Identity Theft
Identity theft involves the unauthorized acquisition and use of personal information, such as a person’s name, Social Security number, or credit card details, without the owner’s consent. This stolen information is often used to commit fraud, including making unauthorized purchases, applying for loans, or obtaining government benefits. In many cases, identity thieves sell this sensitive information on the black market. A common precursor to identity theft is a data breach, where sensitive data is accidentally exposed or accessed by unauthorized individuals.
A notable example occurred in 2015 when a significant data breach at Ashley Madison, a website catering to married individuals seeking extramarital affairs, exposed 37 million customer records. The compromised data, including names and addresses, was publicly posted, leading to multiple lawsuits against the company for its failure to safeguard personal information.
To combat online credit card fraud, most e-commerce websites employ encryption technology to protect information as it is transmitted from consumers. Additionally, some sites use address verification systems, cross-referencing the address submitted during a transaction with the one on file with the issuing bank. However, this can sometimes mistakenly flag legitimate orders, such as when a customer ships a gift to a different address. Another common security measure is the card verification value (CVV), a three-digit number on the back of a credit card, which helps prevent the unauthorized use of stolen card numbers for online purchases. Moreover, some websites utilize transaction-risk scoring software to monitor customers’ shopping patterns and flag transactions that deviate from their typical behavior. For instance, if a credit card is suddenly used for a large transaction at a casino in the middle of the night, the system might decline the transaction due to its high-risk score.
Cyberespionage
Cyberespionage refers to the covert use of malware to steal sensitive data from organizations, including government agencies, military contractors, political groups, and manufacturing firms. The stolen data often grants the perpetrator an unfair competitive advantage and is usually protected by patents, copyrights, or trade secrets. The types of data targeted include sales, marketing, and product development plans, detailed product designs, employee personal information, customer data, and confidential partner agreements.
Tensions between China and the United States have long been fueled by allegations of cyberespionage. U.S. experts argue that cyberespionage has allowed China to fast-track its research and development, significantly reducing the time needed to acquire new technology across various industries. Alleged targets include aluminum and steel producers, nuclear power plant designers, solar panel manufacturers, and aircraft manufacturers. In response, China’s Foreign Ministry has accused the United States of hypocrisy, citing alleged U.S. cyberespionage activities, including cybertheft, wiretapping, and surveillance against Chinese entities. In 2015, President Obama and Chinese President Xi reached an agreement on initial norms of cyber activities, pledging that neither nation would engage in cybertheft of intellectual property for commercial gain. However, the long-term impact of this agreement remains uncertain.
Cyberterrorism
Cyberterrorism involves using information technology to intimidate or coerce governments or civilian populations by disrupting critical national infrastructure—such as energy, transportation, financial systems, and law enforcement—to achieve political, religious, or ideological objectives. It is a growing global concern, with U.S. President Obama stating in 2015 that cyber threats pose a significant national security danger to the United States.
The Department of Homeland Security (DHS) is a large federal agency with over 240,000 employees and an annual budget of nearly $65 billion. Its primary goal is to ensure a safer, more secure America. The DHS’s Office of Cybersecurity and Communications, part of the National Protection and Programs Directorate, is responsible for enhancing the security, resilience, and reliability of the U.S. cyber and communications infrastructure. The office works to prevent or minimize disruptions to critical information infrastructure, thereby protecting the public, the economy, and government services. The DHS website allows users to report cyber incidents processed by the U.S. Computer Emergency Readiness Team (US-CERT). Established in 2003, US-CERT protects the nation’s internet infrastructure from cyberattacks and serves as a clearinghouse for information on new viruses, worms, and other computer security topics.
Cyberterrorists often try to gain unauthorized access to critical sites, including the computers of intelligence agencies in the U.S., UK, Israel, and other countries. Companies in the oil and gas industry are particularly high-value targets for cyberterrorists, as they seek to disrupt the flow of oil and natural gas, potentially leading to devastating consequences such as energy shortages during winter or soaring gas prices.
In late 2015, cyberterrorists attacked two electric utility companies in western Ukraine, causing a three-hour power outage that affected 80,000 customers. The attackers also froze the data on operators’ screens, preventing them from recognizing the outage, and launched a telephone denial-of-service attack to block customers from reporting the issue. The attackers activated KillDisk malware, which destroyed the operators’ machines, further prolonging the outage.
Federal Laws for Prosecuting Computer Attacks
Over the years, several federal laws have been enacted to prosecute computer-related crimes. These include the Computer Fraud and Abuse Act, which addresses fraud and related activities involving computers; the Identity Theft and Assumption Deterrence Act, which makes identity theft a federal crime with penalties of up to 15 years in prison and a $250,000 fine; and the USA Patriot Act, which defines cyberterrorism and imposes penalties of 5 to 20 years in prison for those convicted.
Critical Thinking Exercise: Hiring a Black Hat Hacker
As a member of the Human Resources Department at a software manufacturer with annual revenue exceeding $500 million, the team is faced with a request from the software development manager to hire a notorious black hat hacker. The hacker would probe the company’s software products for vulnerabilities, providing an opportunity to develop patches before any exploits occur. While the idea is to get ahead of potential threats, there is unease regarding the hiring of someone with a criminal background and ties to the hacker community. A decision must be made on whether to approve the hire, weighing the potential benefits against the ethical concerns and risks of bringing such an individual into the organization.
Implementing Secure, Private, Reliable Computing
Organizations increasingly demand secure, private, and reliable computing experiences based on sound business practices. This need has become a top priority for software and hardware manufacturers, consultants, and system designers. A robust security program begins with assessing the threats to an organization’s computers and networks, identifying actions to address the most severe vulnerabilities, and educating users on the risks and necessary precautions to prevent security incidents. The organization’s IS security group plays a critical role in leading efforts to prevent breaches by implementing security policies and procedures and effectively using available hardware and software tools. However, since no security system is foolproof, continuous monitoring for possible intrusions and a clear plan for responding to incidents should include steps for notification, evidence protection, maintaining activity logs, containment, eradication, and recovery.
Risk Assessment
Risk assessment evaluates security-related risks to an organization’s computers and networks, considering internal and external threats that could prevent the organization from achieving its key business objectives. Risk assessment aims to determine which investments of time and resources will best protect the organization from its most likely and severe threats. In the context of IS, an asset could be any hardware, software, information system, network, or database essential for achieving business objectives. A loss event is any incident that negatively impacts an asset, such as a virus infection or a distributed denial-of-service (DDoS) attack.
The general steps in a security risk assessment process include:
1. Identifying critical IS assets.
2. Recognizing potential loss events or threats, such as insider fraud or DDoS attacks.
3. Assessing the likelihood of each threat occurring.
4. Determining the impact of each potential threat.
5. Exploring ways to mitigate each threat, focusing on the most likely and with the highest potential impact.
6. Evaluating the feasibility of implementing mitigation strategies.
7. Conduct a cost-benefit analysis to ensure the mitigation efforts are cost-effective.
8. Deciding whether to implement specific countermeasures, possibly reassessing the threat if a countermeasure is too costly.
This process helps organizations focus their security efforts on areas where they will have the most significant impact, balancing the cost of prevention with the potential risk of a breach.
Establishing a Security Policy
A security policy defines an organization’s security requirements, and the controls and sanctions needed to meet those requirements. A well-crafted security policy outlines the responsibilities of the organization’s members and the expected behavior without specifying the technical details of how to accomplish these goals. Templates and guidelines for creating various policies, such as acceptable use, email, password protection, and remote access policies, are available from resources like the SANS Institute.
Whenever possible, automated system rules should reflect the organization’s written policies. For example, if a policy requires passwords to be changed every 30 days, systems should be configured to enforce this automatically. However, users may attempt to circumvent or ignore these policies, and system administrators must ensure that default usernames and passwords are changed to prevent unauthorized access.
As mobile devices become increasingly integral to business operations, special security requirements should be included in security policies. For example, users may be required to use a virtual private network (VPN) to access the corporate network securely.
Educating Employees and Contract Workers
Training employees and contract workers about security policies is crucial for maintaining a secure environment. Users must understand their role in the security system and the importance of following security policies. This can be achieved by discussing recent security incidents and emphasizing the responsibilities of users, such as protecting passwords, applying strict access controls, and reporting unusual activity.
A self-assessment security test can help employees and contractors evaluate their adherence to security practices, such as keeping their operating systems updated, using strong passwords, and following the organization’s policies for accessing corporate systems from remote locations.
Prevention
No organization can be completely secure from attack, so implementing a layered security approach is essential. In a layered solution, if an attacker breaches one layer, they must overcome additional layers to achieve their goal. Standard preventive measures include installing corporate firewalls, utilizing security dashboards, installing antivirus software, and implementing safeguards against attacks by malicious insiders.
A corporate firewall acts as a barrier between the organization’s internal network and the internet, controlling access based on the organization’s policies. Next-generation firewalls (NGFWs) offer advanced protection by inspecting packet contents for harmful activities, such as known vulnerabilities and malware.
Security dashboards provide a comprehensive view of an organization’s security status, consolidating data from various sources, including security audits, firewalls, and servers. This helps reduce the effort required to monitor threats and enables timely action.
Antivirus software is essential for scanning computers regularly for viruses, worms, and other malicious code. Keeping antivirus software updated with the latest virus signatures is crucial, as most attacks exploit known vulnerabilities.
To mitigate the risk of insider attacks, organizations should promptly delete user accounts of departing employees, separate vital responsibilities, and create user accounts with permissions limited to specific job roles. Regularly rotating employees in sensitive positions and conducting periodic IT security audits are preventive measures.
Detection
Even with preventive solid measures, organizations are not entirely immune to attacks. Therefore, implementing detection systems to catch intruders in the act is essential. Intrusion detection systems (IDS) monitor system and network activities, alerting security personnel when they detect suspicious activity.
IDS can use knowledge-based or behavior-based approaches to identify potential intrusions. Knowledge-based IDS detects specific attacks by recognizing known vulnerabilities, while behavior-based IDS identifies anomalies by comparing current activity against a model of normal behavior.
In conclusion, achieving secure, private, and reliable computing requires a comprehensive approach that includes risk assessment, policy establishment, employee education, prevention, and detection. By implementing these strategies, organizations can better protect their assets and minimize the impact of potential security incidents.
Response
Organizations must prepare for the potential occurrence of a cyberattack that could circumvent their defenses, potentially inflicting damage on data and information systems. Developing a comprehensive response plan in advance is critical to manage such incidents effectively. This plan requires approval from the legal department and senior management and is essential for retaining control during a technical and emotional breach.
When a security breach happens, the primary goal is to regain control and minimize damage rather than pursuing or trying to catch the intruder. System administrators sometimes see the discovery of an intruder as a personal challenge, leading them to spend valuable time on a pursuit that detracts from the more critical task of restoring normal operations.
Incident Notification
A vital element of any response plan involves clearly defining who gets notified about a security incident and who does not. This includes deciding which internal stakeholders need updates, the necessary information they require, and planning how to inform significant customers and suppliers about the disruption without causing undue alarm. The plan must also specify when to involve local authorities or the FBI.
Security experts generally recommend sharing specific breach details in public forums, such as news reports, conferences, or online discussion groups. It is crucial to keep everyone involved in the response effort informed. However, communication should happen over systems not connected to the compromised network since the intruder might monitor these systems to assess the organization’s reaction.
Organizations are ethically obligated to notify customers and others whose personal data may have been compromised. While hiding this information might seem appealing to avoid negative publicity and customer loss, such actions are unethical. Consequently, many state and federal laws now mandate that organizations disclose breaches to affected individuals.
Protection of Evidence and Activity Logs
When resolving a security incident, it is crucial to document all relevant details. This documentation provides valuable evidence for potential future legal action and essential information for the incident eradication and follow-up phases. Logging all system events, specific actions taken (including what, when, and by whom), and all external communications in a logbook is essential. Since this documentation may be used as court evidence, organizations should establish proper document-handling procedures, with guidance from the legal department.
Incident Containment
Swift action is often required to contain an attack and prevent the situation from worsening. The response plan should clearly define the criteria for determining whether an attack is severe enough to justify shutting down or disconnecting critical systems from the network. The plan should also outline the decision-making process, including how quickly decisions must be made and who is authorized to make them.
Eradication
Before beginning the eradication process, the IT security team must gather and log all potential criminal evidence and verify that all necessary backups are current, complete, and free of malware. Creating a forensic disk image of each compromised system on write-only media can be helpful in later analysis and as evidence. A new backup should be created after the virus or malware has been eradicated. Throughout this process, it is essential to maintain a log of all actions taken to ensure the problem does not recur and to aid in the incident follow-up phase. Regular backups are critical, but many organizations find that their backup processes need to be improved when restoring data after an incident. Backups should be frequent enough to allow for a complete and quick restoration of data, and the restoration process must be tested regularly to ensure its effectiveness.
Incident Follow-Up
A crucial aspect of incident follow-up is understanding how the organization’s security was compromised to prevent a recurrence. Sometimes, the fix may be as simple as applying a software patch from a vendor. However, it is essential to look beyond the immediate fix and understand why the incident occurred in the first place. If a software patch could have prevented the breach, why wasn’t it installed before the incident?
After an incident, a review should be conducted to evaluate what happened and how the organization responded. One practical approach is to write a formal incident report that includes a detailed chronology of events, an analysis of the incident’s impact, and identification of any mistakes made during the response. This report should be used to update and revise the organization’s security incident response plan. Critical elements of a formal incident report include:
– IP address and name of the host computer(s) involved
– Date and time when the incident was discovered
– Duration of the incident
– How the incident was discovered
– Method used to gain access to the host computer
– Detailed discussion of vulnerabilities exploited
– Determination of whether the host was compromised
– Nature of the data stored on the computer (customer, employee, financial, etc.)
– Assessment of whether the accessed data is personal, private, or confidential
– Number of hours the system was down
– Overall impact on the business
– Estimate of total monetary damage from the incident
– Detailed chronology of all events associated with the incident
Creating a detailed chronology of events will also document the incident for potential future legal action. It is essential to estimate the monetary damage caused by the incident, including lost revenue, decreased productivity, and the costs of addressing it, such as replacing data, software, and hardware.
Another important consideration is the effort that should be devoted to identifying and apprehending the perpetrator. If a website was defaced, restoring the HTML can quickly resolve the issue. However, the organization may need to invest substantial resources to track the perpetrators if the attackers cause more significant damage, such as erasing critical source code or stealing trade secrets. This decision should also consider the potential negative publicity resulting from public trials and the associated costs in public relations. Additionally, organizations must consider whether they have an ethical or legal obligation to inform customers or clients if a cyberattack has put their personal data or financial resources at risk.
As these threats continue to grow, it is imperative that organizations and governments alike implement robust security measures and collaborate on international agreements to mitigate these risks. The comprehensive approach to incident response, including preparation, containment, eradication, and follow-up, ensures that organizations can effectively manage and recover from security incidents while minimizing the risk of future breaches.
References
- Identity Theft Resource Center. (2023). What is Identity Theft? https://www.idtheftcenter.org/
- U.S. Department of Homeland Security. (2023). Cybersecurity and Infrastructure Security Agency. https://www.cisa.gov/
- U.S. Federal Bureau of Investigation (FBI). (2023). Cyber Crime. https://www.fbi.gov/investigate/cyber
- Rapid7. (2023). What is Cyber Espionage? https://www.rapid7.com/fundamentals/cyber-espionage/
- Identity Theft Resource Center. (2023). Major Data Breaches. https://www.idtheftcenter.org/data-breaches/
- National Cybersecurity and Communications Integration Center (NCCIC). (2023). Incident Response Best Practices. https://us-cert.cisa.gov/nccic
- U.S. Department of Justice. (2023). Computer Crime and Intellectual Property Section (CCIPS). https://www.justice.gov/criminal-ccips
- Pew Research Center. (2022). Cyberattacks, Data Breaches, and Cybersecurity: Concerns for Individuals and Businesses. https://www.pewresearch.org/
+ There are no comments
Add yours