Law, Investigation, and Ethics
The topics encompassed by law, investigation, and ethics are not only those that practitioners taking the certification examination have trouble with; they are also everyday parts of an information security program that, one way or another, can cause considerable embarrassment if not handled appropriately. Although these three subjects are related, they are to some extent different areas of expertise. Each is important in its own realm and can lead to problems if neglected in the administration of a security program.
The first section in Domain 6 presents Legal and Regulatory Issues. It is very important that the information systems security professional have a clear understanding of the laws and issues that affect their field and the kinds of criminal attacks they may experience against their systems. Chapter 6-1-1's essay on Computer Abuse Methods and Detection provides insights into the methods, possible types of perpetrators, likely evidence of the use of the methods, and detection and prevention methods. Although several of the abuse methods can be rather complex, enough detail is provided so that security practitioners can apply the descriptions to specific instances they may encounter.
Chapter 6-1-2's discussion of Federal and State Computer Crime Laws presents those laws that apply specifically to computers used in the perpetration of various types of crimes against computers. A thorough discussion of the types of offenses and the seriousness of each under the law is provided, including an explanation of the differences between federal and state computer crime law.
Section 6-2 deals with the task of investigating computer incidents. There are those security practitioners who have had to conduct investigations and those who ultimately will. A botched investigation can turn out to be severely career limiting, so this is a must-read section for security professionals. Chapter 6-2-1, Computer Crime Investigation and Computer Forensics, is a very thorough discussion of this critical subject.
Information Ethics is the focus of Section 6-3. Chapter 6-3-1 describes common fallacies of the computer generation and includes a very detailed action plan to encourage the ethical use of computers in organizations.
Legal and Regulatory Issues
Computer Abuse Methods and Detection
Donn B. Parker
This chapter describes 17 computer abuse methods in which computers play a key role. Several of the methods are far more complex than can be described here in detail; in addition, it would not be prudent to reveal specific details that criminals could use. These descriptions should facilitate a sufficient understanding of computer abuse for security practitioners to apply to specific instances. Most technologically sophisticated computer crimes are committed using one or more of these methods. The results of these sophisticated and automated attacks are loss of information integrity or authenticity, loss of confidentiality, and loss of availability or utility associated with the use of services, computer and communications equipment or facilities, computer programs, or data in computer systems and communications media. The abuse methods are not necessarily identifiable with specific statutory offenses. The methods, possible types of perpetrators, likely evidence of their use, and detection and prevention methods are described in the following sections.
EAVESDROPPING AND SPYING
Eavesdropping includes wiretapping and monitoring of radio frequency emanations. Few wiretap abuses are known, and no cases of radio frequency emanation eavesdropping have been proved outside government intelligence agencies. Case experience is probably so scarce because industrial spying and scavenging represent easier, more direct ways for criminals to obtain the required information.
On the other hand, these passive eavesdropping methods may be so difficult to detect that they are never reported. In addition, opportunities to pick up emanations from isolated small computers and terminals, microwave circuits, and satellite signals continue to grow.
One disadvantage of eavesdropping, from the eavesdropper's point of view, is that the perpetrators often do not know when the needed data will be sent. Therefore, they must collect relatively large amounts of data and search for the specific items of interest. Another disadvantage is that identifying and isolating the communications circuit can pose a problem for perpetrators. Intercepting microwave and satellite communications is even more difficult, primarily because complex, costly equipment is needed for interception and because the perpetrators must determine whether active detection facilities are built into the communications system.
Clandestine radio transmitters can be attached to computer components. They can be detected by panoramic spectrum analysis or second-harmonic radar sweeping. Interception of free-space radiation is not a crime in the United States unless disclosure of the information thus obtained violates the Electronic Communications Privacy Act of 1986 (the ECPA) or the Espionage Act. Producing radiation may be a violation of FCC regulations.
Intelligible emanations can be intercepted even from large machine rooms and at long distances using parametric amplifiers and digital filters. Faraday-cage shielding can be supplemented by a carbon-filament absorptive covering on the walls and ceilings. Interception of microwave spillage and satellite footprints is different because it deals with intended signal data emanation, and it could be illegal under the ECPA if it is proved that the information obtained was communicated to a third party.
Spying consists of criminal acquisition of information by covert observation. For example, shoulder surfing involves observing users at computer terminals as they enter or receive displays of sensitive information (e.g., observing passwords in this fashion using binoculars). Frame-by-frame analysis of video recordings can also be used to determine personal ID numbers entered at automatic teller machines.