Title C841 Task1 v1 - C841 Task 1
Author BRIAN DOWNS
Course Legal Issues in Information Security
Institution Western Governors University
Western Governors University, Legal Issues in Information Security, C841

Brian Downs IHP3 Task 1: Legal Analysis


IHP3 Task 1: Legal Analysis

A1: Computer Fraud and Abuse Act and Electronic Communications Privacy Act

A1.1: Computer Fraud and Abuse Act (CFAA) Example

In the CFAA example, the Business Intelligence (BI) unit created two dummy user accounts in the names of former TechFite employees who had not worked there for over a year. The accounts were in constant use at the request of the Applications Division head, Carl Jaspers. They were used to reach other groups and units across the company, including Legal, Human Resources, and Finance, without authorization. A review of the network logs showed regular traffic between the BI unit and those departments, used to locate and examine executive and financial documents and sensitive information about current, former, and potential clients.

A1.2: Electronic Communications Privacy Act (ECPA) Example

In the ECPA example, BI unit employees deliberately intruded on the privacy of individuals inside and outside the organization without legal consent to access their communications. Besides monitoring network traffic from inside the company, the unit sent emails to individuals who were not TechFite clients that referred to "dumpster diving" and "trash surveillance" as ways of gathering intelligence.

A2: Explanation of Laws, Regulations, or Legal Cases

The Electronic Communications Privacy Act (ECPA) protects wire, oral, and electronic communications while they are being made, while they are in transit, and when they are stored on computers (Electronic communications privacy act of 1986 (ECPA)). It applies to email, telephone conversations, and electronically stored data. The BI unit created and used two dummy accounts to gain access to departments outside its own division without authorization and, from that position, monitored internal network traffic and read stored information it had no consent to access. Because the ECPA covers stored electronic communications as well as communications in transit, this unauthorized access violates the Act and justifies any legal action brought forward.

The Computer Fraud and Abuse Act (CFAA) prohibits intentionally accessing a computer without authorization or exceeding authorized access, and obtaining information from a protected computer by doing so (18 U.S.C. § 1030). In practice this means users must not access systems they have not been granted access to, exceed the authority they were given, or abuse privileges to reach information above their authorized level. In the TechFite case, Carl Jaspers authorized employees to create two dummy accounts in the names of people who had not been employed by the company for over a year. That authorization itself violates the CFAA. In addition, email associated with the fake accounts was used to obtain sensitive information from organizations not affiliated with TechFite. Together these two facts justify legal action against Carl Jaspers under the CFAA: he directed the creation of fake user accounts and the unauthorized access to information belonging to others.

The Sarbanes-Oxley Act of 2002 (SOX) protects shareholders and investors from financial fraud by requiring accurate, controlled financial reporting from companies. An audit of the client list database in the TechFite case found that three fictitious companies, Bebop Software of Alberta, FGH Research Group of Indiana, and Dazzling Comet Software of Florida, all paid with checks drawn on Freeworkers' Pennsylvania Bank in Scranton, Pennsylvania. TechFite holds no accounts at and does no business with that bank, and the investigation indicated the bank may have provided an off-the-books way to make payments elsewhere. Several SOX violations follow: TechFite's financial records were inaccurate, and no annual financial audit was performed. Had the client database been audited, the three fictitious companies and the illegitimate payments behind them would have been discovered. Each of these failures violates SOX and may result in future legal action against TechFite.

A3: Duty of Due Care

The duty of due care is a person's obligation to avoid acts that could foreseeably harm others. The level of care owed is judged against the reasonable person standard: a person should behave as a reasonable person would in the same circumstances. In the case study, the first failure of due care was the lack of attention to safeguarding the sensitive and proprietary information of current, former, and potential clients. There was no segregation of information between the company's departments or between different clients' data. Every workstation in the BI unit had full administrator rights, and each unit had full visibility into, and access to, the others. This shows a complete absence of the principle of least privilege and of separation of duties.

The second failure of due care concerns internal monitoring. The reports reviewed by IT Security Analyst Nadia Johnson showed that the organization did a credible job of protecting the division's network against external threats, but they offered only broad summaries stating that no anomalies had been found in TechFite's internal operations. Missing from these reports was any discussion of auditing user accounts, checking for privilege escalation, enforcing data loss prevention (DLP) on sensitive documents, or monitoring internal network traffic and activity.

A4: Sarbanes-Oxley Act (SOX)

An audit of the division's client list database, which IT Security Analyst Nadia Johnson had never performed, found that three listed organizations, Bebop Software of Alberta, FGH Research Group of Indiana, and Dazzling Comet Software of Florida, were fictitious. All three paid for TechFite services with checks drawn on the same bank, Freeworkers' Pennsylvania Bank in Scranton, Pennsylvania. These "clients" may therefore not be real customers but a channel for moving money into TechFite's sales figures. Because TechFite has no accounts at and does no business with that bank, the bank may provide an off-the-books method of making payments elsewhere. The absence of any annual audit of the client database and the resulting inaccuracy of TechFite's financial reports are both SOX violations.

B1a. Criminal Activity, Actors and Victims

An interview with Noah Stevenson, CEO of Orange Leaf Software LLC and an existing TechFite client, revealed that a nondisclosure agreement (NDA) executed by TechFite's Applications Division head, Carl Jaspers, was violated when proprietary information was discussed with competitors. During the pre-consultation, Orange Leaf's CEO, CTO, and lead software engineer completed questionnaires containing technical details of Orange Leaf's products. For several reasons, Orange Leaf decided not to hire TechFite's Applications Division. Months later, an Orange Leaf competitor launched products similar to those discussed in the TechFite meeting, a clear violation of the NDA executed by Carl Jaspers.


Orange Leaf and its CEO, Noah Stevenson, are the victims of Carl Jaspers breaking the NDA. The breach could seriously damage Orange Leaf's business, since a competitor now holds its proprietary information. Several parties share responsibility for the leak. Carl Jaspers is the primary actor: he disregarded the NDA and passed the information to a competitor. The Applications Division is a second responsible party, for not holding Carl Jaspers accountable for his fraudulent actions. IT Security Analyst Nadia Johnson is the third. Although she is not part of the Applications Division, she is responsible for monitoring employee activity and network traffic and for overseeing data loss prevention, and the case revealed a lack of due care in internal security, monitoring, and reporting on both employees and information. As a result, proprietary information belonging to Orange Leaf Software LLC now sits in a competitor's hands.

A second victim, also an existing TechFite client, is Ana Capperson, CTO of Union City Electronic Ventures. After Carl Jaspers executed the NDA, Ana Capperson completed a questionnaire but decided against doing business with TechFite. Proprietary information from that questionnaire later surfaced at one of Union City's competitors. Once again Carl Jaspers, the primary actor, violated the NDA and leaked the information to a competitor. A broken NDA of this kind can have serious consequences for the victim's business, up to forcing the company to close if the loss is severe enough. As in the first case, IT Security Analyst Nadia Johnson is a secondary responsible party: there was no oversight of sensitive documents, no monitoring of employee actions, and no action toward data loss prevention. This lack of due care makes Nadia Johnson just as responsible for the loss of proprietary information as Carl Jaspers and the Applications Division.

B1b. Cybersecurity Policies & Procedures for Criminal Activity

The first policy I would institute is a user account creation policy that documents a clear separation of duties between hiring, account creation, and account expiration at the end of employment. Once a candidate is selected for a position, the HR department sends an account creation request or work order through a system that tracks each step of the process. On receipt, the IT Security Department creates the account based on the role the person will fill, after first verifying against the employee database that the name does not belong to a former employee with an old or expired account. The new account stays disabled until the employee's first day. Its role is built on the principle of least privilege, so the user holds only the access rights needed for that position. Any additional access requires a separate work order reviewed by the security team; if the request is approved, the rights are granted, and if it is denied, they are not. When an employee resigns or is terminated, HR conducts an exit interview, after which the security team disables the account and removes all access to company resources. A disabled account cannot be reactivated without going through the re-hire process. Every step, from hiring through account creation, role-based access authorization, and account expiration, is documented so that there is a clear audit trail for each action.

This procedure would have prevented the abuse in the TechFite case. Had the company followed it, there would have been no way to create accounts for former employees who had not worked at TechFite for over a year. Those accounts were used to reach sensitive and proprietary information in other departments across TechFite, a clear violation of the CFAA.

The second policy I would implement is an annual Sarbanes-Oxley financial audit. SOX requires every company financial report to include an internal controls report, and year-end financial disclosure reports are also required. These reports show that the company's financial data is accurate (the cited source describes a 5% variance threshold) and that sufficient controls are in place to protect it (Sarbanes Oxley Audit Requirements 2021). The violation here concerns the three companies, Bebop Software of Alberta, FGH Research Group of Indiana, and Dazzling Comet Software of Florida, which all paid for TechFite services with checks drawn on the same bank, Freeworkers' Pennsylvania Bank in Scranton, Pennsylvania. All three were registered by Yu Lee, a friend who attended graduate school with Carl Jaspers at Stanford University, so these clients may not be real customers but avenues for moving money into the Applications Division's sales figures. Because TechFite has no accounts at and does no business with the bank, the bank may provide an off-the-books method of making payments elsewhere. This violates the Sarbanes-Oxley Act. A SOX audit would have caught these financial anomalies and flagged them as illegal.

B2a. Negligent Activity, Actors and Victims

The first negligent act was the failure to apply a user account creation policy. Carl Jaspers, the actor in this case, requested that two dummy user accounts be created in the names of employees who had left the company more than a year earlier. Those accounts should have been deactivated when the employees left and never reused without going through the proper account creation procedure. Instead, they were given escalated privileges outside the scope of their positions, allowing access to confidential documents in the Legal, HR, and Finance divisions and from the executive team. The victims are TechFite's employees and executives: leaking sensitive and confidential information about other employees and company business can be detrimental to the well-being of the people involved and to the company's reputation and financial security.

The second negligent act was the lack of internal oversight of the BI unit. There was a troubling lack of attention to protecting sensitive and proprietary data belonging to existing, potential, and former clients, and no evidence that different clients' data was kept separate. A Chinese Wall (Brewer-Nash) model would help here. In the BI unit, neither separation of duties nor the principle of least privilege was enforced: every workstation had full administrative rights, and in the BI unit's work with the marketing and sales units the same person could create clients, report sales, and post sales on the same system. The victims in this case are TechFite's clients, since it would be easy to steal one client's proprietary data and use it for the profit and gain of another.

B2b. Cybersecurity Policies & Procedures for Negligent Activity

The first cybersecurity policy I would put in place is an Acceptable Use Policy (AUP): a formal, documented access control policy that addresses purpose, roles, and the responsibilities of the employee, as described in NIST SP 800-53 control AC-1 (Access control policy and procedures - NIST). The procedure starts by identifying which group the employee needs access to, identifies which authorized users belong to that group, and grants those users the appropriate access rights to the relevant information.
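The account lifecycle described under B1b and the role-based grant described in the AC-1 paragraph above can be expressed as code that enforces the rules instead of relying on people to remember them. The Python below is an added illustration; it is not part of the original paper, the TechFite case study, or any NIST publication. The role templates, usernames (including "cjaspers" and "jdoe"), dates, share names, and the `Directory` class are all constructed for the example. It refuses an account requested in a former employee's name, keeps a new account disabled until its start date, requires an approver other than the requester for extra rights, strips rights and disables the account at offboarding, blocks re-enabling without re-hire, and records every decision, including refusals, in an audit trail.

```python
"""Policy-as-code for the user account lifecycle described in B1b.
Added example: not from the original paper, the TechFite case study or NIST.
Roles, usernames, dates and share names are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import date


class PolicyViolation(Exception):
    """Raised when a request would break the account creation policy."""


# Least-privilege role templates, one per job function (constructed).
ROLE_RIGHTS = {
    "bi_analyst": {"bi_share:read", "bi_share:write"},
    "hr_specialist": {"hr_share:read", "hr_share:write"},
    "finance_clerk": {"finance_share:read"},
}


@dataclass
class Account:
    username: str
    role: str
    start: date
    enabled: bool = False                  # created disabled until day one
    rights: set = field(default_factory=set)


@dataclass
class Directory:
    """Identity store plus the append-only audit trail the policy requires."""
    former_employees: set                  # HR's list of people who have left
    accounts: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def _log(self, actor, action, target, outcome):
        self.audit.append((actor, action, target, outcome))

    def create(self, hr_requester, username, role, start):
        """HR requests, security creates: separation of duties."""
        if username in self.former_employees:
            self._log(hr_requester, "create", username, "denied: former employee")
            raise PolicyViolation(f"{username} belongs to a former employee")
        if role not in ROLE_RIGHTS:
            self._log(hr_requester, "create", username, "denied: unknown role")
            raise PolicyViolation(f"unknown role {role}")
        self.accounts[username] = Account(username, role, start, False, set(ROLE_RIGHTS[role]))
        self._log(hr_requester, "create", username, f"ok: disabled until {start}")

    def enable(self, username, today):
        """Security enables on the start date; never after offboarding."""
        acct = self.accounts[username]
        if username in self.former_employees:
            self._log("security", "enable", username, "denied: needs re-hire")
            raise PolicyViolation("reactivation requires re-hire")
        if today < acct.start:
            self._log("security", "enable", username, "denied: before start date")
            raise PolicyViolation(f"start date {acct.start} not reached")
        acct.enabled = True
        self._log("security", "enable", username, "ok")

    def request_rights(self, requester, approver, username, right):
        """Extra access needs a separate work order reviewed by someone else."""
        if requester == approver:
            self._log(requester, "grant", f"{username}:{right}", "denied: self-approval")
            raise PolicyViolation("requester cannot approve own request")
        self.accounts[username].rights.add(right)
        self._log(approver, "grant", f"{username}:{right}", f"ok: requested by {requester}")

    def offboard(self, username):
        """After the exit interview: disable, strip rights, mark as former employee."""
        acct = self.accounts[username]
        acct.enabled = False
        acct.rights.clear()
        self.former_employees.add(username)
        self._log("security", "offboard", username, "ok")


def attempt(action):
    """Run one policy action and report the outcome as a string."""
    try:
        action()
        return "ok"
    except PolicyViolation as exc:
        return f"denied: {exc}"


def run_policy_demo():
    """Walk the policy through the TechFite pattern and a normal hire.
    Returns a dict of outcomes so the behaviour can be checked without a UI."""
    d = Directory(former_employees={"jdoe"})   # constructed: jdoe left over a year ago
    out = {}
    # The case-study pattern: an account requested in a former employee's name.
    out["dummy_account"] = attempt(lambda: d.create("hr", "jdoe", "bi_analyst", date(2021, 10, 1)))
    # A legitimate hire: created disabled, enabled only on the start date.
    d.create("hr", "asmith", "bi_analyst", date(2021, 10, 4))
    out["enabled_after_create"] = d.accounts["asmith"].enabled
    out["enable_early"] = attempt(lambda: d.enable("asmith", date(2021, 10, 1)))
    out["enable_on_start"] = attempt(lambda: d.enable("asmith", date(2021, 10, 4)))
    # Extra rights: a division head cannot approve his own request.
    out["self_approval"] = attempt(lambda: d.request_rights("cjaspers", "cjaspers", "asmith", "finance_share:read"))
    out["reviewed_grant"] = attempt(lambda: d.request_rights("cjaspers", "security", "asmith", "finance_share:read"))
    out["rights"] = sorted(d.accounts["asmith"].rights)
    # Offboarding: account disabled, rights gone, no return without re-hire.
    d.offboard("asmith")
    out["rights_after_offboard"] = sorted(d.accounts["asmith"].rights)
    out["reactivate"] = attempt(lambda: d.enable("asmith", date(2022, 1, 3)))
    out["denied_in_audit"] = sum(1 for _, _, _, o in d.audit if o.startswith("denied"))
    return out


if __name__ == "__main__":
    for key, value in run_policy_demo().items():
        print(f"{key}: {value}")
```

The refusals are logged with the same care as the approvals; in the TechFite case it is exactly the denied "create an account for someone who left a year ago" request that an auditor would want to see recorded.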
This applies directly to the TechFite BI unit, which enforced neither least privilege nor separation of duties. Every workstation had full administrative rights, users could reach data and applications across the marketing and sales units, and each unit had full visibility into the others' information.

The second cybersecurity policy I would implement is a Data Loss Prevention (DLP) policy. Data loss can diminish a company's brand, reduce shareholder value, and damage its goodwill and reputation (Data loss prevention - TSAPPS at NIST). TechFite had no DLP program. What was missing was a monitoring capability that watches for insider threats and data exfiltration from the company's own internal systems and databases. With DLP in place, the monitoring software would have alerted the IT Security Department when someone attempted to access or exfiltrate proprietary or sensitive information, and the department could have acted before any harm or data breach occurred. Without it, employees were able to access sensitive information and potentially send it to someone outside the company.

C. Legal Compliance Summary for Management

Computer Fraud and Abuse Act

TechFite was found not compliant in this area. Dummy user accounts were created in the names of former employees who had not worked for TechFite in over a year, and these accounts were used to access other groups and units across the company, including Legal, Human Resources, and Finance, without authorization.

Electronic Communications Privacy Act

TechFite was found not compliant in this area. Metasploit, a penetration-testing framework, was installed on multiple machines in the BI unit, and recent scanning and penetration activity against several Internet-based companies and other companies' networks was performed by TechFite employees to gather information through unauthorized access. Unauthorized access to other companies' networks also implicates the CFAA.

Sarbanes-Oxley Act

TechFite was found not compliant in this area. The TechFite client list contained three fake organizations, all of which paid with checks drawn on a bank at which TechFite holds no accounts and with which it does no business. This was possibly a conduit for moving money into the division's sales numbers, and the bank may be providing an off-the-books method of making payments elsewhere.
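The controls that A3 and B2b say were missing from the internal reports (auditing user accounts, checking for privilege escalation, monitoring internal traffic) and the scanning activity noted under the ECPA item above can all be checked with a few lines of log analysis. The Python below is an added example and is not code from the paper or the case study; the HR roster, the share-access lines, the firewall lines, the hostnames, the IP addresses, and the scan threshold are constructed for illustration. It flags activity by accounts whose owners are no longer employed, access to a department's restricted share by someone from another department, and one internal host probing many ports on a single external host.

```python
"""Detection checks for the monitoring gaps named in A3 and B2b.
Added example, not from the original paper or the case study. Roster,
log lines, hostnames, addresses and thresholds are constructed."""
from collections import defaultdict

# Constructed HR roster: department and employment status per username.
ROSTER = {
    "asmith": ("bi", "active"),
    "bchen": ("finance", "active"),
    "jdoe": ("bi", "left"),        # separated over a year ago
    "rpatel": ("legal", "left"),
}

# Shares that only their owning department may touch (constructed).
SENSITIVE = {"finance_share": "finance", "hr_share": "hr", "legal_share": "legal"}

# Constructed file-share audit lines in key=value form.
ACCESS_LOG = """\
ts=2021-10-05T09:12:01 user=asmith host=bi-ws01 share=bi_share action=read
ts=2021-10-05T09:15:44 user=jdoe host=bi-ws02 share=finance_share action=read
ts=2021-10-05T09:16:10 user=jdoe host=bi-ws02 share=legal_share action=read
ts=2021-10-05T09:20:00 user=bchen host=fin-ws03 share=finance_share action=write
ts=2021-10-05T09:25:31 user=asmith host=bi-ws01 share=hr_share action=read
"""

# Constructed outbound connection lines from the perimeter firewall.
FW_LOG = """\
ts=2021-10-05T10:00:01 src=10.0.5.12 dst=203.0.113.7 dport=21 proto=tcp
ts=2021-10-05T10:00:01 src=10.0.5.12 dst=203.0.113.7 dport=22 proto=tcp
ts=2021-10-05T10:00:02 src=10.0.5.12 dst=203.0.113.7 dport=80 proto=tcp
ts=2021-10-05T10:00:02 src=10.0.5.12 dst=203.0.113.7 dport=443 proto=tcp
ts=2021-10-05T10:00:03 src=10.0.5.12 dst=203.0.113.7 dport=445 proto=tcp
ts=2021-10-05T10:00:03 src=10.0.5.12 dst=203.0.113.7 dport=3389 proto=tcp
ts=2021-10-05T10:05:00 src=10.0.7.30 dst=198.51.100.9 dport=443 proto=tcp
"""


def parse(log):
    """Split key=value lines into dicts, skipping blank lines."""
    events = []
    for line in log.splitlines():
        if line.strip():
            events.append(dict(tok.split("=", 1) for tok in line.split()))
    return events


def stale_account_use(events, roster):
    """Accounts seen in the log whose owner is not a current employee.
    Unknown usernames are flagged too: they are not on the roster at all."""
    return sorted({e["user"] for e in events
                   if roster.get(e["user"], (None, "unknown"))[1] != "active"})


def cross_department_access(events, roster, sensitive):
    """Access to a department-restricted share by a user from another department."""
    hits = []
    for e in events:
        owner = sensitive.get(e["share"])
        dept = roster.get(e["user"], ("unknown", None))[0]
        if owner and dept != owner:
            hits.append((e["user"], dept, e["share"]))
    return hits


def port_scans(events, threshold=5):
    """Internal hosts touching at least `threshold` distinct ports on one external host."""
    ports = defaultdict(set)
    for e in events:
        ports[(e["src"], e["dst"])].add(int(e["dport"]))
    return sorted((src, dst, len(p)) for (src, dst), p in ports.items()
                  if len(p) >= threshold)


def report():
    """Run all three checks over the constructed logs."""
    access = parse(ACCESS_LOG)
    fw = parse(FW_LOG)
    return {
        "stale_accounts": stale_account_use(access, ROSTER),
        "cross_department": cross_department_access(access, ROSTER, SENSITIVE),
        "scans": port_scans(fw),
    }


if __name__ == "__main__":
    for name, findings in report().items():
        print(name, findings)
```

Each check is one of the items the reports omitted: the first is the user-account audit, the second is the privilege and separation-of-duties check, and the third is the internal-traffic surveillance that would have caught scanning tools being run from BI workstations. The port threshold is a tuning knob; a lower value catches slower scans at the cost of more noise.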


References

Sarbanes-Oxley 101. (2021). Sarbanes Oxley Audit Requirements. Retrieved October 8, 2021, from https://www.sarbanes-oxley-101.com/sarbanes-oxley-audits.htm

NIST. (n.d.). Access control policy and procedures: Technical Access Control AC-1 Access Control Policy and Procedures P1 (SP 800-53 controls). Retrieved October 9, 2021, from https://nvd.nist.gov/download/800-53/800-53-controls.xml

NIST. (n.d.). Data loss prevention (TSAPPS at NIST). Retrieved October 10, 2021, from https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=904672

Bureau of Justice Assistance. (n.d.). Electronic Communications Privacy Act of 1986 (ECPA). Retrieved October 10, 2021, from https://bja.ojp.gov/program/it/privacy-civilliberties/authorities/statutes/1285
