Policy and Legislation

1
Policy and Legislation

• (Slides from Aaron Rhys Shelmire)

2
Uniform Trade Secrets Act (UTSA)

• Secret must generate or have the potential to
  generate income
• Steps are taken to keep it secret
• Enacted by states (48 and D.C.)

3
Computer Fraud and Abuse Act

• prohibits access to protected computers without
  authorization
• Prohibits exceeding authorization levels granted

4
Electronic Communications Protection Act

• Prohibits the unauthorized and unjustified
  interception, disclosure, or use of
  communications, including electronic
  communications
• Title I - The Wiretap Act
• Title II - The Stored Communications Act
• Pen and Trace and Trap Statute

5
ECPA - Wiretap Act (1)

• Prohibits intentional or attempted interception
  of a wire, oral, or electronic communications as
  well as the disclosure of that information
• Certain Exceptions made
• interceptions by service providers acting within
  ordinary scope of their business, as necessary
  for rendering its services or protecting the
  service provider's rights or property
• interceptions authorized by court order or other
  lawful authority

6
ECPA - Wiretap Act (2)

• interceptions made by a party involved in the
  communication
• interceptions made with the consent of one party
  to the communication
• in some states it must be both parties

7
ECPA - Wiretap Act (3)

• interceptions of a computer trespasser's
  communications made to, through, or from a
  protected computer if the owner authorized
  interception, interception is part of an
  investigation, and the contents of communications
  are reasonably believed to be relevant to the
  investigation

8
ECPA - Stored Communications Act

• Wiretap Act does not cover Communications from
  Storage (i.e. websites email)
• imposes criminal and civil liability for the
  intentional, unauthorized access to an electronic
  communication service facility to obtain, alter,
  or prevent authorized access to a stored wire or
  electronic communication

9
ECPA - Pen and Trace and Trap Statute

• No person may install or use a pen register or a
  trap and trace device without first obtaining a
  court order
• Exceptions
• Service Provider
• Verification of Service
• Consent
• an ISP can disclose non-content (originator,
  receiver, dates, times, Layer-4 and below, et
  cetera) information, except to the government
• Government needs a warrant, a subpoena or the
  consent of subscriber

10
Federal Rules of Evidence (1)

• Hearsay
• A statement other than one made by the defendant
  while testifying offered as evidence
• Computer generated records
• Output of computer programs untouched by human
  hands
• Computer stored records
• Output generated by a person stored on a computer
• Exception
• Records of regularly conducted activity
• If it is defined in POLICY

11
Federal Rules of Evidence (2)

• Authentication of evidence
• Achieved by collector of that evidence testifying
  to its authenticity
• Best Evidence Rule
• If data are stored in a computer or similar
  device, any printout or other output readable by
  sight, shown to reflect the data accurately, is
  an original

12
4th Amendment

• Protects against unreasonable search by the
  government
• Does not protect against search from private
  individuals or companies
• Courts have ruled that a disk is akin to a
  closed container and that individuals expect
  similar privacy

13
5th Amendment

• No person shall be compelled in any criminal
  case to be a witness against himself
• Extends to cryptographic keys
• Dont have to give up memorized keys

14
Sarbanes Oxley (1)

• Chief executives of publicly traded companies
  must validate financial statements and other
  information
• CEOs and CFOs must affirm that their companies
  have proper internal controls
• IT systems keep control of everything
• IT systems must be secure to ensure proper
  internal controls
• Internally developed systems must be developed
  securely

15
Sarbanes Oxley (2)

• Secure Identity Management
• Identity Provisioning
• Policy-based access control
• Strong authentication
• Data Protection Integrity
• But it doesnt say how.

16
HIPAA (1)

• Health Insurance Portability and Accountability
  Act
• Applies to doctors, health-care providers,
  pharmacists, et cetera.
• Established in part to prevent unauthorized use
  and disclosure of Protected Health Information
  (PHI)

17
HIPAA(2)

• Part 160 General Administrative Requirements
• Part 162 Administrative Requirements
• Part 164 Security And Privacy Rules

18
HIPAA(3)

• Privacy rule the right of an individual to
  control the use of personal information.
• Security rule administrative, technical and
  physical safeguards specifically as they relate
  to electronic PHI (ePHI), the protection of ePHI
  data from unauthorized access, whether external
  or internal, stored or in transit.
• Implement Policies and Procedures
• Protect, Prevent, Detect, and Contain incidents
• Risk Analysis
• Risk Management
• Sanctions against violators
• Assign Security Responsibility

19
HIPAA(4)

• Methods to Authorize Access
• Methods to record the establishment of access and
  modification of information
• Security Awareness and Training
• Security reminders
• Log-in Monitoring
• Password Management
• Transmission Security
• Integrity controls
• Encryption/decryption

20
HIPAA(5)

• Security Incident Procedures
• Must respond and report/document
• Contingency Plan
• Data backup plan,
• Disaster recovery plan
• Emergency Mode Operation plan
• Testing and Revision procedures
• Applications and Data Criticality Analysis
• Periodic Evaluation

21
HIPAA(6)

• Technical Specifications
• Unique User Identification
• Emergency Access Procedure
• Automatic Logoff
• Encryption
• Audit Controls
• Integrity
• Mechanism to authenticate that electronic
  protected health information (E-PHI) has not been
  altered

22
Fair and Accurate Credit Transactions (FACT) Act
of 2003

• Extends Fair Credit Reporting Act of 1970 to
  provide protections from fraud and identity theft
  
• Merchants and credit agencies must have secure
  systems to handle consumer fraud complaints and
  protect sensitive information (credit cards) from
  unauthorized disclosure.

23
FACT

• Applies to more than consumer organizations
• Companies that use credit reports to screen new
  hires

24
Data Accountability and Trust Act (DATA)

• requires organizations to inform those whose data
  are "acquired by an unauthorized person" in the
  event of a data breach "if there is a reasonable
  basis to conclude that there is a significant
  risk of identity theft."
• Passed House Energy and Commerce Committee

25
DATA

• Federal Trade Commission enforces DATA
• requires data brokers to establish security
  policies
• requires audits by the FTC of organizations that
  experience security breaches.
• Similar to Californias SB 1386
• Does not require disclosure if data is encrypted

26
Cyber security research and development Act

• H.R. 3394
• To authorize funding for computer and network
  security research and development and research
  fellowship programs, and other purposes

27
Network Neutrality(1)

• Michael Powell stated consumers are entitled to 4
  freedoms
• access to the lawful Internet content of their
  choice
• entitled to run applications and services of
  their choice, subject to the needs of law
  enforcement (i.e. wiretapping)
• connect their choice of legal devices that do not
  harm the network
• entitled to competition among network providers,
  application and service providers, and content
  providers

28
Network Neutrality (2)

• Various Amendments to Telecom Act passed to
  solidify those concepts
• exceptions to allow providers to discriminate for
  security purposes, or offer specialized services
  such as "broadband video" service.
• Tiering not addressed
• What does this have to do with Information
  Assurance?

29
Liability(1)

• Company A sells a car that they know the back
  seat of the car was often engulfed in flames
  after a rear-end collision
• person dies,
• Company A is liable

30
Liability(2)

• Company B sells software. They know of a critical
  flaw in their software, and even have a patch for
  this flaw, but refuse to release it until
  fix-it-Friday. Your system is compromised through
  this flaw, and you loose 3.2 mil. What do you do?

31
Liability(3)

• in a test of major antivirus programs conducted
  by Brazils CERT the very best antivirus programs
  detected only 88 percent of the known keyloggers.
  
• In U.S. victims of fraudulent money transfers are
  typically limited to 50 in liability under the
  Federal Reserve's Regulation E, so long as they
  report the crime quickly enough within two
  days. If they report it within 60 days, their
  liability is capped at 500.

32
The Lopez Case

• Joe Lopez, the owner of a small computer supply
  company in Miami, sued Bank of America after
  cybercrooks were able to use a keylogging Trojan
  planted on his business computers to swipe bank
  account information and transfer 90,000 to
  Latvia.
• Bank of America says it does not need to cover
  the loss because Mr. Lopez was a business
  customer and because it is not the bank's fault
  that he did not practice good computer hygiene.
  Mr. Lopez claims he did, and that in any case,
  Bank of America should have done more to warn him
  of the risks of computer crime.

33
RaboDirect

• Ireland's online bank RaboDirect has become the
  first bank in the country to offer its customers
  a security guarantee customers are guaranteed
  they will not lose any money in the event of
  online theft. RaboDirect customers will have a
  token that generates a one-time use passcode to
  be used in their two-factor authentication
  scheme. - SANS newsbites Vol. 8 Issue 29

34
Insurance

• Buy a safe, you have insurance up to 10,000
• Power supply insurance up to 3,000
• Buy commercial database software, insurance that
  my data is safe within it.

35
Cell phone records debacle

• Pretexting - pretending to be a user to obtain
  phone records
• Consumer Phone Records Act
• Passed the House
• Illegal to acquire, use or sell a person's
  confidential phone records without that person's
  written consent.

36
Cookies?

• Only investigators are allowed to tap your phone,
  why are companies allowed to tap my web browsing?
• Does government have a right to that data?
• Google and the 2035 cookie?
• Gmail account google search tracked web search

37
Cyber Law Enforcement

• increased investment in law enforcement
• cross-border cooperation among investigators, who
  are overwhelmed by the global nature of
  cybercrime.
• "There are more criminals on the Internet street
  than policemen"

38
Internet police?

• Kid in sweden commits a hacking crime gets off
  with community service
• Need some way to fix this
• Put Internet into UN or some other international
  hands, no longer DARPA

39
Cybersecurity

• By exploiting vulnerabilities in our cyber
  systems, an organized attack may endanger the
  security of our Nations critical infrastructure
  - Cyberspace Strategy, page xi