Legal Aspects in Infosec - Ensimag


Page 1: Legal Aspects in Infosec - Ensimag

•  Description: Laws are important for protecting IT users. Being aware of some legal aspects is useful for protecting yourself and your customers.

•  Alexandra RUIZ – [email protected]

Legal Aspects in Infosec

SecurIMAG

2012-01-12

¡¡_ (in)security we trust _!!

Grenoble INP Ensimag

LEXSI

2 SecurIMAG – Legal Aspects in Infosec – A. RUIZ – 2012-01-12

•  Lexsi Group is an international consulting group specialized in protecting information assets and strongly driven towards innovation.

•  Our 130 talented and dedicated experts, analysts and consultants have built the first independent, pioneering risk management and information security provider.

•  Lexsi is located in France (Paris and Lyon), Canada and Singapore.

LEXSI

•  MONITORING & CYBERCRIME – 1st private European CERT
o  Vulnerability monitoring
o  Investigations and incident response
o  Fight against cybercrime

•  CONSULTING – 60 consultants
o  Risk management
o  Resilience & business continuity
o  Project owner assistance
o  Information security support, ISO 2700x...
o  Governance and strategy
o  Security solutions and architectures

•  AUDIT – 5 engagements per week
o  Strategic audit
o  Compliance audit
o  Technical audit & pentest
o  Code audit

•  TRAINING – More than 800 CISOs trained
o  SANS Institute partner (GIAC)
o  CISO track
o  Many expert modules

4 business lines

@MargaretZelle

Halt, who are you?!

•  Licence in Law
•  Master 2 in business intelligence
•  Currently:
o  Work: legal assistant at LEXSI, Lyon
o  Student: Master 2 in digital technology law; university degree in cybercriminality
•  Hobbies: books, photos, shopping

Why do you need law?

Introduction

•  Focus on the principal concerns
•  Aspects of French IT law

Table of contents

•  Intrusion into an information system: Godfrain law, pentesting
•  New French transposition: Telecom Package
•  Cloud computing
•  HADOPI
•  LOPPSI II
•  CNIL
•  Employer's power of control

Intrusion into an information system

Some articles:

•  Fraudulently accessing or remaining in an information system (IS) is punished by 2 years' imprisonment and a €30,000 fine (art. 323-1 penal code)
•  When this results in the deletion or modification of data, or in a change to the functioning of the system: 3 years' imprisonment and a €45,000 fine (art. 323-1 penal code)
•  Obstructing or corrupting the functioning of an IS: 5 years' imprisonment and a €75,000 fine (art. 323-2 penal code)
•  Fraudulently introducing data into an IS, or deleting or modifying the data it holds: 5 years' imprisonment and a €75,000 fine (art. 323-3 penal code)

Intrusion into an information system

Some articles (same sanctions as the principal offense):

•  Without legitimate motive, importing, holding, offering, transferring or making available equipment, an instrument, a computer program or any data designed or specially adapted to commit one or more of these offenses (art. 323-3-1 penal code)
•  Participating in a group or agreement formed with the aim of preparing one or more of these offenses, where that preparation is characterized by one or more material facts (art. 323-4 penal code)
•  Attempting one of these offenses (art. 323-7 penal code)

Ref: Loi Godfrain of 05/01/1988, no. 88-19, on the protection of information systems against computer fraud and intrusion

Intrusion into an information system

Examples:

•  Serge HUMPICH demonstrated that credit cards had vulnerabilities: 10 months' suspended sentence and 1 F in damages (fraudulent access to an IS and introduction of data)
•  Vulnerabilities: a man published exploits for unpatched vulnerabilities (0-days) on his website. He was convicted because he had the competence to know that they could be used to cause damage (2009)

Intrusion into an information system

Examples:

•  Radiocom 2000: to win a game, a man used his employer's lines. He distorted the operation of the IS with radiotelephones to prevent the security procedure from triggering. For him and his associates: 4 and 18 months' suspended sentences, fines of 2,000 to 10,000 F, and 1,900,000 F (fraudulent access to and remaining in an IS, and modification of data after a change to the system's functioning)

Intrusion into an information system

Pentesting:

•  You can't enter an IS without authorization
•  But you can test your own IS
•  Companies specialize in pentesting
•  How is that possible? These companies have a contract with the client. This contract is really important for protecting themselves.

Intrusion into an information system

Pentesting:

•  The contract has to state some important points:
o  Authorization
o  Perimeter
o  No delegation of responsibilities (a limitation of responsibilities is possible)
•  SO: if you want to test the vulnerabilities of Korben's website, it's forbidden. If you want to test your own website, you can.
•  If someone asks you to test his website, always make a contract

Telecom Package

What is it?
•  European law of 2002, modified in 2009
•  French transposition of August 24th, 2011

Two main aspects:
•  Cookies must be expressly accepted by the user who visits a website (if you have a website!)
•  Internet service providers must inform the CNIL in case of a data breach

Ref: Ordonnance n° 2011-1012 of 24 August 2011 on electronic communications

Cloud

Legal aspects of the Cloud:

•  Contract: who is responsible for personal data?
•  Data breach
•  Use of a public or private Cloud?
•  Audit

If you are a big client, you can negotiate with Google for your Cloud. If you're not, you can only sign.

HADOPI

•  Who? Owners of an Internet access (individuals, firms)
•  What? An obligation of protection
•  Why? In order to protect authors
•  Measures? Protect your Wi-Fi with a password (and security software labelled by HADOPI => not really useful, in fact only business)

HADOPI

•  Sanctions? Graduated response: email, letter (6 months after), €1,500 and, possibly, suspension of the subscription (by the judge since 2009)
•  What to do? If you're not responsible, you can send observations to the authors' rights protection commission, but only once you have a sanction (step 3)
•  Evolution? The government wanted to sanction streaming

HADOPI

•  Concretely:
o  Martin Hack, a French teenager, downloads Braquo (a French series) using his parents' connection
o  TMG collects Mr and Mrs Hack's IP address
o  The rights holders give this IP to HADOPI
o  HADOPI sends an email to Mr and Mrs Hack at the address they gave to their ISP (will they read it one day?)
o  If Martin is punished very hard and promises never to download again (for 6 months), all is good…

HADOPI

•  If Martin is a rebel and downloads again, and TMG collects the IP again… HADOPI will send a letter to Mr and Mrs Hack.
•  After 1 year, if nothing has happened, nothing will happen.
•  If (stupid) Martin downloads again, HADOPI decides whether or not to refer the case to the judge
•  If the Hack family is really unlucky, the judge could order them to pay €1,500 and, if the judge is really angry, suspend their connection for one month.

Conclusion: lots of emails but no sanction yet

Ref: Loi « Création et Internet », known as HADOPI, of 13/05/2009, promulgated on 12/06/2009, and Loi relative à la Protection Pénale de la Propriété Littéraire et Artistique sur Internet, known as HADOPI 2, of 22/10/2009

LOPPSI II

Main points:

•  Identity theft: 1 year and €15,000
o  Be careful if you want to make a joke!
•  Selling tickets in order to make a profit: €15,000
•  CCTV: more power for the CNIL
o  More CCTV is authorized and the government could impose it
o  The CNIL will control CCTV but cannot impose sanctions

LOPPSI II

Main points:

•  Website blocking
o  A blacklist of websites will be made, and a judge's decision could oblige ISPs to block these sites
•  Introduction of spyware by the police to capture data without the owner's consent
o  The police are authorized by the investigating judge to introduce spyware into suspects' computers
o  They exploit vulnerabilities present in those computers

CNIL

•  Personal data protector since 2004
•  Protection and control of all data processing:
o  Exemption from declaration for some processing
o  Simplified declaration for common processing
o  Ordinary declaration for the others
o  Authorization required for processing that carries risk
•  Can control all processing
•  Currently, the legislator gives it more and more powers of control and sanction

Ref: Loi « Informatique et Libertés » of 06/01/1978 on computing, files and liberties (amended by the law of 06/08/2004)

Employer's power of control

•  A charter limits and informs about the measures implemented by the employer:
o  Annex to the contract, with the employee's signature
o  Annex to the internal regulations, with the opinion of the staff representatives and validation by the labour inspectorate
•  Employees must be informed of every measure limiting their private life

Employer's power of control

•  Phone call control:
o  Only duration and cost
o  Phone tapping could be used if employees are informed and if it's necessary for the firm
o  SMS could be used as evidence
•  Messaging control:
o  All mails in professional messaging are professional unless they are identified as « personal »
o  Number of mails, origin and addressee
o  Some mails could be filtered

Employer's power of control

•  Internet control:
o  Restriction of some websites (social networks, porn…)
o  Personal use is tolerated, but you could be sanctioned for excessive use
o  Capture of traffic logs (problem of confidentiality with some websites)
o  This information must be kept for one year.


Thank you for your attention !