Appendix A: Cyber Security – A Legal Perspective
Cybercrime Security:
The collective processes and mechanisms by which people, sensitive and valuable information, products and services are protected from damage, publication, tampering or collapse caused by unauthorized activities, untrustworthy individuals and unplanned events. Computer security aims at the protection of persons, information and property from theft, misuse, corruption, tampering, unauthorized disclosure, or natural disaster, while allowing the information and property to remain accessible and productive to its intended users.
Background:
- In the early 1980s law enforcement agencies faced the dawn of the computer age with growing concern about the lack of criminal laws available to fight emerging computer crimes.
- In response, Congress included in the Comprehensive Crime Control Act (CCCA) of 1984 provisions to address the unauthorized access and use of computers and computer networks.
- Throughout 1985, both the House and the Senate held hearings on potential computer crime bills, continuing the efforts begun the year before. These hearings culminated in the Computer Fraud and Abuse Act (CFAA).
Current Legal Environment:
- The primary guide in most federal hacking cases is still the Computer Fraud and Abuse Act (CFAA, passed by the U.S. Congress in 1986)
- Other federal statutes used for prosecuting Cybercrime are:
- Wiretap Act
- Unlawful Access to Stored Communications Act
- Identity Theft and Aggravated Identity Theft Act
- Access Device Fraud Act
- CAN-SPAM Act
- Wire Fraud
- Communication Interference Act
Other considerations
In addition, almost every state has its own computer crime statutes. Each state also has its own prosecutorial system. Some states are much more active in the area of cybersecurity enforcement than others, but typically the states will cooperate with federal authorities. Some state laws are more restrictive than federal law, e.g. state laws addressing “phishing” and state spyware laws. The laws are a complex web. Only skilled lawyers are capable of figuring out the full meaning revealed in case law interpretations of the state and federal laws.
Legal vs. Illegal hacking
Cracker vs Hacker
- A hacker is a person intensely interested in the arcane and recondite workings of any computer operating system. Hackers are most often programmers. As such, hackers obtain advanced knowledge of operating systems and programming languages. They might discover holes within systems and the reasons for such holes. Hackers constantly seek further knowledge, freely share what they have discovered, and never intentionally damage data.
- A cracker is one who breaks into or otherwise violates the system integrity of remote machines with malicious intent. Having gained unauthorized access, crackers destroy vital data, deny legitimate users service, or cause problems for their targets. Crackers can easily be identified because their actions are malicious.
Clear Dividing Line
- Congress needs to enact a clearer, more technologically current law to rationally and fairly divide the line between legal and illegal hacking. The complete rewrite should include different Acts for criminal and civil rules and enforcement, and should tie into privacy and security legislation.
- Need a clearer / more dependable way to distinguish between “ethical” and “malicious” hacking
- Malicious hacking is always negative and destructive. Ethical hacking’s goal is to contribute to the security community and to improve overall security
White / Grey / Black (Cracker) Hat Hacking
- All of them exploit weaknesses in computer systems and networks
- Black Hat Hackers are computer criminals whose malicious activities serve their own ends, ranging from financial gain to simply causing chaos
- White Hat (“ethical”) Hackers are usually those who carry out their craft with no apparent criminal intention in mind
- Grey Hat Hackers sit in the middle, often hacking into a system just to prove they can, but afterwards usually notifying the vendor or owner of the weakness
White Hat Hacking
- Usually hired by companies to carry out vulnerability assessments and penetration testing, a technique that helps to determine how secure the company’s systems are.
- It’s a necessary business service that allows businesses to identify their weaknesses and shore up their defences against real criminals (Crackers / Black Hats)
Is Ethical Hacking Legal? – It depends!
- Companies believe that authorizing an ethical hacker to test a company’s defences is enough legal protection to justify ethical hacking. Ethical Hackers believe they are justified by the fact that they are acting in the best interests of the company that hired them
- However, what needs to be considered is how far the hacker is willing to go to test the systems, or worse, whether they switch into grey hat mode, determined to break in just to prove they can
Ethical hacking pitfalls
- Often, Ethical Hackers break laws in order to conduct their activities:
- Obtaining a user’s PII (e.g. through social engineering)
- Gaining access to the system using someone else’s credentials (obtained illicitly)
- Gaining access to confidential information
- Gaining access to customer/employee information
- Probing / “White Hat”-hacking other avenues into the company being tested, e.g. access via its business partners. Unless the business partner has been included in the scope of the penetration test, the ethical hacker has strayed outside the boundaries of the law to achieve their aims
Remarks
- “Ethical Hackers” aim to test businesses’ security in a constructive way in order to improve it
- Companies hire ethical hackers because they need to test their security. By granting their permission for the pentest, they effectively cover their corporate eyes and ears while these actions are carried out
- However, often neither the company nor the hacker knows if, or which, laws are being broken
- So it is a grey area – Ethical Hackers are not granted immunity – they need to ensure that the actions they take do not break the laws outlined in the Acts and statutes above
Worldwide View
- No single international framework for cybersecurity law, but some multi‐lateral efforts
- Budapest Convention on Cybercrime (2001)
- Council of Europe’s effort to harmonize disparate national cybercrime laws
- EU Network and Information Security (NIS) Directive
- PRIVACY – Proposed EU General Data Protection Regulation
- New law would apply to any company that controls or processes the personal data of Europeans through the offering of goods and services – even if company has no physical presence in Europe.
- Fines of up to 4% of company’s annual global revenue or €20 million for violations
- Other countries each have Cybersecurity laws
Tensions in Global Cyberspace
- The rapid growth of the Internet and sophistication of cybercrime continues to outpace the ability of the legal system to respond. The attribution problem makes policing and accountability particularly difficult.
- Cyber assets are distributed between the public sector and private sector, and the private sector is comprised of a wide range of disparate entities.
- There is a lack of international coordination on cyber issues. As a result, there is no centralized international cyber threat information sharing or common computer incident response teams.
- Different values among countries; different levels of preparedness; different degrees of interest and risks.
- Companies and governments face overlapping and conflicting sets of laws:
- Harmonization vs. divergence of regional and national laws
- Personal data laws and system/infrastructure obligations are not integrated or reconciled
- Quality of a company’s cybersecurity depends in part on visibility into traffic on its own network, but such insight can be in tension with cultural and sometimes legal barriers to electronic monitoring of employees.
- Approach to implementation: market‐driven vs. regulatory
- Governance: government‐centric vs. multi‐stakeholder
Certified Ethical Hacking Certification
A Certified Ethical Hacker is a skilled professional who understands and knows how to look for weaknesses and vulnerabilities in target systems and uses the same knowledge and tools as a malicious hacker, but in a lawful and legitimate manner to assess the security posture of a target system(s). The CEH credential certifies individuals in the specific network security discipline of Ethical Hacking from a vendor-neutral perspective.
The purpose of the CEH credential is to:
- Establish and govern minimum standards for credentialing professional information security specialists in ethical hacking measures.
- Inform the public that credentialed individuals meet or exceed the minimum standards.
- Reinforce ethical hacking as a unique and self-regulating profession.
About the Exam
Number of Questions: 125
Test Duration: 4 Hours
Test Format: Multiple Choice
Test Delivery: ECC EXAM, VUE
Exam Prefix: 312-50 (ECC EXAM), 312-50 (VUE)
Learn More
Sign up for an account on https://f5.com/labs to stay up to date
Notes:
F5 Networks, Inc. | f5.com
US Headquarters: 401 Elliott Ave W, Seattle, WA 98119 | 888-882-4447 // Americas: info@f5.com // Asia-Pacific: apacinfo@f5.com // Europe/Middle East/Africa: emeainfo@f5.com // Japan: f5j-info@f5.com ©2017 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. Other F5 trademarks are identified at f5.com. Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or affiliation, express or implied, claimed by F5. These training materials and documentation are F5 Confidential Information and are subject to the F5 Networks Reseller Agreement. You may not share these training materials and documentation with any third party without the express written permission of F5.