Cybersecurity Fundamentals: Protocols, Laws, and Compliance

Common Network Protocol Ports

  • FTP: 21
  • SSH: 22
  • Telnet: 23
  • DNS: 53
  • HTTP: 80

Power Fluctuation Issues

Voltage Excesses (Spikes or Surges)

An increase in voltage.

  • Spike: A momentary increase.
  • Surge: A prolonged increase.

Voltage Shortages (Sags or Brownouts)

Low voltage conditions.

  • Sag: A momentary low voltage.
  • Brownout: A prolonged drop in voltage.

Power Losses (Faults or Blackouts)

A complete loss of power.

  • Fault: A momentary loss of power.
  • Blackout: A prolonged loss of power.

Common Software Development Problems

  • Buffer Overruns
  • Command Injection
  • Cross-Site Scripting (XSS)
  • Failure to Handle Errors
  • Failure to Protect Network Traffic
  • Failure to Store and Protect Data Securely
  • Failure to Use Cryptographically Strong Random Numbers
  • Format String Problems
  • Neglecting Change Control
  • Improper File Access
  • Improper Use of SSL
  • Information Leakage
  • Integer Bugs (Overflows/Underflows)
  • Race Conditions
  • SQL Injection
  • Trusting Network Address Resolution
  • Unauthenticated Key Exchange
  • Use of Magic URLs and Hidden Forms
  • Use of Weak Password-Based Systems
  • Poor Usability

Legal and Ethical Considerations

Laws, Ethics, and Cultural Mores

  • Laws: Rules that mandate or prohibit certain societal behavior.
  • Ethics: Define socially acceptable behavior.
  • Cultural Mores: Fixed moral attitudes or customs of a particular group; ethics are based on these.

Difference Between Law and Ethics

  • Laws are typically written, approved, and enforced by a level of government.
  • Ethics are like unwritten rules of conduct. For example, doctors adhere to ethical practices because it’s the right thing to do.
  • Most occupations have associated ethics, which are not always formally documented.

Key Legal Concepts

  • Liability: The legal obligation of an entity extending beyond criminal or contract law, including the obligation to make restitution.
  • Restitution: To compensate for wrongs committed by an organization or its employees.
  • Due Care: Ensuring that employees know what constitutes acceptable behavior and understand the consequences of illegal or unethical actions.
  • Due Diligence: Making a valid effort to protect others and continually maintaining that level of effort.
  • Jurisdiction: A court’s right to hear a case if the wrong was committed in its territory or involved its citizens.
  • Long Arm Jurisdiction: The right of any court to impose its authority over an individual or organization if it can establish jurisdiction.

Workplace Policies

Policies: A body of expectations that describe acceptable and unacceptable employee behaviors in the workplace.

Criteria for Policy Enforcement

For a policy to be enforceable, it must meet the following five criteria, and the organization must demonstrate that it has done so:

  1. Dissemination (Distribution): Proof that the policy was made available.
  2. Review (Reading): Proof that it was provided in an intelligible form.
  3. Comprehension (Understanding): Proof that the employee understood the policy.
  4. Compliance (Agreement): Proof that the employee agreed to comply with the policy.
  5. Uniform Enforcement: Proof that enforcement is consistent regardless of employee status or assignment.

Categories of Law

  • Civil Law: Governs a nation or state; manages relationships and conflicts between organizational entities and people.
  • Criminal Law: Addresses violations harmful to society; actively enforced by the state.
  • Private Law: Regulates relationships between individuals and organizations.
  • Public Law: Regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments.

Key U.S. Legislation and Acts

Computer Fraud and Abuse Act of 1986 (CFAA)

The cornerstone of many computer-related federal laws and enforcement efforts.

National Information Infrastructure Protection Act of 1996

Modified several sections of the CFAA and increased the penalties (fines, imprisonment up to 20 years, or both) for selected crimes. The severity of penalties is judged based on the purpose:

  • For purposes of commercial advantage
  • For private financial gain
  • In furtherance of a criminal act

USA PATRIOT Act of 2001

Provides law enforcement agencies with broader latitude to combat terrorism-related activities.

USA PATRIOT Improvement and Reauthorization Act of 2006

Made permanent fourteen of the sixteen expanded powers of the Department of Homeland Security (DHS) and the FBI in investigating terrorist activity. It also extended several sunset provisions of the Foreign Intelligence Surveillance Act (FISA) of 1978.

Computer Security Act of 1987

One of the first attempts to protect federal computer systems by establishing minimum acceptable security practices.

Federal Privacy Act of 1974

Regulates the government in the protection of individual privacy. It was created to ensure that government agencies protect the privacy of individuals’ and businesses’ information and to hold those agencies responsible if any portion of this information is released without permission. The following are exempt:

  • Bureau of the Census
  • National Archives and Records Administration
  • Congress
  • Comptroller General
  • Federal courts (with regard to specific issues under court order)
  • Credit Reporting Agencies
  • Individuals or organizations acting to protect the health of individuals

Electronic Communications Privacy Act of 1986 (ECPA)

Regulates the interception of wire, electronic, and oral communications. The ECPA works in conjunction with the Fourth Amendment of the US Constitution, which provides protections from unlawful search and seizure.

Health Insurance Portability and Accountability Act (HIPAA) 1996

Also known as the Kennedy-Kassebaum Act, HIPAA protects the confidentiality and security of health care data by establishing and enforcing standards and by standardizing electronic data interchange. It provides stiff penalties for organizations, with fines up to $250,000 and/or 10 years imprisonment for knowingly misusing client information.

HIPAA Fundamental Principles:

  1. Consumer control of medical information.
  2. Boundaries on the use of medical information.
  3. Accountability for the privacy of private information.
  4. Balance of public responsibility for the use of medical information for the greater good, measured against the impact on the individual.
  5. Security of health information.

HIPAA Patient Rights:

It provides for patients’ right to know:

  • Who has access to their information.
  • Who has accessed their information.

Financial Services Modernization Act (Gramm-Leach-Bliley Act) 1999

Requires all financial institutions to disclose their privacy policies on the sharing of nonpublic personal information. It also requires due notice to customers so that they can request that their information not be shared with third parties. The act ensures that privacy policies are fully disclosed when a customer initiates a business relationship and are distributed at least annually thereafter.

Fraud and Related Activity (Title 18, U.S.C. § 1028)

Criminalizes the creation, reproduction, transfer, possession, or use of unauthorized or false identification documents or document-making equipment. Penalties range from one to 25 years in prison and fines determined by the courts.

Economic Espionage Act of 1996 (EEA)

Attempts to prevent trade secrets from being illegally shared.

Security And Freedom Through Encryption Act of 1999 (SAFE)

Includes provisions about encryption that:

  • Reinforce the right to use or sell encryption algorithms without concern of key registration.
  • Prohibit the federal government from requiring key registration.
  • State that encryption use does not constitute probable cause in criminal activity.
  • Relax export restrictions on encryption.
  • Impose additional penalties for using encryption in the commission of a crime.

Copyright Legislation

  • Copyright Act of 1790: Established U.S. copyright with a term of 14 years plus a 14-year renewal.
  • Sonny Bono Copyright Term Extension Act of 1998: Extended copyright terms to 95 years for corporate works, 120 years for works created for hire, or the life of the author plus 70 years.

Sarbanes-Oxley Act of 2002 (SOX)

Affects the executive management of publicly traded corporations and public accounting firms, mandating accountability for financial reporting and internal controls.

Freedom of Information Act of 1966 (FOIA)

Allows access to federal agency records or information not determined to be a matter of national security. U.S. government agencies are required to disclose any requested information upon receipt of a written request, enforceable in court.

International Agreements

Agreement on Trade-Related Aspects of IP Rights (TRIPS)

Created by the World Trade Organization (WTO), TRIPS was the first significant international effort to protect intellectual property rights. It outlines requirements for governmental oversight and legislation providing minimum levels of protection for intellectual property.

User Authentication Methods

Four Levels of Proof

There are four levels of proof used to verify a user’s identity. In order of least to most secure, they are:

  1. What You Know: Passwords are common but only verify knowledge of the password, which can be shared or stolen.
  2. What You Have: Items like digital certificates or smart cards verify possession of a physical or digital token, but these can be lost or stolen.
  3. What You Are: Biometrics such as fingerprints and iris scans measure unique physical characteristics. These are harder to forge but not foolproof.
  4. What You Do: Dynamic biometrics analyze actions like handwriting or voice patterns. These are generally the most secure but can be vulnerable to replay attacks.