Legal Issues in Information Security
Ownership is a legal term agreed on by a body of people to specify under what conditions something may be possessed and the benefits and liabilities of that possession. Possession does not necessarily result in ownership except as legally stated (e.g., “possession is nine-tenths of the law”). Likewise, ownership does not always result in possession under legally or otherwise agreed-upon specified constraints.
Ownership of an organization’s information assets by a member of the organization is often recognized for information security purposes as designating the person as being accountable to the organization for the information but not the legal owner. In this case, possession means having operational or processing control over the information, including giving it or its control to others, but not legal control whether in hand or not. The information may be in the hands of custodians, service providers, or users, but they take their direction from the owner about safeguarding it in conformance with or beyond the standard of organizational safeguards and due care. Every person, whether directed by the owner or not, has a due care responsibility over information as long as it has some value and could affect others.
Possession is an extrinsic property of information similar to confidentiality in this regard. The information may or may not be possessed or held confidential, but this has no effect on the information itself. Examination of the information does not necessarily identify who possesses the information or if anyone possesses it; it could be in the public domain. In addition, the information may contain the ownership identity but not the identity of the current possessor.
For information security purposes, ownership should be considered a form of possession, and ownership means possession or the right to possess unless denied by a higher authority. For example, a judge could rule that a computer criminal has the right to own a data base, but it must be held in the possession of some authority for the purpose of selling it or giving it away. Under agreement, one party may possess information but another may own it. Stealing information may be different from stealing the ownership of information. To have adequate controls, all of these issues must be considered in aspects of information security.
Possession of information has important meanings and implications for information systems security and deserves to be considered as one of the six purposes of preserving information security (the other five elements being availability and utility, integrity and authenticity, and confidentiality). Safeguards are often required to protect the possession of information by a person or organization of persons. Such safeguards include user authorization for access, locks and cables, locked storage facilities, classification and labeling, audit logs, encryption, digital signatures, and communication acknowledgments. All of these safeguards concern control of people and their actions.
In automated systems, data may be created, assigned meaning to become information, processed, used, communicated, stored, and possibly destroyed without ever being known or in any other way possessed (in hand or under control) by a person except in the legal ownership sense of benefits derived or liabilities assumed. DCE 1.1 will allow “proxiable” tickets to use another system. This creates layers of programs acting for a user upon his or her information.
For security purposes in such circumstances, the information should be considered to be artificially possessed by processes or computer programs or objects (as in object-oriented programming) that access and use the information. This is a necessary assignment of possession in order to understand security needs, because automated intentional and accidental misuse or harm can occur to the information caused by programs that are acting for criminals. Therefore, we must deal with programs that abuse information. The purposes for which information exists may be several times removed from the direct control of the user, and adequate security controls in terms of the immediate artificial possessors must be applied. In the broader scope, people will always be ultimately accountable for any harm done or will be the victims of that automated processing.
These concepts are particularly important now because abusive acts are being committed by people using automated methods. Trojan horse methods are well known, especially in the common form of computer viruses. Now, in client-server systems, daemons represent a new means of engaging in automated abuses. A daemon is a program that performs a system task and usually runs in background operating mode most of the time. These programs were named first in UNIX systems by Mick Bailey, a British programmer working on the CTSS programming staff at MIT during the early 1960s. Daemons made their way from CTSS to Multics to UNIX, where, according to Cheswick and Bellovin, they are so numerous they need a super-daemon to manage them.[2]
Sniffers are daemons that are placed in background operating mode to analyze incoming or outgoing packets and collect passwords from session sign-on communications. Theoretically, an attack could be completely automated, as was the intention with the Internet worm case in 1988. Once the sniffer finds a user ID and password, it or another program can gain access to the matching computer, download a specified data file to the perpetrator’s computer, and erase evidence of the session. This can all be done before any person can react and before the perpetrator makes any direct gain from the act. Conversion to gain can be a follow-on act again before any other person can react. The only defense is to avoid executing the daemon software in the first place or to execute software that could detect, mitigate, or stop it or to take retaliatory or recovery action in a timely, automated manner without human intervention.
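The defense named above, running software that detects the sniffer, can be illustrated on Linux, where every packet-capture (AF_PACKET) socket is listed in /proc/net/packet and can be traced to the background process that holds it. This is an added example, not part of the original text; the choice of Linux, the function names, and the sample table (constructed, not real output) are assumptions.

```python
import os
import re

ETH_P_ALL = 0x0003  # protocol value meaning "every frame"; capture tools bind to it

# Constructed sample in the layout of Linux /proc/net/packet (not real output).
SAMPLE = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a0c1b2d4000 3      3    0003   2     1 0      0      48211
ffff9a0c1b2d4800 3      2    888e   3     1 0      0      31907
ffff9a0c1b2d5000 3      3    0003   0     1 0      1001   52660
"""

def parse_packet_sockets(text):
    """Return one dict per AF_PACKET socket listed in /proc/net/packet text."""
    rows = []
    for line in text.splitlines()[1:]:           # skip the header row
        f = line.split()
        if len(f) < 9:
            continue                              # tolerate short or blank lines
        rows.append({"type": int(f[2]), "proto": int(f[3], 16),
                     "ifindex": int(f[4]), "uid": int(f[7]), "inode": int(f[8])})
    return rows

def capture_all(rows):
    """Sockets bound to ETH_P_ALL, i.e. able to see every frame on an interface."""
    return [r for r in rows if r["proto"] == ETH_P_ALL]

def owners(inodes, proc_root="/proc"):
    """Map socket inode -> sorted list of (pid, command name) holding it open."""
    wanted, found = set(inodes), {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            links = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
            with open(os.path.join(proc_root, pid, "comm")) as fh:
                comm = fh.read().strip()
        except OSError:
            continue                              # process exited or access denied
        for m in filter(None, (re.fullmatch(r"socket:\[(\d+)\]", l) for l in links)):
            if int(m.group(1)) in wanted:
                found.setdefault(int(m.group(1)), []).append((int(pid), comm))
    return {k: sorted(v) for k, v in found.items()}

if __name__ == "__main__":
    live = os.path.exists("/proc/net/packet")
    text = open("/proc/net/packet").read() if live else SAMPLE
    hits = capture_all(parse_packet_sockets(text))
    who = owners([r["inode"] for r in hits]) if live else {}
    for r in hits:
        print(r["inode"], "uid", r["uid"], "ifindex", r["ifindex"],
              who.get(r["inode"], "owner not visible"))
```

Legitimate daemons such as DHCP clients and monitoring agents also hold packet sockets, so the output is meaningful only when compared against a known-good baseline for the host; resolving owners of other users' processes requires root.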
Where, how, and under what control or possession each process and conversion to gain takes place will have important implications for where, what, and how automated safeguards should be placed for security. For example, safeguards are seen to be needed by criminals to protect the confidentiality, possession, utility, and availability of information necessary to plan and perpetrate an act causing a loss of integrity or authenticity to information and its possessor. Also, the place and time where irreversible conversion to unauthorized gain occurs is a critical, last-chance location for safeguards. The type and location of safeguards must also anticipate that possession occurs before loss of confidentiality.
Cheswick, W. & Bellovin, S. “Firewalls and Internet Security” (Reading, MA, Addison-Wesley, 1994), p. 403.
Paliotta, Allan R. “Beyond the Maginot-Line Mentality: A Total-Process View of Information Security Risk Management.” Information Systems Security, Jul/Aug 2001, Vol. 10, Issue 3, p. 21.
Parker, D. “Demonstrating the Elements of Information Security With Threats,” Proceedings of the 17th National Computer Security Conference (October 1994).