Term

Definition
where a computer was used as a tool to help carry out a crime.

Term

Definition
incidents where a computer was the victim of an attack crafted to harm it (and its owners) specifically.

Term

Definition
where a computer is neither the attacker nor the target, but just happened to be involved when a crime was carried out.

Term

Definition
compromised systems or computers.

Term

Definition
the software installed on the compromised computers to control them.

Term

Definition
when an attacker has several compromised systems.

Term
advanced persistent threat (APT)

Definition
commonly a group of attackers, not just one hacker, who combine their knowledge and abilities to carry out whatever exploit will get them into the environment they are seeking. The APT is very focused and motivated to aggressively and successfully penetrate a network with a variety of attack methods and then clandestinely hide its presence while achieving a well-developed, multilevel foothold in the environment.

Term
Council of Europe (CoE) Convention on Cybercrime

Definition
an attempt to create a standard international response to cybercrime. In fact, it is the first international treaty seeking to address computer crimes by coordinating national laws and improving investigative techniques and international cooperation.

Term
Organization for Economic Co-operation and Development (OECD)

Definition
an international organization that helps different governments come together and tackle the economic, social, and governance challenges of a globalized economy.

Term
European Union Principles on Privacy

Definition
a set of principles that addresses the use and transmission of information considered private in nature.

Term
Data Protection Directive

Definition
codifies the European Union privacy principles and how they are to be followed. All states in Europe must abide by these principles to be in compliance, and any company wanting to do business with an EU company, which will include exchanging privacy-related data, must comply with this directive.

Term

Definition
a construct that outlines how U.S.-based companies can comply with the EU privacy principles.

Term

Definition
implements export controls for “Conventional Arms and Dual-Use Goods and Technologies.” It is currently made up of 40 countries and lays out rules on how items can be exported from country to country:

Term

Definition
a civil law system is rule-based law, not precedent-based.

Term

Definition
based on previous interpretations of laws:

Term

Definition
deals with wrongs against individuals or companies that result in damages or loss.

Term

Definition
used when an individual’s conduct violates the government laws, which have been developed to protect the public.

Term
Administrative/regulatory law

Definition
deals with regulatory standards that regulate performance and conduct.

Term

Definition
something that is proprietary to a company and important for its survival and profitability. An example of a trade secret is the formula used for a soft drink, such as Coke or Pepsi.

Term

Definition
protects the right of an author to control the public distribution, reproduction, display, and adaptation of his original work. The law covers many categories of work: pictorial, graphic, musical, dramatic, literary, pantomime, motion picture, sculptural, sound recording, and architectural.

Term

Definition
used to protect a word, name, symbol, sound, shape, color, or combination of these. The reason a company would trademark one of these, or a combination, is that it represents the company (brand identity) to a group of people or to the world.

Term

Definition
given to individuals or companies to grant them legal ownership of, and enable them to exclude others from using or copying, the invention covered by the patent.

Term

Definition
software that is publicly available free of charge and can be used, copied, studied, modified, and redistributed without restriction.

Term
Shareware, or trialware

Definition
used by vendors to market their software. Users obtain a free trial version of the software. Once the user tries out the program, the user is asked to purchase a copy of it.

Term
Software Protection Association (SPA)

Definition
formed by major companies to enforce proprietary rights in software. The association was created to protect the founding companies’ software developments, but it also helps others ensure that their software is properly licensed.

Term
Digital Millennium Copyright Act (DMCA)

Definition
makes it illegal to create products that circumvent copyright protection mechanisms.

Term
Personally identifiable information (PII)

Definition
data that can be used to uniquely identify, contact, or locate a single person, or can be used with other sources to uniquely identify a single individual.

Term

Definition
applies to any company that is publicly traded on U.S. markets. Much of the law governs accounting practices and the methods used by companies to report on their financial status. However, some parts, Section 404 in particular, apply directly to information technology. SOX provides requirements for how companies must track, manage, and report on financial information. This includes safeguarding the data and guaranteeing its integrity and authenticity.

Term
Health Insurance Portability and Accountability Act (HIPAA)

Definition
a U.S. federal regulation mandated to provide national standards and procedures for the storage, use, and transmission of personal medical information and healthcare data.

Term
Health Information Technology for Economic and Clinical Health (HITECH)

Definition
was signed into law to promote the adoption and meaningful use of health information technology.

Term
Gramm-Leach-Bliley Act of 1999 (GLBA)

Definition
requires financial institutions to develop privacy notices and give their customers the option to prohibit financial institutions from sharing their information with nonaffiliated third parties.

Term
Computer Fraud and Abuse Act

Definition
the primary U.S. federal anti-hacking statute.

Term
Personal Information Protection and Electronic Documents Act (PIPEDA)

Definition
a Canadian law that deals with the protection of personal information. One of its main goals is to oversee how the private sector collects, uses, and discloses personal information in regular business activities.

Term

Definition
determining the actual exposure to risk of each financial institution and taking risk mitigation into consideration to provide an incentive for member institutions to focus on and invest in security measures. Basel II is built on three main components, called

Term
Payment Card Industry Data Security Standard (PCI DSS)

Definition
applies to any entity that processes, transmits, stores, or accepts credit card data. Varying levels of compliance and penalties exist and depend on the size of the customer and the volume of transactions.

Term
Federal Information Security Management Act (FISMA)

Definition
a U.S. law that requires every federal agency to create, document, and implement an agency-wide security program to provide protection for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. It explicitly emphasizes a “risk based policy for cost-effective security.”

Term
Economic Espionage Act of 1996

Definition
provides the necessary structure when dealing with corporate espionage.

Term
Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (aka Patriot Act)

Definition
reduced restrictions on law enforcement agencies’ ability to search telephone, e-mail communications, medical, financial, and other records.

Term

Definition
a company did all it could have reasonably done, under the circumstances, to prevent security breaches, and also took reasonable steps to ensure that if a security breach did take place, proper controls or countermeasures were in place to mitigate the damages. In short, due care means that a company practiced common sense and prudent management and acted responsibly.

Term

Definition
the company properly investigated all of its possible weaknesses and vulnerabilities.

Term
Statement on Auditing Standards No. 70: Service Organizations (SAS 70)

Definition
an audit that is carried out by a third party to assess the internal controls of a service organization.

Term
legally recognized obligation

Definition
a duty to protect the plaintiff from unreasonable risks; to establish negligence, the defendant’s failure to protect the plaintiff from an unreasonable risk (breach of duty) must have been the proximate cause of the plaintiff’s damages.

Term
vendor management governing process

Definition
includes performance metrics, service level agreements (SLAs), scheduled meetings, a reporting structure, and someone who is directly responsible.

Term
International Organization on Computer Evidence (IOCE)

Definition
created to develop international principles dealing with how digital evidence is to be collected and handled so various courts will recognize and use the evidence in the same manner.

Term

Definition
a control copy that is stored in a library.

Term

Definition
used for analysis and evidence collection.

Term

Definition
very strict and organized procedures when collecting and tagging evidence in every single case.

Term

Definition
the primary evidence used in a trial because it provides the most reliability.

Term

Definition
not viewed as reliable and strong in proving innocence or guilt (or liability in civil cases) when compared to best evidence. Oral evidence, such as a witness’s testimony, and copies of original documents are placed in the secondary evidence category.

Term

Definition
can prove a fact all by itself and does not need backup information to refer to. One example of direct evidence is the testimony of a witness who saw a crime take place.

Term

Definition
irrefutable and cannot be contradicted. Conclusive evidence is very strong all by itself and does not require corroboration.

Term

Definition
can prove an intermediate fact that can then be used to deduce or assume the existence of another fact. This type of fact is used so the judge or jury will logically assume the existence of a primary fact. For example, if a suspect told a friend he was going to bring down eBay’s web site, a case could not rest on that piece of evidence alone because it is circumstantial. However, this evidence can cause the jury to assume that because the suspect said he was going to do it, and hours later it happened, maybe he was the one who did the crime.

Term

Definition
supporting evidence used to help prove an idea or point. It cannot stand on its own but is used as a supplementary tool to help prove a primary piece of evidence.

Term

Definition
dictates that a witness must testify only to the facts of the issue and not her opinion of the facts.

Term

Definition
pertains to oral or written evidence presented in court that is secondhand and has no firsthand proof of accuracy or reliability.

Term
four characteristics of evidence to provide a foundation for a case

Definition
relevant, complete, sufficient, and reliable.

Term

Definition
pertains to security cameras, security guards, and closed-circuit TV (CCTV), which may capture evidence. Physical surveillance can also be used by an undercover agent to learn about the suspect’s spending activities, family and friends, and personal habits in the hope of gathering more clues for the case.

Term

Definition
pertains to auditing events, passively monitoring activity by using network sniffers, keyboard monitors, wiretaps, and line monitoring.

Term
Enticement vs. entrapment

Definition
Entrapment does not prove that the suspect had the intent to commit a crime; it only proves she was successfully tricked.

Term

Definition
the attacker commits several small crimes with the hope that the overall larger crime will go unnoticed.

Term

Definition
refers to the alteration of existing data. Many times, this modification happens before the data is entered into an application or as soon as it completes processing and is output from an application. For instance, if a loan processor is entering information for a customer’s loan of $100,000, but instead enters $150,000 and then moves the extra approved money somewhere else, this would be a case of data diddling.

Term

Definition
sniffing network traffic with the hope of capturing passwords being sent between computers.

Term

Definition
changing the IP address within a packet to show a different address.

Term

Definition
the concept of rummaging through a company’s or individual’s garbage for discarded documents, information, and other precious items that could then be used in an attack against that company or person.

Term

Definition
when someone purchases a domain name with the goal of hurting a company with a similar domain name, or to carry out extortion.

Term
Internet Architecture Board (IAB)

Definition
the coordinating committee for Internet design, engineering, and management.