As you can see from the table, the concept of what constitutes a crime varies from state to state. Some states require that there must be an intent to permanently deprive the owner of access to information for computer theft to occur. Other states require that the owner of the information must actually be deprived of the information (so a backup of the information might negate the violation of the law).
There is also a big difference when it comes to accessing systems. Some states require that the system must actually be accessed for the crime to occur. Other states make the unauthorized attempt itself the crime. Texas goes so far as to require the perpetrator to know that a security system is in place to prevent unauthorized access for there to be a crime. Finally, some states make the modifying or forging of e-mail headers a crime. This type of statute is directed at bulk e-mail or spam.
No matter what state your organization is in, check with local law enforcement and with your organization’s general counsel so that you understand the ramifications of the local laws. This will directly impact when you may choose to notify law enforcement of a computer incident.
EXAMPLES OF LAWS IN OTHER COUNTRIES
Computer crime laws in the United States vary from state to state. Internationally, laws vary from country to country. Many countries have no computer crime laws at all. For example, when the ILOVEYOU virus was traced to an individual who lived in the Philippines, he could not be prosecuted because the Philippines did not have a law that made it a crime to write and distribute a computer virus.
Computer crime laws in other countries may have an effect on computer crime investigations in the United States as well. If an investigation shows that the attack came from a computer system in another country, the FBI will attempt to get assistance from the law enforcement organizations in that country. If the other country has no computer crime laws, it is unlikely that they will assist in the investigation.
The following sections provide brief discussions of computer crime laws in three other countries. More specific information can be found by asking representatives of the foreign government (at an embassy or consulate) or by contacting the FBI.
50 Network Security: A Beginner’s Guide
Table 4-1. Summary of State Computer Crime Laws (continued)
Wisconsin: Offenses against computer data and programs; offenses against computers, computer equipment, or supplies. Copying of information is a crime.
Australia
Australian federal law specifies that unauthorized access to data in computers is a crime punishable by six months in jail (see Commonwealth Laws, Crimes Act 1914, Part VIA—Offences Relating to Computers). The punishment goes up to two years if the intent was to defraud or if the information was government-sensitive, financial, or trade secrets. It is also against the law for someone to gain unauthorized access to computers across facilities provided by the Commonwealth or by a carrier. No minimum damage amounts are specified. The punishment is based on the type of information that is accessed.
The Netherlands
Criminal Code Article 138a defines a crime called a breach of computer peace. A person found guilty of this crime can be sent to prison for up to six months or receive a fine of 10,000 guilders. To be guilty of the crime, the perpetrator must break into a system or impersonate an authorized user.
The punishment does not change based on the damage to the system or the type of information that is accessed.
United Kingdom
Computer crime statutes for the United Kingdom can be found in the Computer Misuse Act 1990, Chapter 18. The law defines unauthorized access to computer material as a crime. This access has to have intent and the individual who performs the act must know that the access is unauthorized. It is also a crime to cause unauthorized modifications or to cause a denial-of-service condition. The penalties for any modification or denial of service do not change based on whether the attack is temporary or permanent.
For a summary conviction, the penalties are up to six months in prison or a fine. If the individual is convicted on an indictment, the prison term may not exceed five years and there may also be a fine.
PROSECUTION
If your organization is the victim of computer crime, your organization might choose to contact law enforcement in order to prosecute the offenders. This choice should not be made in the heat of the incident. Rather, the options and how the organization may choose to proceed should be discussed in detail during the development of the organization’s incident response procedure (see Chapter 5). During the development of this procedure, your organization should involve legal counsel and also seek advice from local law enforcement. Your discussion with local law enforcement will provide information on their capabilities, their interest in computer crimes, and the type of damage that must be done before a crime actually occurs (remember 18 US Code 1030 requires a minimum of $5,000 in damage). As the incident occurs, your organization’s general counsel should be consulted before law enforcement is contacted.
Evidence Collection
Whether your organization chooses to prosecute or not, there are a number of things that can be done while the incident is investigated and the systems are returned to operation. First, we should dispel one myth that is prevalent in the security industry. The myth is that special precautions must be taken to preserve “evidence” if the perpetrator is to be prosecuted and if any of the information from the victim can be used in the prosecution. There are actually two parts to the correct information regarding this situation. First, if normal business procedures are followed, any information can be used to prosecute the perpetrator. This means that if you normally make backups of your systems and those backups contain information that shows where the attack came from or what was done, this information can be used. In this case, no special precautions need to be taken to safeguard the information as “evidence.” That is not to say that making extra copies before system administrators do anything to fix the system is not a good idea. However, it is not necessary.
The second point is a little more tricky. If your organization takes actions such as calling an outside consultant to perform a forensic examination of the system, you are now taking actions that are not part of normal business practices. In this case, your organization should take appropriate precautions. These may include:
▼ Making at least two image copies of the computer’s hard drives
■ Limiting access to one of the copies and bagging it so that any attempts to tamper with it can be identified
▲ Making secure checksums of the information on the disks so that changes to the information can be identified
In any case, the procedure to be followed should be developed prior to the event and should be created with the advice of organization counsel and law enforcement.
One other point to consider is that information on the victim computer system may not be the only location for information about the attack. Log files from network equipment or network monitoring systems may also provide information about the attack. Since the organization is the owner and operator of the computer network, this information can be gathered without violating the wiretap laws (18 US Code 2511 and 2701).
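The checklist above (two image copies, one of them sealed, plus secure checksums so that any change can be identified) can be reduced to a small manifest-and-verify routine. The following is an added example written for this edition and is not code from the book; the file names, the JSON manifest layout, the SHA-256 choice, and the sample "disk image" and firewall log line are all constructed for the demonstration.

```python
"""Added example: checksum manifest for evidence copies.

Hypothetical helper, not from the book. It models the checklist above:
make image copies, hash them with a strong digest, record the hashes in a
manifest, and re-verify later so that any change to a copy is detected.
The "disk image" and "firewall log" are constructed sample data.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large images need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_manifest(evidence_paths: list, manifest_path: Path) -> dict:
    """Record name, size and SHA-256 of every evidence item; return the manifest."""
    manifest = {
        "algorithm": "sha256",
        "items": [
            {"name": p.name, "size": p.stat().st_size, "sha256": sha256_of_file(p)}
            for p in evidence_paths
        ],
    }
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_manifest(manifest_path: Path, evidence_dir: Path) -> dict:
    """Re-hash every item in evidence_dir; report 'ok', 'modified' or 'missing'."""
    manifest = json.loads(manifest_path.read_text())
    results = {}
    for item in manifest["items"]:
        path = evidence_dir / item["name"]
        if not path.exists():
            results[item["name"]] = "missing"
        elif sha256_of_file(path) != item["sha256"]:
            results[item["name"]] = "modified"
        else:
            results[item["name"]] = "ok"
    return results


def demo() -> dict:
    """Constructed scenario: a sealed copy and a working copy that later gets altered."""
    workdir = Path(tempfile.mkdtemp(prefix="evidence-"))
    try:
        # Constructed stand-ins for the victim disk and a network device log.
        original = workdir / "sda.img"
        original.write_bytes(b"MBR" + bytes(range(256)) * 16)
        firewall_log = workdir / "firewall.log"
        firewall_log.write_text(
            "2001-05-04 02:13:07 DENY TCP 192.0.2.10:4412 -> 203.0.113.5:139\n"
        )

        # Two image copies: one sealed (access limited), one for the investigators.
        sealed, working = workdir / "sealed", workdir / "working"
        for copy_dir in (sealed, working):
            copy_dir.mkdir()
            shutil.copy2(original, copy_dir / original.name)
            shutil.copy2(firewall_log, copy_dir / firewall_log.name)

        manifest = workdir / "manifest.json"
        write_manifest([sealed / "sda.img", sealed / "firewall.log"], manifest)
        working_before = verify_manifest(manifest, working)

        # Someone "cleans up" the working copy; the manifest exposes the change.
        with (working / "sda.img").open("r+b") as fh:
            fh.write(b"\x00\x00\x00")  # overwrites the first three bytes ("MBR")
        working_after = verify_manifest(manifest, working)

        return {
            "working_before": working_before,
            "working_after": working_after,
            "sealed": verify_manifest(manifest, sealed),
        }
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest itself should be stored apart from the copies (and ideally printed and signed) so that whoever later questions a copy can compare against a record that was not on the same media.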
Contacting Law Enforcement
You should get your organization’s general counsel involved before law enforcement is contacted. The general counsel should be available to speak with law enforcement when they come on-site.
Once law enforcement is contacted and comes on-site to investigate, the rules change. Law enforcement will be acting as officers of the court and as such are bound by rules that must be followed in order to allow information that is gathered to be used as evidence. When law enforcement takes possession of backup copies or information from a system, they will control access to it and protect it as evidence according to their procedures.
Likewise, if further information is to be gathered from the network, law enforcement will have to get a subpoena or a warrant to gather more information. This document will either allow them to request logs from a service provider or to install monitoring equipment of their own. Without the warrant they will not be able to gather information off the network. Here again, they will follow their own procedures.
NOTE: Law enforcement does not require a warrant if the information is provided willingly (by the organization, for example). However, if law enforcement wants information from your site, it may be more appropriate for your organization to require a subpoena as this may protect you from some liability, for example, if you are an ISP and law enforcement wants your logs of an activity that traversed your network. In any case, a request for tapes or logs from law enforcement should be run through your organization’s legal office.
CIVIL ISSUES
Anyone can file a civil lawsuit against anyone for anything. That said, there is the potential for civil lawsuits when it comes to computers and the information they store. In this section of the chapter, I will be identifying some of the potential exposures that organizations may encounter. However, none of the following is intended to provide legal advice. For all legal advice, you should see your own attorney or the organization’s general counsel.
Employee Issues
Computers and computer networks are provided by an organization for the business use of employees. This simple concept should be spelled out to all employees (see Chapter 5 for a discussion of computer use policies). This means that the organization owns the systems and the network, and any information on the systems may be accessed by the organization at any time, so employees should have no expectation of privacy. To make sure that your policy on this matter complies with applicable laws, make sure that the organization’s general counsel is involved in the drafting of the policy. Privacy laws do differ from state to state.
Internal Monitoring
As the provider of the network and computer services, the organization is permitted to monitor information on the network and how the network is used (this is an exception to the wiretap laws). Employees should be informed that such activity may occur and this should be communicated to them via policy and via a login banner. A banner such as this may be appropriate:
This system is owned by <organization name> and provided for the use of authorized individuals. All actions on this computer or network may be monitored. Anyone using this system consents to this monitoring. There is no expectation of privacy on this system. All information on this or any organization computer system is the property of <organization name>. Evidence of illegal activities may be turned over to the proper law enforcement authorities.
A second point that should be made in the banner and in policies is that there is no expectation of privacy when using an organization computer system. The employee should be made aware of the fact that monitoring may and will happen and that files may and will be examined during the normal course of administration duties. The employee should have no expectation of privacy when using the organization’s computers or networks.
Policy Issues
Organization policy defines the appropriate operation of systems and behavior of employees. If employees violate organization policy, they may be disciplined or terminated.
To alleviate some potential legal issues, all employees should be provided copies of organization policies (including information and security policies) and asked to sign that they have received and understood the policies. This procedure should reoccur periodically (every year) so that the employee is reminded of the existing policies. These policies should restate the information in the login banner (no expectation of privacy, monitoring will happen, and so on).
Some employees may be sensitive to signing such documents. This activity should be coordinated with the Human Resources Department and with the organization’s general counsel.
Downstream Liability
A risk that should be taken into account when performing a risk assessment of an organization is the potential for downstream liability. The concept is that if an organization (Organization A) does not perform appropriate security measures and one of their systems is successfully penetrated, this system might then be used to attack another organization (Organization B). In this case, Organization A might be held liable by Organization B (see Figure 4-2). The question will be whether Organization A took reasonable care and appropriate measures to prevent this from occurring.
Reasonable care and appropriate measures will be determined by existing standards (such as the proposed ISO 17799) and best business practices (see Chapter 8). Once again, the information security staff of the organization should discuss this issue with the organization’s general counsel.
PRIVACY ISSUES
Privacy issues on the Internet are becoming a hot topic. We have already touched on the privacy issues when dealing with employees. This is not the only privacy issue that needs to be examined and handled properly. It is very possible that there will be legislation in the near future that defines how organizations should handle customer information, and there will soon be detailed regulations on the handling of health information.
Customer Information
Customer information does not belong to you or your organization. Customer information belongs to the customer. Therefore, the organization should take appropriate steps to safeguard customer information from unauthorized disclosure. This is not to say that customer information cannot be used, but care must be taken to make sure that customer information is used appropriately. This is one reason why many Internet sites notify the customer that some information may be used in mailing lists. Customers may also be given the option to keep their information from being used in this manner.
The issue that I wish to raise here is the issue of customer information being disclosed if the security of an organization is compromised. How can an organization decide if they have taken appropriate steps to prevent this type of disclosure? As with liability, the information security staff must work with the organization’s general counsel to understand the issues involved and to identify the appropriate measures to take.
Figure 4-2. Downstream liability
Health Information
On August 21, 1996, the Health Insurance Portability and Accountability Act (HIPAA) became law. This law places the responsibility for creating and enforcing the standards for the protection of health information under the Department of Health and Human Services. The act calls for the standardization of patient health information, unique identifiers for individuals, and most importantly, security standards for protecting the confidentiality and integrity of patient health information.
All healthcare organizations such as insurance companies, billing agencies, hospitals, doctors, employers, and any other organization that handles patient health information will be affected by these regulations. Violations may be punishable by civil and criminal penalties including fines up to $250,000 and imprisonment of up to ten years for knowingly misusing patient health information. At this time, it is expected that compliance will be required by 2003 depending on when the regulations are actually published. The regulations require compliance in the following areas:
▼ Administrative procedures
■ Physical safeguards
■ Technical security services
▲ Technical security mechanisms
It is expected that the regulations will specify appropriate mechanisms for everything from encryption of information to authentication. The need for procedures to safeguard the privacy of the information is also noted and defined.
Any organization that handles health care information should examine the regulations in detail to learn what must be done to be in compliance with the regulations. It is expected that health care organizations will expend significant resources in bringing their systems and procedures up to the regulations. The information security staff will need to work with the HIPAA compliance officer and the organization’s general counsel to make sure the organization meets the requirements.