Reverse Deception: Organized Cyber Threat Counter-Exploitation (50 page)

Ressler, R. and A. Burgess. (1985). The Split Reality of Murder. FBI Law Enforcement Bulletin 54.

Rogers, M. (2005).
The Development of a Meaningful Hacker Taxonomy: A Two Dimensional Approach
. Purdue: Center for Education and Research in Information Assurance and Security, Purdue University.

Rogers, M. (2010) . The Psyche of Cyber Criminals: A Psycho-Social Perspective. In Ghosh, S. and E. Turrini, Cybercrimes: A Multidisciplinary Perspective (pp. 217-238). Heidelberg, Germany: Springer-Verlag Law Division.

Rosen, J. (2002). “Total Information Awareness.”, New York Times Magazine, December 15, 2002.

Rossmo, D. (2000). Geographic Profiling. Boca Raton: CRC Press.

Shaw, E. (2004). “The Insider Threat: Can it be Managed?” In Parker, T. (Ed.), Cyber Adversary Characterization: Auditing the Hacker Mind (pp. 171–204). Rockland, MA: Syngress Publications.

Shaw. E., Ruby, K. and J. Post. (1998). “The Insider Threat to Information Systems.” Security Awareness Bulletin 2: 1–10.

Shaw, E., & Stroz, E. (2004). “WarmTouch software: Assessing Friend, Foe and Relationship.” In Parker, T. (Ed.), Cyber Adversary Characterization: Auditing the Hacker Mind, June. Syngress Publications, Rockland, Mass.

Turvey, B. (2008). Criminal Profiling: An Introduction to Behavioral Evidence Analysis. Burlington, MA: Academic Press.

¹
See
Theories of Social Order
, by Michael Hechter and Christine Horne (Stanford Social Sciences, 2009) for a more complete survey on the different perspectives and issues of social order.

²
One of the more sensationalized elements of Brussel’s profile was his pronouncement that the perpetrator wore a double-breasted suit. When captured, 54-year-old George Metesky was wearing his pajamas but did indeed own a double-breasted suit. When examined more closely, this revelation was not as astonishing as it might sound, as a large number of men of that era wore double-breasted suits.

³
During the period between 1982 and 1987, there was a series of seven murders involving young teenaged girls in or near train stations in the North London area of the United Kingdom. The victims were raped and then garroted. Police frustration and apprehension about this series of crimes led them to contact Professor Canter at Surrey University. After compiling details of the attack, Canter produced the first psychological offender profile (POP) used in British policing, which in turn led to the arrest of railway worker John Duffy. Post-arrest investigations proved the profile that Canter produced to be quite accurate (Canter, 1994).

⁴
The term
unethical
is used here because at the time there were few state or federal laws governing the lawful uses of computers or the newly minted technology of computer networks (near the end of the epoch). While Parker referred to these acts as crimes, there existed during this first epoch a very significant level of ambiguity concerning the legal status of many acts committed using a computer. While the legal system has made considerable progress over the years in defining illegal acts performed using the assistance of computers, this ambiguity still exists to a nontrivial extent today, as technology continues to outpace the laws enacted to provide a legal foundation for this domain.

⁵
These motivations form the acronym MEECES, a play on the old FBI’s acronym (MICE) for motivations for betraying a country: money, ideology, compromise, and ego.

⁶
There is currently a vigorous debate about the legality of various profiling programs in deployment within the United States. Typical of these programs under fire is the SPOT program deployed by the Transportation Safety Administration at airports for identifying individuals who are likely to pose a threat to aircraft (see Florence and Friedman, 2010 for a discussion of the legal aspects of this program). Other federal entities, such as the FBI and the National Security Agency, also face a number of restrictions on what kind of data can be collected and which classes of individuals it is permissible to collect data on.

⁷
Kilger recalls an experience a number of years ago where his organization had just purchased a company and he had made a trip to visit their IT facilities. When asked about what information security measures were in place, the IT director pointed to the Ethernet cable attached to a jack in the wall that connected the company’s network to the Internet and said that when he went home at night, he unplugged the cable, and he plugged it back in when he returned at 9 the next morning. His explanation was that computer hackers worked only at night, and so his strategy was to deny them his network when the nefarious folks were afoot. While a bit horrifying, you have to admit that his strategy was pretty effective against Internet-based attacks during the time the company network was actually disconnected. His errors in logic were many, but they were amplified by the fact that threats from the Internet are present 24/7. If you follow his incorrect and ill-fated logic about hackers being active only during the night, his strategy still ignored the more serious threats that occur from time zones where nighttime for the attacker is daytime for him.

⁸
In the recent spate of LulzSec attacks, for example, the same SQL injection tool that was used on the Public Broadcast Service website was also used in the hacking of the Sony Music website.

⁹
For a more in-depth examination of humans as social animals, the classic book
The Social Animal
, by Elliot Aronson, originally published in 1972 (and last updated in 2007), is a good, rigorous resource on social psychology for the more general audience.

¹⁰
A
honeypot
is a device—usually a computer server—that is purposely placed on a digital network in hopes that it will be compromised. There is special software on the honeypot that hides from any potential intruder and records every action that the intruder makes from the beginning of the compromise of the machine until the honeypot is pulled out of service.

¹¹
The Honeynet Project is an international not-for-profit information security project that develops research tools and conducts analyses of online threats and distributes these tools and results free of charge to the public. For more information, see
http://www.honeynet.org/
.

CHAPTER

5

Actionable Legal Knowledge for the Security Professional

Victorious warriors win first and then go to war, while defeated warriors go to war first and then seek to win
.

—Sun Tzu,
The Art of War

S
tatistically speaking, if you are reading this book, or more precisely, this chapter of the book, chances are quite good you are not a lawyer. Chances are even better still that, in some significant way, dealing successfully with lawyers will have a big impact on your ability to do your job.

This chapter is intended to help the IT/cyberspace operations/information warfare/information operations/information dominance/network warfare/on net operations professional become a better partner with legal counsel. More specifically, the goal is to explain how to be more effective when dealing with the lawyers you’re likely to encounter while performing your job.

Often you will find, or at least it will appear, that the only thing standing between you and your operational objective is the law, or rather how a lawyer interprets the law in question. Mastering the art of collaborating with your lawyer is certainly among the most important steps in advancing yourself as a cyber professional. After all, it doesn’t matter what kind of killer, out-of-the-box approach or solution you’ve developed—if it doesn’t make it past the legal department, it’s not going to happen. Therefore, your lawyer can be your best friend or your worst nightmare, depending on how effective you are at conveying your operational objectives and getting approval.

Your ability to tell a cogent story, with just the right amount of technical jargon (usually as little as possible) is critical to your success. If the lawyer doesn’t understand exactly what you’re proposing, the lawyer is not likely to find a nuanced or novel approach to help realize your objective. This is not to suggest that there are no lawyers out there who understand cyberspace operations, hacking, IT, and so on, for many are quite technically skilled in addition to their legal acumen. However, in those instances when you are attempting to push the envelope, your legal counsel may be at a slight technological disadvantage. This situation can and should be avoided with tactful planning on your part.

You should make certain that you can explain your operational objective in the simplest terms possible. You’re both professionals, but you must remember that it is part of a lawyer’s professional training and development to be able to break down a law or regulation in terms that the layman can understand. Learn to reciprocate! Typically, it’s the departure from the norm that often presents the problem. If you are repeatedly doing the same kinds of operations under the same authorities, everyone involved, including legal counsel, gets into a comfort zone. Deviation breaks the rhythm and causes scrutiny. This is certainly not to suggest that you can pull a fast one on counsel to get approval for something patently unauthorized or illegal. Rather, it is far better to bring counsel into the planning process as early as possible and as often as practicable. Ideally, collaboration will lead to a productive partnership that leverages the skill and experience of the cyber professional and the attorney.

As it rarely happens that a man is fit to plead his own cause, lawyers are a class of the community, who, by study and experience, have acquired the art and power of arranging evidence, and of applying to the points at issue what the law has settled. A lawyer is to do for his client all that his client might fairly do for himself, if he could
.

—Samuel Johnson,
Boswell’s Life of Johnson