
CSCE Secure Database Systems

Legal and Ethical Issues in Computer Security
CSCE 522

Readings and Assignments
 Pfleeger: Chapter 11




Lecture 19                      CSCE 522 - Farkas   2
Law and Computer Security
 International, national, state, and city laws:
  affect privacy and secrecy
 Laws: regulate the use, development, and
  ownership of data and programs
 Laws: affect actions that can be taken to
  protect the secrecy, integrity, and
  availability of computing resources

Lack of Legislation
 Reactive procedures
 Improper acts not addressed
 Lack of technical expertise of legal
  personnel




Protection of Computer Systems

 Protecting computing systems against
  criminals
 Protecting code and data
 Protecting programmers’ and employers’
  rights
 Protecting users of programs



Protecting Programs and Data
 Copyright
 Patents
 Trade secrets
 Protection for computer objects




Copyrights
 Protect the expression of ideas
 1978: U.S. copyright law
    Updated in 1998: Digital Millennium Copyright Act (DMCA) – deals with computers and other electronic media
 Give the copyright holder the exclusive right to make copies of the expression and sell them to the public
 Simple procedure to register copyright
 U.S. copyright expires 70 years beyond the death of last surviving holder



Intellectual Property
 Copyright
    Does not cover the idea being expressed
    Applies to original work and it must be in some tangible medium of expression
 Originality of work!




Fair Use
 The purchaser has the right to use the
  product in the manner for which it was
  intended and in a way that does not
  interfere with the author’s right.
 Piracy
 First sale
 Copyright infringement


Copyright for Digital Objects
 Digital Millennium Copyright Act
    Digital objects can be copyrighted
    It is a crime to circumvent or disable anti-piracy functionality
    It is a crime to manufacture, sell, or distribute devices that disable anti-piracy functionality or that copy digital objects
       Exempt: when used for educational and research purposes
    It is legal to make a backup to protect against loss
    Libraries can make three backups


Patents
 Protects inventions – results of science, technology, and engineering
 Requirement of novelty
    Truly novel and unique → only one patent for a given invention
    Non-obvious
 U.S. Patent and Trademark Office: register patent
    Patent attorney: verifies that the invention has not been patented and identifies similar inventions


Patent Infringement
 Copyright: holder can decide which violations to prosecute
 Patent: all violations must be prosecuted or patent can be lost
 Suing for patent infringement may cause the patent owner to lose the patent. Infringer may argue that:
    This isn’t infringement (different inventions)
    The patent is invalid (a prior infringement was not opposed)
    The invention is not novel
    The infringer invented the object first

Trade Secret
   Information that gives one company a
    competitive edge over the others
   Must always be kept secret
   If someone obtains it improperly, the owner can
    recover
       Profits
       Damages
       Lost revenues
       Legal cost
   Reverse Engineering!

Protection of Computer Objects
 Look at Table 11-1 on page 660 to
  compare copyright, patent, and trade
  secret
 Protecting hardware, firmware, object
  code software, source code software,
  documentation, web content, domain
  names, etc.

Computer Crime
 Least clear area of law in computing
 Separate category for computer crime
    No access to the physical object → Is it a serious crime?
    Rules of evidence → How to prove the authenticity?
    Threats to integrity and confidentiality → How to measure loss of privacy?
    Value of data → How to measure it?

Why Computer Crime is Hard to Prosecute?
 Lack of understanding
 Lack of physical evidence
 Lack of recognition of assets
 Lack of political impact
 Complexity of case
 Age of defendant



Laws for Computer Crime
   U.S. Computer Fraud and Abuse Act
   U.S. Economic Espionage Act
   U.S. Electronic Fund Transfer Act
   U.S. Freedom of Information Act
   U.S. Privacy Act
   U.S. Electronic Communication Privacy Act
   Gramm-Leach-Bliley Act
   HIPAA
   USA Patriot Act
   CAN SPAM Act


Ethical Issues
 Ethic: objectively defined standard of right
  and wrong
 Ultimately, each person is responsible for
  deciding what to do in a specific situation
 Ethical positions can and often do come
  into conflict


Ethics vs. Law
Law                                  Ethics
Formal, written document             Unwritten principles
Interpreted by courts                Interpreted by each individual
Established by legislatures          Presented by philosophers, religious, professional groups
Applicable to everyone               Personal choice
Priority decided by court            Priority determined by individual
Court makes final decision           No external decision maker
Enforceable by police and courts     Limited enforcement
Case Studies
 Case II: Privacy Rights
 Case III: Denial of Service
 Case VI: Fraud




    Final Exam Review
 Comprehensive: everything we covered
  this semester
 Closed book
 3 hrs
 Dec. 10, 2:00 pm




Final Exam Review
 Reading list:
    Lecture notes
    Required reading
    Text book chapters: 1, 2, 3 (+ handout on secure SW development), 4.3, 4.4, 4.5, 5.2, 5.3, 5.4, 5.5, 6 (except 6.3), 7 (focus on 7.4, 7.5), 8, 9, and 11 (no case studies)


The following presentation is Recommended Only

THEMIS: Threat Evaluation Metamodel for Information Systems
Csilla Farkas
Thomas Wingfield
James B. Michael
Duminda Wijesekera



Attacks Against Critical Infrastructures
 Swedish hacker jammed 911 in central Florida in 1997
 Juvenile hacker penetrated and disabled a telco computer servicing Worcester Airport in March 1997
 Brisbane hacker used radio transmissions to create raw sewage overflows on Sunshine coast in 2000
 Hackers broke into Gazprom’s system controlling gas flows in pipelines in 1999
 Hackers got into California Independent Service Operator (ISO) development network for regional power grid in spring 2001
 Numerous denial-of-service attacks against ISPs – some shut down
Source: D. Denning Information Warfare


Rules Defining the Use of Force
Schmitt Analysis
Sources:
 Thomas Wingfield: The Law of Information Conflict: National Security Law in Cyberspace
 Michael N. Schmitt: Computer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework


Spectrum of Conflict

Art. 39

The Security Council shall determine the existence of
any threat to the peace, breach of the peace, or act of
aggression and shall make recommendations, or decide
what measures shall be taken in accordance with
Articles 41 and 42, to maintain or restore international
peace and security.




Spectrum of Conflict

Art. 2(4)

All members shall refrain in their international
relations from the threat or use of force against
the territorial integrity or political independence
of any state, or in any other manner inconsistent
with the Purposes of the United Nations.




Spectrum of Conflict

Art. 51

Nothing in the present Charter shall impair the inherent right of
individual or collective self-defense if an armed attack occurs
against a Member of the United Nations, until the Security Council
has taken measures necessary to maintain international peace and
security. Measures taken by Members in the exercise of this right of
self-defense shall be immediately reported to the Security Council
and shall not in any way affect the authority and responsibility of
the Security Council under the present Charter to take at any time
such action as it deems necessary in order to maintain or restore
international peace and security.




Rules Defining the Use of Force

[Diagram; vertical label: RESPONSE]
Art. 39                  Art. 2(4)                    Art. 51
Threat to the peace      Threat of force              Use of force; Armed attack
                         Hostile intent               Hostile act
                         Anticipatory self-defense    Self-defense
                         Jus ad bellum applies        Jus in bello applies
                         Peacetime regime applies



Use of Force in Cyberspace
 Cyber vs. Kinetic Attack
 Academic State-of-the-Art: Effects-Based Analysis
 Problem: Charter Paradigm Means-Based
 The Schmitt Reconciliation
    Distinguishing Military from Diplomatic and Economic Coercion
    Seven Factors


Schmitt Factors
 Severity
 Immediacy
 Directness
 Invasiveness
 Measurability
 Presumptive Legitimacy
 Responsibility


Severity

Armed attacks threaten physical injury or destruction of property to a much greater extent than other forms of coercion. Physical well-being usually occupies the [lowest, most basic level] of the human hierarchy of need.

Levels:
 People Killed; Severe Property Damage
 People Injured; Moderate Property Damage
 People Unaffected; No Discernable Property Damage

Questions:
 How many people were killed?
 How large an area was attacked? (Scope)
 How much damage was done within this area? (Intensity)




Immediacy

The negative consequences of armed coercion, or threat thereof, usually occur with great immediacy, while those of other forms of coercion develop more slowly.

Levels:
 Seconds to Minutes
 Hours to Days
 Weeks to Months

Questions:
 Over how long a period did the action take place? (Duration)
 How soon were its effects felt?
 How soon until its effects abate?




Directness

The consequences of armed coercion are more directly tied to the actus reus than in other forms of coercion, which often depend on numerous contributory factors to operate.

Levels:
 Action Sole Cause of Result
 Action Identifiable as One Cause of Result, and to an Indefinite Degree
 Action Played No Identifiable Role in Result

Questions:
 Was the action distinctly identifiable from parallel or competing actions?
 Was the action the proximate cause of the effects?




Invasiveness

In armed coercion, the act causing the harm usually crosses into the target state, whereas in economic warfare the acts generally occur beyond the target’s borders. As a result, even though armed and economic acts may have roughly similar consequences, the former represents a greater intrusion on the rights of the target state and, therefore, is more likely to disrupt international stability.

Levels:
 Border Physically Crossed; Action Has Point Locus
 Border Electronically Crossed; Action Occurs Over Diffuse Area
 Border Not Crossed; Action Has No Identifiable Locus in Target Country

Questions:
 Did the action involve physically crossing the target country’s borders?
 Was the locus of the action within the target country?



Measurability

While the consequences of armed coercion are usually easy to ascertain (e.g., a certain level of destruction), the actual negative consequences of other forms of coercion are harder to measure. This fact renders the appropriateness of community condemnation, and the degree of vehemence contained therein, less suspect in the case of armed force.

Levels:
 Effects Can Be Quantified Immediately by Traditional Means (BDA, etc.) with High Degree of Certainty
 Effects Can Be Estimated by Rough Order of Magnitude with Moderate Certainty
 Effects Cannot be Separated from Those of Other Actions; Overall Certainty is Low

Questions:
 Can the effects of the action be quantified?
 Are the effects of the action distinct from the results of parallel or competing actions?
 What was the level of certainty?



Presumptive Legitimacy

In most cases, whether under domestic or international law, the application of violence is deemed illegitimate absent some specific exception such as self-defense. The cognitive approach is prohibitory. By contrast, most other forms of coercion—again in the domestic and international sphere—are presumptively lawful, absent a prohibition to the contrary. The cognitive approach is permissive.

Levels:
 Action Accomplished by Means of Kinetic Attack
 Action Accomplished in Cyberspace but Manifested by a “Smoking Hole” in Physical Space
 Action Accomplished in Cyberspace and Effects Not Apparent in Physical World

Questions:
 Has this type of action achieved a customary acceptance within the international community?
 Is the means qualitatively similar to others presumed legitimate under international law?



Responsibility

Armed coercion is the exclusive province of states; only they may generally engage in uses of force across borders, and in most cases only they have the ability to do so with any meaningful impact. By contrast, non-governmental entities are often capable of engaging in other forms of coercion (propaganda, boycotts, etc.).

Levels:
 Responsibility for Action Acknowledged by Acting State; Degree of Involvement Large
 Target State Government Aware of Acting State’s Responsibility; Public Role Unacknowledged; Degree of Involvement Moderate
 Action Unattributable to Acting State; Degree of Involvement Low

Questions:
 Is the action directly or indirectly attributable to the acting state?
 But for the acting state’s sake, would the action have occurred?




Overall Analysis

Levels:
 Use of Force Under Article 2(4)
 Arguably Use of Force or Not
 Not a Use of Force Under Article 2(4)

Question:
 Have enough of the qualities of a use of force been identified to characterize the information operation as a use of force?




THEMIS

Threat Evaluation Metamodel for Information Systems




THEMIS

 Attack Response Policy (ARP) language
    ARP alphabet and predicates to represent attacks, consequences, and legal concepts
 Interoperable legal ontologies
 Attack evaluation and response rules
 SWRL - A Semantic Web Rule Language combining OWL and RuleML


Security Policy Specification
[Diagram; labels: Interoperable Ontologies, ARP specification, Conflict resolution, Default policy]


THEMIS FUNCTIONALITY
[Diagram with an OFFENSE side and a DEFENSE side; labels: Attacker, Attack, Characteristics, Cascading Effects, Computer System, Affected Assets, Policy, Response]



    Attack Response Policy (ARP)

 ARP alphabet: constant symbols, variables,
  functions, and terms
 ARP predicates: used to build rules
 ARP rules: reason about the damages, express
  legal restrictions, and determine legitimacy of
  counter actions


Example
 Predicates:
    attack(a-id, a-name, orig, targ)
    consequence(a-id, c-type, targ)
    causes(c-type1, targ1, c-type2, targ2)
 Rule:
    attack(a-id, a-name, orig, targ1) ←
        attack(a-id, a-name, orig, targ),
        consequence(a-id, c-type, targ),
        causes(c-type, targ, c-type1, targ1)
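
The cascading-effects rule from the Example slide, evaluated by forward chaining to a fixpoint (an added example, not part of the original slides or of THEMIS itself). The Python types, the sample facts, and the optional companion rule that derives consequence(a-id, c-type1, targ1) are assumptions made for illustration.

```python
from typing import NamedTuple

class Attack(NamedTuple):        # attack(a-id, a-name, orig, targ)
    a_id: str
    a_name: str
    orig: str
    targ: str

class Consequence(NamedTuple):   # consequence(a-id, c-type, targ)
    a_id: str
    c_type: str
    targ: str

class Causes(NamedTuple):        # causes(c-type1, targ1, c-type2, targ2)
    c_type1: str
    targ1: str
    c_type2: str
    targ2: str

def derive(attacks, consequences, causes, propagate_consequences=False):
    """Apply the slide's rule until no new facts appear (least fixpoint).

    Slide rule: attack(id, name, orig, targ1) holds if attack(id, name, orig, targ),
    consequence(id, c, targ) and causes(c, targ, c1, targ1) all hold.
    propagate_consequences=True also derives consequence(id, c1, targ1); that
    companion rule is an assumption of this example, not on the slide. Without
    it the slide's rule reaches only targets one causes-step away from a
    consequence that was given as a fact.
    """
    attacks, consequences = set(attacks), set(consequences)
    changed = True
    while changed:
        changed = False
        for atk in list(attacks):
            for con in list(consequences):
                if (con.a_id, con.targ) != (atk.a_id, atk.targ):
                    continue
                for cau in causes:
                    if (cau.c_type1, cau.targ1) != (con.c_type, con.targ):
                        continue
                    # Same attack id, name and origin; new (secondary) target.
                    new_atk = atk._replace(targ=cau.targ2)
                    if new_atk not in attacks:
                        attacks.add(new_atk)
                        changed = True
                    new_con = Consequence(atk.a_id, cau.c_type2, cau.targ2)
                    if propagate_consequences and new_con not in consequences:
                        consequences.add(new_con)
                        changed = True
    return attacks, consequences

def affected_targets(attacks, a_id):
    """Sorted list of every target the given attack id is derived to reach."""
    return sorted({a.targ for a in attacks if a.a_id == a_id})

# Constructed sample facts (hypothetical names, not from the slides).
ATTACKS = [Attack("a1", "dos", "host-x", "scada-gateway")]
CONSEQUENCES = [Consequence("a1", "outage", "scada-gateway")]
CAUSES = [
    Causes("outage", "scada-gateway", "loss-of-control", "pump-controller"),
    Causes("loss-of-control", "pump-controller", "overflow", "water-plant"),
]

if __name__ == "__main__":
    slide_only, _ = derive(ATTACKS, CONSEQUENCES, CAUSES)
    print("slide rule only:", affected_targets(slide_only, "a1"))
    chained, _ = derive(ATTACKS, CONSEQUENCES, CAUSES, propagate_consequences=True)
    print("with companion rule:", affected_targets(chained, "a1"))
```

With only the slide's rule, the assessment stops at the first secondary target because no consequence fact exists for it; a response policy that must account for multi-hop cascading effects needs consequence facts, or a rule producing them, for each derived target.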

Conclusions
 Automated decision support system
 Attack Response Policy Language
    Alphabet
    Predicates
    Rules
 Schmitt Analysis


				
DOCUMENT INFO
posted:9/30/2011
language:English
pages:50