Legal and regulatory issues
An information compromise or security breach that could lead to civil or criminal liability on the part of an organization is grouped under legal and regulatory issues. For example, if a hacker intrudes into a system, obtains Personally Identifiable Information (PII), and publishes it on an Internet portal, the liability for failing to protect that information falls on the organization.
The following list of issues may have legal or regulatory ramifications.
Computer crimes
A computer crime is a fraudulent activity that is perpetrated against computer or IT systems. The motivation could be financial gain, competitive gain, popularity, fame, or adventure.
In computer crime, the term computer refers to the role the computer plays in the crime: the crime may be committed against a computer, committed using a computer, the computer may be incidental to the crime, or any combination of the three.
The following paragraphs describe some common computer crimes. Remember that a compromise of confidentiality, integrity, or availability (CIA) is the end result of such a crime.
Fraud
Manipulation of computer records (for example, data diddling, salami slicing, or similar techniques) or the deliberate circumvention of computer security systems (for example, cracking or unethical hacking) for monetary gain is termed fraud.
Note
Data diddling is the malicious alteration of data during the input or processing stage of a program to obtain financial gain. Salami slicing, also known as penny shaving, is the fraudulent practice of regularly siphoning off extremely small amounts of money so that the theft goes unnoticed.
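The reconciliation check below is an added example written for this section; it is not code from the book. It shows how an auditor can detect a salami-slicing pattern in a batch of interest postings: every customer is credited slightly less than the correctly rounded amount, and the shaved fractions are booked to one account that is entitled to nothing in the batch. The entitlements, the ledger rows, and the account names (CUST-001, ACC-9999) are all constructed for the example.

```python
from collections import defaultdict
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")

# Constructed sample: the exact interest each customer account is entitled to,
# carried to four decimal places before rounding.
ENTITLEMENTS = {
    "CUST-001": Decimal("12.3478"),
    "CUST-002": Decimal("3.9052"),
    "CUST-003": Decimal("47.1016"),
    "CUST-004": Decimal("0.4999"),
}

# Constructed sample ledger postings as (account, amount). In this batch every
# customer was truncated to whole cents instead of rounded to the nearest cent,
# and the shaved fractions were booked to the hypothetical account ACC-9999.
POSTINGS = [
    ("CUST-001", Decimal("12.34")), ("ACC-9999", Decimal("0.0078")),
    ("CUST-002", Decimal("3.90")),  ("ACC-9999", Decimal("0.0052")),
    ("CUST-003", Decimal("47.10")), ("ACC-9999", Decimal("0.0016")),
    ("CUST-004", Decimal("0.49")),  ("ACC-9999", Decimal("0.0099")),
]


def expected_posting(exact):
    """The amount a correct process posts: the exact value rounded to the nearest cent."""
    return exact.quantize(CENT, rounding=ROUND_HALF_UP)


def audit_batch(entitlements, postings, min_micro_credits=3):
    """Reconcile a posting batch against the entitlements it was supposed to settle.

    Returns (underpaid, shortfall, suspects):
      underpaid - {customer: amount owed} where the posting differs from the correct rounding
      shortfall - sum(exact entitlements) minus the total actually credited to customers
      suspects  - {account: total} for accounts entitled to nothing in this batch that
                  nevertheless received min_micro_credits or more sub-cent credits
    """
    credited = defaultdict(Decimal)
    credits = defaultdict(list)
    for account, amount in postings:
        credited[account] += amount
        credits[account].append(amount)

    # Per-customer check: catches truncation only where it changed the rounded cent.
    underpaid = {}
    for customer, exact in entitlements.items():
        owed = expected_posting(exact) - credited[customer]
        if owed != 0:
            underpaid[customer] = owed

    # Batch-level check: the fractional cents that left the customers as a whole.
    shortfall = sum(entitlements.values(), Decimal("0")) - sum(
        (credited[c] for c in entitlements), Decimal("0")
    )

    # Where did those fractions go? An account receiving only sub-cent credits is the
    # signature of salami slicing; a legitimate rounding account sees both signs.
    suspects = {}
    for account, amounts in credits.items():
        if account in entitlements:
            continue
        if len(amounts) >= min_micro_credits and all(a < CENT for a in amounts):
            suspects[account] = credited[account]
    return underpaid, shortfall, suspects


if __name__ == "__main__":
    underpaid, shortfall, suspects = audit_batch(ENTITLEMENTS, POSTINGS)
    print("underpaid customers:", underpaid)
    print("fractional shortfall:", shortfall)
    print("accounts collecting only sub-cent credits:", suspects)
```

The per-customer comparison alone misses CUST-003, whose truncated and correctly rounded amounts happen to coincide; it is the batch-level shortfall, matched cent for cent against the sub-cent credits landing on ACC-9999, that exposes the skim. The same reconciliation against the exact (unrounded) figures is what a control over data diddling of interest or commission calculations needs to run.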
Hacking refers to discovering vulnerabilities, holes, or weaknesses in computer software and associated IT systems, either to exploit them or to improve security and prevent intentional fraud. Hackers are the persons who perform hacking. Hacking is classified under different names to distinguish the objective:
- Black-hat hackers are people with malicious intent who compromise computer systems to commit crime. Such a hacker is called a cracker, and the malicious hacking activity is termed cracking.
- White-hat hackers, or ethical hackers, are people who try to compromise computer systems in order to discover holes and improve security.
- Grey-hat hackers are ambiguous in that their actual intention is not known.
Theft
Identity theft is stealing someone's identity with the intention of pretending to be that person in order to commit fraud. Stealing passwords, login credentials, and credit card information are examples of identity theft.
Intellectual property theft is stealing software code or designs for financial gain.
Malware/malicious code
Malware is malicious software designed to compromise, damage, or affect the general functioning of computers, gain unauthorized access, collect private and sensitive information, and/or corrupt data.
Writing or spreading malware is a computer crime. Viruses, worms, Trojan horses, spyware (such as key loggers), and so on are examples of malware and are explained as follows:
- A computer virus is a malicious program or malicious code that attaches to files and can spread from one file to another or from one computer to another. Technically, a virus can spread or infect a computer if the user opens the infected file.
- Worms are similar to viruses, but are self-replicating and self-propagating. Generally, worms do not require human intervention, such as opening an infected file.
- A Trojan horse is malware that hides its identity within a legitimate program. Users are tricked into opening the file containing the malware by way of social engineering.
Note
Social engineering is a type of nonintrusive attack in which humans are tricked into circumventing security controls. Some attacks, such as phishing and Cross-Site Request Forgery (CSRF), use social engineering techniques. More details about CSRF are covered in Chapter 6, Day 6 – Security Engineering - Security Design, Practices, Models and Vulnerability Mitigation.
- Spyware is malicious code that tracks user actions, such as web browsing patterns, files opened, applications accessed, and so on. Spyware is best described as snooping software.
- Key loggers are a type of spyware that captures keystrokes and transmits them to an attacker's server. Sensitive information, such as usernames and passwords, is captured using key loggers. Key loggers can be hardware or software.
Cyber crime
Criminal activities that are perpetrated using communication networks, such as the Internet, telephone, wireless, satellite, and mobile networks, are called cyber crimes:
- Cyber terrorism is a type of cybercrime perpetrated against computers and computer networks; such attacks are generally premeditated. The objective could be to cause harm for social, ideological, religious, political, or similar reasons.
- Cyber stalking is a type of cybercrime in which the offender harasses or intimidates the victim using the Internet and other electronic means. It is a criminal offence under various state anti-stalking and harassment laws.
- Information warfare is a type of cybercrime intended to destabilize an opponent, such as a corporation or institution, in order to gain a competitive advantage. Examples include false propaganda, web page defacement, and so on.
- Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) attacks are cybercrimes in which the websites or corporate systems of an organization, or the computer systems of any user, are made inaccessible by sending multiple service requests that overload the web and application servers. Eventually, the servers stop responding to genuine requests. (Ro)botnets are increasingly used for such crimes. A botnet is an army of computers that listen to a control center system for orders to execute. Generally, the computers in a botnet are systems that have been compromised through the exploitation of security vulnerabilities.
Tip
More details about botnets are covered in Chapter 6, Day 6 – Security Engineering - Security Design, Practices, Models and Vulnerability Mitigation.
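The flood detector below is an added example written for this section; it is not code from the book. It runs two sliding-window counters over web server access log lines in Common Log Format: one per source address, which catches a single machine hammering a server (DoS), and one over all requests together, which is the only signal that remains when a botnet spreads the load thinly so that no individual bot looks busy (DDoS). The log lines and the IP addresses (taken from the documentation ranges 198.51.100.0/24 and 203.0.113.0/24) are constructed for the example, and the thresholds are assumptions to be tuned to the site's normal traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

WINDOW_SECONDS = 10

# Common Log Format, e.g.
# 203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 612
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return (source_ip, timestamp) for a CLF line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts


def find_floods(lines, window_seconds=WINDOW_SECONDS, per_source_limit=20, total_limit=200):
    """Flag request floods. Lines are assumed to be in chronological order.

    Returns {source: peak requests seen inside one window} for every source that exceeded
    per_source_limit, plus the key "*" if all sources together exceeded total_limit.
    """
    recent = defaultdict(deque)  # key -> timestamps still inside the window
    peaks = {}

    def bump(key, ts, limit):
        q = recent[key]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop requests that have aged out of the window
        if len(q) > limit:
            peaks[key] = max(peaks.get(key, 0), len(q))

    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than crash on them
        ip, ts = parsed
        bump(ip, ts, per_source_limit)
        bump("*", ts, total_limit)
    return peaks


def make_line(ip, second, path="/"):
    """Build a constructed CLF line at 13:55:<second> on a fixed date."""
    return f'{ip} - - [10/Oct/2023:13:55:{second:02d} +0000] "GET {path} HTTP/1.1" 200 612'


# Constructed sample: one ordinary visitor every 15 seconds, plus one source that sends
# 50 requests within five seconds. Sorted so the aggregate counter sees global time order.
SAMPLE_LOG = sorted(
    [make_line("198.51.100.20", s, "/index.html") for s in range(0, 60, 15)]
    + [make_line("203.0.113.7", 30 + i // 10) for i in range(50)],
    key=lambda line: parse_line(line)[1],
)

if __name__ == "__main__":
    for source, peak in find_floods(SAMPLE_LOG).items():
        print(f"{source}: {peak} requests within {WINDOW_SECONDS}s")
```

On the sample, 203.0.113.7 is reported with a peak of 50 while the aggregate stays under its limit; lowering total_limit shows the second counter reporting "*" with 51, the flood plus the one genuine request that fell inside the same window. In practice the per-source counter is what a rate limiter acts on, whereas the aggregate counter is an alert that the upstream provider or a scrubbing service needs to absorb a distributed flood.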
Making and digitally distributing child pornography is a cyber crime.
Digitally distributing and storing copyrighted materials of others without the copyright owner's explicit permission is a cyber crime.
Using e-mail communication to disrupt, to send unsolicited commercial e-mails, or to induce the user to perform certain actions in order to steal information or money falls under cyber crime.
The following are examples of such crimes:
- Sending Unsolicited Commercial Email (UCE) is called spamming. It is a cyber crime that clogs networks and intrudes on the privacy of users.
- Phishing is a type of cyber crime in which a user is lured to an attacker-constructed illegitimate website that looks similar to the actual website the user intended to visit, for example, an online banking website or an e-mail login page. A successful phishing attack results in the capture of the user's credentials by the attacker.
- Pharming is a type of cyber attack in which a user is redirected to a malicious website constructed by the attacker. Generally, this redirection happens without the user's acceptance or knowledge.
- SMiShing is a type of cyber attack that uses mobile networks. In this attack, Short Messaging Service (SMS) messages are used to lure the user to attacker-constructed malicious websites. It is similar to phishing.
- Harassment in the form of cyberstalking, cyberbullying, hate crime, online predation, and trolling are crimes that target specific individuals.
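The lookalike-domain classifier below is an added example written for this section; it is not code from the book. It illustrates how a mail gateway or a URL-rewriting proxy can recognize the hostnames that phishing and SMiShing lures rely on: a trusted name embedded as a subdomain of an unrelated domain, single-character homoglyph substitutions, and one-character typosquats. The trusted domains (examplebank.com, mail.example.org) and every URL are constructed; the registrable-domain helper is a deliberate simplification and should be backed by the Public Suffix List in real deployments.

```python
from urllib.parse import urlparse

# Constructed list of domains the organization considers legitimate.
TRUSTED_DOMAINS = ("examplebank.com", "mail.example.org")

# Single characters commonly swapped for look-alikes in phishing hostnames.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "9": "g"})


def normalize(host):
    """Lower-case the host and fold common look-alike characters and digraphs."""
    host = host.lower().rstrip(".")
    return host.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def registrable(host):
    """Naive registrable domain: the last two labels. Assumption for the example only;
    production code should consult the Public Suffix List (think of names under co.uk)."""
    return ".".join(host.split(".")[-2:])


def levenshtein(a, b):
    """Edit distance between two strings (classic dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url, trusted=TRUSTED_DOMAINS):
    """Classify the host of a URL relative to the trusted list.

    Returns one of "invalid", "trusted", "embedded" (a trusted name used as a subdomain of
    an unrelated domain), "homoglyph", "typosquat", or "unknown".
    """
    # urlparse().hostname discards userinfo, so https://examplebank.com@evil.example/
    # is judged on evil.example, not on the decoy before the @.
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    if not host:
        return "invalid"

    trusted_names = set(trusted) | {registrable(t) for t in trusted}

    for t in trusted:
        if host == t or host.endswith("." + t):
            return "trusted"

    dotted = "." + host + "."
    for name in trusted_names:
        if "." + name + "." in dotted:
            return "embedded"

    reg = registrable(host)
    for name in trusted_names:
        if reg != name and normalize(reg) == normalize(name):
            return "homoglyph"

    for name in trusted_names:
        if levenshtein(reg, name) == 1:
            return "typosquat"

    return "unknown"


if __name__ == "__main__":
    for sample in (
        "https://examplebank.com/login",
        "https://examp1ebank.com/login",
        "https://exarnplebank.com/",
        "https://examplebank.co/",
        "https://examplebank.com.secure-login.example/",
        "https://examplebank.com@evil.example/",
    ):
        print(f"{classify_url(sample):10s} {sample}")
```

Everything other than "trusted" is a reason to rewrite the link, hold the message for review, or warn the user; "unknown" is not a verdict of safety, only that none of the lookalike rules fired. Internationalized domain names need a further step, converting Unicode confusables (for instance Cyrillic letters that render identically to Latin ones) before the comparison, which the small ASCII table here does not attempt.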
Importing and exporting controls
Many countries have import and export restrictions pertaining to the encryption of data. For example, encryption items specifically designed, developed, configured, adapted, or modified for military applications, or for command, control, and intelligence applications, are generally controlled under munitions lists.
Transborder data flow
The transfer of computerized data across national borders, states, or political boundaries is termed transborder data flow. The data can be personal, business, technical, or organizational. The legal issues that arise from such data flows relate to ownership and usage.
Data breaches
By definition, a data breach is a security incident in which sensitive, protected, or confidential data is copied, transmitted, viewed, stolen, or used by an individual unauthorized to do so. It can also result from unintentional information disclosure, a data leak, or a data spill.
A data breach can happen owing to hacking (unethical means), organized crime, negligence in the disposal of media, and so on.
A data breach is a security incident, and hence many jurisdictions have passed data breach notification laws.
In the United States, data breach-related laws are categorized as security breach laws. The National Conference of State Legislatures in the United States defines the provisions of such laws as follows:
Security breach laws typically have provisions regarding who must comply with the law (e.g. businesses, data/information brokers, government entities, and so on); definitions of "personal information" (e.g. name combined with SSN, driver's license or state ID, account numbers, and so on); what constitutes a breach (e.g. unauthorized acquisition of data); requirements for notice (e.g. timing or method of notice, who must be notified); and exemptions (e.g. for encrypted information).