There are several laws, standards, and organizations that affect intrusion prevention and detection. The beauty and the danger of the cyberworld is that it respects no jurisdictional boundaries between states and countries: we can exchange information freely across borders. From a legal perspective, this offers unique challenges. For example, in the U.S. the Fourth Amendment allows only limited searches and seizures that target a specific piece of evidence, but this is usually not how computer investigations work. Investigators typically do not know exactly what they are looking for when they start searching. The U.S. Constitution gives the federal government the power to regulate interstate and foreign commerce, and it is under this power that many of the laws pertaining to the protection of networks are federal statutes.
Internationally the same is true. For example, the European Union Privacy Directive (EUPD), also known as the EU Data Protection Directive, took effect on October 25, 1998. This directive set forth privacy and data protection policies that have set the stage for international laws. The EUPD is discussed in more detail later in this chapter.
It is important to start with a basic discussion of the primary legal systems that exist today: common law, civil law, and Islamic law. Common law and civil law between them characterize the majority of the legal systems in use today; the remaining 20 percent or so are based on Islamic law.
Common law started in the traditions of the English. Later these laws were written down and refined over hundreds of years. Common law is based on the precedents set by earlier judgments over a period of time; a judgment is arrived at by examining the facts and applying the legal precedents.
Common law is in force in England, Canada, and the United States. When settlers came from England to what became the United States, their common law was adopted by most states as basic law. Presently, most common law has been enacted into statutes, with some modern variations, by all the states with the exception of Louisiana, which is still influenced by the Napoleonic Code.
The basic document of all civil law, the Corpus Juris Civilis, came from the Byzantine Emperor Justinian I. Civil laws are codified laws, which means they are an orderly arrangement of laws into understandable, compact volumes. The Romans prepared codes and revised obsolete laws from time to time. Civil law works on the legal principle of free introduction and evaluation of evidence. The countries of continental Europe, Latin American countries, and many countries that have adopted Western legal systems, such as Japan, follow civil law (as, within the United States, does Louisiana).
Islamic law controls the family and property interests of Muslims in countries where personal law is determined by religion. Religion and state are not separated: Islamic law is controlled, ruled, and regulated by the Islamic religion, and the religion of Islam and the government are one. This type of law is based on punishment. Offenses in the “taazir” (ta'zir) category are those for which the punishment is not fixed by religious text but is left to the discretion of the judge.
There are several U.S. computer-related laws relevant to intrusion detection and prevention. This is by no means a comprehensive discussion of the law affecting computer-related crimes, but simply a general look at how the law may affect the use of IDSs and IPSs.
In the United States, statutes are written by the government to define criminal activity. The primary statute pertaining to computer-related crimes is 18 U.S.C. 1030, the Computer Fraud and Abuse Act (CFAA).
The CFAA was enacted to protect any computer that is used in interstate or foreign communication. This essentially brings all computers in the United States that have Internet access into the scope of the statute. The statute criminalizes unauthorized access to computer systems, theft of information in computer systems, and unauthorized modification of data in computer systems.
In response to the changing nature of technology, the U.S. Congress enacted Public Law 99-508, the Electronic Communications Privacy Act (ECPA) of 1986. The act is divided into two parts: Title I, Interception of Communications and Related Matters (the Wiretap Act, 18 U.S.C. 2510 et seq.), and Title II, Stored Wire and Electronic Communications and Transactional Records Access (the Stored Communications Act, 18 U.S.C. 2701 et seq.). Title I restricts people from listening in on private communications, including computer communications. The key word here is private: there are public communications, such as bulletin boards, that are freely accessible. Title II deals with accessing systems to which one is not authorized, or to which one has authorized access but has exceeded the level of access authorized, such as gaining superuser privileges on a system on which only regular user privileges are authorized. The act makes these kinds of access a federal offense and prescribes punishment for violations.
If you are using an IDS or IPS on your network, how do you justify looking at packets of private communications without breaking the law? An IDS or IPS will invariably capture personal data, such as social security numbers, driver's license numbers, credit card numbers, and so on. When you run an IDS/IPS on a network, it is typically the private network of the organization, not of the individual using it. Therefore it is important to make clear to your organization's users that all communications within the network are the property of the organization and are not to be used for private or personal communications (except possibly for permitted “incidental use”). It is also critical to advise users that anything they do while using a computer or network owned by the organization is subject to inspection and/or search. Warning banners displayed at login, before the user authenticates, generally provide the best avenue for advising users of these policy provisions, because a user who continues past the banner has been put on notice.
18 U.S.C. 2703 (in Title II of the ECPA) allows law enforcement agencies to obtain stored data, such as intrusion-detection data, and to seize the hardware associated with those data. The ramifications for an ongoing intrusion-detection effort are potentially huge: an ongoing IDS/IPS capability could conceivably be dismantled by a law enforcement agency acting in accordance with this law. This is another good reason to have a second line of intrusion-detection and prevention capabilities in place.
The Sarbanes-Oxley Act
Corporate governance was changed in the wake of recent financial scandals. Congress enacted the Sarbanes-Oxley Act of 2002, which requires that organizations follow rigorous guidelines to validate the accuracy of their financial data and management due diligence. CEOs and CFOs must personally certify that their companies’ statements are complete and accurate. Large penalties, including imprisonment, are specified for violation of this act.
This act affects organizations using IDS and IPS because it requires that all evidence, including evidence stored on computers used in connection with intrusion detection and intrusion prevention, be properly preserved and cared for if that evidence is needed in a federal investigation. Taken literally, Sarbanes-Oxley might even require that bulk packet dumps gleaned by an IDS or IPS be preserved, something that would require massive archiving and storage capacity. The bottom line is that every organization that engages in intrusion detection and/or intrusion prevention needs to determine how the need to comply with the Sarbanes-Oxley Act affects the procedures used in connection with these activities, and then modify those procedures accordingly.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, was passed to improve the privacy and efficiency of the health care system. HIPAA establishes a foundation of federal protections for the privacy of protected health information. HIPAA sets the foundation but in no way replaces more in-depth and specific federal or state laws. Specifically, HIPAA requires a thorough analysis of risk and of information-handling processes for information systems, to help ensure the integrity of patient health information. Full compliance requires that the health care organizations to which this law applies understand the threats and liabilities to health-related data and put a range of safeguards and best practices in place. In addition, HIPAA requires a clear way to detect and report security violations, and it specifies penalties for failure to comply.
Interpreting HIPAA
Few pieces of legislation have caused as much confusion in the health care and information security arenas as HIPAA. HIPAA compliance requires five phased steps: specification of privacy rules for larger health providers, system testing, compliance with transactions and code sets, specification of privacy rules for small health providers, and final security compliance. Although HIPAA specifies what must be accomplished to meet the requirements of this law, how to do this is a matter of interpretation. Vendors have developed compliance methodologies and products, such as the SES HIPAA Compliance Product (see http://www.sessecure.com/main.asp), to make compliance easier. But no one really knows how the U.S. government will actually evaluate the degree to which each organization has complied with the requirements of this act.
HIPAA affects organizations' IDS/IPS efforts in a manner similar to Sarbanes-Oxley, because logs and evidence must be preserved. “Due care” in the processing and reporting of information is crucial to compliance for organizations dealing with health information, such as hospitals, insurance companies, and clinics.
The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, provides privacy protection against the sale of private financial information. GLBA includes three requirements to protect the personal data of individuals. First, banks, brokerage companies, and insurance companies must securely store personal financial information. Second, they must advise consumers of their policies on sharing personal financial information. Third, they must give consumers the option to opt out of some sharing of personal financial information. There are fewer potential implications for intrusion detection and intrusion prevention than with Sarbanes-Oxley and HIPAA. Nevertheless, organizations would be well advised to examine the implications of the Gramm-Leach-Bliley Act if they sell or exchange intrusion-detection data that may contain private financial information.
An entire book could be written about the different state laws that are in effect. Table 15-1 provides a partial list, by state, of computer-related laws in effect. California's SB1386 statute has wide implications not only for other states but for other countries as well. A good source for researching state laws is http://nsi.org/Library/Compsec/computerlaw/statelaws.html.
Table 15-1: Computer-related laws by state (partial list)

| State | Computer Crime Laws |
|---|---|
| AL | Computer Crime Act, Code of Alabama, Sections 13A-8-100 to 13A-8-103 |
| AK | Statutes, Sections 11.46.200(a)(3), 11.46.484(a)(5), 11.46.740, 11.46.985, 11.46.990 |
| AZ | Revised Statutes Annotated, Sections 13-2301(E), 13-2316 |
| CA | Penal Code, Section 502; California Statute SB1386 |
| CO | Revised Statutes, Sections 18-5.5-101, 18-5.5-102 |
| CT | General Statutes, Sections 53a-250 to 53a-261, 52-570b |
| DE | Code Annotated, Title 11, Sections 931-938 |
| FL | Computer Crimes Act, Florida Statutes Annotated, Sections 815.01 to 815.07 |
| GA | Computer Systems Protection Act, Georgia Code Annotated, Sections 16-9-90 to 16-9-95 |
| HI | Revised Statutes, Sections 708-890 to 708-896 |
| ID | Code, Title 18, Chapter 22, Sections 18-2201, 18-2202 |
| IL | Annotated Statutes (Criminal Code), Sections 15-1, 16-9 |
| IN | Code, Sections 35-43-1-4, 35-43-2-3 |
| IA | Statutes, Sections 716A.1 to 716A.16 |
| KS | Statutes Annotated, Section 21-3755 |
| KY | Revised Statutes, Sections 434.840 to 434.860 |
| LA | Revised Statutes, Title 14, Subpart D, Computer Related Crimes, Sections 73.1 to 73.5 |
| ME | Revised Statutes Annotated, Chapter 15, Title 17-A, Section 357 |
| MD | Annotated Code, Article 27, Sections 45A and 146 |
| MA | General Laws, Chapter 266, Section 30 |
| MI | Statutes Annotated, Section 28.529(1)-(7) |
| MN | Statutes (Criminal Code), Sections 609.87 to 609.89 |
| MS | Code Annotated, Sections 97-45-1 to 97-45-13 |
| MO | Revised Statutes, Sections 569.093 to 569.099 |
| MT | Code Annotated, Sections 45-2-101, 45-6-310, 45-6-311 |
| NE | Revised Statutes, Article 13(p) Computers, Sections 28-1343 to 28-1348 |
| NV | Revised Statutes, Sections 205.473 to 205.477 |
| NH | Revised Statutes Annotated, Sections 638:16 to 638:19 |
| NJ | Statutes, Title 2C, Chapter 20, Sections 2C:20-1, 2C:20-23 to 2C:20-34, and Title 2A, Sections 2A:38A-1 to 2A:38A-3 |
| NM | Statutes Annotated, Criminal Offenses, Computer Crimes Act, Sections 30-16A-1 to 30-16A-4 |
| NY | Penal Law, Sections 155.00, 156.00 to 156.50, 165.15 subdiv. 10, 170.00, 175.00 |
| NC | General Statutes, Sections 14-453 to 14-457 |
| ND | Century Code, Sections 12.1-06.1-01 subsection 3, 12.1-06.1-08 |
| OH | Revised Code Annotated, Sections 2901.01, 2913.01, 2913.04, 2913.81 |
| OK | Computer Crimes Act, Oklahoma Session Laws, Title 21, Sections 1951-1956 |
| OR | Revised Statutes, Sections 164.125, 164.377 |
| PA | Consolidated Statutes Annotated, Section 3933 |
| RI | General Laws (Criminal Offenses), Sections 11-52-1 to 11-52-5 |
| SC | Code of Laws, Sections 16-16-10 to 16-16-40 |
| SD | Codified Laws, Sections 43-43B-1 to 43-43B-8 |
| TN | Code Annotated, Computer Crimes Act, Sections 39-3-1401 to 39-3-1406 |
| TX | Codes Annotated, Title 7, Chapter 33, Sections 33.01 to 33.05 |
| UT | Computer Fraud Act, Utah Code Annotated, Sections 76-6-701 to 76-6-704 |
| VA | Computer Crime Act, Code of Virginia, Sections 18.2-152.1 to 18.2-152.14 |
| WA | Revised Code Annotated, Sections 9A.48.100, 9A.52.010, 9A.52.110 to 9A.52.130 |
| WI | Statutes Annotated, Section 943.70 |
| WY | Statutes, Sections 6-3-501 to 6-3-505 |
California's Notice of Privacy Breach statute, usually referred to as SB1386, was passed on September 26, 2002, and took effect on July 1, 2003. This statute is broad in reach and is intended to affect any organization anywhere in the world that does business in California and/or maintains personal data on California residents. If that information is acquired by an individual without authorization, or is reasonably believed to have been acquired by an unauthorized person, the organization that stored the information is subject to the statute and is required to notify every affected California resident of the breach in a timely manner. What “timely” means is a matter of interpretation, and the punishment for violation is not specified (although the law states that offenders can face civil lawsuits). Although how, or even whether, this law can be enforced outside the United States is uncertain, SB1386 does set a potential precedent for international law.
How SB1386 applies to intrusion detection and intrusion prevention will be interesting to watch. As stated earlier, it is inevitable that data on individuals will be collected wherever IDS/IPSs are in place. No court precedent had been set for SB1386 at the time this chapter was written.
There are many laws that have been enacted internationally that affect computer crime and privacy, specifically relating to intrusion detection and prevention. This section covers some of the more notable ones.
The European Union Privacy Directive, also known as the EU Data Protection Directive, took effect on October 25, 1998. It requires that organizations set forth policies that will keep personal data private. The directive requires a host of policies to be followed, including these:
The United Kingdom Computer Misuse Act was created in 1990 and states that any attempted or actual computer access, without the proper authority, may be regarded as a breach of security. The act covers any incident where one or more components (for example, the user, telecommunications, or computer) are located within the United Kingdom.
The Federal Commissioner for Data Protection (Bundesbeauftragter für den Datenschutz) is responsible for supervising the Federal Data Protection Act (Bundesdatenschutzgesetz) in Germany. The act provides criminal penalties, including jail time, for those who fail to protect data adequately.
The People's Republic of China has two computer-related regulations that have an impact on computer crime: the Revised Provisional Regulations Governing the Management of Chinese Computer Information Networks Connected to International Networks, and the Computer Information Network and Internet Security, Protection, and Management Regulations. These regulations set out specific guidelines that must be followed for communications within the People's Republic of China.
Computer laws have come a long way in the past decade and are continuing to improve. The biggest problems arise in applying them across international boundaries, because many countries still do not have substantive laws that specifically criminalize computer crimes. This can hinder the investigation and prosecution of computer crimes. An example is the U.S.-Philippine investigation of the suspected perpetrator of the ILOVEYOU virus, which brought down many e-mail systems worldwide. That investigation was hampered by the lack of specific computer-crime statutes.
The other problem is the lack of case law and legal precedent in most countries for handling computer-related crimes. While legislatures have made efforts to pass statutes dealing with computer-related issues, there is little case law interpreting them, and in common-law systems it is case law that gives statutes their settled meaning. Because computer technology has grown very quickly, there has not been enough time to build up the legal precedents needed for jurisprudence. This will take time.
There are also issues of jurisdiction. Computer-related crimes are very difficult to investigate and prosecute. Who has jurisdiction if a crime is committed from one country and the victim is in another? An attack may also be launched from multiple locations around the globe, and attackers may deliberately operate from a country with little or no relevant legislation in order to elude prosecution.
In addition to the many laws that are in place to help guide you, there are also many, sometimes competing, standards that have been developed in the IDS and IPS field. Standards help to set a common ground for interoperability between solutions, and they help to develop a more mature technology.
The result of these standards is that security professionals can communicate with each other using the same terminology and with an expectation of interoperability, even though they may have different IDSs or IPSs implemented.
This section provides a partial list of the main IDS- and IPS-related standards.
The Common Intrusion Detection Framework (CIDF) was a joint effort of a number of companies and organizations and the Defense Advanced Research Projects Agency (DARPA). The project was started in 1997 and is now dormant. The purpose of the group was to develop protocols and application programming interfaces (APIs) so that information could be shared between intrusion-detection research projects. Most of the contributions came from the United States, but there was growing international participation in the group. For more information about CIDF, go to http://www.isi.edu/~brian/cidf/.
Many of the ideas put forth by CIDF were picked up by an Internet Engineering Task Force (IETF) working group, named the Intrusion Detection Working Group (IDWG). The IDWG helped to develop a common format for IDS alerts and exchange procedures for sharing information with systems that need to interact with them.
Two interesting works that have come from the IDWG:
The MITRE Corporation maintains the Common Vulnerabilities and Exposures (CVE). CVE is a list of standardized names for vulnerabilities and other information-security exposures, developed in a collaborative effort. The goal is to standardize the names for all publicly known vulnerabilities and security exposures. This will help when sharing data across separate vulnerability databases. CVE is considered a dictionary of known vulnerabilities, not a database. It can be found at www.cve.mitre.org.
Following is an example of a CVE entry, for a Windows Media Player 7 vulnerability. You can see how it cross-references the vulnerability with other sources: in this case, BUGTRAQ (a posting to the Bugtraq mailing list), MS (a Microsoft security bulletin), XF (the X-Force vulnerability database), and BID (a SecurityFocus Bugtraq ID database entry).
CVE-2001-0137 Windows Media Player 7 allows remote attackers to execute malicious Java applets in Internet Explorer clients by enclosing the applet in a skin file named skin.wmz, then referencing that skin in the codebase parameter to an applet tag, a.k.a. the Windows Media Player Skins File Download vulnerability.
Reference: BUGTRAQ:20010115 Windows Media Player 7 and IE java vulnerability - executing arbitrary programs
Reference: MS:MS01-010
Reference: XF:win-mediaplayer-arbitrary-code(5937)
Reference: BID:2203
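The value of a CVE entry for IDS work is the cross-references: an alert that carries a CVE name can be joined to the vendor bulletin, the Bugtraq ID, and the X-Force record without a free-text search. The following parser is an added example written for this chapter, not MITRE's code or any official CVE tool. It reads the flat entry format shown above (the CVE name followed by the description, then one "Reference: SOURCE:ID" line per cross-reference) and returns a structured record. The handling of the BUGTRAQ form (date followed by posting title) and the XF form (slug with the numeric key in parentheses) follows the layout of the entry quoted above and is an assumption for any other entries; the sample input is a constructed copy of that entry.

```python
"""Parse a flat-text CVE entry (name, description, Reference: lines) into a record.

Added example for this chapter; not part of CVE or MITRE's tooling.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the CVE-2001-0137 entry as quoted in this chapter.
SAMPLE_ENTRY = """CVE-2001-0137 Windows Media Player 7 allows remote attackers to execute malicious Java applets in Internet Explorer clients by enclosing the applet in a skin file named skin.wmz, then referencing that skin in the codebase parameter to an applet tag, a.k.a. the Windows Media Player Skins File Download vulnerability.
Reference: BUGTRAQ:20010115 Windows Media Player 7 and IE java vulnerability - executing arbitrary programs
Reference: MS:MS01-010
Reference: XF:win-mediaplayer-arbitrary-code(5937)
Reference: BID:2203
"""

CVE_NAME_RE = re.compile(r"^(CVE-\d{4}-\d{4,})\s+(.*)$")
REF_RE = re.compile(r"^Reference:\s*([A-Z0-9-]+):(.*)$")
# X-Force references look like "slug(1234)"; the number is the database key.
XF_RE = re.compile(r"^(.*)\((\d+)\)$")


@dataclass
class Reference:
    source: str   # BUGTRAQ, MS, XF, BID, ...
    ident: str    # the key a practitioner would look up in that source
    title: str = ""  # free text, where the source carries one


@dataclass
class CveEntry:
    name: str
    description: str
    references: list = field(default_factory=list)


def parse_reference(line):
    """Split one 'Reference: SOURCE:rest' line into a Reference."""
    m = REF_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a reference line: {line!r}")
    source, rest = m.group(1), m.group(2).strip()
    if source == "BUGTRAQ":
        # Assumed layout, as in the sample: "YYYYMMDD <posting title>".
        date, _, title = rest.partition(" ")
        return Reference(source, date, title)
    if source == "XF":
        # Assumed layout, as in the sample: "slug(numeric id)".
        xm = XF_RE.match(rest)
        if xm:
            return Reference(source, xm.group(2), xm.group(1))
    # MS bulletins, BIDs and anything else: the whole remainder is the key.
    return Reference(source, rest)


def parse_entry(text):
    """Parse a whole entry. Description lines must precede Reference: lines."""
    head, refs = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("Reference:"):
            refs.append(parse_reference(line))
        elif refs:
            raise ValueError("description text found after references")
        else:
            head.append(line.strip())
    m = CVE_NAME_RE.match(" ".join(head))
    if not m:
        raise ValueError("entry does not start with a CVE name")
    return CveEntry(m.group(1), m.group(2).strip(), refs)


def references_by_source(entry):
    """Map each reference source to its lookup key, e.g. {'BID': '2203', ...}."""
    return {r.source: r.ident for r in entry.references}


if __name__ == "__main__":
    entry = parse_entry(SAMPLE_ENTRY)
    print(entry.name)
    for src, key in references_by_source(entry).items():
        print(f"  {src:8s} {key}")
```

The parser deliberately rejects description text that appears after a Reference: line and an entry that does not begin with a CVE name, so a truncated or concatenated feed fails loudly rather than producing a record with the wrong cross-references attached.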
Whitehats.com has developed an online community resource called the “advanced reference archive of current heuristics for network intrusion detection systems,” or arachNIDS. The focus is to support open source security software.
The arachNIDS database has a comprehensive list of attack signatures, and lists of these signatures can be generated dynamically for export to IDS software such as Dragon, Snort, and Shoki. The database is a great resource if you are using one of the supported IDSs, or even if you just want to research different security vulnerabilities. The database, shown in Figure 15-1, is fully searchable, and it correlates to other security databases and listings, such as CVE and Bugtraq.
Figure 15-1: The arachNIDS search screen
The International Symposium on Recent Advances in Intrusion Detection (RAID) workshop series is an annual event dedicated to the sharing of information related to intrusion detection. RAID has been active since 1998, and it brings together experts from government, industry, and academia to discuss state-of-the-art intrusion-detection technologies. The symposium is held in a different location every year, and it is intended to further progress in intrusion detection by promoting the exchange of ideas on a broad range of topics among researchers, system developers, and users. Information about past symposia is available at www.raid-symposium.org.
There are several organizations that deal with computer crimes. While they may not focus directly on intrusion detection and prevention, they are an invaluable resource for research, and they help to advance the information security field.
The National White Collar Crime Center (NW3C) is a federally funded, non-profit corporation (www.nw3c.org). (The organization started in 1972 and worked under the name The Leviticus Project until 1992, when it changed its name.) The purpose of the organization is to provide training and research on cybercrime issues, including economic crime and investigations, in support of law enforcement agencies. In addition, the NW3C educates the general public about its research and explains how to avoid being victimized by cybercrime, in part by helping individuals register Internet crime complaints and contact the appropriate authorities.
The NW3C has computer databases that contain information on suspected criminal organizations and individuals. It also provides help in areas of financial crimes, such as check fraud, money laundering, and credit card fraud, as well as cyberstalking, identity theft, copyright law, and Internet gambling.
The National Cybercrime Training Partnership (NCTP) is a partnership that helps law enforcement agencies at the state and international levels (www.nctp.org). The group has helped to set up guidelines, jurisdictional cooperation, and public education. At the time of writing, the NCTP's activities were on hiatus, pending the formation and initial meeting of the NW3C Cybercrime Advisory Board.
The High Technology Crime Investigation Association (HTCIA) is an organization that helps to train and research information relating to investigation techniques (http://htcia.org). To participate in the HTCIA as a member, one needs to be involved in investigations, whether from a legal, law enforcement, or corporate position. The HTCIA has individual local chapters that hold regular meetings to promote and educate individuals on different investigative or technological issues.
There are a number of web sites dedicated to the legalities of intrusion detection. Here are a few popular resources.
Lawguru.com has a vast resource of information relating to law of all types. It includes an extensive law library that is searchable on the web.
Findlaw provides a comprehensive set of legal resources on the Internet for legal professionals, businesses, and individuals. These resources include Web search utilities, cases and codes, legal news, and message boards.
The LACC list discusses legal aspects of computer crime. It tends to have an English common-law focus. The list was created in an attempt to mitigate the lack of tangible resources available to people involved with computer crime. To subscribe, mail lacc-request@suburbia.net with “subscribe lacc” in the body of the message.
This chapter has looked at the laws, standards, and organizations that affect computer-related crime and related issues, in the U.S. and internationally. It has also examined the standards that affect intrusion detection and prevention, and the organizations that influence the security industry as a whole.