Part 1 - An Introduction to legal considerations of incident response

7 hours 56 minutes
Video Description

This lesson offers an introduction to the legal considerations that must be taken into account during an incident response. Bottom line: the incident response MUST be legal, as anything illegal may render evidence unusable during legal proceedings and might cause even more harm to the organization than the incident. With incident response, remember the Fourth Amendment, which has the ultimate goal of protecting privacy and freedom.

Video Transcription
Hello, Cybrarians. Welcome back to Incident Response and Advanced Forensics. My name is Max Alexander, and I'll be your subject matter expert for the legal aspects of the incident response.
So one of the first things we want to look at is the legal aspects or legal considerations when it comes to incident response. So first and foremost, every type of action that you perform during your incident response must be legal.
So any type of illegal action that you're taking as you're going about your incident response process could render any type of evidence that you collect inadmissible in future legal proceedings.
So going back to that first bullet point of incident response must be legal.
Your organization may span different jurisdictions that may span globally. So as an incident responder, you have to be aware of all the applicable laws, rules and procedures that are applied to your organization. So that could be numerous laws and rules.
So as incident responders, you have to be aware of those.
You may not have to know every single one of them, because that's what your legal counsel is there for. But you do have to be cognizant of some of these basic rules and know when to actually seek out that legal counsel.
For instance, if you have something that happens to your organization, where someone has stolen some type of data or perpetrated some crime against your organization,
you may want to take that person to court either criminally or civilly.
And if you do take certain actions that are illegal, any evidence that you gather might actually be thrown out of court, which could damage your case.
Worse, any type of illegal action that you take might actually pose a greater threat to your organization than the initial incident itself.
And if you go back to one of our first discussions where we talked about the damages posed by incidents to an organization,
one of the slides that I had shown talked about, or showed, an iceberg, and the tip of the iceberg had all the known damages, and kind of the below-the-surface damages were where most of the cost of incident response hurt.
So if you're conducting your incident response in an illegal manner, some of those hidden costs might be media relations, if your incident response kind of goes bad or illegal and it gets out that your organization wasn't following the law.
So you also have
the individual whom you're trying to build a case against. If you violate that person's rights, he may in fact bring legal action against you and further damage your organization.
So another aspect, or legal consideration, we want to talk about is hack backs.
So a hack back is essentially where an organization is going to destroy an information system or hack into an information system that they believe
hacked them.
Now it doesn't happen often, but it does happen. There haven't been any prosecutions that I'm aware of this occurring, but nevertheless it is illegal and does set your organization up for
some type of legal ramification if and when the federal prosecutors do want you to do this.
Uh, and also on top of this, if you're doing a hack back, you may not necessarily be harming the actual attacker who's taken information from your organization. Oftentimes in hack backs, or these hacks,
individuals who perpetrate these crimes are using someone else's server, who is more than likely unaware that their server is being used for some type of malicious activity. So if your organization starts destroying a mom-and-pop's server who are trying to run their small business
in some small town
and that gets out to the news media, well, obviously, that would be pretty bad for your organization, and it might actually be worse than the initial hack itself.
So one of the first things that you want to talk about when securing evidence and doing searches as it relates to our incident response is the Fourth Amendment.
And the Fourth Amendment is essentially the bedrock of privacy when it comes to the U.S. Constitution,
and the Fourth Amendment provides that the right of the people to be secure in their persons, houses, papers and effects against unreasonable searches and seizures shall not be violated and no warrant shall issue, but upon probable cause, supported by the oath or affirmation
and particularly describing the place to be searched and the persons or things to be seized.
So a very short statement that actually contains a lot of information. I've kind of highlighted some very important points when it comes to the Fourth Amendment,
and that is, first of all,
the Fourth Amendment protects individuals from searches that are unreasonable,
and there's lots of case law out there that describes what is and what is not reasonable.
The Fourth Amendment protects individuals against unreasonable searches. So if you want to know what is and what is not reasonable, it's best to consult your legal counsel, and they should have a good idea and understanding of the reasonableness of a particular search.
The next aspect that I've highlighted
is probable cause. And essentially, what probable cause is, is the belief
by a reasonable and intelligent person that a crime has been committed, which would allow someone to be arrested and/or their person searched, or a civil case to be brought against them. So again, that goes to a reasonable person standard.
And then the last thing is particularly describing the place to be searched and the persons or things to be seized.
So if you do get a search warrant,
you can't just go in and blanketly take everything in the house or search everything that you feel like searching if it does not actually describe that within that warrant. So the warrant is going to limit the scope of that government search,
and then you're going to have to stay within the confines of the search.
Now, all of this applies to
the government and/or agents of the government. So in your organization, it may not specifically apply to a corporation or a non-governmental organization.
That being said, if you do have a crime committed against your organization, and you do hope to essentially bring that person to prosecution and you're consulting with law enforcement, at some point you may actually become an agent of the government,
even if the law enforcement agency is not actually
investigating the case but they're providing some type of direction. It's important to understand how the Fourth Amendment affects individuals' rights.
So the ultimate goal of the Fourth Amendment is to protect people's right to privacy and freedom against these arbitrary governmental intrusions. And then private intrusions not acting in the color of government are exempt from the Fourth Amendment. So again, it's a very slippery slope. Once you start involving law
enforcement, once you start going about doing some of these activities,
it's very important that you understand
when the Fourth Amendment comes into play. So I would highly suggest that if you do come into some of these gray areas that you consult with your legal counsel.