CISSP All-in-One Exam Guide Chapter 3 - Compliance PDF

Summary

This chapter provides an overview of compliance in cybersecurity, discussing laws, regulations, and their application in a multinational context. It covers fundamental concepts of laws and regulations, types of legal systems, and relevant examples.

Full Transcript


Compliance

CHAPTER 3

This chapter presents the following:

- Regulations, laws, and crimes involving computers
- Intellectual property
- Data breaches
- Compliance requirements
- Investigations

If you think compliance is expensive, try noncompliance.
—Paul McNulty

Rules, formal or otherwise, are essential for prosperity in any context. This is particularly true when it comes to cybersecurity. Even if our adversaries don’t follow the rules (and clearly they don’t), we must understand the rules that apply to us and follow them carefully. In this chapter, we discuss the various laws and regulations that deal with computer information systems. We can’t really address each piece of legislation around the world, since that would take multiple books longer than this one. However, we will offer as examples some of the most impactful laws and regulations affecting multinational enterprises. These include laws and regulations applicable to cybercrimes, privacy, and intellectual property, among others. The point of this chapter is not to turn you into a cyberlaw expert, but to make you aware of some of the topics about which you should have conversations with your legal counsel and compliance colleagues as you develop and mature your cybersecurity program.

Laws and Regulations

Before we get into the details of what you, as a cybersecurity leader, are required to do, let’s start by reviewing some foundational concepts about what laws and regulations are, exploring how they vary around the world, and then putting them into a holistic context.

Law is a system of rules created by either a government or a society, recognized as binding by that group, and enforced by some specific authority. Laws apply equally to everyone in the country or society. It is important to keep in mind that laws are not always written down and may be customary, as discussed shortly.
Regulations, by contrast, are written rules dealing with specific details or procedures, issued by an executive body and having the force of law. Regulations apply only to the specific entities that fall under the authority of the agency that issues them. So, while any U.S.-based organization is subject to a U.S. law called the Computer Fraud and Abuse Act (CFAA), only U.S. organizations that deal with data concerning persons in the European Union (EU) would also be subject to the General Data Protection Regulation (GDPR).

Types of Legal Systems

Your organization may be subject to laws and regulations from multiple jurisdictions. As just mentioned, if your organization is based in the United States but handles data of citizens of the EU, your organization is subject to both the CFAA and the GDPR. It is important to keep in mind that different countries can have very different legal systems. Your legal department will figure out jurisdictions and applicability, but you need to be aware of what this disparity of legal systems means to your cybersecurity program. To this end, it is helpful to become familiar with the major legal systems you may come across. In this section, we cover the core components of the various legal systems and what differentiates them.

Civil (Code) Law System

- System of law used in continental European countries such as France and Spain.
- Different legal system from the common law system used in the United Kingdom and United States.
- Civil law system is rule-based law, not precedent-based.
- For the most part, a civil law system is focused on codified law—or written laws.
- The history of the civil law system dates to the sixth century when the Byzantine emperor Justinian codified the laws of Rome.
- Civil legal systems should not be confused with the civil (or tort) laws found in the United States.
- The civil legal system was established by states or nations for self-regulation; thus, the civil law system can be divided into subdivisions, such as French civil law, German civil law, and so on.
- It is the most widespread legal system in the world and the most common legal system in Europe.
- Under the civil legal system, lower courts are not compelled to follow the decisions made by higher courts.

Common Law System

- Developed in England.
- Based on previous interpretations of laws:
  - In the past, judges would walk throughout the country enforcing laws and settling disputes.
  - The judges did not have a written set of laws, so they based their laws on custom and precedent.
  - In the 12th century, the king of England (Henry II) imposed a unified legal system that was “common” to the entire country.
- Reflects the community’s morals and expectations.
- Led to the creation of barristers, or lawyers, who actively participate in the litigation process through the presentation of evidence and arguments.
- Today, the common law system uses judges and juries of peers. If the jury trial is waived, the judge decides the facts.
- Typical systems consist of a higher court, several intermediate appellate courts, and many local trial courts.
  - Precedent flows down through this system.
  - Tradition also allows for “magistrate’s courts,” which address administrative decisions.
- The common law system is broken down into criminal, civil/tort, and administrative.

Criminal Law System

- Based on common law, statutory law, or a combination of both.
- Addresses behavior that is considered harmful to society.
- Punishment usually involves a loss of freedom, such as incarceration, or monetary fines.
- Responsibility is on the prosecution to prove guilt beyond a reasonable doubt (innocent until proven guilty).

Civil/Tort Law System

- Offshoot of criminal law.
- Under civil law, the defendant owes a legal duty to the victim.
  - In other words, the defendant is obligated to conform to a particular standard of conduct, usually set by what a “reasonable person of ordinary prudence” would do to prevent foreseeable injury to the victim.
- The defendant’s breach of that duty causes injury to the victim; usually physical or financial.
- Categories of civil law:
  - Intentional: Examples include assault, intentional infliction of emotional distress, or false imprisonment.
  - Wrongs against property: An example is nuisance against landowner.
  - Wrongs against a person: Examples include car accidents, dog bites, and a slip and fall.
  - Negligence: An example is wrongful death.
  - Nuisance: An example is trespassing.
  - Dignitary wrongs: Include invasion of privacy and civil rights violations.
  - Economic wrongs: Examples include patent, copyright, and trademark infringement.
  - Strict liability: Examples include a failure to warn of risks and defects in product manufacturing or design.

Administrative (Regulatory) Law System

- Laws and legal principles created by administrative agencies to address a number of areas, including international trade, manufacturing, environment, and immigration.

Customary Law System

- Deals mainly with personal conduct and patterns of behavior.
- Based on traditions and customs of the region.
- Emerged when cooperation of individuals became necessary as communities merged.
- Not many countries work under a purely customary law system, but instead use a mixed system where customary law is an integrated component. (Codified civil law systems emerged from customary law.)
- Mainly used in regions of the world that have mixed legal systems (for example, China and India).
- Restitution is commonly in the form of a monetary fine or service.

Religious Law System

- Based on religious beliefs of the region.
- In Islamic countries, the law is based on the rules of the Koran. The law, however, is different in every Islamic country.
- Jurists and clerics have a high degree of authority.
- Covers all aspects of human life, but commonly divided into:
  - Responsibilities and obligations to others.
  - Religious duties.
  - Knowledge and rules as revealed by God, which define and govern human affairs.
- Rather than create laws, lawmakers and scholars attempt to discover the truth of law.
- Law, in the religious sense, also includes codes of ethics and morality, which are upheld and required by God. For example, Hindu law, Sharia (Islamic law), Halakha (Jewish law), and so on.

Mixed Law System

- Two or more legal systems are used together and apply cumulatively or interactively.
- Most often mixed law systems consist of civil and common law.
- A combination of systems is used as a result of more or less clearly defined fields of application.
- Civil law may apply to certain types of crimes, while religious law may apply to other types within the same region.
- Examples of mixed law systems include those in Holland, Canada, and South Africa.

[Figure: world map of legal systems (civil law, common law, religious law, mixed systems) by region: North America, Central America, Caribbean, South America, Europe, Africa, Middle East, Asia, Southeast Asia, Oceania]

Common Law Revisited

These different legal systems are certainly complex, and while you are not expected to be a lawyer to pass the CISSP exam, having a high-level understanding of the different types (civil, common, customary, religious, mixed) is important. The exam will dig more into the specifics of the common law legal system and its components.

Under the common law legal system, civil law deals with wrongs against individuals or organizations that result in damages or loss. This is referred to as tort law. Examples include trespassing, battery, negligence, and product liability. A successful civil lawsuit against a defendant would result in financial restitution and/or community service instead of a jail sentence. When someone sues another person in civil court, the jury decides upon liability instead of innocence or guilt.
If the jury determines the defendant is liable for the act, then the jury decides upon the compensatory and/or punitive damages of the case.

Criminal law is used when an individual’s conduct violates the government laws, which have been developed to protect the public. Jail sentences are commonly the punishment for criminal law cases that result in conviction, whereas in civil law cases the punishment is usually an amount of money that the liable individual must pay the victim. For example, in the O.J. Simpson case, the defendant was first tried and found not guilty in the criminal law case, but then was found liable in the civil law case. This seeming contradiction can happen because the burden of proof is lower in civil cases than in criminal cases.

EXAM TIP Civil law generally is derived from common law (case law), cases are initiated by private parties, and the defendant is found liable or not liable for damages. Criminal law typically is statutory, cases are initiated by government prosecutors, and the defendant is found guilty or not guilty.

Administrative/regulatory law deals with regulatory standards that regulate performance and conduct. Government agencies create these standards, which are usually applied to companies and individuals within those specific industries. Some examples of administrative laws could be that every building used for business must have a fire detection and suppression system, must have clearly visible exit signs, and cannot have blocked doors, in case of a fire. Companies that produce and package food and drug products are regulated by many standards so that the public is protected and aware of their actions. If an administrative law case determines that a company did not abide by specific regulatory standards, officials in the company could even be held accountable.
For example, if a company makes tires that shred after a couple of years of use because the company doesn’t comply with manufacturing safety standards, the officers in that company could be liable under administrative, civil, or even criminal law if they were aware of the issue but chose to ignore it to keep profits up.

Cybercrimes and Data Breaches

So far, we’ve discussed laws and regulations only in a general way to provide a bit of context. Let’s now dive into the laws and regulations that are most relevant to our roles as cybersecurity leaders. Computer crime laws (sometimes collectively referred to as cyberlaw) around the world deal with some of the core issues: unauthorized access, modification or destruction of assets, disclosure of sensitive information, and the use of malware (malicious software).

Although we usually only think of the victims and their systems that were attacked during a crime, laws have been created to combat three categories of crimes. A computer-assisted crime is where a computer was used as a tool to help carry out a crime. A computer-targeted crime concerns incidents where a computer was the victim of an attack crafted to harm it (and its owners) specifically. The last type of crime is where a computer is not necessarily the attacker or the target, but just happened to be involved when a crime was carried out. This category is referred to as computer is incidental.
Some examples of computer-assisted crimes are

- Exploiting financial systems to conduct fraud
- Stealing military and intelligence material from government computer systems
- Conducting industrial espionage by attacking competitors and gathering confidential business data
- Carrying out information warfare activities by leveraging compromised influential accounts
- Engaging in hacktivism, which is protesting a government’s or organization’s activities by attacking its systems and/or defacing its website

Some examples of computer-targeted crimes include

- Distributed denial-of-service (DDoS) attacks
- Stealing passwords or other sensitive data from servers
- Installing cryptominers to mine cryptocurrency on someone else’s computers
- Conducting a ransomware attack

NOTE The main issues addressed in computer crime laws are unauthorized modification, disclosure, destruction, or access and inserting malicious programming code.

Some confusion typically exists between the two categories—computer-assisted crimes and computer-targeted crimes—because intuitively it would seem any attack would fall into both of these categories. One system is carrying out the attacking, while the other system is being attacked. The difference is that in computer-assisted crimes, the computer is only being used as a tool to carry out a traditional type of crime. Without computers, people still steal, cause destruction, protest against organizations (for example, companies that carry out experiments upon animals), obtain competitor information, and go to war. So these crimes would take place anyway; the computer is simply one of the tools available to the attacker. As such, it helps that threat actor become more efficient at carrying out a crime.
Computer-assisted crimes are usually covered by regular criminal laws in that they are not always considered a “computer crime.” One way to look at it is that a computer-targeted crime could not take place without a computer, whereas a computer-assisted crime could. Thus, a computer-targeted crime is one that did not, and could not, exist before use of computers became common. In other words, in the good old days, you could not carry out a buffer overflow on your neighbor or install malware on your enemy’s system. These crimes require that computers be involved.

If a crime falls into the “computer is incidental” category, this means a computer just happened to be involved in some secondary manner, but its involvement is still significant. For example, if you have a friend who works for a company that runs the state lottery and he gives you a printout of the next three winning numbers and you type them into your computer, your computer is just the storage place. You could have just kept the piece of paper and not put the data in a computer. Another example is child pornography. The actual crime is obtaining and sharing child pornography pictures or graphics. The pictures could be stored on a file server or they could be kept in a physical file in someone’s desk. So if a crime falls within this category, the computer is not attacking another computer and a computer is not being attacked, but the computer is still used in some significant manner.

Because computing devices are everywhere in modern society, computers are incidental to most crimes today. In a fatal car crash, the police may seize the drivers’ mobile devices to look for evidence that either driver was texting at the time of the accident. In a domestic assault case, investigators may seek a court order to obtain the contents of the home’s virtual assistant, such as Amazon Alexa, because it may contain recorded evidence of the crime.

You may say, “So what?
A crime is a crime. Why break it down into these types of categories?” The reason these types of categories are created is to allow current laws to apply to these types of crimes, even though they are in the digital world. Let’s say someone is on your computer just looking around, not causing any damage, but she should not be there. Should legislators have to create a new law stating, “Thou shall not browse around in someone else’s computer,” or should law enforcement and the courts just apply the already created trespassing law? What if a hacker got into a traffic-control system and made all of the traffic lights turn green at the exact same time? Should legislators go through the hassle of creating a new law for this type of activity, or should law enforcement and the courts use the already created (and understood) manslaughter and murder laws? Remember, a crime is a crime, and a computer is just a new tool to carry out traditional criminal activities.

Now, this in no way means countries can just depend upon the laws on the books and that every computer crime can be countered by an existing law. Many countries have had to come up with new laws that deal specifically with different types of computer crimes. For example, the following are just some of the laws that have been created or modified in the United States to cover the various types of computer crimes:

- 18 USC 1029: Fraud and Related Activity in Connection with Access Devices
- 18 USC 1030: Fraud and Related Activity in Connection with Computers
- 18 USC 2510 et seq.: Wire and Electronic Communications Interception and Interception of Oral Communications
- 18 USC 2701 et seq.: Stored Wire and Electronic Communications and Transactional Records Access
- Digital Millennium Copyright Act
- Cyber Security Enhancement Act of 2002

EXAM TIP You do not need to know these laws for the CISSP exam; they are just examples.
Complexities in Cybercrime

Since we have a bunch of laws to get the digital bad guys, this means we have this whole cybercrime thing under control, right? Alas, cybercrimes have only increased over the years and will not stop anytime soon. Several contributing factors explain why these activities have not been properly stopped or even curbed. These include issues related to proper attribution of the attacks, the necessary level of protection for networks, and successful prosecution once an attacker is captured.

Many attackers are never caught because they spoof their addresses and identities and use methods to cover their digital footsteps. Many attackers break into networks, take whatever resources they were after, and clean the logs that tracked their movements and activities. Because of this, many organizations do not even know their systems have been violated. Even if an attacker’s activities are detected, it does not usually lead to the true identity of the individual, though it does alert the organization that a specific vulnerability was exploited.

Attackers commonly hop through several systems before attacking their victim so that tracking down the attackers will be more difficult. This is exemplified by a threat actor approach known as an island-hopping attack, which is when the attacker compromises an easier target that is somehow connected to the ultimate one. For instance, consider a major corporation like the one depicted on the right side of Figure 3-1. It has robust cybersecurity and relies on a regional supplier for certain widgets. Since logistics are oftentimes automated, these two companies have trusted channels of communication between them so their computers can talk to each other about when more widgets might be needed and where. The supplier, in turn, relies on a small company that produces special screws for the widgets.
This screw manufacturer employs just a couple of people working out of the owner’s garage and is a trivial target for an attacker. So, rather than target the major corporation directly, a cybercriminal could attack the screw manufacturer’s unsecured computers, use them to gain a foothold in the supplier, and then use that company’s trusted relationship with the well-defended target to ultimately get into its systems. This particular type of island-hopping attack is also known as a supply-chain attack because it exploits trust mechanisms inherent in supply chains.

[Figure 3-1 A typical island-hopping attack: Small Business, Regional Supplier and Multinational Corporation linked by trust relationships, with the attack proceeding from the small business through the supplier to the corporation]

Many companies that are victims of an attack usually just want to ensure that the vulnerability the attacker exploited is fixed, instead of spending the time and money to go after and prosecute the attacker. This is a huge contributing factor as to why cybercriminals get away with their activities. Some regulated organizations—for instance, financial institutions—by law, must report breaches. However, most organizations do not have to report breaches or computer crimes. No company wants its dirty laundry out in the open for everyone to see. The customer base will lose confidence, as will the shareholders and investors. We do not actually have true computer crime statistics because most are not reported. Although regulations, laws, and attacks help make senior management more aware of security issues, when their company ends up in the headlines with reports of how they lost control of over 100,000 credit card numbers, security suddenly becomes very important to them.

NOTE Even though some institutions must, by law, report security breaches and crimes, that does not mean they all follow this law.
Some of these institutions, just like many other organizations, often simply fix the vulnerability and sweep the details of the attack under the carpet.

The Evolution of Attacks

Perpetrators of cybercrime have evolved from bored teenagers with too much time on their hands to organized crime rings with very defined targets and goals. In the early 1990s, hackers were mainly made up of people who just enjoyed the thrill of hacking. It was seen as a challenging game without any real intent of harm. Hackers used to take down large websites (e.g., Yahoo!, MSN, Excite) so their activities made the headlines and they won bragging rights among their fellow hackers. Back then, virus writers created viruses that simply replicated or carried out some benign activity, instead of the more malicious actions they could have carried out. Unfortunately, today, these trends have taken on more sinister objectives as the Internet has become a place of business. This evolution is what drove the creation of the antivirus (now antimalware) industry.

Three powerful forces converged in the mid to late 1990s to catapult cybercrime forward. First, with the explosive growth in the use of the Internet, computers became much more lucrative targets for criminals. Second, there was an abundance of computer experts who had lost their livelihoods with the end of the Soviet Union. Some of these bright minds turned to cybercrime as a way to survive the tough times in which they found themselves. Finally, with increased demand for computing systems, many software developers were rushing to be first to market, all but ignoring the security (or lack thereof) of their products and creating fertile ground for remote attacks from all over the world. These forces resulted in the emergence of a new breed of cybercriminal possessing knowledge and skills that quickly overwhelmed many defenders.
As the impact of the increased threat was realized, organizations around the world started paying more attention to security in a desperate bid to stop their cybercrime losses. In the early 2000s, there was a shift from cybercriminals working by themselves to the formation of organized cybercrime gangs. This change dramatically improved the capabilities of these threat actors and allowed them to go after targets that, by then, were very well defended.

This shift also led to the creation of vast, persistent attack infrastructures on a global scale. After cybercriminals attacked and exploited computers, they maintained a presence for use in support of later attacks. Nowadays, these exploited targets are known as malicious bots, and they are usually organized into botnets. These botnets can be used to carry out DDoS attacks, transfer spam or pornography, or do whatever the attacker commands the bot software to do. Figure 3-2 shows the many uses cybercriminals have for compromised computers.
[Figure 3-2 Malicious uses for a compromised computer (Source: www.krebsonsecurity.com). The figure groups the uses of a hacked PC into: Web Server, Bot Activity, E-mail Attacks, Virtual Goods, Reputation Hijacking, Financial Credentials, Hostage Attacks, and Account Credentials.]

EXAM TIP You may see the term script kiddies on the exam (or elsewhere). It refers to hackers who do not have the requisite skills to carry out specific attacks without the tools provided on the Internet or through friends.

A recent development in organized cybercrime is the emergence of so-called Hacking as a Service (HaaS), which is a play on cloud computing services such as Software as a Service (SaaS). HaaS represents the commercialization of hacking skills, providing access to tools, target lists, credentials, hackers for hire, and even customer support. In the last couple of years, there has been a significant increase in the number of marketplaces in which HaaS is available.

Many times hackers are just scanning systems looking for a vulnerable running service or sending out malicious links in e-mails to unsuspecting victims. They are just looking for any way to get into any network. This would be the shotgun approach to network attacks.
Another, more dangerous, attacker has you in the proverbial crosshairs and is determined to identify your weakest point and exploit it. As an analogy, the thief that goes around rattling door knobs to find one that is not locked is not half as dangerous as the one who will watch you day in and day out to learn your activity patterns, where you work, what type of car you drive, and who your family is and patiently wait for your most vulnerable moment to ensure a successful and devastating attack. We call this second type of attacker an advanced persistent threat (APT). This is a military term that has been around for ages, but since the digital world is effectively a battleground, this term is more relevant each and every day.

How an APT differs from the plain old vanilla attacker is that the APT is commonly a group of attackers, not just one hacker, that combine their knowledge and abilities to carry out whatever exploit will get them into the environment they are seeking. The APT is very focused and motivated to aggressively and successfully penetrate a network with various different attack methods and then clandestinely hide its presence while achieving a well-developed, multilevel foothold in the environment. The “advanced” aspect of the term APT pertains to the expansive knowledge, capabilities, and skill base of the APT. The “persistent” component has to do with the fact that the group of attackers is not in a hurry to launch an attack quickly, but will wait for the most beneficial moment and attack vector to ensure that its activities go unnoticed. This is what we refer to as a “low-and-slow” attack. This type of attack is coordinated by human involvement, rather than just a virus type of threat that goes through automated steps to inject its payload. The APT has specific objectives and goals and is commonly highly organized and well funded, which makes it the biggest threat of all.
APTs commonly use custom-developed malicious code that is built specifically for its target, has multiple ways of hiding itself once it infiltrates the environment, may be able to polymorph itself in replication capabilities, and has several different “anchors” to make it hard to eradicate even if it is discovered. Once the code is installed, it commonly sets up a covert back channel (as regular bots do) so that it can be remotely controlled by the group of attackers. The remote control functionality allows the attackers to traverse the network with the goal of gaining continuous access to critical assets. APT infiltrations are usually very hard to detect with host-based solutions because the attackers put the code through a barrage of tests against the most up-to-date detection applications on the market. A common way to detect these types of threats is through network traffic changes. For example, changes in DNS queries coming out of your network could indicate that an APT has breached your environment and is using DNS tunneling to establish command and control over the compromised hosts. The APT will likely have multiple control servers and techniques to communicate so that if one connection gets detected and removed, the APT still has an active channel to use. The APT may implement encrypted tunnels over HTTPS so that its data that is in transmission cannot be inspected.

Figure 3-3 illustrates the common steps and results of APT activity. The ways of getting into a network are basically endless (exploit a web service, induce users to open e-mail links and attachments, gain access through remote maintenance accounts, exploit operating systems and application vulnerabilities, compromise connections from home users, etc.). Each of these vulnerabilities has its own fixes (patches, proper configuration, awareness, proper credential practices, encryption, etc.).
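The text above notes that a change in the DNS queries leaving your network is one of the few network-level signals that an APT is using DNS tunneling for command and control. The following Python script is an added example, not code from the book or its authors: it runs a simple heuristic over a constructed resolver log and flags any client that sends many distinct, long, high-entropy leftmost labels to a single base domain, which is what smuggling data inside query names looks like. The log format, client addresses, domain names and thresholds are all assumptions made for this example.

```python
"""Heuristic detection of DNS-tunneling-like query patterns in a resolver log.

Constructed example: the log format "<time> <client_ip> <qname> <qtype>" is
hypothetical and not any product's real format.
"""
import math
import re
from collections import defaultdict

# Constructed sample log. 10.0.0.7 issues six unique 24-character hex labels
# under one domain (tunneling-like); 10.0.0.5 is ordinary browsing; 10.0.0.9
# sends two long labels, below the threshold (a CDN can legitimately look so).
SAMPLE_LOG = """\
12:00:01 10.0.0.5 www.example.com A
12:00:02 10.0.0.5 mail.example.com MX
12:00:03 10.0.0.7 0123456789abcdef01234567.c2.example.net TXT
12:00:03 10.0.0.7 89abcdef0123456789abcdef.c2.example.net TXT
12:00:04 10.0.0.7 fedcba9876543210fedcba98.c2.example.net TXT
12:00:04 10.0.0.7 13579bdf02468ace13579bdf.c2.example.net TXT
12:00:05 10.0.0.7 02468ace13579bdf02468ace.c2.example.net TXT
12:00:05 10.0.0.7 a1b2c3d4e5f60718293a4b5c.c2.example.net TXT
12:00:06 10.0.0.5 cdn.example.com A
12:00:06 10.0.0.9 0123456789abcdef01234567.cdnprovider.example A
12:00:07 10.0.0.9 89abcdef0123456789abcdef.cdnprovider.example A
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character of one DNS label.
    Human-chosen labels (www, mail, cdn) score low; encoded data scores high."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label.lower():
        counts[ch] += 1
    n = len(label)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    """Return (client_ip, qname, qtype) for one log line, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _time, client, qname, qtype = m.groups()
    return client, qname.rstrip(".").lower(), qtype


def split_qname(qname: str):
    """Split a query name into (leftmost_label, base_domain).
    Base domain = last two labels; a production check would use the public
    suffix list instead of this simplification. Names with fewer than three
    labels carry no data-bearing subdomain and are skipped."""
    labels = qname.split(".")
    if len(labels) < 3:
        return None, qname
    return labels[0], ".".join(labels[-2:])


def detect_dns_tunneling(log_text, min_unique_labels=5, min_label_len=16, min_entropy=3.0):
    """Flag (client, base_domain) pairs whose queries carried at least
    min_unique_labels distinct leftmost labels that are long and high-entropy.
    Returns a list of findings sorted by severity (most unique labels first)."""
    suspicious = defaultdict(set)  # (client, base_domain) -> suspicious labels seen
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, qname, _qtype = parsed
        label, base = split_qname(qname)
        if label is None:
            continue
        if len(label) >= min_label_len and label_entropy(label) >= min_entropy:
            suspicious[(client, base)].add(label)
    findings = [
        {"client": client, "base_domain": base, "unique_labels": len(labels)}
        for (client, base), labels in suspicious.items()
        if len(labels) >= min_unique_labels
    ]
    findings.sort(key=lambda f: (-f["unique_labels"], f["client"]))
    return findings


if __name__ == "__main__":
    for f in detect_dns_tunneling(SAMPLE_LOG):
        print(f"{f['client']} -> {f['base_domain']}: "
              f"{f['unique_labels']} unique long high-entropy labels")
```

The thresholds are deliberately conservative and need tuning against your own baseline: CDNs, telemetry agents and anti-spam lookups also generate long, random-looking labels, so a per-domain allowlist and a count of how many distinct labels a client sends per domain over time are what separate tunneling from noise. Pairing this with the volume of TXT or NULL queries per client, which the sample log also carries, tightens the signal further.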
[Figure 3-3 Gaining access into an environment and extracting sensitive data]

It is not only these fixes that need to be put in place; we need to move to a more effective situational awareness model. We need to have better capabilities of knowing what is happening throughout our network in near to real time so that our defenses can react quickly and precisely.

The landscape continues to evolve, and the lines between threat actors are sometimes blurry. We already mentioned the difficulty in attributing an attack to a specific individual so that criminal charges may be filed. Something that makes this even harder is the practice among some governments of collaborating with criminal groups in their countries. The way it works is that the government looks the other way as long as the crimes are committed in other countries. When the government needs a bit of help to obfuscate what it’s doing to another government, it enlists the help of the cybercrime gang they’ve been protecting (or at least tolerating) and tell them what to do and to whom. To the target, it looks like a cybercrime but in reality it had nation-state goals. So while the sophistication of the attacks continues to increase, so does the danger of these attacks. Isn’t that just peachy?

Up until now, we have listed some difficulties of fighting cybercrime: the anonymity the Internet provides the attacker; attackers are organizing and carrying out more sophisticated attacks; the legal system is running to catch up with these types of crimes; and organizations are just now viewing their data as something that must be protected. All these complexities aid the bad guys, but what if we throw in the complexity of attacks taking place between different countries?

Common Internet Crime Schemes

- Business e-mail compromise
- Business fraud
- Charity and disaster fraud
- Counterfeit prescription drugs
- Credit card fraud
- Election crimes and security
- Identity theft
- Illegal sports betting
- Nigerian letter, or “419”
- Ponzi/pyramid
- Ransomware
- Sextortion

Find out how these types of computer crimes are carried out by visiting https://www.fbi.gov/scams-and-safety/common-scams-and-crimes.

Do You Trust Your Neighbor?

Most organizations do not like to think about the fact that the enemy might be inside the organization and working internally. It is more natural to view threats as the faceless unknowns that reside on the outside of our environment. Employees have direct and privileged access to an organization’s assets, and they are commonly not as highly monitored compared to traffic that is entering the network from external entities. The combination of too much trust, direct access, and the lack of monitoring allows for a lot of internal fraud and abuse to go unnoticed. There have been many criminal cases over the years where employees at various organizations have carried out embezzlement or have launched revenge attacks after they were fired or laid off. While it is important to have fortified walls to protect us from the outside forces that want to cause us harm, it is also important to realize that our underbelly is more vulnerable. Employees, contractors, and temporary workers who have direct access to critical resources introduce risks that need to be understood and countermeasured.

International Issues

If a hacker in Ukraine attacks a bank in France, whose legal jurisdiction is that? How do these countries work together to identify the criminal and carry out justice? Which country is required to track down the criminal? And which country should take this person to court? Well, the short answer is: it depends. When computer crime crosses international boundaries, the complexity of such issues shoots up considerably and the chances of the criminal being brought to any court decreases.
This is because different countries have different legal systems, some countries have no laws pertaining to computer crime, jurisdiction disputes may erupt, and some governments may not want to play nice with each other. For example, if someone in Iran attacked a system in Israel, do you think the Iranian government would help Israel track down the attacker? What if someone in North Korea attacked a military system in the United States? Do you think these two countries would work together to find the hacker? Maybe or maybe not—or perhaps the attack was carried out by a government agency pretending to be a cybercrime gang.

There have been efforts to standardize the different countries’ approaches to computer crimes because they happen so easily over international boundaries. Although it is very easy for an attacker in China to send packets through the Internet to a bank in Saudi Arabia, it is very difficult (because of legal systems, cultures, and politics) to motivate these governments to work together. The Council of Europe (CoE) Convention on Cybercrime, also known as the Budapest Convention, is one example of an attempt to create a standard international response to cybercrime. In fact, it is the first international treaty seeking to address computer crimes by coordinating national laws and improving investigative techniques and international cooperation. One of the requirements of the treaty is that signatories develop national legislation outlawing a series of cybercrimes, such as hacking, computer-related fraud, and child pornography. The convention’s objectives also include the creation of a framework for establishing jurisdiction and extradition of the accused. For example, extradition can only take place when the event is a crime in both jurisdictions.
As of April 2021, 68 countries around the world (not just in Europe) have signed or ratified the treaty, contributing to the global growth in effective cybercrime legislation that is internationally interoperable. According to the United Nations (UN), 79 percent of the world’s countries (that’s 154) now have cybercrime laws. All these laws vary, of course, but they may impact your own organization depending on where you do business and with whom.

Data Breaches

Among the most common cybercrimes are those relating to the theft of sensitive data. In fact, it is a rare month indeed when one doesn’t read or hear about a major data breach. Information is the lifeblood of most major corporations nowadays, and threat actors know this. They have been devoting a lot of effort over the past several years to compromising and exploiting the data stores that, in many ways, are more valuable to organizations than any vault full of cash. This trend continues unabated, which makes data breaches one of the most important issues in cybersecurity today.

In a way, data breaches can be thought of as the opposite of privacy: data owners lose control of who has the ability to access their data. When an organization fails to properly protect the privacy of its customers’ data, it increases the likelihood of experiencing a data breach. It should not be surprising, therefore, that some of the same legal and regulatory issues that apply to privacy also apply to data breaches. It is important to note that data breaches need not involve a violation of personal privacy. Indeed, some of the most publicized data breaches have had nothing to do with personally identifiable information (PII) but with intellectual property (IP). It is worth pausing to properly define the term data breach as a security event that results in the actual or potential compromise of the confidentiality or integrity of protected information by unauthorized actors. Protected information can be PII, IP, protected health information (PHI), classified information, or any other information that can cause damage to an individual or organization.

Personally Identifiable Information

Personally identifiable information (PII) is data that can be used to uniquely identify, contact, or locate a single person or can be used with other sources to uniquely identify a single individual. PII needs to be highly protected because it is commonly used in identity theft, financial crimes, and various criminal activities. While it seems as though defining and identifying PII should be easy and straightforward, what different countries, federal governments, and state governments consider to be PII differs. The U.S. Office of Management and Budget in its memorandum M-07-16, “Safeguarding Against and Responding to the Breach of Personally Identifiable Information,” defines PII as “information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual.” Determining what constitutes PII, then, depends on a specific risk assessment of the likelihood that the information can be used to uniquely identify an individual. This is all good and well, but doesn’t really help us recognize information that might be considered PII.
Typical components are listed here:
  Full name (if not common)
  National identification number
  Home address
  IP address (in some cases)
  Vehicle registration plate number
  Driver’s license number
  Face, fingerprints, or handwriting
  Credit card numbers
  Digital identity
  Birthday
  Birthplace
  Genetic information

The following items are less often used because they are commonly shared by so many people, but they can fall into the PII classification and may require protection from improper disclosure:
  First or last name, if common
  Country, state, or city of residence
  Age, especially if nonspecific
  Gender or race
  Name of the school they attend or workplace
  Grades, salary, or job position
  Criminal record

As a security professional, it is important to understand which legal and regulatory requirements are triggered by data breaches. To further complicate matters, most U.S. states, as well as many other countries, have enacted distinct laws with subtle but important differences in notification stipulations. As always when dealing with legal issues, it is best to consult with an attorney. This section is simply an overview of some of the legal requirements of which you should be aware.

U.S. Laws Pertaining to Data Breaches

We’ve already mentioned various U.S. federal statutes dealing with cybercrimes. Despite our best efforts, there will be times when our information systems are compromised and personal information security controls are breached. Let’s briefly highlight some of the laws that are most relevant to data breaches:
  California Consumer Privacy Act (CCPA)
  Health Insurance Portability and Accountability Act (HIPAA)
  Health Information Technology for Economic and Clinical Health (HI-TECH) Act
  Gramm-Leach-Bliley Act of 1999
  Economic Espionage Act of 1996

It is worth recalling here that data breaches are not only violations of customer privacy. When a threat actor compromises a target corporation’s network and exposes its intellectual property, a breach has occurred. While the other laws we have discussed in this section deal with protecting customers’ PII, the Economic Espionage Act protects corporations’ IP. When you think of data breaches, it is critical that you consider both PII and IP exposure.

Almost every U.S. state has enacted legislation that requires government and private entities to disclose data breaches involving PII. The most important of these is probably the California Consumer Privacy Act, which went into effect in 2020. The CCPA is perhaps the broadest and most far-reaching of U.S. state laws around PII breaches, but it is certainly not the only one. In almost every case, PII is defined by the states as the combination of first and last name with any of the following:
  Social Security number
  Driver’s license number
  Credit or debit card number with the security code or PIN

Unfortunately, that is where the commonalities end. The laws are so different that compliance with all of them is a difficult and costly issue for most corporations. In some states, simple access to files containing PII triggers a notification requirement, while in other states the organization must only notify affected parties if the breach is reasonably likely to result in illegal use of the information. Many experts believe that the CCPA will set an example for other states and may provide a template for other countries.

European Union Laws Pertaining to Data Breaches

Global organizations that move data across other country boundaries must be aware of and follow the Organisation for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.
Since most countries have a different set of laws pertaining to the definition of private data and how it should be protected, international trade and business get more convoluted and can negatively affect the economy of nations. The OECD is an international organization that helps different governments come together and tackle the economic, social, and governance challenges of a globalized economy. Because of this, the OECD came up with guidelines for the various countries to follow so that data is properly protected and everyone follows the same type of rules. The core principles defined by the OECD are as follows:
  Collection Limitation Principle: Collection of personal data should be limited, obtained by lawful and fair means, and with the knowledge of the subject.
  Data Quality Principle: Personal data should be kept complete and current and be relevant to the purposes for which it is being used.
  Purpose Specification Principle: Subjects should be notified of the reason for the collection of their personal information at the time that it is collected, and organizations should only use it for that stated purpose.
  Use Limitation Principle: Only with the consent of the subject or by the authority of law should personal data be disclosed, made available, or used for purposes other than those previously stated.
  Security Safeguards Principle: Reasonable safeguards should be put in place to protect personal data against risks such as loss, unauthorized access, modification, and disclosure.
  Openness Principle: Developments, practices, and policies regarding personal data should be openly communicated. In addition, subjects should be able to easily establish the existence and nature of personal data, its use, and the identity and usual residence of the organization in possession of that data.
  Individual Participation Principle: Subjects should be able to find out whether an organization has their personal information and what that information is, to correct erroneous data, and to challenge denied requests to do so.
  Accountability Principle: Organizations should be accountable for complying with measures that support the previous principles.

NOTE  Information on the OECD Guidelines can be found at www.oecd.org/internet/ieconomy/privacy-guidelines.htm.

Although the OECD Guidelines were a great start, they were not enforceable or uniformly applied. The European Union in many cases takes individual privacy much more seriously than most other countries in the world, so in 1995 it enacted the Data Protection Directive (DPD). As a directive, it was not directly enforceable, but EU member states were required to enact laws that were consistent with it. The intent of this was to create a set of laws across the EU that controlled the way in which European organizations had to protect the personal data and privacy of EU citizens. The Safe Harbor Privacy Principles were then developed to outline how U.S.-based organizations could comply with European privacy laws. For a variety of reasons, this system of directives, laws, and principles failed to work well in practice and had to be replaced.

The General Data Protection Regulation (GDPR) was adopted by the EU in April 2016 and became enforceable in May 2018. It protects the personal data and privacy of EU citizens. The GDPR, unlike a directive such as the DPD, has the full weight of a law in all 27 member states of the EU. This means that each state does not have to write its own version, which harmonizes data protection regulations and makes it easier for organizations to know exactly what is expected of them throughout the bloc.
The catch is that these requirements are quite stringent, and violating them exposes an organization to a maximum fine of 4 percent of that organization’s global turnover. For a company like Google, that would equate to over $4 billion if they were ever shown to not be in compliance. Ouch!

The GDPR defines three relevant entities:
  Data subject: The individual to whom the data pertains
  Data controller: Any organization that collects data on EU residents
  Data processor: Any organization that processes data for a data controller

The regulation applies if any one of the three entities is based in the EU, but it also applies if a data controller or processor has data pertaining to an EU resident. The GDPR impacts every organization that holds or uses European personal data both inside and outside of Europe. In other words, if your organization is a U.S.-based company that has never done business with the EU, but it has an EU citizen working as a summer intern, it probably has to comply with the GDPR or risk facing stiff penalties.

The GDPR set of protected types of privacy data is more inclusive than regulations and laws outside the EU. Among others, protected privacy data includes
  Name
  Address
  ID numbers
  Web data (location, IP address, cookies)
  Health and genetic data
  Biometric data
  Racial or ethnic data
  Political opinions
  Sexual orientation

To ensure this data is protected, the GDPR requires that most data controllers and data processors formally designate a Data Protection Officer (DPO). DPOs are internal compliance officers that act semi-independently to ensure that their organizations follow the letter of the regulation. While DPOs are not ultimately responsible if their organizations are not in compliance (at least according to the GDPR), in practice they are charged with monitoring compliance, advising controllers on when and how to conduct data protection impact assessments, and maintaining all required records.

Key provisions of the GDPR include
  Consent: Data controllers and data processors cannot use personal data without explicit consent of the data subjects.
  Right to be informed: Data controllers and data processors must inform data subjects about how their data is, will, or could be used.
  Right to restrict processing: Data subjects can agree to have their data stored by a collector but disallow it to be processed.
  Right to be forgotten: Data subjects can request that their personal data be permanently deleted.
  Data breaches: Data controllers must report a data breach to the supervisory authority of the EU member state involved within 72 hours of becoming aware of it.

Other Nations’ Laws Pertaining to Data Breaches

As might be expected, the rest of the world is a hodgepodge of laws with varying data breach notification conditions and requirements. As of this writing, the United Nations lists at least 62 countries that have no legally mandated notification requirements whatsoever. This is concerning because unscrupulous organizations have been known to outsource their data-handling operations to countries with no data breach laws in order to circumvent the difficulties in reconciling the different country and state requirements.

The EU’s GDPR, though it has been called too restrictive and costly by some, has served as a model for other countries to implement similar legislation. For example, the two newest data protection laws, which came into full effect in 2020, are Brazil’s General Personal Data Protection Law (Lei Geral de Proteção de Dados, or LGPD) and Thailand’s Personal Data Protection Act (PDPA). Both apply to all organizations that handle the personal information of these countries’ residents, whether they are physically located within the country or not. Thailand’s PDPA further provides for jail time in particularly egregious cases.

Again, you do not need to know all these international laws to become a CISSP.
However, you need to be aware that they exist and may impact your business and cybersecurity even if you didn’t know your organization had interests in those countries. It is best to consult your organization’s legal or compliance team to determine which laws apply to your own team.

Import/Export Controls

Another complexity that comes into play when an organization is attempting to work with organizations in other parts of the world is import and export laws. Each country has its own specifications when it comes to what is allowed in its borders and what is allowed out. For example, the Wassenaar Arrangement implements export controls for “Conventional Arms and Dual-Use Goods and Technologies.” It is currently made up of 42 countries and lays out rules on how the following items can be exported from country to country:
  Category 1: Special Materials and Related Equipment
  Category 2: Material Processing
  Category 3: Electronics
  Category 4: Computers
  Category 5 Part 1: Telecommunications
  Category 5 Part 2: Information Security
  Category 6: Sensors and Lasers
  Category 7: Navigation and Avionics
  Category 8: Marine
  Category 9: Aerospace and Propulsion

The main goal of the Wassenaar Arrangement is to prevent the buildup of military capabilities that could threaten regional and international security and stability. So, everyone is keeping an eye on each other to make sure no one country’s weapons can take everyone else out. The idea is to try and make sure everyone has similar offensive and defensive military capabilities with the hope that we won’t end up blowing each other up.

One item the agreement deals with is cryptography, which is considered a dual-use good because it can be used for both military and civilian purposes. The agreement recognizes the danger of exporting products with cryptographic functionality to countries that are in the “offensive” column, meaning that they are thought to have friendly ties with terrorist organizations and/or want to take over the world through the use of weapons of mass destruction. If the “good” countries allow the “bad” countries to use cryptography, then the “good” countries cannot snoop and keep tabs on what the “bad” countries are up to.

The specifications of the Wassenaar Arrangement are complex and always changing. Which countries fall within the “good” and “bad” categories changes, and what can be exported to whom and how changes. In some cases, no products that contain cryptographic functions can be exported to a specific country; some countries are allowed to import only products with limited cryptographic functions; some countries require certain licenses to be granted; and other countries (the “good” countries) have no restrictions.

While the Wassenaar Arrangement deals mainly with the exportation of items, some countries (China, Russia, Iran, etc.) have cryptographic import restrictions that have to be understood and followed. These countries do not allow their citizens to use cryptography because they believe that the ability to monitor many aspects of a citizen’s online activities is essential to effectively governing people. This obviously gets very complex for companies who sell products that use integrated cryptographic functionality. One version of the product may be sold to China if it has no cryptographic functionality. Another version may be sold to Russia if a certain international license is in place. A fully functioning product can be sold to Canada, because who are they ever going to hurt? It is important to understand the import and export requirements your organization must meet when interacting with entities in other parts of the world.
You could inadvertently break a country’s law or an international treaty if you do not get the right type of lawyers involved in the beginning and follow the approved processes.

Transborder Data Flow

While import and export controls apply to products, a much more common asset that constantly moves in and out of every country is data, and, as you might imagine at this point, there are laws, regulations, and processes that address what data can be moved where, when, why, how, and by whom. A transborder data flow (TDF) is the movement of machine-readable data across a political boundary such as a country’s border. This data is generated or acquired in one country but may be stored and processed in other countries as a result of TDFs. In a modern, connected world, this happens all the time. For example, just imagine all the places your personal data will go when you make an airline reservation to travel overseas, especially if you have a layover along the way.

NOTE  Transborder data flows are sometimes called cross-border data flows.

Some governments control transborder data flows by enacting data localization laws that require certain types of data to be stored and processed within the borders of their respective country, sometimes exclusively. There are many reasons for these laws, but they pretty much boil down to protecting their citizens, either by ensuring a higher standard of privacy protection or by allowing easier monitoring of their actions (typically the things citizens try to do overseas). Data localization can increase the cost of doing business in some countries because your organization may have to provision (and protect) information systems in that country that it otherwise wouldn’t.

Ironically, the very technology trend that initially fueled data localization concerns, cloud computing services, ultimately became an important tool to address those concerns in a cost-effective manner. At their onset, cloud computing services promised affordable access to resources around the globe, sometimes by shifting loads and storage from one region to another. In recent years, the major cloud service providers have adapted to localization laws by offering an increasing number of regions (sometimes down to individual countries) where the data is guaranteed to remain.

Privacy

Privacy is becoming more threatened as the world increasingly relies on computing technology. There are several approaches to addressing privacy, including the generic approach and regulation by industry. The generic approach is horizontal enactment—rules that stretch across all industry boundaries. It affects all industries, including government. Regulation by industry is vertical enactment. It defines requirements for specific verticals, such as the financial sector and health care. In both cases, the overall objective is twofold. First, the initiatives seek to protect citizens’ personally identifiable information. Second, the initiatives seek to balance the needs of government and businesses to collect and use PII with consideration of security issues.

In response, countries have enacted privacy laws. For example, although the United States already had the Federal Privacy Act of 1974, it has enacted new laws, such as the Gramm-Leach-Bliley Act of 1999 and HIPAA, in response to an increased need to protect personal privacy information. These are examples of a vertical approach to addressing privacy, whereas the EU’s GDPR, Canada’s Personal Information Protection and Electronic Documents Act, and New Zealand’s Privacy Act of 1993 are horizontal approaches. Most countries nowadays have some sort of privacy requirements in their laws and regulations, so we need to be aware of their impact on our information systems and their security to avoid nasty legal surprises.
Licensing and Intellectual Property Requirements

Another way to get into trouble, whether domestically or internationally, is to run afoul of intellectual property laws. As previously introduced, intellectual property (IP) is a type of property created by human intellect. It consists of ideas, inventions, and expressions that are uniquely created by a person and can be protected from unauthorized use by others. Examples are song lyrics, inventions, logos, and secret recipes. IP laws do not necessarily look at who is right or wrong, but rather how an organization or individual can protect what it rightfully owns from unauthorized duplication or use and what it can do if these laws are violated.

So who designates what constitutes authorized use? The owner of the IP does this by granting licenses. A license is an agreement between an IP owner (the licensor) and somebody else (the licensee), granting that party the right to use the IP in very specific ways. For example, the licensee can only use the IP for a year unless they renew the license (presumably after paying a subscription fee). A license can also be, and frequently is, nontransferable, meaning only the licensees, and not their family members or friends, can use it. Another common provision in the agreement is whether or not the license will be exclusive to the licensee.

Licenses can become moot if the IP is not properly protected by the licensor. An organization must implement safeguards to protect resources that it claims to be intellectual property and must show that it exercised due care (reasonable acts of protection) in its efforts to protect those resources. For example, if an employee sends a file to a friend and the company terminates the employee based on the activity of illegally sharing IP, then in a wrongful termination case brought by the employee, the company must show the court why this file is so important to the company, what type of damage could be or has been caused as a result of the file being shared, and, most important, what the company had done to protect that file. If the company did not secure the file and tell its employees that they were not allowed to copy and share that file, then the company will most likely lose the case. However, if the company implemented safeguards to protect that file and had an acceptable use policy in its employee manual that explained that copying and sharing the information within the file was prohibited and that the punishment for doing so could be termination, then the company could not be found liable for wrongfully terminating the employee.

Intellectual property can be protected by different legal mechanisms, depending upon the type of resource it is. As a CISSP, you should be knowledgeable of four types of IP laws: trade secrets, copyrights, trademarks, and patents. These topics are addressed in depth in the following sections, followed by tips on protecting IP internally and combating software piracy.

Trade Secret

Trade secret law protects certain types of information or resources from unauthorized use or disclosure. For a company to have its resource qualify as a trade secret, the resource must provide the company with some type of competitive value or advantage. A trade secret can be protected by law if developing it requires special skill, ingenuity, and/or expenditure of money and effort. This means that a company cannot say the sky is blue and call it a trade secret. A trade secret is something that is proprietary to a company and important for its survival and profitability.
An example of a trade secret is the formula used for a soft drink, such as Coke or Pepsi. The resource that is claimed to be a trade secret must be confidential and protected with certain security precautions and actions. A trade secret could also be a new form of mathematics, the source code of a program, a method of making the perfect jelly bean, or ingredients for a special secret sauce. A trade secret has no expiration date unless the information is no longer secret or no longer provides economic benefit to the company.

Many companies require their employees to sign a nondisclosure agreement (NDA), confirming that they understand its contents and promise not to share the company’s trade secrets with competitors or any unauthorized individuals. Companies require an NDA both to inform the employees of the importance of keeping certain information secret and to deter them from sharing this information. Having employees sign the NDA also gives the company the right to fire an employee or bring charges if the employee discloses a trade secret.

A low-level engineer working at Intel took trade secret information that was valued by Intel at $1 billion when he left his position at the company and went to work at his new employer, rival chipmaker Advanced Micro Devices (AMD). Intel discovered that this person still had access to Intel’s most confidential information even after starting work at AMD. He even used the laptop that Intel provided to him to download 13 critical documents that contained extensive information about the company’s new processor developments and product releases. Unfortunately, these stories are not rare, and companies are constantly dealing with challenges of protecting the very data that keeps them in business.

Copyright

In the United States, copyright law protects the right of the creator of an original work to control the public distribution, reproduction, display, and adaptation of that original work. The law covers many categories of work: pictorial, graphic, musical, dramatic, literary, pantomime, motion picture, sculptural, sound recording, and architectural. Copyright law does not cover the specific resource, as does trade secret law. It protects the expression of the idea of the resource instead of the resource itself. A copyright is usually used to protect an author’s writings, an artist’s drawings, a programmer’s source code, or specific rhythms and structures of a musician’s creation. Computer programs and manuals are just two examples of items protected under the Federal Copyright Act. The program or manual is covered under copyright law once it has been written. Although including a warning and the copyright symbol (©) is not required, doing so is encouraged so others cannot claim innocence after copying another’s work.

Copyright protection does not extend to any method of operations, process, concept, or procedure, but it does protect against unauthorized copying and distribution of a protected work. It protects the form of expression rather than the subject matter. A patent deals more with the subject matter of an invention; copyright deals with how that invention is represented. In that respect, copyright is weaker than patent protection, but the duration of copyright protection is longer. Copyright protection exists for the life of the creator plus 70 years. If the work was created jointly by multiple authors, the 70 years start counting after the death of the last surviving one.

Computer programs can be protected under the copyright law as literary works. The law protects both the source code and object code, which can be an operating system, application, or database. In some instances, the law can protect not only the code but also the structure, sequence, and organization.
The user interface is part of the definition of a software application structure; therefore, one vendor cannot copy the exact composition of another vendor’s user interface.

Copyright infringement cases have exploded in numbers since the rise of “warez” sites that use the common BitTorrent protocol. BitTorrent is a peer-to-peer file sharing protocol and is one of the most common protocols for transferring large files. Warez is a term that refers to copyrighted works distributed or traded without fees or royalties, in general violation of the copyright law. The term generally refers to unauthorized releases by groups, as opposed to file sharing between friends.

Once a warez site posts copyrighted material, it is very difficult to have it removed because law enforcement is commonly overwhelmed with larger criminal cases and does not have the bandwidth to go after these “small fish.” Another issue with warez sites is that the actual servers may reside in another country; thus, legal jurisdiction makes things more difficult and the country that the server resides within may not even have a copyright law. Film and music recording companies have had the most success in going after these types of offenders because they have the funds and vested interest to do so.

Trademark

A trademark is slightly different from a copyright in that it is used to protect a word, name, symbol, sound, shape, color, or combination of these. The reason a company would trademark one of these, or a combination, is that it represents the company (brand identity) to a group of people or to the world. Companies have marketing departments that work very hard to create something new that will cause the company to be noticed and stand out in a crowd of competitors, and trademarking the result of this work with a government registrar is a way of properly protecting it and ensuring others cannot copy and use it. Companies cannot trademark a number or common word.
This is why companies create new names—for example, Intel’s Pentium and Apple’s iPhone. However, unique colors can be trademarked, as well as identifiable packaging, which is referred to as “trade dress.” Thus, Novell Red and UPS Brown are trademarked, as are some candy wrappers.

Registered trademarks are generally protected for ten years, but can be renewed for another ten years indefinitely. In the United States, you must file paperwork with the U.S. Patent and Trademark Office (USPTO) between the fifth and sixth years showing that you are actually using the trademark. This means that you can’t just create a trademark you don’t ever use and still keep others from using it. You have to file another “Declaration of Use” between the ninth and tenth year, and then every nine to ten years thereafter.

NOTE In 1883, international harmonization of trademark laws began with the Paris Convention, which in turn prompted the Madrid Agreement of 1891. Today, international trademark law efforts and international registration are overseen by the World Intellectual Property Organization (WIPO), an agency of the United Nations. The United States is a party to this agreement.

There have been many interesting trademark legal battles over the years. In one case a person named Paul Specht started a company named “Android Data” and had his company’s trademark approved in 2002. Specht’s company failed, and although he attempted to sell it and the trademark, he had no buyers. When Google announced that it was going to release a new mobile operating system called Android, Specht built a new website using his old company’s name to try and prove that he was indeed still using this trademark. Specht took Google to court and asked for $94 million in trademark infringement damages. The court ruled in Google’s favor and found that Google was not liable for damages.
Patent

Patents are given to individuals or organizations to grant them legal ownership of, and enable them to exclude others from using or copying, the invention covered by the patent. The invention must be novel, useful, and not obvious—which means, for example, that a company could not patent air. Thank goodness. If a company figured out how to patent air, we would have to pay for each and every breath we took!

After the inventor completes an application for a patent and it is approved, the patent grants a limited property right to exclude others from making, using, or selling the invention for a specific period of time. For example, when a pharmaceutical company develops a specific drug and acquires a patent for it, that company is the only one that can manufacture and sell this drug until the stated year in which the patent is up (usually 20 years from the date of approval). After that, the information is in the public domain, enabling all companies to manufacture and sell this product, which is why the price of a drug drops substantially after its patent expires and generic versions hit the market.

The patent process also applies to algorithms. If an inventor of an algorithm acquires a patent, she has full control over who can use the algorithm in their products. If the inventor lets a vendor incorporate the algorithm, she will most likely get a fee and possibly a license fee on each instance of the product that is sold. Patents are ways of providing economic incentives to individuals and organizations to continue research and development efforts that will most likely benefit society in some fashion.

Patent infringement is huge within the technology world today. Large and small product vendors seem to be suing each other constantly with claims of patent infringement. The problem is that many patents are written at a very high level.
For example, if Inge developed a technology that accomplishes functionality A, B, and C, you could actually develop your own technology in your own way that also accomplished A, B, and C. You might not even know that Inge’s method or patent existed; you just developed this solution on your own. Yet if Inge did this type of work first and obtained the patent, then she could go after you legally for infringement.

EXAM TIP A patent is the strongest form of intellectual property protection.

The amount of patent litigation in the technology world is remarkable. In October 2020, Centripetal Networks won a $1.9 billion award against Cisco Systems involving network threat detection technologies. In April of the same year, Apple and Broadcom were ordered to pay Caltech $1.1 billion because they infringed multiple Caltech patents pertaining to wireless error correction codes. Even though the amounts of these awards are certainly eye-popping, they are not the only notable ones. It turns out that 2020 was a pretty rough year for Apple, because it was also ordered to pay $506 million to PanOptis and another $109 million to WiLAN in two other infringement cases. This is just a brief list of recent patent litigation. These patent cases are like watching 100 Ping-Pong matches going on all at the same time, each containing its own characters and dramas, and involving millions and billions of dollars.

Figure 3-4 Defendants added to litigation campaigns by year (Data provided by RPX Corporation on 12/14/20. © 2020 RPX Corporation)

While the various vendors are fighting for market share in their respective industries, another reason for the increase in patent litigation is the emergence of nonpracticing entities (NPEs), also known as patent trolls.
NPE (or patent troll) is a term used to describe a person or company who obtains patents, not to protect their invention, but to aggressively and opportunistically go after another entity that tries to create something based upon them. A patent troll has no intention of manufacturing an item based upon their patent, but wants to get licensing fees from an entity that does manufacture the item.

For example, let’s say that Donald has ten new ideas for ten different technologies. He puts them through the patent process and gets them approved, but he has no intention of putting in all the money and risk it takes to actually create these technologies and attempt to bring them to market. He is going to wait until you do this and then he is going to sue you for infringing upon his patent. If he wins the court case, you have to pay him licensing fees for the product you developed and brought to market.

It is important to do a patent search before putting effort into developing a new methodology, technology, or business method. As you can see in Figure 3-4, there is a lot of litigation due to patent infringement, and thousands of new defendants are being added to the party each year. These cases are very costly but can oftentimes be avoided with a bit of homework.

Internal Protection of Intellectual Property

Ensuring that specific resources are protected by the previously mentioned laws is very important, but other measures must be taken internally to make sure the resources that are confidential in nature are properly identified and protected.

The resources protected by one of the previously mentioned laws need to be identified and integrated into the organization’s data classification scheme. This should be directed by management and carried out by the IT staff. The identified resources should have the necessary level of access control protection, auditing enabled, and a proper storage environment.
If a resource is deemed secret, then not everyone in the organization should be able to access it. Once the individuals who are allowed to have access are identified, their level of access and interaction with the resource should be defined in a granular method. Attempts to access and manipulate the resource should be properly audited, and the resource should be stored on a protected system with the necessary security mechanisms. Employees must be informed of the level of secrecy or confidentiality of the resource and of their expected behavior pertaining to that resource.

If an organization fails in one or all of these steps, it may not be covered by the laws described previously, because it may have failed to practice due care and properly protect the resource that it has claimed to be so important to the survival and competitiveness of the organization.

Software Piracy

Software piracy occurs when the intellectual or creative work of an author is used or duplicated without permission or compensation to the author. It is an act of infringement on ownership rights, and if the pirate is caught, he could be sued civilly for damages, be criminally prosecuted, or both.

When a vendor develops an application, it usually licenses the program rather than sells it outright. The license agreement contains provisions relating to the approved use of the software and the corresponding manuals. If an individual or organization fails to observe and abide by those requirements, the license may be terminated and, depending on the actions, criminal charges may be leveled. The risk to the vendor that develops and licenses the software is the loss of profits it would have earned.

There are four categories of software licensing. Freeware is software that is publicly available free of charge and can be used, copied, studied, modified, and redistributed without restriction. Shareware, or trialware, is used by vendors to market their software.
Users obtain a free, trial version of the software. Once the user tries out the program, the user is asked to purchase a copy of it. Commercial software is, quite simply, software that is sold for or serves commercial purposes. And, finally, academic software is software that is provided for academic purposes at a reduced cost. It can be open source, freeware, or commercial software.

Some software vendors sell bulk licenses, which enable several users to use the product simultaneously. These master agreements define proper use of the software along with restrictions, such as whether corporate software can also be used by employees on their home machines. One other prevalent form of software licensing is the End User License Agreement (EULA). It specifies more granular conditions and restrictions than a master agreement. Other vendors incorporate third-party license-metering software that keeps track of software usability to ensure that the customer stays within the license limit and otherwise complies with the software licensing agreement.

The information security officer should be aware of all these types of contractual commitments required by software companies. This person needs to be educated on the restrictions the organization is under and make sure proper enforcement mechanisms are in place. If an organization is found guilty of illegally copying software or using more copies than its license permits, the security officer in charge of this task may be primarily responsible.

Thanks to easy access to high-speed Internet, employees’ ability—if not the temptation—to download and use pirated software has greatly increased. The June 2018 BSA Global Software Survey, a study conducted by the Business Software Alliance (BSA) and International Data Corporation (IDC), found that 37 percent of the software installed on personal computers globally was not properly licensed.
This means that for every two dollars’ worth of legal software that is purchased, one dollar’s worth is pirated. Software developers often use these numbers to calculate losses resulting from pirated copies. The assumption is that if the pirated copy had not been available, then everyone who is using a pirated copy would have instead purchased it legally.

Not every country recognizes software piracy as a crime, but several international organizations have made strides in curbing the practice. The Federation Against Software Theft (FAST) and the Business Software Alliance (author of the Global Software Survey) are organizations that promote the enforcement of proprietary rights of software. This is a huge issue for companies that develop and produce software, because a majority of their revenue comes from licensing fees. The study also estimates that the total economic damage experienced by the industry was $46.3 billion in losses in 2018.

One of the offenses an individual or organization can commit is to decompile vendor object code. This is usually done to figure out how the application works by obtaining the original source code, which is confidential, and perhaps to reverse-engineer it in the hope of understanding the intricate details of its functionality. Another purpose of reverse-engineering products is to detect security flaws within the code that can later be exploited. This is how some buffer overflow vulnerabilities are discovered. Many times, an individual decompiles the object code into source code and either finds security holes to exploit or alters the source co
