jessica cassano

Post on 13-Jan-2016


DESCRIPTION

Jessica Cassano. 497-00-6092. www.umsl.edu/~lacity/int480a.htm. The CYBER GANG. www.umsl.edu/~lacity/int480a.htm. A Comprehensive Approach to Managing Cyber-Security (including Privacy Considerations). Darin Hancock LaWanda Jones (2007 PMBA UMSL Cohorts) 11/2005. Prepared for : - PowerPoint PPT Presentation

TRANSCRIPT

1

Jessica Cassano

497-00-6092

www.umsl.edu/~lacity/int480a.htm

2

The CYBER GANG

www.umsl.edu/~lacity/int480a.htm

3

A Comprehensive Approach to Managing Cyber-Security

(including Privacy Considerations)

Darin Hancock
LaWanda Jones
(2007 PMBA UMSL Cohorts)
11/2005

Prepared for:

IS6800

4

Common Types of Potential Cyber Threats

• VIRUS
• WORM
• TROJAN
• DoS (Denial of Service)
• SPAM
• SALAMI
• PHISHING
• PHREAKING
• ONLINE FRAUD, IDENTITY & DATA THEFT
• DUMPSTER DIVING
• SOCIAL ENGINEERING
• NATURAL DISASTER

www.thefreedictionary.com viewed 10/05

5

Definitions

• VIRUS – An infectious program that reproduces itself, destroying data along the way.
• DUMPSTER DIVING – The practice of sifting refuse from an office or technical installation to extract confidential data.
• WORM – An infectious program that reproduces itself over & over, using up memory.
• DENIAL OF SERVICE (DoS) – A network assault that floods the system with multiple requests.
• TROJAN – A program that appears legitimate, but performs some illicit activity when it is run.
• SPAM – An anonymous or disguised, unsolicited email sent in mass delivery.
• PHISHING – A scam to steal info through the use of “official” looking emails or websites.
• SALAMI ATTACK – A series of minor computer crimes that together result in a larger crime.
• PHREAKING – The art and science of cracking the telephone network.
• NATURAL DISASTER – An emergency situation posing significant danger to life and property that results from a natural cause.
• ONLINE FRAUD, IDENTITY & DATA THEFT – Intentional deception resulting in injury to another person.
• SOCIAL ENGINEERING – To trick people into revealing passwords or other sensitive information.

www.thefreedictionary.com viewed 10/05

7

The Melissa Virus

• Date of Attack – March 26, 1999
• Attacker – 30 year old David Smith
• Victims – thousands of Microsoft Word 97 and Word 2000 email users
• Damage – $80 million

http://www.usdoj.gov/criminal/cybercrime/melissa.htm viewed 10/05
www.viruslist.com viewed 10/05

8

The WANK Worm

• Date of Attack – October 16, 1989; 2 days prior to a scheduled space shuttle take off mission
• Attacker – 2 teenagers, Electron & Phoenix, from Melbourne, Australia
• Victim – NASA
• Damage – initial network infection at the Kennedy Space Station in Florida, then weeks later to other sites around the globe, including other agencies: US Dept. of Energy’s Fermi National Accelerator Lab (IL, US); European Center for Nuclear Research (Switzerland); Riken Accelerator Facility (Japan)

www.theage.com.au/articles/2003/05/24 viewed 11/05

9

SPAM

• Date of Attack – 1997 to present

• Attacker – Commercial Advertisers

• Victim – All email users

• Damage – Valuable time expended to sort thru mail that penetrated anti-spam filtration

Case: James Burdis, Smurfit Stone Sr. VP & CIO, estimates that of the 1.2 million emails received monthly, 80% is spam; and approx. 82% of the 80% penetrates their anti-spam blocks.

www.viruslist.com viewed 10/05

10

Cisco Systems Data Theft

• Date of Attack – April 2001

• Attacker – 2 Cisco employees

• Victim - Cisco

• Damage – approx. $6.3 million of stolen stock shares

www.depts.washington.edu viewed 10/05

11

Losses (quantified & unquantified)

• Productivity Disruption
• Time Delays
• Redirection of Staff Tasks
• Down & Damaged Networks
• Data Corruption
• Profit Loss
• Disclosure of Sensitive Data
• Damage to Interdependent Companies
• Loss of Customers

MISQ Dark Screen: An Exercise in Cyber Security. Vol. 4 No.2/June 2005

12

RED ALERT!!!

13

You Have Been Hacked

Hacking first began as a positive execution of computer improvements. Although not widely used, “Cracking” is the term for abusive hacking. Ill intent hacking occurred as early as the 1970s.

Case: in 1991 Cap N Crunch hacker, John Draper used a toy whistle from a cereal box to obtain free phone usage.

Occurrences increase each year. New terms: cyberterrorism, information warfare, economic espionage, data pirating.

www.cert.org viewed 10/05
www.viruslist.com/en/hackers viewed 10/05

14

Parties Involved in the Cyber-Security World

Hackers

Computer Researchers

Companies

Individuals

15

Key Points

Hackers

Why hack? “… I was hacking for the curiosity, and the thrill to get a bite of the forbidden fruit of knowledge.” – Kevin Mitnick, a famous reformed hacker

The Underworld
• Hacking Guides / Conferences
• Organized Gangs (ex: Shadow Gang, 4000 worldwide members)

Punishment
• Detention (kids)
• Prison
• Death

www.cnn.com/2005/TECH/internet viewed 10/05
www.businessweek.com viewed 10/05
www.viruslist.com viewed 10/05

16

Key Points
Computer Researcher

OOPs it was an Accident

Case: Nov. 1988, the Morris Worm erroneously launched by Robert Morris infected several thousand systems around the country

www.viruslist.com/en/hackers viewed 10/05

17

Key Points
Companies – the Victims

• High profile companies are hacker targets. “I’d begun targeting specific systems I saw as high profile or high challenge.” – Electron, NASA break
• Hesitant to disclose attacks to public
• On the average, companies have meager security standards
• Security & Privacy is ranked the 3rd top management concern
• Although companies are the shepherds of massive amounts of sensitive information, information mismanagement is frequent

www.theage.com.au/articles/2003/05/24 viewed 11/05
MISQ Dark Screen: An Exercise in Cyber Security. Vol. 4 No.2/June 2005

21

Invasion of the Privacy Snatchers

22

Information Mismanagement

Action – Frequent Types of Mismanagement

Collection & Storage
• More data collection than needed
• Unclear or obfuscating about future uses of data

Secondary Use
• Policies/practices ignore privacy implications of internal data re-use
• Inattentiveness to privacy implications of external data sharing
• Excessive liberalism regarding “affiliate sharing”

Data Accuracy
• Lax security controls (enable deliberate errors)
• Quality control lapses in data collection or manipulation (accidental errors)

Authorized Access
• Weak security controls (technical)
• Inattentiveness to “need to know” implementation

Automated Judgment
• Excessive reliance on implementation of standard operating procedures (w/o rational referrals for human judgment)

Profiling
• Lack of clarity regarding provisions on external sharing of data (or violations of clear provisions)

MISQ Information Privacy and its Management Vol. 3 No.4/December 2004

23

Key Points
Individuals – the Indirect Victims

• Rarely targeted directly. “There are attacks that can be done, but it’s unlikely that I’ll be targeted as an individual.” – Kevin Mitnick, hacker poster boy
• Indirect victims primarily due to lax company security measures & practices
• Privacy concerns raised because of frequent company information mismanagement

www.cnn.com/2005/TECH/internet viewed 10/05

24

To the Rescue - RESOURCES

LAW – 1986 Computer Fraud & Abuse Act, Gramm-Leach-Bliley & Sarbanes-Oxley

Government Agencies – FBI/NIPC, US-CERT, Homeland Security

Education – SANS Institute, MITRE, Conferences

Partnerships – ISACs (Information Sharing & Analysis Centers)

Insurance Providers – AIG, CISCO, CHUBB, Counterpane

Security Professionals – Symantec, Unisys

www.cert.org viewed 10/05

28

The Future

• Continued hacking at an increased pace with more sophistication. Thought: potential for large grids of electricity to be damaged, thereby crippling thousands of people, businesses, & emergency services
• Enhanced cyber-security technology
• Additional privacy concerns with new wireless technology (RFIDs)
• Increased company spending expected for cyber-security defenses
• Stronger alliances
• Additional regulations/laws expected, and
• Better international collaboration anticipated.

29

Best Practices

Company Executives

ALL Users

Agency Strategic Plan Cyber-Security Plan

GOOD ACTION

BETTER ACTION

BEST ACTION

30

Best Practices

Company Executives ALL Users

Agency Strategic Plan Fundamental Standards

GOOD Utilize applications for perimeter defenses:

• Firewall
• IDS – Intrusion Detection System
• Anti-spam
• Anti-virus
• VPN – Virtual Private Network
• Encryption

www.cleanlink.com/sm/article viewed 10/05

32

Best Practices

Company Executives ALL Users

Agency Strategic Plan Cyber-Security Plan

BETTER
• Shred Paper
• Password Protection / Better Selection
• System Removal (old employees)
• Training
• Establish process for all users (identify steps; answer who, what, how)
• Track attacks
• Better Information Management
• Top level buy in

www.cleanlink.com/sm/article viewed 10/05
www.toptechnews.com/story viewed 10/05
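The "System Removal (old employees)" item on the BETTER slide and the "need to know" item from the Information Mismanagement slide are both checks a company can run mechanically. The script below is an added example, not part of the original deck: it reconciles a system's accounts against an HR roster and reports departed users, accounts with no HR record, entitlements beyond what the user's role needs, and dormant accounts. The NEED_TO_KNOW role map, the employees, the entitlement names and the dates are all constructed sample data.

```python
"""Periodic access review: reconcile system accounts with the HR roster.

Added example, not part of the slide deck. It implements two controls the
deck names: removing accounts of departed employees ("System Removal") and
checking entitlements against "need to know". NEED_TO_KNOW, the roster and
the accounts below are constructed sample data, not a real organisation.
"""
from dataclasses import dataclass
from datetime import date

# Hypothetical role-to-entitlement map: the minimum each role needs to do its job.
NEED_TO_KNOW = {
    "accounting": {"ledger-read", "ledger-write"},
    "sales": {"crm-read"},
    "it-admin": {"ledger-read", "crm-read", "server-admin"},
}


@dataclass(frozen=True)
class Employee:
    user_id: str
    role: str
    active: bool  # False once HR records a departure


@dataclass(frozen=True)
class Account:
    user_id: str
    entitlements: frozenset
    last_login: date


@dataclass(frozen=True)
class Finding:
    user_id: str
    kind: str  # "unknown-user", "departed", "excess-entitlement" or "stale"
    detail: str


def review_accounts(roster, accounts, today, stale_days=90):
    """Return the findings an access review should act on, one per issue."""
    by_id = {e.user_id: e for e in roster}
    findings = []
    for acct in accounts:
        emp = by_id.get(acct.user_id)
        if emp is None:
            # An account with no HR record is the classic leftover or rogue account.
            findings.append(Finding(acct.user_id, "unknown-user", "no HR record for this account"))
            continue
        if not emp.active:
            # Departed employee: the deck's "System Removal (old employees)".
            findings.append(Finding(acct.user_id, "departed", "employee has left; remove the account"))
            continue
        # Need to know: anything beyond the role's minimum set is excess.
        excess = acct.entitlements - NEED_TO_KNOW.get(emp.role, frozenset())
        if excess:
            findings.append(Finding(acct.user_id, "excess-entitlement",
                                    f"beyond role '{emp.role}': {sorted(excess)}"))
        # Dormant accounts are removal candidates even when HR still lists the user.
        if (today - acct.last_login).days > stale_days:
            findings.append(Finding(acct.user_id, "stale",
                                    f"no login for more than {stale_days} days"))
    return findings


# Constructed sample input (hypothetical users; dates chosen around the deck's date).
SAMPLE_ROSTER = [
    Employee("alice", "accounting", active=True),
    Employee("bob", "sales", active=False),     # left the company
    Employee("carol", "it-admin", active=True),
    Employee("dave", "sales", active=True),
]
SAMPLE_ACCOUNTS = [
    Account("alice", frozenset({"ledger-read", "ledger-write", "server-admin"}), date(2005, 11, 10)),
    Account("bob", frozenset({"crm-read"}), date(2005, 6, 1)),
    Account("carol", frozenset({"ledger-read", "crm-read", "server-admin"}), date(2005, 11, 14)),
    Account("dave", frozenset({"crm-read"}), date(2005, 7, 1)),
    Account("eve", frozenset({"crm-read"}), date(2005, 11, 12)),  # no HR record
]


def run_sample(stale_days=90):
    """Run the review over the constructed data as of 15 Nov 2005."""
    return review_accounts(SAMPLE_ROSTER, SAMPLE_ACCOUNTS, date(2005, 11, 15), stale_days)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.user_id:<8} {f.kind:<18} {f.detail}")
```

On the sample data the review reports alice (an accounting user holding server-admin), bob (departed but still provisioned), dave (no login since July) and eve (an account with no HR record); carol, whose entitlements match her role exactly, produces nothing. The point of the design is that the roster, not the account list, is the source of truth: a departed employee is flagged before any other check, so the "remove" decision is never masked by a tidy-looking entitlement set.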

33

Best Practices

Company Executives ALL Users

Agency Strategic Plan Comprehensive Management Cyber-Security Plan

BEST
• Assessments: self penetration tests
• During IT design stage, link security with business strategies
• Understand you can’t provide 100% protection; therefore set security goals according to classification
• Keep abreast of current news / join partnerships
• Ongoing process

www.toptechnews.com/story viewed 10/05
www.cleanlink.com/sm/article viewed 10/05
MISQ Dark Screen: An Exercise in Cyber Security. Vol. 4 No.2/June 2005

36

SUMMARY

• Sensitive transactions call for increased security.
• More sophisticated hacking calls for increased security.
• Awareness: know what’s going on in the cyber-security community.
• Emerging policies: logical for companies to interact to provide their input vs. being strictly mandated to.
• Create a company specific comprehensive security plan.
• Plan aligns with business strategy.
• Plan to indicate proper management of information to help eliminate privacy concerns.
• Understand that the security plan should concentrate on the process, not the technological applications.
• And that this process is ongoing.

“You have to continue to train and implement new security. It needs to be something you do everyday.” Steve Epner of Brown Smith Wallace, a St. Louis technology consulting firm

www.cleanlink.com/sm/article viewed 10/05
