1
The Broader Picture
Chapter 12
Panko, Corporate Computer and Network Security, Copyright 2004 Prentice-Hall
2
The Broader Picture
Laws Governing Hacking and Other Computer Crimes
Consumer Privacy
Employee Workplace Monitoring
Government Surveillance
Cyberwar and Cyberterror
Hardening the Internet Against Attack
3
Figure 12-1: Laws Governing Hacking
U.S. National Laws Title 18, Section 1030
Enabling Legislation
Computer Fraud and Abuse Act of 1986
National Information Infrastructure Protection Act of 1996
Homeland Security Act of 2002
4
Figure 12-1: Laws Governing Hacking
U.S. National Laws Title 18, Section 1030
Prohibitions
Criminalizes intentional access of protected computers without authorization or in excess of authorization (Hacking)
5
Figure 12-1: Laws Governing Hacking
U.S. National Laws Title 18, Section 1030
Prohibitions
Criminalizes knowingly transmitting a program, information, code, or command that intentionally causes damage to a protected computer without authorization (denial-of-service attacks, viruses, and worms)
6
Figure 12-1: Laws Governing Hacking
U.S. National Laws Title 18, Section 1030
Punishment
For first offenses, usually 1-5 years; usually 10 years for second offenses
For theft of sensitive government information, 10 years, with 20 years for repeat offense
For attacks that harm or kill people, up to life in prison
7
Figure 12-1: Laws Governing Hacking
U.S. National Laws: Title 18, Chapters 119 and 121
Electronic Communications Privacy Act of 1986 (ECPA)
Prohibits unauthorized interception of communications in transit (Wiretap Act) and unauthorized access to stored communications after receipt (Stored Communications Act)
Other federal laws for fraud, etc.
8
Figure 12-1: Laws Governing Hacking
U.S. State Laws
Federal law reaches only "protected computers" (government and financial-institution systems, and systems used in interstate or foreign commerce or communication)
State laws for purely intrastate crimes vary widely
9
Figure 12-1: Laws Governing Hacking
Laws Around the World Vary
The general situation: lack of solid laws in many countries
Major virus attacks were not prosecuted in Taiwan and the Philippines for lack of relevant law
10
Figure 12-1: Laws Governing Hacking
Laws Around the World Vary
Convention on Cybercrime of 2001 (the Council of Europe "Cybercrime Treaty")
Signatories must agree to create computer abuse laws and copyright protection
Nations must agree to work together to prosecute attackers
11
The Broader Picture
Laws Governing Hacking and Other Computer Crimes
Consumer Privacy
Employee Workplace Monitoring
Government Surveillance
Cyberwar and Cyberterror
Hardening the Internet Against Attack
12
Figure 12-2: Consumer Privacy
Introduction
Scott McNealy of Sun Microsystems: “You have zero privacy now. Get over it!”
But privacy is strong in European Union countries and many other countries
13
Figure 12-2: Consumer Privacy
Credit Card Fraud and Identity Theft Widespread Concern (Gartner)
One in 20 consumers had suffered credit card number theft in 2002
One in 50 consumers had suffered identity theft in 2002
Only about a fifth of this is online, but online theft is growing the most rapidly
14
Figure 12-2: Consumer Privacy
Credit Card Fraud
“Carders” steal credit card numbers
Many merchants fail to protect credit card numbers stored on their servers
Carders test and sell credit card numbers
Criminals make unauthorized purchases
In the U.S., cardholder liability is capped at $50 if the loss is reported promptly (Fair Credit Billing Act)
Merchants also suffer fraud from carders
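An added example (not from Panko's text) that makes two of the points above concrete in Python: the Luhn checksum carders use to weed out mistyped or fabricated numbers before risking a test purchase, and the difference between a merchant record that stores the full card number and one that keeps only a display mask and a keyed token. The card numbers are standard test numbers and the tokenization key is a placeholder, both constructed for this illustration.

```python
# Added example, not from Panko's text.  Test PANs and a placeholder key.
import hashlib
import hmac

# Constructed sample: common test card numbers, one with a bad check digit.
SAMPLE_CARDS = [
    "4111 1111 1111 1111",  # passes the Luhn check
    "4111 1111 1111 1112",  # last digit corrupted, fails
    "5500 0000 0000 0004",  # passes
]

# Hypothetical per-merchant secret; in production it belongs in an HSM or
# secrets vault, never in source or in the same database as the tokens.
TOKEN_KEY = b"merchant-tokenization-key-example"


def luhn_valid(pan: str) -> bool:
    """Luhn check digit test.  Carders run it to discard mistyped or
    fabricated numbers before attempting a test charge.  It proves nothing
    about whether the account exists or has credit."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def store_insecure(pan: str) -> dict:
    """The failure the slide describes: the full card number sits in the
    order record, so one database dump hands a carder every customer's card."""
    return {"pan": pan}


def store_tokenized(pan: str) -> dict:
    """Keep only what the business needs: the last four digits for display
    and a keyed token for matching repeat orders or chargebacks.  An HMAC
    rather than a bare hash, because the number space behind a known BIN
    is small enough to brute-force an unkeyed hash."""
    digits = "".join(c for c in pan if c.isdigit())
    token = hmac.new(TOKEN_KEY, digits.encode(), hashlib.sha256).hexdigest()
    return {"last4": digits[-4:], "token": token}


def process_batch(cards):
    """Run each card through the check and both storage paths."""
    return [
        {
            "luhn_ok": luhn_valid(pan),
            "insecure": store_insecure(pan),
            "tokenized": store_tokenized(pan),
        }
        for pan in cards
    ]


if __name__ == "__main__":
    for row in process_batch(SAMPLE_CARDS):
        print(row["luhn_ok"], row["insecure"], row["tokenized"])
```

The tokenized record lets the merchant recognize a returning card and show "ending in 1111" to the customer, while a stolen copy of the table yields nothing a carder can charge against; the Luhn check is only a checksum and should never be mistaken for card validation.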
15
Figure 12-2: Consumer Privacy
Identity Theft Fraud
Criminals steal or compile considerable information about a person: name, credit card numbers, date of birth, Social Security number, address, etc.
Impersonate the victim to buy things, get loans, etc.
With credit card fraud, victims find the problem in their next statement; with identity theft, they may not know until much later, when they discover that their credit rating is ruined
16
Figure 12-2: Consumer Privacy
Tracking Customer Behavior
Within a website and sometimes across websites
Some information is especially sensitive (health, political leanings, etc.)
Access to data and analysis tools is revolutionizing the ability to learn about people
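As an added example (not from Panko's slides), the following Python shows the mechanism behind tracking across websites: a tracking pixel served from one third-party domain is embedded on many unrelated sites, so the browser presents the same tracker cookie on each, and the tracker joins visits that no single site could link on its own. The log lines, domains and sensitive-keyword lookup are all constructed for the illustration.

```python
# Added example, not from Panko's slides.  Constructed log, hypothetical domains.
from collections import defaultdict
from urllib.parse import urlparse

# Constructed request log of a tracking pixel served by a hypothetical
# third party (ads.tracker.example) that several unrelated sites embed.
# Fields: tracker cookie id, Referer (the page the pixel was loaded from), time.
TRACKER_LOG = """\
u7f3a https://news.example/politics/election-coverage 2004-03-01T09:02
u7f3a https://shop.example/cart?item=running-shoes 2004-03-01T09:15
b19c0 https://shop.example/cart?item=stroller 2004-03-01T09:16
u7f3a https://health.example/conditions/diabetes/diet 2004-03-01T12:40
b19c0 https://news.example/sports 2004-03-01T13:05
u7f3a https://news.example/politics/election-coverage 2004-03-02T08:58
"""

# Constructed lookup for the categories the slide calls especially sensitive.
SENSITIVE = {"health": "health", "politics": "political leanings"}


def parse_log(text):
    """Yield (cookie, referer_url, timestamp) per line."""
    for line in text.splitlines():
        cookie, url, ts = line.split()
        yield cookie, url, ts


def build_profiles(log_text):
    """Group visits by tracker cookie.  The browser sent the same cookie on
    every site because the pixel is fetched from the tracker's own domain,
    so the tracker can join what each first-party site sees separately."""
    profiles = defaultdict(lambda: {"sites": set(), "visits": [], "sensitive": set()})
    for cookie, url, ts in parse_log(log_text):
        u = urlparse(url)
        page = u.netloc + u.path + ("?" + u.query if u.query else "")
        p = profiles[cookie]
        p["sites"].add(u.netloc)
        p["visits"].append((ts, page))
        for needle, label in SENSITIVE.items():
            if needle in u.netloc or needle in u.path:
                p["sensitive"].add(label)
    return dict(profiles)


def first_party_view(log_text):
    """Contrast: without the shared cookie each site sees only its own hit
    counts and cannot tell that the same visitor was on the other sites."""
    counts = defaultdict(int)
    for _, url, _ in parse_log(log_text):
        counts[urlparse(url).netloc] += 1
    return dict(counts)


if __name__ == "__main__":
    for cookie, p in build_profiles(TRACKER_LOG).items():
        print(cookie, sorted(p["sites"]), sorted(p["sensitive"]))
    print(first_party_view(TRACKER_LOG))
```

The join depends entirely on the shared identifier: refusing third-party cookies (one of the consumer reactions listed later in this chapter) leaves the tracker with the first-party view only, a set of unlinked hit counts.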
17
Figure 12-2: Consumer Privacy
Tracking Customer Behavior
What consumers wish for
Disclosure of policies for
What information will be collected
How the firm collecting the data will use it
Whether and with whom the information will be shared
18
Figure 12-2: Consumer Privacy
Tracking Customer Behavior
What consumers wish for
Ability of the consumer to see and correct inaccurate personal information
Limiting collection and analysis to operational business needs, and keeping those needs narrow
Opt in: No use unless the customer explicitly agrees
19
Figure 12-2: Consumer Privacy
Corporate Responses
Privacy disclosure statements
TRUSTe certifies that corporate privacy behavior is consistent with the company’s stated privacy policy
NOT that the policy is good for consumers
Platform for Privacy Preferences (P3P): standard machine-readable format for privacy policies, so browsers can read them and compare them against the user’s preferences
20
Figure 12-2: Consumer Privacy
Corporate Responses
Federal Trade Commission
Enforces privacy statements
Does not specify what should be in the privacy statement
Imposes fines and requires long-term auditing
21
Figure 12-2: Consumer Privacy
Corporate Responses
Opt out: Customer must take action to stop data collection and sharing
No opt: No way to stop data collection and sharing
Passport and Liberty Alliance: identity management services
Register once, giving personal information
Give it out to merchants selectively
22
Figure 12-2: Consumer Privacy
Consumer Reactions
Checking privacy disclosure statements (rare)
Not accepting cookies (rarer)
Anonymous websurfing services (extremely rare)
23
Figure 12-2: Consumer Privacy
U.S. Privacy Laws
No general law
Health Insurance Portability and Accountability Act (HIPAA) of 1996
Protects the privacy of medical information held by health care providers, health plans, and clearinghouses
Focuses on protected health information (PHI) that identifies a patient
24
Figure 12-2: Consumer Privacy
U.S. Privacy Laws
Gramm-Leach-Bliley Act (GLBA) of 1999
Protects financial data
Allows considerable information sharing
Opt out can stop some information sharing
25
Figure 12-2: Consumer Privacy
U.S. Privacy Laws
Children’s Online Privacy Protection Act of 1998 (COPPA)
Restricts the collection of personal data from children under 13 (verifiable parental consent required)
Applies to child-directed sites and to any site that has actual knowledge a user is under 13. No protection for older children
State privacy laws vary widely
26
Figure 12-2: Consumer Privacy
International Laws
European Union Charter of Fundamental Rights
Right to protection of personal information
Personal information must be processed for specific legitimate purposes
Right to see and correct data
Compliance overseen by independent authority
27
Figure 12-2: Consumer Privacy
International Laws
E.U. Data Protection Directive of 1995
Gives legal force to the privacy protections the Charter recognizes
Opt out with opt in for sensitive information
Access for review and rectification
Independent oversight agency
Data can be sent out of an EU country only to countries with “adequate” protections
28
Figure 12-2: Consumer Privacy
International Laws
Safe harbor
Rules that U.S. firms must agree to follow to get personal data out of Europe
Whether GLBA compliance counts as adequate protection for financial firms is disputed; the E.U. has resisted
29
The Broader Picture
Laws Governing Hacking and Other Computer Crimes
Consumer Privacy
Employee Workplace Monitoring
Government Surveillance
Cyberwar and Cyberterror
Hardening the Internet Against Attack
30
Figure 12-3: Employee Workplace Monitoring
Monitoring Trends
American Management Association survey
E-mail monitoring use grew from 15% to 46% between 1997 and 2001
Internet connections in 2001: 63% monitored
In 2001, 76% had disciplined an employee; 31% had terminated an employee
31
Figure 12-3: Employee Workplace Monitoring
Why Monitor?
Loss of productivity because of personal Internet and e-mail use
Significant personal Internet and e-mail use is occurring
Employees and companies generally agree that a small amount of personal use is acceptable
Biggest concern is abnormally heavy personal use
Some employees are addicted to personal use
32
Figure 12-3: Employee Workplace Monitoring
Why Monitor?
Harassment
Title VII of the Civil Rights Act of 1964: sexual and racial harassment
Pornography, other adult content are fairly common
Monitoring for keywords can reduce pornography and harassment and provide a legal defense
33
Figure 12-3: Employee Workplace Monitoring
Why Monitor?
Viruses and other malware due to unauthorized software
Trade secrets: Both sending and receiving must be stopped
Commercially damaging communication behavior: Can harm reputation, generate lawsuits, and run afoul of stock manipulation laws
34
Figure 12-3: Employee Workplace Monitoring
The Legal Basis for Monitoring
Electronic Communications Privacy Act of 1986
Allows reading of communications by the service provider (here, the firm itself)
Allows reading if the subject consents (made a condition of employment)
Courts have ruled that employees have no reasonable expectation of privacy when using corporate computers
35
Figure 12-3: Employee Workplace Monitoring
The Legal Basis for Monitoring
In United States, at-will employees can be disciplined, dismissed easily
Must not discriminate by selective monitoring of target individual
36
Figure 12-3: Employee Workplace Monitoring
The Legal Basis for Monitoring
Union contracts often limit discipline and require agreement before monitoring
However, new hires usually can be required to submit to monitoring as a condition of employment
In multinational firms, stronger privacy and employment rules might exist
37
Figure 12-3: Employee Workplace Monitoring
Should a Firm Monitor?
Danger of backlash
Are the negative consequences worth the gain?
38
Figure 12-3: Employee Workplace Monitoring
Computer and Internet Use Policy Should Specify the Following
No expectation of privacy
Business use only (or very limited private use)
No unauthorized software
No pornography and harassment
No commercially damaging communication behavior
Punishment for violating the policy
Employee Training in Policy is Crucial
39
The Broader Picture
Laws Governing Hacking and Other Computer Crimes
Consumer Privacy
Employee Workplace Monitoring
Government Surveillance
Cyberwar and Cyberterror
Hardening the Internet Against Attack
40
Figure 12-4: Government Surveillance
U.S. Tradition of Protection from Improper Searches
No explicit right to privacy in the Constitution
Fourth Amendment: No unreasonable searches and seizures
Warrants require probable cause
Warrants must particularly describe the place to be searched and the things to be seized
FBI misuse of data collection during J. Edgar Hoover’s leadership
41
Figure 12-4: Government Surveillance
Telephone Surveillance
Wiretapping
Federal Wiretap Act of 1968 for domestic crimes
Foreign Intelligence Surveillance Act of 1978 (FISA) for international terrorists and agents of foreign governments
Need warrant with probable cause and inability to get information by other means
42
Figure 12-4: Government Surveillance
Telephone Surveillance
Pen registers and trap and trace orders
Pen registers: List of outgoing telephone numbers called
Trap and trace: List of incoming telephone numbers
Not as intrusive as wiretap because content of the call is not captured
43
Figure 12-4: Government Surveillance
Telephone Surveillance
Pen registers and trap and trace orders
Electronic Communications Privacy Act of 1986 authorizes them by court order, not by warrant
The government need only certify that the information is likely to be relevant to an ongoing investigation (a weak standard)
If that certification is made, the judge must issue the order
44
Figure 12-4: Government Surveillance
Telephone Surveillance
Communications Assistance for Law Enforcement Act (CALEA) of 1994
Requires communication providers to install the technology needed to be able to provide data in response to warrants
45
Figure 12-4: Government Surveillance
Telephone Surveillance
Patriot Act of 2001
Extends roving wiretaps to FISA—follow the target across media
Get billing information from telecommunications providers
Get information on library usage
46
Figure 12-4: Government Surveillance
Internet Surveillance
Patriot Act of 2001 extends pen register and trap-and-trace orders to Internet traffic (routing and addressing information)
Same weak relevance standard as for telephone traffic
But much more intrusive: e-mail addresses and URLs, which reveal the content visited, not just who was contacted
47
Figure 12-4: Government Surveillance
Carnivore
FBI packet-monitoring computer installed at the target’s ISP to collect traffic
Filters can be set to capture only what the warrant authorizes
But no audit trails, so no way to verify that collection stayed within the warrant
48
Figure 12-4: Government Surveillance
The Possible Future of Government Surveillance
Intrusive airport security through face scanning
Possible national ID cards
New ability to gather and analyze information from many databases
49
The Broader Picture
Laws Governing Hacking and Other Computer Crimes
Consumer Privacy
Employee Workplace Monitoring
Government Surveillance
Cyberwar and Cyberterror
Hardening the Internet Against Attack
50
Figure 12-5: Cyberwar and Cyberterror
Threats
Attacking the IT infrastructure
Using computers to attack the physical infrastructure (electrical power, sewage, etc.)
Using the Internet to coordinate attacks
51
Figure 12-5: Cyberwar and Cyberterror
Cyberwar
Conducted by governments
Direct damage
Disrupting command and control
Intelligence gathering
Propaganda
Industrial espionage
Integrating cyberwar into war-fighting doctrines
52
Figure 12-5: Cyberwar and Cyberterror
Cyberterrorism
By semi-organized or organized groups
Psychological focus
Indirect economic impacts (for example, losses because of reduced travel after September 11, 2001, terrorist attacks)
Goals are publicity and recruitment
Indiscriminate damage
53
Figure 12-5: Cyberwar and Cyberterror
Cyberterrorism
Hacktivism—politically motivated attacks by unorganized or loosely organized groups
Who is a terrorist? Spectrum from activism to full cyberterror
54
The Broader Picture
Laws Governing Hacking and Other Computer Crimes
Consumer Privacy
Employee Workplace Monitoring
Government Surveillance
Cyberwar and Cyberterror
Hardening the Internet Against Attack
55
Figure 12-5: Cyberwar and Cyberterror
Building a National and International Response Strategy
National governments
Coordinated responses
Intelligence gathering
Research and training
Economic incentives
56
Figure 12-5: Cyberwar and Cyberterror
Building a National and International Response Strategy
Private enterprise
Importance of hardening individual firms
Firms may be required to harden their systems in order to meet their responsibilities
57
Figure 12-5: Cyberwar and Cyberterror
Hardening the Internet
Hardening the underlying telecommunications infrastructure, through decentralization and other methods
International cooperation is needed because attackers operate worldwide
Adding security to dialogs with VPNs
58
Figure 12-5: Cyberwar and Cyberterror
Hardening the Internet
Hardening Internet protocols
IETF is making progress by adding confidentiality, authentication, and other protections to core Internet protocols
The decision to do this is called the Danvers Doctrine
Generally stops short of requiring digital certificates in a public key infrastructure, which would give the strongest authentication
59
Figure 12-5: Cyberwar and Cyberterror
Hardening the Internet
Making the Internet forensic
ISPs might be forced to collect and retain data for long periods of time
ISPs might be forced to do egress filtering to stop attacks at the source
The cost to ISPs would be high
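An added example (not from the slides) of the egress filtering the slide mentions, in the spirit of BCP 38 source-address validation: an ISP forwards an outbound packet only when its source address lies within a prefix the ISP actually assigned to a customer, which stops spoofed-source floods at their origin rather than at the victim. The prefixes and packets below are constructed.

```python
# Added example, not from Panko's slides.  Constructed prefixes and packets.
import ipaddress

# Hypothetical address blocks this ISP has delegated to its customers.
CUSTOMER_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]

# Constructed outbound packets as (source, destination) seen at the ISP's
# upstream border.  Forged sources are how floods are reflected onto a
# victim and how attackers hide where a packet really came from.
OUTBOUND = [
    ("203.0.113.7", "192.0.2.10"),            # legitimate customer
    ("198.51.100.200", "192.0.2.53"),         # legitimate customer
    ("192.0.2.10", "192.0.2.77"),             # spoofed: not an address we assigned
    ("10.0.0.5", "192.0.2.77"),               # spoofed: RFC 1918 address
    ("2001:db8:1::42", "2001:db8:ffff::1"),   # legitimate IPv6 customer
    ("not-an-address", "192.0.2.1"),          # malformed header, dropped
]


def egress_allowed(src: str) -> bool:
    """Forward only if the source address lies inside a prefix the ISP
    actually assigned.  An allow-list subsumes a bogon list: private,
    loopback and other networks' addresses all fail this test."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr.version == net.version and addr in net for net in CUSTOMER_PREFIXES)


def filter_outbound(packets):
    """Split a batch into forwarded and dropped.  The dropped list is kept
    rather than discarded so the offending customer port can be traced and
    the abuse reported; a silent drop leaves nothing for forensics."""
    forwarded, dropped = [], []
    for src, dst in packets:
        (forwarded if egress_allowed(src) else dropped).append((src, dst))
    return forwarded, dropped


if __name__ == "__main__":
    fwd, drop = filter_outbound(OUTBOUND)
    print("forwarded:", fwd)
    print("dropped:", drop)
```

The cost the slide refers to is visible here: the check runs on every outbound packet and is only as good as the ISP's prefix list, so a stale or over-broad list either blocks paying customers or lets spoofed traffic through.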
60
Topics Covered
Laws Governing Hacking and Other Computer Crimes
U.S. National Laws
Title 18, Section 1030 for hacking, DoS, and viruses—only for “protected” computers
Title 18, Chapters 119 and 121 (ECPA) prohibit reading information in transit and in storage after receipt
State laws for other computers vary widely
61
Topics Covered
Laws Governing Hacking and Other Computer Crimes
Laws Around the World Vary
The general situation: lack of solid laws in many countries
Cybercrime Treaty of 2001 requires signatories to create laws, cooperate in enforcement
62
Topics Covered
Consumer Privacy
Consumer Privacy Concerns
Credit card fraud: steal and use credit card numbers
Identity theft: impersonate individual to take out loans, etc.
Sensitive personal information (medical records, etc.)
Tracking during website visits
63
Topics Covered
Consumer Privacy
Consumers want disclosure of policies for what information is collected and how it is used and shared
Opting
Opt in
Opt out
No opt
64
Topics Covered
Consumer Privacy
Corporate Responses
Privacy disclosure statements
Federal Trade Commission enforces privacy disclosure statements but does not specify what is in them
Consumer Responses
Rarely check privacy disclosure statements; even more rarely refuse cookies or do anonymous surfing
65
Topics Covered
Consumer Privacy
U.S. Privacy Laws
No explicit privacy protection in the U.S. Constitution
No general privacy law
HIPAA for medical information
Gramm-Leach-Bliley Act (GLBA) for financial information
Children’s Online Privacy Protection Act of 1998 for data collected from children under 13
State laws vary widely
66
Topics Covered
Consumer Privacy European Union
European Union Charter of Fundamental Rights guarantees privacy protections
E.U. Data Protection Directive of 1995 implements these protections
U.S. compliance through Safe Harbor behavior
In rest of the world, varies widely
67
Topics Covered
Employee Workplace Monitoring
Widespread Internet workplace monitoring and job actions as a result of infractions
Why monitor?
Loss of productivity
To stop harassment, guard against lawsuits
Stop viruses and worms
Prevent leakage of trade secrets and commercially damaging communication
68
Topics Covered
Employee Workplace Monitoring
Legal Basis for Monitoring
Electronic Communications Privacy Act of 1986
Can monitor own network, especially if the employee signs an acceptance
Also, courts have ruled that employees have no reasonable expectation of privacy when using corporate computers
69
Topics Covered
Employee Workplace Monitoring
In the United States, at-will employees can be disciplined and dismissed easily
Unions may restrict this, but hiring contracts can require new hires to accept monitoring
Multinational companies may have to follow stricter privacy and employment rules abroad
70
Topics Covered
Employee Workplace Monitoring
Should a firm monitor?
Danger of backlash
Need clear computer and Internet use policy
Need strong employee training
71
Topics Covered
Government Surveillance
U.S. Tradition of Protection from Improper Searches
No explicit right to privacy in the Constitution
Fourth Amendment: Searches and seizures only for probable cause
Wiretapping
Federal Wiretap Act of 1968 for domestic crimes
Foreign Intelligence Surveillance Act of 1978 (FISA)
Need warrant with probable cause
72
Topics Covered
Government Surveillance
Pen registers and trap and trace orders
Pen registers: List of outgoing telephone numbers called
Trap and trace: List of incoming telephone numbers
Less intrusive than wiretaps, so a weaker justification is accepted
Communications Assistance for Law Enforcement Act (CALEA) of 1994
Requires communication providers to install the technology needed to provide data in response to warrants
73
Topics Covered
Government Surveillance
Patriot Act of 2001 extends information collection, including to library usage
Extends trap and trace and pen registers to Internet traffic
More intrusive than telephone trap and trace (URLs reveal the content visited)
74
Topics Covered
Government Surveillance
The Possible Future of Government Surveillance
Intrusive airport security through face scanning
Possible national ID cards
New ability to gather and analyze information from many databases
75
Topics Covered
Cyberwar and Cyberterror
Threats
Attacking the IT infrastructure
Using computers to attack the physical infrastructure (electrical power, sewage, etc.)
Using the Internet to coordinate attacks
Cyberwar is conducted by governments
Cyberterror is conducted by organized terrorists, hacktivist groups, and even individuals