known critical ones.
Reporting Software Flaws
❑ Lack of understanding
❑ Lack of physical evidence
❑ Lack of recognition of assets
❑ Lack of political impact
❑ Complexity of case
❑ Maturity of defendant
Ethical System
❑ set of ethical principles
Ethical Pluralism
❑ recognizing or admitting that more than one position may be ethically justifiable, even equally so, in a given situation
Differences between law and ethics
Law: described by formal, written documents
Ethics: described by unwritten principles
❑ Consequence-based Principle
• based on positive results of every action
❑ Rule-based Principle
• based on certain duties of people
Consequence-based Principle
❑ Teleology
• refers to a theory of behavior in which the focus is on the goal, outcome, or consequence of the action
❑ Two important forms:
• Egoism - a moral judgment is based on the positive benefits to the person taking the action
• Utilitarianism - chooses that action that will bring the greatest collective good for all people with the least
possible negative for all
Rule-based Principle
❑ Deontology
• states that certain things are good in and of themselves
• an ethical theory that refers to the natural goodness of certain things
❑ Rule-deontology
• school of ethical reasoning that believes certain universal, self-evident, natural rules specify our proper conduct
Summary of Ethical Theories
                 Consequence-based                          Rule-based
Individual       Based on consequences to the individual    Based on rules acquired by the individual from religion, experience, and analysis
Universal        Based on consequences to all of society    Based on universal rules, evident to everyone
Case 1: Use of Computer Services
❑ Dave writes and tests utility programs such as compilers for a large software company. The company runs program development and online applications during the day and completes batch production jobs at night. Dave can access the workload data and notices that the evening batch runs leave the system underutilized, so additional programming work at night will not adversely affect the computing performance seen by other users. Dave therefore comes back after normal working hours to use the company's resources to develop a program for his own stock portfolio. His work puts only a minimal drain on the system and uses very few expendable paper supplies. Is Dave's behavior ethical?
Case 2: Privacy Rights