Chapter 19: Investigations & Ethics
Know the definition of computer crime
- Computer crime is a crime (or violation of a law or regulations) that is directed against, or directly involves, a computer.
Be able to list & explain the six categories of computer crimes (TODO)
- Computer crimes are grouped into:
  - military & intelligence attack
  - business attack
  - financial attack
  - terrorist attack
  - grudge attack
  - thrill attack
- Be able to explain the motive of each attack. (TODO)
Know the importance of collecting evidence
- As soon as you discover an incident, you must begin to collect evidence and as much information about the incident as possible.
- The evidence can be used in a subsequent legal action or in finding the identity of the attacker.
- Evidence can also assist you in determining the extent of damage.
Understand the eDiscovery process
- Organisations that believe they will be the target of a lawsuit have a duty to preserve digital evidence in a process known as electronic discovery, or eDiscovery.
- The eDiscovery process includes information governance, identification, preservation, collection, processing, review, analysis, production & presentation activities.
Know how to investigate intrusions and how to gather sufficient information from the equipment, software & data
- You must have possession of equipment, software or data to analyse and use as evidence.
- You must acquire the evidence without modifying it or allowing anyone else to modify it.
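A worked illustration of the "acquire without modifying" rule, added to these notes (it is not part of the original chapter summary): hash each item the moment it is taken into custody, make the original read-only and work from copies, log every hand-off, and re-verify the hash before analysis or presentation. The file name, log line, custodian names and manifest layout are constructed for the example.

```python
"""Evidence integrity manifest: hash on acquisition, log custody, re-verify.

Added example for these study notes, not from the original page. The evidence
file, its contents and the custodian names below are hypothetical.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(path: str, custodian: str, note: str) -> dict:
    """Record size, hash and first custody event at the moment of seizure."""
    entry = {
        "item": os.path.basename(path),
        "size": os.path.getsize(path),
        "sha256": sha256_file(path),
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "custody": [{"who": custodian, "action": "acquired", "note": note}],
    }
    # Software analogue of a write-blocker: the original is never opened for
    # writing again; analysts work on verified copies.
    os.chmod(path, 0o444)
    return entry


def transfer(entry: dict, to_whom: str, note: str) -> dict:
    """Append a chain-of-custody event; the manifest is append-only."""
    entry["custody"].append(
        {"who": to_whom, "action": "received",
         "at": datetime.now(timezone.utc).isoformat(), "note": note}
    )
    return entry


def verify(path: str, entry: dict) -> bool:
    """True only if size and SHA-256 still match the acquisition record."""
    return (os.path.getsize(path) == entry["size"]
            and sha256_file(path) == entry["sha256"])


def demo() -> dict:
    """Acquire a constructed log file, hand it over, then detect tampering."""
    with tempfile.TemporaryDirectory() as workdir:
        evidence = os.path.join(workdir, "web01-access.log")
        with open(evidence, "wb") as f:  # constructed sample evidence
            f.write(b'203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] '
                    b'"GET /admin HTTP/1.1" 401 -\n')

        entry = acquire(evidence, "A. Analyst",
                        "copied from web01 via read-only mount")
        transfer(entry, "B. Examiner", "sealed bag #17 to forensics lab")
        intact_before = verify(evidence, entry)

        # Simulate an unlogged modification (e.g. someone appends a line).
        os.chmod(evidence, 0o644)
        with open(evidence, "ab") as f:
            f.write(b"tampered\n")
        intact_after = verify(evidence, entry)

        return {
            "intact_before": intact_before,
            "intact_after": intact_after,
            "custody_events": len(entry["custody"]),
        }


if __name__ == "__main__":
    print(demo())
```

The hash recorded in `acquire` is what you later cite in court: if `verify` fails at any point, the item can no longer be shown to be what was seized, regardless of how well the custody log was kept. Note that `os.chmod` only deters accidental writes; a hardware write-blocker or read-only mount is still needed for the original media.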
Know the three basic alternatives for confiscating evidence and when each one is appropriate
- First, the person who owns the evidence could voluntarily surrender it.
- Second, a subpoena could be used to compel the subject to surrender the evidence.
- Third, a search warrant is most useful when you need to confiscate evidence without giving the subject an opportunity to alter it.
Know the importance of investigatory data
- Because you will discover some incidents after they have occurred, you will lose valuable evidence unless you ensure that critical log files are retained for a reasonable period of time.
- You can retain log files and system status information either in place or in archives.
Know the basic requirements for evidence to be admissible in a court of law
- To be admissible, evidence must be relevant to a fact or issue in the case, the fact must be material to the case, and the evidence must be competent or legally collected.
Explain the various types of evidence that may be used in a criminal or civil trial
- Real evidence consists of actual objects that can be brought into the courtroom.
- Documentary evidence consists of written documents that provide insight into the facts.
- Testimonial evidence consists of verbal or written statements made by witnesses.
Understand the importance of ethics to security personnel
- Security practitioners are granted a very high level of authority and responsibility to execute their job functions.
- The potential for abuse exists, and without a strict code of personal behaviour, security practitioners could be regarded as having unchecked power.
- Adherence to a code of ethics helps ensure that such power is not abused.
Know the (ISC)2 Code of Ethics & RFC 1087 “Ethics and the Internet” [TODO]
- All CISSP candidates should be familiar with the entire (ISC)2 Code of Ethics because they have to agree to adhere to it. [TODO]
- In addition, be familiar with the basic statements of RFC 1087. [TODO]