Tag archive for "CLEs"

attorneys, Events, Presentations

NYCLA CLE – May 15, 2012

Comments Off 14 May 2012

 

http://nycla.org/index.cfm?section=CLE&page=CLE_Detail&itemID=2682&dateID=20120515

Location: 14 Vesey Street

Program Co-sponsor: NYCLA’s Cyberspace Committee

Faculty: Raj Goel, brainlink.com and Natalie Sulimani, Law Offices of Natalie Sulimani

CFO/CSO/CPO, CISSP, Events, Presentations

NYS CyberSecurity Conference – Social Media & Cloud Computing Threats to Privacy, Security and Liberty – June 5 2012

Comments Off 14 May 2012

http://www.dhses.ny.gov/ocs/awareness-training-events/conference/2012/index.cfm

June 5, 2012, 11 am

 

Social Media has quickly woven itself into the very fabric of everyday life. This boom in sharing, even the most banal of details, has had a resounding impact on how our children, employees and colleagues communicate.

Using case studies from the US and around the world, we’ll examine how people have lost jobs, college admissions, college degrees, fortunes and freedom through (un)social media.

We’ll also investigate the rampant OVERCOLLECTION of customer and subscriber data by major corporations and governments.

We’ll also discuss some strategies and steps we can take to protect civil liberties and privacy in the age of Social Media.

Articles, attorneys

What Should Matrimonial Attorneys Know About Cyberforensics?

Comments Off 05 April 2012

According to surveys of U.S. and U.K. matrimonial attorneys, more and more of them are asking (or requiring) their clients to disclose Facebook, Twitter, LinkedIn, and other social media credentials to the attorney at the start of the case. Retained counsel has no wish to be surprised in court by finding out that his or her client said or posted things online that are detrimental to the case.1

 

As a Cyberforensics consultant, I ask the following questions when working with lawyers so that my clients get the best possible results in matrimonial cases:

1) Does your client (the wife, husband or partner) have a legal right to the computer or smartphone? If the device is jointly owned, then we can image and analyze it. If the device is owned by the other person’s employer, or is somehow construed as private property, then we do not have the legal right to analyze it, without a court order.

 

2) Has a PRESERVATION LETTER been issued to the opposing side?

 

3) Has either side retained an expert to acquire multiple copies of legally compliant forensics images? If both sides agree that the image is forensically sound, then both sides can invest resources in evidence analysis, not re-acquisition.

 

4) How many devices are owned by the couple? Computers, laptops, smartphones, etc.

 

5) Do they have any shared passwords to e-mail, online banking, Facebook, LinkedIn, etc? If yes, then we ask the attorney retaining us to determine (and advise us in writing) whether their client still has a legal right to those passwords, now that the divorce process has started.

 

6) What are we looking for? Financial records? Evidence of online romances? Deleted files and documents?

The best way to minimize forensics costs is to limit what we need to look for.

Every client has something to hide.

Guide your forensics investigator – frame the request as narrowly as possible. For example, “find me financial records” or “we suspect he’s hiding funds offshore” or “she’s got a shopping addiction” or “we suspect he’s having an affair.”

 

7) Has anyone used non-forensics software to try to undelete files, or used a non-forensic computer technician to gather evidence? If so, there is a real possibility that the evidence has been spoiled and cannot be used in court. Based on my experience, even evidence that cannot be presented in court often results in a negotiated settlement.

8) Is there any suspicion of child pornography (CP) on the device(s)?

Under current federal law, if we encounter more than three items of CP, we are legally obligated to stop work and report it to the FBI, Secret Service and ICE. Unlike any other form of evidence, mere possession of CP by an attorney (or their consultants) is illegal under federal law;2,3 the only statutory affirmative defense covers possession of fewer than three images that are promptly destroyed or reported to law enforcement, which is where the three-item line comes from. Attorneys have been prosecuted for possessing CP while they were conducting research on behalf of their clients.

See the case of Attorney Leo Thomas Flynn at www.brunolaw.com/prosecution-serves-as-warning.html.
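Points 3 and 7 above both come down to one mechanism: the forensic image is hashed at acquisition, the digests are recorded, and anyone (either side's expert, or the court) can re-hash the image later and prove it is byte-for-byte the one that was acquired. The script below is an added example, not the author's or any vendor's tooling; the file name, the examiner name and the sample "image" content are constructed for illustration. It writes a JSON manifest with size and MD5/SHA-256 digests, verifies the image against it, and then shows what a single byte written back by a consumer undelete tool does to that verification.

```python
"""Added example: hash manifest for a forensic disk image (not the author's tooling).

Both sides hash the same acquired image once and record the digests in a
manifest; any later re-hash that matches proves the image is unchanged. A
mismatch is exactly what a non-forensic 'undelete' attempt or a read-write
mount leaves behind.
"""
import hashlib
import io
import json
import os
import tempfile

CHUNK_SIZE = 1024 * 1024  # read 1 MiB at a time; real images are far larger than RAM


def _hash_stream(stream, algorithms):
    """Run every requested digest over the stream in a single pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=("md5", "sha256")):
    """Digest an in-memory byte string (useful for checking against known vectors)."""
    return _hash_stream(io.BytesIO(data), algorithms)


def hash_file(path, algorithms=("md5", "sha256")):
    """Digest a file on disk without loading it whole."""
    with open(path, "rb") as fh:
        return _hash_stream(fh, algorithms)


def write_manifest(image_path, manifest_path, examiner, notes=""):
    """Record size, digests and who acquired the image; this is what both sides sign off on."""
    record = {
        "image": os.path.basename(image_path),
        "size_bytes": os.path.getsize(image_path),
        "hashes": hash_file(image_path),
        "examiner": examiner,
        "notes": notes,
    }
    with open(manifest_path, "w", encoding="utf-8") as fh:
        json.dump(record, fh, indent=2, sort_keys=True)
    return record


def verify_image(image_path, manifest_path):
    """Re-hash the image and compare with the manifest. Returns (ok, list of failed checks)."""
    with open(manifest_path, encoding="utf-8") as fh:
        expected = json.load(fh)
    failures = []
    if os.path.getsize(image_path) != expected["size_bytes"]:
        failures.append("size_bytes")
    actual = hash_file(image_path, tuple(expected["hashes"]))
    failures += [alg for alg, digest in expected["hashes"].items() if actual[alg] != digest]
    return (not failures, failures)


def demo():
    """Constructed scenario: a tiny stand-in 'image', verified before and after a one-byte change."""
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "family-laptop.dd")  # hypothetical file name
        manifest = image + ".manifest.json"
        with open(image, "wb") as fh:  # constructed sample content, not a real file system
            fh.write(b"NTFS    " + bytes(range(256)) * 64)
        write_manifest(image, manifest, examiner="Examiner A", notes="acquired behind a write blocker")
        ok_before, _ = verify_image(image, manifest)

        # Someone runs a consumer undelete tool against the image and it writes one byte back.
        with open(image, "r+b") as fh:
            fh.seek(512)
            fh.write(b"\x00")
        ok_after, failed = verify_image(image, manifest)
        return {"ok_before": ok_before, "ok_after": ok_after, "failed": failed}


if __name__ == "__main__":
    print(demo())
```

Two digests are recorded because older tools and older manifests still report MD5; the SHA-256 is the one to rely on, and a size check catches truncated copies before any hashing is done. The manifest is deliberately plain JSON so that the opposing expert can verify it with nothing more than a standard hashing utility.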

 

 Below are several case studies that illustrate the above points:

1) In one case, the family kept using the shared computer(s) for months after the divorce was filed. Analysis of the data revealed that the husband had lied to the wife, and to his attorney, about what he did with the couple’s sex tapes, which were on the shared computer. Since the entire family (husband, wife, children, guests, etc.) used the same user name and password to log in to the computer, it was forensically impossible to tell who created, modified or deleted files; this evidence was considered polluted and could not be used in court. Even so, it assisted the wife’s attorney in negotiating a favorable settlement.

2) In another case, the husband fled from his native country to the U.S. 18 months earlier. The wife followed six months later. She brought the family laptop with her and presented it to her U.S. attorney as evidence. Having established the dates of his departure and her departure from their native country, we started the analysis. We located some financial records. We also found large stashes of adult imagery from dating sites, both male and female dating profiles. The initial conclusion we drew was that the husband was having a homosexual affair, or was bisexual, given the prevalence of both male and female profiles. Upon review, the wife rejected the analysis. Discrepancies in the profile dates led us to re-interview the wife, with counsel present. During this re-interview, we discovered that after the husband had fled, the wife’s sister had used the laptop to engage in online dating for the intervening six months. Because the client had allowed her sister to use the laptop for six months and had not communicated this to the attorney, all digital evidence had to be thrown out as spoiled.

 

Defending Against Cyber Evidence

When defending against cyber-evidence, determine the legality of the evidence. In most cases, the evidence was spoiled or may have been collected illegally. Determine the correctness of evidence – the data may have been collected legally – but was it collected and analyzed correctly?

 

In one case, the client was charged with 107 counts based on the fact that he clicked on one link, and the resulting popups downloaded roughly 50 images to the hard drive. Analysis by the author was able to show that these images were the result of popups downloading multiple images per click, and should therefore be counted as one violation per popup or web page rather than one per file. In the end, the client was charged with five counts, a far cry from the initial 107.
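The counting argument in that case is a timeline question: which cached files arrived together, from the same referring page, within the second or two a single click takes to render its popups? The script below is an added illustration of that grouping and is not the author's analysis or any forensic suite's code; the cache records (timestamps, image URLs, referring pages) are constructed, not taken from a real case. It reduces a list of cached files to a list of page loads so that the two numbers can be put side by side.

```python
"""Added example (not the author's analysis): count user actions, not files.

A single click on a page that spawns popups can drop dozens of images into the
browser cache within a second or two. Grouping cache entries by referring page
and by arrival time turns 'N files' into 'M page loads', which is the counting
argument made in the text.
"""
from datetime import datetime, timedelta


def _burst(start, referrer, count, step=0.2):
    """Constructed cache entries: `count` images from one page load, 0.2 s apart."""
    return [
        (start + timedelta(seconds=i * step), f"http://ads.example/img{i}.jpg", referrer)
        for i in range(count)
    ]


T0 = datetime(2012, 3, 1, 12, 0, 0)

# Constructed records (time cached, cached URL, referring page); not real data.
# Four page loads: 8 + 3 + 1 + 4 images. The last one is page-a again, half an
# hour later, so it must count as a separate click despite the same referrer.
CACHE_RECORDS = (
    _burst(T0, "http://example.net/page-a", 8)
    + _burst(T0 + timedelta(minutes=3), "http://example.net/page-b", 3)
    + _burst(T0 + timedelta(minutes=7), "http://example.net/page-c", 1)
    + _burst(T0 + timedelta(minutes=30), "http://example.net/page-a", 4)
)


def group_by_click(records, window=timedelta(seconds=5)):
    """Walk the records in time order; a record joins the current click when it
    shares the referrer and arrived within `window` of the previous file,
    otherwise it starts a new click."""
    clicks = []
    for cached_at, url, referrer in sorted(records):
        current = clicks[-1] if clicks else None
        if (
            current is not None
            and current["referrer"] == referrer
            and cached_at - current["last_seen"] <= window
        ):
            current["files"].append(url)
            current["last_seen"] = cached_at
        else:
            clicks.append(
                {"referrer": referrer, "first_seen": cached_at, "last_seen": cached_at, "files": [url]}
            )
    return clicks


def summarize(records, window=timedelta(seconds=5)):
    """Return the file count next to the click count, plus files per click."""
    clicks = group_by_click(records, window)
    return {
        "files": len(records),
        "clicks": len(clicks),
        "per_click": [len(c["files"]) for c in clicks],
    }


if __name__ == "__main__":
    for click in group_by_click(CACHE_RECORDS):
        print(click["first_seen"].time(), click["referrer"], len(click["files"]), "files")
    print(summarize(CACHE_RECORDS))
```

The grouping is deliberately conservative: because it only merges consecutive records, two pages whose downloads interleave within the window are split into several clicks, so it can overcount page loads but never merges two distinct referrers into one. The 5-second window is an assumption; on a real exhibit it should be set from the browser's own history entries, which record the navigation itself, with the cache records only filling in what that navigation pulled down.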

 

Social Media and Cloud Evidence

 

While we cannot gather forensic evidence directly from cloud providers (Facebook, Gmail, Twitter, World of Warcraft (WoW), Farmville, etc.), in many cases, once references to these services have been located on the client’s hard drive, you can subpoena log files from the providers. Facebook, WoW and E-ZPass are great places to acquire digital evidence.

 

Raj Goel is founder and CTO of Brainlink International, Inc. Learn more at www.RajGoel.com and www.Brainlink.com.

 

References

1. www.guardian.co.uk/technology/2011/mar/08/facebook-us-divorces,

 http://www.dailymail.co.uk/femail/article-2080398/Facebook-cited-THIRD-divorces.html,

 http://kotaku.com/5576262/farmville-world-of-warcraft-are-divorce-lawyers-latest-weapons-in-court

 2. www.orangecountycriminaldefenselawyerblog.com/2011/02/in-orange-county-ca-whathappe.html

 3. www.brunolaw.com/prosecution-serves-as-warning.html

This article appears in the April 2012 issue of New York County Lawyers Association (NYCLA)  Newspaper on pages 5 & 15.  The PDF is available at http://www.brainlink.com/whitepapers/2012-04-04-New-York-County-Lawyer-April-2012-Cyberforensics.pdf

 

Events

NYCLA CLE – What do attorneys need to know about Cyber Forensics – 4/24/12

Comments Off 25 March 2012

Update on Cybersecurity Issues: What do Attorneys need to know about CyberForensics

Tuesday, April 24, 2012,

6:00 PM – 9:00 PM

Member Price: $125

Non-Member Attorney Price: $175

Location: 14 Vesey Street

Course ID: C042412

Credits: 3 MCLE (1 Ethics; 2 PP); Transitional and Non-transitional; also NJ

Register at http://nycla.org/index.cfm?section=CLE&page=CLE_Detail&itemID=2683&dateID=20120424

 

Course Description:Developments involving cybersecurity issues are changing at an explosive rate. Join the Cyberspace Committee in exploring the recent developments affecting cybersecurity including a discussion of real world case studies, examination of current technology trends and their current and impending erosion of 4th and 5th Amendment protections, recent guidance from the courts, FTC and other regulatory bodies, the impact of major federal and private information security laws and regulations and more.

Program Co-sponsor: NYCLA’s Cyberspace Committee

Faculty: Raj Goel, brainlink.com and Natalie Sulimani, Law Offices of Natalie Sulimani

via NYCLA – New York County Lawyers’ Association.

accountants, Articles, attorneys, Events, Presentations

Nassau County Bar Attorneys & Accountants Committee 2/27/12

Comments Off 27 February 2012

The Nassau County Bar Attorneys Accountants Committee has asked me to present on selected Cyber-Security topics.

 

When; Feb 27, 2012

Where: Nassau County Bar Association

15th & West Streets

Mineola, NY 11501

516-747-4070

 

One of the topics we discussed was the role of the Cyberforensics examiner when encountering Child Porn (CP).

 

The consensus from the Attorneys, Accountants and CFEs was that anything found during the examination is covered by attorney-client privilege.

That view conflicts with federal law. Unlike any other type of evidence, mere possession of CP is a federal offense; the statutory affirmative defense reaches only possession of fewer than three images that are promptly destroyed or reported to law enforcement, so holding more than three pieces leaves no defense at all.

 

Attorneys have been prosecuted for possessing CP while they were conducting research on behalf of their client.  See the case of Attorney Leo Thomas Flynn at http://www.brunolaw.com/prosecution-serves-as-warning.html

 

My reading of the Leo Flynn case says that he won on a technicality – South Dakota state laws allow Attorneys to view/research CP during an active case.  As do several other states.

However, Federal law offers no such immunity.

 

Most Forensics Examiners, myself included, will notify Law Enforcement if and when they encounter CP during the course of a forensics examination.

Unlike attorneys, Cyberforensics Examiners, Accountants, etc. do NOT have an attorney-client privilege shield, and CP is one of the exemptions to attorney-client privilege.

 

In my opinion, the fundamental error attorneys make with CP is treating a download as a crime that occurred in the past.

If a client commits a crime and tells his or her attorney about a past-deed, the attorney is legally and morally obligated to stay silent about it.

 

However, having CP stored on your harddrive is NOT a crime in the past.  It is a crime in the present.

Therefore, if you as the attorney take

 

Think of CP as plutonium – if you found plutonium and put it in your pocket, the activity of finding plutonium occurred in the past.  The damage caused by radiation however, is an ongoing and present danger.  Similar rules apply here.  The client may have downloaded or acquired CP in the past, but the mere possession of it by anyone NOT in Law Enforcement, is illegal.

 

So attorneys, CFEs, etc, please interview your clients regarding CP before you take on the case – or as soon as you suspect it.

You CANNOT shield your client if they have more than 3 items of CP.

Possessing CP is an active crime, and must be reported to law enforcement asap. Otherwise, the DA’s office, FBI or Secret Service will put you through years of litigation hell, as they did Leo Thomas Flynn: http://www.brunolaw.com/prosecution-serves-as-warning.html

 

Learn More

http://www.brunolaw.com/prosecution-serves-as-warning.html

http://www.giancolalaw.com/news/Duty-Privilege-and-Immunity.html

http://mntech.typepad.com/msba/2010/03/why-divorce-lawyers-should-get-up-to-speed-on-cybercrime-law.html

http://www.floridalawreview.com/2010/giannina-marin-possession-of-child-pornography-should-you-be-convicted-when-the-computer-cache-does-the-saving-for-you/

http://articles.forensicfocus.com/2011/11/22/is-your-client-an-attorney-be-aware-of-possible-constraints-on-your-investigation-part-2-of-a-multi-part-series/

http://sogweb.sog.unc.edu/blogs/ncclaw/?p=1346

http://www.americanbar.org/newsletter/publications/youraba/201203article04.html

 

Events, Presentations

NYIT Vancouver – 2/21/12

Comments Off 19 February 2012

On Feb 21, 2012, Raj Goel, CISSP (NYIT ’95) addressed the Surrey Board Of Trade on selected Information Security Topics.

 

We ( students and Faculty of NYIT-Vancouver) discussed the challenges to Privacy, Security and Civil Rights, and the role colleges can play today in developing the workforce, technologists, and civil libertarians of tomorrow.

 

Slides are available here - 2012-02-21-NYIT-Vancouver-RajGoel-v3.pdf

Articles, Webinars

What to Teach Your Kids, Employees and Interns about Social Media

Comments Off 07 February 2012

This 31-minute webinar shows you how

  • Kids have been denied college admissions, thrown out of college or kicked out of their majors
  • Interns and employees have cost their employers thousands (or millions) of dollars
  • Kids and adults have gone to jail, around the world, due to mistakes in Social Media

Please share this webinar with

  • CIOs, CSOs, CPOs, Compliance Officers
  • Parents of High school & College Students
  • High School & College Students
  • High School teachers
  • College Professors
  • Guidance Counselors
  • Interns
  • New Employees

accountants, attorneys, CFO/CSO/CPO, CISSP, Events

Nov 8 2011 – ISC2 Brighttalk – Dealing With Risk and Vulnerabilities in the Enterprise

Comments Off 24 October 2011

Cloud Privacy Concerns – Over sharing and Over Collecting

Social Media has quickly woven itself into the very fabric of everyday life and computing. This boom in sharing, even the most banal of details, has had a resounding impact on how our profession manages enterprise security. In this presentation we’ll explore strategies for managing the risks associated with:

  • Job loss, revenue loss
  • Data Loss Prevention
  • Brand Protection
  • Privacy Erosion
  • Malware Protection

We’ll examine the basic law that governs ALL internet activity in the US.
We’ll further delve into KEY FTC decisions that impact online activity.
Using case studies from the US and around the world, we’ll examine how people have lost jobs, college degrees, fortunes and freedom through social media.
We’ll investigate the rampant OVERCOLLECTION of customer and subscriber data by major corporations.
And finally, we’ll review success stories from the past 300 years, where lone individuals and committed groups have improved security, society and human life spans.

3 CPEs will be offered.

Register at: https://isc2.brighttalk.com/node/914

 

CISSP, Events

ISC2 SecureBoston Oct 19, 2011

Comments Off 28 September 2011

Oct 19, 2011 – Full Day ISC2 Local Event

Oversharing: Managing Risk in the Social Age
Co-presented by Raj Goel and Brandon Dunlap

Social Media has quickly woven itself into the very fabric of everyday life and computing. This boom in sharing, even the most banal of details, has had a resounding impact on how our profession manages
enterprise security. In this day-long, interactive event, we’ll explore strategies for managing the risks associated with:

  •  Data Loss Prevention
  •  Brand Protection
  •  Privacy Erosion
  •  Malware Protection

We’ll also outline the cultural effects of Social Media on the enterprise as Generation Y, the Millennials, begin entering the workplace with expectations of open sharing. Many of the tools to protect our organizations and users are deployed and in use already. Join us as we share techniques from our peers in making the best use of our past investments to mitigate these risks.


 

Download the file here:

2011-10-19-RajGoel-ISC2-Secure_Boston_Cloud_Computing_Oversharing_OverCollecting.pdf

 

Events

AppAssure/SMBNation HIPAA Compliance Webinar

Comments Off 07 September 2011

Thursday, September 8, 2011 10:00 AM – 11:00 AM PDT

With the recent penalties against UCLA Health System ($865,000), Rite-Aid ($1M), CVS ($2.25M), Massachusetts General ($1M) and Cignet ($4.3M), the HHS Office for Civil Rights is finally showing that it means business.

Several key requirements for HIPAA compliance are
- backups and records retention.
- Disaster Recovery
- Business Continuity

This webinar, by Raj Goel, a renowned expert on HIPAA/HITECH Compliance,  will give you an overview of how AppAssure helps health care providers meet HIPAA/HITECH compliance, while solving critical business challenges, effectively.

Speakers: Harry Brelsford and Raj Goel

Register here!: https://www1.gotomeeting.com/register/516144041

Articles

Backing Up Documents in the Cloud

Comments Off 22 August 2011

Raj Goel, CISSP
CTO, Brainlink International, Inc.
raj@brainlink.com

917-685-7731

Raj’s LinkedIn profile

This article appeared on LAW.com

 

John Edwards (no, not THAT John Edwards) did a great job of summarizing various backup tools available for CLOUD backups, and some risks inherent in it.

My opinion is that law firms should NOT be using public or hybrid clouds, as dangers to client-confidentiality and potential litigation liabilities out-weigh any short-term savings.

 

PRIVACY

Rajesh Goel, chief technology officer at Brainlink International, a New York-based compliance security consulting firm, warns that storing data in the cloud could, under some circumstances, pose a privacy risk to client data. “If a firm is large enough and they have the financial and technical resources to build their own private cloud, then the advantages of cloud computing are compelling,” he says. “For firms lured by the low cost/save money siren song of public and hybrid clouds, there’s danger ahead.”

Goel observes that while the Electronic Communications Privacy Act assures that e-mail has a 180-day right to privacy, information held in databases has zero days of privacy protection. “All online applications … can be classified as databases, under the strict definition of ECPA,” Goel asserts.

Goel says that attorneys also need to be aware of another potential privacy threat. “The Patriot Act allows law enforcement to use National Security Letters to obtain information about individuals and companies from service providers,” he says. “Most NSLs forbid the service provider from notifying their clients that they have released information to law enforcement, based on NSLs.”

Goel adds that lawyers with clients in highly regulated areas, such as health care and financial services, also need to fully investigate their situation and privacy risk potential before sending files into the cloud.

Full Article is available at http://www.law.com/jsp/article.jsp?id=1202509461694&Backing_Up_Documents_in_the_Cloud&slreturn=1&hbxlogin=1

 


Raj Goel, CISSP, is chief technology officer of Brainlink International, an IT services firm. He is located in  New York and can be reached at raj@brainlink.com.

About, Presentations

Presentation Topics

Comments Off 13 July 2011

Each of my talks runs from 45-120 minutes.

I present the specific topic in 45 minutes, or really dive into it for 2 hours.

Multiple topics can also be combined into 2,3,4 or 6-hour sessions for 1/2-day and full-day events.

The agendas/descriptions for each of the topics are:


1) Perils of Social Media – How Facebook, Google, Twitter, Social Media & Cloud Computing are creating Threats to Privacy, Security and Liberty

Social Media has quickly woven itself into the very fabric of everyday life. This boom in sharing, even the most banal of details, has had a resounding impact on how our children, employees and colleagues communicate.

Using case studies from the US and around the world, we’ll examine how people have lost jobs, college admissions, college degrees, fortunes and freedom through (un)social media.

We’ll also investigate the rampant OVERCOLLECTION of customer and subscriber data by major corporations and governments.

We’ll also discuss some strategies and steps we can take to protect civil liberties and privacy in the age of Social Media.


2) Trends in Financial Crimes

This interactive and lively discussion presents an overview of US laws (HIPAA, Sarbanes Oxley (SOX), Gramm Leach Bliley Act (GLBA), PCI CISP Credit Card Compliance, the growing number of US state data breach notification laws). We trace the history of information security regulations and ID Theft. We examine credit theft and the threat it poses to the American banking industry, as well as the global economy and what governments around the world are doing to combat these crimes.

Special attention is paid to trends and growth in financial crimes, including:

* ID Theft
* Mortgage/Title Fraud
* SPAM /Botnet for Hire
* Credit Fraud
* Case Studies from around the world

Length: 50 minutes


3) Are you Googling your Clients’ privacy away?

This presentation addresses how various services offered by Google can become a threat to your companies’ privacy and confidentiality policies.

It deals with Google’s capabilities to capture and aggregate information with or without user knowledge. Special attention is given to Google’s key offerings such as:

* Google Searches
* GMail
* Orkut
* Google Toolbar
* Google Desktop
* Android
* Chrome Browser
* Case Studies from around the world

Length: 50 Minutes


4) Expanding your practice using LinkedIn

* This seminar will discuss Common myths about LinkedIn
* Proper uses and misuses of LinkedIn
* The power of LinkedIn Groups
* Case Studies examine different LinkedIn profiles, and how to create effective profiles

Length: 50 Minutes


5) Living in a MultiCompliance World – Part I HIPAA, Sarbanes-Oxley, Gramm-Leach-Bliley and PCI-DSS compliance

This presentation provides an overview of the major federal and private information security laws and regulations in the United States.

Case studies examine the real-world impact of non-compliance, analysis of documented cases and guidance on implementing multi-compliance effectively.

Length: 90 minutes


6) Living in a MultiCompliance World – Part II

This presentation provides an overview of the impact the 37+ state privacy breach laws have on the federal regulations and PCI-DSS compliance. We examine the New York State Privacy Breach law in depth.

Length: 90 minutes


7) Lessons Learned From the FTC

The FTC has emerged as the leading investigator of privacy and security breaches, and has sanctioned companies and institutions across industries for breaches.  This presentation reviews the FTC’s track record, examines lessons learned from each sanction, and provides guidance based on current and proposed regulations.

Over the last decade, in the absence of a national Consumer Privacy Watchdog/Czar, the Federal Trade Commission (FTC) has set the standard for what it considers acceptable, and unacceptable behavior for companies and organizations conducting business within the United States.

The FTC doesn’t involve itself in the minutiae of security standards à la HIPAA, PCI, etc., nor does it dictate what protocols or technologies companies need to use. Rather, the FTC uses its Constitutional and Congressional mandate for regulating interstate commerce to hold companies accountable for their breaches.

This presentation will examine the FTC’s track record, put the sanctions in a larger context of privacy and security breaches, and most importantly, we will look at where the FTC is trending with the FTC Health Breach and RED FLAG regulations.

Length: 90 minutes


8) PCI Compliance is an expensive, moving target.

Many firms have chosen to become PCI compliant, others are content to sit by the sidelines and hope they won’t get caught.

Countless other firms have engaged in PCI compliance efforts, only to fall short and have significant breaches while being PCI compliant.

Pay NOW for effective, common-sense based compliance, or pay LATER in FTC fines, PCI fines and lawsuits.
Either way, you’re going to pay.

This presentation looks at a dollars-and-cents approach to PCI compliance.

Length: 45 minutes


9) Privacy and Security Challenges With Cloud Computing for Attorneys, Accountants and Business Owners

Dropbox, Gmail, Facebook, Amazon Web Services — they’ve become part of the IT DNA.  More than that, they have become household verbs.

Individual consumers and complete corporations moving to Social Media and the cloud has had a resounding impact on how our profession manages enterprise security. In this interactive event, we’ll explore strategies for managing the risks associated with:

- Data Loss Prevention
- Brand Protection
- Privacy Erosion
- Malware Protection
- FTC’s regulatory sanctions
- Guidance from the Courts, FTC, HHS and other regulatory bodies on Cloud Computing and Social Media

 

This has been presented twice at NYCLA(New York County Lawyers Association)  and makes for a great ETHICS CLE for your law practice or Bar association.

Length:  45-90 minutes


10) Case Studies in Privacy and Security failures from around the globe

We examine large breaches from around the world (US, Canada, Japan, South Korea, Israel, UK, etc), focusing on the historical, cultural and social factors that contributed to the breach.

We also draw out the common threads that tie these breaches together, into a comprehensive narrative.
Length: 45-90 minutes

 

CISSP, Webinars

Streamlining and Ensuring Continuous Compliance

Comments Off 13 July 2011

http://www.brighttalk.com/webcast/5385/22557

accountants, attorneys, Webinars

Grow Your Practice Using LinkedIn

Comments Off 13 July 2011

http://slidesha.re/nb71L5


Webinars

Trends in Financial Crimes

Comments Off 12 July 2011

http://www.brighttalk.com/webcast/188/3182

CISSP, Webinars

New HIPAA Rules and EHRs: ARRA & Breach Notification

Comments Off 12 July 2011

http://www.brighttalk.com/webcast/586/4565

CISSP, Webinars

Watching the Watchers

Comments Off 12 July 2011

http://www.brighttalk.com/webcast/5385/22564

CISSP, Webinars

Regulatory Compliance While Reducing Enterprise Risk

Comments Off 12 July 2011

http://www.brighttalk.com/webcast/5385/22554

CISSP, Webinars

Old Threats, New Vectors: The Evolution of Malware

Comments Off 12 July 2011

http://www.brighttalk.com/community/it-security/webcast/5385/25947

accountants, attorneys, CFO/CSO/CPO, CISSP, Presentations

Lessons Learned From The FTC (Federal Trade Commission)

Comments Off 12 July 2011

The FTC has emerged as the leading investigator of privacy and security breaches, and has sanctioned companies and institutions across industries for breaches.  This presentation reviews the FTC’s track record, examines lessons learned from each sanction, and provides guidance based on current and proposed regulations.



© 2012 Raj Goel, CISSP. Powered by WordPress.
