Table of Contents
- Web Application Security
- Operating System Security
- Network Security
- Hardening Your System
- Wireless Security
- Mobile Security
- Data Forensics
Legal and Ethical Issues of Security
- Legal Recourse
- Legal Controversies
- Legal Controversies Part 2: Purpose of the DMCA
- Legal Controversies Part 3: Search and Seizure
- Legal Controversies Part 4: The Patriot Act
- Full Disclosure
- Computer Privacy
- Maltego: Exploiting the Internet
- Confessions of an IT Staffer: Spying on Management
- The HIPAA Security Standard
- HIPAA Compliance Deadlines
- Securing Remote Transcription under HIPAA
- Administrative Policies for HIPAA Compliance
- HIPAA Compliance: Chain of Trust Partner Agreement
- Administrative Policies for HIPAA Compliance, Continued
- Physical Safeguards To Guard Data Confidentiality, Integrity, and Availability
- Physical Access Controls and HIPAA Compliance
- HIPAA Security Review
- HIPAA Technical Network Security Mechanisms
- HIPAA-Required Controls for Open Systems
- HIPAA Requirements: Electronic (Digital) Signatures
- Computer Crime Legislation
- Law Enforcement Agencies
- Lost Interview with the Deceptive Duo
- Ethics, Hacking, and Religion
- Information Warfare
- Securing the Electronic Health Record (EHR)
- Google Health Features for Managing EHRs
- Where Virus Writers Go to Die
- Security Issues of Going Out Of Business
- Warez My Software Going?
- Home User Security
- Job Security for the IT Security Industry
- A Biased Book Review: Chained Exploits: Advanced Hacking Attacks from Start to Finish
- Security of Mechanical Locks
- Information Security in Academics
- Holiday Security: Hackers Don’t Take Holidays
- Gary McGraw on Building Secure Software
- Gary McGraw on Exploiting Online Games
- A Student-Hacker Showdown at the Collegiate Cyber Defense Competition
- The Collegiate Cyber Defense Competition Year 3: Revenge of the Red Cell
- Questions from RSA 2007
- How to Steal 80,000 Identities in One Day
Last updated May 23, 2003.
Even though there are big headlines about computer crime, nearly everyone who works in the computer industry knows that the crimes making these headlines are a tiny fraction of the crimes that are committed. Many companies resist pursuing legal recourse for fear of the damage that publicizing the crime might cause the company. They understand that there is an inequity between how physically committed crimes and computer crimes are prosecuted. Companies also know that successful prosecution is difficult and time-consuming and they often feel that the perpetrators get a mere slap on the wrist, given the damages they cause.
It has been noted that if a bank is robbed by someone with a gun, the criminal will be hunted to the ends of the earth with whatever means necessary. But if a bank is robbed by someone with a computer, it is likely that the bank will not even acknowledge that a crime has been committed in order to avoid the publicity. Here are some statistics [John Tartaglia, "Introduction to Network Security," Computer Security Institute's Conference, November 9, 1993.] that illustrate the point.
- The average armed robber will get $2,500 to $7,500 with the risk of being shot and killed.
- Fifty to 60 percent of armed robbers will be caught, and 80 percent of those will be convicted and sentenced to an average of five years of hard time.
- The average computer criminal will get $50,000 to $500,000 with a risk of being fired or going to jail.
- Ten percent of those computer criminals that are discovered are caught, with only 15 percent of those caught being reported to authorities.
- Over 50 percent of those reported never go to trial due to a lack of evidence or a desire to avoid publicity.
- Fifty percent of those who do go to trial are convicted and sentenced to five years of relatively easy time.
However, things are changing. More laws are being written that address computer crime directly. Law enforcement agencies are being trained in the processes necessary to investigate computer crimes. The punishment for computer crimes is increasing. Companies are realizing that the publicity from prosecuting a computer crime, if handled correctly, can send some strong, positive messages. For example, it provides a forum for the company to show that it is being proactive and protecting its customers: it is improving its security (an activity its competitors may not be undertaking) and saving its customers money by reducing losses due to crime.
It is imperative that we, as an industry, and you, as a corporate representative, be willing to prosecute computer criminals. Today, very few computer criminals pay for their crimes and most of them know the chances of punishment are slim. Increased prosecution and its surrounding publicity may make some potential computer criminals drop their plans.
If you are interested in pursuing any type of investigation or legal prosecution, you should first discuss the activity with your organization's management and legal counsel and notify any appropriate law enforcement agencies (in accordance with any policies or guidelines at your site) to see if they want to pursue an investigation.
Keep in mind that unless one of the parties involved contacts law enforcement, any efforts to trap or trace the intruder may be to no avail. You should contact law enforcement before attempting to set a trap or trace an intruder.
For legal advice, it is recommended that you consult with your legal counsel. Your legal counsel can provide you with legal options (both civil and criminal) and courses of action based on your organization's needs.
Before you get started on your recovery, your organization needs to decide if pursuing a legal investigation is an option.
Criminal courts deal with issues of violations of the law. In the U.S., federal, state, and local courts address federal, state, and local laws. Computer crime laws exist in each of these jurisdictions. Cooperation between the organizations that investigate and prosecute at each of these levels is required for smooth legal recourse.
It is up to you how you want to pursue this incident. You may want to secure your systems, or contact law enforcement to investigate the case. Rules of evidence must be followed carefully if the technical evidence is to be used to prosecute the hacker.
U.S. sites interested in an investigation can contact their local Federal Bureau of Investigation (FBI) field office. Non-U.S. sites may want to discuss the activity with their local law enforcement agency to determine the appropriate steps that should be taken with regard to pursuing an investigation.
Civil courts address issues where financial harm has been done. If the victim is able to show to the satisfaction of juries and judges that he or she was financially damaged, then the judge or jury may settle the claim from the resources of the defendant, which may include future resources. If the jurisdiction allows, the judge may demand that the defendant pay actual restitution to the victim, recovering his or her losses. In the case of a civil suit, damages may be more than actual losses, with the court ordering the defendant to pay punitive damages to the victim as a means of punishment. In a case where damage is done to an individual or company, even if the person is criminally charged, it is still possible to proceed with civil processes. Although sometimes it requires more legal involvement, both tracks may be pursued, with the victim(s) receiving restitution from a criminal sentence and a financial settlement as part of a civil suit.
A security incident has many legal considerations. The organization's legal department should be notified early in the process so that it can provide input regarding the legal ramifications of various steps taken to protect information resources. The legal department can also provide input into the types of documentation that may be required for future legal action.
Legal recourse can be either criminal or civil. In a criminal prosecution, the value of the time and effort that it takes to restore the system to its initial condition may be a consideration as part of the penalty phase to determine restitution. In a civil case, you will have to itemize damages to be able to recover those damages.
Prosecution of a particular abuse may serve as a deterrent to future abuse. Deterrence may be particularly warranted if the method being used is already generally known by the public. The true value of deterrence is questionable. Many perpetrators act with irrational motives. Few are actually concerned with the chances of being caught, prosecuted, and incarcerated.
Prosecution is very important in deterring hacking. Not only will the hacker be aware that other hackers have been prosecuted for the same activities in which he was planning to participate, but each case helps define the scope of the laws and makes subsequent cases that much easier to prosecute.
Many companies are wary of legal prosecution. They fear the costs in time and personnel that will be involved, and the public perception. These fears are not unfounded, but they may be overstated. To help understand the real scope of these fears, MIS managers and computer security management should contact their company's legal office (if they have one), the local prosecutor's office, or the local law enforcement investigation bureau. Be sure to ask if there is a computer or high-tech unit.
Getting to know these people before you need them is very useful. You will better understand their processes and procedures and when and how to get them involved. This will help you understand what the impact of prosecution will be on your company.