Principles of Computer Security: CompTIA Security+® and Beyond, Third Edition © 2012

Chapter 24: Legal Issues and Ethics
Dec 13, 2015


Objectives

• Explain the laws and rules concerning importing and exporting encryption software.

• Identify the laws that govern computer access and trespass.

• Identify the laws that govern encryption and digital rights management.

• Describe the laws that govern digital signatures.

• Explore ethical issues associated with information security.

Key Terms

• Administrative law

• Click fraud

• Common law

• Computer Fraud and Abuse Act (CFAA)

• Computer trespass

• Digital Millennium Copyright Act (DMCA)

• Electronic Communications Privacy Act (ECPA)

• Gramm-Leach-Bliley Act (GLBA)

Key Terms (continued)

• Payment Card Industry Data Security Standard (PCI DSS)

• Sarbanes-Oxley Act (SOX)

• Section 404

• Statutory law

• Stored Communications Act (SCA)

• Wassenaar Arrangement

Cybercrime

• Characteristics
  – Technology is constantly changing
  – Sophistication of computer crimes has increased
  – Generally focused on financial gain
  – Often run by organized crime
  – Low risk of being caught
  – Difficult to prosecute

Types of Cybercrime

• Computer-involved crimes can be classified as:
  – Computer-assisted
  – Computer-targeted
  – Computer-incidental

Internet Crime

• Most computer crime revolves around money.

• Internet Crime Complaint Center (IC3):
  – FBI, NW3C, and BJA partnership
  – Produces a list of common Internet crimes with descriptions
  – Provides advice on how to avoid becoming a victim of Internet crime

Common Internet Crime Schemes

• Auction fraud

• Counterfeit cashier’s check

• Credit card fraud

• Debt elimination

• Parcel courier e-mail scheme

• Lotteries

• Escrow services fraud

• Identity theft

• Business opportunities

• Internet extortion

• Investment fraud

• Employment opportunities

• Nigerian Letter or “419”

• Phishing/spoofing

• Ponzi/pyramid

• Reshipping

• Spam

• Third-party receiver of funds

Sources of Laws

• Statutory law
  – Laws set by legislative bodies such as Congress

• Administrative law
  – Power granted to government agencies through legislation

• Common law
  – Laws derived from previous events or precedent

Computer Trespass

• Unauthorized access of a computer system
  – Independent of access method

• Considered a crime in many countries
  – May warrant significant punishment
  – Treaties between countries regulate ways to deal with cyber offenders

Convention on Cybercrime

• First international treaty on Internet crimes
  – EU, U.S., Canada, Japan, and others

• Created common policies to handle cybercrime

• Focused on:
  – Copyright infringement
  – Computer-related fraud
  – Child pornography
  – Violations of network security

Significant U.S. Laws

• Electronic Communications Privacy Act

• Stored Communications Act

• Computer Fraud and Abuse Act

• Controlling the Assault of Non-Solicited Pornography and Marketing Act

• USA Patriot Act

• Gramm-Leach-Bliley Act

• Sarbanes-Oxley Act

Electronic Communications Privacy Act (ECPA)

• Addresses legal privacy issues related to computer use and telecommunications

• Warning banners are common practice for:
  – Establishing the level of expected privacy
  – Serving notice of intent to monitor
  – Obtaining the user’s consent to monitoring
  – Providing consent to law enforcement search

Computer Fraud and Abuse Act (1986)

• Foundation of U.S. law on unauthorized access

• Criminalizes activities such as:
  – Accessing government or interstate commerce systems
  – Using a computer in interstate crime
  – Trafficking in passwords or access information
  – Transmitting code, commands, or programs that result in damage

Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM)

• Established spam e-mail regulations

• Provided rules of compliance
  – Unsubscribe, content, and sending behavior

• Has had a poor track record of convictions

USA Patriot Act

• Response to the 9/11 terrorist attacks

• Altered U.S. laws on Internet wiretaps and tracing
  – Requires ISPs to facilitate Internet monitoring
  – Provides for federal law enforcement investigation and adjudication of computer intrusions

• Supported changes in other supporting computer misuse laws
  – ECPA and CFAA

Gramm-Leach-Bliley Act (GLBA)

• Financial industry legislation to protect individual privacy
  – Created an opt-out method giving individuals control over the use of their personal information
  – Enforced by state, federal, and securities laws
  – Restricts information sharing with third-party firms

Sarbanes-Oxley Act (SOX)

• Overhaul of financial accounting standards
  – Targeted standards of publicly traded firms

• Section 404 controls
  – Internal controls on financial reporting processes
  – Audits required on a regular basis

Payment Card Industry Data Security Standard (PCI DSS)

• Contractual rules governing exchange of credit card data between banks and merchants
  – Voluntary standard

• Noncompliance may result in:
  – Higher transaction fees
  – Expensive fines
  – Inability to process credit cards

Import/Export Encryption Restrictions

• Includes use to secure network communications

• U.S. export control laws
  – Administered by the Bureau of Industry and Security
  – Encryption rules found in the Export Administration Regulations (EAR)
  – Controls include presale product reviews, post-export reporting, and export license reviews

Non-U.S. Laws

• Wassenaar Arrangement
  – International agreement on export controls dealing with dual-use goods and technologies
  – Removed key length restrictions on encryption products

• Cryptographic use restrictions
  – Many countries tightly restrict the use and possession of cryptographic technology

U.S. Digital Signature Laws

• Means to show approval for electronic records
  – Cryptography provides integrity and non-repudiation
  – Enables e-commerce transactions

• Examples:
  – Electronic Signatures in Global and National Commerce Act
  – Uniform Electronic Transactions Act

Other Digital Signature Laws

• United Nations
  – UN Commission on International Trade Law Model Law on Electronic Commerce

• Canada
  – Uniform Electronic Commerce Act

• European Union
  – Electronic Commerce Directive

Digital Millennium Copyright Act (DMCA)

• Protects rights of recording artists.

• Identifies how new computer technology relates to copyright laws.

• Also regulates software and hardware designed to circumvent copyright protection controls.

Ethics

• Globalization blurs ethical lines.
  – Social norms vary among diverse principalities.

• Challenge for today’s businesses:
  – A code of ethics must be established.
  – Employees need to understand what is expected.

• SANS published a set of IT ethical guidelines.

Chapter Summary

• Explain the laws and rules concerning importing and exporting encryption software.

• Identify the laws that govern computer access and trespass.

• Identify the laws that govern encryption and digital rights management.

• Describe the laws that govern digital signatures.

• Explore ethical issues associated with information security.