Computer crime is a crime that is directed against, or directly involves, a computer.
Computer crimes are grouped into six categories: military, business, financial, terrorist, grudge, and thrill.
As soon as you discover an incident, you must being to collect evidence and as much information about the incident as possible. The evidence should be treated in a way that it can be legally used in court. Evidence collection can also assist you in determining the extent of damage.
Incidents should be defined in your security policy. Even though specific incidents may not be outlined, the existence of the policy sets the standard for the use of your system. An incident is any event that has a negative outcome affecting the confidentiality, integrity, or availability of an organization’s data.
An incident occurs when an attack or other violation of your security policy is carried out against your system. Incidents can be grouped into four categories: scanning, compromises, malicious code and DoS/DDoS.
Attacks will generate some activity that is not normal. Recognizing abnormal and suspicious activity is the first step toward detecting incidents.
You must have possession of equipment, software, or data to analyze it and use it as evidence. You must acquire the evidence without modifying it or allowing anyone else to modify it.
3 basic alternatives for confiscating evidence.
First, the person who owns the evidence could voluntarily surrender it. Second, a subpoena could be used to compel the subject to surrender the evidence. Thirdly, a search warrant is most useful when you need to confiscate evidence without giving the subject an opportunity to alter it.
Use logging and store it for a reasonable amount of time as it may take some time to actually realize an incident has occurred.
Establish a working relationship with the corporate and law enforcement personnel with whom you will work to resolve an incident. When you have a need to report an incident, gather as much descriptive information as possible and make your report in a timely manner.
To be admissible, evidence must be relevant to a fact at issue in the case, the fact must be material to the case, and the evidence must be competent or legally collected.
Real evidence consists of actual objects that can be brought into the courtroom. Documentary evidence consists of written documents that provide insight into the facts. Testimonial evidence consists of verbal or written statements made by witnesses.
Security practitioners are granted a very high level of authority and responsibility to execute their job functions. The potential for abuse exists, and without a strict code of personal behaviour, security practitioners could be regarded as having unchecked power. Adherence to a code of ethics helps ensure that such power is not abused.
RFC 1087 is about ethics and the (ISC)^2 has a code of ethics that CISSP candidates must subscribe to.