16. FIRST: We are faced with weak underlying technology and inherently vulnerable software
17. Also improperly configured Internet servers, firewalls and routers, and reliance primarily on firewalls for protection without intrusion detection and prevention systems
18. SECOND: Issues such as user anonymity, coupled with uninformed, misguided and malicious users, contribute to the problem
19. FINALLY: Weak or non-existent legal, regulatory and policy environments limit many countries’ ability to tackle cyber crime
21. Cyber criminals come in many forms. The most harmful can be malicious insiders, and disgruntled or uninformed employees
22. The Internet has its share of professional criminals like hackers, organized crime and pedophiles, who make a living off their well-honed skills and criminal endeavours
23. Competing businesses, governments and terrorists will also turn to the Internet to undermine the “competition” or further their cause
25. There is no one solution, be it technological or otherwise, to address cyber crime. It exists for a multitude of reasons and requires a multifaceted approach to combat
26. HUMAN FACTORS Industry, government and educators must first address human behaviour that allows cyber crime to thrive and/or undermine security efforts
27. A significant number of security breaches are in part caused by human actions, whether intentional or otherwise
28. Examples include: use of weak passwords, divulging passwords, use of unauthorised software, opening of unknown email, unauthorised use of the network
29. Breaches are not limited to novice or inexperienced users. Incidents have been caused by network administrators
30. Outlining acceptable network use and authorised software, along with awareness campaigns and training, can help mitigate human errors
31. TECHNOLOGY FACTORS Technology plays a key role in securing computers and networks, but only if properly deployed and maintained
32. There is a panoply of security tools at your disposal. If used properly they will shield your organization from many common cyber attacks
33. Security ranges from the basics, like limiting access to the network, forcing users to change passwords at regular intervals, and physically limiting access to certain computers
34. A step up would involve virus scanners, which inspect incoming files for viruses, and firewalls, which limit incoming and outgoing network traffic
35. Up to sophisticated tools like intrusion detection systems, which constantly analyze network traffic and send out alerts or shut off access in the event of anomalies
36. If information must be sent over the Internet, encryption technology can shield sensitive data in transit
37. POLICY FACTORS Ensure laws, regulations and policies provide the necessary support and focus that can complement cyber security endeavours
38. Policy must also ensure that countries are able to investigate, arrest and prosecute cyber criminals
39. A strong legal framework sends a message that cyber crime will be dealt with seriously and that limits on online conduct will be imposed
40. A well articulated regulatory scheme will ensure that key players such as TSPs, government and industry understand their roles in ensuring a secure environment
41. Well articulated policies that outline the roles, responsibilities and commitments of users, TSPs and governments will bring all this together
43. INDUSTRY POLICIES: Should address acceptable usage, minimum security standards, and commitments by the organisation to educate and support users
44. GOVERNMENT POLICIES: Identify short and mid term security objectives, support to key players, investments in security technology and training, and awareness initiatives
Editor's notes
In my opinion this is low. To me what this says is that there are 10% of the companies with an Internet connection that either don’t know they’ve suffered some form of attack or aren’t reporting it. Either way it’s not a good sign.
This would represent an individual cost of around $2,400 for each Internet user in the US. The CIA World Factbook estimates 159,000,000 Internet users in the US in 2002. When taken together, I think what these stats tell us is that the evolution of cyber crime is away from targeting large companies, which can afford sophisticated security technology, and towards capitalizing on the Internet's ability to render otherwise meaningless endeavours into lucrative business ventures. In Western countries, we have seen a shift from attacks on financial institutions to targeting their clients, with relatively similar results. More on that later.
I want to briefly focus on some of the technological and societal issues that have contributed to the birth and growth of cyber crime.
What I want to illustrate by this, is the rapid growth of such a complicated system. We must remember that this was uncharted territory for all involved. This growth has more or less continued unabated since then.
One of the legacies of the original ARPANET was the creation of the Transmission Control Protocol (TCP), which controls network communication, and the Internet Protocol (IP), which routes information; the combination is commonly referred to as TCP/IP. First, I am not an engineer, so my explanations are meant to assist a simple understanding of the technology in layman’s terms. For the engineers in the room, I sincerely apologize for what I’m about to say.

“It all starts with a handshake”: this may seem rather innocuous but it has serious implications. Originally, when the protocols were designed, they assumed that the computer they were communicating with could be inherently trusted. The handshake was a formality to establish a connection and then determine how the two sides would transmit the desired data. Cyber criminals soon capitalized on this misguided trust and used it against computers to contaminate them, or to take control of the systems for other criminal endeavours. This ARPANET legacy exists today; however, new versions of IP (IPv6) attempt to insert checks and balances to ensure the host computers are the intended target, are trustworthy and so forth. It should be mentioned that TCP/IP was selected not because it was the best protocol; it was simply the most widely used and available. Had a little forethought been put into the choice, we might not be dealing with the security problems we have today. But hindsight is always 20/20. This legacy has been the bane of many security experts. There have been calls to completely change the standards but that, according to most experts, is an unrealistic solution.

Another well-intentioned design decision was that the network would constantly analyse the integrity of the physical lines and, when any anomalies were detected, search out an alternative path to ensure the information is successfully transmitted.
Because the successful transmission of the data is its primary objective, the system will find by any means necessary the path it needs to meet its goal. It will retransmit the data several times over a certain period until it has achieved this objective; in the face of failure it will notify the sender that the transmission has failed. The network never analyses the content to determine if it poses a potential risk to the internal system. It will therefore unknowingly ensure the successful delivery of files and data that may, in turn, take down part of the network it relies on. So basically, you are faced with a system that is designed to transmit information regardless of whether or not it could inflict internal damage on the system. This is in part what we are up against.
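To make the handshake and the "retry, then give up" behaviour above concrete, here is an added example (not code from the talk) that models the server side of TCP connection set-up in C: the server answers each request and waits for the final acknowledgement, and the model shows what happens when that acknowledgement never arrives, which is also the mechanism behind the denial of service attack described later in these notes. The backlog size, timeout, addresses and timestamps are constructed values.

```c
/* Added example, not from the original talk: a toy model of the server side
 * of the TCP three-way handshake.  Each answered SYN occupies a slot in a
 * fixed-size table of half-open connections until the peer's final ACK
 * arrives.  Peers that never send that ACK leave their slot occupied, so
 * once the table is full a legitimate SYN is refused.  A half-open timeout
 * bounds the damage.  Addresses, timestamps and sizes are constructed; no
 * real network is touched. */
#include <stdio.h>
#include <string.h>

#define BACKLOG 4            /* half-open slots the server can hold */
#define HALF_OPEN_TIMEOUT 3  /* seconds an unanswered SYN-ACK may wait */

typedef enum { SLOT_FREE, SLOT_HALF_OPEN, SLOT_ESTABLISHED } slot_state;
typedef struct { slot_state state; char peer[16]; int syn_time; } conn_slot;
typedef struct { conn_slot slots[BACKLOG]; int dropped_syns, established; } tcp_server;

void server_init(tcp_server *s) { memset(s, 0, sizeof *s); }

/* Steps 1 and 2: a SYN arrives, the server replies SYN-ACK and records the
 * half-open connection.  Returns 1 if recorded, 0 if the backlog is full. */
int server_on_syn(tcp_server *s, const char *peer, int now) {
    for (int i = 0; i < BACKLOG; i++) {
        if (s->slots[i].state == SLOT_FREE) {
            s->slots[i].state = SLOT_HALF_OPEN;
            snprintf(s->slots[i].peer, sizeof s->slots[i].peer, "%s", peer);
            s->slots[i].syn_time = now;
            return 1;
        }
    }
    s->dropped_syns++;          /* no slot left: this peer gets no reply */
    return 0;
}

/* Step 3: the peer's ACK completes the handshake.  Returns 0 when no
 * matching half-open entry exists (never recorded, or already reaped). */
int server_on_ack(tcp_server *s, const char *peer) {
    for (int i = 0; i < BACKLOG; i++) {
        if (s->slots[i].state == SLOT_HALF_OPEN && strcmp(s->slots[i].peer, peer) == 0) {
            s->slots[i].state = SLOT_ESTABLISHED;
            s->established++;
            return 1;
        }
    }
    return 0;
}

/* Mitigation: give up on half-open entries whose SYN-ACK has waited too
 * long, the same "retry, then give up" idea the notes describe. */
int server_expire(tcp_server *s, int now) {
    int freed = 0;
    for (int i = 0; i < BACKLOG; i++) {
        if (s->slots[i].state == SLOT_HALF_OPEN && now - s->slots[i].syn_time >= HALF_OPEN_TIMEOUT) {
            s->slots[i].state = SLOT_FREE;
            freed++;
        }
    }
    return freed;
}

/* Constructed scenario: BACKLOG peers send a SYN at t=0 and never ACK; a
 * legitimate client (192.0.2.7) tries at t=1 and again at t=3.  Returns 1 if
 * the legitimate handshake completes, 0 if it is refused. */
int flood_scenario(int reap_half_open) {
    tcp_server s;
    server_init(&s);
    for (int i = 0; i < BACKLOG; i++) {
        char peer[16];
        snprintf(peer, sizeof peer, "10.0.0.%d", i + 1);
        server_on_syn(&s, peer, 0);
    }
    if (server_on_syn(&s, "192.0.2.7", 1)) return server_on_ack(&s, "192.0.2.7");
    if (reap_half_open) server_expire(&s, 3);         /* dead entries aged out */
    if (!server_on_syn(&s, "192.0.2.7", 3)) return 0; /* still full: refused */
    return server_on_ack(&s, "192.0.2.7");
}

int main(void) {
    printf("legitimate client without timeout: %d\n", flood_scenario(0));
    printf("legitimate client with timeout:    %d\n", flood_scenario(1));
    return 0;
}
```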
It started out with a group of trusted users, who all had a common interest and objective, as well as a common need for it to work well. Once it was opened up, it became a target, since you could no longer ensure that everyone could be trusted.
This is a simple illustration of how the information is transmitted.
Unlike other instances in history where individuals have capitalized on certain events or situations to commit existing crimes, the Internet has not only facilitated these existing forms of criminal activity, it has led to a whole new type of crime which could not exist without the Internet, and would disappear if the Internet were to cease to exist.
Passive attacks are particular in that once the necessary malicious code has been developed and distributed, it is left to travel the Net on its own, occasionally surfacing in its current form or in a variation meant to circumvent the tools created to combat it. These attacks truly capitalize on the Net's inherent drive to successfully transmit its data. Passive attacks are the fastest-growing type of cyber threat because they require little effort to design, launch and “upkeep”. However, they are no longer as serious as they previously were, as security tools have improved and are better at detecting them. Active attacks require the intervention of an individual or individuals who try to break into large secured servers or launch large-scale denial of service attacks against major networks. Even here much of the process has been automated to facilitate the hackers' efforts, but they are notable because of their sophistication and require a significant amount of knowledge and talent to undertake. Although less prevalent, if successful the damage they cause can be catastrophic to the intended and unintended targets. Examples: Denial of Service, Buffer Overflow, Port Attack.

MALICIOUS CODE: The following slides will look at some of the more prevalent computer crimes and how they function. A virus is a small piece of software that piggybacks on real programs. Computer viruses are called viruses because they share some of the traits of biological viruses. They pass from computer to computer like a biological virus passes from person to person. A computer virus must piggyback on top of some other program or document in order to get executed. Once it is running, it is then able to infect other programs or documents. For example, a virus might attach itself to a program such as Microsoft Word. Each time Word runs, the virus also runs, and it has the chance to reproduce by attaching to other programs or to wreak havoc.
Email viruses are currently the most popular method of spreading a virus. Similar to a virus, an email virus moves around in e-mail messages, and usually replicates itself by automatically mailing itself to dozens of people in the victim's email address book. In 1999, the Melissa email virus was the fastest-spreading virus ever seen. It forced a number of large companies to shut down their email systems. For example, someone creates the virus and sends it by email as an attachment to some unknown victim. Anyone who opens the document will trigger the virus. The virus then sends the document (and therefore itself) in an e-mail message to the first 50 people in the victim's address book. The e-mail message often contains a friendly note that includes the victim's name, so the recipient opens the document thinking it is harmless. The virus then creates 50 new messages from the second victim's machine.

A worm scans the network for another machine that has a specific security hole. It copies itself to the new machine using the security hole, and then starts replicating from there as well. Worms normally move around and infect other machines through computer networks. Using a network, a worm can expand from a single copy incredibly quickly. For example, the Code Red worm replicated itself over 250,000 times in approximately nine hours on July 19, 2001.

A Trojan horse is simply a computer program that claims to do one thing (it may claim to be a game) but instead does damage when you run it (it may erase your hard disk). Unlike viruses, Trojan horses have no way to replicate automatically.

The ILOVEYOU virus, which appeared on May 4, 2000, was very simple. It contained a piece of code as an attachment in an email with the heading I Love You. It was sent as an e-mail virus and people who double-clicked on the attachment allowed the code to execute. The code sent copies of itself to everyone in the victim's address book and then started corrupting files on the victim's machine.
HACKING: Hacking is unauthorized use of computer and network resources. (The term "hacker" originally meant a very gifted programmer. In recent years though, with easier access to multiple systems, it has taken on negative implications.) Hacking is a felony in most countries. Hackers will attempt to exploit network, computer and software flaws. Examples of weaknesses include poor configuration of Web servers, old or unpatched software, disabled security controls, and poorly chosen or default passwords.

Denial of Service Attack: A hacker sends a request, from an untraceable location, to a server to connect to it. When the server responds with an acknowledgement and tries to establish a session, it cannot find the system that made the request. By inundating a server with these unanswerable session requests, a hacker causes the server to slow to a crawl and sometimes crash.

Buffer Overflow Attack: A buffer overflow occurs when a program tries to store more data in a buffer (a temporary data storage area) than it was intended to hold. Buffers are created to contain a limited amount of data, so the extra information, which has to go somewhere, can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. Although it may occur accidentally through programming error, it is an increasingly common type of security attack on data integrity. In buffer overflow attacks, the extra data may contain code designed to trigger specific actions, in effect sending new instructions to the attacked computer that could, for example, damage the user's files, change data, or disclose confidential information.
Buffer overflow attacks are said to have arisen because the C programming language supplied the framework, and poor programming practices supplied the vulnerability. Examples: In 2000, a vulnerability to buffer overflow attack was discovered in Microsoft Outlook and Outlook Express. A programming flaw made it possible for an attacker to compromise the integrity of the target computer by simply sending it an e-mail message. Unlike the typical e-mail virus, users could not protect themselves by not opening attached files; in fact, the user did not even have to open the message to enable the attack. The programs' message header mechanisms had a defect that made it possible for senders to overflow the area with extraneous data, which allowed them to execute whatever type of code they desired on the recipient's computer. Because the process was activated as soon as the recipient downloaded the message from the server, this type of buffer overflow attack was very difficult to defend against. Microsoft has since created a patch to eliminate the vulnerability.

Port Attack: Network servers make services (*) available using numbered ports, one for each service they provide. Web browsing services are available on port 80, whereas file sharing (peer-to-peer) services such as eDonkey and Gnutella offer their services over ports 4662 and 6346. If vulnerabilities are found in either application, hackers can exploit these flaws to gain access to the network. (*) Services include email, Internet browsing, peer-to-peer file sharing, online chatting and Voice over IP communications.
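As an added illustration of the defect described above (not code from the talk or from any product it names), this C fragment places a fixed-size header field next to another variable, shows the unchecked copy that lets extra bytes land on the neighbour, and sets beside it the bounded parser that rejects oversized input instead. The field size, the record layout and the sample subject line are constructed.

```c
/* Added example, not from the talk or any product it names: the programming
 * defect behind the slide's buffer overflow description.  A fixed-size
 * "subject" field sits next to a flag in the same record; the unchecked copy
 * lets bytes past the field's end land on that flag, the bounded parser
 * refuses oversized input instead.  Sizes, layout and the sample subject are
 * constructed. */
#include <stdio.h>
#include <string.h>

#define SUBJECT_MAX 16   /* bytes reserved for the subject, terminator included */

typedef struct {
    char subject[SUBJECT_MAX];
    int  trusted_sender;  /* adjacent data an overflow would overwrite */
} header_record;

/* Defective version: copies whatever the sender supplied with no length
 * check.  Input of SUBJECT_MAX bytes or more writes past `subject`, which is
 * undefined behaviour; this file only ever calls it with input that fits. */
void parse_subject_unchecked(header_record *h, const char *wire_subject) {
    strcpy(h->subject, wire_subject);   /* no bound: the defect */
}

/* Hardened version: rejects input that does not fit rather than truncating
 * it silently or spilling over.  Returns 0 on success, -1 if too long. */
int parse_subject_checked(header_record *h, const char *wire_subject) {
    size_t n = strlen(wire_subject);
    if (n >= SUBJECT_MAX) return -1;    /* leave the record untouched */
    memcpy(h->subject, wire_subject, n + 1);
    return 0;
}

/* How many bytes of a candidate subject (terminator included) would spill
 * past the field, i.e. how much adjacent data an unchecked copy would hit. */
size_t overflow_bytes(const char *wire_subject) {
    size_t n = strlen(wire_subject) + 1;
    return n > SUBJECT_MAX ? n - SUBJECT_MAX : 0;
}

/* Constructed sample: a subject far longer than the field. */
static const char LONG_SUBJECT[] = "RE: RE: RE: quarterly figures attached, please read";

/* Returns 1 if the hardened parser refused the oversized subject and left
 * both the field and the adjacent flag exactly as they were. */
int hardened_parser_protects_flag(void) {
    header_record h = { "", 1 };
    int rc = parse_subject_checked(&h, LONG_SUBJECT);
    return rc == -1 && h.trusted_sender == 1 && h.subject[0] == '\0';
}

int main(void) {
    header_record h = { "", 1 };
    parse_subject_unchecked(&h, "hello");           /* fits: both copies agree */
    printf("short subject stored: %s\n", h.subject);
    printf("bytes an unchecked copy of the long subject would spill: %zu\n",
           overflow_bytes(LONG_SUBJECT));
    printf("hardened parser kept the flag intact: %d\n", hardened_parser_protects_flag());
    return 0;
}
```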
TRADITIONAL CRIMES: The increasing speed and size at which files can be transferred on the Internet has led to an increase in certain types of crimes that have always existed but for technical reasons were never conducted on a large scale.

Theft of digital content: Since the invention of tape recorders, vinyl records and tapes have been passed around amongst friends and copied. However, the quality and limited selection meant that such crimes were small in scale and never attracted the attention of recording studios. The same also applies to movies on VHS video. The evolution of music and movies to a digital format and the creation of peer-to-peer networks, coupled with broadband Internet in North America, Europe and Asia, has made the trading of movies, music and software so prevalent that the recording, movie and software industries have been able to track the decrease in sales of their products against the growth in popularity of file sharing applications such as Napster, Gnutella and eDonkey. Despite aggressive tactics by all these industries, as one program declines in popularity another is there to take its place with a new approach and tricks to avoid detection or prevent file sharing.

Credit Card Fraud: Such crimes have existed since the advent of credit cards, but the scale is significantly higher since the Internet came along. There are several ways to conduct this crime but most involve tricking a person into giving up their credit card number and expiry date. Most thefts occur through online auctions like eBay. New measures, such as trusted third parties to handle the exchange of money, have been promoted to reduce the occurrences.

Identity Theft: Identity theft involves any instance where a person uses someone else's identification documents or other identifiers in order to impersonate that person. In 2002, an estimated 10 million people in the US were victims of identity theft.
Identities are stolen to commit some of the following crimes: financial fraud, including bank fraud, credit card fraud and computer and telecommunications fraud. Financial identity theft is the most prevalent (of the approximately 10,000 financial crime arrests in the US, 94% involved identity theft). Criminal activities involve taking on someone else's identity in order to commit a crime, enter a country, get special permits, hide one's own identity, or commit acts of terrorism.

Child Exploitation and Pornography: Computers and the Internet are very popular with young people as a way to keep in touch with friends and learn about the latest fashion and music. Child molesters know this and are using the Internet as a tool to lure young children away from the security of their homes and sexually assault them. Basically they find a website that is popular with young children and start a conversation by pretending to be a child of the same age as their victim. Since the victim can’t see the person, they don’t know that this person is lying about their age. After some time, the child may start to trust this imposter and agree to meet them at a location away from the safety of their home to finally meet their new friend. Unfortunately, this is often when the child finds out that the person is lying and is taken against their will and molested. These crimes are happening with frightening frequency in the US and molesters are finding new ways to attract potential victims with offers of money, toys, and anything else children like.
As many of you may know, phishing is a new crime whereby the criminal “spoofs” the login web page of a financial institution. When unsuspecting customers enter their card number and PIN, a copy is sent to the criminal and then the “spoofed” page redirects the users to the actual web page of that financial institution. Banks have always been a favourite target of criminals; however, bar none, banks invest more money in security than any other industry sector. This is just as true for e-security. Even in Africa, banks have clearly sensed the potential threat to their interests and are manoeuvring themselves to be prepared once Africans start taking up online banking. Criminals have therefore decided to go after the next best thing, the clients, whose money the banks are safeguarding. What is more disconcerting is that prior to the Internet, such crimes required that the criminal find a victim with deep pockets to make such a venture worthwhile. It also required an enormous amount of effort to gain the trust and confidence of an individual so that you could be in a position to gain access to their money. The Internet has almost eliminated such requirements. First, criminals can indiscriminately target any victim, regardless of whether they have 100s, 1,000s or 1,000,000s in their account. We are dealing with economies of scale. Also, many bank clients almost never visit the bank and therefore the bank has not established any personal relationship with the client. If a criminal does need to visit the bank, they will most likely go unnoticed.

PHISHING AND EMAIL SCAMS: Phishing is an attempt by a third party to solicit confidential information from an individual, group, or organization, often for illicit financial gain or other fraudulent purposes. Phishing is a serious threat, not only to consumers but also to e-commerce companies, financial institutions, and other organizations that conduct transactions over the Internet.
Phishers often use spoofed email, malicious Web sites, or Trojans delivered surreptitiously through a Web browser to trick users into disclosing sensitive data, such as credit card numbers, online banking information and other confidential information. If consumers lose confidence in the security of transactions conducted over the Internet, businesses and organizations that rely on such transactions could suffer serious financial losses.
As I previously mentioned, the Internet was not designed with security in mind, so now we are playing catch-up. Additionally, in an effort to meet consumer expectations, software developers are releasing new products that have inherent flaws which, if discovered, could be used to commit crimes. We continue to accept the approach that we will release products now and deal with the flaws as they arise.

I want to take a moment to talk about open-source vs proprietary applications. There is a belief that open source is more secure than proprietary applications. This idea is perpetuated based on the notion that there is a large community of programmers constantly reviewing the applications and therefore “fixing” problems, unlike their closed counterpart, which is limited to a defined group of developers. I would like to partially dispel this “myth”. First, if we are comparing Linux versus some small proprietary software, this argument may hold water, but when comparing apples to apples, I for one don’t think it flies. Microsoft employs in the US alone tens of thousands of developers, who are tasked with reviewing the software they produce. Although they will shift their attention to the “bugs” of the day, they monitor everything. Recent analysis of open-source blogs and newsgroups has demonstrated that developers focus primarily on issues of the day, and that unfortunately the nature of open source does not lend itself to coordination and systematic approaches to improve software. Also, as open-source apps are more widely adopted, such as Firefox, experts have seen a marked increase in the number of successful attacks and flaws. I’m not advocating Microsoft over Linux; I’m simply saying don’t be misled into the notion that open source will resolve your security issues. Pick the application that suits your needs.
Law enforcement has documented a growth in the number of online crimes being committed by individuals who would not, under normal circumstances, be predisposed to criminal activity. Many psychologists opine that this may be in part because the Internet provides a false sense of anonymity to its users, who may feel empowered and less inhibited when faced with the opportunity to commit a crime. It should be noted that such crimes are not restricted to copying music and movies, but range from harassment, fraud and pyramid schemes to sexual assault.
We’ve talked about cyber crime and the intentional attempts by insiders and outsiders to inflict damage on networks or steal information. Unfortunately, if those were the only problems faced we would have it easy. The reality is that most problems start from within, with unsuspecting users. Above are some of the more common problems, but what it all points to is raising awareness amongst employees that their habits will greatly determine how secure the networks are. I know it’s tempting at this point to say, I’ve got the perfect solution: confine the “networked” computers to a secure location, monitor usage and limit access to trained staff only. The problem is that as the Internet becomes more prevalent you will be faced with inexperienced users who are now forced to deal with a connected computer.
Because they have ultimate access to the systems, and because few if any senior officers have the same level of understanding of the systems, they can unknowingly open up the network to attacks. Also, experienced cyber criminals are resorting to social engineering to increase the success rate of an attack. One of the best examples was the “I Love You” virus. Because it was an auto-emailing virus, it would scan people's address books and resend itself to people known to you. If your wife, husband, child, mother or ‘lover’ received it they were most likely overjoyed at receiving such a beautiful email and never for one second thought it contained a virus. They also prey on other human weaknesses, as seen with the Anna Kournikova virus, which promised nude pictures of the tennis star. Many were disappointed.
You will notice that I do not mention penalties for failure to comply. I think that this should be approached very cautiously. I once attended a conference where a participant suggested that any breach of policy should be met with dismissal. The presenter cautioned that if certain expertise is scarce and it just happens to be the person with those skills that breaches the policy, firing them may prove to be rather short-sighted when important contracts or complex work are required. Think it through beforehand.
When considering cyber security, costs are a fundamental issue. Luckily, there are a number of things that most companies can do to secure their networks at little or no additional cost. Utilising the basic tools in network operating software is extremely effective in limiting what employees can do from their computers. Incorporating minimum password standards and physically limiting access to servers will also greatly reduce the number of breaches to your network.
For a relatively small investment, companies should acquire software or hardware that will monitor incoming and outgoing files for known viruses, as well as disable access to and from your network for ports and web sites that can increase the likelihood of contamination. This includes file-sharing applications like eDonkey.