Part 1 - An Introduction to legal considerations of incident response


Time
7 hours 56 minutes
Difficulty
Advanced
CEU/CPE
7
Video Description

This lesson offers an introduction to the legal considerations which must be taken into account during an incident response. Bottom line: the incident response MUST be legal, as anything illegal may render evidence unusable during legal proceedings and might cause even more harm to the organization than the incident itself. With incident response, remember the Fourth Amendment, which has the ultimate goal of protecting privacy and freedom.

Video Transcription
00:03
>> Hello Cybrarians. Welcome back to incident response in advanced forensics. My name is Max Alexander, and I'll be your subject matter expert for the legal aspects of incident response. One of the first things we want to look at in the legal aspects are legal considerations when it comes to incident response.

First and foremost, every type of action that you perform during your incident response must be legal. Any type of illegal action that you're taking as you're going about your incident response process could render any type of evidence that you collect inadmissible for future legal proceedings. Going back to that first bullet point of incident response must be legal. Your organization may span different jurisdictions; it may span globally. As an incident responder, you have to be aware of all the applicable laws, rules, and procedures that are applied to your organization. That could be numerous laws and rules. As incident responders, you have to be aware of those, and you may not have to know every single one of them because that's what your legal counsel's there for, but you do have to be cognizant of some of these basic rules and then know when to actually seek out that legal counsel.

For instance, if you have something that happens to your organization where someone has stolen some type of data or perpetrated some crime against your organization, you may want to take that person to court, either criminally or civilly. If you do take certain actions that are illegal, any evidence that you gather might actually be thrown out of court, which could damage your case. Worse, any type of illegal action that you take might actually pose a greater threat to your organization than the initial incident itself. If you go back to one of our first discussions where we talked about the damages posed by incidents to an organization, one of the slides that I had talked about or showed an iceberg, and the tip of the iceberg had all of the known damages, and the below-the-surface damages were where most of the cost of incident response lay. If you're conducting your incident response in an illegal manner, some of those hidden costs might be media relations, if your incident response goes bad or illegal and it gets out that your organization wasn't following the law. Also, the individual whom you're trying to build a case against, if you violate that person's rights, he may in fact bring legal action against you and further damage your organization.

Another aspect in legal consideration we want to talk about are hackbacks. A hackback is essentially where an organization is going to destroy an information system or hack into an information system that they believe hacked them. Now, it doesn't happen often, but it does happen. There haven't been any prosecutions that I'm aware of this occurring, but nevertheless, it is illegal, and it does set your organization up for some type of legal ramification if and when the federal prosecutors do want to pursue this. Also, on top of this, if you're doing hackbacks, you may not necessarily be harming the actual attacker who's taken information from your organization. Oftentimes in hackbacks or in these hacks, individuals who perpetrate these crimes are using someone else's server, who is more than likely unaware that their server is being used for some type of malicious activity. If your organization starts destroying Mom and Pop's server, who are trying to run their small business in some small town, and that gets out to the news media, well, obviously that would be pretty bad for your organization and it might actually be worse than the initial hack itself.

One of the first things we want to talk about when securing evidence and doing searches as it relates to our incident response is the 4th Amendment. The 4th Amendment is essentially the bedrock of privacy when it comes to the US Constitution. The 4th Amendment provides that the right of the people to be secure in their persons, houses, papers, and effects against unreasonable searches and seizures shall not be violated, and no warrants shall issue but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched and the persons or things to be seized. A very short statement that actually contains a lot of information. It highlights some very important points when it comes to the 4th Amendment: first of all, the 4th Amendment protects individuals from searches that are unreasonable. There's lots of case law out there that describes what is and what is not reasonable. The 4th Amendment protects individuals against unreasonable searches. If you want to know what is and what is not reasonable, it's best to consult your legal counsel, and they should have a good idea and understanding of the reasonableness of a particular search.

The next aspect that I've highlighted is probable cause. Essentially, what probable cause is, is the belief by a reasonable and intelligent person that a crime has been committed, which would allow someone to be arrested, or the person searched, or a civil case to be brought against them. Again, that goes to a reasonable person standard. Then the last thing is particularly describing the place to be searched and the person or things to be seized. If you do get a search warrant, you can't just barge in and blatantly take everything in the house or search everything that you feel like searching if it does not actually describe that within that warrant. The warrant is going to limit the scope of that government search, and then you're going to have to stay within the confines of that search.

Now, a lot of this applies to the government and/or agents of the government. In your organization, it may not specifically apply to a corporation or a non-governmental organization. That being said, if you do have a crime committed against your organization, and you do hope to essentially bring that person to prosecution and you're consulting with law enforcement, at some point, you may actually become an agent of the government even if the law enforcement agency is not actually investigating the case but they're providing some type of direction. It's important to understand how the 4th Amendment affects individuals' rights. The ultimate goal of the 4th Amendment is to protect people's right to privacy and freedom against these arbitrary governmental intrusions. Then private intrusions not acting under the color of government are exempt from the 4th Amendment. Again, it's a very slippery slope once you start involving law enforcement, and once you start going about doing some of these activities, it's very important that you understand when the 4th Amendment comes into play. I would highly suggest that if you do come into some of these gray areas that you consult with your legal counsel.