Module 12 - Security and Law

Uploaded by

Don Jino

Administrators need to write a guideline on what steps to take and what procedures to follow in the pursuit of security.

Each computer system requires its own series of administrative practices, and each requires careful development of security policies for its usage.
Categories of Administrative Security

❑ Overall security planning and administration
• includes working with management to set a security policy for your organization, publicizing it and gaining management support for it

❑ Day-to-day security administration
• includes creating accounts and assigning security profiles for users

❑ Day-to-day system administration
• includes keeping the system running, doing daily backups, trolling for breaches, and testing the condition of hardware and software used to sustain operations in times of stress or attack
Role of Security Administrators

❑ Training users
❑ Administering passwords
❑ Backing up system-critical files
❑ Setting up and tuning firewalls and IDS
❑ Examining audit logs
Analyzing Costs and Risks

❑ There must be a balance between the cost of the product and the risk of doing without it

❑ Risk Analysis
• a procedure used to estimate potential losses that may result from system vulnerabilities and to quantify the damage
that may result if certain threats occur

❑ The ultimate goal is to select cost-effective safeguards that reduce risks to an acceptable level

❑ Questions to ask to evaluate organization information
• What information do you have, and how important is it?
• How vulnerable is the information?
• What is the cost of losing or compromising the information?
• What is the cost of protecting the information?
• Who are you going to call?
Planning for Disaster

❑ A disaster recovery plan is a plan for keeping your computer equipment and information
available in case of an emergency

❑ Involves activities such as:
• backing up data for storage at remote secure facilities
• arranging for the formal or informal use of other computer facilities or equipment in case of an emergency

❑ May greatly increase public confidence in your organization's ability to safeguard data and continue to provide service.

❑ Remember to keep backups so that when a disaster occurs you'll be able to recover eventually
Security Rules for Employees

❑ Ensure a well-trained system administration staff

❑ Monitor employees’ security practices

❑ Write an understandable and agreeable security policy

❑ Pre-check employees before hiring or assigning security-related tasks

❑ Limit access of users to equipment and information

❑ When an employee leaves the organization, revoke his/her authorizations immediately, deactivate the account, and save his/her files for proof-keeping.
Training Users

❑ The users in your organization have to take some responsibility for security

❑ Teach your users how to use the hardware and software

❑ Make sure they understand your organization's security policy

❑ Impress upon them the importance of observing good security practices.

❑ Be sure they know how to recognize security problems and what to do if they
occur.
Individual User Security Guidelines

❑ Obey the security policy

❑ Never leave your computer, workstation, or terminal unattended.

❑ Sanitize the hard drives on old computers before you discard them.

❑ Don't eat or drink near your computer or any computer media.

❑ Be careful not to damage your disks and other media.

❑ Use any security controls and products available to you.

❑ Be careful about leaving sensitive documents within easy access.

❑ Use physical security, such as a firewall, IDS, or antivirus software.


Keeping your computers and networks running smoothly by maintaining
equipment

Making sure there is sufficient space on the system disks

Protecting the system and its software from damage

Performing backups
Hardware and Software Security Tools

❑ Firewall - monitors the ports used by a communications session

❑ Intrusion Detection System (IDS) - takes note if any unusual activity is taking place

❑ Honeypot - decoy that records the activities of unauthorized users

❑ Penetration Testing - also known as pentesting, which is a programmed series of attacks to locate overlooked vulnerabilities
Performing a Security Audit

❑ A security audit searches through the system for security problems and vulnerabilities.

❑ Checks system files, system logs or audit reports for:

• Accounts without passwords
• Accounts with easily guessed passwords
• Group accounts
• Dormant accounts
• New accounts
• Default accounts
• Recent changes in file protection
• Suspicious user activity
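
Several of the account checks in this list can be automated. The following is an added example, not part of the original slides: it assumes Unix-style `/etc/passwd` and `/etc/shadow` records, and the sample records, the `DEFAULT_NAMES` and `SHARED_ACCOUNTS` sets, the baseline from a previous audit, the last-login map and the 90-day dormancy threshold are all constructed assumptions. It covers accounts without passwords, group, dormant, new and default accounts; guessable passwords, file-protection changes and user activity need other data sources.

```python
from datetime import date

# Constructed sample data in /etc/passwd and /etc/shadow format (not from a real host).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
guest:x:1003:1003:Guest:/home/guest:/bin/bash
helpdesk:x:1004:1004:Shared helpdesk login:/home/helpdesk:/bin/bash
carol:x:1005:1005:Carol:/home/carol:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
"""
SHADOW = """\
root:$6$constructed$hash:19000:0:99999:7:::
alice:$6$constructed$hash:19000:0:99999:7:::
bob::19000:0:99999:7:::
guest:$6$constructed$hash:19000:0:99999:7:::
helpdesk:$6$constructed$hash:19000:0:99999:7:::
carol:$6$constructed$hash:19700:0:99999:7:::
daemon:*:19000:0:99999:7:::
"""
# Assumptions made for this example: site-specific lists an auditor would maintain.
DEFAULT_NAMES = {"guest", "admin", "test", "user"}
SHARED_ACCOUNTS = {"helpdesk"}


def parse_colon_file(text):
    """Parse colon-separated account records into {name: [fields...]}."""
    rows = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        rows[fields[0]] = fields
    return rows


def audit_accounts(passwd_text, shadow_text, last_login, baseline, today,
                   dormant_days=90):
    """Return {account: sorted findings} for accounts with at least one finding."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    findings = {}
    for name, fields in passwd.items():
        shell = fields[6] if len(fields) > 6 else ""
        entry = shadow.get(name)
        pw = entry[1] if entry and len(entry) > 1 else None
        # A leading '!' or '*' in the shadow password field means the account is locked.
        locked = pw is not None and pw[:1] in ("!", "*")
        interactive = not shell.endswith(("nologin", "false"))
        found = []
        if pw == "":                      # empty field: no password required
            found.append("no-password")
        if name in DEFAULT_NAMES:
            found.append("default-account")
        if name in SHARED_ACCOUNTS:
            found.append("group-account")
        if name not in baseline:          # not present at the previous audit
            found.append("new-account")
        if interactive and not locked:    # only usable logins can be dormant
            seen = last_login.get(name)
            if seen is None or (today - seen).days > dormant_days:
                found.append("dormant")
        if found:
            findings[name] = sorted(found)
    return findings


def run_sample():
    """Run the audit over the constructed records above."""
    last_login = {
        "root": date(2024, 5, 30), "alice": date(2024, 5, 20),
        "bob": date(2023, 11, 1), "helpdesk": date(2024, 5, 31),
        "carol": date(2024, 5, 29),       # guest has never logged in
    }
    baseline = {"root", "alice", "bob", "guest", "helpdesk", "daemon"}
    return audit_accounts(PASSWD, SHADOW, last_login, baseline,
                          today=date(2024, 6, 1))


if __name__ == "__main__":
    for account, issues in run_sample().items():
        print(f"{account}: {', '.join(issues)}")
```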
The principle that emphasizes the advantage of assigning pieces of security-related tasks to several specific individuals

Related to the least privilege security principle, where users and the processes in a system should have the least number of privileges and for the shortest amount of time needed to do their work

Three distinct administrative functions for highly secure systems:

❑ System administrator
❑ Security administrator
❑ Operator

The three roles meet the objective of two-man control: it is less likely that two people will conspire to breach security
Typical system administrator/operator functions include:
❑ Installing system software
❑ Starting up and shutting down the servers in the system
❑ Adding and removing system users
❑ Performing backup and recovery
❑ Handling and servicing printers

Typical security administrator functions include:
❑ Setting user clearances, initial passwords, and other security characteristics for new users, and changing security profiles for existing users
❑ Setting or changing file sensitivity labels
❑ Setting security characteristics of devices and communications channels
❑ Reviewing audit data
United States Law

❑ Three principles of the U.S. encryption export control policy are:
• Review of encryption products prior to sale
• Streamlined post-export reporting
• License review of certain exports of strong encryption to foreign government end users

❑ The current set of U.S. rules requires notification to the BIS for export in all cases, but the restrictions are significantly lessened for “Mass Market” products as defined by all of the following:
• They are generally available to the public by being sold, without restriction, from stock at retail selling points by any of these means:
– Over-the-counter transactions
– Mail-order transactions
– Electronic transactions
– Telephone call transactions
• The cryptographic functionality cannot easily be changed by the user.
• They are designed for installation by the user without further substantial support by the supplier.
• When necessary, details of the items are accessible and will be provided, upon request, to the appropriate authority in the exporter’s country in order to ascertain compliance with export regulations.

Non-U.S. Laws

❑ Wassenaar Arrangement
• an international agreement on export controls for conventional arms and dual-use goods
and technologies
• launched in order to contribute to regional and international security and stability, by
promoting transparency and greater responsibility in transfers of conventional arms and
dual-use goods and technologies
Electronic Signatures in Global and National Commerce Act (E-Sign Law)

❑ implements a simple principle: a signature, contract, or other record may not be denied legal effect, validity, or enforceability because it is in electronic form.

Uniform Electronic Transactions Act (UETA)

❑ provides a legal framework for electronic transactions. It gives electronic signatures and records the same validity and enforceability as manual signatures and paper-based transactions.
Digital Rights Management
❑ application of technology to protect intellectual property and copyrighted material
(this has included items such as music and videos)

Digital Millennium Copyright Act (DMCA)

❑ covers a wide range of legal issues surrounding the protection of intellectual property rights in a digital age.
• The person lawfully obtained the encrypted copy, phonorecord, performance, or display of the published work
• The person made a good faith effort to obtain authorization before the circumvention
• Such act does not constitute infringement under this title or a violation of applicable law other than this section, including section 1030 of title 18 and those provisions of title 18 amended by the Computer Fraud and Abuse Act of 1986.
United States Laws
❑ Electronic Communications Privacy Act (ECPA)
• sets out the provisions for access, use, disclosure, interception and privacy protections of electronic communications

❑ Patriot Act of 2001
• passed after the September 11, 2001 terrorist attacks
• expands the authority of U.S. law enforcement for the stated purpose of fighting terrorist acts in the United States and abroad
• extended the tap and trace provisions of existing wiretap statutes to the Internet and mandated certain technological modifications at ISPs to facilitate electronic wiretaps on the Internet

❑ Gramm-Leach-Bliley Act
• signed by President Clinton and passed by Congress in 1999
• a US law containing provisions that require all financial institutions to disclose to consumers and customers
their policies and practices for protecting the privacy of nonpublic personal information
❑ Health Insurance Portability & Accountability Act (HIPAA)
• a Federal law that guarantees health care plan eligibility for people who change
jobs, if the new employer offers group insurance
• significant restrictions of data transfers to ensure privacy including security
standards and electronic signature provisions

❑ California Senate Bill 1386
• designed to help users fight identity theft through early notification of the loss of control of personal information stored in computer systems
European Laws

❑ European governments have developed a comprehensive concept of privacy administered via a set of statutes known as data protection laws.

❑ Privacy laws in Europe are built around the concept that privacy is a fundamental human right that demands protection through government administration.

❑ The Data Protection Directive has a provision allowing the European Commission to block transfers of personal data to any country outside the EU that has been determined to lack adequate data protection policies.

❑ Safe Harbor is a mechanism for self-regulation that can be enforced through trade practice law via the Federal Trade Commission.
Computer Trespass
❑ unauthorized entry into a computer system via any means, including remote
network connections, and treated as a crime in many countries

Convention on Cybercrime
❑ the first international treaty on crimes committed via the Internet and other computer networks
❑ pursues a common criminal policy aimed at the protection of society against cybercrime, especially by adopting appropriate legislation and fostering international cooperation
❑ deals particularly with violations of copyright, computer-related fraud, child
pornography, and violations of network security
❑ contains a series of powers and procedures
Computer Law
❑ complex and emerging rather rapidly as it tries to keep up with the rapid technological
advances in and enabled by computing
❑ affects programmers, designers, users, and maintainers of computing systems and computerized data banks
❑ also protects and regulates the behavior of people who use computers

Relationship of Law and Computer Security

❑ International, national, state, and city laws can affect privacy and secrecy
❑ Laws regulate the use, development, and ownership of data and programs.
❑ Laws affect actions that can be taken to protect the secrecy, integrity, and availability of computer information and service.
Copyright
❑ gives the author the exclusive right to make copies of the expression and sell them to the public
❑ must apply to an original work, and it must be in some tangible medium of expression.
❑ indicates that the copyrighted object is subject to fair use and lasts for only a limited period of time
❑ has the concept of a first sale - the new owner can resell the copyrighted object
❑ 1976 copyright law was amended in 1980 to include an explicit definition of computer software
Piracy
❑ unfair use of a copyrighted item
Copyright Infringement
❑ substantial copying of independent work
U.S. No Electronic Theft (NET) Act of 1997
❑ reproduction or distribution of copyrighted works is a criminal offense
Patents
❑ protect inventions, tangible objects, or ways to make them, not works of the mind
❑ intended to apply to the results of science, technology, and engineering
❑ designed to protect the device or process for carrying out an idea, not the idea itself
❑ law states that a patent cannot be obtained if the object is obvious to a person having ordinary skill
❑ In 1981, two cases, Diamond v. Bradley and Diamond v. Diehr, won patents for a process that used computer software
❑ patent law has expanded to include computer software, recognizing that algorithms, like processes and formulas, are inventions
Trade Secrets

❑ Information that is kept secret from the public and gives the organization a competitive edge over others

❑ Some examples are the formula for a soft drink, a mailing list of customers, or information about a product due to be announced

❑ can vanish by reverse engineering, where one studies a finished object to determine how it is manufactured or how it works

❑ confidentiality of a trade secret must be ensured with adequate safeguards
Guidelines for using the law to protect computer objects:

❑ Hardware, such as chips, disk drives, or floppy disk media, can be patented. The
medium itself can be patented, and someone who invents a new process for
manufacturing it can obtain a second patent.
❑ The documentation is distinct from the program and must be copyrighted
separately.
❑ Content on the web media is appropriately protected through a copyright. This
copyright would also protect software you write to animate or otherwise affect the
display of your web page. And, in theory, if your web page contains malicious code,
your copyright covers that, too.
❑ Domain names, URLs, company names, product names, and commercial symbols
are protected by a trademark, which gives exclusive rights of use to the owner of
such identifying marks
Characteristics of Information
❑ an object that is deemed as valuable and a commercial commodity
❑ not depleting and thus can be sold repeatedly without losing stock or diminishing quality
❑ can be replicated many times
❑ has a minimal marginal cost which is the cost to reproduce the information
❑ value is often time dependent
❑ can be transferred intangibly

Legal issues relating to information

❑ Information commerce
❑ Electronic publishing
❑ Protecting data in a database
❑ Electronic commerce
Protecting Information through Contract and Civil Law

❑ Statutes
• laws that state explicitly certain actions are illegal
• violation of a statute will result in a criminal trial, in which the government argues
for punishment because an illegal act has harmed the desired nature of society
• statute law is written by legislators and is interpreted by the courts
• The goal of a criminal case is to punish the criminal, usually by depriving him or her
of rights in some way

❑ Civil Law
• anyone can be involved such as an individual, organization, company, or group
• The goal of a civil case is restitution: to appease the victim by repairing the harm.
Protecting Information through Tort Law

❑ Tort
• a harm not occurring from violation of a statute or from breach of a
contract but instead from countering the accumulated body of
precedents
❑ Tort Law
• unwritten but evolves through court decisions that become precedents
for cases that follow
• Fraud is a common example of tort harm.
Protecting Information through Contract Law

❑ Contract
• an agreement between two parties
• involves an offer, an acceptance and a consideration
• must include the consideration of money or other valuables
• ideal for protecting the transfer of information because they can
specify any conditions
• Computer contracts typically involve the development and use of
software and computerized data.
• help fill the voids among criminal, civil, and tort law
Employers hire employees to generate ideas and make products.

The protection offered by copyrights, patents, and trade secrets appeals to employers because it applies to the ideas and products.

Ownership
❑ a computer security concern because it relates to the rights of an employer to protect the secrecy and integrity of works produced by the employees
Work for Hire Arrangement

❑ the employer, not the employee, is considered the author of a work
❑ highly advantageous to the employer
❑ can be considered if some or all of the following conditions are true:
• The employer has a supervisory relationship, overseeing the manner in which the
creative work is done.
• The employer has the right to fire the employee.
• The employer arranges for the work to be done before the work was created
• A written contract between the employer and employee states that the employer
has hired the employee to do certain work.
Licenses
❑ the programmer develops and retains full ownership of the software
❑ can be granted for a definite or unlimited period of time, for one copy or
for an unlimited number, to use at one location or many, to use on one
machine or all, at specified or unlimited times
❑ Highly advantageous to the employee
Trade Secret Protection
❑ different from either a patent or a copyright in that there is no registered inventor or author
❑ no registration office for trade secrets
❑ the company owns the trade secrets of its business-confidential data

Employment Contract
❑ specifies that the employee be hired to work as a programmer exclusively for the benefit of the
company
❑ company typically claims all rights to any programs developed, including all copyright rights and the
right to market
❑ employee agrees not to compete by working in the same field for a set period of time after
termination
❑ desirable both for employees and employers as they understand and agree on each other's rights and responsibilities
Selling Correct Software
❑ A refund can be obtained from the sale of computer software as cited by the U.S. Uniform Commercial Code (UCC), which governs transactions between buyers and sellers in the United States.

❑ Reasons why demands for mass market software quality are beyond the scope of legal enforcement:
• Manufacturers often have permanent legal staff.
• Legal remedies typically result in monetary awards for damages, not a mandate to fix the faulty software.
• The manufacturer has little incentive to fix small problems.
• Legal remedies are most appropriate only for large complaints.
• The warranty would state that the manufacturer made a diligent search for security vulnerabilities and had removed all known critical ones.
Reporting Software Flaws

❑ Open sharing of information is precisely what enables hackers to learn about vulnerabilities and then exploit the vendor’s interests.

❑ Vendors would like to control if or when the report of a vulnerability goes public to hold them until the next version.

❑ Users would announce the vulnerability to pressure vendors to come up with the patches

❑ Responsible vulnerability reporting


Reasons why computer crime is hard to prosecute:

❑ Lack of understanding
❑ Lack of physical evidence
❑ Lack of recognition of assets
❑ Lack of political impact
❑ Complexity of case
❑ Maturity of defendant

Reasons why computer criminals are hard to catch:

❑ There are no international laws on computer crime
❑ Network attacks are hard to trace and investigate because they are complex, involving many steps
Computer Fraud and Abuse Act

❑ Primary federal statute of U.S. enacted in 1984
❑ prohibits the following:
• unauthorized access to a computer containing data protected for national defense or foreign
relations concerns
• unauthorized access to a computer containing certain banking or financial information
• unauthorized access, use, modification, destruction, or disclosure of a computer or information in
a computer operated on behalf of the U.S. government
• accessing without permission a "protected computer," which the courts now interpret to include
any computer connected to the Internet
• transmitting code that causes damage to a computer system or network
• Computer fraud and trafficking in computer passwords
Economic Espionage Act
❑ Started in 1996
❑ outlaws use of a computer for foreign espionage to benefit a foreign country or business or theft of trade
secrets.

Electronic Funds Transfer Act
❑ prohibits use, transport, sale, receipt, or supply of counterfeit, stolen, altered, lost, or fraudulently obtained debit instruments in interstate or foreign commerce

Freedom of Information Act
❑ public access to information collected by the executive branch of the federal government.
❑ requires disclosure of any available data, unless the data fall under national security or personal privacy
❑ applies only to government agencies
Privacy Act
❑ Enacted in 1974
❑ protects the privacy of personal data collected by the government

Electronic Communication Privacy Act
❑ Enacted in 1986
❑ protects against electronic wiretapping

USA Patriot Act
❑ law enforcement need only convince a court that a target is probably an agent of a foreign power in order to obtain a wiretap order
Controlling the Assault of Non-Solicited Pornography and Marketing
(CAN SPAM) Act
❑ bans false or misleading header information.
❑ prohibits deceptive subject lines.
❑ requires commercial e-mail to give recipients an opt-out method.
❑ bans sale or transfer of e-mail addresses of people who have opted out.
❑ requires that commercial e-mail be identified as an advertisement.

California Breach Notification
❑ first stated in California which took effect in 2003
❑ requires any company doing business in California to notify individuals of any breach that has compromised personal information on any California resident.
Council of Europe Agreement on Cybercrime
❑ signed by the United States, Canada, Japan, and 22 European countries in November 2001
❑ defines cyber crime activities and supports investigation and prosecution across national boundaries
❑ requires the countries to adopt similar criminal laws on hacking, computer-related fraud and forgery, unauthorized access, infringements of copyright, network disruption, and child pornography

EU Data Protection Act
❑ a model legislation for all member countries of the European Union (EU) based on the European Privacy Directive
❑ establishes privacy rights and protection responsibilities for all citizens of member countries
❑ governs the collection and storage of personal data about individuals, such as name, address, and identification numbers.
❑ enacted in 1994 and was one of the first to establish protection requirements for the privacy
Restricted Content

❑ Some countries have laws controlling Internet content allowed in their countries.
❑ Some examples of this can be found in:
• Singapore, where service providers filter allowed content
• China, where material that disturbs social order or undermines social stability is banned
• Tunisia, which has a law that applies the same controls on critical speech as for other media forms
Ethics
❑ a set of principles or norms for justifying what is right or wrong in a given situation.
❑ an objectively defined standard of right and wrong

Ethical System
❑ set of ethical principles

Society relies on ethics or morals to prescribe generally accepted standards of proper behavior

Ethical Pluralism
❑ recognizing or admitting that more than one position may be ethically justifiable even equally so in a
given situation
Differences between law and ethics

| Law | Ethics |
|---|---|
| described by formal, written documents | described by unwritten principles |
| interpreted by courts | interpreted by each individual |
| established by legislatures representing all people | presented by philosophers, religions, professional groups |
| applicable to everyone | personal choice |
| priority determined by courts if two laws conflict | priority determined by an individual if two principles conflict |
| court is final arbiter of what is right | no external arbiter |
| enforceable by police and courts | limited enforcement |


Ethical Theories:

❑ Consequence-based Principle
• based on positive results of every action
❑ Rule-based Principle
• based on certain duties of people

Consequence-based Principle
❑ Teleology
• refers to theory of behavior where the focus is set on the goal, outcome, or consequence of the action
❑ Two important forms:
• Egoism - a moral judgment is based on the
positive benefits to the person taking the action
• Utilitarianism - chooses that action that will bring the greatest collective good for all people with the least
possible negative for all
Rule-based Principle
❑ Deontology
• states that certain things are good in and of themselves
• an ethical theory that refers to the natural goodness of certain things
❑ Rule-deontology
• school of ethical reasoning that believes certain universal, self-evident, natural rules specify our proper conduct

Summary of Ethical Theories

| | Consequence-based | Rule-based |
|---|---|---|
| Individual | Based on consequences to individual | Based on rules acquired by the individual from religion, experience, and analysis |
| Universal | Based on consequences to all of the society | Based on universal rules, evident to everyone |
Case 1: Use of Computer Services

❑ Dave writes and tests utility programs such as compilers for a large software company. The company runs program development and online applications during the day and completes batch production jobs at night. Dave can access workload data and notices that the batch runs in the evening coincide with his daytime programming tasks. This means that additional programming tasks at night will not have an adverse effect on the computer performance of other users. As such, Dave comes back after normal working hours to use the company’s resources in developing a program for his own stock portfolio. He causes only a minimal drain on the system and uses very few expendable paper supplies. Is Dave's behavior ethical?
Case 2: Privacy Rights

❑ Donald is working as a computer records clerk who has complete access to property tax records. Ethel, on the other hand, is a scientific researcher who has been granted access only to the numerical portion of the records, excluding the corresponding names associated with it. Ethel finds out that she needs to get information on some names and addresses together with certain properties. Ethel asks Donald to retrieve some names and addresses so she can contact these people for more information and permission to conduct a further study. Should Donald release the names and addresses?
Case Study 3: Fraud

❑ Alicia was tasked by Ed, her supervisor, to write a program that will affect access to the accounting books of the company. Alicia knew that with the new program one person can alter crucial amounts without being traced. She then raised this matter with Ed, who simply reminded her to write the programs as he requires. Ed argued that every now and then a record is mistakenly entered in the books, which requires the company to make a change to correct the inaccurate figure.
Steps for Examining a Case for Ethical Issues

1. Understand the situation
2. Know several theories of ethical reasoning
3. List the ethical principles involved
4. Determine which principles outweigh others

Computer Ethics Institute


❑ Started in mid-1980s as a joint activity of IBM, the Brookings Institution, and the
Washington Theological Consortium
❑ nonprofit group that aims to encourage people to consider the ethical aspects of
their computing activities
❑ published its ethical guidance as ten commandments of computer ethics
The Ten Commandments of Computer Ethics (Computer Ethics Institute, Washington D. C.)
❑ Thou shalt not use a computer to harm other people.
❑ Thou shalt not interfere with other people's computer work.
❑ Thou shalt not snoop around in other people's computer files.
❑ Thou shalt not use a computer to steal.
❑ Thou shalt not use a computer to bear false witness.
❑ Thou shalt not copy or use proprietary software for which you have not paid.
❑ Thou shalt not use other people's computer resources without authorization or proper compensation.
❑ Thou shalt not appropriate other people's intellectual output.
❑ Thou shalt think about the social consequences of the program you are writing or the system you are designing.
❑ Thou shalt always use a computer in ways that insure consideration and respect for your fellow humans.
