Upload
duongminh
View
224
Download
3
Embed Size (px)
Citation preview
Computer Security: Computer Security: Principles and PracticePrinciples and Practice
First EditionFirst Editionby William Stallings and Lawrie Brownby William Stallings and Lawrie Brown
Lecture slides by Lawrie BrownLecture slides by Lawrie Brown
Chapter 18 Chapter 18 –– Legal and Ethical Legal and Ethical AspectsAspects
Legal and Ethical AspectsLegal and Ethical Aspects
touch on a few topics including:touch on a few topics including:cybercrime and computer crimecybercrime and computer crimeintellectual property issuesintellectual property issuesprivacy privacy ethical issuesethical issues
Cybercrime / Computer CrimeCybercrime / Computer Crime
““criminal activity in which computers or computer criminal activity in which computers or computer networks are a tool, a target, or a place of criminal networks are a tool, a target, or a place of criminal activityactivity””categorize based on computercategorize based on computer’’s role:s role:
as targetas targetas storage deviceas storage deviceas communications toolas communications tool
more comprehensive categorization seen in more comprehensive categorization seen in Cybercrime Convention, Computer Crime SurveysCybercrime Convention, Computer Crime Surveys
Law Enforcement ChallengesLaw Enforcement Challenges
Intellectual PropertyIntellectual Property
CopyrightCopyrightprotects tangible or fixed expression of an idea protects tangible or fixed expression of an idea but not the idea itselfbut not the idea itselfis automatically assigned when createdis automatically assigned when createdmay need to be registered in some countriesmay need to be registered in some countriesexists when:exists when:
proposed work is originalproposed work is originalcreator has put original idea in concrete formcreator has put original idea in concrete forme.g. literary works, musical works, dramatic works, e.g. literary works, musical works, dramatic works, pantomimes and choreographic works, pictorial, pantomimes and choreographic works, pictorial, graphic, and sculptural works, motion pictures and graphic, and sculptural works, motion pictures and other audiovisual works, sound recordings, other audiovisual works, sound recordings, architectural works, softwarearchitectural works, software--related works.related works.
Copyright RightsCopyright Rights
copyright owner has these exclusive copyright owner has these exclusive rights, protected against infringement:rights, protected against infringement:
reproduction rightreproduction rightmodification rightmodification rightdistribution rightdistribution rightpublicpublic--performance rightperformance rightpublicpublic--display rightdisplay right
PatentsPatentsgrant a property right to the inventorgrant a property right to the inventor
to exclude others from making, using, offering for sale, to exclude others from making, using, offering for sale, or selling the inventionor selling the invention
types:types:utility utility -- any new and useful process, machine, article of any new and useful process, machine, article of manufacture, or composition of mattermanufacture, or composition of matterdesign design -- new, original, and ornamental design for an new, original, and ornamental design for an article of manufacturearticle of manufactureplant plant -- discovers and asexually reproduces any distinct discovers and asexually reproduces any distinct and new variety of plantand new variety of plant
e.g. RSA publice.g. RSA public--key cryptosystem patentkey cryptosystem patent
TrademarksTrademarks
a word, name, symbol, or device a word, name, symbol, or device used in trade with goodsused in trade with goodsindicate source of goods indicate source of goods to distinguish them from goods of othersto distinguish them from goods of others
trademark rights may be used to:trademark rights may be used to:prevent others from using a confusingly similar markprevent others from using a confusingly similar markbut not to prevent others from making the same but not to prevent others from making the same goods or from selling the same goods or services goods or from selling the same goods or services under a clearly different markunder a clearly different mark
Intellectual Property Issues Intellectual Property Issues and Computer Securityand Computer Security
software programssoftware programsprotect using copyright, perhaps patentprotect using copyright, perhaps patent
database content and arrangementdatabase content and arrangementprotect using copyrightprotect using copyright
digital content audio / video / media / webdigital content audio / video / media / webprotect using copyrightprotect using copyright
algorithmsalgorithmsmay be able to protect by patentingmay be able to protect by patenting
U.S. Digital Millennium U.S. Digital Millennium Copyright ACT (DMCA)Copyright ACT (DMCA)
implements WIPO treaties to strengthens implements WIPO treaties to strengthens protections of digital copyrighted materialsprotections of digital copyrighted materialsencourages copyright owners to use encourages copyright owners to use technological measures to protect their technological measures to protect their copyrighted works, including:copyrighted works, including:
measures that prevent access to the work measures that prevent access to the work measures that prevent copying of the workmeasures that prevent copying of the work
prohibits attempts to bypass the measuresprohibits attempts to bypass the measureshave both criminal and civil penalties for thishave both criminal and civil penalties for this
DMCA ExemptionsDMCA Exemptions
certain actions are exempted from the certain actions are exempted from the DMCA provisions:DMCA provisions:
fair usefair usereverse engineeringreverse engineeringencryption researchencryption researchsecurity testingsecurity testingpersonal privacypersonal privacy
considerable concern exists that DMCA considerable concern exists that DMCA inhibits legitimate security/crypto researchinhibits legitimate security/crypto research
Digital Rights Management Digital Rights Management (DRM)(DRM)
systems and procedures ensuring digital rights systems and procedures ensuring digital rights holders are clearly identified and receive holders are clearly identified and receive stipulated payment for their worksstipulated payment for their works
may impose further restrictions on their usemay impose further restrictions on their use
no single DRM standard or architectureno single DRM standard or architecturegoal often to provide mechanisms for the goal often to provide mechanisms for the complete content management lifecyclecomplete content management lifecycleprovide persistent content protection for a variety provide persistent content protection for a variety of digital content types / platforms / media of digital content types / platforms / media
DRM ComponentsDRM Components
DRM System ArchitectureDRM System Architecture
PrivacyPrivacy
overlaps with computer securityoverlaps with computer securityhave dramatic increase in scale of info have dramatic increase in scale of info collected and storedcollected and stored
motivated by law enforcement, national motivated by law enforcement, national security, economic incentivessecurity, economic incentives
but individuals increasingly aware of but individuals increasingly aware of access and use of personal / private infoaccess and use of personal / private infoconcerns on extent of privacy compromise concerns on extent of privacy compromise have seen a range of responseshave seen a range of responses
EU Privacy LawEU Privacy Law
European Union Data Protection Directive European Union Data Protection Directive was adopted in 1998 to:was adopted in 1998 to:
ensure member states protect fundamental ensure member states protect fundamental privacy rights when processing personal infoprivacy rights when processing personal infoprevent member states from restricting the prevent member states from restricting the free flow of personal info within EUfree flow of personal info within EU
organized around principles of:organized around principles of:notice, consent, consistency, access, security, notice, consent, consistency, access, security, onward transfer, enforcementonward transfer, enforcement
US Privacy LawUS Privacy Law
have Privacy Act of 1974 which:have Privacy Act of 1974 which:permits individuals to determine records keptpermits individuals to determine records keptpermits individuals to forbid records being permits individuals to forbid records being used for other purposes used for other purposes permits individuals to obtain access to recordspermits individuals to obtain access to recordsensures agencies properly collect, maintain, ensures agencies properly collect, maintain, and use personal info and use personal info creates a private right of action for individualscreates a private right of action for individuals
also have a range of other privacy lawsalso have a range of other privacy laws
Organizational ResponseOrganizational Response““An organizational data protection and privacy policy should be An organizational data protection and privacy policy should be developed and implemented. This policy should be developed and implemented. This policy should be communicated to all persons involved in the processing of communicated to all persons involved in the processing of personal information. Compliance with this policy and all personal information. Compliance with this policy and all relevant data protection legislation and regulations requires relevant data protection legislation and regulations requires appropriate management structure and control. Often this is bestappropriate management structure and control. Often this is bestachieved by the appointment of a person responsible, such as a achieved by the appointment of a person responsible, such as a data protection officer, who should provide guidance to data protection officer, who should provide guidance to managers, users, and service providers on their individual managers, users, and service providers on their individual responsibilities and the specific procedures that should be responsibilities and the specific procedures that should be followed. Responsibility for handling personal information and followed. Responsibility for handling personal information and ensuring awareness of the data protection principles should be ensuring awareness of the data protection principles should be dealt with in accordance with relevant legislation and regulatiodealt with in accordance with relevant legislation and regulations. ns. Appropriate technical and organizational measures to protect Appropriate technical and organizational measures to protect personal information should be implemented.personal information should be implemented.””
Common Criteria Privacy ClassCommon Criteria Privacy Class
Privacy and Data SurveillancePrivacy and Data Surveillance
Ethical IssuesEthical Issueshave many potential misuses / abuses of have many potential misuses / abuses of information and electronic communication information and electronic communication that create privacy and security problemsthat create privacy and security problemsethics:ethics:
a system of moral principles relating benefits a system of moral principles relating benefits and harms of particular actions to rightness and harms of particular actions to rightness and wrongness of motives and ends of themand wrongness of motives and ends of them
ethical behavior here not uniqueethical behavior here not uniquebut do have some unique considerationsbut do have some unique considerations
in scale of activities, in new types of entitiesin scale of activities, in new types of entities
Ethical HierarchyEthical Hierarchy
Ethical Issues Related to Ethical Issues Related to Computers and Info Systems Computers and Info Systems some ethical issues from computer use:some ethical issues from computer use:
repositories and processors of informationrepositories and processors of informationproducers of new forms and types of assetsproducers of new forms and types of assetsinstruments of actsinstruments of actssymbols of intimidation and deceptionsymbols of intimidation and deception
those who understand / exploit technology, and those who understand / exploit technology, and have access permission, have power over thesehave access permission, have power over theseissue is balancing professional responsibilities issue is balancing professional responsibilities with ethical or moral responsibilitieswith ethical or moral responsibilities
Ethical Question ExamplesEthical Question Examples
whistlewhistle--blowerblowerwhen professional ethical duty conflicts with when professional ethical duty conflicts with loyalty to employerloyalty to employere.g. inadequately tested software producte.g. inadequately tested software productorganizations and professional societies organizations and professional societies should provide alternative mechanismsshould provide alternative mechanisms
potential conflict of interestpotential conflict of intereste.g. consultant has financial interest in vendor e.g. consultant has financial interest in vendor which should be revealed to client which should be revealed to client
Codes of ConductCodes of Conductethics not precise laws or sets of factsethics not precise laws or sets of factsmany areas may present ethical many areas may present ethical ambiguityambiguitymany professional societies have ethical many professional societies have ethical codes of conduct which can:codes of conduct which can:
1.1. be a positive stimulus and instill confidencebe a positive stimulus and instill confidence2.2. be educationalbe educational3.3. provide a measure of supportprovide a measure of support4.4. be a means of deterrence and disciplinebe a means of deterrence and discipline5.5. enhance the profession's public imageenhance the profession's public image
Codes of ConductCodes of Conductsee ACM, IEEE and AITP codessee ACM, IEEE and AITP codesplace emphasis on responsibility other peopleplace emphasis on responsibility other peoplehave some common themes:have some common themes:
1.1. dignity and worth of other peopledignity and worth of other people2.2. personal integrity and honestypersonal integrity and honesty3.3. responsibility for workresponsibility for work4.4. confidentiality of informationconfidentiality of information5.5. public safety, health, and welfarepublic safety, health, and welfare6.6. participation in professional societies to improve participation in professional societies to improve
standards of the professionstandards of the profession7.7. the notion that public knowledge and access to the notion that public knowledge and access to
technology is equivalent to social powertechnology is equivalent to social power
SummarySummary
reviewed a range of reviewed a range of topics:topics:cybercrime and computer crimecybercrime and computer crimeintellectual property issuesintellectual property issuesprivacy privacy ethical issuesethical issues