CISSP Chapter 7: Legal, Regulations, Compliance and investigations

The 7th Chapter of the CISSP exam. This topic is all about the legal ethnic surrounding of data.
September 10, 2012
CISSP

The US and Global legal system

Categories of the common US laws

  • Criminal Law: To protect the public (could be jail time)
  • Civil Law: (a.k.a Tort Law) Sorts out disputes (no possible prison)
  • Administrative Law: Regulations

International Property Laws
This lists the intellectual property enforced on a global scale
  • Trade Secret: Like the Coke-Cola recipe (it's a kept secret from the public)
  • Copyright: The expression of the idea, though not the idea itself.
  • Patents: Protection for the idea (saves people copying your idea)
  • Trademark: The look and feel of the company
  • Digital Millenium Copyright Act (DMCA): A new property law that protects the copyright of digital source code. When you have a source code then compile it, it's then protected by DMCA


Privacy

Privacy laws and protection fo personal information
US laws legal system laws

  • Privacy Act 1974: Data held on individuals by the government
  • Electronic Communication Privacy Act 1986: Protects unauthorised eavesdropping
  • HIPPA: Protect electronic data within the health care
Computer Crime Laws
Privacy laws and protection fo personal information
  • Computer Fraud and abuse act 1986:Deals with computers used by the federal government
  • Federal Sentencing Guidelines of 1991: Guidelines for judges to sentence criminals
  • Economic Espionage Act of 1996: Defines the efforts around espionage
  • US Child Pornography Prevention Act of 1996:
  • US Patriot Act of 2001: Related to computer crime laws
Software Privacy Organisations
  • Software Protection Association (SPA): Software vendors working together
  • Business Software Alliance (BSA): International group in Washington DC
  • Federation Against Software Theft (FAST): International group in London
ISC code of ethnics
The ISC guidelines on how you should behave as a CISSP individuals. Basically, don't hurt anyone, be a good person then try and be a good CISSP then promote the idea of a CISSP.
  • Do no harm
  • Be a good person
  • Be a good CISSP
  • Promote the profession


Trying to trap the bad guy

Enticement
Legal attempt to lure a criminal into carrying out a crime (like a carrot on a stick)

    Honey Pot: Virtual Machine with noticeable vulnerabilities
    Pseudo flaw: Deliberate loopholes in the OS
    Honey Pot: A virtual computer that looks vulnerable. Often resides within the Padded Call
    Padded Cell: Virtual machine used to confine intruders without them knowing it

Entrapment
Illegal action. When you go one step over the line of enticement. Example, pointing the user to the site that could be attacked then charging them with trespassing


Type of attacks

Type of attacks

  • Botnets: Controlling many zombie computers @ the same time (commonly used for DDOS)
  • Phishing: Lure individuals into providing you their information. Example, creating a website that looks like a bank website
  • Pharming: Misuses the DNS protocol. Example, when someone requests for a bank.com, with the DNS service compromised, it can direct it to somewhere else
  • Identity TheftTaking the identity from someone
  • Salami: Taking unnoticeable, small slices of money at a time from bank accounts
  • Data Diddling: 'Cooking the books' my making alterations to the data
  • Dumpster Diving: Going through the rubbish bins looking for data. Legal because no one owns the property of information
  • War Dialling: Old-School attack on modems
  • DNS Spoofing: goagle.com instead of google.com
  • War driving: Driving around buildings trying to find a building submitting a wireless signal
  • Phreaker: Telephone fraud
    • Red Box: Simulates the 'sound' of coins dropping for the operator to listen
    Blue Box: The analog tone being sent. Most common was captain crunch and the '2600 group'
    Black Box: Voltage Alterations

    PBX Attacks: People attacking the PBX remotely to make long distance calls


    Dealing with a response: Investigation Response Team

    https://technicalconfessions.com/images/postimages/postimages/_60_5_Incident Support Team.png

    This consolidated team that will recognise and deal with attacks

    • 1x Senior Management
    • 1x Network Administrator
    • 1x Programmer
    • 1x Security Officer
    • 1x HR representative

    How is the Evidence Processed?
    • Discovery: Stop the bleeding
    • Protection: Protect the crime scene
    • Recording: Record the evidence by taking photos, taking a copy of the HDD etc
    • Analysis: Electronic format should be @ the bit level and duplicated to be analysed
    • Storage, preservation and transport it to the lab: Ensure the integrity (chain of custody) - Each and every time someone touches it, it should be recorded
    • Present in Court:
    • Return to owner:

    How to hide the data
      Hidden Files: <-- 'H' attribute so it doesn't show in the directory
      Streams:
      Deleted Files: Isn't actually removed, it's only removed from the table contents (the file name and which partition). Replaces the 1st character of the file is changed to a '?' to show it's deleted
      Slack Space: leftover of the a cluster
      Malware:
      Extract data from the swap file in windows:

    Investigation of any crime
    • Motive: why would someone want to do this crime
    • Opportunity: The opportunity to commit the crime
    • Means : Was the person capable?

    Type of evidence
    • Real: Physical Evidence (knife, hard drive, DVD's etc)
    • Heresy: Like Real through copies of it
    • Secondary: Like Heresy evidence though cannot be used as best evidence
    • Circumstantial: Indirect proof (someone seeing someone else run seconds after an incident
    • Corroborate: Not evidence at all, only supports circumstantial evidence


    Trying to trap the bad guy

    Enticement
    Legal attempt to lure a criminal into carrying out a crime (like a carrot hanging over a hole)

      Honey Pot: Virtual Machine with noticeable vulnerabilities
      Pseudo flaw: Deliberate loopholes in the OS
      Honey Pot: Resides within the Padded Call
      Padded Cell: Virtual machine used to confine intruders without them knowing it

    Entrapment
    One step over the line (entrapment) which is illegal
    The extension of enticement
    Pointing the user to the site then charging them with trespassing


    Hidden Secrets: How to hide data

    Hidden Secrets: How to hide data

      Hidden Files: <-- 'H' attribute so it doesn't show in the directory
      Streams:
      Deleted Files: Isn't actually removed, it's only removed from the table contents (the file name and which partition). Replaces the 1st character of the file is changed to a '?' to show it's deleted
      Slack Space: leftover of the a cluster
      Malware:
      Extract data from the swap file in windows:

    About the author

    Daniel is a Technical Manager with over 10 years of consulting expertise in the Identity and Access Management space.
    Daniel has built from scratch this blog as well as technicalconfessions.com
    Follow Daniel on twitter @nervouswiggles

    Comments

    Other Posts

    AWS-PHP integration - Email not sent. SMTP Error: Could not authenticate.

    phpsmtpaws

    February 6, 2020
    Created by: Daniel Redfern
    AS I was migrating my environment into an S3 environment, I wanted to leverage off the SES services that AWS provide, more specifically, to leverage the off the SMTP functionality by sending an email via PHP
    Read More...

    SOLUTION: no headers files (.h) found in softwareserial - Arduino

    Arduino

    February 24, 2019
    Created by: Daniel Redfern
    The WeMos D1 is a ESP8266 WiFi based board is an extension to the current out-of-the-box library that comes with the Arduino installation. Because of this, you need to import in the libraries as well as acknowledging the specific board. This process is highly confusion with a number of different individuals talking about a number of different ways to integrate.
    Read More...

    NameID element must be present as part of the Subject in the Response message

    ShibbolethSAML

    August 7, 2018
    Created by: Daniel Redfern
    NameID element must be present as part of the Subject in the Response message, please enable it in the IDP configuration.
    Read More...

    HOW TO provision AD group membership from OpenIDM

    OpenIDMICFAD-connector

    June 15, 2018
    Created by: Daniel Redfern
    For what I see, there's not too many supportive documentations out there that will demonstrate how provision AD group membership with the ICF connector using OpenIDM. The use of the special ldapGroups attribute is not explained anywhere in the Integrators guides to to the date of this blog. This quick blog identifies the tasks required to provision AD group membership from OpenIDM to AD using the LDAP ICF connector. However this doesn't really explain what ldapGroups actually does and there's no real worked example of how to go from an Assignment to ldapGroups to an assigned group in AD. I wrote up a wiki article for my own reference: AD group memberships automatically to users This is just my view, others may disagree, but I think the implementation experience could be improved with some more documentation and a more detailed example here.
    Read More...

    ForgeRock OpenIDM - InvalidCredentialException: Remote framework key is invalid

    ICFIDMOpenIDMOpenICF

    November 8, 2017
    Created by: Daniel Redfern
    In the past, the similar error occurred though for the Oracle Identity Management solution. invalidcredentialexception remote framework key is invalid Because they all share the ICF connector framework, the error/solution would be the same.
    Read More...

    org.forgerock.script.exception.ScriptCompilationException: missing ; before statement

    IDMsync.confforgerockopenidm

    November 8, 2017
    Created by: Daniel Redfern
    org.forgerock.script.exception.ScriptCompilationException: missing ; before statement
    Read More...

    ForgeRock IDM - org.forgerock.script.exception.ScriptCompilationException: missing ; before statemen

    OpenIDMsync.confForgeRock

    September 17, 2017
    Created by: Daniel Redfern
    ForgeRock IDM - org.forgerock.script.exception.ScriptCompilationException: missing ; before statement
    Read More...

    Caused by: org.forgerock.json.resource.BadRequestException: Target does not support attribute groups

    OpenIDMForgeRockICFConnector

    September 17, 2017
    Created by: Daniel Redfern
    When performing the attempt of a reconciliation from ForgeRock IDM to Active Directory, I would get the following error
    Read More...

    ForgeRock OpenIDM - InvalidCredentialException: Remote framework key is invalid

    OpenIDMForgeRockICFConnectorAD

    September 17, 2017
    Created by: Daniel Redfern
    In the past, the similar error occurred though for the Oracle Identity Management solution. invalidcredentialexception remote framework key is invalid Because they all share the ICF connector framework, the error/solution would be the same.
    Read More...

    ERROR Caused by com.google.api.client.auth.oauth2.TokenResponseException 400 Bad Request - invalid_g

    OpenIDMIDMGoogleGoogle-AppsICFreconciliation

    September 12, 2017
    Created by: Daniel Redfern
    During the reconcilation from OpenIDM to the ICF google apps connector, the following error response would occur. ERROR Caused by com.google.api.client.auth.oauth2.TokenResponseException 400 Bad Request - invalid_grant
    Read More...