Legal Aspects in Infosec
SecurIMAG – 2012-01-12 – Grenoble INP Ensimag – ¡¡_ (in)security we trust _!!
Alexandra RUIZ
• Description: Laws are important for protecting IT users. Being aware of some legal aspects is useful for protecting yourself and your customers.
2 SecurIMAG – Legal Aspects in Infosec – A. RUIZ – 2012-01-12
• Lexsi Group is an international consulting group specialized in protecting information assets, strongly driven towards innovation.
• Our 130 talented and dedicated experts, analysts and consultants have built the first independent, pioneering risk management and information security provider.
• Lexsi is located in France (Paris and Lyon), Canada and Singapore.
LEXSI
4 business lines:
• MONITORING & CYBERCRIME – 1st private European CERT • Vulnerability monitoring • Investigations and incident response • Fight against cybercrime
• CONSULTING – 60 consultants • Risk management • Resilience & business continuity • Project owner assistance • Information security support, ISO 2700x... • Governance and strategy • Security solutions and architectures
• AUDIT – 5 engagements per week • Strategic audit • Compliance audit • Technical audit & pentest • Code audit
• TRAINING – More than 800 CISOs trained • SANS Institute partner (GIAC) • CISO track • Numerous expert modules
@MargaretZelle
Halt, who are you?!
• Licence in Law
• Master 2 in business intelligence
• Currently:
  • Work: Legal assistant at LEXSI, Lyon
  • Student:
    o Master 2 in digital technology law
    o University degree in cybercriminality
• Hobbies: books, photos, shopping
Why do you need law?
Introduction
• Focus on the principal concerns • Aspects of French IT law
Table of contents
• Intrusion into an information system: Godfrain law, pentesting
• New French transposition: Telecom Package
• Cloud computing
• HADOPI
• LOPPSI II
• CNIL
• Employer's power of control
Intrusion into an information system
Some articles:
• Fraudulent access to, or remaining in, an IS is punished by 2 years' imprisonment and a 30 000€ fine (art. 323-1 penal code)
• When it results in the deletion or modification of data, or an alteration of the system's functioning: 3 years' imprisonment and a 45 000€ fine (art. 323-1 penal code)
• Hindering or distorting the functioning of an IS: 5 years' imprisonment and a 75 000€ fine (art. 323-2 penal code)
• Fraudulently introducing, deleting or modifying data: 5 years' imprisonment and a 75 000€ fine (art. 323-3 penal code)
Intrusion into an information system
Some articles (same sanctions as for the principal offense):
• Without legitimate reason, importing, holding, offering, transferring or making available equipment, an instrument, a computer program or any data designed or specially adapted to commit one or more of these offenses (art. 323-3-1 penal code)
• Participation in a group or agreement formed for the preparation, evidenced by one or more material facts, of one or more of these offenses (art. 323-4 penal code)
• Attempt to commit an offense (art. 323-7 penal code)
Ref: Loi Godfrain du 05/01/1988 n°88-19 sur la protection des SI contre la fraude informatique et l'intrusion (Godfrain Act of 5 January 1988, no. 88-19, on the protection of information systems against computer fraud and intrusion)
Intrusion into an information system
Examples:
• Serge HUMPICH demonstrated that credit cards have some vulnerabilities: 10 months suspended sentence and 1 F in damages (fraudulent access and data introduction into an IS)
• Vulnerabilities: a man published exploits for unpatched vulnerabilities (0-days) on his website. He was convicted because he had the competence to know that they could be used to cause damage (2009)
Intrusion into an information system
Examples:
• Radiocom 2000: to win a game, a man used his employer's lines. He distorted the operation of the IS with radiophones to prevent the security procedure from triggering: for him and his associates, 4 and 18 months suspended and fines of 2 000 to 10 000 F and 1 900 000 F (fraudulent access to and remaining in an IS, and data modification after altering the system's functioning)
Intrusion into an information system
Pentesting:
• You can't get into an IS without authorisation
• But you can test your own IS
• Companies specialize in pentesting
• How is it possible? These companies have a contract with the client. This contract is really important to protect themselves.
Intrusion into an information system
Pentesting:
• The contract has to state some important points:
  • Authorisation
  • Perimeter
  • No delegation of responsibilities (possibility of a limitation of responsibilities)
• SO: if you want to test the vulnerability of korben's website, it's forbidden. If you want to test your own website, you can.
• If someone asks you to test their website, always make a contract.
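The authorisation and perimeter points above are easy to state in a contract and easy to violate by accident in practice. The following is an added example (not from the talk, and not a Lexsi tool) of a rules-of-engagement check that a testing team could run before touching any target: it refuses a target unless a signed authorisation exists, the date is inside the contracted window, and the host or IP sits inside the contracted perimeter and is not explicitly excluded. The contract values (client name, dates, ranges, domains) are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Authorization:
    """What the pentest contract annex states (constructed, hypothetical)."""
    client: str
    signed: bool                                   # written authorisation exists
    start: date                                    # contractual testing window
    end: date
    networks: list = field(default_factory=list)   # CIDR strings in scope
    domains: list = field(default_factory=list)    # domain suffixes in scope
    excluded_hosts: set = field(default_factory=set)


def in_scope(auth, target, today):
    """Return (allowed, reason). Anything the contract does not cover is refused."""
    if not auth.signed:
        return False, "no signed authorisation"
    if not (auth.start <= today <= auth.end):
        return False, "outside the contractual testing window"
    host = target.lower().rstrip(".")
    if host in auth.excluded_hosts:
        return False, "host explicitly excluded by the contract"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None                                  # not an IP literal: treat as hostname
    if ip is not None:
        if any(ip in ipaddress.ip_network(n) for n in auth.networks):
            return True, "IP within contracted network"
        return False, "IP not in contracted perimeter"
    if any(host == d or host.endswith("." + d) for d in auth.domains):
        return True, "hostname within contracted domain"
    return False, "hostname not in contracted perimeter"


def check(auth, target, today_iso):
    """Convenience wrapper taking the date as an ISO string (e.g. '2012-01-12')."""
    return in_scope(auth, target, date.fromisoformat(today_iso))


# Constructed sample contract: documentation IP range and example.com only.
CONTRACT = Authorization(
    client="ExampleCorp (placeholder)",
    signed=True,
    start=date(2012, 1, 9), end=date(2012, 1, 20),
    networks=["192.0.2.0/24"],                     # TEST-NET-1, reserved for examples
    domains=["example.com"],
    excluded_hosts={"payroll.example.com"},
)
```

Running `check(CONTRACT, "www.example.com", "2012-01-12")` allows the host, while the same host one month later, a host outside `example.com`, or the excluded payroll server are all refused with a reason that can be logged alongside the engagement.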
Telecom Package
What is it? • European law of 2002 modified in 2009 • French transposition of August 24th 2011
Two main aspects: • Cookies must be expressly accepted by the user who visits a website (if you have a website!) • Internet service providers must inform the CNIL in case of a data breach
Ref: Ordonnance n° 2011-1012 du 24 août 2011 relative aux communications électroniques
Cloud
Legal aspects of the Cloud:
• Contract: who is responsible for personal data?
• Data breach
• Use of a public or private Cloud?
• Audit
If you are a big client, you can negotiate with Google for your Cloud. If you're not, you can only sign.
HADOPI
• Who? Owner of an Internet access (people, firms)
• What? Obligation of protection
• Why? In order to protect authors
• Measures? Protect your wifi with a password (and security software labelled by HADOPI => not really useful, in fact only business)
HADOPI
• Sanctions? Graduated response: email, letter (6 months after), 1 500€ and, possibly, suspension of the subscription (by the judge since 2009)
• What to do? If you're not responsible, you can send observations to the commission for the protection of authors' rights, but only once you have a sanction (step 3)
• Evolution? The government wanted to sanction streaming
HADOPI
• Concretely:
• Martin Hack, a French teenager, downloads Braquo (a French series) using his parents' connection
• TMG collects Mr and Mrs Hack's IP address
• The rights holders give this IP to HADOPI
• HADOPI sends an email to Mr and Mrs Hack at the address they gave to their ISP (will they read it one day?)
• If Martin is punished very hard and promises never to download again (for 6 months), all is good…
HADOPI
• If Martin is a rebel and downloads again and TMG collects the IP… HADOPI will send a letter to Mr and Mrs Hack.
• After 1 year, if nothing has happened, nothing will happen.
• If (stupid) Martin downloads again, HADOPI decides whether or not to refer the case to the judge
• If the Hack family is really unlucky, the judge could order them to pay 1500€ and, if the judge is really angry, suspend their connection for one month.
Conclusion: lots of emails but no sanction yet
Ref: Loi « Création et Internet » dite HADOPI, du 13/05/2009, promulguée le 12/06/2009 et Loi relative à la Protection Pénale de la Propriété Littéraire et Artistique sur Internet dite HADOPI 2, du 22/10/2009
LOPPSI II
Main points:
• Identity theft: 1 year and 15 000€
• Be careful if you want to make a joke!
• Selling tickets in order to make a profit: 15 000€
• CCTV: more power for the CNIL
  • More CCTV is authorized and the government could impose it
  • The CNIL will control CCTV but couldn't give sanctions
LOPPSI II
Main points:
• Website blocking
  • A blacklist of websites will be made and a judge's decision could oblige ISPs to block these sites
• Introduction of spyware by the police to capture data without the owner's consent
  • The police are authorized by the investigating judge to introduce spyware into suspects' computers
  • They exploit vulnerabilities present in those computers
CNIL
• Personal data protector since 2004
• Protection and control of all data processing:
  • Exemption from declaration for some processing
  • Simplified declaration for common processing
  • Ordinary declaration for the others
  • Authorization request for processing with risk
• Could control all processing
• Currently, the legislator gives it more and more power of control and sanction
Ref: Loi « Informatique et Libertés » du 06/01/1978 relative à l'informatique, aux fichiers et aux libertés (modifiée par la loi du 06/08/2004)
Employer’s power of control
• A charter limits, and informs about, the measures implemented by the employer:
  • Annex to the contract with the employee's signature
  • Annex to the internal regulations with the opinion of staff representatives and validation by the labour inspectorate
• Employees must be informed of every measure limiting their private life
Employer’s power of control
• Phone call control:
  • Only duration and cost
  • Phone tapping could be used if employees are informed and if it's necessary for the firm
  • SMS could be evidence
• Messaging control:
  • All emails in a professional mailbox are professional, except if they are identified as « personal »
  • Number of emails, origin and addressee
  • Could filter some emails
Employer’s power of control
• Internet control:
  • Restriction of some websites (social networks, porn…)
  • Personal use is tolerated but you could be sanctioned for excessive use
  • Capture of traffic logs (confidentiality problem with some websites)
  • This information must be kept for one year.