Chapter 9 – Legal, Privacy, and Ethical Issues in Computer Security

Program and data protection by patents, copyrights, and trademarks
Computer Crime
Privacy
Ethical analysis of computer security situations
Codes of professional ethics

Motivation for studying legal issues

Know what protection the law provides for computers and data
Appreciate laws that protect the rights of others with respect to computers, programs, and data
Understand existing laws as a basis for recommending new laws to protect computers, programs, and data

Aspects of Protection of the Security of Computers

Protecting computing systems against criminals
Protecting code and data (copyright...)
Protecting programmers’ and employers’ rights
Protecting private data about individuals
Protecting users of programs

Protecting Programs and Data

Copyrights – designed to protect the expression of ideas (not the idea!!!)
• Copyright law of 1978; Digital Millennium Copyright Act of 1998
• Copyright gives the author exclusive right to make copies of the expression and sell them to the public
• “original works of authorship fixed in any tangible medium of expression,… from which they can be perceived, reproduced, or otherwise communicated.”

Copyrights

Public domain – work owned by the public (e.g. government)
Work must be original to the author
“fair use of a copyrighted work, including such use by reproduction in copies…for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship or research.”
New owner can give away or sell object

Copyright

Each copy must be marked with the copyright symbol © or the word Copyright, the year and the author’s name
U.S. copyright lasts for 70 years beyond death of last surviving author or 95 years after publication for a company

Copyright Infringement

Copyrights for computer software (cannot copyright the algorithm)
You do not purchase a piece of software, just the license to use it.
Computer menu design can be copyrighted, but not “look and feel”

Digital Millennium Copyright Act

Digital objects can be subject to copyright
Crime to circumvent/disable antipiracy functionality
Crime to manufacture, sell, or distribute devices that disable antipiracy functionality
Antipiracy devices can be used for research and educational purposes
Acceptable to make a backup copy
Libraries can make up to three copies for lending to other libraries

Patents

Protect inventions, tangible objects, or ways to make them, not works of the mind.
Patent designed to protect the device or process for carrying out an idea, not the idea itself.
Patent goes to person who invented the object first
Algorithms are inventions and can be patented

Trade Secrets

Information that gives one company a competitive edge over others
Reverse engineering – study finished object to determine how it is manufactured or how it works
Trade secret protection can apply to software

Protection for Computer Objects

Hardware can be patented
Firmware (hardware patent; code protected as a trade secret)
Object code – copyrighted
Source code – either trade secret or copyright
Documentation – copyright
COPYLEFT (http://www.gnu.org/copyleft/copyleft.html#WhatIsCopyleft)

Information and the Law

Information as an Object
• Information is not depletable
• Information can be replicated
• Information has a minimal marginal cost
• Value of information is often time dependent
• Information is often transferred intangibly

Legal Issues Relating to Information

Information Commerce
• Copy protection, freeware, controlled distribution, mobile code/applets
Electronic Publishing
Protecting Data in a Database (who owns?)
Electronic Commerce

Protecting Information

Criminal and Civil Law – statutes
Tort Law (harm not occurring from violation of a statute or from breach of a contract) – Fraud
Contract Law (agreement between two parties) – requires
• Offer
• Acceptance
• Consideration

Rights of Employees and Employers

Ownership of Products
Ownership of Patent – inventor owns the work
Ownership of Copyright – author is presumed owner of the work
Work for hire – “employer has right to patent/copyright if the employee’s job function included inventing the product”
Trade Secret Protection
Employment Contracts

Software Failures

What are the legal issues in selling correct and usable software?
What are the moral or ethical issues in producing correct and usable software?
What are the moral or ethical issues in finding, reporting, publicizing, and fixing flaws?

“Responsible” Vulnerability Reporting

Vendor must acknowledge a vulnerability report confidentially to the reporter
Vendor must agree that the vulnerability exists (or argue otherwise) to the reporter
Vendor must inform users of the vulnerability and any available countermeasures within 30 days
Vendor may request from the reporter a 30-day quiet period to allow users time to install patches
At the end of the quiet period, vendor and reporter agree upon a release date
Vendor shall credit reporter with having located the vulnerability

Computer Crime

Rules of Property
Rules of Evidence
Threats to Integrity and Confidentiality
Value of Data
Acceptance of Computer Terminology

Computer Crime

Why Computer Crime is Hard to Define
Why Computer Crime is Hard to Prosecute
• Lack of understanding
• Lack of physical evidence
• Lack of recognition of assets
• Lack of political impact
• Complexity of case
• Juveniles

2002 Computer Crime and Security Survey – CSI/FBI Report

Ninety percent of respondents detected computer security breaches within the last twelve months.
Eighty percent acknowledged financial losses due to computer breaches.
Forty-four percent (223 respondents) were willing and/or able to quantify their financial losses. These 223 respondents reported $455,848,000 in financial losses.
For the fifth year in a row, more respondents (74%) cited their Internet connection as a frequent point of attack than cited their internal systems as a frequent point of attack (33%).
Thirty-four percent reported the intrusions to law enforcement. (In 1996, only 16% acknowledged reporting intrusions to law enforcement.)

Examples of Statutes

U.S. Computer Fraud and Abuse Act (1984)
U.S. Economic Espionage Act
U.S. Electronic Funds Transfer Act
U.S. Freedom of Information Act
U.S. Privacy Act
U.S. Electronic Communications Privacy Act
USA Patriot Act
International Dimensions

Computer Crime

Why Computer Criminals Are Hard to Catch
• No international laws on computer crime
• Complexity of crime
What Computer Crime Does Not Address
• Courts must interpret what a computer is
• Courts must determine the value of the loss

Cryptography and the Law

Controls on Use of Cryptography
Controls on Export of Cryptography
Cryptography and Free Speech
Cryptographic Key Escrow
• Clipper, Capstone, Fortezza
Current Policy (1998)

Privacy

IDENTITY THEFT
Threats to privacy
Aggregation and Data mining
Poor Security System (due diligence)
Government Threats
Computer use
Societal Goal
Corporate Rights and Private Business
Privacy for Sale

Controls Protecting Privacy

Authentication
Anonymity (anonymizers)
Computer Voting
Pseudonymity (Swiss bank account)
Legal Controls
• E.U. Data Protection Act (1998)
• Gramm-Leach-Bliley Act (1999)
• HIPAA

Ethical Issues

Difference between law and ethics
• Ethic – objectively defined standard of right and wrong (ethics are personal)
Studying Ethics
• Ethics and Religion
• Ethical Principles are not universal
• Ethics does not provide answers (ethical pluralism)
• Ethical Reasoning
CASE STUDIES OF ETHICS

CODE OF ETHICS

IEEE (pg. 623)
ACM (pg. 624)
Computer Ethics Institute (pg. 625)

Social Engineering

“we have met the enemy and they are us” – POGO
Social Engineering – “getting people to do things that they wouldn’t ordinarily do for a stranger” – The Art of Deception, Kevin Mitnick

Controls

Reduce and contain the risk of security breaches
“Security is not a product, it’s a process” – Bruce Schneier [Using any security product without understanding what it does, and does not, protect against is a recipe for disaster.]

Education & Misinformation

SQL Slammer infected through MSDE 2000, a lightweight version of SQL Server installed as part of many applications from Microsoft (e.g. Visio) as well as 3rd parties.
CodeRed infected primarily desktops from people who didn't know that the "personal" version of IIS was installed.
Educate programmers and future programmers of the importance of checking for buffer overflows.
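The buffer-overflow point on this slide, as an added C example that is not part of the original lecture: an unchecked string copy placed beside a bounds-checked one that refuses input too long for its destination instead of overrunning it. The function names (unchecked_copy, safe_copy, fits) and the sample inputs are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Unchecked copy: strcpy writes strlen(src) + 1 bytes no matter how large
 * dst actually is, so a source longer than the destination overruns the
 * buffer. This is the defect the slide says programmers must learn to check for.
 * Shown for contrast only; the demonstration below never calls it.
 */
void unchecked_copy(char *dst, const char *src) {
    strcpy(dst, src);
}

/*
 * Bounds-checked copy: returns 0 on success, -1 if src plus its NUL
 * terminator would not fit in dst_size bytes. On refusal dst is left as an
 * empty string, so a caller that ignores the return value still sees a
 * well-terminated buffer rather than partial or unterminated data.
 */
int safe_copy(char *dst, size_t dst_size, const char *src) {
    if (dst == NULL || src == NULL || dst_size == 0) {
        return -1;
    }
    size_t n = strlen(src);
    if (n >= dst_size) {        /* n + 1 bytes needed, only dst_size available */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);    /* copies the terminator as well */
    return 0;
}

/* Does a string of length len (excluding NUL) fit in a buffer of dst_size bytes? */
int fits(size_t dst_size, size_t len) {
    return dst_size > 0 && len < dst_size;
}

int main(void) {
    char username[8];           /* room for 7 characters plus the terminator */

    /* Constructed sample inputs: one fits, one is too long. */
    const char *ok_input  = "alice";
    const char *bad_input = "a-much-longer-username";

    if (safe_copy(username, sizeof username, ok_input) == 0) {
        printf("copied: %s\n", username);
    }
    if (safe_copy(username, sizeof username, bad_input) != 0) {
        printf("rejected %zu-byte input for a %zu-byte buffer\n",
               strlen(bad_input), sizeof username);
    }
    /* unchecked_copy(username, bad_input) would overrun username here. */
    return 0;
}
```

The check is `n >= dst_size` rather than `n > dst_size` because the terminator needs a byte of its own; an off-by-one here is itself a one-byte overflow, which is why the boundary case (a 7-character string into an 8-byte buffer fits, an 8-character one does not) is worth testing explicitly.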

Conclusions

Every organization MUST have a security policy
• Acceptable use statements
• Password policy
• Training / Education
Conduct a risk analysis to create a baseline for the organization’s security
Create a cross-functional security team
“You are the weakest link”