Computer Security: Principles and Practice: Fourth Edition, Global Edition By: William Stallings and Lawrie Brown




Chapter 19
Legal and Ethical Aspects
Cybercrime and Computer Crime
Previous measures can significantly enhance computer security but cannot guarantee complete success in detection and prevention. Hence we need law enforcement as a deterrent factor.
“Computer crime, or cybercrime, is a term used broadly to describe criminal activity in which computers or computer networks are a tool, a target, or a place of criminal activity.”
--From the New York Law School Course on Cybercrime, Cyberterrorism, and Digital Law Enforcement
Types of Computer Crime
• The U.S. Department of Justice categorizes computer
crime based on the role that the computer plays in the
criminal activity:

  • Computers as targets: Involves an attack on data integrity, system integrity, data confidentiality, privacy, or availability
  • Computers as storage devices: Using the computer to store stolen password lists, credit card or calling card numbers, proprietary corporate information, pornographic image files, or pirated commercial software
  • Computers as communications tools: Crimes that are committed online, such as fraud, gambling, child pornography, and the illegal sale of prescription drugs, controlled substances, alcohol, or guns
Law Enforcement Challenges
• The deterrent effect of law enforcement on computer
and network attacks correlates with the success rate of
criminal arrest and prosecution
• Law enforcement agency difficulties:
• Lack of investigators knowledgeable and experienced in dealing with
this kind of crime
• Required technology may be beyond their budget
• The global nature of cybercrime
• Lack of collaboration and cooperation with remote law enforcement
agencies
• Convention on Cybercrime introduces a common
terminology for crimes and a framework for
harmonizing laws globally
Table 19.1 Cybercrimes Cited in the Convention on Cybercrime

Table 19.2 CERT 2007 E-Crime Watch Survey Results (Table can be found on page 582 in the textbook)
Cybercriminals
• The lack of success in bringing them to justice has led to an increase in their numbers, boldness, and the global scale of their operations
• Are difficult to profile
• Tend to be young and very computer-savvy
• Range of behavioral characteristics is wide
• No cybercriminal databases exist that can point to likely suspects
Cybercrime Victims
• Are influenced by the success of cybercriminals and the lack of success of law enforcement
• Many of these organizations have not invested sufficiently in technical, physical, and human-factor resources to prevent attacks
• Reporting rates tend to be low because of a lack of confidence in law enforcement, concern about corporate reputation, and a concern about civil liability
Working with Law Enforcement
• Executive management and security administrators
need to look upon law enforcement as a resource
and tool
• Management needs to:
• Understand the criminal investigation process
• Understand the inputs that investigators need
• Understand the ways in which the victim can contribute positively to
the investigation
Intellectual Property
Computer security aspects of Intellectual Property (IP)
• Intellectual property: Any intangible asset that consists of human knowledge and ideas.
• Examples include software, data, novels, sound recordings, the design of a new type of mousetrap, or a cure for a disease

Figure 19.1 Intellectual Property Infringement
• Patents: Unauthorized making, using or selling
• Trademarks: Unauthorized use or colorable imitation
• Copyrights: Unauthorized use


Copyright
• Protects tangible or fixed expression of an idea but not the
idea itself
• Creator can claim and file copyright at a national
government copyright office if:
• Proposed work is original
• Creator has put original idea in concrete form
• The Copyright Act 1987 and the Copyright (Amendment) Act 1997 govern copyright law in Malaysia
• There is not much case law on copyright and the Internet in Malaysia due to its infancy. Hence, other common law jurisdictions such as the U.K. and U.S. are normally referred to.
Copyright Rights
• Examples include:
  • Literary works
  • Musical works
  • Dramatic works
  • Pantomimes and choreographic works
  • Pictorial, graphic, and sculptural works
  • Motion pictures and other audiovisual works
  • Sound recordings
  • Architectural works
  • Software-related works
• Copyright owner has these exclusive rights, protected against infringement:
  • Reproduction right
  • Modification right
  • Distribution right
  • Public-performance right
  • Public-display right
Patent
• Grant a property right to the inventor
• “The right to exclude others from making, using, offering
for sale, or selling” the invention in the United States or
“importing” the invention into the United States
• Similar wording appears in the statutes of other nations.
• Types:
  • Utility: Any new and useful process, machine, article of manufacture, or composition of matter
  • Design: New, original, and ornamental design for an article of manufacture
  • Plant: Discovers and asexually reproduces any distinct and new variety of plant
Trademark
• A word, name, symbol, or device
  • Used in trade with goods
  • Indicates source of goods
  • Distinguishes them from goods of others
• Trademark rights may be used to:
  • Prevent others from using a confusingly similar mark
  • But not to prevent others from making the same goods or from selling the same goods or services under a clearly different mark
Intellectual Property Relevant to Network and Computer Security
• A number of forms of intellectual property are relevant
in the context of network and computer security
• Examples of some of the most prominent:

  • Software
    • Programs produced by vendors of commercial software
    • Shareware
    • Proprietary software created by an organization for internal use
    • Software produced by individuals
  • Databases
    • Data that is collected and organized in such a fashion that it has potential commercial value
  • Digital content
    • Includes audio and video files, multimedia courseware, Web site content, and any other original digital work
  • Algorithms
    • An example of a patentable algorithm is the RSA public-key cryptosystem
U.S. Digital Millennium Copyright Act (DMCA)
• Has a profound effect on the protection of digital
content rights in the US and worldwide
• Implements World Intellectual Property
Organization (WIPO) treaties to strengthen
protections of digital copyrighted materials
• Encourages copyright owners to use
technological measures to protect their
copyrighted works
• Measures that prevent access and copying to/of the work
• Prohibits attempts to bypass the measures
• Both criminal and civil penalties apply to attempts to circumvent
DMCA Exemptions
• Certain actions are exempted from the provisions of the
DMCA and other copyright laws including:

  • Fair use
  • Reverse engineering
  • Encryption research
  • Security testing
  • Personal privacy

• Considerable concern exists that DMCA inhibits legitimate security and encryption research
  • Feel that innovation and academic freedom are stifled and open source software development is threatened
Digital Rights Management (DRM)
• Systems and procedures that ensure that holders of
digital rights are clearly identified and receive
stipulated payment for their works
• May impose further restrictions such as inhibiting printing or
prohibiting further distribution
• No single DRM standard or architecture
• Objective is to provide mechanisms for the complete
content management life cycle
• Provide persistent content protection for a variety of
digital content types/platforms/media
Figure 19.2 DRM Components (diagram of four components: Content provider, Distributor, Clearinghouse, and Consumer; arrows labeled Protected content, Usage rules, Digital license, Paying royalty fees, Paying distribution, and Requiring license and paying; legend: Information flow, Money flow)


Figure 19.3 DRM System Architecture
• ROLES: Rights Holders, Service Providers, Consumers
• SERVICES: Identity Management, Content Management, Rights Management
• FUNCTIONS: Security/Encryption, Authentication/Authorization, Billing/Payments, Delivery


Privacy
Overlaps with computer security
Privacy
• Dramatic increase of interconnectedness of information
collected and stored
• Motivated by law enforcement, national security, economic incentives
• Individuals have become increasingly aware of access
and use of personal information and private details
about their lives
• Concerns about extent of privacy compromise have led
to a variety of legal and technical approaches to
reinforcing privacy rights
European Union (EU) Directive on Data Protection
• Adopted in 1998 to:
• Ensure member states protect fundamental privacy rights when
processing personal information
• Prevent member states from restricting the free flow of personal
information within EU
• Organized around principles of:
  • Notice
  • Consent
  • Consistency
  • Access
  • Security
  • Onward transfer
  • Enforcement
United States Privacy Initiatives
Privacy Act of 1974
• Deals with personal information collected and used by federal agencies
• Permits individuals to determine records kept
• Permits individuals to forbid records being used for other purposes
• Permits individuals to obtain access to records and to correct and amend records as appropriate
• Ensures agencies properly collect, maintain, and use personal information
• Creates a private right of action for individuals

Also have a range of other privacy laws

Malaysia Personal Data Protection Act 2010
• To provide protection for an individual's personal information to be processed for the purposes of commercial transactions.
• Contains seven principles of information handling practices that must be followed, namely:

1. General Principle: can only be processed with consent
2. Notice and Choice Principle: subjects must be informed
3. Disclosure Principle: may not be disclosed without consent
4. Security Principle: to protect data
5. Retention Principle: shall not be kept longer than necessary
6. Data Integrity Principle: to ensure that personal data is accurate
7. Access Principle: access to own personal data
What is Personal Data?
• Generally, “personal data” covered by the Act is
information that relates to a data subject who is
identifiable from that information.
• This broad definition will typically cover
information like names, contact details, national
registration identity card numbers, and passport
numbers.
• Also includes any sensitive personal data such as
the physical or mental health of that data subject,
his political opinions and religious beliefs, and
criminal convictions among others.
ISO 27002 states . . .
“An organization’s data policy for privacy and protection
of personally identifiable information should be developed
and implemented. This policy should be communicated to all
persons involved in the processing of personally identifiable information.
Compliance with this policy and all relevant legislation and regulations
concerning the protection of the privacy of people and the protection of
personally identifiable information requires appropriate management
structure and control. Often this is best achieved by the appointment of a
person responsible, such as a privacy officer, who should provide
guidance to managers, users and service providers on their individual
responsibilities and the specific procedures that should be followed.
Responsibility for handling personally identifiable information and
ensuring awareness of the privacy principles should be dealt with in
accordance with relevant legislation and regulations. Appropriate
technical and organizational measures to protect personally identifiable
information should be implemented.”
Common Criteria Specification
• Includes a definition of a set of functional requirements
in a Privacy Class, which should be implemented in a
trusted system.
• The purpose of the privacy functions is to provide a
user protection against discovery and misuse of identity
by other users.
• This specification is a useful guide to how to design
privacy support functions as part of a computer system.
• Figure 19.4 shows a breakdown of privacy into four
major areas with specific functions:
Figure 19.4 Common Criteria Privacy Class Decomposition
• Privacy
  • Anonymity
    • Anonymity
    • Anonymity without soliciting information
  • Pseudonymity
    • Pseudonymity
    • Reversible pseudonymity
    • Alias pseudonymity
  • Unlinkability
    • Unlinkability
  • Unobservability
    • Unobservability
    • Allocation of information impacting unobservability
    • Unobservability without soliciting information
    • Authorised user observability


Privacy and Data Surveillance
• The demands of big business, government and law
enforcement have created new threats to personal privacy
• Scientific and medical research data collection for analysis
• Law enforcement data surveillance
• Private organizations profiling
• This creates tension between enabling beneficial outcomes in areas including scientific research, public health, national security, law enforcement and efficient use of resources, while still respecting an individual’s right to privacy
• Another area of particular concern is the rapid rise in the use of public social media sites
• Sites such as FB gather, analyze, and share large amounts of data on individuals
and their interactions with other individuals and organizations
• Many people willingly upload large amounts of personal information, including
photos and status updates
• This data could potentially be used by current and future employers, insurance
companies, private investigators, and others, in their interactions with the
individual
Privacy Protection
• Both policy and technical approaches are needed to protect
privacy
• In terms of technical approaches, the requirements for
privacy protection for data stored on information systems
can be addressed in part using the technical mechanisms
developed for database security
• With regard to social media sites, technical controls
include:
• The provision of suitable privacy settings to manage who can view data on
individuals
• Notification when one individual is referenced or tagged in another’s content
• Although social media sites include some form of these controls, they are
constantly changing, causing frustration for users who are trying to keep up
with these mechanisms

• Another approach for managing privacy concerns in big
data analysis is to anonymize the data, removing any
personally identifying information before release to
researchers or other organizations for analysis
Data Privacy Policy
• In terms of policy, guidelines are needed to manage the use and reuse of
big data, ensuring suitable constraints are imposed in order to preserve
privacy
• Consent
• Ensuring participants can make informed decisions about their
participation in the research
• Privacy and confidentiality
• Privacy is the control that individuals have over who can access their
personal information
• Confidentiality is the principle that only authorized persons should
have access to information
• Ownership and authorship
• Addresses who has responsibility for the data, and at what point does
an individual give up their right to control their personal data
• Data sharing – assessing the social benefits of research
• The social benefits that result from data matching and reuse of data
from one source or research project in another
• Governance and custodianship
• Oversight and implementation of the management, organization,
access, and preservation of digital data
Ethical Issues
“A system of moral principles that relates to the benefits and
harms of particular actions, and to the rightness and wrongness
of motives and ends of those actions.”
Introduction to Ethics
• Because of the ubiquity and importance of information
systems in organizations of all types, there are many
potential misuses and abuses of information and
electronic communication that create privacy and security
problems.
• In addition to questions of legality, misuse and abuse
raise concerns of ethics.
• Ethics refers to a system of moral principles that relates to
the benefits and harms of particular actions, and to the
rightness and wrongness of motives and ends of those
actions.
Ethics and IT Professions
• Many potential misuses and abuses of information and
electronic communication that create privacy and security
problems
• Basic ethical principles developed by civilizations apply
• Unique considerations surrounding computers and
information systems
• Computer technology makes possible a scale of activities not possible before
• Creation of new types of entities for which no agreed ethical rules have
previously been formed
• Those with special knowledge or skills have additional ethical
obligations to all humanity
Figure 19.5 The Ethical Hierarchy
• Humanity: Integrity, fairness, care, ...
• Professionalism: Higher order of care, societal well-being
• Each profession: Profession-unique standards and professionalism, standards in profession's code of ethics


Ethical Issues Related to Computers and Information Systems
• Some ethical issues from computer use:
• Repositories and processors of information
• Producers of new forms and types of assets
• Instruments of acts
• Symbols of intimidation and deception
• Those who understand, exploit technology,
and have access permission, have power
over these
Professional/Ethical Responsibilities
• Concern with balancing professional responsibilities
with ethical or moral responsibilities
• Types of ethical areas a computing or IT professional
may face:
• Ethical duty as a professional may come into conflict with loyalty to employer
• “Blowing the whistle”
• Expose a situation that can harm the public or a company’s customers
• Potential conflict of interest
• Organizations have a duty to provide alternative,
less extreme opportunities for the employee
• In-house ombudsperson coupled with a commitment not to penalize employees for
exposing problems

• Professional societies should provide a mechanism
whereby society members can get advice on how
to proceed
Codes of Conduct
• Ethics are not precise laws or sets of facts
• Many areas may present ethical ambiguity
• Many professional societies have adopted ethical codes of
conduct which can:

1. Be a positive stimulus and instill confidence
2. Be educational
3. Provide a measure of support
4. Be a means of deterrence and discipline
5. Enhance the profession's public image
Comparison of Codes of Conduct
• All three codes place their emphasis on the responsibility of
professionals to other people
• Do not fully reflect the unique ethical problems related to the
development and use of computer and IT technology
• Common themes:
• Dignity and worth of other people
• Personal integrity and honesty
• Responsibility for work
• Confidentiality of information
• Public safety, health, and welfare
• Participation in professional societies to improve standards of the profession
• The notion that public knowledge and access to technology is equivalent to social power
The Rules
• Collaborative effort to develop a short list of guidelines
on the ethics of computer systems
• Ad Hoc Committee on Responsible Computing
• Anyone can join this committee and suggest changes to the
guidelines
• Moral Responsibility for Computing Artifacts
• Generally referred to as The Rules
• The Rules apply to software that is commercial, free, open
source, recreational, an academic exercise or a research tool
• Computing artifact
• Any artifact that includes an executing computer program
As of this writing, the rules are as follows:
1) The people who design, develop, or deploy a computing artifact are morally responsible
for that artifact, and for the foreseeable effects of that artifact. This responsibility is
shared with other people who design, develop, deploy or knowingly use the artifact as
part of a sociotechnical system.

2) The shared responsibility of computing artifacts is not a zero-sum game. The
responsibility of an individual is not reduced simply because more people become
involved in designing, developing, deploying, or using the artifact. Instead, a person’s
responsibility includes being answerable for the behaviors of the artifact and for the
artifact’s effects after deployment, to the degree to which these effects are reasonably
foreseeable by that person.

3) People who knowingly use a particular computing artifact are morally responsible for
that use.

4) People who knowingly design, develop, deploy, or use a computing artifact can do so
responsibly only when they make a reasonable effort to take into account the
sociotechnical systems in which the artifact is embedded.

5) People who design, develop, deploy, promote, or evaluate a computing artifact should
not explicitly or implicitly deceive users about the artifact or its foreseeable effects, or
about the sociotechnical systems in which the artifact is embedded.
Summary
• Cybercrime and computer crime
  • Types of computer crime
  • Law enforcement challenges
  • Working with law enforcement
• Intellectual property
  • Types of intellectual property
  • Intellectual property relevant to network and computer security
  • Digital millennium copyright act
  • Digital rights management
• Privacy
  • Privacy law and regulation
  • Organizational response
  • Computer usage privacy
  • Privacy, data surveillance, big data, and social media
• Ethical issues
  • Ethics and the IT professions
  • Ethical issues related to computers and information systems
  • Codes of conduct
  • The rules
