Chapter 10. Legal, Regulations, Investigations, and Compliance
This chapter covers the following topics:
• Computer crime concepts: This section covers the different types of computer crimes, including computer-assisted crime, computer-targeted crime, incidental computer crime, and other computer crime concepts.
• Major legal systems: This includes civil code law, common law, criminal law, civil/tort law, administrative/regulatory law, customary law, religious law, and mixed law.
• Intellectual property law: This section describes intellectual property, including patents, trade secrets, trademarks, copyrights, software piracy and licensing issues, and internal protection.
• Privacy: This includes a discussion of personally identifiable information (PII), laws and regulations, and compliance.
• Liability: This section covers due care versus due diligence, negligence, and liability issues with personal information, hackers, third-party outsourcing, and contracts and procurement.
• Incident response: This section explains events versus incidents, incident response team and incident investigations, rules of engagement, and procedures.
• Forensics and digital investigations: This section explains how to identify, preserve, collect, examine, and analyze evidence and how to present findings. It also covers the IOCE/SWGDE, crime scene, MOM, chain of custody, and interviewing.
• Evidence: This section discusses the five rules of evidence, types of evidence, surveillance, search and seizure, media analysis, software analysis, network analysis, and hardware/embedded device analysis.
• Security professional ethics: This includes (ISC)2 Code of Ethics, Computer Ethics Institute, Internet Architecture Board, and Organizational Ethics.
Understanding applicable laws and regulations is a necessary part of any security professional’s training. The security practices that an organization adopts are usually directly affected by the laws and regulations from local, state, and federal government. Tied in with this need to understand laws and regulations is the security professional’s need to understand how to perform investigations. Even if the perpetrator of a security incident is discovered, the perpetrator cannot be held accountable for any crime if the individuals who performed the investigation did not adhere to appropriate investigatory laws and regulations. In the United States, the Secret Service and the Federal Bureau of Investigations (FBI) share the task of investigating computer crimes.
Computers have brought new opportunities for criminal acts to occur. Criminals are always looking for new ways to illegally break into networks and individual systems. But as we have discussed before, most security issues within an organization are perpetuated by its employees. Disgruntled employees in particular pose the greatest threat for an organization. The security professional’s job is to ensure that all devices are updated in a timely manner and protected from attacks both from within and without. As we have mentioned before, there is no way to fully protect a network or system 100% of the time against 100% of the attacks, but security professionals must ensure that their organizations practice due care and due diligence as part a comprehensive security plan.
Also keep in mind that the organization must provide a means for employees to report any computer incident or crime that they witnessed or are aware of while ensuring that employees feel safe doing so. In most cases, employees do not want to report incidents because they are afraid of being pulled into something with which they do not want to be involved. They are also often afraid of being accused of doing something that they did not do. Finally, employees might not report an incident or crime because they are not aware of the organization’s security policies and procedures. Organizations should establish a culture that provides appropriate training and a means for reporting incidents.
This chapter covers all the topics regarding the legal, regulations, investigations, and compliance domain for the CISSP exam. It includes an explanation of computer crime concepts, major legal systems, intellectual property law, privacy, liability, incident response, evidence, and security professional ethics.
Foundation Topics
Computer Crime Concepts
Computer crimes today are usually made possible by a victim’s carelessness. If a computer crime has occurred, proving criminal intent and causation is often difficult. Investigating and prosecuting computer crimes is made even more difficult because evidence is mostly intangible. Further affecting computer crime investigation is the fact that obtaining a trail of evidence of activities performed on a computer is hard.
Because of these computer crime issues, it is important that security professionals understand the following computer crime concepts:
Computer-Assisted Crime
A computer-assisted crime occurs when a computer is used as a tool to help commit a crime. This type of crime could be carried out without a computer but uses the computer to make committing the crime easier. Think of it this way: Criminals can steal confidential organizational data in many different manners. This crime is possible without a computer. But when criminals use computers to help them steal confidential organizational data, then a computer-assisted crime has occurred.
Computer-Targeted Crime
A computer-targeted crime occurs when a computer is the victim of an attack that’s sole purpose is to harm the computer and its owner. This type of crime could not be carried out without a computer being used. Computer crimes that fit into this category include denial of service (DoS) and buffer overflow attacks.
Incidental Computer Crime
An incidental computer crime occurs when a computer is involved in a computer crime without being the victim of the attack or the attacker. A computer being used as a zombie in a botnet is part of an incidental computer crime.
Computer Prevalence Crime
A computer prevalence crime occurs due to the fact that computers are so widely used in today’s world. This type of crime occurs only because computers exist. Software piracy is an example of this type of crime.
Hackers versus Crackers
Hacker and cracker are two terms that are often used interchangeably in media but do not actually have the same meaning. Hackers are individuals who attempt to break into secure systems to obtain knowledge about the systems and possibly use that knowledge to carry out pranks or commit crimes. Crackers, on the other hand, are individuals who attempt to break into secure systems without using the knowledge gained for any nefarious purposes.
In the security world, the terms white hat, gray hat, and black hat are more easily understood and less often confused than the terms hackers and crackers. A white hat does not have any malicious intent. A black hat has malicious intent. A gray hat is considered somewhere in the middle of the two. A gray hat will break into a system, notify the administrator of the security hole, and offer to fix the security issues for a fee.
Major Legal Systems
Security professionals must understand the different legal systems that are used throughout the world and the components that make up the systems.
These systems include the following:
• Administrative/regulatory law
Civil Code Law
Civil code law, developed in Europe, is based on written laws. It is a rule-based law and does not rely on precedence in any way. The most common legal system in the world, civil code law does not require lower courts to follow higher-court decisions.
Note
Do not confuse the civil code law of Europe with the United States civil/tort laws.
Common Law
Common law, developed in England, is based on customs and precedent because no written laws were available. Common law reflects on the morals of the people and relies heavily on precedence. In this system, the lower court must follow any precedents that exist due to higher-court decisions. This type of law is still in use today in the United Kingdom, the United States, Australia, and Canada.
Today, common law uses a jury-based system, which can be waived so the case is decided by a judge. But the prosecution must provide guilt beyond a reasonable doubt. Common law is divided into three systems: criminal law, civil/tort law, and administrative-regulatory law.
Criminal Law
Criminal law covers any actions that are considered harmful to others. It deals with conduct that violates public protection laws. In criminal law, guilty parties might be imprisoned and/or fined. Criminal law is based on common law and statutory law. Statutory law is handed down by federal, state, or local legislating bodies.
Civil/Tort Law
In civil law, the liable party owes a legal duty to the victim. It deals with wrongs that have been committed against an individual or organization. Under civil law, the victim is entitled to compensatory, punitive, and statutory damages. Compensatory damages are those that compensate the victim for his losses. Punitive damages are those that are handed down by juries to punish the liable party. Statutory damages are those that are based on damages established by laws.
In civil law, the liable party has caused injury to the victim. Civil laws include economic damages, liability, negligence, intentional damage, property damage, personal damage, nuisance, and dignitary torts.
In the United States, civil law allows senior officials of an organization to be held liable for any civil wrongdoing by the organization. So if an organization is negligent, the senior officials can be pursued by any parties that were wronged.
Administrative/Regulatory Law
In administrative law, standards of performance or conduct are set by government agencies for organizations and industries to follow. Common areas that are covered by administrative law include public utilities, communications, banking, environment protection, and healthcare.
Customary Law
Customary law is based on the customs of a country or region. Customary law is not used in most systems in isolation, but rather incorporated into many mixed law systems, such as those used in many African countries, China, and Japan. Monetary fines or public service is the most common form of restitution in this legal system.
Religious Law
Religious law is based on religious beliefs. Although most religious law will be based on a particular religion and its primary written rules, cultural differences can vary from country to country and will affect the laws that are enforced.
Mixed Law
Mixed law combines two or more of the other law types. The most often mixed law uses civil law and common law.
Intellectual Property Law
Intellectual property law is a group of laws that recognizes exclusive rights for creations of the mind. Intellectual property is a tangible or intangible asset to which the owner has exclusive rights.
The intellectual property covered by this type of law includes the following:
• Patent
• Software piracy and licensing issues
This section explains these types of intellectual properties and the internal protection of these properties.
Patent
A patent is granted to an individual or company to cover an invention that is described in the patent’s application. When the patent is granted, only the patent owner can make, use, or sell the invention for a period of time, usually 20 years. Although it is considered one of the strongest intellectual property protections available, the invention becomes public domain after the patent expires, thereby allowing any entity to manufacture and sell the product.
Patent litigation is common in today’s world. You commonly see technology companies, such as Apple, Hewlett-Packard, and Google, filing lawsuits regarding infringement on patents (often against each other). For this reason, many companies involve a legal team in patent research before developing new technologies. Being the first to be issued a patent is crucial in today’s highly competitive market.
Any product that is produced that is currently undergoing the patent application process will usually be identified with the Patent Pending seal, shown in Figure 10-1.
Figure 10-1. Patent Pending Seal
Trade Secret
A trade secret ensures that proprietary technical or business information remains confidential. A trade secret gives an organization a competitive edge. Trade secrets include recipes, formulas, ingredient listings, and so on that must be protected against disclosure. After the trade secret is obtained by or disclosed to a competitor or the general public, it is no longer considered a trade secret.
Most organizations that have trade secrets attempt to protect these secrets using non-disclosure agreements (NDAs). These NDAs must be signed by any entity that has access to information that is part of the trade secret. Anyone who signs an NDA will suffer legal consequences the organization is able to prove that the signer violated it.
Trademark
A trademark ensures that a symbol, sound, or expression that identifies a product or an organization is protected from being used by another organization. This trademark allows the product or organization to be recognized by the general public.
Most trademarks are marked with one of the designations shown in Figure 10-2.
Figure 10-2. Trademark Designations
If the trademark is not registered, an organization should use a capital TM. If the trademark is registered, an organization should use a capital R that is encircled.
Copyright
A copyright ensures that a work that is authored is protected for any form of reproduction or use without the consent of the copyright holder, usually the author or artist who created the original work. A copyright lasts longer than a patent. Although the U.S. Copyright Office has several guidelines to determine the amount of time a copyright lasts, the general rule for works created after January 1, 1978, is the life of the author plus 70 years.
In 1996, the World Intellectual Property Organization (WIPO) standardized the treatment of digital copyrights. Copyright management information (CMI) is licensing and ownership information that is added to any digital work. In this standardization, WIPO stipulated that CMI included in copyrighted material cannot be altered.
The symbol shown in Figure 10-3 denotes a work that is copyrighted.
Software Piracy and Licensing Issues
To understand software piracy and licensing issues, professionals should understand the following terms that are used to differentiate between the types of software available:
• Freeware: Software available free of charge, including all rights to copy, distribute, and modify the software.
• Shareware: Software that is shared for a limited time. After a certain amount of time (the trial period), the software requires that the user purchase the software to access all the software’s features. This is also referred to as trialware.
• Commercial software: Software that is licensed by a commercial entity for purchase in a wholesale or retail market.
Software piracy is the unauthorized reproduction or distribution of copyrighted software. Although software piracy is a worldwide issue, it is much more prevalent in Asia, Europe, Latin America, and Africa/Middle East. Part of the problem with software piracy stems from the cross-jurisdictional issues that arise. Obtaining the cooperation of foreign law enforcement agencies and government is often difficult or impossible. Combine this with the availability of the hardware needed to create pirated software and the speed with which it can be made, and you have a problem that will only increase over the coming years.
Security professionals and the organizations they work with must ensure that the organization takes measures to ensure that employees understand the implications of installing pirated software. In addition, large organizations might need to utilize an enterprise software inventory application that will provide administrators with a report on the software that is installed.
Internal Protection
As mentioned earlier in this chapter, employees are the greatest threat for any organization. For this reason, organizations should take measures to protect confidential resources from unauthorized internal access. Any information that is part of a patent, trade secret, trademark, or copyright should be marked and given the appropriate classification. Access controls should be customized for this information, and audit controls should be implemented that alert personnel should any access occur. Due care procedures and policies must be in place to ensure that any laws that protect these assets can be used to prosecute an offender.
Privacy
When considering technology and its use today, privacy is a major concern of users. This privacy concern usually covers three areas: which personal information can be shared with whom, whether messages can be exchanged confidentially and whether and how one can send messages anonymously. Privacy is an integral part of any security measures that an organization takes.
As part of the security measures that organizations must take to protect privacy, personally identifiable information (PII) must be understood, identified, and protected. Organizations must also understand the privacy laws that governments have adopted. Finally, organizations must ensure that they comply with all laws and regulations regarding privacy.
Personally Identifiable Information (PII)
Personally identifiable information (PII) is any piece of data that can be used alone or with other information to identify a single person. Any PII that an organization collects must be protected in the strongest manner possible. PII includes full name, identification numbers (including driver’s license number and Social Security numbers), date of birth, place of birth, biometric data, financial account numbers (both bank account and credit card numbers), and digital identities (including social media names and tags).
Keep in mind that different countries and levels of government can have different qualifiers for identifying PII. Security professionals must ensure that they understand international, national, state, and local regulations and laws regarding PII. As the theft of this data becomes even more prevalent, you can expect more laws to be enacted that will affect your job.
A complex listing of PII is shown in Figure 10-4.
Laws and Regulations
Security professionals are usually not lawyers. As such, they are not expected to understand all the specifics of the laws that affect their organization. However, security professionals must be aware of the laws and at minimum understand how those laws affect the operations of their organization. For example, a security professional at a health care facility would need to understand all security guidelines in the Health Insurance Portability and Accountability Act (HIPAA) as well as the Patient Protection and Affordable Care Act (PPACA) and Health Care and Education Reconciliation Act of 2010, commonly known as Obamacare.
Note
At the time of publication of this book, Obamacare was not specifically part of the CISSP exam. The authors of this book are including Obamacare in anticipation of future revisions to the CISSP content.
This section discusses many of the laws that will affect a security professional. For testing purposes, you need not worry about all the details of the law. You simply need to understand the law’s name(s), purpose, and the industry it affects (if applicable).
Sarbanes-Oxley (SOX) Act
The Public Company Accounting Reform and Investor Protection Act of 2002, more commonly known as the Sarbanes-Oxley (SOX) Act, affects any organization that is publicly traded in the United States. It controls the accounting methods and financial reporting for the organizations and stipulates penalties and even jail time for executive officers.
Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act (HIPAA), also known as the Kennedy-Kassebaum Act, affects all healthcare facilities, health insurance companies, and healthcare clearing houses. It is enforced by the Office of Civil Rights of the Department of Health and Human Services. It provides standards and procedures for storing, using, and transmitting medical information and healthcare data. HIPAA overrides state laws unless the state laws are stricter.
Gramm-Leach-Bliley Act (GLBA) of 1999
The Gramm-Leach-Bliley Act (GLBA) of 1999 affects all financial institutions, including banks, loan companies, insurance companies, investment companies, and credit card providers. It provides guidelines for securing all financial information and prohibits sharing financial information with third parties. This act directly affects the security of PII.
Computer Fraud and Abuse Act (CFAA)
The Computer Fraud and Abuse Act (CFAA) of 1986 affects any entities that might engage in hacking of “protected computers” as defined in the Act. It was amended in 1989, 1994, 1996, in 2001 by the USA PATRIOT Act, in 2002, and in 2008 by the Identity Theft Enforcement and Restitution Act. A “protected computer” is a computer used exclusively by a financial institution or the United States government or used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States. Due to the inter-state nature of most Internet communication, any ordinary computer has come under the jurisdiction of the law, including cellphones. The law includes several definitions of hacking, including knowingly accessing a computer without authorization, intentionally accessing a computer to obtain financial records, U.S. government information, or protected computer information, and transmitting fraudulent commerce communication with the intent to extort.
Federal Privacy Act of 1974
The Federal Privacy Act of 1974 affects any computer that contains records used by a federal agency. It provides guidelines collection, maintenance, use, and dissemination of personally identifiable information about individuals that is maintained in systems of records by federal agencies on collecting, maintaining, using, and distributing PII that is maintained in systems of records by federal agencies.
Federal Intelligence Surveillance Act (FISA) of 1978
The Federal Intelligence Surveillance Act (FISA) of 1978 affects law enforcement and intelligence agencies. It was the first act to give procedures for the physical and electronic surveillance and collection of “foreign intelligence information” between “foreign powers” and “agents of foreign powers” and only applied to traffic within the United States. It was amended by the USA PATRIOT Act of 2001 and the FISA Amendments Act of 2008.
Electronic Communications Privacy Act (ECPA) of 1986
The Electronic Communications Privacy Act (ECPA) of 1986 affects law enforcement and intelligence agencies. It extended government restrictions on wiretaps from telephone calls to include transmissions of electronic data by computer and prohibited access to stored electronic communications. It was amended by the Communications Assistance to Law Enforcement Act (CALEA) of 1994, the USA PATRIOT Act of 2001, and the FISA Amendments Act of 2008.
Computer Security Act of 1987
The Computer Security Act of 1987 was superseded by the Federal Information Security Management Act of 2002. This Act was the first law written to require a formal computer security plan. It was written to protect and defend any of the sensitive information in the federal government systems and provide security for that information. It also placed requirements on government agencies to train employees and identify sensitive systems.
United States Federal Sentencing Guidelines of 1991
The United States Federal Sentencing Guidelines of 1991 affects individuals and organizations convicted of felonies and serious (Class A) misdemeanors. It provides guidelines to prevent sentencing disparities that existed across the United States.
Communications Assistance for Law Enforcement Act (CALEA) of 1994
The Communications Assistance for Law Enforcement Act (CALEA) of 1994 affects law enforcement and intelligence agencies. It requires telecommunications carriers and manufacturers of telecommunications equipment to modify and design their equipment, facilities, and services to ensure that they have built-in surveillance capabilities. This allows federal agencies to monitor all telephone, broadband Internet, and VoIP traffic in real time.
Personal Information Protection and Electronic Documents Act (PIPEDA)
The Personal Information Protection and Electronic Documents Act (PIPEDA) affects how private sector organizations collect, use, and disclose personal information in the course of commercial business in Canada. The Act was written to address European Union concerns over the security of PII in Canada. The law requires organizations to obtain consent when they collect, use, or disclose personal information and to have personal information policies that are clear, understandable, and readily available.
Basel II
Basel II affects financial institutions. It addresses minimum capital requirements, supervisory review, and market discipline. Its main purpose is to protect against risks the banks and other financial institutions face.
Payment Card Industry Data Security Standard (PCI DSS)
The Payment Card Industry Data Security Standard (PCI DSS) affects any organizations that handle cardholder information for the major credit card companies. The latest version is version 2.0. To prove compliance with the standard, an organization must be reviewed annually. Although it is not a law, this standard has affected the adoption of several state laws.
Federal Information Security Management Act of 2002
The Federal Information Security Management Act (FISMA) of 2002 affects every federal agency. It requires the federal agencies to develop, document, and implement an agency-wide information security program.
Economic Espionage Act of 1996
The Economic Espionage Act of 1996 covers a multitude of issues because of the way the Act was structured. But for the purposes of the CISSP exam, this Act affects companies that have trade secrets and any individuals who plan to use encryption technology for criminal activities. A trade secret does not need to be tangible to be protected by this Act. Per this law, theft of a trade secret is now a federal crime, and the United States Sentencing Commission must provide specific information in its reports regarding encryption or scrambling technology that is used illegally.
USA PATRIOT Act
The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act of 2001 affects law enforcement and intelligence agencies in the United States. Its purpose is to enhance the investigatory tools that law enforcement can use, including e-mail communications, telephone records, Internet communications, medical records, and financial records. When this law was enacted, it amended several other laws, including FISA and the Electronic Communications Privacy Act of 1986.
Although the USA PATRIOT Act does not restrict private citizen use of investigatory tools, exceptions include if the private citizen is acting as a government agent (even if not formally employed), if the private citizen conducts a search that would require law enforcement to have a warrant, if the government is aware of the private citizen’s search, or if the private citizen is performing a search to help the government.
Health Care and Education Reconciliation Act of 2010
The Health Care and Education Reconciliation Act of 2010 affects health care and educational organizations. For the CISSP exam, this Act increased some of the security measures that must be taken to protect health care information.
Employee Privacy Issues and Expectation of Privacy
Employee privacy issues must be addressed by all organizations to ensure that the organization is protected. However, organizations must give employees the proper notice of any monitoring that might be used. Organizations must also ensure that the monitoring of employees is applied in a consistent manner. Many organizations implement a No Expectation of Privacy policy that the employee must sign after receiving the appropriate training. Keep in mind that this policy should specifically describe any unacceptable behavior. Companies should also keep in mind that some actions are protected by the Fourth Amendment. Security professionals and senior management should consult with legal counsel when designing and implementing any monitoring solution.
European Union
The European Union (EU) has implemented several laws and regulations that affect security and privacy. The European Union Principles on Privacy includes strict laws to protect private data. The EU’s Data Protection Directive provides direction on how to follow the laws set forth in the principles. The EU then created the Safe Harbor Privacy Principles to help guide United States organization in compliance with the EU Principles on Privacy. Some of the guidelines include the following:
Data should be collected in accordance with the law.
Information collected about an individual cannot be shared with other organizations unless given explicit permission by the individual.
Information transferred to other organizations can only be transferred if the sharing organization has adequate security in place.
Data should be used only for the purpose for which it was collected.
Data should be used only for a reasonable period of time.
Note
Do not confuse the term safe harbor with data haven. According to the EU, a safe harbor is an entity that conforms to all the requirements of the EU Principles on Privacy. A data haven is a country that fails to legally protect personal data with the main aim being to attract companies engaged in the collection of the data.
The EU Electronic Security Directive defines electronic signature principles. In this directive, a signature must be uniquely linked to the signer and to the data to which it relates so that any subsequent data change is detectable. The signature must be capable of identifying the signer.
Export/Import Issues
Many organizations today develop trade relationships with organizations that are located in other countries. Organizations must be aware of the export and import laws of the countries of both the source and destination countries. Encryption technologies are some of the most restricted technologies in regard to import and export laws. Although the United States does limit the export of encryption technologies for national security reasons, other countries, such as China and Russia, limit the import of these same technologies because the countries do not want their citizens to have access to them.
Any organization that engages in export and import activities with entities based in other countries should ensure that legal counsel is involved in the process to ensure that all laws and regulations are followed.
Compliance
Organizations must ensure that they are in compliance with all laws and regulations, including international regulations and laws. Senior management can no longer claim ignorance in regard to negligence of the organization. Because laws and regulations are constantly being enacted by government agencies, organizations must ensure that security professionals obtain the proper training to ensure compliance. As mentioned earlier in this section, the organization should obtain proper legal counsel to provide adequate protection against future prosecution, both for the organization and its senior management.
Liability
Liability is the status of being legally responsible to another entity because of your actions or negligence. With the advent of recent laws that hold senior management responsible for organizational liability, organizations and their senior management can no longer afford to turn a blind eye to security issues. Liability is one of the most important concepts in law so security professionals should be aware of its implications.
Security professionals must understand several liability concepts:
Due diligence versus due care
Negligence
Liability issues, including personal information, hackers, third-party outsourcing, contracts, procurements, and vendors
Due Diligence Versus Due Care
Due diligence and due care are two related terms that affect liability. Due diligence means that an organization understands the security risks that it faces. Due care means that an organization takes all the actions it can reasonably take to prevent security issues or to mitigate damage if security breaches occur. Due care and due diligence often go hand-in-hand but must be understood separately before they can be considered together.
Due diligence is all about gathering information. Organizations must institute the appropriate procedures to determine any risks to organizational assets. Due diligence then provides the information necessary to ensure that the organization practices due care. Without adequate due diligence, due care cannot occur.
Due care is all about action. Organizations must institute the appropriate protections and procedures for all organizational assets, especially intellectual property. In due care, failure to meet minimum standards and practices is considered negligent. If an organization does not take actions that a prudent person would have taken under similar circumstances, the organization is negligent.
As you can see, due diligence and due care have a dependent relationship. When due diligence occurs, organizations will recognize areas of risk. Examples include an organization determining that regular personnel do not understand basic security issues, that printed documentation is not being discarded appropriately, and that employees are accessing files to which they should not have access. When due care occurs, organizations take the areas of identified risk and implement plans to protect against the risks. For the identified due diligence examples, due care examples to implement include providing personnel security awareness training, putting procedures into place for proper destruction of printed documentation, and implementing appropriate access controls for all files.
Note
Risk is a term that is commonly associated with due diligence and due care. For more information on risk management, refer to Chapter 4, “Information Security Governance and Risk Management.”
Negligence
Negligence means that an organization was careless and as a result of being careless, some person or organization was injured. Negligence serves as a basis for lawsuits. On any given day, examples exist of organizations who are being accused of negligence, and often these negligence suits involve legal action against senior management. Under the principle of culpable negligence, senior management can be held liable for losses that result from computer system breaches if senior management did not ensure that the organization exercised due care in protecting computer resources.
Penalties that an organization can accrue due to negligence can include both civil and criminal penalties. Civil penalties usually result in compensation being paid to the victim, and criminal penalties can result in fines and jail time. For this reason, organizations must ensure that unreasonable risks are prevented. Proximate cause is a term that is associated with negligence. Proximate cause proves that an injury to one party occurred due to the negligence of another party.
Liability Issues
As stated earlier, liability is the status of being legally responsible to another entity because of your actions or negligence. But often liability is not thoroughly understood because organizations do not fully analyze downstream liability.
Downstream liability refers to liability that an organization accrues due to partnerships with other organizations and customers. For example, consider an organization that does not have the appropriate procedures in place to ensure that its firewall has the security updates that it needs. If hackers later break into the network through this security hole and steal data used for identity theft, the customers can then sue the organization for negligence. This is an example of a downstream liability. Liability issues that an organization must consider include personal information, hackers, third-party outsourcing, and contracts and procurements.
As mentioned in the earlier section on PII, organizations have a legal obligation to protect any PII that it is collecting as well as the assets on which the PII resides. Organizations must also ensure that the appropriate procedures are in place to ensure that personnel do not inadvertently disclose PII by training personnel on proper handling procedures.
Hackers are most often interested in seeing how far their skills will take them. They often deviate from the accepted norms of security. Security professionals must ensure that they keep up with the latest techniques and tools used by hackers. Hackers often use tools such as Crack, John the Ripper, Nessus, Saint, Nmap, and LOphtCrack. Security professionals can then use these tools in an ethical manner to perform their own internal penetration testing.
Third-party outsourcing is also a liability that many organizations do not consider as part of their risk assessment. Any outsourcing agreement must ensure that the information that is entrusted to the other organization is protected by the proper security measures to fulfill all the regulatory and legal requirements.
Similar to third-party outsourcing, contract and procurement processes must be formalized. Organizations should establish procedures for managing all contracts and procurements to ensure that they include all the regulatory and legal requirements. Periodic reviews should occur to ensure that the contractual organization is complying with the guidelines of the contract.
Incident Response
Incident response is vital to every organization to ensure that any security incidents are detected, contained, and investigated. Incident response is the beginning of any investigation. After an incident has been discovered, incident response personnel perform specific tasks. During the entire incident response, the incident response team must ensure that they follow proper procedures to ensure that evidence is preserved.
As part of incident response, security professionals must understand the difference between events and incidents (see the following section). The incident response team must have the appropriate incident response procedures in place to ensure that the incident is handled, but the procedures must not hinder any forensic investigations that might be needed to ensure that parties are held responsible for any illegal actions. Security professionals must understand the rules of engagement and the authorization and scope of any incident investigation.
Note
Incident response, particularly incident response procedures, is discussed in more detail in Chapter 8, “Operations Security.”
Event Versus Incident
In regard to incident response, a basic difference exists between events and incidents. An event is a change of state that occurs. Whereas events include both negative and positive events, incident response focuses more on negative events—events that have been deemed as negatively impacting the organization. An incident is a series of events that negatively impact an organization’s operations and security.
Events can only be detected if an organization has established the proper auditing and security mechanisms to monitor activity. A single negative event might occur. For example, the auditing log might show that an invalid login attempt occurred. By itself, this login attempt is not a security concern. However, if many invalid login attempts occur over a period of a few hours, the organization might be undergoing an attack. The initial invalid login is considered an event, but the series of invalid login attempts over a few hours would be an incident, especially if it is discovered that the invalid login attempts all originated at the same IP address.
Incident Response Team and Incident Investigations
When establishing the incident response team, organization must consider the technical knowledge of each individual. The members of the team must understand the organization’s security policy and have strong communication skills. Members should also receive training in incident response and investigations.
When an incident has occurred, the primary goal of the team is to contain the attack and repair any damage caused by the incident. Security isolation of an incident scene should start immediately when the incident is discovered. Evidence must be preserved, and the appropriate authorities should be notified.
The incident response team should have access to the incident response plan. This plan should include the list of authorities to contact, team roles and responsibilities, an internal contact list, securing and preserving evidence procedures, and a list of investigations experts who can be contacted for help. A step-by-step manual should be created that the incident response team must follow to ensure that no steps are skipped. After the incident response process has been engaged, all incident response actions should be documented.
If the incident response team determines that a crime has been committed, senior management and the proper authorities should be contacted immediately.
Rules of Engagement, Authorization, and Scope
An organization ought to document the rules of engagement, authorization, and scope for the incident response team. The rules of engagement define which actions are acceptable and unacceptable if an incident has occurred. The authorization and scope provides the incident response team with the authority to perform an investigation and with the allowable scope of any investigation they must undertake.
The rules of engagement act as a guideline for the incident response team to ensure that they do not cross the line from enticement into entrapment. Enticement occurs when the opportunity for illegal actions is provided (luring) but the attacker makes his own decision to perform the action, and entrapment means to encourage someone to commit a crime that the individual might have had no intention of committing. Enticement is legal but does raise ethical arguments and might not be admissible in court. Conversely, entrapment is illegal.
Incident Response Procedures
When performing incident response, it is important that the incident response team follow incident response procedures. Depending on where you look, you might find different steps or phases included as part of the incident response process.
For the CISSP exam, you need to remember the following steps:
1. Detect the incident.
2. Respond to the incident.
3. Report the incident to the appropriate personnel.
4. Recover from the incident.
5. Remediate all components affected by the incident to ensure that all traces of the incident have been removed.
6. Review the incident, and document all findings.
The actual investigation of the incident occurs during the respond, report, and recover steps. Following appropriate forensic and digital investigation processes during the investigation can ensure that evidence is preserved.
The incident response process is shown in Figure 10-5.
Figure 10-5. Incident Response Process
Note
To learn more about the incident response procedures, refer to the “Incident Response Management” section in Chapter 8, “Operations Security.”
Forensic and Digital Investigations
Computer investigations require different procedures than regular investigations because the timeframe for the investigator is compressed and an expert might be required to assist in the investigation. Also, computer information is intangible and often requires extra care to ensure that the data is retained in its original format. Finally, the evidence in a computer crime is much more difficult to gather.
After a decision has been made to investigate a computer crime, you should follow standardized procedures, including the following:
• Identify what type of system is to be seized.
• Identify the search and seizure team members.
• Determine the risk that the suspect will destroy evidence.
After law enforcement has been informed of a computer crime, the organization’s investigator’s constraints are increased. Turning the investigation over to law enforcement to ensure that evidence is preserved properly might be necessary.
When investigating a computer crime, evidentiary rules must be addressed. Computer evidence should prove a fact that is material to the case and must be reliable. The chain of custody must be maintained. Computer evidence is less likely to be admitted in court as evidence if the process for producing it must be documented.
Any forensic investigation involves the following steps:
1. Identification
2. Preservation
3. Collection
4. Examination
5. Analysis
6. Presentation
7. Decision
The forensic investigation process is shown in Figure 10-6.
Figure 10-6. Forensic Investigation Process
The following sections cover these forensic investigation steps in detail as well as explain IOCE/SWGDE, the crime scene, MOM, the chain of custody, and interviewing.
Identify Evidence
The first step in any forensic investigation is to identify and secure the crime scene and identify the evidence. Identifying the evidence is done through reviewing audit logs, monitoring systems, analyzing user complaints, and analyzing detection mechanisms. Initially, the investigators might be unsure of which evidence is important. Preserving evidence that you might not need is always better than wishing you had evidence that you did not retain.
Identifying the crime scene is also part of this step. In digital investigations, the attacked system is considered the crime scene. In some cases, the system from which the attack originated can also be considered part of the crime scene. However, fully capturing the attacker’s systems is not always possible. For this reason, you should ensure that you capture any data that can point to a specific system, such as capturing IP addresses, user names, and other identifiers.
Preserve and Collect Evidence
The next steps in forensic investigations include preserving and collecting evidence. This involves making system images, implementing chain of custody (which is discussed in detail in its own section later), documenting the evidence, and recording timestamps.
Before collecting any evidence, consider the order of volatility. This order ensures that investigators collect evidence from the components that are most volatile first.
The order of volatility is as follows:
1. Memory contents
2. Swap files
3. Network processes
4. System processes
5. File system information
6. Raw disk blocks
To make system images, you need to use a tool that creates a bit-level copy of the system. In most cases, you must isolate the system and remove it from production to create this bit-level copy. You should ensure that two copies of the image are retained. One copy of the image will be stored to ensure that an undamaged, accurate copy is available as evidence. The other copy will be used during the examination and analysis steps. Message digests should be used to ensure data integrity.
Although the system image is usually the most important piece of evidence, it is not the only piece of evidence you need. You might also need to capture data that is stored in cache, process tables, memory, and the registry. When documenting a computer attack, you should use a bound notebook to keep notes.
Remember that using experts in digital investigations to ensure that evidence is properly preserved and collected might be necessary. Investigators usually assemble a field kit to help in the investigation process. This kit might include tags and labels, disassembly tools, and tamper-evident packaging. Commercial field kits are available, or you could assemble your own based on organizational needs.
Examine and Analyze Evidence
After evidence has been preserved and collected, the investigator then needs to examine and analyze the evidence. While examining evidence, any characteristics, such as timestamps and identification properties, should be determined and documented. After the evidence has been fully analyzed using scientific methods, the full incident should be reconstructed and documented.
Present Findings
After and examination and analysis of the evidence, it must be presented as evidence in court. In most cases when presenting evidence in court, presenting the findings in a format the audience can understand is best. Although an expert should be used to testify as to the findings, it is important that the expert be able to articulate to a non-technical audience the details of the evidence.
Decide
At the end of the court proceeding, a decision will be made as to the guilt or innocence of the accused party. At that time, evidence will no longer need to be retained. However, documenting any lessons learned from the incident is important. Any individuals involved in any part of the investigation should be a part of this lessons-learned session.
IOCE/SWGDE
The International Organization on Computer Evidence (IOCE) and Scientific Working Group on Digital Evidence (SWGDE) are two groups that study digital forensics and help to establish standards for digital investigations. Both groups release guidelines on many formats of digital information, including computer data, mobile device data, automobile computer systems data, and so on. Any investigators should ensure that they comply with the principles from these groups.
The main principles as documented by IOCE are as follows:
• The general rules of evidence should be applied to all digital evidence.
• Upon seizing digital evidence, actions taken should not change that evidence.
• When a person needs to access original digital evidence, that person should be suitably trained for the purpose.
• All activity relating to the seizure, access, storage, or transfer of digital evidence must be fully documented, preserved, and available for review.
• An individual is responsible for all actions taken with respect to digital evidence while the digital evidence is in his possession.
Crime Scene
A crime scene is the environment in which potential evidence exists. After the crime scene has been identified, steps should be taken to ensure that the environment is protected, including both the physical and virtual environment. To secure the physical crime scene, an investigator might need to isolate the systems involved by removing them from a network. However, the systems should NOT be powered down until the investigator is sure that all digital evidence has been captured. Remember: Live computer data is dynamic and is possibly stored in several volatile locations.
Access to the crime scene should be tightly controlled and limited only to individuals who are vital to the investigation. As part of the documentation process, make sure to note anyone who has access to the crime scene. After a crime scene is contaminated, no way exists to restore it to the original condition.
MOM
Documenting motive, opportunity, and means (MOM) is the most basic strategy for determining suspects. Motive is all about why the crime was committed and who committed the crime. Opportunity is all about where and when the crime occurred. Means is all about how the crime was carried out by the suspect. Any suspect that is considered must possess all three of these qualities. For example, a suspect might have a motive for a crime (being dismissed from the organization) and an opportunity for committing the crime (user accounts were not disabled properly) but might not possess the means to carry out the crime.
Understanding MOM can help any investigator to narrow down the list of suspects.
Chain of Custody
At the beginning of any investigation, you should ask the questions who, what, when, where, and how. These questions can help to get all the data needed for the chain of custody. The chain of custody shows who controlled the evidence, who secured the evidence, and who obtained the evidence. A proper chain of custody must be preserved to successfully prosecute a suspect. To preserve a proper chain of custody, the evidence must be collected following pre-defined procedures in accordance with all laws and regulations.
The primary purpose of the chain of custody is to ensure that evidence is admissible in court. Law enforcement officers emphasize chain of custody in any investigations that they conduct. Involving law enforcement early in the process during an investigation can help to ensure that the proper chain of custody is followed.
Interviewing
An investigation often involves interviewing suspects and witnesses. One person should be in charge of all interviews. Because evidence needs to be obtained, ensuring that the interviewer understands what information needs to be obtained and all the questions to cover is important. Reading a suspect his rights is ONLY necessary if law enforcement is performing the interview. Recording the interview might be a good idea to provide corroboration later when the interview is used as evidence.
If an employee is suspected of a computer crime, a representative of the human resources department should be involved in any interrogation of the suspect. The employee should only be interviewed by an individual who is senior to that employee.
Evidence
For evidence to be admissible, it must be relevant, legally permissible, reliable, properly identified, and properly preserved. Relevant means that it must prove a material fact related to the crime in that it shows a crime has been committed, can provide information describing the crime, can provide information regarding the perpetuator’s motives, or can verify what occurred. Reliability means that it has not been tampered with or modified. Preservation means that the evidence is not subject to damage or destruction.
All evidence must be tagged. When creating evidence tags, be sure to document the mode and means of transportation, a complete description of evidence including quality, who received the evidence, and who had access to the evidence.
Any investigator must ensure that evidence adheres to the five rules of evidence. In addition, the investigator must understand each type of evidence that can be obtained and how each type can be used in court. Investigators must follow surveillance, search, and seizure guidelines. Finally, investigators must understand the differences between media, software, network, and hardware/embedded device analysis.
Five Rules of Evidence
When gathering evidence, an investigator must ensure that the evidence meets the five rules that govern it:
• Be authentic.
• Be accurate.
• Be complete.
• Be convincing.
• Be admissible.
Because digital evidence is more volatile than other evidence, it still must meet these five rules.
Types of Evidence
An investigator must be aware of the types of evidence used in court to ensure that all evidence is admissible. Sometimes the type of evidence determines its admissibility.
The types of evidence that you should understand are as follows:
• Best evidence
• Secondary evidence
• Direct evidence
• Conclusive evidence
• Circumstantial evidence
• Corroborative evidence
• Opinion evidence
• Hearsay evidence
Best Evidence
The best evidence rule states that when evidence, such as a document or recording, is presented, only the original will be accepted unless a legitimate reason exists for why the original cannot be used. In most cases, digital evidence is not considered best evidence because investigators must capture copies of the original data and state.
However, courts may apply the best evidence rule to digital evidence in a case-by-case basis, depending on the evidence and the situation. In this situation, the copy must be proved by an expert witness who can testify as to the contents and confirm that it is an accurate copy of the original.
Secondary Evidence
Secondary evidence has been reproduced from an original or substituted for an original item. Copies of original documents and oral testimony are considered secondary evidence.
Direct Evidence
Direct evidence proves or disproves a fact through oral testimony based on information gathered through the witness’s senses. A witness can testify on what he saw, smelled, heard, tasted, or felt. This is considered direct evidence. Only the witness can give direct evidence. No one else can report on what the witness told them because that is considered hearsay evidence.
Conclusive Evidence
Conclusive evidence does not require any other corroboration and cannot be contradicted by any other evidence.
Circumstantial Evidence
Circumstantial evidence provides inference of information from other intermediate relevant facts. This evidence makes a jury come to a conclusion by using a fact to imply that another fact is true or untrue. An example is implying that a former employee committed an act against an organization due to his dislike of the organization after his dismissal.
Corroborative Evidence
Corroborative evidence supports another piece of evidence. For example, if a suspect produces a receipt to prove he was at a particular restaurant at a certain time and then a waitress testifies that she waited on the suspect, then the waitress provides corroborating evidence through her testimony.
Opinion Evidence
Opinion evidence is based on what the witness thinks, feels, or infers regarding the facts. However, if an expert witness is used, that expert is able to testify on a fact based on his knowledge in a certain area. For example, a psychiatrist can testify as to conclusions on a suspect’s state of mind. Expert testimony is not considered opinion evidence because of the expert’s knowledge and experience.
Hearsay Evidence
Hearsay evidence, as mentioned earlier, is evidence that is secondhand where the witness does not have direct knowledge of the fact asserted but knows it only from being told by someone. In some cases, computer-based evidence is considered hearsay, especially if an expert cannot testify as to the accuracy and integrity of the evidence.
Surveillance, Search, and Seizure
Surveillance, search, and seizure are important facets of any investigation. Surveillance is the act of monitoring behavior, activities, or other changing information, usually of people. Search is the act of pursuing items or information. Seizure is the act of taking custody of physical or digital components.
Two types of surveillance are used by investigators: physical surveillance and computer surveillance. Physical surveillance occurs when a person’s actions are reported or captured using cameras, direct observance, or closed-circuit TV. Computer surveillance occurs when a person’s actions are reported or captured using digital information, such as audit logs.
A search warrant is required in most cases to actively search a private site for evidence. For a search warrant to be issued, probable cause that a crime has been committed must be proven to a judge. The judge must also be given corroboration regarding the existence of evidence. The only time a search warrant does not need to be issued is during exigent circumstances, which are emergency circumstances that are necessary to prevent physical harm, the evidence destruction, the suspect’s escape, or some other consequence improperly frustrating legitimate law enforcement efforts. Exigent circumstances will have to be proven when the evidence is presented in court.
Seizure of evidence can only occur if the evidence is specifically listed as part of the search warrant unless the evidence is in plain view. Evidence specifically listed in the search warrant can be seized, and the search can only occur in areas specifically listed in the warrant.
Search and seizure rules do not apply to private organizations and individuals. Most organizations warn their employees that any files stored on organizational resources are considered property of the organization. This is usually part of any no-expectation-of-privacy policy.
Media Analysis
Investigators can perform many types of media analysis, depending on the media type.
The following types of media analysis can be used:
• Disk imaging: Creates an exact image of the contents of the hard drive.
• Slack space analysis: Analyzes the slack (marked as empty or reusable) space on the drive to see whether any old (marked for deletion) data can be retrieved.
• Content analysis: Analyzes the contents of the drive and gives a report detailing the types of data by percentage.
• Steganography analysis: Analyzes the files on a drive to see whether the files have been altered or to discover the encryption used on the file.
Software Analysis
Software analysis is a little harder to perform because it often requires the input of an expert on software code.
Software analysis techniques include the following:
• Content analysis: Analyzes the content of software, particularly malware, to determine for which purpose the software was created.
• Reverse engineering: Retrieves the source code of a program to study how the program performs certain operations.
• Author identification: Attempts to determine the software’s author.
• Context analysis: Analyzes the environment the software was found in to discover clues to determining risk.
Network Analysis
Network analysis involves the use of networking tools to provide logs and activity for evidence.
Network analysis techniques include the following:
• Communications analysis: Analyzes communication over a network by capturing all or part of the communication and searching for particular types of activity.
• Log analysis: Analyzes network traffic logs.
• Path tracing: Tracing the path of a particular traffic packet or traffic type to discover the route used by the attacker.
Hardware/Embedded Device Analysis
Hardware/embedded device analysis involves using the tools and firmware provided with devices to determine the actions that were performed on and by the device. The techniques used to analyze the hardware/embedded device vary based on the device. In most cases, the device vendor can provide advice on the best technique to use depending on what information you need. Log analysis, operating system analysis, and memory inspections are some of the general techniques used.
Security Professional Ethics
Ethics for any profession are the right and wrong actions that are the moral principle of that occupation. Security professionals, particularly those who hold the CISSP certification, should understand the ethics that are published by (ISC)2, the Computer Ethics Institute, the Internet Architecture Board (IAB), and the organization they are employed by.
(ISC)2 Code of Ethics
(ISC)2 provides a strict Code of Ethics for its certificate holders. All certificate holders must follow the Code of Ethics. Any reported violations of the code are investigated. Certificate holders who are found to be guilty of violation will have their certification revoked.
The four mandatory canons for the Code of Ethics are as follows:
• Protect society, the common good, necessary public trust and confidence, and the infrastructure.
• Act honorably, honestly, justly, responsibly, and legally.
• Provide diligent and competent service to principals.
• Advance and protect the profession.
Any certificate holders are required to report any actions by other certificate holders that they feel are in violation of the Code. If a certificate holder is reported, a peer review committee will investigate the actions and make a decision as to the certificate holder’s standing.
Certification is a privilege that must be earned and maintained. Certificate holders are expected to complete certain educational requirements to prove their continued competence in all aspects of security. They are also expected to promote the understanding and acceptance of prudent information security measures.
Computer Ethics Institute
The Computer Ethics Institute created the Ten Commandments of Computer Ethics. The following list summarizes these ten ethics:
• Do not use a computer for harm.
• Do not interfere with the computer work of other people.
• Do not snoop around in the computer files of other people.
• Do not use a computer to steal.
• Do not use a computer to lie.
• Do not install and use licensed software unless you have paid for it.
• Do not use another person’s computer unless you have permission or have paid the appropriate compensation for said usage.
• Do not appropriate another person’s intellectual output.
• Consider the consequences of the program you are writing or the system you are designing.
• Always use a computer in ways that ensure consideration and respect of other people and their property.
Internet Architecture Board
The Internet Architecture Board (IAB) oversees the design, engineering, and management of the Internet. This board meets regularly to review Internet standardization recommendations. Internet ethics is just a small part of the area they cover. Ethics statements issued by the IAB usually details any acts that they deem irresponsible. These actions include wasting resources, destroying data integrity, compromising privacy, and accessing resources that users are not authorized to access.
Request for Comments (RFC) 1087, called Ethics and the Internet, is the specific IAB document that outlines unethical Internet behavior. Refer to http://tools.ietf.org/html/rfc1087 for more information.
Organizational Ethics
Organizations should develop an internal ethics statement and ethics program. By adopting a formal statement and program, the organization is stressing to its employees that they are expected to act in an ethical manner in all business dealings.
Several laws in the United States can affect the development and adoption of an organizational ethics program. If an organization adopts an ethic program, the liability of the organization is often limited, even when the employees are guilty of wrongdoing, provided the organization ensures that personnel have been instructed on the organization’s ethics.
Exam Preparation Tasks
Review All Key Topics
Review the most important topics in this chapter, noted with the Key Topics icon in the outer margin of the page. Table 10-1 lists a reference of these key topics and the page numbers on which each is found.
Table 10-1. Key Topics for Chapter 10
Define Key Terms
Define the following key terms from this chapter and check your answers in the glossary:
computer-assisted crime
computer-targeted crime
incidental computer crime
computer prevalence crime
civil code law
common law
civil/tort law
compensatory damages
punitive damages
statutory damages
criminal law
administrative law
regulatory law
customary law
religious law
mixed law
patent
trade secret
trademark
copyright
software piracy
freeware
shareware
trialware
commercial software
personally identifiable information (PII)
Public Company Accounting Reform and Investor Protection Act of 2002
Sarbanes-Oxley (SOX) Act
Health Insurance Portability and Accountability Act (HIPAA)
Kennedy-Kassebaum Act
Gramm-Leach-Bliley Act (GLBA) of 1999
Computer Fraud and Abuse Act (CFAA) of 1986
protected computer
Federal Privacy Act of 1974
Federal Intelligence Surveillance Act (FISA) of 1978
Electronic Communications Privacy Act (ECPA) of 1986
Computer Security Act of 1987
United States Federal Sentencing Guidelines of 1991
Communications Assistance for Law Enforcement Act (CALEA) of 1994
Personal Information Protection and Electronic Documents Act (PIPEDA)
Basel II
Payment Card Industry Data Security Standard (PCI DSS)
Federal Information Security Management Act (FISMA) of 2002
Economic Espionage Act of 1996
Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act of 2001
Health Care and Education Reconciliation Act of 2010
liability
downstream liability
crime scene
MOM
best evidence rule
secondary evidence
direct evidence
conclusive evidence
circumstantial evidence
corroborative evidence
opinion evidence
hearsay evidence
surveillance
search
seizure
physical surveillance
computer surveillance
disk imaging
slack space analysis
content analysis, and steganography analysis.
Review Questions
1. Which type of crime occurs when a computer is used as a tool to help commit a crime?
a. computer-assisted crime
b. incidental computer crime
c. computer-targeted crime
d. computer prevalence crime
2. Which type of law system is based on written laws and does not use precedence?
a. common law
b. civil code law
c. criminal law
d. customary law
3. Which of the following protects intellectual property such as a symbol, sound, or expression that identifies a product or an organization from being used by another organization?
a. patent
b. copyright
c. trademark
d. trade secret
4. What is another name for the Public Company Accounting Reform and Investor Protection Act of 2002?
a. Kennedy-Kassebaum Act
b. USA PATRIOT
c. Obamacare
d. Sarbanes-Oxley Act
5. Which term is the status of being legally responsible to another entity because of your actions or negligence?
a. liability
b. due care
c. due diligence
d. negligence
6. What is the first step of the incident response process?
a. Respond to the incident.
b. Detect the incident.
c. Report the incident.
d. Recover from the incident.
7. What is the second step of the forensic investigations process?
a. Identification
b. Collection
c. Preservation
d. Examination
8. Which of the following is NOT one of the five rules of evidence?
a. Be accurate.
b. Be complete.
c. Be admissible.
d. Be volatile.
9. Which type of evidence has been reproduced from an original or substituted for an original item?
a. secondary evidence
b. best evidence
c. hearsay evidence
d. direct evidence
10. Which of the following is NOT one of the four mandatory canons of the (ISC)2 Code of Ethics?
a. Provide diligent and competent service to principals.
b. Always use a computer in ways that ensure consideration and respect of other people and their property.
c. Advance and protect the profession.
d. Act honorably, honestly, justly, responsibly, and legally.
Answers and Explanations
1. a. A computer-assisted crime occurs when a computer is used as a tool to help commit a crime. An incidental computer crime occurs when a computer is involved in a computer crime without being the victim of the attack or the attacker. A computer-targeted crime occurs when a computer is the victim of an attack in which the sole purpose is to harm the computer and its owner. A computer prevalence crime occurs due to the fact that computers are so widely used in today’s world.
2. b. Civil code law is based on written laws and does not use precedence. Common law is the type of law based on customs and precedent because no written laws were available. Criminal law is the type of law that covers any actions that are considered harmful to others. Customary law is the type of law based on the customs of a country or region.
3. c. A trademark ensures that a symbol, sound, or expression that identifies a product or an organization is protected from being used by another organization. A patent is granted to an individual or company to cover an invention that is described in the patent’s application. A copyright ensures that a work that is authored is protected from any form of reproduction or use without the consent of the copyright holder, usually the author or artist that created the original work. A trade secret gives an organization a competitive edge. Trade secrets include recipes, formulas, ingredient listings, and so on that must be protected against disclosure.
4. d. Another name for the Public Company Accounting Reform and Investor Protection Act of 2002 is the Sarbanes-Oxley Act. The Health Insurance Portability and Accountability Act is also known as the Kennedy-Kassebaum Act. The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act is also known as the USA PATRIOT Act. The Health Care and Education Reconciliation Act of 2010 is also known as Obamacare.
5. a. Liability is the status of being legally responsible to another entity because of your actions or negligence. Due care means that an organization takes all the actions it can reasonably take to prevent security issues or to mitigate damage is security breaches occur. Due diligence means that an organization understands the security risks that it faces. Negligence means that an organization was careless and as a result of being careless, some person or organization was injured.
6. b. The steps of the incident response process are as follows:
1. Detect the incident.
2. Respond to the incident.
3. Report the incident to the appropriate personnel.
4. Recover from the incident.
5. Remediate all components affected by the incident to ensure that all traces of the incident have been removed.
6. Review the incident, and document all findings.
7. c. The steps of the forensic investigation process are as follows:
1. Identification
2. Preservation
3. Collection
4. Examination
5. Analysis
6. Presentation
7. Decision
8. d. The five rules of evidence are as follows:
Be authentic.
Be accurate.
Be complete.
Be convincing.
Be admissible.
9. a. Secondary evidence has been reproduced from an original or substituted for an original item. Best evidence is an original item, such as an original document. Hearsay evidence is secondhand where the witness does not have direct knowledge of the fact asserted but knows it only from being told by someone. Direct evidence proves or disproves a fact through oral testimony based on information gathered through the witness’s senses.
10. b. The four mandatory canons of the (ISC)2 Code of Ethics are as follows:
Protect society, the common good, necessary public trust and confidence, and the infrastructure.
Act honorably, honestly, justly, responsibly, and legally.
Provide diligent and competent service to principals.
Advance and protect the profession.