Chapter 10. Law, Investigations, and Ethics

Terms you'll need to understand:

  • Data diddling

  • Spoofing

  • Social engineering

  • United Nations Commission on International Trade Law (UNCITRAL)

  • The European Union (EU)

  • The World Trade Organization (WTO)

  • International Organization on Computer Evidence (IOCE)

  • Categories of law

  • RFC 1087

  • ISC2 Code of Ethics

Techniques you'll need to master:

  • Understanding incident response

  • Describing the chain of custody

  • Implementing forensic procedures

Introduction

Crime has been around as long as man has inhabited Earth. Technology and computers have brought us many advances and also have changed the ways crimes are committed. Computers are usually found to be a component of modern crime. Problems such as identity theft, phishing schemes, and war driving were unheard of 25 years ago.

The Law, Investigations, and Ethics domain addresses computer crime, laws, regulations, and investigation techniques. Test candidates are expected to know not only whether a crime has been committed, but also the laws that apply to the crime, the ethical issues, and the code of conduct that all Certified Information Systems Security Professionals (CISSP) should abide by. CISSP candidates must be prepared to deal with these issues, understand major legal systems, have a general understanding of forensic procedures, and be familiar with the ISC2 Code of Ethics. These are the topics that are discussed in this chapter.

Computer Crimes

Some reports show that computers are used in as many as 80% of all crimes. Either a computer is used as a tool to commit the crime, a computer or network is the victim of a crime, or the computer is used in planning, tracking, and controlling the crime. Yet although more computers are involved in the criminal process, it's commonly thought that only about one-tenth of all the crimes committed against and using computer systems are detected.

How could this be true? It is difficult to develop accurate numbers regarding the detection and reporting of computer crime. Many crimes go undetected, and others that are detected are never reported to law-enforcement agencies or the general public. Some companies are worried about a possible negative image; others are afraid that it might make them appear vulnerable. Another big issue with computer crime is determining who has jurisdiction. If a user in country A hacks a computer in country B to attack a company in country C, who has the right or ability to prosecute the crime? The United States has proposed legislation that will claim jurisdiction over any criminal activity that travels through a U.S.-controlled portion of the Internet, regardless of starting or destination country.

Software Piracy

The unauthorized copying and sharing of software is considered software piracy, which is illegal. Don't think that the copy of that computer game you gave a friend is hurting anyone? Software piracy is big business. The International Intellectual Property Alliance (IIPA) says that major U.S. copyright industries claimed in 1996 alone a loss of more than $2.8 billion domestically due to piracy. Internationally, the losses were more than $18 billion.

Major software companies are fighting back and have formed the Software Protection Association, which is one of the primary bodies that actively fights to enforce licensing agreements. Microsoft and others are also actively fighting to protect their property rights. The Business Software Alliance and The Federation Against Software Theft are both international groups targeting software piracy.

Terrorism

It would be hard to include a section such as this and not talk about terrorist attacks. These individuals are definitely in a category of their own. Their attacks typically target innocent civilians. Although not all terrorists directly target networked devices, known as cyberterrorism, most use computers in preparing their deeds. Attacks can also be carried out remotely, which means they are harder to detect and deter. In the end, no one knows exactly how terrorists will use the Internet in their next attack or exploit, but they likely will use computer systems in some way.

Pornography

Although some debate might arise on the legality of adult porn, child pornography is illegal in the United States and most other countries. Child porn is not specifically a computer crime, but the Internet allows it to be distributed, so this falls under a computer crime activity. The individuals who deal in child porn are pedophiles and are directly tied to violent crime.

Child pornography is just part of the problem. Some reports have indicated that more than 200,000 individuals in the United States are hopelessly addicted to Internet porn. If that statistic doesn't capture your attention, this should: The same sources also found that about 70% of Internet porn traffic occurs between 9 a.m. and 5 p.m. This raises the question of acceptable use policies (AUPs). U.S. law requires companies to provide a safe workplace where employees are free from sexual harassment and offensive behavior. Therefore, companies that fail to enforce AUPs could find themselves in legal hot water.

Common Attacks

Computers can be attacked in many different ways. A determined hacker can target your company for a low-tech social-engineering attack or attempt a very advanced technique such as a cross-site scripting attack. Depending on what their motives are, they can do a huge amount of damage if they are successful.

Keystroke Logging

Keystroke logging is an attack that is accomplished with software or hardware devices. These devices can record everything a person types, including usernames, passwords, and account information. The hardware version of these devices is usually installed while users are away from their desks. Hardware keystroke loggers are completely undetectable except for their physical presence. Even then, they can be overlooked because they resemble a balun or extension. How many people do you know who pay close attention to the plugs on the back of their computer? Who even looks back there?

The software version of this device is basically a shim that sits between the operating system and the keyboard. Most of these software programs are very simple, but some are more complex and can even email the logged keystrokes back to a preconfigured address. What they all have in common is that they operate in stealth mode and can be a serious threat to confidentiality.

Note

Before you attempt any type of keystroke monitoring, be sure to check with your organization's legal department. Most states and federal law require that each user using the computer be notified of such activities. Otherwise, you could be breaking some laws.

Wiretapping

Closely related to keystroke logging, wiretapping is used to eavesdrop on voice calls. A variety of tools is available for attackers to accomplish this—even scanners that no longer support cordless phone sniffing can be hacked or rewired to add such functionality. Wiretapping is illegal in the United States without a court order. Another related type of passive attack is the practice of sniffing. Sniffing operates on the same principle as wiretapping but is performed on data lines. The danger of both wiretapping and sniffing is that they are hard to detect.

Note

A traffic-analysis attack is a form of sniffing attack in which the data is encoded. By observing the victim's activities and analyzing traffic patterns, the attacker might be able to make certain assumptions. For example, if an attacker observes one financially strong company sending large amounts of communication to a financially weak company, the attacker might infer that they are discussing a merger.

Spoofing Attacks

In a spoofing attack, the attacker changes his identity to avoid capture or to trick someone into believing he is someone else. Some examples are described here:

  • IP spoofing—The intruder puts a wrong IP address in the source IP address field of the packets he sends out. It's a common practice when DoS tools are used to help the attacker mask his identity.

  • DNS spoofing—This trusting protocol can be spoofed to point victims to the wrong domain. These attacks are possible because the client takes the domain name and queries for its IP address, and the returned IP address is trusted without further checking. If an attacker can control this mapping, he can make any system he chooses appear to be the legitimate host for a given name.

  • ARP spoofing—Normally, ARP works to resolve known IP addresses to unknown physical addresses. This information is used to address the Ethernet frame. After the two-step ARP process takes place, the results are stored in a cache for a short period of time. The ARP cache contains hardware-to-IP mapping information. The information maintained in the ARP cache can be corrupted if a hacker sends a bogus ARP response with his own hardware address and the assumed IP address of a trusted host. Packets from the target are then delivered to the attacker's hardware address, because the target believes that the attacker's machine is the trusted host.

    Note

    ARP spoofing is considered a local area network (LAN) attack because hardware addresses do not pass through routers.

  • Hijacking—This more advanced spoof attack works by subverting the TCP connection between a client and a server. If the attacker learns the initial sequence numbers and can get between the client and the server, he can use this information to hijack the already-established connection. At this point, the attacker has a valid connection to the victim's network and is authenticated with the victim's credentials.
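The ARP spoofing entry above describes the attacker's side; the defender's counterpart is to watch ARP replies for the symptom it produces, a trusted host's IP address suddenly being claimed by a different hardware address. The following is an added example, not from the original text: a small monitor over a constructed stream of ARP replies. The gateway address, the MAC addresses and the reply records are all made up for the illustration.

```python
"""Detect ARP-cache poisoning from observed ARP replies (added example).

Each reply is (timestamp, sender_ip, sender_mac). Two signals are raised:
a trusted IP answered by a MAC other than the one pinned for it, and a
single MAC claiming more than one IP address."""
from collections import defaultdict

# Constructed static table of hosts whose hardware address should never change.
TRUSTED = {"192.168.1.1": "00:11:22:33:44:55"}   # hypothetical gateway


def detect_arp_spoof(replies, trusted=TRUSTED):
    """Return a list of alert strings; an empty list means nothing suspicious."""
    alerts = []
    seen = {}                      # ip -> first MAC observed for it
    claims = defaultdict(set)      # mac -> set of IPs it has claimed
    for ts, ip, mac in replies:
        mac = mac.lower()
        if ip in trusted and trusted[ip] != mac:
            alerts.append(f"{ts} {ip} claimed by {mac}, expected {trusted[ip]}")
        elif ip in seen and seen[ip] != mac:
            alerts.append(f"{ts} {ip} changed from {seen[ip]} to {mac}")
        seen.setdefault(ip, mac)
        if ip not in claims[mac]:
            claims[mac].add(ip)
            if len(claims[mac]) > 1:
                alerts.append(f"{ts} {mac} now claims {sorted(claims[mac])}")
    return alerts


# Constructed reply stream: the third record is host .20 answering for the gateway.
SAMPLE_REPLIES = [
    ("10:00:01", "192.168.1.1", "00:11:22:33:44:55"),   # legitimate gateway reply
    ("10:00:02", "192.168.1.20", "aa:bb:cc:dd:ee:20"),  # ordinary host
    ("10:00:03", "192.168.1.1", "aa:bb:cc:dd:ee:20"),   # bogus reply for the gateway IP
]

if __name__ == "__main__":
    for line in detect_arp_spoof(SAMPLE_REPLIES):
        print("ALERT:", line)
```

Because hardware addresses do not cross routers, the monitor has to run on each LAN segment it protects; static ARP entries for the gateway, or switch features such as dynamic ARP inspection, address the same symptom at the infrastructure level.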

Manipulation Attacks

Manipulation attacks can use different methods, but they have the same goal: manipulating data to steal money, embezzle funds, or change values. Some common forms of these attacks include the following:

  • Shopping cart attacks—Hackers compromise shopping carts by tampering with the forms used to pass dollar values to e-commerce servers. This allows the attackers to get huge discounts on goods and services. This is possible if the victims use the GET method for their forms or if they use hidden input tags in the order forms. Hackers save these pages to their hard drive, alter the price listed in the URL or the hidden tag, and then submit the order to the victim's site for processing.

  • Salami attacks—This form of attack works by systematically whittling away assets in accounts or other records with financial value. The small amounts are deducted from balances regularly and routinely, and might not be noticed, allowing the attacker to amass large amounts of funds.

  • Data diddling—This type of attack occurs when the attacker enters a system or captures network traffic and makes changes to selected files or packets. He doesn't delete the files—he merely edits and corrupts the data in some fashion. This attack can do a lot of damage but might not be quick or easy to uncover.
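The shopping cart entry turns on one design mistake: the server trusts a price that the client sent back to it. The following added example, which is not from the original text, puts the weak order handler beside a hardened one in plain Python functions that take the submitted form fields as a dictionary. The catalogue, SKUs and the tampered request are constructed for the illustration.

```python
"""Price tampering in an order form: trusting a client-supplied price versus
resolving the price server-side (added example, constructed data)."""
from decimal import Decimal

# Constructed server-side catalogue: the only trustworthy source of prices.
CATALOG = {
    "SKU-1001": Decimal("499.00"),
    "SKU-2002": Decimal("19.95"),
}


def total_vulnerable(form):
    """Weak handler: the price arrives in a hidden field (or the GET URL), so a
    saved-and-edited copy of the page can set any price the attacker likes."""
    qty = int(form["qty"])
    price = Decimal(form["price"])     # client-controlled value
    return price * qty


def total_hardened(form):
    """Hardened handler: only the SKU and quantity are accepted from the client;
    the price comes from the catalogue and the quantity is range-checked."""
    sku = form["sku"]
    if sku not in CATALOG:
        raise ValueError("unknown SKU")
    qty = int(form["qty"])
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    if "price" in form:
        # A client that sends a price at all is worth logging for review.
        print(f"warning: ignoring client-supplied price {form['price']!r} for {sku}")
    return CATALOG[sku] * qty


# Constructed request: the hidden price field was edited from 499.00 to 0.01.
TAMPERED_ORDER = {"sku": "SKU-1001", "qty": "2", "price": "0.01"}

if __name__ == "__main__":
    print("vulnerable total:", total_vulnerable(TAMPERED_ORDER))
    print("hardened total:  ", total_hardened(TAMPERED_ORDER))
```

The same rule generalizes beyond prices: any value the server already knows (price, discount tier, account id) should be looked up from its own records rather than round-tripped through the browser, and anything that must round-trip should be signed or kept in server-side session state.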

Social Engineering

Social engineering predates the computer era. Social engineering is much like an old-fashioned con game, in that the attacker uses the art of manipulation to trick a victim into providing private information or improper access. P. T. Barnum once said, “There's a sucker born every minute”—unfortunately, he was right.

One common social-engineering attack has targeted eBay, Hotmail, PayPal, and Citibank users. The attacker sends an official-sounding email asking users to verify their Internet password via return mail. When they do so, their passwords are sent to the attacker, who can then access the accounts at will. Another common social-engineering hack is to call an organization's help desk and pretend to be a high-ranking officer. The lowly help desk employee can often be bullied or scared into giving out a password or other important information.

The best defense against social engineering is to educate your users and staff to never give out passwords and user IDs over the phone, via email, or to anyone who isn't positively verified as being who they say they are. Training can go a long way toward teaching employees how to spot these scams.

Dumpster Diving

Plenty of valuable information can be stolen the low-tech way. One popular technique is to retrieve passwords and other information by dumpster diving and looking for scraps of paper used to write down important numbers and then thrown in the trash. Although this is not typically illegal, it is considered an unethical practice.

Figure 10.1. Dumpster diving.

Note

Dumpster diving might not be considered illegal, but it is considered unethical.

Ethics

This section reviews some of the ethical standards and codes that a CISSP should be aware of. Ethics are a set of principles of right conduct. Ethical standards are sometimes different than legal standards: Laws define what we must do, whereas ethics define what we should do. CISSPs should uphold high ethical standards and promote these ethical standards in others. Some of the ways CISSPs can help promote proper ethical behavior include making sure that organizations have guides to computer ethics, ensuring that ethical issues are included in employee handbooks, promoting computer ethics training, and helping to develop ethical policies on issues such as email and other privacy-related topics. With that being said, you must also remember that not everyone will always act ethically.

Some of the reasons you might hear include the following common ethical fallacies:

  • Computer game—If they don't protect it, it's fair game to attack.

  • Law-abiding citizen—It's not physical theft, so it's not illegal.

  • Shatterproof—If I don't do damage or it can be repaired, what's the problem?

  • Candy-from-a-baby—If it is that easy, how could it be wrong?

  • Hackers—If I learn from this, it will benefit society and me.

  • Free information—All information should be free.

ISC2 Code of Ethics

It's a requirement for CISSP candidates to subscribe to and support the ISC2 Code of Ethics, which states that a CISSP should

  • Protect society, the commonwealth, and the infrastructure

  • Act honorably, honestly, justly, responsibly, and legally

  • Provide diligent and competent service to principals

  • Advance and protect the profession

Note

Exam candidates must read the full Code of Ethics because the exam always includes one or two questions related to the code. It is located at www.isc2.org/cgi/content.cgi?category=12.

Computer Ethics Institute

The Computer Ethics Institute is a group that focuses specifically on ethics in the technology industry. Its website, www.cosr.org, lists the following Ten Commandments of Computer Ethics:

  1. Thou shalt not use a computer to harm other people.

  2. Thou shalt not interfere with other people's computer work.

  3. Thou shalt not snoop around in other people's computer files.

  4. Thou shalt not use a computer to steal.

  5. Thou shalt not use a computer to bear false witness.

  6. Thou shalt not copy or use proprietary software for which you have not paid.

  7. Thou shalt not use other people's computer resources without authorization or proper compensation.

  8. Thou shalt not appropriate other people's intellectual output.

  9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.

  10. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.

Note

Exam candidates are advised to read the Ten Commandments of Computer Ethics and be able to differentiate it from the ISC2 Code of Ethics.

Internet Activities Board

RFC 1087 was published by the Internet Activities Board (IAB) in January 1987. Its goal is to characterize unethical and unacceptable behavior. It states that the following activities are unethical:

  • Seeking to gain unauthorized access to the resources of the Internet

  • Disrupting the intended use of the Internet

  • Wasting resources (people, capacity, computer) through such actions

  • Destroying the integrity of computer-based information

  • Compromising the privacy of users

Note

Print and review RFC 1087 before you attempt the CISSP exam. It is available at www.faqs.org/rfcs/rfc1087.html.

International Property Laws

Although the laws discussed in the following list are specific to the United States, intellectual property is agreed upon and enforced worldwide by various organizations, including the United Nations Commission on International Trade Law (UNCITRAL), the European Union (EU), and the World Trade Organization (WTO).

  • Trade secret—A trade secret is a confidential design, practice, or method that must be proprietary or business related. For a trade secret to remain valid, the owner must take certain security precautions.

  • Copyright—A copyright is a legal device that provides the creator of a work of authorship the right to control how the work is used and protects that person's expression on a specific subject. This includes the reproduction rights, distribution rights, right to create, and right to public display.

  • Trademark—A trademark is a symbol, word, name, sound, or thing that identifies the origin of a product or service in a particular trade. The ISC2 logo is an example of a trademarked logo. The term service mark is sometimes used to distinguish a trademark that applies to a service rather than to a product.

  • Patent—A patent grants the owner a legally enforceable right to exclude others from practicing or using the invention's design for a defined period of time.

Privacy Laws

Privacy laws are of interest to many individuals because technology has made it much easier for large amounts of data to be accumulated about them. Commercial databases contain tremendous amounts of data that can be used to infringe on people's sense of privacy and anonymity. The misuse of these databases can lead to targeted advertising and disclosure of personal preferences that some individuals believe is intrusive. Privacy is increasingly being recognized as a fundamental right in many countries. The EU has been on the forefront in developing laws that protect individual privacy. EU privacy guidelines enacted in 1998 state the following:

  • Data is to be used only for the purposes for which it was collected and within a reasonable time.

  • If requested, individuals are entitled to receive a report on data about them.

  • An individual's personal data cannot be disclosed to third parties unless authorized by statute or consent of the individual.

  • Persons have a right to make corrections to their personal data.

  • Transmission to locations where equivalent personal data protection cannot be assured is prohibited.

Parameters of Investigation

Security incidents can come in many forms. It could be an honest mistake by an employee who thought he was helping, or it could be the result of an intentional attack. Whatever the motive or reason, the response should always be the same. Security breaches should be investigated in a structured, methodical manner. Most companies would not operate a business without training their employees how to respond to fires, but many companies do not build good incident-response and investigation procedures.

Computer Crime Investigation

Investigating computer crime is a complex and involved process made up of these steps:

  1. Plan and prepare by means of procedures, policies, and training.

  2. Secure and isolate the scene, to prevent contamination.

  3. Record the scene by taking photographs and recording data in an investigator's notebook.

  4. Interview suspects and witnesses.

  5. Systematically search for other physical evidence.

  6. Collect or seize the suspected system or media.

  7. Package and transport evidence.

  8. Submit evidence to the lab for analysis.

Incident-Response Procedures

Good incident-response procedures give the organization an effective and efficient means of dealing with the situation in a manner that reduces the potential impact. These procedures should also provide management with sufficient information to decide on an appropriate course of action. By having these procedures in place, the organization can maintain or restore business continuity, defend against future attacks, and deter attacks by prosecuting violators.

The primary goal of incident response is to contain the damage, find out what happened, and prevent it from reoccurring. This list identifies the basic steps of incident response:

  1. Identify—Detect the event. Is it a real event or simply a false positive? A range of mechanisms is used here, including IDS, firewalls, audits, logging, and employee observations.

  2. Coordinate—This is where preplanning kicks in, with the use of predeveloped procedures. The incident-response plan should detail what action is to be taken by whom. Your incident-response team will need to have had the required level of training to properly handle the response.

  3. Mitigate—The damage must be contained, and the next course of action must be determined.

  4. Investigate—What happened? When the investigation is complete, a report, either formal or informal, must be prepared. This is needed to evaluate any necessary changes to the incident response policies.

  5. Educate—At this final step, all those involved must review what happened and why. Most important is determining what changes must be put in place to prevent future problems. Learning from what happened is the only way to prevent it from happening again.

Incident-Response Team

Incident-response team members need to have diverse skill sets. Internal teams should include representation from various departments:

  • Information security

  • Legal

  • Human resources

  • Public relations

  • Physical security

  • Network and system administration

  • Internal auditors

Forensics

Computer forensics is a clear, well-defined methodology used to preserve, identify, recover, and document computer or electronic data. Although the computer forensics field is relatively new to the corporate sector, law enforcement has been practicing this science since the mid-1980s. Growth in this field is directly related to the ever-growing popularity of electronics.

Computers are one of the most targeted items of examination, but they are not the only devices subject to forensic analysis. Cellphones, PDAs, pagers, digital cameras, and just about any electronic device also can be analyzed. Attempted hacking attacks and allegations of employee computer misuse have added to the organization's need to examine and analyze electronic devices. Mishandling such cases can cost companies millions, so each must be handled in a legal and defensible manner. Because electronic information can be easily changed, a forensic examination usually follows these three steps:

  1. Acquire—This is usually performed by means of a bit-level copy. A bit-level copy is an exact duplicate of the original data, allowing the examiner to scrutinize the copy while leaving the original copy intact.

  2. Authenticate—This process requires an investigator to show that the data is unchanged and has not been tampered with. Authentication can be accomplished through the use of checksums and hashes such as MD5 and SHA.

    Note

    Message digests such as MD5 and SHA are used to ensure the integrity of files and data, and to ensure that no changes have occurred.

  3. Analyze—The investigator must be careful to examine the data and ensure that his actions are documented. The investigator usually recovers evidence by examining drive slack space, file slack space, hidden files, swap data, Internet cache, and other locations, such as the recycle bin. Copies of the original disks, drive, or data are usually examined to protect the original evidence.

Handling Evidence

The handling of evidence is of special importance to the forensic investigator. This is addressed through the chain of custody, a process that helps protect the integrity and reliability of the evidence by providing an evidence log that shows every access to evidence, from collection to appearance in court. A complete chain of custody report also includes any procedures or activities that were performed on the evidence.

Note

A primary image is the original image. It should be held in storage and kept unchanged. The working image is the one used for analysis purposes.
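The Acquire and Authenticate steps above, the chain of custody under Handling Evidence, and this note's distinction between primary and working images fit together in one small workflow. The following added example, not taken from the original text, hashes a constructed "image" with MD5 and SHA-256 at acquisition, derives the working copy, verifies it against the recorded digests, and keeps an append-only custody log whose entries can be checked for a break. The case and item identifiers, examiner names and image bytes are all constructed.

```python
"""Authenticating a forensic image and logging chain of custody (added example)."""
import hashlib
from datetime import datetime, timezone


def fingerprint(data: bytes) -> dict:
    """Hash the image with two independent digests, as the text describes for
    authentication; a collision in one algorithm is still caught by the other."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


class CustodyLog:
    """Append-only record of every access to one evidence item."""

    def __init__(self, item_id):
        self.item_id = item_id
        self.entries = []

    def record(self, who, action, digests):
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "who": who, "action": action, "sha256": digests["sha256"]})

    def unbroken(self):
        """True if every logged access saw the same SHA-256 as acquisition."""
        return len({e["sha256"] for e in self.entries}) == 1


def acquire(primary: bytes, who, log):
    """Bit-level copy of the primary image; digests are recorded before any
    analysis so later verification has a fixed reference."""
    digests = fingerprint(primary)
    log.record(who, "acquired primary image", digests)
    working = bytes(primary)            # exact duplicate used for analysis
    log.record(who, "created working image", fingerprint(working))
    return working, digests


def verify(image: bytes, expected: dict) -> bool:
    """Authenticate: the image is unchanged only if both digests still match."""
    return fingerprint(image) == expected


# Constructed evidence: a few bytes standing in for a disk image.
PRIMARY_IMAGE = b"MBR\x00" + b"\x00" * 60 + b"user notes: meeting at 9\n"

if __name__ == "__main__":
    log = CustodyLog("CASE-0001/ITEM-03")        # hypothetical identifiers
    working, acquired = acquire(PRIMARY_IMAGE, "examiner A", log)
    print("working image authentic:", verify(working, acquired))
    tampered = working.replace(b"9", b"5")       # simulate a one-byte change
    print("tampered image authentic:", verify(tampered, acquired))
    log.record("examiner B", "analysis session", fingerprint(tampered))
    print("chain unbroken:", log.unbroken())
    for e in log.entries:
        print(e["time"], e["who"], e["action"], e["sha256"][:12])
```

In practice the digests are written down at the scene (or printed into the investigator's notebook) at the moment of acquisition; a digest computed only later proves nothing about what happened in between.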

Trace Evidence

Locard's Exchange Principle states that whenever two objects come into contact, a transfer of material will occur. The resulting trace evidence left behind during this transfer can be used to associate objects, individuals, or locations to a crime. Simply stated, no matter how hard someone tries, some trace evidence always remains; criminals can make recovery harder by deleting files and caches, but they cannot remove it entirely.

Drive Wiping

Drive wiping is the process of overwriting all addressable locations on the disk. The Department of Defense (DoD) drive-wiping standard 5220.22-M states, “All addressable locations must be overwritten with a character, its complement, then a random character and verify.” By making several passes over the media, an organization can further decrease the possibility of data recovery. Organizations worried about proper disposal of used media then get clean, unrecoverable media. In the hands of the criminal, drive wiping offers the chance to destroy evidence.
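The quoted pattern (a character, its complement, a random character, then verify) is simple enough to show end to end. The following added example, which is not from the original text, applies the three passes to a temporary file and verifies the final pass by reading it back. The pattern byte 0x55, the temporary file and its marker contents are constructed; wiping a real disk means opening the block device itself rather than a file, because overwriting through a filesystem does not reach remapped sectors, journal copies or spare flash blocks.

```python
"""Three-pass overwrite with verification in the pattern quoted from
DoD 5220.22-M, applied to a temporary file (added example)."""
import os
import secrets
import tempfile

PATTERN = 0x55                  # constructed choice of "a character"
COMPLEMENT = PATTERN ^ 0xFF     # its complement (0xAA)


def make_sample_file(marker=b"SECRET-ACCOUNT-NUMBER-12345"):
    """Constructed sample: a temp file holding a marker we expect to vanish."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"ledger " * 100 + marker + b"\n" * 50)
    return path


def overwrite(f, data):
    """Write `data` over every addressable byte and force it to stable storage."""
    f.seek(0)
    f.write(data)
    f.flush()
    os.fsync(f.fileno())


def readback(f, size):
    f.seek(0)
    return f.read(size)


def wipe_file(path):
    """Pass 1: pattern byte. Pass 2: its complement. Pass 3: random bytes.
    Returns (verified, size): verified is True only if the read-back content
    equals the random data that was written in the final pass."""
    size = os.path.getsize(path)
    passes = [bytes([PATTERN]) * size,
              bytes([COMPLEMENT]) * size,
              secrets.token_bytes(size)]
    with open(path, "r+b") as f:
        for data in passes:
            overwrite(f, data)
        verified = readback(f, size) == passes[-1]
    return verified, size


def recoverable(path, marker):
    """Does a plain read of the file still contain the marker?"""
    with open(path, "rb") as f:
        return marker in f.read()


if __name__ == "__main__":
    path = make_sample_file()
    print("before wipe, marker present:", recoverable(path, b"SECRET-ACCOUNT"))
    ok, size = wipe_file(path)
    print(f"wiped {size} bytes, final pass verified: {ok}")
    print("after wipe, marker present: ", recoverable(path, b"SECRET-ACCOUNT"))
    os.remove(path)
```

The verification step is what separates a wipe an organization can document from one it merely hopes happened: the read-back comparison, plus the log of which device was wiped and when, is the evidence of proper disposal.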

Standardization of Forensic Procedures

In March 1998, the International Organization on Computer Evidence (IOCE) was appointed to draw up international principles for the procedures relating to digital evidence. The goal was to harmonize methods and practices among nations and guarantee the capability to use digital evidence collected by one state in the courts of another state. The IOCE (www.ioec.org) has established the following six principles to govern these activities:

  • When dealing with digital evidence, all generally accepted forensic and procedural principles must be applied.

  • Upon seizing digital evidence, actions taken should not change that evidence.

  • When it is necessary for a person to access original digital evidence, that person should be trained for the purpose.

  • All activity relating to the seizure, access, storage, or transfer of digital evidence must be fully documented, preserved, and available for review.

  • An individual is responsible for all actions taken with respect to digital evidence while the digital evidence is in his possession.

  • Any agency that is responsible for seizing, accessing, storing, or transferring digital evidence is responsible for compliance with these principles.

Major Legal Systems

Legal systems vary throughout the world in the rights of the accused, the role of the judge, the nature of evidence, and other essential legal concepts. These can be handled quite differently:

  • Civil (code) law—Also known as Napoleonic law. This law evolved in Europe and is based on a comprehensive system of written rules of law.

  • Common law—This form of law was developed in England and is present in the United States, Canada, United Kingdom, Australia, and New Zealand. It is based on the rule of reasonable doubt and that you are innocent until proven guilty.

  • Customary law—Usually found to be combined with another legal system, it is based on the concept of what is customary and considered normal conduct.

  • Muslim law—The Muslim legal system is an autonomous legal system based on religious tenets and references items found in the Qur'an.

  • Civil law—In civil law, there is no prison time. Victims are compensated by means of financial awards of punitive, compensatory, or statutory damages.

  • Criminal law—Criminal law exists to punish someone who violates the government's laws. Punishment can include financial penalties, imprisonment, or both.

  • Administrative law—Administrative law establishes standards of performance and conduct expected by governmental agencies from industries, organizations, officials, and officers. Individuals and organizations that violate these laws can be punished by financial penalties and/or imprisonment. It is typically applied to industries such as health care, financial, industrial, and pharmaceutical.

Evidence Types

The gathering, control, storage, and preservation of evidence are extremely critical in any legal investigation. Evidence can be computer generated, oral, or written. Because computer evidence is easily altered, special care must be taken when handling it. Different types of evidence have different levels of validity in court. For evidence to be accepted in court, it must meet certain standards:

  • Relevant

  • Legally permissible

  • Reliable

  • Identifiable

  • Properly preserved and documented

There are also various types of evidence, different ways in which the evidence can be gathered, and legal and illegal ways in which those who break the law can be prosecuted:

  • Best evidence—Best evidence is considered the most reliable form of evidence. Original documents are an example of best evidence.

  • Secondary evidence—Although not as reliable or as strong as best evidence, secondary evidence can still be used in court. A copy of evidence and an oral description of its contents are examples of secondary evidence.

  • Hearsay evidence—Hearsay is generally not admissible in court because it is considered secondhand information. Some computer-generated records and other business records fall under this category.

  • Direct evidence—This form of evidence either proves or disproves a specific act through oral testimony. It is based on information gathered through the witness's five senses.

  • Enticement and entrapment—Enticement is the legal activity of luring an individual to perform a questionable activity. Using a honeypot to observe and monitor individuals attempting to hack your network could be seen as an act of enticement. Entrapment occurs when individuals illegally induce or trick a person into committing a crime that he had not previously considered.

Trial

Basically two types of trials occur: one heard by a judge and the other heard by a jury. Most jury panels are composed of ordinary citizens from the court's surrounding geographical area. Computer crimes are difficult to prosecute in court because the advancement of technology is fast, whereas change in the legal system is slow. Trials also require a prosecutor with experience in computer crime. Even when cases are successful, computer criminals sometimes receive lighter sentences because this is considered a white-collar crime.

Note

Negligence is the failure to meet the required standards in protecting information.

Exam Prep Questions

1:

IP spoofing is commonly used for which of the following types of attacks?

  • A. Salami

  • B. Keystroke logging

  • C. DoS

  • D. Data diddling

2:

Which of the following best describes session hijacking?

  • A. Session hijacking works by first subverting the DNS process. If this is successful, an attacker can use an already established TCP connection.

  • B. Session hijacking subverts the UDP protocol. It allows an attacker to use an already established connection.

  • C. Session hijacking targets the TCP connection between a client and a server. If the attacker learns the initial sequence, he might be able to hijack a connection.

  • D. Session hijacking works by first subverting the DNS process. If this is successful, an attacker can use an already established UDP connection.

3:

Several of your company's employees have been hit with email scams over the last several weeks. One of these attacks successfully tricked an employee into revealing his username and password. Management has asked you to look for possible solutions to these attacks. Which of the following represents the best answer?

  • A. Implement a new, more robust password policy that requires complex passwords

  • B. Start a training and awareness program

  • C. Increase the organization's email-filtering ability

  • D. Develop a policy that restricts email to official use only

4:

In part, the ISC2 Code of Ethics states

  • A. Thou shalt not use a computer to harm other people.

  • B. Compromising the privacy of users is unethical.

  • C. All information should be free.

  • D. Act honorably, honestly, justly, responsibly, and legally.

5:

Which of the following is a legal device that gives the creator of a work of authorship the right to control how the work is used?

  • A. Patent

  • B. Trademark

  • C. Copyright

  • D. Trade secret

6:

Locard's Exchange Principle states

  • A. The chain of custody should never be broken.

  • B. There is always some trace evidence.

  • C. Three things are required for a crime: means, motive, and opportunity.

  • D. Checksums should be used to authenticate evidence.

7:

Which of the following international organizations was established to standardize the handling of forensic evidence?

  • A. The International Organization on Forensic Analysis

  • B. The EU Policy Council of Criminal Evidence

  • C. The United Nations Organization on Computer Evidence

  • D. The International Organization on Computer Evidence

8:

For evidence to be used in court, it must not be which of the following?

  • A. Relevant

  • B. Properly preserved

  • C. Identifiable

  • D. Justifiable

9:

Hearsay evidence

  • A. Can be used in civil cases

  • B. Is not admissible in court

  • C. Is considered third-hand information

  • D. Can be used to verify what has been presented through best evidence

10:

In France, the legal system is based upon

  • A. Civil law

  • B. Common law

  • C. Administrative law

  • D. Customary law

Answers to Exam Prep Questions

A1:

Answer: C. IP spoofing is a common practice when DoS tools are used to help the attacker mask his identity. Salami attacks, data diddling, and keystroke logging do not typically spoof IP addresses, so answers A, B, and D are incorrect.

A2:

Answer: C. This more advanced spoof attack works by subverting the TCP connection between a client and a server. If successful, the attacker has a valid connection to the victim's network and is authenticated with his credentials. This attack is very hard to do with modern operating systems but is trivial with older operating systems. Answer A is incorrect because session hijacking does not involve DNS; it functions by manipulating the TCP sequence number. Answer B is incorrect because session hijacking does not use the UDP protocol. UDP is used for stateless connections. Answer D is incorrect because, again, session hijacking is not based on DNS and UDP. These two technologies are unrelated to TCP sequence numbers.

A3:

Answer: B. The best defense against social engineering is to educate your users and staff. Training can go a long way toward teaching employees how to spot these scams. Although the other answers are not bad ideas, they will not prevent social engineering, so answers A, C, and D are incorrect.

A4:

Answer: D. It's a requirement for CISSP candidates to subscribe to the ISC2 Code of Ethics, which, in part, states, “Act honorably, honestly, justly, responsibly, and legally.” All other answers are incorrect.

A5:

Answer: C. A copyright is a legal device that gives the creator of a work of authorship the right to control how the work is used. All other answers are incorrect: A patent (answer A) grants the owner a legally enforceable right to exclude others from practicing or using the invention's design for a defined period of time. A trademark (answer B) is a symbol, word, name, sound, or thing that identifies the origin of a product or service in a particular trade. A trade secret (answer D) is a process, formula, or other knowledge that is unique to a manufacturer and gives it an advantage over competitors.

A6:

Answer: B. Locard's Exchange Principle states that whenever two objects come into contact, a transfer of material will occur. Answers A, C, and D are incorrect because they do not properly answer the question.

A7:

Answer: D. The International Organization on Computer Evidence (IOCE) was appointed to draw up international principles for the procedures relating to digital evidence. The goal was to harmonize methods and practices among nations and guarantee the capability to use digital evidence collected by one state in the courts of another state. Answer A is incorrect because the International Organization on Forensic Analysis is not the correct name of the forensic organization requested. Answer B is incorrect because the EU Policy Council of Criminal Evidence is not the international organization that was established to standardize the handling of forensic evidence. Answer C is incorrect because, again, the United Nations Organization on Computer Evidence is not the name of the proper world body.

A8:

Answer: D. For evidence to be accepted in court, it must meet certain standards: It must be relevant (answer A), legally permissible, reliable, identifiable (answer C), and properly preserved (answer B) and documented. Because the question asked which is not applicable, the only possible answer is D, justifiable.

A9:

Answer: B. Hearsay is generally not admissible in court because it is considered secondhand information. Answer A is incorrect because hearsay evidence cannot be used in civil cases. Answer C is incorrect because hearsay evidence is considered secondhand information. Answer D is incorrect because hearsay evidence cannot be used to verify what has been presented through best evidence.

A10:

Answer: A. Civil law, also known as Napoleonic law, evolved in Europe and is based on a comprehensive system of written rules of law. It is the rule of law in France. Answer B is incorrect because common law is the rule of law in England, not France. Answer C is incorrect because administrative law addresses regulations typically placed on industries and organizations. Answer D is incorrect because customary law is usually found to be combined with another legal system and is not the basis of law in France.

Need to Know More?

www.faqs.org/rfcs/rfc1087.html—RFC 1087

www.cert.org/—Computer Emergency Response Team

www.cybercrime.gov/—DOJ site on cybercrime

www.2600.com/—The Hacker Quarterly

www.defcon.org/—Underground Hacking Event

https://www.isc2.org/cgi-bin/content.cgi?category=12—ISC2 Code of Ethics

www.ioec.org—Forensic procedure information

http://europa.eu.int/comm/internal_market/privacy/index_en.htm—EU privacy laws

www.idtheftcenter.org/index.shtml—Identity theft information
