CISSP For Dummies

Given the difficulties in defining and prosecuting computer crimes, many prosecutors seek to convict computer criminals on more traditional criminal statutes, such as theft, fraud, extortion, and embezzlement. Intellectual property rights and privacy laws, in addition to specific computer crime laws, also exist to protect the general public and assist prosecutors.

 Remember   The CISSP candidate should understand that because of the difficulty in prosecuting computer crimes, prosecutors often use more traditional criminal statutes, intellectual property rights, and privacy laws to convict criminals. In addition, you should also realize that specific computer crime laws do exist.

Intellectual property

Intellectual property is protected by U.S. law under one of four classifications, as follows:

• Patents

• Trademarks

• Copyrights

• Trade secrets

Intellectual property rights worldwide are agreed, defined, and enforced by various organizations and treaties, including the World Intellectual Property Organization (WIPO), World Customs Organization (WCO), World Trade Organization (WTO), United Nations Commission on International Trade Law (UNCITRAL), European Union (EU), and Trade-Related Aspects of Intellectual Property Rights (TRIPs).

Licensing violations are among the most prevalent examples of intellectual property rights infringement. Other examples include plagiarism, software piracy, and corporate espionage.

Patents

A patent, as defined by the U.S. Patent and Trademark Office (PTO) is “the grant of a property right to the inventor.” A patent grant confers upon the owner “the right to exclude others from making, using, offering for sale, selling, or importing the invention.” Examples of computer-related objects that may be protected by patents are computer hardware and physical devices in firmware.

A patent is granted by the U.S. PTO for an invention that has been sufficiently documented by the applicant and that has been verified as original by the PTO. A patent is generally valid for 20 years from the date of application and is effective only within the U.S., including territories and possessions. The owner of the patent may then grant a license to others for use of the invention or its design, often for a fee.

U.S. patent (and trademark) laws and rules are covered in 35 U.S.C. and 37 C.F.R., respectively. The Patent Cooperation Treaty (PCT) provides some international protection for patents. More than 130 countries worldwide have adopted the PCT.

 Remember   Patent grants were previously valid for only 17 years, but have recently been changed, for newly granted patents, to 20 years.

Trademark

A trademark, as defined by the U.S. PTO, is “any word, name, symbol, or device, or any combination, used, or intended to be used, in commerce to identify and distinguish the goods of one manufacturer or seller from goods manufactured or sold by others.” Computer-related objects that may be protected by trademarks include corporate brands and operating system logos. U.S. Public Law 105–330, the Trademark Law Treaty Implementation Act, provides some international protection for U.S. registered trademarks.

Copyright

A copyright is a form of protection granted to the authors of “original works of authorship,” both published and unpublished. A copyright protects a tangible form of expression rather than the idea or subject matter itself. Under the original Copyright Act of 1909, publication was generally the key to obtaining a federal copyright. However, the Copyright Act of 1976 changed this requirement, and copyright protection now applies to any original work of authorship immediately from the time that it’s created in a tangible form. Object code or documentation are examples of computer-related objects that may be protected by copyrights.

Copyrights can be registered through the Copyright Office of the Library of Congress, but a work doesn’t need to be registered to be protected by copyright. Copyright protection generally lasts for the lifetime of the author plus 70 years.

Trade secret

A trade secret is proprietary or business-related information that a company or individual uses and has exclusive rights to. To be considered a trade secret, the information must meet the following requirements:

• Must be genuine and not obvious: Any unique method of accomplishing a task would constitute a trade secret, especially if it is backed up by copyrighted, patented or copyrighted proprietary software or methods that give an organization a competitive advantage.

• Must provide the owner a competitive or economic advantage and, therefore, have value to the owner: Google’s indexing algorithms aren’t universally known. Some secrets are protected.

• Must be reasonably protected from disclosure: This doesn’t mean that it must be kept absolutely and exclusively secret, but the owner must exercise due care in its protection.

Software source code or firmware code are examples of computer-related objects that may be protected by trade secrets.

Privacy laws

Privacy laws are enacted to protect information collected and maintained on individuals from unauthorized disclosure or misuse. Privacy laws are one area in which the United States lags behind many others, particularly the European Union (EU), which has defined more restrictive privacy regulations that prohibit the transfer of personal information to countries (including the United States) that don’t equally protect such information. The EU privacy rules include the following requirements about personal data and records:

• Must be collected fairly and lawfully.

• Must only be used for the purposes for which it was collected and only for a reasonable period of time.

• Must be accurate and kept up-to-date.

• Must be accessible to individuals who request a report on personal information held about themselves.

• Individuals must have the right to have any errors in their personal data corrected.

• Personal data can’t be disclosed to other organizations or individuals unless authorized by law or consent of the individual.

• Transmission of personal data to locations where equivalent privacy protection cannot be assured is prohibited.

Two important pieces of privacy legislation in the United States are the U.S. Federal Privacy Act of 1974 and the U.S. Health Insurance Portability and Accountability Act (HIPAA) of 1996.

U.S. Federal Privacy Act of 1974, 5 U.S.C. § 552A

The Federal Privacy Act of 1974 protects records and information maintained by U.S. government agencies about U.S. citizens and lawful permanent residents. Except under certain specific conditions, no agency may disclose any record about an individual “except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains.” The Privacy Act also has provisions for access and amendment of individual records by the individual, except in cases of “information compiled in reasonable anticipation of a civil action or proceeding.” The Privacy Act provides individual penalties for violation including a misdemeanor charge and fines up to $5,000.

U.S. Health Insurance Portability and Accountability Act (HIPAA) of 1996, PL 104-191

HIPAA was signed into law effective August 1996. The HIPAA legislation provided Congress three years from this date to pass comprehensive health privacy legislation. If Congress failed to pass legislation by this deadline, the Department of Health and Human Services (HHS) was given the authority to develop the privacy and security regulations for HIPAA. In October 1999, HHS released proposed HIPAA privacy and security regulations entitled “Privacy Standards for Individually Identifiable Health Information.” Organizations that must comply with HIPAA regulations are referred to as covered entities and include

• Payers (or health plan): An individual or group health plan that provides, or pays the cost of, medical care; for example, insurers

• Health care clearinghouses: A public or private entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements, such as data warehouses

• Health providers: A provider of medical or other health services, such as hospitals, HMOs, doctors, specialists, dentists, and counselors

Civil penalties for HIPAA violations include fines of $100 per incident, up to $25,000 per provision, per calendar year. Criminal penalties include fines up to $250,000 and potential imprisonment of corporate officers for up to 10 years. Additional state penalties may also apply.

U.S. Gramm-Leach-Bliley Financial Services Modernization Act, PL 106-102

Gramm-Leach-Bliley (usually known as GLBA) opened up competition among banks, insurance companies, and securities companies. GLBA also requires financial institutions to better protect their customers’ personally identifiable information (PII) with three rules:

• Financial Privacy Rule: Requires each financial institution to provide information to each customer regarding the protection of customers’ private information.

• Safeguards Rule: Requires each financial institution to develop a formal written security plan that describes how the institution will protect its customers’ PII.

• Pretexting Protection: Requires each financial institution to take precautions to prevent attempts by social engineers to acquire private information about institutions’ customers.

Civil penalties for GLBA violations are up to $100,000 for each violation. Further, officers and directors of financial institutions are personally liable for civil penalties of not more than $10,000 for each violation.

Computer crime and information security laws

Important international computer crime and information security laws that the CISSP candidate should be familiar with include:

• U.S. Computer Fraud and Abuse Act of 1986

• U.S. Electronic Communications Privacy Act of 1986

• U.S. Computer Security Act of 1987

• U.S. Federal Sentencing Guidelines of 1991 (not necessarily specific to computer crime, but certainly relevant)

• U.S. Economic Espionage Act of 1996

• U.S. Child Pornography Prevention Act of 1996

• USA PATRIOT Act of 2001

• U.S. Sarbanes-Oxley Act of 2002

• U.S. CAN-SPAM Act of 2003

• The Council of Europe’s Convention on Cybercrime of 2001

• The Computer Misuse Act of 1990 (U.K.)

• Cybercrime Act of 2001 (Australia)

U.S. Computer Fraud and Abuse Act of 1986, 18 U.S.C. § 1030 (as amended)

In 1984, the first U.S. federal computer crime law, the U.S. Computer Fraud and Abuse Act, was passed. This intermediate act was narrowly defined and somewhat ambiguous. The law covered

• Classified national defense or foreign relations information

• Records of financial institutions or credit reporting agencies

• Government computers

The U.S. Computer Fraud and Abuse Act of 1986 enhanced and strengthened the 1984 law, clarifying definitions of criminal fraud and abuse for federal computer crimes and removing obstacles to prosecution.

The act established two new felony offenses for the unauthorized access of federal interest computers and a misdemeanor for unauthorized trafficking in computer passwords.

Major provisions of the act established three new crimes (two felonies and one misdemeanor) as follows:

• Felony: Unauthorized access, or access that exceeds authorization, of a federal interest computer to further an intended fraud, shall be punishable as a felony [Subsection (a)(4)].

• Felony: Altering, damaging, or destroying information in a federal interest computer or preventing authorized use of the computer or information, that causes an aggregate loss of $1,000 or more during a one-year period or potentially impairs medical treatment, shall be punishable as a felony [Subsection (a)(5)]. This provision was stricken in its entirety and replaced with a more general provision, which we discuss later in this section, in the 1994 amendment.

• Misdemeanor: Trafficking in computer passwords or similar information if it affects interstate or foreign commerce or permits unauthorized access to computers used by or for the U.S. government [Subsection (a)(6)].

 Tip   A federal interest computer (actually the term was changed to protected computer in the 1996 amendments to the act) is defined in the act as a computer:

• “exclusively for the use of a financial institution or the United States government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States government and the conduct constituting the offense affect that use by or for the financial institution or the government;”

  or

• “which is used in interstate or foreign commerce or communication.”

Several minor amendments to the U.S. Computer Fraud and Abuse Act were made in 1988, 1989, and 1990, and more significant amendments were made in 1994, 1996 (by the Economic Espionage Act of 1996), and 2001 (by the USA PATRIOT Act of 2001). The act, in its present form, establishes seven specific computer crimes. In addition to the three that we discuss above, these include the following five provisions [Subsection (a)(5) is reintroduced here in its current form]:

• Unauthorized access, or access that exceeds authorization, to a computer that results in disclosure of U.S. national defense or foreign relations information [Subsection (a)(1)].

• Unauthorized access, or access that exceeds authorization, to a protected computer to obtain any information on that computer [Subsection (a)(2)].

• Unauthorized access to a protected computer, or access that exceeds authorization, to a protected computer that affects the use of that computer by or for the U.S. government [Subsection (a)(3)].

• Unauthorized access to a protected computer causing damage or reckless damage, or intentionally transmitting malicious code which causes damage to a protected computer [Subsection (a)(5), as amended].

• Transmission of interstate or foreign commerce communication threatening to cause damage to a protected computer for the purpose of extortion [Subsection (a)(7)].

We discuss major amendments to the U.S. Computer Fraud and Abuse Act of 1986 (as amended), introduced in 2001 in the upcoming “USA PATRIOT Act of 2001” section.

 Instant Answer   The U.S. Computer Fraud and Abuse Act of 1986 is the major computer crime law currently in effect. The CISSP exam will likely test your knowledge of the act in its original 1986 form, but you should also be prepared for revisions to the exam that may cover the more recent amendments to the act.

U.S. Electronic Communications Privacy Act (ECPA) of 1986

The ECPA complements the U.S. Computer Fraud and Abuse Act of 1986 and prohibits eavesdropping, interception, or unauthorized monitoring of wire, oral, and electronic communications. However, the ECPA does provide specific statutory exceptions, allowing network providers to monitor their networks for legitimate business purposes when the network users are notified of the monitoring process.

The ECPA was amended extensively by the USA PATRIOT Act of 2001. These changes are discussed in the upcoming “USA PATRIOT Act of 2001” section.

 Instant Answer   The U.S. Electronic Communications Privacy Act (ECPA) provides the legal basis for network monitoring.

U.S. Computer Security Act of 1987

The U.S. Computer Security Act of 1987 requires federal agencies to take extra security measures to prevent unauthorized access to computers holding sensitive information. In addition to identifying and developing security plans for sensitive systems, the act requires those agencies to provide security-related awareness training for their employees. The act also assigns formal government responsibility for computer security to the National Institute of Standards and Technology (NIST) for information security standards in general and to the National Security Agency (NSA) for cryptography in classified government/military systems and applications.

U.S. Federal Sentencing Guidelines of 1991

In November 1991, the United States Sentencing Commission published Chapter 8, Federal Sentencing Guidelines for Organizations, of the U.S. Federal Sentencing Guidelines. These guidelines establish written standards of conduct for organizations, provide relief in sentencing for organizations that have demonstrated due diligence, and place responsibility for due care on senior management officials with penalties for negligence including fines of up to $290 million.

U.S. Economic Espionage Act of 1996

The U.S. Electronic Espionage Act (EEA) of 1996 was enacted to curtail industrial espionage, particularly when such activity benefits a foreign entity. The EEA makes it a criminal offense to take, download, receive, or possess trade secret information that has been obtained without the owner’s authorization. Penalties include fines of up to $10 million, up to 15 years in prison, and forfeiture of any property used to commit the crime. The EEA also enacted the 1996 amendments to the U.S. Computer Fraud and Abuse Act, which we discuss earlier in the section “U.S. Computer Fraud and Abuse Act of 1986, 18 U.S.C. § 1030 (as amended).”

U.S. Child Pornography Prevention Act of 1996

The U.S. Child Pornography Prevention Act (CPPA) of 1996 was enacted to combat the use of computer technology to produce and distribute pornography involving children, including adults portraying children.

 Warning   The USA PATRIOT Act of 2001, which we cover in the next section, changes many of the provisions in the computer crime laws, particularly the U.S. Computer Fraud and Abuse Act of 1986 (as amended) and the Electronic Communications Privacy Act of 1986, which we detail in the earlier section “U.S. Electronic Communications Privacy Act (ECPA) of 1986.” As a security professional, you must keep abreast of current laws and affairs to perform your job effectively.

USA PATRIOT Act of 2001

Following the terrorist attacks against the United States on September 11, 2001, the USA PATRIOT Act of 2001 (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act) was enacted in October 2001 and renewed in March 2006 (many provisions originally set to expire have since been made permanent under the renewed Act). This Act takes great strides to strengthen and amend existing computer crime laws, including the U.S. Computer Fraud and Abuse Act and the U.S. Electronic Communications Privacy Act (ECPA), as well as to empower U.S. law enforcement agencies, if only temporarily. U.S. federal courts have subsequently declared some of the Act’s provisions unconstitutional. The relevant sections of the Act are

• Section 202 - Authority to Intercept Wire, Oral, and Electronic Communications Relating to Computer Fraud and Abuse Offenses: Under previous law, investigators couldn’t obtain a wiretap order for violations of the Computer Fraud and Abuse Act. This amendment authorizes such action for felony violations of the Computer Fraud and Abuse Act.

• Section 209 - Seizure of Voice-Mail Messages Pursuant to Warrants: Under previous law, investigators could obtain access to e-mail under the ECPA but not voice-mail, which was covered by the more restrictive wiretap statute. This amendment authorizes access to voice-mail with a search warrant rather than a wiretap order.

• Section 210 - Scope of Subpoenas for Records of Electronic Communications: Under previous law, subpoenas of electronic records were restricted to very limited information. This amendment expands the list of records that can be obtained and updates technology-specific terminology.

• Section 211 - Clarification of Scope: This amendment governs privacy protection and disclosure to law enforcement of cable, telephone, and Internet service provider records that were extremely restrictive under previous law.

• Section 212 - Emergency Disclosure of Electronic Communications to Protect Life and Limb: Prior to this amendment, no special provisions existed that allowed a communications provider to disclose customer information to law enforcement officials in emergency situations, such as an imminent crime or terrorist attack, without exposing the provider to civil liability suits from the customer.

• Section 214 - Pen Register and Trap and Trace Authority under FISA (Foreign Intelligence Surveillance Act): This amendment clarifies law enforcement authority to trace communications on the Internet and other computer networks and authorizes the use of a pen/trap device nationwide instead of limiting it to the jurisdiction of the court.

• Section 217 - Interception of Computer Trespasser Communications: Under previous law, it was permissible for organizations to monitor activity on their own networks but not necessarily for law enforcement to assist these organizations in monitoring, even when such help was specifically requested. This amendment allows organizations to authorize persons “acting under color of law” to monitor trespassers on their computer systems.

• Section 220 - Nationwide Service of Search Warrants for Electronic Evidence: This removes jurisdictional issues in obtaining search warrants for e-mail. For an excellent example of this problem, read The Cuckoo’s Egg by Clifford Stoll (Doubleday).

• Section 814 - Deterrence and Prevention of Cyberterrorism: This amendment greatly strengthens the U.S. Computer Fraud and Abuse Act, including raising the maximum prison sentence from 10 years to 20 years.

• Section 815 - Additional Defense to Civil Actions Relating to Preserving Records in Response to Government Requests: This amendment clarifies the “statutory authorization” defense for violations of the ECPA.

• Section 816 - Development and Support of Cybersecurity Forensic Capabilities: This statute requires the Attorney General to establish regional computer forensic laboratories, maintain existing laboratories, and provide forensic and training capabilities.

U.S. Sarbanes-Oxley Act of 2002 (SOX)

In the wake of several major corporate and accounting scandals, SOX was passed in 2002 to restore public trust in publicly held corporations and public accounting firms by establishing new standards and strengthening existing standards for these entities including auditing, governance, and financial disclosures.

SOX established the Public Company Accounting Oversight Board (PCAOB), which is a private-sector, nonprofit corporation responsible for overseeing auditors in the implementation of SOX. PCAOB’s “Accounting Standard 2” recognizes the role of information technology as it relates to a company’s internal controls and financial reporting. The Standard identifies the responsibility of Chief Information Officers for the security of information systems that process and store financial data and has many implications for information technology security and governance.

U.S. CAN-SPAM Act of 2003

The U.S. CAN-SPAM Act (Controlling the Assault of non-Solicited Pornography and Marketing Act) establishes standards for sending commercial e-mail messages, charges the U.S. Federal Trade Commission (FTC) with enforcement of the provision, and provides penalties that include fines and imprisonment for violations of the Act.

Directive 95/46/EC on the protection of personal data (1995, EU)

In 1995 the European Parliament ratified this essential legislation that protects personal information for all European citizens. The directive states that personal data should not be processed at all, except when certain conditions are met.

A legitimate concern about the disposition of European citizens’ personal data when it leaves computer systems in Europe and enters computer systems in the U.S. led to the creation of . . .

Safe Harbor (1998)

In an agreement between the European Union and the U.S. Department of Commerce in 1998, the U.S. Department of Commerce developed a certification program called Safe Harbor. This permits U.S.-based organizations to certify themselves as properly handling private data belonging to European citizens.

The Council of Europe’s Convention on Cybercrime (2001)

The Convention on Cybercrime is an international treaty, currently signed by more than 40 countries (the U.S. ratified the treaty in 2006), requiring criminal laws to be established in signatory nations for computer hacking activities, child pornography, and intellectual property violations. The treaty also attempts to improve international cooperation with respect to monitoring, investigations, and prosecution.

The Computer Misuse Act 1990 (U.K.)

The Computer Misuse Act 1990 (U.K.) defines three criminal offenses related to computer crime: unauthorized access (whether successful or unsuccessful), unauthorized modification, and hindering authorized access (Denial of Service).

Cybercrime Act 2001 (Australia)

The Cybercrime Act 2001 (Australia) establishes criminal penalties, including fines and imprisonment, for persons committing computer crimes, including unauthorized access, unauthorized modification, or denial of service, with intent to commit a serious offense.