Policy and Legislation (Slides from Aaron Rhys Shelmire)

Post on 20-Dec-2015


Page 1: Policy and Legislation (Slides from Aaron Rhys Shelmire)

Policy and Legislation

(Slides from Aaron Rhys Shelmire)


Uniform Trade Secrets Act (UTSA)

• Secret must generate or have the potential to generate income

• Steps are taken to keep it secret

• Enacted by states (48 and D.C.)


Computer Fraud and Abuse Act

• prohibits access to protected computers without authorization

• Prohibits exceeding authorization levels granted

Electronic Communications Privacy Act (ECPA)

• Prohibits the unauthorized and unjustified interception, disclosure, or use of communications, including electronic communications

• Title I - The Wiretap Act

• Title II - The Stored Communications Act

• Pen and Trace and Trap Statute


ECPA - Wiretap Act (1)

• Prohibits intentional or attempted interception of a wire, oral, or electronic communication, as well as the disclosure of that information

• Certain exceptions made:

– Interceptions by service providers acting within the ordinary scope of their business, as necessary for rendering their services or protecting the service provider's rights or property

– Interceptions authorized by court order or other lawful authority


ECPA - Wiretap Act (2)

– interceptions made by a party involved in the communication

– interceptions made with the consent of one party to the communication

• in some states it must be both parties


ECPA - Wiretap Act (3)

– Interceptions of a computer trespasser's communications made to, through, or from a protected computer, if the owner authorized the interception, the interception is part of an investigation, and the contents of the communications are reasonably believed to be relevant to the investigation


ECPA - Stored Communications Act

• The Wiretap Act does not cover communications in storage (e.g. websites and email)

• Imposes criminal and civil liability for the intentional, unauthorized access to an electronic communication service facility to obtain, alter, or prevent authorized access to a stored wire or electronic communication


ECPA - Pen and Trace and Trap Statute

• No person may install or use a pen register or a trap and trace device without first obtaining a court order

• Exceptions:

– Service provider

– Verification of service

– Consent

• An ISP can disclose non-content information (originator, receiver, dates, times, Layer-4 and below, et cetera), except to the government

• Government needs a warrant, a subpoena, or the consent of the subscriber


Federal Rules of Evidence (1)

• Hearsay

– A statement other than one made by the defendant while testifying, offered as evidence

• Computer-generated records

– Output of computer programs untouched by human hands

• Computer-stored records

– Output generated by a person and stored on a computer

– Exception:

• Records of regularly conducted activity

– If it is defined in POLICY


Federal Rules of Evidence (2)

• Authentication of evidence

– Achieved by the collector of that evidence testifying to its authenticity

• Best Evidence Rule:

– If data are stored in a computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an "original"


4th Amendment

• Protects against unreasonable search by the government

• Does not protect against search from private individuals or companies

• Courts have ruled that a disk is akin to a “closed container” and that individuals expect similar privacy


5th Amendment

• “No person shall be compelled in any criminal case to be a witness against himself”

• Extends to cryptographic keys

• Don’t have to give up “memorized keys”

Sarbanes-Oxley (1)

• Chief executives of publicly traded companies must validate financial statements and other information

• CEOs and CFOs must affirm that their companies have proper "internal controls"

– IT systems keep control of everything

– IT systems must be secure to ensure proper "internal controls"

– Internally developed systems must be developed securely

Sarbanes-Oxley (2)

• Secure Identity Management

• Identity Provisioning

• Policy-based access control

• Strong authentication

• Data Protection & Integrity

But it doesn’t say how.


HIPAA (1)

• Health Insurance Portability and Accountability Act

• Applies to doctors, health-care providers, pharmacists, et cetera.

• Established in part to prevent unauthorized use and disclosure of Protected Health Information (PHI)

HIPAA (2)

• Part 160: General Administrative Requirements

• Part 162: Administrative Requirements

• Part 164: Security And Privacy Rules

HIPAA (3)

• Privacy rule: the right of an individual to control the use of personal information.

• Security rule: administrative, technical and physical safeguards specifically as they relate to electronic PHI (ePHI), the protection of ePHI data from unauthorized access, whether external or internal, stored or in transit.

• Implement policies and procedures

– Protect, prevent, detect, and contain incidents

– Risk analysis

– Risk management

– Sanctions against violators

• Assign Security Responsibility

HIPAA (4)

• Methods to authorize access

• Methods to record the establishment of access and modification of information

• Security awareness and training

– Security reminders

– Log-in monitoring

– Password management

• Transmission security

– Integrity controls

– Encryption/decryption

HIPAA (5)

• Security incident procedures

– Must respond and report/document

• Contingency plan

– Data backup plan

– Disaster recovery plan

– Emergency mode operation plan

– Testing and revision procedures

– Applications and data criticality analysis

• Periodic evaluation

HIPAA (6)

• Technical specifications

– Unique user identification

– Emergency access procedure

– Automatic logoff

– Encryption

– Audit controls

– Integrity

• Mechanism to authenticate that electronic protected health information (ePHI) has not been altered


Fair and Accurate Credit Transactions (FACT) Act of 2003

• Extends Fair Credit Reporting Act of 1970 to provide protections from fraud and identity theft

• Merchants and credit agencies must have secure systems to handle consumer fraud complaints and protect sensitive information (credit cards) from unauthorized disclosure.


FACT

• Applies to more than consumer organizations

• Companies that use credit reports to screen new hires


Data Accountability and Trust Act (DATA)

• Requires organizations to inform those whose data are "acquired by an unauthorized person" in the event of a data breach "if there is a reasonable basis to conclude that there is a significant risk of identity theft."

• Passed House Energy and Commerce Committee

DATA

• Federal Trade Commission enforces DATA

• Requires data brokers to establish security policies

• Requires audits by the FTC of organizations that experience security breaches

• Similar to California's SB 1386

• Does not require disclosure if data is encrypted

Cyber Security Research and Development Act

• H.R. 3394 – "To authorize funding for computer and network security research and development and research fellowship programs, and other purposes"

Network Neutrality (1)

• Michael Powell stated consumers are entitled to 4 freedoms…

– Access to the lawful Internet content of their choice

– Entitled to run applications and services of their choice, subject to the needs of law enforcement (i.e. wiretapping)

– Connect their choice of legal devices that do not harm the network

– Entitled to competition among network providers, application and service providers, and content providers

Network Neutrality (2)

• Various amendments to the Telecom Act passed to solidify those concepts

• Exceptions to allow providers to discriminate for security purposes, or offer specialized services such as "broadband video" service

• Tiering not addressed

• What does this have to do with Information Assurance?

Liability (1)

• Company A sells a car knowing that the back seat was often engulfed in flames after a rear-end collision

• A person dies

• Company A is liable

Liability (2)

• Company B sells software. They know of a critical flaw in their software, and even have a patch for this flaw, but refuse to release it until fix-it-Friday. Your system is compromised through this flaw, and you lose $3.2 million. What do you do?

Liability (3)

• In a test of major antivirus programs conducted by Brazil's CERT, the very best antivirus programs detected only 88 percent of the known keyloggers.

• In the U.S., victims of fraudulent money transfers are typically limited to $50 in liability under the Federal Reserve's Regulation E, so long as they report the crime quickly enough — within two days. If they report it within 60 days, their liability is capped at $500.

The Lopez Case

• Joe Lopez, the owner of a small computer supply company in Miami, sued Bank of America after cybercrooks were able to use a keylogging Trojan planted on his business computers to swipe bank account information and transfer $90,000 to Latvia.

• Bank of America says it does not need to cover the loss because Mr. Lopez was a business customer — and because it is not the bank's fault that he did not practice good computer hygiene. Mr. Lopez claims he did, and that in any case, Bank of America should have done more to warn him of the risks of computer crime.


RaboDirect

• “Ireland's online bank RaboDirect has become the first bank in the country to offer its customers a security guarantee; customers are guaranteed they will not lose any money in the event of online theft. RaboDirect customers will have a token that generates a one-time use passcode to be used in their two-factor authentication scheme.” - SANS newsbites Vol. 8 Issue 29


Insurance

• Buy a safe, you have insurance up to $10,000

• Power supply insurance up to $3,000

• Buy commercial database software, insurance that my data is safe within it.


Cell phone records debacle

• Pretexting - pretending to be a user to obtain phone records

• Consumer Phone Records Act

– Passed the House

– Illegal to acquire, use, or sell a person's confidential phone records without that person's written consent


Cookies?

• Only investigators are allowed to tap your phone, why are companies allowed to tap my web browsing?

• Does government have a right to that data?

• Google and the 2035 cookie?

– Gmail account + Google search = tracked web search

Cyber Law Enforcement

• Increased investment in law enforcement

• Cross-border cooperation among investigators, who are overwhelmed by the global nature of cybercrime

• "There are more criminals on the Internet street than policemen"

Internet police?

• A kid in Sweden commits a hacking crime and gets off with community service

• Need some way to fix this

• Put the Internet into UN or some other international hands, no longer DARPA


Cybersecurity

• “By exploiting vulnerabilities in our cyber systems, an organized attack may endanger the security of our Nation’s critical infrastructure” - Cyberspace Strategy, page xi