Chapter 2. Legal and Ethical Considerations


Ethics of Penetration Testing

Imagine that you were asked by your neighbors to steal the bicycle of their child. The child does not know that you are going to attempt to steal it, but the parents want to judge how difficult it would be if someone were to try to steal it. You know that stealing is illegal, and you wonder if it is still wrong if the parents authorize you to do it. The parents ask you to do them this favor and tell them the results.

Penetration testing is no different from this analogy. You are being asked to perform a task that would otherwise be illegal. Often, the employees of the company have no idea what you are up to, being unaware that the management has requested a penetration test to be done. Informing employees, especially IT staff, might lead to inaccurate results because they might attempt to harden their systems to prevent your access.

Going back to the analogy, what if in the process of stealing the bicycle you discover that the back tire looks loose? If the tire comes undone, it could cause harm to the rider. You wonder if you should attempt to take the tire off to see if it is easily undone, even though the owners have not asked you to.

In penetration testing, you might discover that a host appears susceptible to denial of service (DoS) attacks. A DoS attack is an attack that prevents a host from functioning in accordance with its intended purpose. Such attacks can have a severe impact on daily operations, preventing users from working or preventing customers from accessing the company website. Because of the severe impact of DoS attacks, they are not usually allowed in penetration testing. When they are, they are usually performed after hours when their impact would be minimal.

It is unethical to perform a DoS attack on your target if the testing contract does not allow for such. Your contract should state, however, that you cannot guarantee against DoS during testing because the unexpected does happen. Sometimes scanning tools that would otherwise be harmless cause unexpected results. Have a disclaimer clause and communicate to your client that DoS attacks will not be willfully tested but that they might occur in the process of other tests.

Note

For example, the NMap tool, used to scan hosts for open ports, has been known to cause DoS attacks inadvertently on OpenBSD 2.7 systems that are running IPSec. When you run nmap with the -sO option, you cause the OpenBSD system to crash with the following output:

panic: m_copydata: null mbuf
Stopped at _Debugger+0x4: leave
_panic(....
m_copydata(...
_ipsec_common_input(...
_esp4_input(....
_ipv4_input(....
_ipintr(...
Bad frame pointer: 0xe3b55e98

Port scans have also been known to cause DoS attacks on Efficient Networks routers, pcAnywhere 9.0, and Windows 95 and 98 with Novell intraNetWare Client installed. If DoS attacks are not allowed in the test, put a disclaimer in your contract of service that states you will not willfully commit a DoS attack. However, make it clear to the client that DoS attacks might be caused inadvertently, as in the examples listed here.



Your ethical responsibilities do not stop when the test is done, however. After the test is completed, you should perform due diligence to ensure the confidentiality of the test results. Some penetration testing firms have been known to circulate test results to other companies as samples of their work. These results contain detailed steps on how to break into an e-finance website for a particular financial institution and collect sensitive customer data. You can imagine the shock of the institution when it discovered these contents being distributed to its competitors!

Therefore, as a penetration tester, you are under an ethical obligation to keep the details of the report confidential. Shred any hard copies of the report, and delete all soft copies using a wiping utility such as PGP or AxCrypt.



The Ten Commandments of Computer Ethics

The Computer Ethics Institute is a nonprofit 501(c)(3) research and policy study organization made up of the Brookings Institute, IBM, The Washington Consulting Group, and the Washington Theological Consortium. They have published the Ten Commandments of Computer Ethics, which are as follows:

1. Thou shalt not use a computer to harm other people.

2. Thou shalt not interfere with the computer work of other people.

3. Thou shalt not snoop around in the computer files of other people.

4. Thou shalt not use a computer to steal.

5. Thou shalt not use a computer to bear false witness.

6. Thou shalt not copy or use proprietary software for which you have not paid.

7. Thou shalt not use the computer resources of other people without authorization or proper compensation.

8. Thou shalt not appropriate the intellectual output of other people.

9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.

10. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.



Laws

Going outside of your contractual boundaries is not only unethical, it is also illegal. Penetration testers need to be aware of laws that might impact the type of tests they perform.

Throughout history, society has been plagued with different crimes: crimes against people and crimes against property. Cybercrime is unlawful activity performed through the use of technology. Common types of cybercrime include the theft of passwords, network intrusions, possession of illegal material (child pornography), fraud, DoS attacks, eavesdropping, piracy, information warfare (cyberterrorism), malware (malicious software such as viruses), identity theft, and espionage. With the exception of perhaps DoS attacks, cybercrime presents no new types of unlawful activity. Cybercrime still constitutes crimes against people and property, just by different means.

Cybercrime does pose some new issues, however. Unlike traditional crime, cybercrime does not have physical constraints. If you were to rob a bank, you would have to arrive at the bank in person. If you were to "rob" an online bank, you could be anywhere in the world. Cybercrime also makes capturing physical evidence harder. Evidence is usually volatile and is often covered up by the perpetrator. Because cybercriminals can be anywhere in the world, law officials from different countries might have to work with each other to track down the cybercriminals.

To counteract this last difficulty, nations have sought to reach a consensus. The European Council Convention on Cybercrime acted to harmonize computer crime laws across European nations. Although noble in their attempt, reaching a consensus has been anything but harmonious. Getting more than 180 countries to agree on a single standard for security implementations is a daunting task. At best, there can only be guidelines for nations to use as "best-practices" recommendations.

The Organisation for Economic Co-Operation and Development (OECD) promotes policies geared toward producing sustainable economic growth. You can read about participating countries by visiting the OECD website at http://www.oecd.org. In 1992, the OECD published Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security. On July 2, 2002, this document was updated to reflect changes in information security practices. This document is based on numerous principles, but the one most relevant to penetration testing is the reassessment principle, which states the following:

Participants should review and reassess the security of information systems and networks and make appropriate modifications to security policies, practices, measures, and procedures. (page 12)

Security assessments are essential to companies today, and those that want to follow the OECD guidelines should integrate regular penetration tests to assess their security infrastructure.

The OECD guidelines provide an initial framework for countries to then establish government standards and laws. In 1995, the Council Directive on Data Protection for the European Union declared that each European nation is to create protections similar to those spelled out in the OECD guidelines.

In the United States, penetration testers should be aware of two categories of laws:

- Laws pertaining to hacking
- Regulatory laws that produce the need for penetration testing



U.S. Laws Pertaining to Hacking

Following are examples of these laws:

- 1973 U.S. Code of Fair Information Practices
- 1986 Computer Fraud and Abuse Act (CFAA)
- State Laws

Note

At press time, the one and only computer crime law of the United Kingdom is the 1990 Computer Misuse Act. We hope for rapid success in the ongoing efforts to improve on the United Kingdom legislation on computer crime.

The sections that follow provide details on the laws in the preceding list and other laws pertaining to hacking.

1973 U.S. Code of Fair Information Practices

The Code of Fair Information Practices was developed by the Health, Education, and Welfare (HEW) Advisory Committee on Automated Data Systems. It is based on the following five principles:

1. There must be no personal data record-keeping systems whose very existence is secret.

2. There must be a way for a person to find out what information about the person is in a record and how it is used.

3. There must be a way for a person to prevent information about the person that was obtained for one purpose from being used or made available for other purposes without the consent of that person.

4. There must be a way for a person to correct or amend a record of identifiable information about the person.

5. Any organization creating, maintaining, using, or disseminating records of identifiable personal data must ensure the reliability of the data for their intended use and must take precautions to prevent misuses of the data.

Although this law predates the current trends in penetration testing, it is still pertinent to professionals in the field. The fifth principle states that organizations must take precautions to prevent misuse of the data. As a penetration tester, you might gain access to sensitive personal identifiable information (PII) that you need to protect as if it were your own information. When a penetration test is finished, you should shred or incinerate PII data with a witness to verify that it has been destroyed.

1986 Computer Fraud and Abuse Act (CFAA)

If there ever were one definitive computer crime law, it would be the 18 U.S.C. § 1030 Computer Fraud and Abuse Act (CFAA). Originally based on the 1984 Fraud and Abuse Act and ratified in 1996, more computer hacking crimes are prosecuted under this law than under any other. Because of its immediate relevance, a significant portion is quoted here:

(a) Whoever - (1) having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y. of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it;

(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains - (A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.); (B) information from any department or agency of the United States; or (C) information from any protected computer if the conduct involved an interstate or foreign communication;

(3) intentionally, without authorization to access any nonpublic computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects that use by or for the Government of the United States;

(4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period;

(5) (A) (i) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer; (ii) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or (iii) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage; and (B) by conduct described in clause (i), (ii), or (iii) of subparagraph (A), caused (or, in the case of an attempted offense, would, if completed, have caused) - (i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value; (ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals; (iii) physical injury to any person; (iv) a threat to public health or safety; or (v) damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national defense, or national security;

(6) knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization, if - (A) such trafficking affects interstate or foreign commerce; or (B) such computer is used by or for the Government of the United States;

(7) with intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any threat to cause damage to a protected computer; shall be punished as provided in subsection (c) of this section. (b) Whoever attempts to commit an offense under subsection (a) of this section shall be punished as provided in subsection (c) of this section.

This law makes it a crime to knowingly access a computer and thereby intentionally cause damage without authorization to a protected computer. The key word here is intent. If a penetration tester were to unknowingly cause a DoS attack on a client and the contract does not permit such attacks, the penetration tester would not be guilty of this crime (although there might be consequences with civil law if there were a breach of contract). Acts committed by negligence are not covered under this law.

Security professionals who are knowledgeable of the tools and techniques covered in this book are sometimes tempted to try them at their workplace or against other organizations. These offenses come with serious penalties, however. Brett O'Keefe, the former president of a computer security consulting firm, was indicted in September 2003 for gaining access and stealing files belonging to NASA, the U.S. Army, the U.S. Navy, the Department of Energy, and the National Institute of Health by using some of the same techniques mentioned in this book. His case is ongoing, but he faces a potential 30 years in prison and a $250,000 fine.

Violators of 18 U.S.C. § 1030 can face fines and imprisonment up to 20 years.

Note

Because of sentencing guidelines, however, it is rare to find criminals sentenced to more than 5 years. Peter Borghard, for example, was sentenced to only 5 months in prison in June 2004 for cracking into the Internet service provider (ISP) Netline Services and causing a 15-hour disruption in service to its customers. David Smith, the creator of the Melissa virus (1999) that caused $80 million in damage, was sentenced to only 20 months in federal prison. These cases differ from the Brett O'Keefe case, however, in that these are not attacks against U.S. government or military facilities.



State Laws

Most states have their own computer crime laws. Generally, states divide their hacking and cracking laws into simple hacking crimes (basic unauthorized access) and aggravated hacking (unauthorized access that results in the commission of further criminal activity). Simple cracking laws are typically misdemeanors, whereas aggravated hacking crimes are felonies. Hawaii is an exception to this because it extends unauthorized access into first-degree, second-degree, and third-degree computer damage.

Cases prosecuted under state law are rare, however. As soon as a malicious attack crosses state lines, it becomes a federal offense. Because the Internet is a global network, and the Internet is the primary means that malicious hackers use to perform their attacks, most cases are prosecuted in federal courts. Cases can be tried in both federal and state court. Double jeopardy laws that prevent being tried twice for the same crime do not apply if the criminal charges are different. Therefore, computer crime could be brought before both state and federal courts.

To compare state laws, see http://nsi.org/Library/Compsec/computerlaw.



Regulatory Laws

In the preceding section, you read about laws pertaining to computer hacking. This section examines the following regulatory laws that can lead to the need for penetration testing:


