ISA 562
Objectives
Discuss computer crime
Discuss laws and regulations for IT
Differences and similarities between common law and civil law
Incident response technology
Forensics
And many more.
Introduction
Addresses computer crime laws and regulations
Decide on a suitable set of investigation procedures (involving techniques and measures) that can be used to determine if a crime has been committed
Have methods to gather evidence
Develop a set of incident-handling capabilities to react quickly and efficiently to malicious threats or suspicious incidents
Common Law
English roots
Common law originally developed from court decisions based on customs, traditions and precedents. The book has more details.
Criminal Law (for more info read the book)
Tort Law (for more info read the book)
Administrative Law (for more info read the book)
Civil Law
Roots go back to the Roman Empire and the Napoleonic Code of France
Body of laws established by a state or nation for its own regulation (read the book)
Customary Law
Religious Law
Mixed Law
Specifically designed to protect tangible items, intangible items and property from those wishing to copy or use them without due compensation to the inventor or creator. It has two categories.
Some definitions
Patent: an idea (protects novel, useful ideas, etc.)
Copyright: an expression of an idea
Trademark: a symbol representing an idea (used to identify goods and distinguish them from those made or sold by others)
Trade secrets: proprietary business or technical information, processes, etc. that are confidential and critical to the business
Software Licensing types
Privacy: addresses the rights and obligations of individuals and organizations
Initiatives
Generic approaches
Regulation by industry
Horizontal enactment: across all industries
Vertical enactment: requirements for financial sectors, healthcare, government, etc.
Personal protection
End-user responsibilities: encourage users to use specific technologies such as encryption, anti-virus, etc.
Other Concerns
Liability
Legal responsibilities, etc.
Negligence
Acting without care
Due Diligence
The degree of prudence that might be properly expected from a reasonable person put in the given circumstances
Computer Crimes
Read more in the book on computer crime categories
Computer crime examples
International cooperation
Incident Response
Incident: any event that has the potential to negatively impact the business or its assets
The need for incident response
Root cause analysis
Discovering a problem and resolving it
Minimize damage
Document the steps
Policy (Escalation Process), procedures, guidelines and management evidence
Establish a Team
Virtual, permanent or a combination of the two
Each option has its pros and cons
Phases
Triage: done as the first step in incident handling
Contains detection, classification and notification
Detection step: recognizes false positives and false negatives
Classification step: assigns a severity to events (e.g. high, medium, low)
Notification step: notifies identified entities depending on the event's severity
Analysis: could be automated or manual
Interpretation: explanation for the event
Reaction: what to do in case of the event
Recovery: specific procedures to recover from the event
Objectives
Considerations
Containment
Reducing the potential impact of the incident
Depends on the attack, what has been affected, etc.
Strategies used:
System isolation
System disconnection
Implementing a security product (like firewalls)
Documentation for handling procedures, sources of evidence, etc.
Computer forensics
Evidence
Digital, electronic, storage or wire
Computer forensics is very young, only about 25 years old; latent fingerprint analysis goes back to the 1800s.
Acquiring evidence
Crime scene
Where potential evidence of the crime may exist
Could be physical, virtual or cyber
Means, Opportunity and Motives (MOM)
Modus Operandi (MO): e.g. hacking signature behaviors
The scene should be preserved: no unauthorized individuals, and procedures in place. Contamination cannot be undone!
Digital Evidence
Rules:
Admissibility criteria vary
Should have some probative value
Relevant to the case at hand
Admissible and authentic
Complete, accurate and convincing
Hearsay
An out-of-court statement offered as proof of an assertion (second-hand evidence)
Normally not admissible
One exception: computer-generated information
Life span
Volatile
May have a short life span, etc.
Evidence handling
Who, what, where, when and how
Requires following a formal process that is well documented
Examples are MD5 and SHA
Chain of custody
All activity relating to the seizure, access, etc. should be fully documented
Minimize handling/corruption of original data
Be prepared to testify
Work fast
Comply with evidence rules
Act ethically, in good faith, etc.
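The evidence-handling and chain-of-custody points above (who, what, where, when and how; MD5 and SHA digests) can be tied together in a small script. This is an added example, not course material: it records an acquisition baseline, logs every later access with the examiner's who/what/where/when/how, and refuses to log an access when the image no longer matches the acquisition digests. The evidence bytes, examiner names and locations are constructed placeholders.

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample "evidence": bytes standing in for an acquired disk image.
EVIDENCE_IMAGE = b"constructed sample disk image for illustration only\x00\x01\x02\xff"


def hash_evidence(data: bytes) -> dict:
    """Digest the evidence with MD5 and SHA-256 (the slide names MD5 and SHA)."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def custody_entry(who: str, what: str, where: str, how: str, digests: dict) -> dict:
    """One chain-of-custody record: who, what, where, when, how, plus the digests."""
    return {"who": who, "what": what, "where": where, "how": how,
            "when": datetime.now(timezone.utc).isoformat(), **digests}


def start_custody(image: bytes, who: str, where: str, how: str) -> list:
    """Open the chain of custody with the acquisition record; its digests are the baseline."""
    return [custody_entry(who, "acquired image", where, how, hash_evidence(image))]


def verify_integrity(image: bytes, log: list) -> bool:
    """True if the image still matches the digests recorded at acquisition (log[0])."""
    baseline, current = log[0], hash_evidence(image)
    return (current["md5"] == baseline["md5"]
            and current["sha256"] == baseline["sha256"])


def record_access(log: list, image: bytes, who: str, what: str, where: str, how: str) -> bool:
    """Append an access record only if the image is unchanged; otherwise refuse (return False)."""
    if not verify_integrity(image, log):
        return False
    log.append(custody_entry(who, what, where, how, hash_evidence(image)))
    return True


if __name__ == "__main__":
    log = start_custody(EVIDENCE_IMAGE, "examiner A", "forensics lab", "write-blocked imaging")
    record_access(log, EVIDENCE_IMAGE, "examiner B", "opened for analysis", "forensics lab", "read-only mount")
    tampered = EVIDENCE_IMAGE + b"\x00"   # constructed: one appended byte changes both digests
    print("entries:", len(log), "intact:", verify_integrity(EVIDENCE_IMAGE, log),
          "tampered accepted:", record_access(log, tampered, "examiner C", "analysis", "lab", "mount"))
```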