Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Last updated: Saturday 09 August 2025 @ 08:55:10

Law and Cybersecurity

In today's interconnected digital environments, organisations rely heavily on secure authentication, system monitoring, and access control policies. Despite these safeguards, internal breaches remain one of the most difficult threats to detect and mitigate — especially when they involve privileged accounts and trusted employees.

In this lab, you will take on the role of a cybersecurity analyst working in partnership with legal and compliance teams to investigate a suspected internal data breach.

1. Scenario Brief

On Sunday morning at 03:15, a security monitoring system triggered an alert: a privileged admin account had logged in from a non-standard IP address outside business hours. This session involved multiple file accesses and downloads of .zip files containing potentially sensitive data.

The login was not authorised or logged as scheduled maintenance. No change tickets were open at the time. Within hours, questions were raised by staff about suspicious activity, and an internal tip-off prompted further scrutiny.

Note

You can download the following files:

1.1 Your Objectives

  • Reconstruct the timeline of events using the artefacts provided

  • Assess whether a breach has occurred and what data may be affected

  • Identify applicable UK laws (e.g., Computer Misuse Act, GDPR)

  • Recommend next steps from both a technical and legal perspective

  • Reflect on challenges such as attribution, data privacy, and evidence handling

2. Technical Artefact Analysis

In this section, you will perform a preliminary forensic review using simplified artefacts that simulate what would be available during the early stages of an internal security investigation.

2.1 What You Have

You’ve been provided with a small set of technical artefacts drawn from internal systems:

  • Access Log: Contains timestamps, usernames, source IPs, and activity types (e.g., login, file access).

  • ZIP File: A suspicious .zip archive downloaded during the flagged session. The filenames inside may be misleading.

  • Internal Email: A message from a concerned employee, sent days before the alert, referencing unusual admin behaviour.

  • Alert JSON: A structured log entry generated by the monitoring system, capturing metadata about the file downloads.

2.2 Your Task

  1. Review the access log

    • Identify:

      • Which user accounts were active around the time of the incident

      • Any off-hours or anomalous behaviour

      • The IP addresses and actions that stand out

  2. Inspect the alert file

    • What file was accessed or downloaded?

    • Was this action expected for a privileged account?

    • Are there any risk tags (e.g., off_hours, sensitive)?

  3. Interpret the internal email

    • What warning signs did the employee raise?

    • Is there a clear reference to the current incident?

  4. Examine the .zip archive

    • What file names are used?

    • Do they match the download event in the logs?

    • Are the contents clearly sensitive or disguised?

  5. Build an Incident Timeline

    • Using the downloaded artefacts, reconstruct a brief timeline (bullet points or table) showing:

      • When key actions occurred

      • Which users were involved

      • What data was accessed

      • Any indicators of suspicious behaviour

3. Legal Application: CMA + GDPR

Goal

Your goal is to determine:

  • What laws may have been broken?

  • What legal responsibilities the organisation now holds?

  • How evidence should be handled to support future action?

Now that you’ve reviewed the technical artefacts and built an incident timeline, it’s time to assess the legal implications of what has occurred.

  1. Which sections of the Computer Misuse Act 1990 (CMA) may apply? Review the incident and consider:

    • Was access to a system gained without proper authorisation? (Section 1)

    • Was the access used with intent to extract or modify data? (Section 2 or 3)

    • Were actions taken that could impair the system or disrupt data integrity? (Section 3)

    Hint

    Note whether the intent appears malicious, opportunistic, or accidental.

4. Ethics & Attribution Challenge

In groups discuss the personal grievance email from a recently disciplined employee. Is this enough to assign blame? Discuss:

  • Attribution pitfalls
  • Chain of custody
  • Defamation risk

5. Mini Report

Students draft a one-page internal briefing answering:

  • What happened?
  • What laws apply?
  • What’s our immediate legal/technical risk?
  • What should we do next?