
Ciis451 Legal & Ethical Use of It_lesson3_computer & Internet Crime

The document discusses computer and internet crime, focusing on the increase in security incidents, common types of attacks, and the profiles of perpetrators. It emphasizes the importance of ethical decisions in IT security, the necessity of a multilayered approach to manage vulnerabilities, and the role of computer forensics in incident response. Strategies to prevent online fraud and the establishment of security policies are also highlighted.

Uploaded by

Kofi Boateng

CIIS451 Legal & Ethical Use of Information Technology
Lesson 3: Computer and Internet Crime

Instructor: Thomas Henaku


Learning Objectives
• What key trade-offs and ethical issues are associated with the safeguarding of data and information systems?
• Why has there been a dramatic increase in the number of computer-related security incidents in recent years?
• What are the most common types of computer security attacks?
• Who are the primary perpetrators of computer crime, and what are their objectives?

Learning Objectives (cont.)
• What are the key elements of a multilayer process for managing security vulnerabilities based on the concept of reasonable assurance?
• What actions must be taken in response to a security incident?
• What is computer forensics, and what role does it play in responding to a computer incident?

Ethical Decisions Regarding IT Security
• To deal with computer crime, the firm should:
  • Pursue prosecution of the criminals at all costs
  • Maintain a low profile to avoid the negative publicity
  • Inform affected customers or take some other action
• The following decisions should be taken by the firm:
  • How many resources should be spent to safeguard against computer crime

Why Computer Incidents are So Prevalent
• Increasing complexity increases vulnerability
  • Number of entry points to a network expands continually, increasing the possibility of security breaches
  • Cloud computing: Environment where software and data storage are provided via the Internet
  • Virtualization software: Operates in a software layer that runs on top of the operating system
    • Enables multiple virtual machines to run on a single

Why Computer Incidents are So Prevalent (cont.)
• Higher computer user expectations
  • Not verifying users’
  • Sharing of login IDs and passwords by users
• Expanding and changing systems require one to:
  • Keep up with the pace of technological change
  • Perform an ongoing assessment of new security risks
  • Implement approaches for dealing with them

Why Computer Incidents are So Prevalent
• Bring your own device (BYOD): Business policy that permits employees to use their own mobile devices to access company computing resources and applications
• Increased reliance on commercial software with known vulnerabilities
  • Exploit: Attack on an information system that takes advantage of a particular system vulnerability
  • Zero-day attack: Takes place before the security community or software developer

Types of Exploits
Virus
• Piece of programming code, disguised as something else, that causes a computer to behave in an unexpected and undesirable manner
Worm
• Harmful program that resides in the active memory of the computer and duplicates itself
Trojan Horse
• Program in which malicious code is hidden inside a seemingly harmless program
• Logic bomb: Executes when it is triggered by a

Types of Exploits
Spam
• Abuse of email systems to send unsolicited email to large numbers of people
• CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart)
  • Generates and grades tests that humans can pass but computer programs cannot
Distributed Denial-of-Service (DDoS) Attack
• Causes computers to flood a target site with demands for data and other small tasks
Rootkit
• Enables user to gain administrator-level access to a computer without the end user’s consent
Phishing
• Fraudulently using email to try to get the recipient to reveal

Botnet
• Group of computers which are controlled from one or more remote locations by hackers, without the knowledge or consent of their owners
• Zombies: Computers that are taken over
• Used to distribute spam and malicious code

Types of Phishing
• Spear-phishing: Phisher sends fraudulent emails to a certain organization’s employees
  • Emails are designed to look like they came from high-level executives within the organization
• Smishing: Legitimate-looking text message sent to people, telling them to call a specific phone number or to log on to a Web site
• Vishing: Victims receive a voice mail

Types of Perpetrators
• Thrill seekers wanting a challenge
• Common criminals looking for financial gain
• Industrial spies trying to gain a competitive advantage
• Terrorists seeking to cause destruction to further their cause


Classifying Perpetrators of Computer Crime

Types of Perpetrators
• Hackers: Test the limitations of information systems out of intellectual curiosity
  • Lamers or script kiddies: Terms used to refer to technically inept hackers
• Malicious insiders
  • Employees, consultants, or contractors
  • Have some form of collusion
  • Collusion: Cooperation between an employee and an outsider
• Negligent insiders: Poorly trained and

Types of Perpetrators
• Industrial spies
  • Competitive intelligence: Legally obtained data gathered using sources available to the public
  • Industrial espionage: Using illegal means to obtain information that is not available to the public
• Cybercriminals
  • Hack into computers to steal and engage in computer fraud
  • Data breach: Unintended release of sensitive data or the access of sensitive data by

Types of Perpetrators
• Hacktivists: Hack to achieve a political or social goal
• Cyberterrorists: Launch computer-based attacks to intimidate or coerce an organization in order to advance certain political or social objectives
  • Use techniques that destroy or disrupt services
  • Consider themselves to be at war
  • Have a very high acceptance of risk
  • Seek maximum impact

Strategies to Reduce Online Credit Card Fraud
• Use encryption technology
• Verify the address submitted online against the issuing bank
• Request a card verification value (CVV)
• Use transaction-risk scoring software
• Use smart cards
  • Smart cards: Memory chips are updated with encrypted data every time the card is used

Trustworthy Computing
Delivers secure, private, and reliable computing experiences based on sound business practices

Actions taken by Microsoft to support trustworthy computing

Risk Assessment
• Assessing security-related risks to an organization’s computers and networks from internal and external threats
• Identify investments that will protect the organization from most likely and serious threats
• Asset - Hardware, software, information system, network, or database used by an organization to achieve its business objectives

General Security Risk Assessment

Source Line: General Security Risk Assessment Guidelines, ASIS International (2003). See the Standards and Guidelines page of the ASIS International website (www.asisonline.org) for revisions and/or updates. Reprinted by permission.

Security Policy
• Defines an organization’s security requirements and the controls and sanctions needed to meet those requirements
• Delineates responsibilities and expected behavior
• Outlines what needs to be done and not how it should be done

Establishing a Security Policy
• Areas of concern
  • Use of email attachments
  • Use of wireless devices
• Virtual private network (VPN): Works by using the Internet to relay communications
  • Encrypts data at the sending end and decrypts it at the receiving end

Educating Employees and Contract Workers
• Motivates them to understand and follow the security policies
• Users must help protect an organization’s information systems and data by:
  • Guarding their passwords
  • Prohibiting others from using their passwords
  • Applying strict access controls
  • Reporting all unusual activity to the organization’s IT security group

Prevention
Install a corporate firewall
• Limits network access based on the organization’s access policy
Intrusion detection system (IDS)
• Monitors system and network resources and activities
• Notifies network security personnel when network traffic attempts to circumvent the security measures
Antivirus software
• Scans for a specific sequence of bytes, known as

Prevention
Implement safeguards against attacks by malicious insiders
• Promptly delete the computer accounts, login IDs, and passwords of departing employees and contractors
Defend against cyberterrorism
• Department of National Security: Aims to secure critical infrastructure and information systems
Address critical internet security threats
• High-impact vulnerabilities should be fixed on a priority basis
Conduct periodic IT security audits
• Security audit: Evaluates whether an organization has a well-considered security policy in place and if it is being followed

Intrusion Detection Systems
Catch the Intruders in the Act
Minimize Impact of Intruders

Response Plan
• Incident notification
  • Define who to notify and who not to notify
  • Refrain from giving out specific information about a compromise in public forums
• Protection of evidence and activity logs
  • Document all details of a security incident to help with future prosecution and incident eradication
• Incident containment
  • Determine if an attack is dangerous enough to warrant shutting down the systems

Response Plan (cont.)
• Eradication
  • Collect and log all criminal evidence from the system
  • Verify that all backups are current, complete, and free of any virus
• Incident follow-up
  • Determine how the security was compromised
  • Conduct a review to evaluate how the organization responded
  • Create a detailed chronology of all events

Computer Forensics
• Combines elements of law and computer science to:
  • Identify, collect, examine, and preserve data from computer systems
  • Collect data in a manner that preserves the integrity of the data gathered so that it is admissible as evidence in a court of law

Summary
• Ethical decisions in determining which information systems and data most need protection
• Most common computer exploits
  • Viruses and worms
  • Trojan horses
  • Distributed denial-of-service attacks
  • Rootkits and spam
  • Phishing and spear-phishing
  • Smishing and vishing

Summary
• Perpetrators include:
  • Hackers
  • Crackers
  • Malicious insider
  • Industrial spies
  • Cybercriminals
  • Hacktivist
  • Cyberterrorists

Summary
• Must implement multilayer process for managing security vulnerabilities, including:
  • Assessment of threats
  • Identifying actions to address vulnerabilities
  • User education
• IT must lead the effort to implement:
  • Security policies and procedures
  • Hardware and software to prevent security breaches
• Computer forensics is key to fighting
