Not only must security professionals be skilled in many areas of security execution, they must be prepared to assist
companies in bringing wrongdoers to justice. To do this, security professionals must be knowledgeable on laws pertaining to privacy, civil and criminal activity. This encompasses understanding the issues of investigating computer crimes, the role of forensics, types of evidence and how to ensure that companies are compliant to applicable laws. Above all, security professionals must be prepared to apply prudent judgment, often in tense situations, so that appropriate decisions will be made. This domain of the CISSP® Common Body of Knowledge covers the following topics:
- Professional ethics: Ethics as they pertain to security professionals and best practices
- Cyberlaw and crimes: Types of computer crimes, and the laws and acts put into effect to fight computer crime
- Motives and profiles of attackers: Attack profiles, types and objectives
- Incident handling and investigation techniques: Computer crime investigation procedures, including types of evidence and handling procedures
Security professionals are expected to know and respect the laws and regulations governing the use of computers and information. Ethics are the rules that we fall back on when the letter of the law does not pertain to a particular situation or does not provide clear direction for a particular circumstance.
When becoming a CISSP, one must agree to accept and uphold the (ISC)2 Code of Professional Ethics, which set standards of behavior for security professionals. They range from commonsense guidance, such as "act honestly, justly, responsibly and protect society" to "stay current on skills…" These obligations are essential to building trust in the security profession that engenders respect from management and other professionals. Without this respect and trust, it is difficult to do the job to its f ull extent.
Several other organizations also offer ethical guidance and are covered in the law, investigation and ethics domain. These organizations include The Computer Ethics Institute, the Internet Architecture Board (IAB) and those of the Generally Accepted Information Security Principles (GAISP) Committee. They all provide similar expectations. As an information security professional, your behavior and actions are expected to be above reproach. Part of your responsibility is to demonstrate good information security behavior, to work to protect the privacy of others and to protect the assets of your organization. This domain also dispels some of the common ethical myths, such as "hacking is only illegal if you profit by it." Unauthorized hacking is a crime under most circumstances, and it is up to security professionals to help dispel such myths.
Cyberlaw and crime
Cyberlaw is still in its formative stages and has not kept up with the rapid progress of technology. This poses problems for law enforcement and the court systems. One of the complexities of investigating computer crimes is jurisdiction issues. If an attacker in New York bounces his traffic through three other countries and attacks a merchant in California, what law enforcement agency needs to be involved? We have moved from more traditional physical crimes to intangible crimes that are not restricted by state or country boundaries. Some countries are beginning to understand the global economic ramifications of widespread computer crime and are beginning to cooperate in investigations – but many are not.
The framework for cybercrime prosecution of any kind depends on the proper investigation and collection of evidence. Therefore, CISSP-certified security professionals are expected to be fully knowledgeable of corporate security and privacy policies, and understand what is considered acceptable behavior for employees. They should be aware of pertinent laws and regulations at the state and national level, understand incident handling procedures, what constitutes computer abuse in their protection domain, and how to gather, identify and control evidence. This is important not only for successful prosecution of the perpetrator, but it also shows due care and due diligence on the part of the organization to properly protect the assets of the corporation on behalf of the owners or stockholders. The CISSP exam covers these items in depth, including a list of actions that prove due care. If such steps are not taken, the company could be charged with negligence.
There are differences between civil, criminal and administrative/regulatory law that must be properly understood by a security professional because of the laws' continual increase in importance in the industry. Many civil cases pertain to intellectual property law, which includes trade secrets, copyright, trademarks and patents, because most often the value of a corporation is embodied in these. Each has a value, which should be classified to ensure that the proper level of security is applied in their protection.
Many types of laws are covered in the CISSP exam, including the implications of import and export laws and transborder information flow; privacy laws including the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act, the Federal Privacy Act and the European Union Principles on Privacy; and general computer security laws including the Computer Fraud and Abuse Act, and the Computer Security Act of 1989. The United States began to get serious about computer security in the 1990s with the passage of Federal Sentencing Guidelines that encompass computer crimes related to fraud, antitrust and other related white collar crimes, and with passage of the Economic Espionage Act, which provided the framework that allows the FBI to investigate corporate and industrial espionage.
Motives and profiles of attackers
People often say there is "nothing new under the sun." So too where information security is concerned; the types of crimes we face are not much different than those we faced before the computer age. Fraud, embezzlement and theft are the main motivations for criminal hackers. Computer crimes are getting more sophisticated, with hackers working in groups to steal funds, credit card information, private personal identity information and military secrets. While not every hacker has criminal intent — there are lots of curious script kiddies just testing their skills — as security professionals we must regard even the most innocent mischief as deviant behavior that should be discouraged.
There are several categories of common computer crimes: obtaining excessive privileges on a system, thereby allowing unauthorized persons the ability to alter existing data (data diddling); carrying out smaller attacks so that the larger crime goes unnoticed (as in salami attacks); and executing or distributing code that could cause a denial-of-service attack. Password sniffing, IP spoofing, signal-emanation capture and wiretapping can also be used to gather information useful in the execution of crimes. However, not all strategies involve technology. Criminals can simply hunt through discarded garbage for credit card receipts and other personal information or trick people into giving them confidential personal information, as with social engineering attacks. Security awareness programs and proper disposal of waste cannot be overlooked.
It is important the security professionals be aware of the types of crimes that can be executed within their environments and what the consequences for such actions can be.
Incident handling and investigation techniques
Mishandled evidence can negate any opportunity for prosecution. Forensic investigation of computer crime scenes is a precise science with methodical steps that must be followed. Very often a company will call in specialized consultants to conduct the crime scene investigation. Nevertheless, all security professionals should understand the basics of how to preserve a crime scene for further investigation. To avoid any mistakes that could taint evidence, an incident response policy should detail how to handle specific types of systems in the event of a computer crime.
Some companies have incident response teams that respond to information security incidents. While their main focus is to minimize damage, they must also consider the consequences of actions that could taint or damage evidence. Some systems can be safely removed from the network, while removal of others can cause loss or damage to data essential to a criminal investigation. In the very least, security professionals charged with incident handling should have a list of law enforcement agencies and resources, along with a list of computer forensic experts and advisors they can call upon to provide counsel on serious events. Specialized forensics tools are available for mining evidence safely from compromised machines, but a forensics specialist also uses tools such as a camera, imaging software, clean containers and evidence tags. By labeling evidence, recording it properly and sealing it in a container with tamperproof tape, a chain of custody is started that is trustworthy and hopefully admissible as evidence in a court of law.
There are different kinds of evidence categories. Best evidence is evidence that is undisputable, such as an original contract, as opposed to hearsay evidence, which does not have first hand proof to ensure its accuracy. Several other types of evidence are also relevant to security professionals and CISSP test-takers.
It is also important that security professionals understand the limits imposed by law on surveillance, search and seizure, and are able to distinguish between enticement — which is legal -- and entrapment, which is not. There are also subtle differences between interviewing and interrogating. Security professionals who must gather firsthand information from bystanders or victims should be aware of the difference and know how to plan and conduct these in a way that protects information about the crime.
- Now that you've been introduced to the key concepts of Domain 8, watch the Domain 8: Laws, Investigations and Ethics video
- Return to the CISSP Essentials Security School main page
- See all SearchSecurity.com's resources on CISSP certification training
CISSP® is a registered certification mark of the International Information Systems Security Certification Consortium, Inc., also known as ISC(2).