
COMPUTER AND INTERNET CRIME

I.T. SECURITY INCIDENTS: A WORSENING PROBLEM
The security of information technology used in business is of utmost importance. Confidential business data and private customer and employee information must be safeguarded, and systems must be protected against malicious acts of theft or disruption.

Although the necessity of security is obvious, it often must be balanced against other business needs and issues. Business managers, IT professionals, and IT users all face a number of ethical decisions regarding IT security:

- If their firm is a victim of a computer crime, should they pursue prosecution of the criminals at all costs, should they maintain a low profile to avoid the negative publicity, must they inform their affected customers, or should they take some other action?
- How much effort and money should be spent to safeguard against computer crime (how safe is safe enough?)
- If their firm produces software with defects that allow hackers to attack customer data and computers, what actions should they take?
- What tactics should management ask employees to use to gather competitive intelligence without doing anything illegal?
- What should be done if recommended computer security safeguards make life more difficult for customers and employees, resulting in lost sales and increased costs?

Higher Computer User Expectations
Today, time means money, and the faster that computer users can solve a problem, the sooner they can be productive.

Increased Reliance on Commercial Software with Known Vulnerabilities
In computing, an exploit is an attack on an information system that takes advantage of a particular system vulnerability. Often, this attack is possible because of poor system design or implementation. Once the vulnerability is discovered, software developers quickly create and issue a fix or patch to eliminate the problem.

A zero-day attack takes place before the security community or a software developer knows about the vulnerability or has been able to repair it. Although the potential for damage from zero-day exploits is great, few such attacks have been documented as of this writing:

- SQL Slammer Worm
- Blaster Worm
- Zotob Computer Worm

TYPES OF ATTACKS
Security incidents can take many forms, but one of the most frequent is an attack on a networked computer from an outside source. There are numerous types of attacks, and new varieties are being invented all the time. Most attacks involve a virus, worm, Trojan horse, or denial of service.

Viruses
Computer virus has become an umbrella term for many types of malicious code. Technically, a virus is a piece of programming code, usually disguised as something else, that causes some unexpected and usually undesirable event. Often, a virus is attached to a file so that when the infected file is opened, the virus executes. Other viruses sit in a computer's memory and infect files as the computer opens, modifies, or creates them. Most viruses deliver a payload, or malicious act.

Worms
Unlike a computer virus, which requires users to spread infected files to other users, worms are harmful programs that reside in the active memory of the computer and duplicate themselves. They differ from viruses because they can propagate without human intervention, sending copies of themselves to other computers by e-mail or Internet Relay Chat (IRC).

TABLE 3-1 Cost Impact of Worms

Name     | Year released | Worldwide economic impact
ILOVEYOU | 2000          | $8.75 billion
Code Red | 2001          | $2.62 billion
SirCam   | 2001          | $1.15 billion
Melissa  | 1999          | $1.10 billion

Trojan Horses
A Trojan horse is a program that a hacker secretly installs on a computer. The program's harmful payload can allow the hacker to steal passwords or Social Security numbers, or spy on users by recording keystrokes and transmitting them to a server operated by a third party. The data may then be sold to criminals who use the information to obtain credit cards or pilfer bank accounts.

Denial-of-Service (DoS) Attacks
A denial-of-service attack is one in which a malicious hacker takes over computers on the Internet and causes them to flood a target site with demands for data and other small tasks. A denial-of-service attack does not involve a break-in at the target computer; instead, it just keeps the target machine so busy responding to a stream of automated requests that legitimate users cannot get in. It is the Internet equivalent of dialing a telephone number repeatedly so that all other callers hear a busy signal. The target machine holds the line open while waiting for a reply that never comes, and eventually the requests exhaust all resources of the target.

The zombies are often programmed to put false return addresses on the packets they send out (known as spoofing) so that the sources of the attack are obscured and cannot be identified and turned off. Internet service providers (ISPs) can prevent incoming packets with false IP addresses from being passed on by a process called ingress filtering. Corporations with Internet connections can ensure that spoofed packets don't leave their corporate network using a process called egress filtering.
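The ingress and egress filtering decisions described above, as an added example that is not part of the original text. The corporate address block, the bogon list and the sample packets are constructed assumptions; the logic is the standard module's address-membership check.

```python
# Added example (not from the original text): egress and ingress filtering
# decisions against spoofed source addresses, using Python's ipaddress module.
# The corporate prefix, bogon list and sample packets are constructed assumptions.
import ipaddress

CORPORATE_NET = ipaddress.ip_network("203.0.113.0/24")  # assumed corporate block

# Source ranges that should never arrive from the Internet (private and loopback)
BOGON_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def egress_allowed(src_ip: str) -> bool:
    """Egress filtering: a packet leaving the corporate network must carry a
    source address from the corporate block; anything else is spoofed."""
    return ipaddress.ip_address(src_ip) in CORPORATE_NET


def ingress_allowed(src_ip: str) -> bool:
    """Ingress filtering at the ISP or border: drop packets arriving from the
    Internet that claim a corporate or private source address."""
    src = ipaddress.ip_address(src_ip)
    if src in CORPORATE_NET:
        return False  # our own addresses cannot legitimately come from outside
    return not any(src in net for net in BOGON_NETS)


# Constructed sample packets: (direction, source address)
SAMPLE_PACKETS = [
    ("egress", "203.0.113.10"),   # legitimate outbound packet
    ("egress", "198.51.100.7"),   # spoofed: zombie forging a foreign source
    ("ingress", "198.51.100.7"),  # legitimate inbound packet
    ("ingress", "203.0.113.10"),  # spoofed: claims to be us, but arrives from outside
    ("ingress", "10.1.2.3"),      # spoofed: private address from the Internet
]


def filter_packets(packets):
    """Return (direction, src, verdict) for each packet, verdict 'allow' or 'drop'."""
    result = []
    for direction, src in packets:
        ok = egress_allowed(src) if direction == "egress" else ingress_allowed(src)
        result.append((direction, src, "allow" if ok else "drop"))
    return result


if __name__ == "__main__":
    for row in filter_packets(SAMPLE_PACKETS):
        print(*row)
```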

Perpetrators
Computer criminals often have the same motives as other types of criminals: thrill seekers wanting a challenge, common criminals looking for financial gain, industrial spies trying to gain a competitive advantage, and terrorists seeking to cause destruction to further their cause.

Type of perpetrator | Objectives | Resources available to perpetrator | Level of risk acceptable to perpetrator | Frequency of attack
Hacker | Test limits of system and gain publicity | Limited | Minimal | High
Cracker | Cause problems, steal data, and corrupt systems | Limited | Moderate | Medium
Insider | Make money and disrupt company's information systems | Knowledge of systems and passwords | Moderate | Low
Industrial spy | Capture trade secrets and gain competitive advantage | Well funded and well trained | Minimal | Low
Cyber-criminal | Make money | Well funded and well trained | Moderate | Low
Cyber-terrorist | Destroy key infrastructure components | Not necessarily well funded or well trained | Very High | Low

Hackers and Crackers
Hackers test the limitations of systems out of intellectual curiosity, to see whether they can gain access and how far they can go. They have at least a basic understanding of information systems and security features, and much of their motivation comes from a desire to learn even more. Today's hacker commonly is male, in his mid-20s or younger, has lots of spare time, has minimal financial resources, and is a social outsider. Some hackers are smart and talented, but many are technically inept and are referred to as lamers or script kiddies by more skilled hackers. Surprisingly, hackers have a wealth of available resources to hone their skills: online chat groups, Web sites, downloadable hacker tools, and even hacker conventions (such as Defcon, an annual gathering in Las Vegas). Cracking is a form of hacking that is clearly criminal activity. Crackers break into other people's networks and systems, deface Web pages, crash computers, spread harmful programs or hateful messages, and write scripts and automated programs that let other people do the same things.

Malicious Insiders
The top security concern for companies is the malicious insider, an ever-present adversary. An estimated 85 percent of all fraud is perpetrated by employees, who account for more than $660 billion per year in losses, according to the Association of Certified Fraud Examiners (ACFE).

Insiders are not necessarily employees; they can also be consultants and contractors. However, the typical employee who commits fraud has many years with the company, is an authorized user, is in a non-technical position, has no record of being a problem employee, uses legitimate computer commands to commit the fraud, and does so mostly during business hours.

Industrial Spies
Industrial spies use illegal means to obtain trade secrets from competitors of their firm. Trade secrets are protected by the Economic Espionage Act of 1996, which makes it a federal crime for people to use a trade secret for their own benefit or another's benefit. Trade secrets are most often stolen by insiders, such as disgruntled employees and ex-employees.

Cybercriminals
Information technology provides a new and highly profitable venue for cybercriminals. They hack into corporate computers and steal, often by transferring money from one account to another to another, leaving a hopelessly complicated trail for law enforcement officers to follow. Cybercriminals also engage in all forms of computer fraud: stealing and reselling credit card numbers, personal identities, and cell phone IDs. They can spend large sums of money to buy the technical expertise and access they need from unethical insiders.

Cyberterrorists
Cyberterrorists intimidate or coerce a government or organization to advance their political or social objectives by launching computer-based attacks against other computers, networks, and the information stored on them. Such attacks could include sending a virus or worm or launching a denial-of-service attack. Because of the Internet, attacks can easily originate from foreign countries, making detection and retaliation much more difficult.

REDUCING VULNERABILITIES
The security of any system or network is a combination of technology, policy, and people, and it requires a wide range of activities to be effective. A strong security program begins by assessing threats to the organization's computers and network, identifying actions that address the most serious vulnerabilities, and educating users about the risks involved and the actions they must take to prevent a security incident.

Risk Assessment
A risk assessment is an organization's review of potential threats to its computers and network and the probability of those threats occurring. Its goal is to identify investments in time and resources that can best protect the organization from its most likely and serious threats. No amount of resources can guarantee a perfect security system, so organizations frequently have to balance the risk of a security breach with the cost of preventing one. The concept of reasonable assurance recognizes that managers must use their judgment to ensure that the cost of control does not exceed the system's benefits or the risks involved.

Risk | Estimated probability of such an event occurring | Estimated cost of a successful attack | Probability x cost = expected cost impact | Assessment of current level of protection | Relative priority to be fixed
Denial-of-service attack | 80% | $500,000 | $400,000 | Poor | 1
E-mail attachment with harmful worm | 70% | $200,000 | $140,000 | Poor | 2
Harmful virus | 90% | $50,000 | $45,000 | Good | 3
Invoice and payment fraud | 10% | $200,000 | $20,000 | Excellent | 4
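The expected-cost calculation and priority ranking of the risk assessment table above, as an added example that is not part of the original text. The figures are the table's; the tie-breaking rule (weaker protection first) and the control_justified check for reasonable assurance are assumptions added here.

```python
# Added example (not from the original text): expected cost impact and
# priority ranking for the risk assessment table, plus a reasonable-assurance
# check. Figures come from the table; tie-breaking and the check are assumptions.
from dataclasses import dataclass

# Order used to break ties on expected cost: weaker protection gets fixed first
PROTECTION_RANK = {"Poor": 0, "Fair": 1, "Good": 2, "Excellent": 3}


@dataclass
class Risk:
    name: str
    probability: float   # estimated probability of the event (0..1)
    cost: int            # estimated cost of a successful attack, in dollars
    protection: str      # assessment of current level of protection

    def expected_cost(self) -> int:
        """Probability x cost = expected cost impact."""
        return round(self.probability * self.cost)


def prioritize(risks):
    """Return (priority, risk, expected_cost), highest expected cost first;
    equal expected costs are ordered by weaker current protection."""
    ordered = sorted(risks, key=lambda r: (-r.expected_cost(),
                                           PROTECTION_RANK[r.protection]))
    return [(i + 1, r, r.expected_cost()) for i, r in enumerate(ordered)]


def control_justified(risk: Risk, control_cost: int) -> bool:
    """Reasonable assurance (assumed rule): a control is justified only if its
    cost does not exceed the expected cost impact of the risk it addresses."""
    return control_cost <= risk.expected_cost()


# The four risks from the table
RISKS = [
    Risk("Denial-of-service attack", 0.80, 500_000, "Poor"),
    Risk("E-mail attachment with harmful worm", 0.70, 200_000, "Poor"),
    Risk("Harmful virus", 0.90, 50_000, "Good"),
    Risk("Invoice and payment fraud", 0.10, 200_000, "Excellent"),
]

if __name__ == "__main__":
    for prio, r, ec in prioritize(RISKS):
        print(f"{prio}  {r.name:<38} ${ec:>9,}  protection: {r.protection}")
```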

Establishing a Security Policy
A security policy defines an organization's security requirements and the controls and sanctions needed to meet those requirements. A good policy delineates responsibilities and expected behavior by members of the organization. A security policy outlines what needs to be done, but not how to do it. It should refer to procedure guides instead of outlining the procedures.

Educating employees, contractors, and part-time workers
Employees, contractors, and part-time workers must be educated about the importance of security so they will be motivated to understand and follow the security policy. Often, this can be accomplished by discussing recent security incidents that affected the organization. Users must understand that they are a key part of the security system and that they have certain responsibilities. Users must help protect an organization's information systems and data by doing the following:

- Guarding their passwords to protect against unauthorized access to their accounts
- Not allowing others to use their passwords
- Applying strict access controls (file and directory permissions) to protect data from disclosure or destruction
- Reporting all unusual activity to the organization's IT security group

Prevention
Installing a Corporate Firewall
Installation of a corporate firewall is the most common security precaution taken by businesses. A firewall stands guard between your organization's internal network and the Internet and limits network access based on the organization's access policy.

Installing Antivirus Software on Personal Computers
Antivirus software should be installed on each user's PC to regularly scan a computer's memory and disk drives for viruses. Antivirus software scans for a specific sequence of bytes, known as the virus signature.

Implementing Safeguards against Attacks by Malicious Insiders
Corporate security managers believe some of their worst security breaches come from corporate users who access information they are not authorized to see. Another potential problem is leaving user accounts active after employees leave the company. To reduce the threat of attack by malicious insiders, IT staff must promptly delete the computer accounts, login IDs, and passwords of departing employees.

Detection
Even when preventive measures are implemented, no organization is completely secure from a determined attack. Thus, organizations should implement detection systems to catch intruders in the act. Organizations often employ an intrusion detection system, intrusion prevention system, or a honeypot to minimize the impact of intruders.

Intrusion Detection Systems
An intrusion detection system monitors system and network resources and activities, and then notifies the proper authority when it identifies possible intrusions from outside the organization or misuse from within the organization. There are two fundamentally different approaches to intrusion detection: knowledge-based approaches and behavior-based approaches.

Intrusion Prevention Systems
Intrusion prevention systems (IPSs) evolved from network intrusion detection systems; they work to prevent an attack by blocking viruses, malformed packets, and other threats from getting into the company network. The IPS sits directly behind the firewall and examines all the traffic passed by it.

Honeypots
The idea of a network-based honeypot is to provide would-be hackers with fake information about a network by means of a decoy server, in order to confuse them, trace them, or keep a record for prosecution. The honeypot is well isolated from the rest of the network and can extensively log the activities of intruders.
