Intro to Network Security - UW-P



Intro to Network Security

Legal Issues & Risk

Reading:

Network Security: The Complete Reference, Bragg, Rhodes-Ousley, Strassberg et al.

Chapter 30

Objectives:

The student shall be able to:

• Describe the main crimes covered in the Computer Fraud and Abuse Act.

• Describe the main crimes covered by the Electronic Communications Privacy Act

• Describe how to avoid copyright/trademark infringement, and child pornography handling violations.

• Describe how to reduce negligence relating to security in civil law suits.

• Describe the requirements that must be proven in prosecuting hackers – and describe what a company must do to achieve such proof.

• Define copyright, patent, trade secret and the differences between these.

• Define Risk Exposure, Single Loss Expectancy, Annualized Loss Expectancy, and calculate: Value of safeguard, or Risk Leverage.

• Perform the six steps of risk analysis.

Class Time:

Lecture 1.5 hours

Risk Exercise 1 hour

Total: 2.5 hours

Computer Law

Computer Fraud and Abuse Act (CFAA): 18 U.S.C. Section 1030

Summary:

• Protects the confidentiality, integrity, and availability of data and systems

• Prohibited access includes: hacking, viruses, logic bombs, ping floods, other threats

• Violations can result in criminal case and/or civil suit

Criminal Acts:

• Unauthorized access of government, nonpublic, or protected computers to commit fraud

• Intentional acts causing damage to computers

• Trafficking of passwords affecting interstate commerce or government computers

• Threats or extortion related to damage of protected computers

• Unauthorized access to national security information

‘Protected’ computer includes (1030(e)(2)):

• Computer used by a financial institution or the US govt., or

• Computer used in interstate or foreign commerce or communications or

• Computers outside of the US that affect US interstate commerce (2001 USA PATRIOT Act)

Required provisions:

• Access without or in excess of authorization

• Examples: Trespass or obtaining root access when not authorized

• Guilty: IRS auditor looking at taxpayer documents other than those of the case the agent is investigating

Damage: includes one or more of:

• At least $5,000 loss (includes cost of incident response, lost revenue, restoration of data/systems)

• Medical diagnosis, treatment, or care for one or more individuals

• Physical injury

• A threat to public health or safety

• Information relating to justice, national defense, or national security

Many states have their own cyber-crime statutes, particularly relating to trespass of non-government computers without damage.

Summary of Laws

|Law |Provisions |Charge |
|---|---|---|
|Computer Fraud & Abuse Act: 1030(a)(2) |Trespass ‘Protected’ Computer: Access computer without or in excess of authorization and obtaining financial information relating to interstate commerce or communication |Misdemeanor: Maximum 1 year sentence |
|1030(a)(2) |In combination with $5000 damage, financial gain, commercial advantage, or criminal purposes |Felony |
|1030(a)(3) |Trespass Government Computer: Any unauthorized access |First time offense: Misdemeanor |
|1030(a)(4) |Fraud: Unauthorized access with intent to defraud |First time offense: Felony, Maximum $250,000 fine, 5-year jail |
|1030(a)(4) |Trespass (use computer time), no damage |No offense |
|1030(a)(5) |Malware: Intentional release of worms and viruses, denial of service, intrusion; Reckless damage due to unauthorized access |Felony |
|1030(a)(5) |Damage due to negligence and unauthorized access |Misdemeanor |
|Electronic Communication Privacy Act (ECPA) 18 USC Section 2511(a) |Electronic Eavesdropping: Text or speech. Prohibits endeavoring to intercept communication or to disclose or use information obtained illegally. Example: Packet sniffers. Example: Monitoring VP’s emails without consent |Felony; Civil suits for actual, statutory, & punitive damages |
|ECPA 18 USC Section 2511(a) |Except in cases of self-defense or consent. Employer can protect rights and property. Consent: Provide banner, organizational policies, and/or employee handbook. Example: Sys Admin watching hacker’s actions |No offense |
|ECPA 18 USC Section 2701 |Stored Communications: Accessing information of any public or private communications provider (i.e. has email server), with unauthorized access (e.g., Sys Admin with cause is ok). Requirement: Company policy must define unauthorized access. |Misdemeanor |
|Homeland Security Act extensions |Extensions: With commercial gain, malicious destruction, or in furtherance of a criminal or tortious act |Felony |
|Economic Espionage Act 18 USC Sections 1831-39 |Stealing/Obtaining proprietary trade secrets with the knowledge or intent that the owner of the secret would suffer injury. Additional requirements include: unauthorized access, relates to interstate commerce. Applicable to insiders and outsiders. |Civil cases are filed under state trade-secret law. |
|Criminal Infringement of Copyright 18 USC Section 2319-20 |Copyright Infringement: Intentional electronic reproduction of copyrighted works with a value exceeding $2500. |Fine and/or imprisonment |
|Criminal Infringement of Copyright 18 USC Section 2319-20 |Criminal Trademark Infringement: Using/selling pirated copies of software or music with a counterfeited mark |Fine and/or imprisonment |
|Criminal Infringement of Copyright 18 USC Section 2319-20 |Contraband stored by a hacker or internal user, against company policies, and company reacts quickly after offending material is discovered. |No fault |
|Child Pornography 18 USC Section 2252/2252A |Child Pornography: Prohibits knowing possession of any printed, video, or digital file containing child pornography. Requirement: Transported interstate, knowledge of minority, and knowledge of sexually explicit material. (Unopened email ok.) However, must take immediate action to delete when found. |Felony |
|Gramm-Leach-Bliley Safeguards |Banking/Financial Industry: Restrictions for banking/financial industry with aim (in general) to “develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical and physical safeguards that are appropriate to its size and complexity, the nature and scope of its activities, and the sensitivity of any customer information at issue.” | |
|Health Insurance Portability and Accountability Act |Personal Health: Protection of personal health information, including appropriate administrative, technical and physical safeguards. (Perform risk assessment and adopt security measures commensurate with potential risk.) | |
|Sarbanes-Oxley 404 |Fraud: Annual audit must state responsibility of mgmt for establishing/maintaining adequate internal control structure and assess the internal control structure. |Felony, jail. |
|Civil Suits |Companies are becoming liable for: Vulnerability assessment, incident response plan, adoption of an information security program tailored to the organization’s risks, assignment of senior-level employee(s) with security responsibilities, and periodic revision of security plans in light of changing company risks. | |

Copyright, Patents, & Trade Secrets

Copyright: Protects the expression of an implementation of an idea

• Copyright protects result of art, literature, written scholarship

• Creative work: Story, photograph, music, drawing

“original works of authorship fixed in any tangible medium of expression,… from which they can be perceived, reproduced, or otherwise communicated, either directly or with the aid of a machine or device” – U.S. copyright law

• Protects an individual’s right to make a living

• Allows author the exclusive right to sell copies of the expression

• Lasts for 70 years beyond author’s death or 95 years after date of publication for company/organization

• U.S. No Electronic Theft (NET) Act of 1997: Criminal offense to reproduce or distribute copyrighted works (even without charge): software/digital recordings

• Software Application: Copyright covers lines of code but not the algorithm

• Copying code is prohibited, but re-implementing the algorithm is permitted

• Condition: The work must be published/distributed.

• Digital Objects: Music, graphic images, database contents, programs

• Cannot disable antipiracy functionality in digital objects

• Digital objects can be distributed for research and educational purposes

• Can make a backup copy as protection against H/W or S/W failure

Example: Napster

• Napster operated a peer-to-peer file swapping service

• One person would register document

• One person would retrieve the registered object

• May 2000 US 9th Circuit Court found Napster guilty of illegally copying/distributing 45,000 audio CDs

• The copyright law: When you buy a CD, you are buying the right to use the CD.

• Use: Play it, lend it, give it or sell it (single copy).

Copyright Ownership Issues

• Author is the owner of the work except when work for hire

• In Work for Hire the following conditions are true:

• The employer has a supervisory relationship and oversees the work performed

• The employer can fire the employee

• The employer arranges for work to be done before the work was created (e.g. not a sale)

• A written contract states that the employee was hired to do certain work

Discussion:

• Is it legal to paint a copyrighted painting for your own home?

• Is it legal to load software on multiple computers at home? At the office?

Patents

• Patent protects results of science, technology, engineering

• Excludes: laws of nature and mental processes: 1+1=2

• Protects the device or process for carrying out an idea

• Patent goes to the person who first invented the idea – not the first patent applicant

• Patent infringement applies even if idea is produced independently

• Cannot promote an obvious use: cardboard as a book mark

• Owner of patent is author, unless employee’s job duties included inventing the product.

• Patent holder must oppose all infringement

• A copyright holder, by contrast, may choose to pursue only sufficiently large court cases

• Patent infringement defense can include any of the following:

• No infringement: Ideas are sufficiently different

• Patent is invalid: Prior infringement was not opposed

• Invention is not novel: Idea is not worthy of patent

• Infringer invented object first: Infringer should be patent-holder

• Software: Patents accepted if software algorithm + novel process

• E.g.: No Patent: Conversion from decimal to binary

• E.g.: Patentable: Calculate the time to cure rubber seals

Trade Secret: Information that gives a company a competitive edge over others.

• Examples: Customer list, recipes.

• A trade secret must always be kept secret

• If a trade secret is improperly obtained and profited from, the owner can recover profits, damages, lost revenues and legal costs

• If someone discovers a trade secret independently, rights of trade secret evaporate

• Reverse engineering: Studying output or decoding object code

Software Piracy: Copy information without offering payment to owner

Licenses: Programmer grants a license to a company to use developed software for a fee.

• License defines period of time, number of copies, locations, instances of use.

Employment contracts often define:

• Employer claims rights to developed software including copyright and right to market

• Employer claims right to all inventions and copyrights, not just those that follow from employment.

• Contracts may define that employee cannot work for a competitor for a specified duration

• Not always enforceable: employee’s right to employment takes precedence over employer’s rights.

Discussion: Who owns rights?

• A contractor develops software for a company.

• A contractor works for a company and develops software in her spare time but using the company’s computers and library – re patent, copyright

• A contractor works for a company and develops software in his spare time on his own computers – re patent, copyright

Determine Culpability Exercise

Who would have the strongest case in the following situations: the defense or the prosecution? What law(s), if any, would be violated? What would the defendant be liable for (misdemeanor, felony, or no criminal offense)? (Note: Wisconsin may have specific laws that are not documented in these notes.)

A student in a security audit of an external company

a) accesses records outside the scope of the audit?

b) modifies data to demonstrate vulnerability within the scope of the audit?

An employee of Ace Hardware looks at another employee’s medical records

a) and does not modify them?

b) and does modify them?

c) and does not modify them, but works for the city of Kenosha?

A hacker logs onto your computer without your knowledge

a) and changes nothing?

b) and copies files?

c) and runs programs which slow down your response time tremendously?

An ex-employee logs onto SC Johnson’s computers

a) and retrieves financial files?

b) and inadvertently changes non-financial, non-medical files?

An employee sends a damaging virus to his old place of employment

a) intentionally?

b) unintentionally?

You receive child pornography by email and you neither open nor delete it (but it is still on disk)

a) With email names such as “Exposing Tender Young Things”

b) With email names such as “Hi”

Lab on Risk Analysis

Risk analysis: Does it cost less to implement a control or to accept the expected loss incurred with the attack?

Arguments for Risk Analysis

• Improves awareness of security problems

• Relates security mission to management objectives: balance harm & control costs

• Identify assets, vulnerabilities, and controls

• Improve basis for decisions: Make intelligent & informed security/cost decisions

• Justify expenditures for security

Arguments against Risk Analysis:

• Hard to perform: the estimates involved are difficult to make and subjective

• Lack of accuracy

• Creates false sense of security, when numbers are actually unknown

Six Steps include:

• Identify Assets

• Determine Vulnerabilities

• Estimate Likelihood of Exploitation

• Compute Expected Loss

• Survey & Select New Controls

• Project Savings

Step One: Identify Assets

List the assets of the company. For this and later steps, input from other departments is needed.

Step 2: Determine the Vulnerabilities

Predict the loss that might occur to the assets and how losses might arise.

Losses can occur due to

• Unintentional error

• Malicious insiders

• Outsiders: hackers, viruses, etc.

• Natural or Physical Disasters

Where is the gold located within this company? Where would you attack if you were inclined? Where have others attacked previously?

|Asset |Confidentiality |Integrity |Availability |
|---|---|---|---|
|Hardware (processors & peripherals) | | | |
|Software (source code, purchased programs, utilities, OS) | | | |
|Data (in system, on media, logs, archives) | | | |
|People (skills needed to run system or programs) | | | |
|Documentation (H/W, S/W, procedures) | | | |
|Supplies (paper, media, printer fluid) | | | |

Step 3: Estimate Likelihood of Exploitation

• What is the probability that loss may occur (e.g. within the next year)?

• Time periods: Once within: a day; a week; a month; a quarter; a year; 2 years; 5 years; a decade.

Step 4: Compute Expected Loss

What is the likely loss if the exploitation occurs? Costs include:

• Replacement cost

• Downtime may result in lost opportunity

• Person-hours to recover

• Loss of information may result in liability: legal fees, criminal penalties.

• Released information can lead to embarrassment, lost customers

Risk Exposure = (Probability of Vulnerability) × ($Loss if Vulnerability Occurs)

Single Loss Expectancy (SLE): $ loss for each event of vulnerability

Annual Rate of Occurrence (ARO): Probability vulnerability will occur in one year

Annualized Loss Expectancy (ALE): Expected annual loss due to vulnerability

|Vulnerability |Probability of Vulnerability (ARO) |Expected Loss in $ |Risk Exposure = %Vuln. × $Loss |
|---|---|---|---|
| | | | |
| | | | |
| | | | |
| | | | |

Step 5: Survey and Select New Controls

Three possible solutions:

• Risk Reduction or Mitigation:

• Install security controls and components

• Improve procedures

• Alter environment

• Provide early detection methods

• Produce a contingency plan

• Erect barriers to the threat

• Risk Assignment: Buy insurance to transfer risk

• Risk Acceptance: Accept risk and spend nothing on control

Which controls address the identified risks?

Control technique categories include:

• Resilience & Robustness: Hardening, redundancy, control of exposure, access, and output

• Intelligence, Self-Awareness: Attack detection, damage assessment, forensics.

• Counterintelligence: Deception for counterintelligence

• Deterrence & Punishment: Criminal penalties, law enforcement, preventative operations

Rating for each Vulnerability/Technique pair:

2: Control mitigates vulnerability significantly: Prime candidate for control

1: Control mitigates vulnerability somewhat: Secondary candidate for control

0: Control has no impact on vulnerability

-1, -2: Control worsens vulnerability somewhat or significantly.

Controls may include:

• Hardware: Firewall, IDS, etc.

• Software: SSH, SSL, IPSec, etc.

• People, Procedures: Guards, training

| |Technique 1: |Technique 2: |Technique 3: |
|---|---|---|---|
|Vulnerability: | | | |
| | | | |
| | | | |
| | | | |

Step 6: Project Savings

Risk Leverage = [(Risk exposure before reduction) – (Risk exposure after reduction)] / (Cost of risk reduction)

Value of safeguard = (ALE before safeguard) – (ALE with safeguard) – (Annual cost of safeguard)

Example: Cost of hacker bringing down Web server = $12,000

Cost of safeguard is $650

Value of safeguard is $8,350
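The calculations for Steps 4 through 6 (risk exposure, the control rating matrix, risk leverage and value of safeguard) carried through in code, as an added example that is not part of the lecture notes. The only figures taken from the notes are the web-server example ($12,000 loss, $650 safeguard, $8,350 value of safeguard); the worksheet entries and the rating matrix are constructed, and the ALE that remains after the web-server safeguard is back-solved from the notes' own formula rather than stated by them.

```python
"""Risk-analysis worksheet calculations (Steps 4-6); constructed example.

Only the web-server figures ($12,000 / $650 / $8,350) come from the notes;
every other number below is illustrative.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    name: str
    sle: float  # Single Loss Expectancy: $ loss for each event
    aro: float  # Annual Rate of Occurrence: expected events per year

    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE * ARO.

        This is the notes' Risk Exposure = ProbabilityOfVulnerability * $Loss,
        with the probability expressed per year.
        """
        return self.sle * self.aro


def aro_from_period(once_every_years: float) -> float:
    """Turn the notes' 'once within N years' likelihood into an annual rate."""
    if once_every_years <= 0:
        raise ValueError("period must be positive")
    return 1.0 / once_every_years


def total_ale(worksheet: list[Vulnerability]) -> float:
    """Step 4: sum expected annual loss over the whole vulnerability table."""
    return sum(v.ale() for v in worksheet)


def rank_controls(ratings: dict[str, dict[str, int]]) -> list[tuple[str, int]]:
    """Step 5: sum each technique's -2..2 rating across all vulnerabilities.

    Highest totals are the prime candidates; a negative total means the
    technique worsens more vulnerabilities than it mitigates.
    """
    totals: dict[str, int] = {}
    for vuln, techniques in ratings.items():
        for technique, score in techniques.items():
            if not -2 <= score <= 2:
                raise ValueError(f"rating {score} for {technique}/{vuln} outside -2..2")
            totals[technique] = totals.get(technique, 0) + score
    return sorted(totals.items(), key=lambda item: (-item[1], item[0]))


def risk_leverage(exposure_before: float, exposure_after: float, cost: float) -> float:
    """Step 6: (exposure before - exposure after) / cost of risk reduction.

    A leverage above 1 means the control removes more expected loss than it costs.
    """
    if cost <= 0:
        raise ValueError("cost of risk reduction must be positive")
    return (exposure_before - exposure_after) / cost


def value_of_safeguard(ale_before: float, ale_with: float, annual_cost: float) -> float:
    """Step 6: ALE before safeguard - ALE with safeguard - annual cost of safeguard."""
    return ale_before - ale_with - annual_cost


def web_server_example() -> dict[str, float]:
    """The notes' example: $12,000 loss, $650 safeguard, $8,350 value of safeguard.

    The notes do not give the ALE remaining once the safeguard is in place, so it
    is back-solved here from their formula (an inference, not a stated figure).
    """
    ale_before, cost, stated_value = 12_000.0, 650.0, 8_350.0
    residual_ale = ale_before - stated_value - cost  # $3,000 implied by the notes' numbers
    return {
        "residual_ale": residual_ale,
        "value_of_safeguard": value_of_safeguard(ale_before, residual_ale, cost),
        "risk_leverage": risk_leverage(ale_before, residual_ale, cost),
    }


# Constructed Step 4 worksheet (figures are illustrative, not from the notes).
WORKSHEET = [
    Vulnerability("Web server brought down by attacker", sle=12_000, aro=aro_from_period(1)),
    Vulnerability("Lost laptop with customer data", sle=50_000, aro=aro_from_period(5)),
    Vulnerability("Unintentional deletion of archive", sle=2_000, aro=12),  # once a month
]

# Constructed Step 5 rating matrix: vulnerability -> technique -> rating in -2..2.
RATINGS = {
    "Web server brought down by attacker": {"Firewall": 2, "IDS": 1, "Training": 0},
    "Lost laptop with customer data": {"Firewall": 0, "IDS": 0, "Training": 2},
    "Unintentional deletion of archive": {"Firewall": 0, "IDS": 0, "Training": 1},
}

if __name__ == "__main__":
    for v in WORKSHEET:
        print(f"{v.name}: SLE ${v.sle:,.0f} x ARO {v.aro:g} = ALE ${v.ale():,.0f}")
    print(f"Total ALE: ${total_ale(WORKSHEET):,.0f}")
    print("Control ranking (prime candidates first):", rank_controls(RATINGS))
    print("Web server example:", web_server_example())
```

Running the script prints the ALE of each constructed worksheet row, ranks the three constructed techniques by their summed ratings, and reproduces the notes' $8,350 value of safeguard, which only works out if the residual ALE is $3,000; the risk leverage of that same safeguard (9,000 / 650, roughly 13.8) shows the other way the notes suggest judging a control.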
