1 The Broader Picture Chapter 12 Panko, Corporate Computer and Network Security Copyright 2004 Prentice-Hall

Upload: willa-jackson

Post on 17-Dec-2015


1

The Broader Picture

Chapter 12

Panko, Corporate Computer and Network Security, Copyright 2004 Prentice-Hall

2

The Broader Picture

Laws Governing Hacking and Other Computer Crimes

Consumer Privacy

Employee Workplace Monitoring

Government Surveillance

Cyberwar and Cyberterror

Hardening the Internet Against Attack

3

Figure 12-1: Laws Governing Hacking

U.S. National Laws Title 18, Section 1030

Enabling Legislation

Computer Fraud and Abuse Act of 1986

National Information Infrastructure Protection Act of 1996

Homeland Security Act of 2002

4

Figure 12-1: Laws Governing Hacking

U.S. National Laws Title 18, Section 1030

Prohibitions

Criminalizes intentional access of protected computers without authorization or in excess of authorization (Hacking)

5

Figure 12-1: Laws Governing Hacking

U.S. National Laws Title 18, Section 1030

Prohibitions

Criminalizes the transmission of a program, information, code, or command that intentionally causes damage without authorization of a protected computer (Denial-of-Service and Viruses)

6

Figure 12-1: Laws Governing Hacking

U.S. National Laws Title 18, Section 1030

Punishment

For first offenses, usually 1-5 years; usually 10 years for second offenses

For theft of sensitive government information, 10 years, with 20 years for repeat offense

For attacks that harm or kill people, up to life in prison

7

Figure 12-1: Laws Governing Hacking

U.S. National Laws Title 47

Electronic Communications Privacy Act of 1986 (ECPA)

Prohibits the reading of information in transit and in storage after receipt

Other federal laws for fraud, etc.

8

Figure 12-1: Laws Governing Hacking

U.S. State Laws

Federal laws only protect some computers

State laws for purely intrastate crimes vary widely

9

Figure 12-1: Laws Governing Hacking

Laws Around the World Vary

The general situation: lack of solid laws in many countries

Major virus attacks were not prosecuted in Taiwan and the Philippines for lack of relevant law

10

Figure 12-1: Laws Governing Hacking

Laws Around the World Vary

Cybercrime Treaty of 2001

Signatories must agree to create computer abuse laws and copyright protection

Nations must agree to work together to prosecute attackers

11

The Broader Picture

Laws Governing Hacking and Other Computer Crimes

Consumer Privacy

Employee Workplace Monitoring

Government Surveillance

Cyberwar and Cyberterror

Hardening the Internet Against Attack

12

Figure 12-2: Consumer Privacy

Introduction

Scott McNealy of Sun Microsystems: “You have zero privacy now. Get over it!”

But privacy is strong in European Union countries and many other countries

13

Figure 12-2: Consumer Privacy

Credit Card Fraud and Identity Theft Widespread Concern (Gartner)

One in 20 consumers had suffered credit card number theft in 2002

One in 50 consumers had suffered identity theft in 2002

Only about a fifth of this is online, but online theft is growing the most rapidly

14

Figure 12-2: Consumer Privacy

Credit Card Fraud

“Carders” steal credit card numbers

Many merchants fail to protect credit card numbers stored on their servers

Carders test and sell credit card numbers

Criminals make unauthorized purchases

In the U.S., the consumer's loss is limited to $50 if the theft is reported promptly

Merchants also suffer fraud from carders

15

Figure 12-2: Consumer Privacy

Identity Theft Fraud

Criminals steal or compile considerable information about a person—name, credit card numbers, date of birth, social security number, address, etc.

Impersonate the victim to buy things, get loans, etc.

With credit card fraud, victims find a problem in their next statement; but with identity theft, they may not know until they discover much later that their credit rating is ruined

16

Figure 12-2: Consumer Privacy

Tracking Customer Behavior

Within a website and sometimes across websites

Some information is especially sensitive (health, political leanings, etc.)

Access to data and analysis tools is revolutionizing the ability to learn about people

17

Figure 12-2: Consumer Privacy

Tracking Customer Behavior

What consumers wish for

Disclosure of policies for

What information will be collected?

How will this information be used by the firm collecting the data?

Whether and with whom the information will be shared

18

Figure 12-2: Consumer Privacy

Tracking Customer Behavior

What consumers wish for

Ability of consumer to see and correct inaccurate personal information

Limiting collection and analysis to operational business needs

Limiting these needs

Opt in: No use unless customer explicitly agrees

19

Figure 12-2: Consumer Privacy

Corporate Responses

Privacy disclosure statements

TRUSTe certifies that corporate privacy behavior is consistent with the company’s stated privacy policy

NOT that the policy is good for consumers

Platform for Privacy Preferences (P3P): standard format for searches of policy statements

20

Figure 12-2: Consumer Privacy

Corporate Responses

Federal Trade Commission

Enforces privacy statements

Does not specify what should be in the privacy statement

Imposes fines and requires long-term auditing

21

Figure 12-2: Consumer Privacy

Corporate Responses

Opt out: Customer must take action to stop data collection and sharing

No opt: No way to stop data collection and sharing

Passport and Liberty Alliance: identity management services

Register once, giving personal information

Give out to merchants selectively

22

Figure 12-2: Consumer Privacy

Consumer Reactions

Checking privacy disclosure statements (rare)

Not accepting cookies (rarer)

Anonymous websurfing services (extremely rare)

23

Figure 12-2: Consumer Privacy

U.S. Privacy Laws

No general law

Health Insurance Portability and Accountability Act (HIPAA) of 1996

Protects privacy in hospitals and health organizations

Focuses on protected information that identifies a patient

24

Figure 12-2: Consumer Privacy

U.S. Privacy Laws

Gramm-Leach-Bliley Act (GLBA) of 1999

Protects financial data

Allows considerable information sharing

Opt out can stop some information sharing

25

Figure 12-2: Consumer Privacy

U.S. Privacy Laws

Children’s Online Privacy Protection Act of 1998

Protects the collection of personal data from children under 13

Applies in child-oriented sites and any site that suspects a user is under 13. No protection for older children

State privacy laws vary widely

26

Figure 12-2: Consumer Privacy

International Laws

European Union Charter of Fundamental Rights

Right to protection of personal information

Personal information must be processed for specific legitimate purposes

Right to see and correct data

Compliance overseen by independent authority

27

Figure 12-2: Consumer Privacy

International Laws

E.U. Data Protection Directive of 1995

Implements Charter privacy protections

Opt out with opt in for sensitive information

Access for review and rectification

Independent oversight agency

Data can be sent out of an EU country only to countries with “adequate” protections

28

Figure 12-2: Consumer Privacy

International Laws

Safe harbor

Rules that U.S. firms must agree to follow to get personal data out of Europe

Are GLBA rules to be considered adequate protection for the financial industry? The E.U. is resisting.

29

The Broader Picture

Laws Governing Hacking and Other Computer Crimes

Consumer Privacy

Employee Workplace Monitoring

Government Surveillance

Cyberwar and Cyberterror

Hardening the Internet Against Attack

30

Figure 12-3: Employee Workplace Monitoring

Monitoring Trends

American Management Association survey

E-mail monitoring use grew from 15% to 46% between 1997 and 2001

Internet connections in 2001: 63% monitored

In 2001, 76% had disciplined an employee; 31% had terminated an employee

31

Figure 12-3: Employee Workplace Monitoring

Why Monitor?

Loss of productivity because of personal Internet and e-mail use

Significant personal Internet and e-mail use is occurring

Employees and companies generally agree that a small amount of personal use is acceptable

Biggest concern is abnormally heavy personal use

Some employees are addicted to personal use

32

Figure 12-3: Employee Workplace Monitoring

Why Monitor?

Harassment

Title VII of the Civil Rights Act of 1964: sexual and racial harassment

Pornography, other adult content are fairly common

Monitoring for keywords can reduce pornography and harassment and provide a legal defense
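Keyword monitoring of the kind the slide describes is only as good as its matching rule. The example below is added here and is not from Panko's book; the watchlist words and the four message bodies are constructed stand-ins. It contrasts plain substring matching, which flags the harmless message 1 because "ass" occurs inside "class" and "assessment", with whole-word matching, and shows that message 3 ("Kill the build process") is flagged by both, so a keyword hit is a trigger for human review, not by itself a finding of harassment.

```python
import re

# Constructed watchlist: stand-ins for the terms a firm would actually list.
WATCHLIST = ["ass", "xxx", "kill"]

# Constructed sample e-mail bodies, keyed by a message id.
SAMPLE_MESSAGES = [
    (1, "Please finish the class assessment by Friday."),
    (2, "Check out these xxx videos I found."),
    (3, "Kill the build process before redeploying."),
    (4, "Agenda for Monday's planning meeting."),
]


def naive_hits(text, watchlist=WATCHLIST):
    """Case-insensitive substring match.

    Flags any message whose text merely contains a watchlist term, so
    'ass' matches inside 'class' and 'assessment' (a false positive).
    """
    lowered = text.lower()
    return {word for word in watchlist if word in lowered}


def boundary_hits(text, watchlist=WATCHLIST):
    """Case-insensitive whole-word match using \\b word boundaries.

    Terms embedded in longer words no longer match; message 1 is clean.
    """
    return {
        word
        for word in watchlist
        if re.search(r"\b" + re.escape(word) + r"\b", text, re.IGNORECASE)
    }


def scan_messages(messages, matcher=boundary_hits):
    """Run a matcher over (id, body) pairs.

    Returns [(id, sorted hits)] only for messages with at least one hit;
    these are the messages that would go to a reviewer.
    """
    flagged = []
    for message_id, body in messages:
        hits = matcher(body)
        if hits:
            flagged.append((message_id, sorted(hits)))
    return flagged


if __name__ == "__main__":
    print("substring matching:", scan_messages(SAMPLE_MESSAGES, naive_hits))
    print("whole-word matching:", scan_messages(SAMPLE_MESSAGES, boundary_hits))
```

Whole-word matching removes the most obvious false positives, but message 3 shows that even a clean match on "kill" can be ordinary technical language; the output of a scanner like this should feed a review queue under the firm's written use policy rather than trigger discipline automatically.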

33

Figure 12-3: Employee Workplace Monitoring

Why Monitor?

Viruses and other malware due to unauthorized software

Trade secrets: Both sending and receiving must be stopped

Commercially damaging communication behavior: Can harm reputation, generate lawsuits, and run afoul of stock manipulation laws

34

Figure 12-3: Employee Workplace Monitoring

The Legal Basis for Monitoring

Electronic Communications Privacy Act of 1986

Allows reading of communications by service provider (firm)

Allows reading if the subject agrees (can be made a condition of employment)

Courts have ruled that employee has no right to privacy when using corporate computers

35

Figure 12-3: Employee Workplace Monitoring

The Legal Basis for Monitoring

In the United States, at-will employees can be disciplined or dismissed easily

Must not discriminate by selective monitoring of target individual

36

Figure 12-3: Employee Workplace Monitoring

The Legal Basis for Monitoring

Unions often limit discipline and agreements to be monitored

However, new hires usually can be required to submit to monitoring as a condition of employment

In multinational firms, stronger privacy and employment rules might exist

37

Figure 12-3: Employee Workplace Monitoring

Should a Firm Monitor?

Danger of backlash

Are the negative consequences worth the gain?

38

Figure 12-3: Employee Workplace Monitoring

Computer and Internet Use Policy Should Specify the Following

No expectation of privacy

Business use only (or very limited private use)

No unauthorized software

No pornography and harassment

Damaging communication behavior

Punishment for violating the policy

Employee Training in Policy is Crucial

39

The Broader Picture

Laws Governing Hacking and Other Computer Crimes

Consumer Privacy

Employee Workplace Monitoring

Government Surveillance

Cyberwar and Cyberterror

Hardening the Internet Against Attack

40

Figure 12-4: Government Surveillance

U.S. Tradition of Protection from Improper Searches

No privacy protection in Constitution

Fourth Amendment: No unreasonable searches and seizures

Can search only with probable cause

Can only search specific things

FBI misuse of data collection during Hoover’s leadership

41

Figure 12-4: Government Surveillance

Telephone Surveillance

Wiretapping

Federal Wiretap Act of 1968 for domestic crimes

Foreign Intelligence Surveillance Act of 1978 (FISA) for international terrorists and agents of foreign governments

Need a warrant showing probable cause and an inability to get the information by other means

42

Figure 12-4: Government Surveillance

Telephone Surveillance

Pen registers and trap and trace orders

Pen registers: List of outgoing telephone numbers called

Trap and trace: List of incoming telephone numbers

Not as intrusive as wiretap because content of the call is not captured

43

Figure 12-4: Government Surveillance

Telephone Surveillance

Pen registers and trap and trace orders

Electronic Communications Privacy Act of 1986 allows

Must only show that the information to be collected is likely to be relevant to an ongoing investigation (a weak standard)

Judge cannot turn down warrant

44

Figure 12-4: Government Surveillance

Telephone Surveillance

Communications Assistance for Law Enforcement Act (CALEA) of 1994

Requires communication providers to install the technology needed to be able to provide data in response to warrants

45

Figure 12-4: Government Surveillance

Telephone Surveillance

Patriot Act of 2001

Extends roving wiretaps to FISA—follow the target across media

Get billing information from telecommunications providers

Get information on library usage

46

Figure 12-4: Government Surveillance

Internet Surveillance

Extends pen register and trap and trace to Internet traffic

Same weak justification as for telephone traffic

But much more intrusive: e-mail addresses, URLs (which reveal the content visited), etc.

47

Figure 12-4: Government Surveillance

Carnivore

Monitoring computer placed at ISP

FBI installs Carnivore computer, collects information

Can limit filtering to restrictions of warrant

No accountability through audit trails

48

Figure 12-4: Government Surveillance

The Possible Future of Government Surveillance

Intrusive airport security through face scanning

Possible national ID cards

New ability to gather and analyze information from many databases

49

The Broader Picture

Laws Governing Hacking and Other Computer Crimes

Consumer Privacy

Employee Workplace Monitoring

Government Surveillance

Cyberwar and Cyberterror

Hardening the Internet Against Attack

50

Figure 12-5: Cyberwar and Cyberterror

Threats

Attacking the IT infrastructure

Using computers to attack the physical infrastructure (electrical power, sewage, etc.)

Using the Internet to coordinate attacks

51

Figure 12-5: Cyberwar and Cyberterror

Cyberwar

Conducted by governments

Direct damage

Disrupting command and control

Intelligence gathering

Propaganda

Industrial espionage

Integrating cyberwar into war-fighting doctrines

52

Figure 12-5: Cyberwar and Cyberterror

Cyberterrorism

By semi-organized or organized groups

Psychological focus

Indirect economic impacts (for example, losses because of reduced travel after September 11, 2001, terrorist attacks)

Goals are publicity and recruitment

Indiscriminate damage

53

Figure 12-5: Cyberwar and Cyberterror

Cyberterrorism

Hacktivism—politically motivated attacks by unorganized or loosely organized groups

Who is a terrorist? Spectrum from activism to full cyberterror

54

The Broader Picture

Laws Governing Hacking and Other Computer Crimes

Consumer Privacy

Employee Workplace Monitoring

Government Surveillance

Cyberwar and Cyberterror

Hardening the Internet Against Attack

55

Figure 12-5: Cyberwar and Cyberterror

Building a National and International Response Strategy

National governments

Coordinated responses

Intelligence gathering

Research and training

Economic incentives

56

Figure 12-5: Cyberwar and Cyberterror

Building a National and International Response Strategy

Private enterprise

Importance of hardening individual firms

Requiring hardening to meet responsibilities

57

Figure 12-5: Cyberwar and Cyberterror

Hardening the Internet

Hardening the telecommunications infrastructure with decentralization and other methods

International cooperation is needed because of worldwide attackers

Hardening the underlying telecommunications system

Adding security to dialogs with VPNs

58

Figure 12-5: Cyberwar and Cyberterror

Hardening the Internet

Hardening Internet protocols

IETF is making progress by adding confidentiality, authentication, and other protections to core Internet protocols

The decision to do this is called the Danvers Doctrine

Generally not using digital certificates in a public key infrastructure, which would give the strongest authentication

59

Figure 12-5: Cyberwar and Cyberterror

Hardening the Internet

Making the Internet forensic

ISPs might be forced to collect and retain data for long periods of time

ISPs might be forced to do egress filtering to stop attacks at the source

The cost to ISPs would be high
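The egress filtering the slide refers to stops an attack at its source by refusing to forward packets whose source address does not belong to the ISP's own customer address space (the anti-spoofing check described in BCP 38). The following example is added here and is not from Panko's book; the two customer prefixes and the packet list are constructed, and an address that does not parse is treated as a drop rather than forwarded.

```python
import ipaddress

# Constructed: address blocks assumed to be assigned to this ISP's customers.
CUSTOMER_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed sample packets as (source, destination) pairs leaving the ISP.
SAMPLE_PACKETS = [
    ("203.0.113.7", "192.0.2.10"),      # legitimate customer source
    ("198.51.100.200", "192.0.2.10"),   # legitimate customer source
    ("192.0.2.99", "192.0.2.10"),       # source outside ISP space: spoofed
    ("10.0.0.5", "192.0.2.10"),         # private source: never valid on egress
    ("not-an-address", "192.0.2.10"),   # malformed source: drop, do not guess
]


def is_spoofed_source(src_ip, prefixes=CUSTOMER_PREFIXES):
    """True if src_ip is not inside any prefix the ISP is responsible for.

    A source that does not parse at all is reported as spoofed, so the
    filter fails closed rather than forwarding garbage.
    """
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return True
    return not any(addr in prefix for prefix in prefixes)


def egress_filter(packets, prefixes=CUSTOMER_PREFIXES):
    """Split packets into those forwarded and those dropped at the ISP edge.

    Returns (forwarded, dropped), each a list of (src, dst) pairs in the
    original order, so the dropped list doubles as a log of spoof attempts.
    """
    forwarded, dropped = [], []
    for src, dst in packets:
        if is_spoofed_source(src, prefixes):
            dropped.append((src, dst))
        else:
            forwarded.append((src, dst))
    return forwarded, dropped


if __name__ == "__main__":
    ok, bad = egress_filter(SAMPLE_PACKETS)
    print("forwarded:", ok)
    print("dropped (spoofed source):", bad)
```

The dropped list is what makes the filter "forensic" in the slide's sense: logging it gives the ISP a record of which customer ports emitted spoofed traffic, which is the data the slide says ISPs might be required to retain.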

60

Topics Covered

Laws Governing Hacking and Other Computer Crimes

U.S. National Laws

Title 18, Section 1030 for hacking, DoS, and viruses—only for “protected” computers

Title 47: Prohibits the reading of information in transit and in storage after receipt

State laws for other computers vary widely

61

Topics Covered

Laws Governing Hacking and Other Computer Crimes

Laws Around the World Vary

The general situation: lack of solid laws in many countries

Cybercrime Treaty of 2001 requires signatories to create laws, cooperate in enforcement

62

Topics Covered

Consumer Privacy

Consumer Privacy Concerns

Credit card fraud: steal and use credit card numbers

Identity theft: impersonate individual to take out loans, etc.

Sensitive personal information (medical records, etc.)

Tracking during website visits

63

Topics Covered

Consumer Privacy

Consumers want disclosure of policies for what information is collected and how it is used and shared

Opting: opt in, opt out, no opt

64

Topics Covered

Consumer Privacy

Corporate Responses

Privacy disclosure statements

Federal Trade Commission enforces privacy disclosure statements but does not specify what is in them

Consumer Responses

Rarely check privacy disclosure statements; even more rarely refuse cookies or do anonymous surfing

65

Topics Covered

Consumer Privacy

U.S. Privacy Laws

No privacy protection in U.S. Constitution

No general privacy law

HIPAA for medical information

Gramm-Leach-Bliley Act (GLBA) for financial information

Children’s Online Privacy Protection Act of 1998 (courts have denied enforcement)

State laws vary widely

66

Topics Covered

Consumer Privacy

European Union

European Union Charter of Fundamental Rights guarantees privacy protections

E.U. Data Protection Directive of 1995 implements these protections

U.S. compliance through Safe Harbor behavior

In rest of the world, varies widely

67

Topics Covered

Employee Workplace Monitoring

Widespread Internet workplace monitoring and job actions as a result of infractions

Why monitor?

Loss of productivity

To stop harassment, guard against lawsuits

Stop viruses and worms

Prevent leakage of trade secrets, commercially damaging communication

68

Topics Covered

Employee Workplace Monitoring

Legal Basis for Monitoring

Electronic Communications Privacy Act of 1986

Can monitor own network, especially if employee signs acceptance

Also, courts have ruled that employee has no right to privacy when using corporate computers

69

Topics Covered

Employee Workplace Monitoring

In the United States, at-will employees can be disciplined or dismissed easily

Unions may restrict this, but hiring contracts can limit union actions

Multinational companies may have to follow international standards for discipline, which are frequently stricter

70

Topics Covered

Employee Workplace Monitoring

Should a firm monitor?

Danger of backlash

Need clear computer and Internet use policy

Need strong employee training

71

Topics Covered

Government Surveillance

U.S. Tradition of Protection from Improper Searches

No privacy protection in Constitution

Fourth Amendment: Searches and seizures only for probable cause

Wiretapping

Federal Wiretap Act of 1968 for domestic crimes

Foreign Intelligence Surveillance Act of 1978 (FISA)

Need warrant with probable cause

72

Topics Covered

Government Surveillance

Pen registers and trap and trace orders

Pen registers: List of outgoing telephone numbers called

Trap and trace: List of incoming telephone numbers

Less intrusive than wiretaps, so weaker justification is OK

Communications Assistance for Law Enforcement Act (CALEA) of 1994

Requires communication providers to install the technology needed to be able to provide data in response to warrants

73

Topics Covered

Government Surveillance

Patriot Act of 2001 extends information collection, including to library usage

Extends trap and trace and pen registers to Internet traffic

More intrusive than telephone trap and trace (URLs give content visited)


74

Topics Covered

Government Surveillance

The Possible Future of Government Surveillance

Intrusive airport security through face scanning

Possible national ID cards

New ability to gather and analyze information from many databases

75

Topics Covered

Cyberwar and Cyberterror

Threats

Attacking the IT infrastructure

Using computers to attack the physical infrastructure (electrical power, sewage, etc.)

Using the Internet to coordinate attacks

Cyberwar is conducted by governments

Cyberterror is conducted by organized terrorists, hacktivist groups, and even individuals

76

Topics Covered

Hardening the Internet Against Attack

Building a National and International Response Strategy

Not happening

Hardening the telecommunications infrastructure

Hardening Internet protocols (Danvers Doctrine)

Requiring ISPs to collect forensic data and stop attacks at ingress