CISSP Essentials training: Domain 8, Law, Investigations and Ethics

Not only must information security professionals be skilled in many areas of security execution, but they must also be prepared to assist companies in bringing wrongdoers to justice. To do this, security pros must be knowledgeable on laws pertaining to privacy, civil and criminal activity.

In this CISSP Essentials Security School lesson, Domain 8, Laws, Investigations and Ethics, expert CISSP exam trainer Shon Harris details the issues of investigating computer crimes, the role of forensics, types of evidence and how to ensure that companies are compliant with applicable laws. Above all, security professionals must be prepared to apply prudent judgment, often in tense situations, so that appropriate decisions will be made.

Before watching the special Domain 8, Laws, Investigations and Ethics video below, it's recommended that students first read the Domain 8 spotlight article, which provides an overview of the concepts presented in the video, such as professional ethics as they pertain to security professionals and best practices; types of computer crime and the traditional laws and cyberlaws put into effect to fight computer crime; attack profiles, hacker motives and objectives; and incident handling, investigation techniques and procedures, types of evidence and evidence handling.


    After watching the video, test your comprehension of this material with our Domain 8, Law, Investigations and Ethics quiz. Upon completion, return to the CISSP Essentials Security School table of contents to select your next lesson.

    About Shon Harris:
    Shon Harris is a CISSP, MCSE and President of Logical Security, a firm specializing in security educational and training tools. Logical Security offers curriculum, virtual labs, instructor slides and tools for lease by training companies, security companies, military organizations, government sectors and corporations.

    Shon is also a security consultant, an engineer in the Air Force's Information Warfare unit, an entrepreneur and an author. She has authored two best-selling CISSP books, including CISSP All-in-One Exam Guide, and was a contributing author to the book Hacker's Challenge. Shon is currently finishing her newest book, Gray Hat Hacking: The Ethical Hacker's Handbook.

    CISSP® is a registered certification mark of the International Information Systems Security Certification Consortium, Inc., also known as ISC(2).

    Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies. To suggest a transcript correction, contact


    Host: Welcome to SearchSecurity's CISSP Essentials: Mastering the Common Body of Knowledge. This is the eighth in the series of ten classes exploring the fundamental concepts, technologies, and practices of information system security corresponding to the CISSP's common body of knowledge. In our last class we examined business continuity. Today we take a look at the eighth domain of the CBK: fraud, investigation, and ethics.

    Fraud, theft, and embezzlement have always been a fact of life, but the computer age has brought on new opportunities for thieves and crooks. While many security professionals focus on preventing cyber attacks, it's equally important to understand how to investigate a computer crime and gather evidence. This class also covers information security regulations, laws, and ethics that guide the practice.

    Shon Harris is a CISSP, MCSE, and President of Logical Security, a firm specializing in security education and training. Logical Security provides training for corporations, individuals, government agencies, and many organizations. You can visit Logical Security at Shon is also a security consultant, a former engineer in the Air Force's Information Warfare Unit, and an established author. She has authored two best-selling CISSP books including CISSP All-in-One Exam Guide, and was a contributing author to the book Hacker's Challenge. Shon is currently finishing her newest book, Gray Hat Hacking: The Ethical Hacker's Handbook. Thank you for joining us today, Shon.

    Shon Harris: Thank you for having me.

    Host: Before we get started, I'd like to point out several resources that supplement today's presentation. On your screen the first link points to the library of our CISSP Essential classes where you can attend previous classes or register to attend future classes as they become available. The second link on your screen allows you to test what you've learned with a practice quiz on today's material. Finally, you'll find a link to the class eight spotlight, which features more details and information on this domain. And now we're ready to get started. It's all yours, Shon.

    Shon Harris: Thank you. Well, I think this is one of the most interesting areas when we're looking at information security today, because what has happened is that we have technology slamming into our legal system. What's very interesting is our legal system is being developed slowly. We come up with laws slowly, versus technology changes at the speed of light. So this is the first time that the technology and the legal system have really come together, because of all of the types of crimes that are taking place. The liability issues. The criminal and civil suits that are going on.

    There's a lot of, we're basically in grey in a lot of places on how to handle the types of crimes and the types of issues that are going on, because our legal system has been developed to deal with more of the traditional crimes that deal with tangible evidence and types of crimes. So it's very challenging in the different processes that we'll talk about here, which is identifying a type of crime that has taken place, the proper investigation steps, properly collecting tangible evidence and controlling it, getting it into, when you're going to actually try to prosecute someone you have to identify it, a lawyer that specializes in these types of crimes, and then presenting these issues to a judge and jury so they can understand the type of crime that has taken place and understand the complexities of the technology that has been used.

    So at one time, five years ago or so, hacking and any type of activity that could go under the umbrella of hacking was not deemed as serious as it is today. If you actually look at a lot of the cyber bloggers that are available throughout the Internet, you'll see how serious the court systems are getting in doling out punishment to criminals that use technology and computers as their tools in their trade of carrying out misdeeds. So at one point it wasn't deemed as serious as it is today, and it's still not looked at as serious by some corporations or some entities that are in the legal system, mainly because of awareness and not truly understanding all of the possible damages that could take place through technology. Technology is just a tool, a new tool to carry out traditional crimes.

    So the reason that information security and the legal system coming together has escalated, and everybody is working kind of at a feverish pace to figure out how to deal with the issues that are coming up, has to do with a lot of the crimes that have been taking place. We've had a stream of malware that has been released that has cost companies around the world millions of billions of dollars. Denial of service attacks that have directly affected the capabilities of companies to carry out their functionality of selling their services or products.

    Wherever credit card information is being kept, that's a huge target for criminals to gain access to this credit card information, and there have been several extortion attempts carried out. Because what happens is a merchant has a database of credit card information, somebody hacks in and gets the credit card information, they contact their victim and say, "We want $150,000 or we're going to release these credit card numbers to the Internet." A lot of cases haven't been reported, and this is called hush money, to ensure that that doesn't take place. But some of the actual attempts have been reported where either the victim did not choose to go along with the extortion attempt and the credit card numbers have been released on the Internet, or of course they got law enforcement involved and did their best to track down who was doing this.

    Identity theft is absolutely huge. The statistics on the amount of identity theft is phenomenal, the increase of it, and that's because our data is available in so many different formats electronically all over the Internet through different companies, different financial institutions, merchants everywhere. So our data is all over the place and there's now types of phishing attacks; a phishing attack is where somebody will try to fool you into giving up your information so they can actually steal your identity and then use your credit and such.

    Internal employee fraud is one of the most dangerous threats to a company, and the common terminology is like the 80/20. 80% of a company's risk comes from inside, and it's not just that all of the employees are malicious in nature and trying to carry out bad activities, it's that these internal employees have the most privileged access already that an outside intruder would have to work to get that level of privileged access. The internal employees can, a lot of the costs that directly deal with the internal threat have to do with mistakes more than with malicious activity, but there is, of course, malicious activity going on inside of companies, and a lot of companies don't seem to take that as seriously versus being concerned about the exterior threats.

    So there's espionage that's been going on for years between countries and competitors, so we just have a vast array of the types of attacks, the types of crimes that are taking place, and what's kind of frustrating is that we don't even have real statistics on the amount of damage that's been going on, because a lot of companies will not report when they've been hacked or when there's been some type of crime that's been carried out, because they don't want others to know about their dirty laundry. They don't want to negatively affect their reputation. They also don't want to tell other hackers out there that they have some type of vulnerability. Even though we understand that computer crime is generally escalating, we actually don't see the full picture because not everybody reports what's going on in their environment.

    Now there's a whole range of different types of attacks, and a salami attack is really somebody carrying out small crimes with the goal that their overall crime is not identified. So you do a salami attack basically to stay under the radar of being detected, and the common salami attack would be where you take a little bit of money from different accounts. You take a few pennies from different accounts and that's staying under the radar and it won't be identified. Individuals may not notice a few pennies missing from their account each month, and maybe the institution is not tracking at that detailed, granular level, and there's different types, it's not just with accounts. Somehow skimming off a little bit of money here and there so that nobody will notice.

    Data diddling is just modifying the actual data before it actually goes into a program or right after it comes out of a program or a system. And data diddling really is cooking the books. You're trying to modify the data to show a different reality. Possibly somebody's going to want credit so that they'll show that the numbers are different. A lot of companies have been busted lately because they have been cooking the books to try to show that their profit margins are larger and that their costs and expenses are smaller. So all of these types of things fall under different types of crimes.

    Dumpster diving, just like it sounds, is where you go through somebody's trash to try and identify things that can be used against them, and what most people don't realize is that everybody throws information away that can be directly used against you. This is actually how a lot of identity theft is taking place, where you're throwing out receipts, not shredding credit cards that have come, you're not shredding the things that you have to fill out to get new credit cards, so people are using these items against you.

    Now in this domain we go through a lot of different laws, not only the United States laws but also different parts of the world, and look at the approaches and the overall similarities. Now some of the United States laws that deal directly with the privacy issues are listed here, and of course, these are not all of them. The Privacy Act has been developed to protect United States citizens against the government agencies who are going to collect information on you. There are several different government agencies that are collecting information on the citizens for specific reasons. At one point, years ago, there was a movement to try and get all of the United States citizens' data to be put in one centralized database so that all of the agencies wouldn't have to go through the time and duplicate the efforts of gathering this data. But that never happened because it was seen as way too Big Brother and dangerous that all of the data would be held in one location.

    So the different government agencies are responsible for collecting data on citizens for their specific purposes, and what this Act outlines is what the government agencies must meet to protect its citizens. So the data that is collected must be, must have probable cause for collecting this type of data, it can only be used for the purpose it was collected, it cannot be shared with other agencies without the approval of the owner of this data, whoever the data is collected on can actually see the data to identify any types of mistakes so they can correct them. There is a whole list of what the Privacy Act, it basically lays down the rules of what the agencies must go through. The European, there's European Privacy Principles that are very similar to the Privacy Act. European countries have taken privacy of data much more seriously than the United States for several years.

    Now the Electronic Communications Privacy Act basically has two Acts within it. The wiretap laws have been around for a long time and have to be continually updated because we are coming up with new ways of communication. So law enforcement has to be able to tap into these different types of communications so that they can carry out surveillance and investigations. So that is one piece of the Electronic Communications Privacy Act; the other piece is being able to look at the data as it's actually stored instead of in transmission. Wiretap laws allow law enforcement to look at data while it's in transmission and with a court order, and the other piece is looking at, being able to allow law enforcement to be able to look at stored data.

    And HIPAA and GLBA, most security-oriented people are familiar with these two Acts that have come down. HIPAA's just basically looking at medical information that is now deemed as private information and has to be protected as such. HIPAA does not just affect medical institutions but affects doctors' offices, insurance companies, if there's exterior lab companies, any type of organization that holds medical information now has to go through a lot of different steps and procedures to protect that properly. GLBA is looking at not medical information but more of the financial information that is not public that institutions have to protect. And in this domain we talk about how employees should be properly monitored, because since the, we have the 80/20 rule, meaning that 80% of the threat comes from the inside, and companies should be proactive and properly monitor their employees and track and audit the activities to detect any type of fraudulent activity or malicious activity that is going on. But before you do this, before a company actually sets up their monitoring policies, several things have to take place. The company has to understand what it can do legally in the first place. Because we've got state laws that deal with privacy, we've got federal laws that deal with privacy. So first the corporation needs to understand what it can do within its region legally and then make sure that it's compliant with the federal laws.

    So in employee monitoring we need to make sure that everyone is monitored equally. That you're not picking on specific individuals, or you're not showing that you're trying to just audit certain individuals, and these people need to know that this monitoring can take place. That's why when you call into certain companies, especially when they have help desk type of functionality, a recording will come on saying this call may be monitored for quality assurance purposes, because they legally have to tell you that they could be monitoring that communication link. So employees have to know that this is actually going to happen, and there have been several court cases where employees have done things that the company did not want them to do and terminated them.

    The employee can come back and say that I didn't know that I wasn't supposed to do that, and they could actually win that case if that corporation hasn't done what they're supposed to do, which is have a policy that outlines that this type of monitoring can happen and that the employee actually knew about this. And the ways to inform employees would be, when they are logging onto their system they have a dialog box that comes up that they have to click okay to, which basically is saying that you understand that this property is company property, that your activities will be monitored, and that if you do things that are not acceptable you can be terminated or prosecuted. Also, too, posters on walls, through security awareness training. So companies have to do their part ensuring that they're doing all of this legally and properly, because when they need to take action against an employee they can actually lose a civil case if they have not done this right.

    So in this domain we go through several different types of laws and examples of laws that fall under civil, criminal, administrative. We look at profiles of the types of criminals that would carry out these types of crimes. So comparing civil and criminal, now in civil law there are actually three types of civil law; there's tort, contract, and property law. Tort law really deals directly, or can deal directly, with a lot of the types of either crimes that are carried out, but usually you use tort law when you find somebody liable for not carrying out what they're supposed to carry out. So if somebody like a company is negligent in something that they are either not doing or that they are doing, and it negatively affects individuals or another company, they can be brought to civil court and found not guilty, but found liable.

    That's different than criminal, criminal law, because in criminal law there's actually laws written out by the government to protect the citizens of the country. Civil law is based on precedent, where you look at past court cases and the outcomes of those to help make a determination of how to interpret who is liable, who is negligent in the civil cases. In criminal you actually have laws written out by the government. It's not based on the precedents of the past as much when you compare to civil. Now another difference between civil and criminal is the burden of proof that has to be met, because criminal law has the ability to hand out much more strict punishments, as in death or jail time, which are not available under civil. Then you have a higher burden of proof and more strict burden of proof that has to be met in criminal law versus civil.

    Then there's administrative law, where different organizations that are regulated have to abide by and be compliant with the regulations. The financials under the GLB Act have to be compliant with that. Health care has HIPAA. Food and drug have their own. So administrative law is when corporations or organizations are not meeting their responsibilities.

    Now there's different intellectual property laws that we need to know about. Trade secrets are something that is proprietary to a company that must be properly protected. And there's different types of controls that we talked about that could be put in place to protect a company's trade secrets, and it depends on the company. For Coca Cola it would be the formula of their product. For a software development company it could be the actual source code of the product that they sell. So a trade secret is something that makes the company competitive and must be properly protected, but you cannot, a company cannot try and prosecute somebody under the trade secret law if they have not gone through their proper steps of protecting this data that they indicate is so important to them. So companies have, there are certain things they have to do: identify trade secret information, classify the data, identify and implement the access controls that provide the necessary protection, inform the actual employees of what their expectations are when interacting with this type of data.

    Now copyright is different. Copyright is protection of the expression of ideas, not the ideas themselves. So there's a lot of things that fall under the copyright law. Anything that's written, any paper, any books, source code, melodies, there's a lot of things that are protected under copyright law, and a lot of things that make it difficult in today's world is the Internet itself, is when people put things up on their website it automatically falls under the copyright law. You don't have to register to protect your data. When it's posted it automatically goes under this law, but now that we have everything, a lot of things in electronic format, it's flowing, data is flowing all over the place versus when it's in the traditional, more tangible resources. So there's been many more types of suits because of misuse of people's copyrighted material.

    Trademark is kind of the look and feel that marketing people have come up with for companies. You have a company, you pay a marketing company or you have your own marketing resources that come up with your trademark. Maybe the large "M" in McDonald's, Gateway has the cow thing going on there, Toys R Us, the actual way they've written out Toys R Us, that's their trademark. If you study cyber law you see the complications that are actually involved. A lot of the stuff seems as though it's straightforward, but what happens when a company in Florida has come up with their own name of their company, maybe done some type of a trademark, and another company in Wisconsin has come up individually and uniquely with the same type of look or feel or the same type of company name? Now it's much more difficult because of jurisdiction issues with these types of items. In traditional law it's very easy to determine, when there's some type of crime or some type of law that's been broken, what court it actually goes to. It usually goes to a local court. But when you're going across state boundaries it usually goes up to a federal court, but jurisdiction is a very slippery issue now when we're dealing with information security and the Internet.

    Patent, there's several different types of patents because several things can be patented. It just allows the owner to have ownership; whoever comes up with an idea or an invention, they have ownership of that invention and control who can use it for a specific period of time. The patent is only good for a specific time period.

    Now in this domain we spend a lot of time going through the actual investigation and prosecution steps, which is much more difficult in the intangible world versus the tangible type of traditional crimes. Now, and also we look at something that I'm not covering here, but it's validation analysis, or violation, I'm sorry, violation analysis, because before, let's say you have something, say a system that's acting strangely or you think that there's been some type of an attack or computer crime, you need to ensure that it actually is an attack or computer crime before maybe you get the big guns in.

    Before you call law enforcement, before you call outside consultants, you go through this analysis to determine if something bad has taken place or if something is just misconfigured. I work with a lot of people who do forensic work, and they all have very good stories about how they've been called frantically by their customers saying there's some type of an attack going on, and they get there and they find out that really it's just that they don't understand their own technology. And maybe it's something that's been reconfigured or something.

    Now we'll work under the scenario that a crime has taken place, it's some type of attack, somebody penetrated an environment. What needs to happen is management has to make the decision on the next steps, which is determining if law enforcement is actually going to get involved with the process. For management to make the decision if law enforcement is going to get involved, they just have to understand what that means. If you bring law enforcement in, then the actual investigation and the outcome of that investigation could be part of the public domain, versus if you do your own internal investigation then you have more control over what type of information gets leaked to the public or available to the public. This is actually why we don't have statistics on the types of computer crimes, because companies have decided that they want to keep everything as quiet as possible and they try to do their own internal, either their own internal investigation or they call in investigators and forensics from the public sector instead of law enforcement.

    Law enforcement has specific, we have different types of law enforcement that have their own jurisdictions: the Secret Service is responsible for investigating certain types of computer crimes, the FBI, and then your actual local law enforcement. So they have their specific jurisdictions. The Secret Service's jurisdiction and activities in investigating these types of crimes have increased since Homeland Security. So management needs to make the decision on how they're going to address the investigation. Some companies decide that they just want to identify how somebody got in and plug the hole and move on, but other companies want to actually carry out an investigation and try to track down the bad guy for possible prosecution.

    Now it's important to understand that evidence has an actual life cycle. That means the life cycle of evidence is when it's collected and when it's transported, when it's stored, when it's transported to court, and then back to the owner of that evidence. So that's the life cycle of evidence, but it's the chain of custody that addresses, through those different stages of the life cycle, that the evidence has to be properly protected, or the evidence may not be admissible or the evidence could be contaminated. So the chain of custody looks at who actually collected the evidence. If it was done legally and properly. How it was transported. How it was maintained and stored, because if you don't properly protect the evidence somebody could get in and modify it, and a lot of evidence has been thrown out or not admitted because the investigators have not gone through the chain of custody.

    What really happens is that when you get your evidence, you bring your evidence into court and the other team, which is most likely the defense, the teams are going to fight against each other. Prosecution and defense are going to fight against each other, and the other team is going to try to identify any of the ways that you've fallen down in protecting your evidence. If they can show that you did not carry out the care in properly protecting it, then they can get your evidence thrown out of court.

    Now there's a whole list of different evidence types that we, there's a whole list of evidence types that we cover in the domain. This is just a very short list. You need to know what best evidence is, and secondary evidence, and direct evidence, and real evidence, and demonstrative evidence. So there's all of these basic categories that evidence can fall into depending upon the type of evidence it is; for example, the original signed contract would be considered best evidence and it has a lot of weight. The issue is how much weight does this evidence provide in the court case.

    So we have circumstantial evidence; this doesn't have as much weight if it's actually accepted, because circumstantial means that somebody has to assume a fact that has not been properly proven to accept this evidence. So this means that you have to assume that something else is true to actually take the circumstantial evidence seriously.

    We have supplementary evidence, opinion evidence. Now opinion evidence is either a witness is testifying and must give, actually not their opinion, but if a witness testifies they give the facts of what they've seen, and that's different than an expert witness. An expert witness is actually there to give their opinion, which is based on their education, their experience, and specific fields. Just like in any type of crime, in computer crimes there are usually expert witnesses that are coming, and especially in computer crimes they use a lot of expert witnesses to explain how these attacks, how these crimes can take place to the jury and to the judge and to provide credibility.

    And hearsay evidence has a low amount of weight, again if it's actually accepted, because it's more of a he said, she said. Bob told Sally that Joe was going to kill Sue. You don't have any first-hand proof of this. Now how it comes into computer crimes is that any computer-generated evidence is usually considered hearsay evidence, because the computer-generated evidence can be modified without anybody knowing it. There's exemption rules that you need to know about. Business record exemption rules. Dealing with computer-generated evidence that would go into this domain, and we look at how companies need to come up with their own incident response team, and this is where a lot of companies actually fall down.

    Companies will set up security programs, they'll develop their policies or procedures, put in access controls, and put in firewalls and intrusion detection systems and all of that, but a lot of them do not come up with an actual team to deal with issues when things go bad. Because things will go bad. People will try to attack you if you have some type of system that's connected to the Internet. People will try to get in. There's different types of criminals. There's script kiddies, which mainly cost companies a lot of money in operational costs in just cleaning up and dealing with the script kiddies, and there's more dedicated types of criminals that have chosen a specific target for a specific purpose and are very dedicated and will go through their stuff much more cleanly than a script kiddie.

    The company needs to decide the actual threat that it faces. The types of enemies that they have. The types of attacks and crimes that can take place, but no matter what, no matter what your risk level is, you need to have an incident response team. What this team does, they're the ones that are called to the scene when something bad happens; they're alerted. These people are alerted. The first thing that they need to do is ensure that the damage is contained: if it's a virus, then that system needs to be taken off of the network. If it's an active attack going on, to ensure that the intruder cannot get into other systems and carry out damage. The company needs to determine if their internal incident response team is actually going to try to carry out an investigation, collect evidence, go through forensics activities, or if they're going to use outside entities. That's usually the case. Most companies, unless they're very large, most companies don't have the capability to carry out proper investigation steps and forensic activity, but they still need to have an incident response team to be involved with the actual incident.

    We see who should be on the team, and it is not just the techies. We need to have management involved. That doesn't mean you have a manager there looking at a hard drive. It means that management needs to be in the loop and make the determinations of how these steps are carried out. Okay, are we going to get law enforcement involved or not? They need to be updated. Human Resources and Legal have to be involved, especially if the suspect is an internal employee. When some type of crime has taken place, there are full investigation steps that have to be carried out. This is just, again, a very short list of what you need to know for this domain, but you need to collect evidence, and the first thing you do is photograph the area, what's actually on the screen. Basically you're documenting: this is what the scene looked like before we did anything. The team, whoever it is, internal or external, needs to dump the memory from the system before it's shut down, because if there has just been some type of activity, attack or some type of crime, then there could be very useful information in memory.

    Then the system needs to be pulled, powered down, and it depends; the team has to decide how the powering down is going to happen. It's best if the team can just pull the plug and not let the system come down gracefully, because when a system comes down gracefully it changes a lot of the time stamps and so you can't actually get the state. You want to get as much of the state of the system during the time of the crime, versus if you let the system power down, then there are a lot of state changes that happen. Again, the team has to make that determination because UNIX systems don't necessarily enjoy just losing power, whereas Windows systems are much more tolerant. So the evidence is collected properly and put into some type of containers and labeled, and there are things that have to happen. The labeling has to have who's collected the evidence, the date, time, and if law enforcement's involved then there is a case number that's assigned that must go on every label.

    And then computer forensics starts. Just like any type of forensics, it's specialized skills; it's looking at the scene and trying to identify evidence that can be collected and trying to piece together really what took place here. In computer forensics it's very specialized; the people who carry this out, anybody who's carrying out computer forensics, have to intimately understand how operating systems work, the file systems, the types of attacks, the types of tools, the techniques, where data could be hidden, and it's a very interesting but very different type of skill than most technical people have today. In the actual domain we usually go through several different examples of crimes and real-world scenarios of how they've been investigated, either properly or improperly, and how that's directly affected the outcome of the court case.

    I think one of the more interesting forensics cases that I've known about is where a military officer was found dead at the scene and on the actual computer, on the screen, was a suicide note. Now the investigators didn't know if the person was murdered and somebody just left the suicide note to try and make the team think it was a suicide, or if it was actually a suicide. So computer forensics got involved and they looked, and they found within slack space another, an older, suicide note. What slack space is: on your hard drive you have sectors that can hold a certain amount of data. So if you have a sector, let's say it's 64 bytes, and you save a file that's 30 bytes, well, you have some extra data, previously stored data, and in this case they actually found an old suicide note in that slack space, which can only be found by somebody who's skilled enough to look for that, and they determined that it was actually a suicide. But computer forensics is one of the, a field within information security that is exploding because of all the investigations that need to take place for the different types of crimes that are happening.

    Now a company has to take responsibility for what they're doing or not doing, and that is accomplished in Due Diligence and Due Care. Due Diligence is that a company needs to understand all of these types of threats that they're faced with. Due Diligence is doing the research and the investigation of risk assessment, risk analysis. Due Care is doing the right thing, actually acting upon the outcome of the assessments or the analysis and doing the right thing by putting up barriers to protect the actual company assets from a whole range of threats. In law the Prudent Person Rule, it used to be called the Prudent Man Rule, but I guess we had to get politically correct, but what the Prudent Person Rule basically says is this is how we make our judgments, this is how we help determine if somebody's acted reasonably or not. So let's say that you've been taken into court and the court, the judge and jury, need to make a determination on if you could be held liable for a certain activity that's happened.

    So we have a Prudent Person, which is somebody who doesn't actually exist; it's this person that we determine is responsible and prudent, and we say, how would this person react in a situation that is being scrutinized right now? How would this person act? Then we look at how you acted and make a determination on if you acted responsibly, if you acted in a prudent way. Now this is a very basic and kind of crude definition of the Prudent Person Rule, but it conceptually explains to you that a company has to carry out Due Diligence and Due Care, which just means that they're acting responsibly. Does it mean that they can protect themselves from everything? Absolutely not, but when you go into court they'll look at the steps that you've gone through and see if you've actually done what a reasonable and prudent person would be expected to do.

    And Downstream Liability has to do with negatively affecting somebody else or another company. These types of cases are becoming more prominent. Let's say, for example, you and I have, we have an extranet, we're partners and we have an extranet, meaning we're sharing some types of resources. I do not ensure, maybe I'm not doing proper egress filtering, which means looking at the data that's leaving my network, and maybe there's a system that's compromised on my network that is attacking your system and it negatively affects you. Well, I'm not carrying out Due Care. I'm not acting responsibly, and that would be considered a Downstream Liability where you could actually sue me and be successful at it, most likely.

    And in this domain we cover several steps of ethics and how they relate to law and how they relate to a lot of the activities that are going on today, and this is (ISC)²'s credential; this is all about obtaining the CISSP credential. And before you can actually sit for the exam there is a long list of ethics that you must agree to, and once you obtain your CISSP credential you must uphold them. These are just the four canons, but the actual, there's a whole list of ethics that you need to understand before you commit to upholding them. Basically the overall goal is if you, if and when you obtain the CISSP credential, that you act professionally and you don't put yourself in places that could be seen as conflicts of interest. You don't accept jobs that you're not properly qualified for. You act as a professional so that anything that you carry out does not reflect negatively on anybody else who has the CISSP credential. So it's all about keeping the integrity of the credential real.

    The Internet Activities Board is a committee that has different working groups developed to come up with new technology for the Internet and maintain the Internet. For example, the Internet Activities Board had a group that developed IP version 6. They come up with new protocol standards and such. They also have a set of ethics that you need to be aware of. Basically they see the Internet as a privilege that must be treated as such. So they've outlined what they deem as unethical, and it's important for you to be aware of when you're actually sitting for this exam.

    Now there are many, many things that we're not able to cover because this is just kind of a glimpse at the overall domain, but I think that this is one of the, a very interesting portion of the Common Body of Knowledge where we are today. It's hard to realize what all is going on around us right now because we're in these evolutionary steps, trying to figure out how to deal with different types of computer crimes. So it's hard to be objective when you're right in the middle of things, and a lot of people don't realize that a lot of things are being shaped right now in the legal arenas that are going to directly affect all of us in the upcoming years. There are different laws and acts that have been developed to try to deal with the types of crimes that are controversial right now. The Computer Fraud and Abuse Act is the most commonly used law for prosecution of different types of crimes, but what's interesting is that it doesn't apply to all the types of crimes that can take place.

    For example, eBay had, there was a company that had bought, so their individual module had a little robot going over their site continuously, extracting what's being auctioned right now for what price. So they had these bots that were continually, basically, sapping resources from their site, and to properly use the Computer Fraud and Abuse Act you have to prove that you've lost at least $5,000. Well, their legal department couldn't show that they lost $5,000 in direct cost or that they lost $5,000 in customer revenue, so what the legal team had to do is get creative and use state laws and try to retrofit these laws to map to this new type of crime. So the actual individual was charged with trespassing.

    So this is, computers and technology are just new tools to carry out traditional crimes. These issues are only going to become more and more important, and as security professionals we should definitely be up to date with these, how they affect maybe your own corporation or, if you're a consultant, how it affects a range of customers that you'll be working with.

    Host: Thank you Shon. This concludes class eight of CISSP Essentials: Mastering The Common Body of Knowledge, Law, Investigation, and Ethics. Be sure to visit for additional class materials based on today's lesson and to register for our next class on physical security. Thanks again to our sponsor and thank you for joining us. Have a great rest of the day.

    This was first published in September 2008
