Upload
cameron-miller
View
217
Download
0
Embed Size (px)
Citation preview
1
The Broader Picture
Chapter 12
Copyright 2003 Prentice-Hall
2
The Broader Picture
Laws Governing Hacking and Other Computer Crimes
Consumer Privacy
Employee Workplace Monitoring
Government Surveillance
Cyberwar and Cyberterror
Hardening the Internet Against Attack
3
Figure 12-1: Laws Governing Hacking U.S. National Laws
Title 18, Section 1030
Enabling Legislation
Computer Fraud and Abuse Act of 1986
National Information Infrastructure Protection Act of 1996
Homeland Security Act of 2002 Prohibitions
Criminalizes intentional access of protected computers without authorization or in excess of authorization (Hacking)
4
Figure 12-1: Laws Governing Hacking
U.S. National Laws Title 18, Section 1030
Prohibitions
Criminalizes the transmission of a program, information, code, or command that intentionally causes damage without authorization of a protected computer (Denial-of-Service and Viruses)
5
Figure 12-1: Laws Governing Hacking
U.S. National Laws Title 18, Section 1030
Punishment
For first offenses, usually 1-5 years; usually 10 years for second offenses
For theft of sensitive government information, 10 years, with 20 years for repeat offense
For attacks that harm or kill people, up to life in prison
6
Figure 12-1: Laws Governing Hacking
U.S. National Laws Title 47
Electronic Communications Privacy Act of 1986 (ECMA)
Prohibits the reading of information in transit and in storage after receipt
Other federal laws for fraud, etc.
7
Figure 12-1: Laws Governing Hacking
U.S. State Laws
Federal laws only protect some computers
State laws for purely intrastate crimes vary widely
8
Figure 12-1: Laws Governing Hacking
Laws Around the World Vary
The general situation: lack of solid laws in many countries
Cybercrime Treaty of 2001
Signatories must agree to create computer abuse laws and copyright protection
Nations must agree to work together to prosecute attackers
9
The Broader Picture
Laws Governing Hacking and Other Computer Crimes
Consumer Privacy
Employee Workplace Monitoring
Government Surveillance
Cyberwar and Cyberterror
Hardening the Internet Against Attack
10
Figure 12-2: Consumer Privacy
Introduction
Scott McNealy of SUN Microsystems: “You have zero privacy now. Get over it!”
But privacy is strong in European Union countries and some other countries
11
Figure 12-2: Consumer Privacy
Credit Card Fraud and Identity Theft Widespread Concern (Gartner)
One in 20 consumers had suffered credit card number theft in 2002
One in 50 consumers had suffered identity theft in 2002
Only about a fifth of this is online, but online theft is growing the most rapidly
12
Figure 12-2: Consumer Privacy
Credit Card Fraud and Identity Theft Carders steal credit card numbers
Many merchants fail to protect credit card numbers
Carders test and sell credit card numbers
Merchants also suffer fraud from consumers and carders
Identity theft: Set up accounts in person’s name Victim may not discover identity theft until long
afterward
13
Figure 12-2: Consumer Privacy
Tracking Customer Behavior
Within a website and sometimes across websites
Some information is especially sensitive (health, political leanings, etc.)
Access to data and analysis tools are revolutionizing the ability to learn about people
14
Figure 12-2: Consumer Privacy
Tracking Customer Behavior What consumers wish for
Disclosure of policies
What information will be collected?
How the information will be used by the firm collecting customer data?
Whether and with whom the information will be shared
15
Figure 12-2: Consumer Privacy
Tracking Customer Behavior What consumers wish for
Ability of consumer to see and correct inaccurate personal information
Limiting collection and analysis to operational business needs
Limiting these needs
Opt in: No use unless customer explicitly agrees
16
Figure 12-2: Consumer Privacy Corporate Responses
Privacy disclosure statements
TrustE certifies corporate privacy behavior
Platform for Privacy Preferences (P3P); Standard format for privacy questions
Federal Trade Commission
Enforces privacy statements
Imposes fines and required long-term auditing
Does not specify what should be in the privacy statement
17
Figure 12-2: Consumer Privacy
Corporate Responses
Opt out: Customer must take action to stop data collection and sharing
No opt: No way to stop data collection and sharing
Passport and Liberty Alliance Identity management services Register once, giving personal information Give out to merchants selectively
18
Figure 12-2: Consumer Privacy
Consumer Reactions Checking privacy disclosure statements (rare)
Not accepting cookies (rarer)
Anonymous websurfing services (extremely rare)
19
Figure 12-2: Consumer Privacy
U.S. Privacy Laws No general law
Health Information Portability and Accountability Act (HIPPA) of 1996
Protects privacy in hospitals and health organizations
Focuses on protected information that identifies a patient
20
Figure 12-2: Consumer Privacy
U.S. Privacy Laws
Gramm-Leach-Bliley Act (GLBA) of 1999
Protects financial data
Allows considerable information sharing
Opt out can stop some information sharing
21
Figure 12-2: Consumer Privacy U.S. Privacy Laws
Children’s Online Privacy Protection Act of 1998
Protects the collection of personal data from children under 13
Applies in child-oriented sites and any site that suspects a user is under 13
No protection for older children
Registration for Kids.US domain is controlled
State privacy laws vary widely
22
Figure 12-2: Consumer Privacy
International Laws
European Union Charter of Fundamental Rights
Right to protection of personal information
Personal information must be processed for specific legitimate purposes
Right to see and correct data
Compliance overseen by independent authority
23
Figure 12-2: Consumer Privacy
International Laws
E.U. Data Protection Directive of 1995
Opt out with opt in for sensitive information
Access for review and rectification
Independent oversight agency
Data can be sent out of an EU country only to countries with “adequate” protections
24
Figure 12-2: Consumer Privacy
International Laws
Safe harbor
Rules that U.S. firms must agree to follow to get personal data out of Europe
Are GLBA rules to be considered in financial industries? E.U. is resisting.
25
The Broader Picture
Laws Governing Hacking and Other Computer Crimes
Consumer Privacy
Employee Workplace Monitoring
Government Surveillance
Cyberwar and Cyberterror
Hardening the Internet Against Attack
26
Figure 12-3: Employee Workplace Monitoring
Monitoring Trends
American Management Association survey
E-mail monitoring use from 15% to 46% between 1997 and 2001
Internet connections in 2001: 63% monitored
In 2001, 76% had disciplined an employee; 31% had terminated an employee
27
Figure 12-3: Employee Workplace Monitoring
Why Monitor? Loss of productivity because of personal Internet
and e-mail use
Significant personal Internet and e-mail use is occurring
Employees and companies generally agree that a small amount of personal use is acceptable
Biggest concern is abnormally heavy personal use
Some employees are addicted to personal use
28
Figure 12-3: Employee Workplace Monitoring
Why Monitor? Harassment
Title VII of the Civil Rights Act of 1964: sexual and racial harassment
Pornography, other adult content are fairly common
Monitoring for keywords can reduce pornography and harassment and provide a legal defense
29
Figure 12-3: Employee Workplace Monitoring
Why Monitor?
Viruses and other malware due to unauthorized software
Trade secrets: Both sending and receiving must be stopped
Commercially damaging communication behavior: Can harm reputation, generate lawsuits, and run afoul of stock manipulation laws
30
Figure 12-3: Employee Workplace Monitoring
The Legal Basis for Monitoring Electronic Privacy Communications Act of 1986
Allows reading of communications by service provider (firm)
Allows reading if subject agrees (make condition of employment)
Employee has no right to privacy when using corporate computers
31
Figure 12-3: Employee Workplace Monitoring
The Legal Basis for Monitoring
In United States, at-will employees can be disciplined, dismissed easily
Must not discriminate by selective monitoring
Unions often limit disciplining, agreement to be monitored
In multinational firms, stronger privacy and employment rules might exist
32
Figure 12-3: Employee Workplace Monitoring
Should a Firm Monitor? Danger of backlash
Are the negative consequences worth the gain?
33
Figure 12-3: Employee Workplace Monitoring
Computer and Internet Use Policy Should Specify the Following No expectation of privacy Business use only No unauthorized software No pornography and harassment Damaging communication behavior Punishment for violating the policy
Employee Training in Policy is Crucial
34
The Broader Picture
Laws Governing Hacking and Other Computer Crimes
Consumer Privacy
Employee Workplace Monitoring
Government Surveillance
Cyberwar and Cyberterror
Hardening the Internet Against Attack
35
Figure 12-4: Government Surveillance
U.S. Tradition of Protection from Improper Searches No privacy protection in Constitution
Fourth Amendment: No unreasonable searches and seizures
Can search only with probable cause
Can only search specific things
FBI misuse of data collection during Hoover’s leadership
36
Figure 12-4: Government Surveillance
Telephone Surveillance Wiretapping
Federal Wiretap Act of 1968 for domestic crimes
Foreign Intelligence Surveillance Act of 1978 (FISA) for international terrorists and agents of foreign governments
Need warrant with probable cause and inability to get information by other means
37
Figure 12-4: Government Surveillance
Telephone Surveillance
Pen registers and trap and trace orders
Pen registers: List of outgoing telephone numbers called
Trap and trace: List of incoming telephone numbers
Not as intrusive as wiretap because content of the call is not captured
38
Figure 12-4: Government Surveillance
Telephone Surveillance
Pen registers and trap and trace orders
Electronic Communications Privacy Act of 1986 allows
Must be based on information to be collected being likely to be relevant to ongoing investigation (weak)
Judge cannot turn down warrant
39
Figure 12-4: Government Surveillance Telephone Surveillance
Communications Assistance for Law Enforcement Act of 1994
Requires communication providers to install the technology needed to be able to provide data in response to warrants
Patriot Act of 2001
Extends roving wiretaps to FISA—follow the target across media
Get billing information from telecommunications providers
40
Figure 12-4: Government Surveillance
Internet Surveillance
Extends pen register and trap and trace to Internet traffic
Same weak justification as for telephone traffic
But much more intrusive: e-mail addresses, URLs (which can be visited), etc.
41
Figure 12-4: Government Surveillance
Carnivore
Monitoring computer placed at ISP
FBI installs Carnivore computer, collects information
Can limit filtering to restrictions of warrant
No accountability through audit trails
42
Figure 12-4: Government Surveillance
The Possible Future of Government Surveillance
Intrusive airport security through face scanning
Possible national ID cards
New ability to gather and analyze information from many databases
43
The Broader Picture
Laws Governing Hacking and Other Computer Crimes
Consumer Privacy
Employee Workplace Monitoring
Government Surveillance
Cyberwar and Cyberterror
Hardening the Internet Against Attack
44
Figure 12-5: Cyberwar and Cyberterror
Threats
Attacking the IT infrastructure
Using computers to attack the physical infrastructure (electrical power, sewage, etc.)
Using the Internet to coordinate attacks
45
Figure 12-5: Cyberwar and Cyberterror
Cyberwar Conducted by governments
Direct damage
Disrupting command and control
Intelligence gathering
Propaganda
Industrial espionage
Integrating cyberwar into war-fighting doctrines
46
Figure 12-5: Cyberwar and Cyberterror
Cyberterrorism
By semi-organized or organized groups
Psychological focus
Indirect economic impacts (for example, losses because of reduced travel after September 11, 2001, terrorist attacks)
Goals are publicity and recruitment
Indiscriminate damage
47
Figure 12-5: Cyberwar and Cyberterror
Cyberterrorism
Hacktivism—politically motivated attacks by unorganized or loosely organized groups
Who is a terrorist? Spectrum from activism to full cyberterror
48
The Broader Picture
Laws Governing Hacking and Other Computer Crimes
Consumer Privacy
Employee Workplace Monitoring
Government Surveillance
Cyberwar and Cyberterror
Hardening the Internet Against Attack
49
Figure 12-5: Cyberwar and Cyberterror
Building a National and International Response Strategy National governments
Coordinated responses Intelligence gathering Research and training Economic incentives
Private enterprise
Importance of hardening individual firms
Requiring hardening to meet responsibilities
50
Figure 12-5: Cyberwar and Cyberterror
Hardening the Internet
Hardening the telecommunications infrastructure with decentralization and other methods
International cooperation is needed because of worldwide attackers
Hardening the underlying telecommunications system
Adding security to dialogs with VPNs
51
Figure 12-5: Cyberwar and Cyberterror
Hardening the Internet Hardening Internet protocols
IETF is making progress by adding confidentiality, authentication, and other protections to core Internet protocols
Generally not using digital certificates in a public key infrastructure for strong authentication
52
Figure 12-5: Cyberwar and Cyberterror
Hardening the Internet Making the Internet forensic
ISPs might be forced to collect and retain data for long periods of time
ISPs might be forced to do egress filtering to stop attacks at the source
The cost to ISPs would be high