  • Categories of Laws

    • Tort Law
      • England and Wales
      • Deals with individuals and their rights and obligations under the law
    • Mixed Law
      • Forms the basis of the legal system in Holland, Quebec, Louisiana, South Africa and Scotland
    • Civil Law
      • Central Europe, Asia
    • Administrative Law
      • Defines standards of performance and conduct that organizations and their employees should follow
    • Religious Law
      • Covers aspects of social and spiritual behavior within society
    • Criminal Law
      • Is meant to regulate individuals' behavior towards society
  • Computer related crime characteristics

    • Trap doors – potential offenders are system and application programmers
    • Trojan horses, viruses, worms, salamis and logic bombs – can be detected by comparing program code with backup copies of the same program
    • Masquerading – can be detected through password violations
    • Scanning – potential offenders are spies trying to access systems for targeted data
    • Dumpster diving – may be detected by analyzing the data left over after the job execution.
    • Timing attacks – potential offenders are advanced system analysts and computer programmers
    • Wiretapping or eavesdropping – may be detected by tracing origins of equipment and items used to commit the crime
    • Software piracy – commercial software purchasers and users are potential offenders
    • Excess privileges – potential offenders include programmers with access to computer operations staff
    • Data diddling – possible evidence includes source and transaction data
  • Intellectual Property Laws

    • Copyrights
      • Example: A marketing / design company wants to restrict usage of designs it created.
    • Trademarks
      • Example: A company wants exclusive rights to use a particular logo or slogan.
    • Trade Secrets
      • Example: The recipe for a caffeinated, refreshing lemonade.
    • Patents
      • Example: Exclusive rights to a pharmaceutical company for a new drug it created.
  • Categories of Computer Crimes

    • Breach of data security: Information stored on networks or computers is altered by attackers.
    • Breach of operations security: Attackers take advantage of vulnerabilities within daily procedures to access or alter information through methods like password sniffing.
    • Breach of personnel security: Sensitive company information is gained from an employee by attackers.
    • Breach of communication security: Information is intercepted or altered on its way across a network.
    • Breach of physical security: Attackers gain access to a building or to computer/networking hardware.
    • Computer as an instrument: Attackers use computers to steal or commit fraud.
    • Crimes associated with the prevalence of computers: Attackers illegally use or sell computer components, software and information.
    • Computer as the target: Attackers disrupt or damage computers and networks, or steal data stored on computers.
    • Computer as incidental to other crimes: Attackers may use computers to facilitate crime or to make crime difficult to detect.
  • Laws related to privacy

    • Freedom of Information Act, 5 U.S.C. §552, as amended
    • Guidance on Inter-Agency Sharing of Personal Data – Protecting Personal Privacy, OMB Memorandum M-01-05
    • Gramm-Leach-Bliley Act of 1999
  • Laws related to Information Security

    • 18 U.S.C. § 1029. Fraud and related activity in connection with access devices
    • 18 U.S.C. § 2701 et seq. Stored wire and electronic communications and transactional records access
    • 18 U.S.C. § 3121 et seq. Recording of dialing, routing, addressing and signaling information
  • Security Training

    Security job skills training

    • SSCP exam
    • A series of university courses in general information security

    Security awareness training

    • A series of newsletters, with general information security
    • Business-unit walk-through
  • Computer fallacies

    Fallacy vs. Principle

    • Fallacy: Information wants to be free. Principle: People are in control of what information is released or shared.
    • Fallacy: Laws are clear about the legality of all actions. Principle: Users should take responsibility for their actions.
    • Fallacy: Hacking is OK as long as it doesn’t hurt anybody. Principle: It is unethical to access information without having permission to do so.
    • Fallacy: Plagiarism doesn’t count on the internet. Principle: Piracy is illegal no matter what tool is used to copy the information.
    • Fallacy: If a software program is working, it must be working correctly. Principle: Software is prone to human error.
    • Fallacy: You can’t be sued for libel for the contents of a private email. Principle: People are responsible for their words and accusations on the internet.
  • Risk Response Types

    • Risk avoidance: shutting down servers when there is suspicion of virus infection
    • Risk transfer: hardware insurance against theft, loss and fire damage
    • Risk acceptance: letting employees receive private emails in company accounts
    • Risk mitigation: implementing multi-factor authentication to protect trade secrets
  • Stages of Risk Assessment Process

    • Risk determination: quantifies the probability of attack, its impact, and the adequacy of current or planned controls.
    • Control recommendations: considers the effectiveness, performance impacts, safety and reliability of control options.
    • Likelihood determination: considers the capability and motivation of threat sources in terms of the vulnerability.
    • Results documentation: presents the threat and vulnerability pairings with associated cost-benefit data.
    • Impact analysis: quantifies or rates potential losses to the integrity, availability and confidentiality of relevant data.