Chapter 3

Chapter 3Computer and Internet Crimess

IT SECURITY INCIDENTS: MAJOR CONCERNThe security of information technology used in business is of utmost importance. Confidential business data and private customer and employee information must be safeguarded, and systems must be protected against malicious acts of theft or disruption.Business managers, IT professionals, and IT users all face a number of ethical decisions regarding IT security:If their firm is a victim of a computer crime, should they pursue prosecution of the criminals at all costs, maintain a low profile to avoid the negative publicity, inform their affected customers, or take some action?

How much effort and money should spent to safeguard againts computer crime? (How safe is safe enough)

If their firm produces software with defects that allow hackers to attack customer data and computers, what actions should they take?

What should be done if recommended computer security safeguards make life more difficult for customers and employees, resulting in lost sales and increased costs?WHY COMPUTER INCIDENTS ARE SO PREVALENTIn todays computing environment of increasing complexity, higher user expectations, expanding and changing systems, and increased reliance on software with known vulnerabilities, it is no wonder that the number, variety, and impact of security incidents are increasing dramatically.MOST COMMON SECURITY INCIDENTSSecurity Incident20042005200620072008Virus78%74%65%52%50%Insider abuse59%48%42%59%44%Laptop theft49%48%47%50%42%Unauthorized access37%32%32%25%29%Denial of service39%32%25%25%21%Instant messaging abuse25%21%Bots21%20% 2008 CSI Computer Crime and Security Survey.Increasing Complexity Increases Vulnerability

The computing environment has become enormously complex. Networks, computers, operating systems, applications, Web sites, switches, routers, and gateways are interconnected and driven by hundreds of millions of lines of code. This environment continues to increase in complexity every day. The number of possible entry points to a network expands continually as more devices are added, increasing the possibility of security breaches.Increasing Complexity Increases Vulnerability

The computing environment has become enormously complex. Networks, computers, operating systems, applications, Web sites, switches, routers, and gateways are interconnected and driven by hundreds of millions of lines of code. This environment continues to increase in complexity every day. The number of possible entry points to a network expands continually as more devices are added, increasing the possibility of security breaches.Higher Computer User Expectations

Today, time means money, and the faster computer user can solve a problem, the sooner they can be productive. As a result, computer help desks are under intense pressure to respond very quickly to users questions. In addition, event though they have been warned against doing so, some computer users share their login ID and password with other coworkers who have forgotten their passwords. This can enable workers to gain access to information systems and data for which they are not authorized.Expanding and Changing Systems Introduce New RisksBusiness has moved from era of stand-alone computers, in which critical data are stores on an isolated mainframe computer in a locked room, to an era in which personal computers connect to networks with millions of other computers, all capable of sharing information. Business have moved quickly into e-commerce, mobile computing, collaborative work group, global business, and interorganizational information systems. Information technology has become a necessary tool for organizations to achive their goals.Increased Reliance on Commercial Software with Known Vulnerabilities

In computing, an exploit is an attack on an information system that takes advantage of a particular system vulnerability. Once the vulnerability is discovered, software developers quickly create and issue a fix, or patch, to eliminate the problem. Users of the system or application are responsible for obtaining and installing patch, which they can usually download from the Web. Any delay in installing a patch exposes the user to a security breach.

TYPES OF EXPLOITSVirusesComputer virus has become an umbrella term to many types of malicious code. A virus is a piece of programming code, usually disguised as something else, that causes a computer to behave in an unexpected and usually undesirable manner. is attached to a file, so that when the infected file is opened, the virus executesothers sit in a computers memory and infect files as the computer opens, modifies, or creates them.a virus is spread to other machines when a computer user opens an infected e-mail attachment, downloads an infected program, or visits infected Web sites. Macro virus have become a common and easily created form of virus. Attackers use an application macro language to create programs that infect documents and templates. After an infected document is opened, the virus is executed and infects the users application templates. Macros can insert unwanted words, numbers, or phrases into documents or alter command functions.

WormsA worm is a harmful program that resides in the active memory of the computer and duplicates itself. It can propagate without human intervention, sending copies of themselves to other computers by e-mail or Internet Relay Chat (IRC)- Negative impact: lost of data and programs, lost productivity due to workers being unable to use their computers, additional lost productivity as workers attempt to recover data and programs, and lots of effort for IT workers to clean up the mess and restore everything.COST OF IMPACT OF WORMSNAMEYEAR RELEASEDWORLDWIDE ECONIMIC IMPACTStorm2007> $10 billionILOVEYOU2000$8.75 billionCode Red2001$2.62 billionSirCam2001$1.15 billionMelissa1999$1.10 billionTrojan HorsesA Trojan horse is a program in which malicious code is hidden inside a seemingly harmless program. The programs harmful payload can enable the hacker to destroy hard drives, corrupt files, control the computer remotely, launch attacks against other computers, steal passwords or Social Security numbers, and spy on users by recording keystrokes and transmitting them to a server operated by a third party.It can be delivered as an e-mail atachment, downloaded from a Web site, or contracted via a removable media device such as a CD/DVD or USB memory stick. ( screen savers, greeting and card systems, and games)Another type of Trojan horse is a logic bomb, which executes when it is triggered by a specific event.For example, logic bombs can be triggered by a change in a particular life, by typing a specific series of keystrokes, or by a specific time or date.

BotnetsA botnets is a large group of computer controlled from one or more remote locations by hackers, without the knowledge or consent of their owners. - Are frequently used to distribute spam and malicious code.Cutwail, a large botnet, controlled approximately one million active bots at a time. In 2008, about 90 percent of spam was distributed by botnets, including the notorious Storm, Srizbi, and Cutwail botnets. Dealing with bot computers within an organizations network can be quite expensive. Average cost to repair the damage is $350,000.

Distributed Denial-of-Service (DDoS) AttacksA distributed denial-of-service attack (DDoS) is one in which a malicious hacker takes over computers on the Internet and causes them to flood a target site with demands for data and other small tasks. It does not involve infiltration of the targeted system.

RootkitsA roorkits is a set of programs that enables its user to gain administrator level access to a computer without the end users consent or knowledge.Attackers can use the rootkits to execute files, access logs, monitor users activity, and change the computers configuration. Rootkits are one part of a blended threat, consisting of the dropper, loader and rootkit.The dropper code gets the rootkit installation started and can be activated by clicking on a link toa malicious Web site in an e-mail or opening an infected .pdf fi The dropper launches the loader program and then deletes itself. Rootkits are designed so cleverly that it is difficult to even discover if they are installed on a computer. Here are some of the rootkit infections:The computer locks up or fails to respond to input from the keyboard or mouse.The screen saver changes without any action on the part of the user.The taskbar disappears.Network activities function extremely slowly.

* Reformat the disk, reinstall the OS and applications, reconfigure the users settings but all locally held data and settings may be lost.SpamE-mail spam is the abuse of e-mail systems to send unsolicited e-mail to large numbers of people.Most are in a form of low-cost commercial advertisingIt is also an extremely inexpensive method of marketing used by many legitimate organizations. It may also be used to deliver harmful worms or other malware.A partial solution is the use of CAPTCHA to ensure that only humans obtain free accounts. Completely Automated Public Turing Test to Tell Computers and Humans Apart software generates and grades test that human can pass but all but the most sophisticated computer programs cannot.

PhishingPhishing is the act of using e-mail fraudulently to try to get the recipient to reveal personal data. Con artist sends legitimate looking e-mails urging the recipients to take action to avoid a negative consequence or to receive a reward. (clicking a link to a Web site or opening an e-mail attachment)eBay, PayPal, and Citibank phishing spoof is most frequent Spear-phishing is a cariation of phishing in which the phisher sends fraudulent e-mails to a certain organizations employees. The phony e-mails are designed to look like they came from high-level executives within the organization. Employees are again directed to a fake Web site and then asked to enter personal information, such as name, Social Security number and the network password.Botnets have become the primary means for distributing spam, malware, and phishing scams

Types of PerpetratorsTypes of perpetratorTypical motivesHackerTest limits of system and/or gain publicityCrackerCause problems, steal data, and corrupt systemsMalicious insiderGain financially and/or disrupt companys information systems and business operationsIndustrial spyCapture trade secrets and gain competitive advantageCybercriminalGain financiallyHacktivistPromote political ideologyCyberterroristDestroy infrastructure components of financial institutions, utilities, and emergency response unitsIMPLEMENTING TRUSTWORTHY COMPUTINGTrustworthy computing is a method of computing that delivers secure, private, and reliable computing experience based on sound business practices.Ex. Microsoft has pledged to deliver on a trustworthy computing initiative designed to improve trust in its software products

MICROSOFTS FOUR PILLARS OF TRUST WORTHY COMPUTINGSECURITYPRIVACYRELIABILITYBUSINESS INTEGRITY

RISK ASSESSMENTRisk Assessment is the process of assessing security-related risks to an organizations computers and networks from both internal and external threats.The goal of risk assessment is to identify which investments of time and resources will best protect the organization from its likely and serious threats.An asset is any hardware, software, information system, network or database that is used by the organization to achieve its business objectives.A loss event is any occurrence that has a negative impact on an asset (computer contracting a virus or Web sites undergoing a distributed denial of service attack)ESTABLISHING A SECURITY POLICYA security policy defines an organizations requirements, as well as the control and sanctions needed to meet those requirements. A security policy outlines what needs to be done but not how to do it.Ex. The National Institute of Standards and Technology (NIST) is a nonregulatory federal agency within the US Department of Commerce. Its Computer Security Division develops security standards and technology against threats to the confidentiality, integrity and availability of information and services.NIST SP 800 series of documents which provides useful definitions, policies and guidelines related to IT security.Ex. if a written policy states that password must be changed every 30 days, the use of e-mail attachments, the use of wireless devicesA virtual private network (VPN) works by using the Internet to relay communications, it maintains privacy through security procedures and tunneling protocols, which encrypt data at the sending end and decrypt it at the receiving end.EDUCATING EMPLOYEES, CONTRACTORS, AND PART-TIME WORKERSEmployees, contractors, and part-time workers must be educated about the importance of security so that they will be motivated to understand and follow the security policies.

User must understand that they are a key part of the security system and that they have certain responsibilities.PREVENTIONSInstalling a Corporate FirewallA firewall stands guard between an organizations internal network and the Internet, and it limits network access based on the organizations access policy.Installing Prevention SystemsIntrusion prevention systems (IPS) work to prevent an attack by blocking viruses, malformed packets, and other threats from getting into the protected network. Its directly besides the firewall and examines all traffic passing through it.

Installing Antivirus SoftwareAntivirus software is a software that regularly scans a computers memory and disk drives for viruses. Antivirus software scans for a specific sequence of bytes, known as a virus signature, that indicates the presence of a specific virus.Norton AntiVirus from Symantec & Personal Firewall from McAfeeImplementing Safeguards Against Attacks by Malicious Insiders- Deletes employees account, password and login IDs

Conducting Periodic IT Security AuditsSecurity Audit is an important tool that evaluates whether an organization has a well-considered security policy in place and if it is being followedDetection - Intrusion detection systemResponseIncident NotificationProtection of Evidence and Activity LogsIncident ContainmentEradicationIncident Follow-up