Lesson 6 - Computer and Internet Crime


COMPUTER AND INTERNET CRIME

INTRODUCTION: IT SECURITY INCIDENTS ARE A MAJOR CONCERN

The security of information technology used in business is of utmost importance.
Confidential business data and private customer and employee information
must be safeguarded, and systems must be protected against malicious acts of
theft or disruption. Although the necessity of security is obvious, it must
often be balanced against other business needs. Business managers, IT
professionals, and IT users all face a number of ethical decisions regarding
IT security.

Why Computer Incidents Are So Prevalent


Some of the factors making incidents so prevalent include:
a) the increasing complexity of today's computing environment
b) higher user expectations
c) expanding and changing systems
d) growing reliance on software with known vulnerabilities

Increasing Complexity Increases Vulnerability


The computing environment has become enormously complex. Networks,
computers, operating systems, applications, Web sites, switches, routers, and
gateways are interconnected and driven by hundreds of millions of lines of
code. This environment continues to increase in complexity every day. The
number of possible entry points to a network expands continually as more
devices are added, increasing the possibility of security breaches.
To further complicate matters, workers in many organizations operate in a
cloud computing environment in which software and data storage are services
provided via the Internet (“the cloud”); the services are run on another
organization’s computer hardware and are accessed via a Web browser.

Virtualization also introduces further complications into today's computer
environment. Virtualization software (a hypervisor) adds another layer between
the hardware and the operating systems: it runs either directly on the hardware
or on top of a host operating system, and it enables multiple virtual machines,
each with its own operating system, to run on a single computer. The hypervisor
is then one more privileged component that must be configured and patched
correctly, since a flaw in it can expose every virtual machine it hosts.

Higher Computer User Expectations


Today, time means money, and the faster computer users can solve a problem,
the sooner they can be productive. As a result, computer help desks are under
intense pressure to respond very quickly to users’ questions. Under duress, help
desk personnel sometimes forget to verify users’ identities or to check whether
they are authorized to perform a requested action. In addition, even though
most have been warned against doing so, some computer users share their login
ID and password with other coworkers who have forgotten their own
passwords. This can enable workers to gain access to information systems and
data for which they are not authorized.

Expanding and Changing Systems Introduce New Risks


Business has moved from an era of stand-alone computers, in which critical
data was stored on an isolated mainframe computer in a locked room, to an era
in which personal computers connect to networks with millions of other
computers, all capable of sharing information. Businesses have moved quickly
into e-commerce, mobile computing, collaborative work groups, global business,
and interorganizational information systems. Information technology has become
ubiquitous and is a necessary tool for organizations to achieve their goals.
However, it is increasingly difficult to keep up with the pace of technological
change, successfully perform an ongoing assessment of new security risks, and
implement approaches for dealing with them.

Bring Your Own Device


Bring your own device (BYOD) is a business policy that permits, and in some
cases encourages, employees to use their own mobile devices (smartphones,
tablets, or laptops) to access company computing resources and applications,
including email, corporate databases, the corporate intranet, and the Internet.
Proponents of BYOD say it improves employee productivity by allowing
workers to use devices with which they are already familiar—while also
helping to create an image of a company as a flexible and progressive
employer. Most companies have found they simply cannot entirely prevent
employees from using their own devices to perform work functions. However,
this practice raises many potential security issues as it is highly likely that such
devices are also used for nonwork activity (browsing Web sites, blogging,
shopping, visiting social networks, and so on) that exposes them to malware
much more frequently than a device used strictly for business purposes. That
malware may then be spread throughout the company.

Increased Reliance on Commercial Software with Known Vulnerabilities


In computing, an exploit is an attack on an information system that takes
advantage of a particular system vulnerability. Often the vulnerability is due
to poor system design or implementation. Once the vulnerability is discovered,
software developers create and issue a "fix," or patch, to eliminate the
problem. Users of the system or application are responsible for obtaining and
installing the patch, which they can usually download from the Web; until they
do, the system remains exposed, and because a published patch tells attackers
exactly where the flaw is, the gap between patch release and patch installation
is when many exploits are written and used.

Of special concern is a zero-day attack, one that exploits a vulnerability
before the software developer or the security community knows about it or has
been able to repair it; until a patch ships, even a diligently patched system
is exposed. One would hope that the discoverer of a zero-day vulnerability
would report it to the original software manufacturer so that a fix can be
created before the details become public (coordinated disclosure).

TYPES OF EXPLOITS
There are numerous types of computer attacks, with new varieties being
invented all the time. Some of the more common attacks include the
virus, worm, Trojan horse, spam, distributed denial-of-service attack, rootkit,
phishing, spear-phishing, smishing, and vishing.
Viruses
Technically, a virus is a piece of programming code, usually disguised as
something else, that causes a computer to behave in an unexpected and usually
undesirable manner. Often a virus is attached to a file, so that when the
infected file is opened, the virus executes. Other viruses sit in a computer's
memory and infect files as the computer opens, modifies, or creates them. Most
viruses deliver a "payload," malicious code that causes the computer to
perform in an unexpected way. For example, the virus may be programmed to
display a certain message on the computer's display screen, delete or modify a
certain document, or reformat the hard drive.
A true virus does not propagate from computer to computer on its own. It
reaches other machines when a computer user opens an infected email
attachment, downloads and runs an infected program, or visits an infected Web
site. In other words, viruses spread through the actions of the user of the
"infected" computer, which is why user awareness matters as much as technical
controls.
Macro viruses have become a common and easily created form of virus.
Attackers use an application macro language (such as Visual Basic for
Applications, VBA, in Microsoft Office) to create programs that infect
documents and templates; because the macro travels inside an ordinary-looking
document, it is a natural payload for an email attachment.

Worms
Unlike a computer virus, which requires users to spread infected files to other
users, a worm is a harmful program that resides in the active memory of the
computer and duplicates itself. Worms differ from viruses in that they can
propagate without human intervention, typically by scanning for other reachable
computers and exploiting a vulnerability in a network service, or by sending
copies of themselves to other computers by email. Because propagation is
automatic, a worm can saturate a network within minutes of release, and
unpatched services exposed to the network are its preferred targets.

Trojan Horses
A Trojan horse is a program in which malicious code is hidden inside a
seemingly harmless program. The program's harmful payload might be
designed to enable the attacker to destroy hard drives, corrupt files, control
the computer remotely, launch attacks against other computers, steal passwords
or Social Security numbers, or spy on users by recording keystrokes and
transmitting them to a server operated by a third party.
A Trojan horse can be delivered as an email attachment, downloaded from
a Web site, or contracted via a removable media device such as a CD/DVD or
USB memory stick.

Once an unsuspecting user executes the program that hosts the Trojan horse, the
malicious payload is launched as well, with no telltale signs. Common host
programs include screen savers, greeting card systems, and games. Unlike a
virus, a Trojan horse does not replicate; it relies on the user being persuaded
to run it, so it is as much a social-engineering problem as a technical one.
A related technique is the logic bomb, malicious code that lies dormant until
it is triggered by a specific event. For example, logic bombs can be triggered
by a change in a particular file, by typing a specific series of keystrokes, or
by a specific time or date. Logic bombs are a classic insider technique, since
planting one requires access to put the code where it will later run.

Spam
Email spam is the abuse of email systems to send unsolicited email to large
numbers of people. Most spam is a form of low-cost commercial advertising,
sometimes for questionable products such as pornography, phony get-rich-quick
schemes, and worthless stock. Spam is also an extremely inexpensive method of
marketing used by many legitimate organizations.

Distributed Denial-of-Service (DDoS) Attacks


A distributed denial-of-service (DDoS) attack is one in which a malicious
hacker takes over a large number of computers via the Internet (a botnet) and
causes them to flood a target site with demands for data and other small
tasks. A distributed denial-of-service attack does not involve infiltration of
the targeted system. Instead, it keeps the target so busy responding to a
stream of automated requests that legitimate users cannot get in. Because the
traffic arrives from many sources at once, blocking a single address does
little; defending against it means absorbing or filtering the volume upstream
of the target.

Rootkits
A rootkit is a set of programs designed to hide an attacker's presence on a
computer and to preserve administrator-level ("root") access that has already
been obtained, typically through an exploited vulnerability or stolen
credentials, without the end user's consent or knowledge. Once installed, it
lets the attacker retain full control of the system while concealing its own
files, processes, and network connections from legitimate system administrators
and from security tools running on the compromised host.
Because a rootkit can subvert the very tools used to look for it, the infected
system's own reports cannot be trusted once infection is suspected; the disk
should be examined from known-clean media. When it is determined that a
computer has been infected with a rootkit, there is little to do but reformat
the disk; reinstall the operating system and all applications from trusted
sources; and reconfigure the user's settings, such as mapped drives.

Phishing
Phishing is the act of fraudulently using email to try to get the recipient to
reveal personal data. In a phishing scam, con artists send legitimate-looking
emails urging the recipient to take action to avoid a negative consequence or
to receive a reward; the link in the message leads to a site the attacker
controls, and the sender address is easily forged. Spear-phishing is phishing
aimed at a specific individual or organization: the message is tailored with
details about the target (names of colleagues, a current project, a supplier
relationship) to make it far more convincing than a mass mailing.

Smishing and Vishing

Smishing is another variation of phishing that involves the use of Short Message Service
(SMS) texting. In a smishing scam, people receive a legitimate-looking text message on
their phone telling them to call a specific phone number or to log on to a Web site. This is
often done under the guise that there is a problem with their bank account or credit card
that requires immediate attention. However, the phone number or Web site is phony and is
used to trick unsuspecting victims into providing personal information such as a bank
account number, personal identification number, or credit card number.

Vishing (voice phishing) is similar to smishing except that the victims receive a
phone call or voice mail telling them to call a phone number or access a Web site.
Caller ID is easily spoofed, so a call that appears to come from a bank's number
proves nothing about who is actually calling.

Hacktivists and Cyberterrorists


Hacktivism, a combination of the words hacking and activism, is hacking to
achieve a political or social goal. A cyberterrorist launches computer-based
attacks against other computers or networks in an attempt to intimidate or
coerce an organization in order to advance certain political or social objectives.
Cyberterrorists are more extreme in their goals than hacktivists, although there
is no clear demarcation line.

Federal (US) Laws for Prosecuting Computer Attacks


Computers came into use in the 1950s. Initially, there were no laws that
pertained strictly to computer-related crimes.

Over the years, several laws have been enacted to help prosecute those
responsible for computer-related crime; these are summarized in Table 3-6. For
example, the USA Patriot Act defines cyberterrorism as hacking attempts that
cause at least $5,000 in aggregate damage in one year, that impair medical
examination, diagnosis, treatment, or care, or that cause physical injury to
any person, among other listed harms. Those convicted of cyberterrorism are
subject to a prison term of 5 to 20 years. (The thresholds and penalties are
as summarized in the lesson's source textbook; verify them against the current
text of U.S. Code Title 18, Section 1030 before relying on them.)

TABLE 3-6 Federal laws that address computer crime (USA)

Federal law: USA Patriot Act
Subject area: Defines cyberterrorism and associated penalties

Federal law: Identity Theft and Assumption Deterrence Act
(U.S. Code Title 18, Section 1028)
Subject area: Makes identity theft a federal crime with penalties of up to
15 years imprisonment and a maximum fine of $250,000

Federal law: Fraud and Related Activity in Connection with Access Devices
Statute (U.S. Code Title 18, Section 1029)
Subject area: False claims regarding unauthorized use of credit cards

Federal law: Computer Fraud and Abuse Act (U.S. Code Title 18, Section 1030)
Subject area: Fraud and related activities in association with computers:
• accessing a computer without authorization or exceeding authorized access
• transmitting a program, code, or command that causes harm to a computer
• trafficking in computer passwords
• threatening to cause damage to a protected computer

Federal law: Stored Wire and Electronic Communications and Transactional
Records Access Statutes (U.S. Code Title 18, Chapter 121)
Subject area: Unlawful access to stored communications to obtain, alter, or
prevent authorized access to a wire or electronic communication while it is in
electronic storage

Source Line: Course Technology/Cengage Learning.


IMPLEMENTING TRUSTWORTHY COMPUTING
Trustworthy computing is a method of computing that delivers secure,
private, and reliable computing experiences based on sound business
practices—which is what organizations worldwide are demanding today.
Software and hardware manufacturers, consultants, and programmers all
understand that this is a priority for their customers.
The security of any system or network is a combination of technology,
policy, and people and requires a wide range of activities to be effective.
Risk Assessment
Risk assessment is the process of assessing security-related risks to an
organization's computers and networks from both internal and external threats.
Such threats can prevent an organization from meeting its key business
objectives. The goal of risk assessment is to identify which investments of time
and resources will best protect the organization from its most likely and serious
threats. In the context of an IT risk assessment, an asset is any hardware,
software, information system, network, or database that is used by the
organization to achieve its business objectives. A loss event is any occurrence
that has a negative impact on an asset, such as a computer contracting a virus
or a Web site undergoing a distributed denial-of-service attack.

Establishing a Security Policy


A security policy defines an organization's security requirements, as well as the
controls and sanctions needed to meet those requirements. A good security policy
delineates responsibilities and the behavior expected of members of the
organization. A security policy outlines what needs to be done but not how to do
it. The details of how to accomplish the goals of the policy are typically provided
in separate documents and procedure guidelines.

Educating Employees and Contract Workers


An ongoing security problem for companies is creating and enhancing user
awareness of security policies. Employees and contract workers must be
educated about the importance of security so that they will be motivated to
understand and follow the security policies.
Prevention
No organization can ever be completely secure from attack. The key is to
implement a layered security solution to make computer break-ins so difficult
that an attacker eventually gives up. In a layered solution, if an attacker breaks
through one layer of security, there is another layer to overcome.

a) Installing a Corporate Firewall


Installation of a corporate firewall is the most common security precaution
taken by businesses. A firewall stands guard between an organization’s
internal network and the Internet, and it limits network access based on the
organization’s access policy.

Firewalls can be established through the use of software, hardware, or a
combination of both. Any Internet traffic that is not explicitly permitted into
the internal network is denied entry (a default-deny policy). Because rules are
evaluated in order, an overly broad "allow" placed early in the rule set
silently overrides every more specific rule after it, so rule sets need to be
reviewed as carefully as they are written. Similarly, most firewalls can be
configured so that internal network users can be blocked from gaining access to
certain Web sites based on such content as sex and violence. Most firewalls can
also be configured to block instant messaging, access to newsgroups, and other
Internet activities.

Note that a firewall cannot prevent a worm from entering the network as an email
attachment. Most firewalls are configured to allow email and benign-looking
attachments to reach their intended recipient, and a filter that decides on
addresses and ports sees nothing of what a permitted connection carries.
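The following is an added example, not code from the lesson, showing the default-deny evaluation described above together with the rule-ordering check a practitioner would run on a rule set. The packet filter, the addresses (RFC 5737 documentation ranges and a private 10.0.0.0/8), and both rule sets are constructed for illustration.

```python
# Added example (not from the lesson): a default-deny packet filter.
# Rules are checked in order, first match wins, and a packet that matches
# no rule is dropped. Addresses and rule sets are constructed sample data.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: str                      # CIDR; "0.0.0.0/0" means any source
    dst: str
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


def evaluate(rules: List[Rule], p: Packet) -> str:
    """First matching rule decides; with no match the packet is denied."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"  # default deny: nothing is permitted implicitly


def shadowed_rules(rules: List[Rule]) -> List[Tuple[int, int]]:
    """Policy check: a later rule is dead (shadowed) when an earlier rule
    already matches every packet the later one would. Returns pairs
    (earlier_index, later_index); a deny shadowed by a broad allow is the
    classic misconfiguration."""
    dead = []
    for i, earlier in enumerate(rules):
        for j in range(i + 1, len(rules)):
            later = rules[j]
            if (ip_network(later.src).subnet_of(ip_network(earlier.src))
                    and ip_network(later.dst).subnet_of(ip_network(earlier.dst))
                    and earlier.proto in (None, later.proto)
                    and earlier.dport in (None, later.dport)):
                dead.append((i, j))
    return dead


# Constructed inbound policy: a DMZ web server and a mail gateway are reachable
# from the Internet on specific ports; the internal 10.0.0.0/8 network is not.
INBOUND_RULES = [
    Rule("allow", "0.0.0.0/0", "203.0.113.10/32", "tcp", 443),  # HTTPS to web server
    Rule("allow", "0.0.0.0/0", "203.0.113.10/32", "tcp", 80),   # HTTP (redirects to HTTPS)
    Rule("allow", "0.0.0.0/0", "203.0.113.25/32", "tcp", 25),   # SMTP to mail gateway
    Rule("deny", "0.0.0.0/0", "10.0.0.0/8"),                    # explicit deny, so it is logged
]

# A tempting "fix" for a user complaint: it allows everything, and every rule
# after it, including the deny, can never fire.
BROKEN_RULES = [Rule("allow", "0.0.0.0/0", "0.0.0.0/0")] + INBOUND_RULES

if __name__ == "__main__":
    for pkt in (Packet("198.51.100.7", "203.0.113.10", "tcp", 443),
                Packet("198.51.100.7", "203.0.113.10", "tcp", 22),
                Packet("198.51.100.7", "10.1.2.3", "tcp", 445)):
        print(pkt, "->", evaluate(INBOUND_RULES, pkt))
    print("shadowed rules in BROKEN_RULES:", shadowed_rules(BROKEN_RULES))
```

Note what the filter does not see: the SMTP rule admits port 25 to the mail gateway, and whatever attachment rides on that connection passes with it. That is the worm-in-an-attachment caveat above; content inspection has to happen in the mail gateway or on the endpoint, not in a packet filter.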

b) Intrusion Detection Systems


An intrusion detection system (IDS) is software and/or hardware that monitors
system and network resources and activities, and notifies network security
personnel when it detects network traffic that attempts to circumvent the
security measures of a networked computer environment. An IDS alerts; it does
not by itself block the traffic it flags, so its value depends on someone
acting on the alert and on the detection rules being tuned so that real
intrusions are not lost among false alarms.
c) Installing Antivirus Software on Personal Computers
Antivirus software should be installed on each user's personal computer to scan
a computer's memory and disk drives regularly for viruses. Antivirus software
scans for a specific sequence of bytes, known as a virus signature, that indicates
the presence of a specific virus. Signature scanning recognizes only malware
whose signature has already been captured and distributed, so the signature
database must be updated continually; even then, a sample that has been
modified, packed, or encrypted slips past a purely signature-based scanner,
which is why current products also apply heuristics and watch program behavior.
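The following is an added example, not code from the lesson, of signature scanning as described above and of its blind spot. The EICAR string is the harmless, industry-standard test file that real antivirus engines are built to detect (it is assembled from two halves so that this source file is not itself flagged); the second signature, its "dropper", and every sample file are constructed for the example.

```python
# Added example (not from the lesson): a signature-based scanner and why it
# only catches what it already knows. A signature is a fixed byte string
# searched for in each file. EICAR is the standard harmless test string;
# "Hypothetical.Dropper.A" and all sample files are constructed.
from typing import Dict, List

EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")

SIGNATURES: Dict[str, bytes] = {
    "EICAR-Test-File": EICAR,
    # Constructed signature: the imaginary prologue of an imaginary dropper.
    "Hypothetical.Dropper.A": b"\x55\x8b\xec\x83\xec\x20\xe8\x00\x00\x00\x00\x58",
}


def scan_buffer(data: bytes, signatures: Dict[str, bytes] = SIGNATURES) -> List[str]:
    """Names of every signature whose byte sequence occurs anywhere in data."""
    return [name for name, sig in signatures.items() if sig in data]


def scan_files(files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """files maps path -> contents; returns only the paths with detections."""
    report = {}
    for path, data in files.items():
        hits = scan_buffer(data)
        if hits:
            report[path] = hits
    return report


def xor_encode(data: bytes, key: int) -> bytes:
    """The simplest form of what a packed or polymorphic variant does: the
    bytes on disk no longer contain the signature, and the original body is
    restored only in memory when the program runs."""
    return bytes(b ^ key for b in data)


# Constructed sample "disk": a clean file, the test file, the dropper embedded
# in a larger file, a one-byte variant of the test file, and a packed dropper.
DROPPER = SIGNATURES["Hypothetical.Dropper.A"]
SAMPLE_FILES: Dict[str, bytes] = {
    "notes.txt": b"quarterly numbers attached",
    "eicar.com": EICAR,
    "invoice.exe": b"MZ" + b"\x00" * 62 + DROPPER + b"\x90" * 16,
    "eicar-variant.com": EICAR[:20] + b"x" + EICAR[21:],
    "invoice-packed.exe": b"MZ" + xor_encode(DROPPER, 0x5A),
}

if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        print(f"{path}: {', '.join(hits)}")
```

Only two of the five sample files are reported. The variant with a single changed byte and the XOR-packed dropper contain exactly the same malicious logic but no longer contain the signature bytes, which is the gap heuristics and behavior monitoring exist to close.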
d) Implementing Safeguards Against Attacks by Malicious Insiders
User accounts that remain active after employees leave a company are
another potential security risk. To reduce the threat of attack by
malicious insiders, IT staff must promptly disable the computer
accounts, login IDs, and passwords of departing employees and
contractors (disabling first and deleting later keeps the account's
history available if an investigation is needed), and offboarding should
be tied to the HR system of record so that no departure is missed.
Organizations also need to define employee roles carefully and
separate key responsibilities properly, so that a single person is not
responsible for accomplishing a task that has high security
implications.

e) Addressing the Most Critical Internet Security Threats


The overwhelming majority of successful computer attacks takes advantage of
well-known vulnerabilities. Computer attackers know that many organizations
are slow to fix problems, which makes scanning the Internet for vulnerable
systems an effective attack strategy.
The rampant and destructive spread of worms, such as Blaster, Slammer, and Code Red,
was made possible by the exploitation of known but unpatched vulnerabilities.

f) Conducting Periodic IT Security Audits


Another important prevention tool is a security audit that evaluates whether an
organization has a well-considered security policy in place and if it is being
followed. For example, if a policy says that all users must change their
passwords every 30 days, the audit must check how well that policy is being
implemented. (Forced periodic password changes are no longer recommended
practice; current guidance such as NIST SP 800-63B advises changing passwords
when there is evidence of compromise rather than on a schedule, so an audit
should question the policy as well as its enforcement.) The audit should also
review who has access to particular systems and data and what level of
authority each user has.
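The following is an added example, not code from the lesson, of the access review that both item (d), safeguards against malicious insiders, and item (f), periodic audits, call for: it reconciles an HR roster against a directory export and reports accounts that should not be enabled, should not hold the rights they hold, or belong to one person holding conflicting duties. The roster, accounts, role names, dates and thresholds are all constructed for illustration.

```python
# Added example (not from the lesson): an access review reconciling an HR
# roster against a directory export. All data and thresholds are constructed.
from datetime import date
from typing import Dict, List, Optional, Tuple

Finding = Tuple[str, str, str]  # (subject, code, explanation)

# HR system of record: who is still employed and what roles they hold.
HR_ROSTER: Dict[str, dict] = {
    "E100": {"name": "Ana", "status": "active", "roles": {"ap-clerk"}},
    "E101": {"name": "Ben", "status": "terminated", "roles": set()},
    "E102": {"name": "Cy", "status": "active", "roles": {"ap-clerk", "ap-approver"}},
    "E103": {"name": "Dee", "status": "active", "roles": {"sysadmin"}},
}

# Directory export: login, HR owner (None for an unowned service account),
# enabled flag, admin flag, last login and last password change.
ACCOUNTS: List[dict] = [
    {"login": "ana", "owner": "E100", "enabled": True, "admin": False,
     "last_login": date(2024, 5, 30), "pw_changed": date(2024, 3, 1)},
    {"login": "ben", "owner": "E101", "enabled": True, "admin": False,
     "last_login": date(2024, 1, 15), "pw_changed": date(2024, 1, 1)},
    {"login": "cy", "owner": "E102", "enabled": True, "admin": False,
     "last_login": date(2024, 5, 31), "pw_changed": date(2024, 5, 15)},
    {"login": "dee", "owner": "E103", "enabled": True, "admin": True,
     "last_login": date(2024, 5, 31), "pw_changed": date(2024, 5, 20)},
    {"login": "svc-backup", "owner": None, "enabled": True, "admin": True,
     "last_login": date(2024, 5, 31), "pw_changed": date(2023, 1, 1)},
    {"login": "ana-old", "owner": "E100", "enabled": True, "admin": False,
     "last_login": date(2023, 10, 1), "pw_changed": date(2024, 5, 25)},
    {"login": "ben-disabled", "owner": "E101", "enabled": False, "admin": True,
     "last_login": date(2024, 1, 15), "pw_changed": date(2024, 1, 1)},
]

# Separation of duties: role combinations one person must not hold.
CONFLICTING_ROLES = [
    ({"ap-clerk", "ap-approver"}, "can both create and approve payments"),
]


def review(roster: Dict[str, dict], accounts: List[dict], today: date,
           stale_after_days: int = 90,
           max_password_age_days: Optional[int] = None) -> List[Finding]:
    findings: List[Finding] = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # a disabled account cannot be used; nothing to report
        login = acct["login"]
        owner = roster.get(acct["owner"]) if acct["owner"] else None
        if owner is None:
            findings.append((login, "no-owner", "enabled account with no accountable person"))
        elif owner["status"] != "active":
            findings.append((login, "orphan", f"owner {owner['name']} is {owner['status']}; disable now"))
        if acct["admin"] and owner is not None and "sysadmin" not in owner["roles"]:
            findings.append((login, "excess-privilege", "admin rights without an admin role"))
        idle = (today - acct["last_login"]).days
        if idle > stale_after_days:
            findings.append((login, "stale", f"no login for {idle} days"))
        if max_password_age_days is not None and (today - acct["pw_changed"]).days > max_password_age_days:
            findings.append((login, "password-age", "older than the policy allows"))
    for emp_id, emp in roster.items():
        if emp["status"] != "active":
            continue
        for roles, why in CONFLICTING_ROLES:
            if roles <= emp["roles"]:
                findings.append((emp_id, "sod-conflict", f"{emp['name']} {why}"))
    return findings


REVIEW_DATE = date(2024, 6, 1)  # fixed so the run is reproducible


def run_review(max_password_age_days: Optional[int] = None) -> List[Finding]:
    return review(HR_ROSTER, ACCOUNTS, REVIEW_DATE, max_password_age_days=max_password_age_days)


if __name__ == "__main__":
    for subject, code, why in run_review():
        print(f"{code:17} {subject:12} {why}")
```

The password-age check is optional (`max_password_age_days=None` by default) so that the script audits whatever the written policy actually says rather than assuming a rotation rule; the orphan, no-owner and separation-of-duties findings are the ones that matter in every environment.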

g) Detection
Even when preventive measures are implemented, no organization is
completely secure from a determined attack. Thus, organizations should
implement detection systems to catch intruders in the act. Organizations often
employ an intrusion detection system to minimize the impact of intruders.
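The following is an added example, not code from the lesson, of the detection logic behind the intrusion detection system described in item (b) and in the Detection step above, run over a constructed batch of log lines. Two rules are shown: repeated failed SSH logins from one source (brute force) and one source probing many distinct ports (port scan). The lines imitate common sshd and netfilter log formats, but every line, address, window and threshold here is made up for the example.

```python
# Added example (not from the lesson): IDS-style burst detection over logs.
# The log excerpt, addresses and thresholds are constructed.
import re
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

SAMPLE_LOG = """\
2024-06-01T10:00:01 gw sshd[1201]: Failed password for invalid user admin from 198.51.100.23 port 51234 ssh2
2024-06-01T10:00:03 gw sshd[1202]: Failed password for invalid user admin from 198.51.100.23 port 51236 ssh2
2024-06-01T10:00:05 gw sshd[1203]: Failed password for alice from 10.0.0.5 port 40021 ssh2
2024-06-01T10:00:06 gw sshd[1204]: Failed password for root from 198.51.100.23 port 51240 ssh2
2024-06-01T10:00:09 gw sshd[1205]: Failed password for root from 198.51.100.23 port 51241 ssh2
2024-06-01T10:00:12 gw sshd[1206]: Failed password for invalid user test from 198.51.100.23 port 51244 ssh2
2024-06-01T10:00:15 gw sshd[1207]: Failed password for invalid user oracle from 198.51.100.23 port 51245 ssh2
2024-06-01T10:00:40 gw sshd[1210]: Accepted password for alice from 10.0.0.5 port 40021 ssh2
2024-06-01T10:05:00 gw kernel: DROP IN=eth0 SRC=203.0.113.77 DST=10.0.0.10 PROTO=TCP DPT=21
2024-06-01T10:05:00 gw kernel: DROP IN=eth0 SRC=203.0.113.77 DST=10.0.0.10 PROTO=TCP DPT=22
2024-06-01T10:05:00 gw kernel: DROP IN=eth0 SRC=203.0.113.77 DST=10.0.0.10 PROTO=TCP DPT=23
2024-06-01T10:05:01 gw kernel: DROP IN=eth0 SRC=203.0.113.77 DST=10.0.0.10 PROTO=TCP DPT=25
2024-06-01T10:05:01 gw kernel: DROP IN=eth0 SRC=203.0.113.77 DST=10.0.0.10 PROTO=TCP DPT=80
2024-06-01T10:05:01 gw kernel: DROP IN=eth0 SRC=203.0.113.77 DST=10.0.0.10 PROTO=TCP DPT=110
2024-06-01T10:05:02 gw kernel: DROP IN=eth0 SRC=203.0.113.77 DST=10.0.0.10 PROTO=TCP DPT=135
2024-06-01T10:05:02 gw kernel: DROP IN=eth0 SRC=203.0.113.77 DST=10.0.0.10 PROTO=TCP DPT=139
2024-06-01T10:05:02 gw kernel: DROP IN=eth0 SRC=203.0.113.77 DST=10.0.0.10 PROTO=TCP DPT=143
2024-06-01T10:05:03 gw kernel: DROP IN=eth0 SRC=203.0.113.77 DST=10.0.0.10 PROTO=TCP DPT=443
2024-06-01T10:05:03 gw kernel: DROP IN=eth0 SRC=203.0.113.77 DST=10.0.0.10 PROTO=TCP DPT=445
2024-06-01T10:05:03 gw kernel: DROP IN=eth0 SRC=203.0.113.77 DST=10.0.0.10 PROTO=TCP DPT=3389
2024-06-01T10:07:00 gw kernel: DROP IN=eth0 SRC=198.51.100.9 DST=10.0.0.10 PROTO=TCP DPT=445
2024-06-01T10:07:01 gw kernel: DROP IN=eth0 SRC=198.51.100.9 DST=10.0.0.10 PROTO=TCP DPT=445
2024-06-01T10:07:02 gw kernel: DROP IN=eth0 SRC=198.51.100.9 DST=10.0.0.10 PROTO=TCP DPT=445
"""

SSH_FAIL = re.compile(r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for "
                      r"(?:invalid user )?\S+ from (?P<src>[\d.]+) port \d+")
FW_DROP = re.compile(r"^(?P<ts>\S+) \S+ kernel: DROP .*?SRC=(?P<src>[\d.]+) .*?DPT=(?P<dport>\d+)")

Event = Tuple[datetime, str]  # (timestamp, value of interest: "" or destination port)


def parse(log_text: str) -> Dict[str, Dict[str, List[Event]]]:
    """Group events by kind, then by source address."""
    events: Dict[str, Dict[str, List[Event]]] = {"ssh_fail": {}, "fw_drop": {}}
    for line in log_text.splitlines():
        m = SSH_FAIL.match(line)
        if m:
            events["ssh_fail"].setdefault(m["src"], []).append((datetime.fromisoformat(m["ts"]), ""))
            continue
        m = FW_DROP.match(line)
        if m:
            events["fw_drop"].setdefault(m["src"], []).append((datetime.fromisoformat(m["ts"]), m["dport"]))
    return events


def peak_in_window(items: List[Event], window: timedelta, distinct: bool) -> int:
    """Largest number of events (or of distinct values) inside any window of
    the given length: a sliding window over the time-sorted events."""
    items = sorted(items)
    seen: Counter = Counter()
    best = left = 0
    for right, (ts, value) in enumerate(items):
        seen[value] += 1
        while ts - items[left][0] > window:  # drop events that fell out of the window
            seen[items[left][1]] -= 1
            if seen[items[left][1]] == 0:
                del seen[items[left][1]]
            left += 1
        best = max(best, len(seen) if distinct else right - left + 1)
    return best


# (alert name, event kind, window, threshold, count distinct values?)
RULES = [
    ("ssh-bruteforce", "ssh_fail", timedelta(seconds=60), 5, False),
    ("port-scan", "fw_drop", timedelta(seconds=10), 10, True),
]


def detect(log_text: str) -> List[dict]:
    events = parse(log_text)
    alerts = []
    for name, kind, window, threshold, distinct in RULES:
        for src, items in events[kind].items():
            peak = peak_in_window(items, window, distinct)
            if peak >= threshold:
                alerts.append({"type": name, "src": src, "peak": peak,
                               "first_seen": min(ts for ts, _ in items).isoformat()})
    return alerts


def slow_variant(minutes_apart: int) -> str:
    """The same attacker pacing six failed logins minutes apart: a low-and-slow
    attempt that a 60-second window never sees as a burst."""
    base = datetime(2024, 6, 1, 10, 0, 0)
    return "\n".join(
        f"{(base + timedelta(minutes=minutes_apart * i)).isoformat()} gw sshd[{1300 + i}]: "
        f"Failed password for root from 198.51.100.23 port {52000 + i} ssh2"
        for i in range(6))


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
    print("slow variant alerts:", detect(slow_variant(2)))
```

Alice's single typo and the repeated hits on one port from 198.51.100.9 produce no alert, which is the tuning the IDS caveat above is about. The slow variant shows the other side of the trade-off: an attacker who spreads the same attempts over minutes, or across many source addresses, stays under any threshold chosen to keep false alarms down, so burst rules are one layer and not the whole detection story.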

Response
An organization should be prepared for the worst—a successful attack that
defeats all or some of a system's defenses and damages data and information
systems. A response plan should be developed well in advance of any incident
and be approved by both the organization's legal department and senior
management. A well-developed response plan helps keep an incident under
technical and emotional control.

Computer Forensics
Computer forensics is a discipline that combines elements of law and computer
science to identify, collect, examine, and preserve data from computer systems,
networks, and storage devices in a manner that preserves the integrity of the
data gathered so that it is admissible as evidence in a court of law. A computer
forensics investigation may be opened in response to a criminal investigation or
civil litigation. It may also be launched for a variety of other reasons, for
example, to retrace steps taken when data has been lost, to assess damage
following a computer incident, to investigate the unauthorized disclosure of
personal or corporate confidential data, or to confirm or evaluate the impact of
industrial espionage.
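The following is an added example, not code from the lesson, of the integrity preservation the passage above identifies as the point of a forensic acquisition: the acquired image is hashed as it is read, the hashes go into a chain-of-custody log, and every later handoff or examination re-verifies them against the acquisition record. The "disk image" is a constructed byte string; the evidence ID, examiner names and timestamps are made up.

```python
# Added example (not from the lesson): evidence hashing and a chain-of-custody
# log. The image, evidence ID, names and timestamps are constructed.
import hashlib
import io
from datetime import datetime
from typing import BinaryIO, Dict, List, Optional


def hash_stream(stream: BinaryIO, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Hash an image of any size in chunks. Two digests are kept because
    older reports and tools still quote MD5 next to SHA-256."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        md5.update(chunk)
        sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def hash_bytes(data: bytes, chunk_size: int = 1 << 20) -> Dict[str, str]:
    return hash_stream(io.BytesIO(data), chunk_size)


class CustodyLog:
    """Append-only chain-of-custody record: who handled which evidence item,
    when, and what its hashes were at that moment."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def acquire(self, evidence_id: str, actor: str, when: datetime,
                stream: BinaryIO, note: str = "") -> Dict[str, str]:
        """Hash the image as it is acquired; these are the reference values
        every later examination must reproduce."""
        hashes = hash_stream(stream)
        self.entries.append({"evidence_id": evidence_id, "action": "acquire",
                             "actor": actor, "when": when.isoformat(),
                             "hashes": hashes, "note": note})
        return hashes

    def reference_hashes(self, evidence_id: str) -> Optional[Dict[str, str]]:
        for entry in self.entries:
            if entry["evidence_id"] == evidence_id and entry["action"] == "acquire":
                return entry["hashes"]
        return None

    def verify(self, evidence_id: str, actor: str, when: datetime,
               stream: BinaryIO, note: str = "") -> bool:
        """Re-hash the copy about to be examined or handed over and compare it
        with the acquisition record. A mismatch is logged, never silently
        corrected: evidence whose hash has changed cannot be relied on."""
        reference = self.reference_hashes(evidence_id)
        hashes = hash_stream(stream)
        ok = reference is not None and hashes == reference
        self.entries.append({"evidence_id": evidence_id, "action": "verify",
                             "actor": actor, "when": when.isoformat(),
                             "hashes": hashes, "result": "match" if ok else "MISMATCH",
                             "note": note})
        return ok


# Constructed evidence: a small stand-in for a disk image, and a copy with a
# single bit flipped, as a careless tool or a deliberate edit might leave it.
ORIGINAL_IMAGE = bytes(range(256)) * 64 + b"deleted: payroll-export.xlsx"
_tampered = bytearray(ORIGINAL_IMAGE)
_tampered[1000] ^= 0x01
TAMPERED_IMAGE = bytes(_tampered)


def demo() -> CustodyLog:
    log = CustodyLog()
    log.acquire("HD-2024-001", "examiner A", datetime(2024, 6, 1, 9, 0),
                io.BytesIO(ORIGINAL_IMAGE), note="imaged through a write blocker")
    log.verify("HD-2024-001", "examiner B", datetime(2024, 6, 2, 14, 0),
               io.BytesIO(ORIGINAL_IMAGE), note="working copy received")
    log.verify("HD-2024-001", "examiner B", datetime(2024, 6, 3, 10, 0),
               io.BytesIO(TAMPERED_IMAGE), note="copy from shared drive")
    return log


if __name__ == "__main__":
    for entry in demo().entries:
        print(entry["when"], entry["action"], entry.get("result", ""), entry["hashes"]["sha256"][:16])
```

Examination is done on a verified working copy, never on the original medium, and the verification entry itself becomes part of the record; the one-bit change in the third step is invisible to a file listing but turns every digest over, which is exactly what makes the acquisition hashes worth recording.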
