Computer and Internet Crime
ICST108 Professional Ethics
John Sixto G. Santos, Ateneo de Naga University, Department of Computer Science

Jan 08, 2018


IT Security Incidents
- The security of computers in business is imperative: confidential business data and private customer information must be protected.
- Security must be balanced against other business needs.
- Business managers and IT workers face a number of ethical situations.

IT Security Incidents
- If a firm is the victim of computer crime, should it pursue prosecution?
  ◦ At all costs?
  ◦ Keep a low profile to avoid publicity?
  ◦ Inform affected customers?
- How much should be spent on protection? How safe is safe enough?

IT Security Incidents
- If a firm ships a product that is open to attack, is it responsible for the damages? What is its scope of responsibility?
- What if security measures impede functionality, raise costs, or cost sales?

IT Security Incidents
- Unfortunately, computer crime is on the rise, not only in the US but globally.
- Share of surveyed organizations reporting each type of attack. The transcript lost the table's column headings, so the figures are listed in the order they appear; "(blank)" marks a cell that was empty in the original, and the last two rows have values in only two columns:
  ◦ Virus: 78%, 74%, 65%, 52%, 50%
  ◦ Insider abuse: 59%, 48%, 42%, 59%, 44%
  ◦ Laptop theft: 49%, 48%, 47%, 50%, 42%
  ◦ Unauthorized access: 37%, 32%, (blank), 25%, 29%
  ◦ Denial of service: 39%, 32%, 25%, (blank), 21%
  ◦ Instant messaging abuse: 25%, 21%
  ◦ Bots: 21%, 20%

Complexity versus Vulnerability
- Computer systems have become increasingly complex: networked computers running millions of lines of code, and the code base is still growing.
- The possible avenues for attack increase accordingly, and with them the likelihood of a security breach.

Higher Computer Expectations
- Time means money in business; the faster a computer solves a problem, the better.
- IT users are expected to respond to requests instantly, so they cut corners: forgetting to verify identity, sharing passwords, using co-workers' accounts.

Reliance on Software with Vulnerabilities
- Business-critical systems need to be deployed and maintained consistently; loss of computer systems means lost profit.
- In this situation an IT worker may opt to keep using software with known vulnerabilities. Keep using the existing software on Windows, or develop new software for Linux?
Reliance on Software with Vulnerabilities
- Exploit: an attack on an information system that takes advantage of a system vulnerability. Often the result of poor system implementation; fixed by a software patch.
- Any delay in installing a patch leaves the system open to a security breach.

Reliance on Software with Vulnerabilities
- All these bugs and vulnerabilities are a significant workload for developers; it is difficult to keep up with the volume of exploits discovered.
- Zero-day attack: an attack that exploits a vulnerability before the developer knows of it, and therefore before any patch exists.

Types of Exploits
- There are numerous types of exploits. A partial list: virus, worm, Trojan horse, botnet, DDoS, rootkit, spam, phishing.

Viruses
- Virus: loosely, any piece of malicious code; strictly, code that attaches itself to a host program or document and replicates when that host is run. Causes a computer to perform undesirable functions.
- When opened, it executes, infects the machine and spreads to other computers; e-mail attachments are the most popular vector.
- Usual behaviour: displaying messages, deleting or modifying files, formatting disks.

Viruses
- Brain.A: the first known PC virus. It slows down the floppy drive and makes seven kilobytes of memory unavailable to DOS.
- Anna Kournikova: tempted users with a promised picture of the tennis player; when opened it mailed itself to every address in the victim's Outlook address book. Despite its notoriety it carried no file-destroying payload.
- Simile: changed the system language to Hebrew.

Worms
- Worm: similar to a virus, but needs no human interaction to infect and spread.
- Spreads by e-mail and by Internet Relay Chat (IRC).
- The biggest cause of lost profit among attacks on business.

Worms
  Name     | Year released | Worldwide economic impact
  ---------|---------------|--------------------------
  Storm    | 2007          | > $10 billion (est.)
  ILOVEYOU | 2000          | $8.75 billion
  Code Red | 2001          | $2.62 billion
  SirCam   | 2001          | $1.15 billion
  Melissa  | 1999          | $1.1 billion

Worms
- Storm: merges the compromised machine into a botnet.
- ILOVEYOU: overwrote files and mailed a copy of itself to everyone in the victim's Outlook address book (mailing only the first 50 addresses was Melissa's behaviour).
- Code Red: defaced affected web sites to display "HELLO! Welcome to http://www.worm.com! Hacked By Chinese!"

Trojan Horses
- Trojan horse: malicious code hidden in a seemingly harmless program.
- Enables attackers to take control of the computer; communicates with a server, transferring keystrokes, passwords and so on.
- Usual vectors: screensavers, greeting cards, mouse pointers, free software; commonly found in pirated software.

Botnets
- Botnet: a large group of compromised computers controlled from a remote location.
- Used to distribute malicious code and spam, and in extortion scams.
- Their collective computing capacity can exceed that of the fastest supercomputers.
- Example: the Cutwail botnet contained more than one million computers.

DDoS
- Distributed denial of service: the attacker uses a botnet to flood a web site with requests, like keeping a telephone line permanently busy.
- Also used in extortion scams and social activism; a major source of server downtime.

Rootkits
- Rootkit: a program that obtains administrator privileges without the user's consent and manipulates the operating system to make itself invisible.
- Very hard to detect and almost impossible to clean; reformatting the disk and reinstalling from known-good media is usually the only option.

Rootkits
- Sony rootkit: installed when a copy-protected Sony audio CD was inserted; gathered information about the PC and sent it to Sony (PID withheld).
- SecuROM: installed when a game protected by the technology is inserted; digital rights management (DRM) for games, intended to eliminate piracy.

Spam
- Spam: abuse of e-mail to send thousands of unsolicited messages.
- Low-cost commercial advertising, and a legitimate way for small companies to gain publicity, but also a common vector for spreading other malware.

Phishing
- Phishing: fraudulently sending e-mail with the intention of obtaining the recipients' personal data.
- The message appears to be a legitimate e-mail that encourages the recipient to act, tricking them into divulging private information.

Types of Perpetrators
- The perpetrators responsible for attacks are usually motivated by thrills, financial gain, a competitive edge, or the desire to harm others.
- Each type of perpetrator has access to a different amount of resources.
Types of Perpetrators
- A partial list: hackers and crackers, malicious insiders, industrial spies, cybercriminals, hacktivists and cyberterrorists.

Hackers and Crackers
- Hacker: tests the limitations of computer systems out of intellectual curiosity. Can I gain access? How far into the system can I go? Wants to learn more about the system through exploration.
- The term carries a negative connotation in contemporary computing.
- Example: hacking the Sony PSP to allow homebrew games to run.

Hackers and Crackers
- Cracker: breaks into computer systems to cause direct harm: defacing web sites, crashing computers, spreading malware.
- Example: after discovering that Twitter did not filter JavaScript out of tweets, attackers flooded Twitter with onLoad() code that redirected viewers to pornography sites.

Malicious Insiders
- Malicious insider: an employee with access to the company information system (IS), often colluding with an outsider.
- Occurs when a company has weak internal controls; difficult to detect because insiders are authorized users of the IS.
- Diverts funds, steals assets, commits credit card fraud, invoice fraud, etc.

Malicious Insiders
Ways to reduce the risk from malicious insiders:
- Thorough psychological evaluation of employees; regular drug testing and evaluation.
- Limit the number of people who have access to the system; carefully limit job roles.
- Rotate employees in sensitive positions.
- Revoke access rights promptly when employees transfer or leave.
- Implement regular auditing.

Industrial Spies
- Industrial spy: an individual who obtains trade secrets from competitors on behalf of a sponsor, using illegal means to obtain documents not available to the public.
- Targets include product designs, production data, marketing information, etc.
- Competitive intelligence: the legitimate way of gathering business intelligence, using clean-room techniques, reverse engineering and public information.

Industrial Spies
- Shekhar Verma, employed by Geometric Software Solutions, was hired to debug SolidWorks 2001. He stole the code and attempted to sell it to competitors.
- Unfortunately, Indian law at the time did not treat software code as a trade secret. He went free and still works as a programmer in India.

Cybercriminals
- Cybercriminal: motivated by the potential for monetary gain; hacks corporate computer systems to steal.
- Transfers money out of accounts and is extremely hard to track down.
- Also engages in computer fraud, typically aiming to obtain credit card information; this forced the introduction of zero-liability programs for online purchases.

Hacktivists and Cyberterrorists
- Hacktivist: a combination of hacker and activist; uses hacking as a means to effect social or political change. Examples: Anonymous, LulzSec, WikiLeaks.
- Cyberterrorist: launches computer-based attacks in an attempt to intimidate governments and political organizations. Examples: Vitek Boden, the Eurasian Youth Movement, Al-Qaeda.

Hacktivists and Cyberterrorists
- Cyberterrorists are more extreme in their goals: Vitek Boden manipulated a control system to release sewage in Australia; the Eurasian Youth Movement defaced the web sites of European politicians.
- Hacktivists tend to perform acts of civil disobedience: Anonymous released a list of online paedophiles taken from hacked databases; WikiLeaks publishes socially relevant confidential information.

US Laws Against Computer Crimes
- Computers came into popular use in the 1950s, when no laws pertained specifically to computer crime.
- Theft of computer code was tried under traditional larceny laws, but larceny did not cover intangible goods, which gave early computer criminals much room to operate.

US Laws Against Computer Crimes
- Over the years, laws have been enacted to protect the public.
- The USA PATRIOT Act defined cyberterrorism as hacking that causes more than $5,000 of damage, punishable by up to 20 years' imprisonment.

US Laws Against Computer Crimes / Trustworthy Computing
- Laws exist to protect organizations from attack. But how are attacks and damage actually prevented?
Trustworthy Computing
- Computing that delivers secure, private and reliable business computing, as demanded by global businesses (the term comes from Microsoft's Trustworthy Computing initiative).
- Security is a combination of technology, policy and people.

Trustworthy Computing
- A strong security program starts by assessing threats.
- Effort must go into preventing attacks from outsiders: policies, plus hardware and software barriers.
- No system is perfect, however, so there must be a process in place to handle intrusions.

Risk Assessment
- The process of assessing security-related risks, considering both internal and external attacks.
- Identifies the investments (hardware, software and policy) that secure the organization against its most likely and most serious threats.

Risk Assessment
- Step 1: Identify the set of IT assets the organization is most concerned about, typically the systems that support a primary business goal.
- Step 2: Identify the threats that could occur and the business that would be lost: DDoS, insider abuse, etc.
- Step 3: Assess the frequency and likelihood of each threat; insider abuse, for instance, is more likely than most other threats.
- Step 4: Determine the impact of each threat. Is it major or minor? Will it bring a system down for an extended period?
- Step 5: Determine how each threat can be mitigated to reduce the potential damage, for example installing anti-virus and firewall software, 32-bit system passwords, 6-hour password validity.
- Step 6: Assess the feasibility of the mitigating options. Is a 6-hour password rotation policy actually workable?
- Step 7: Perform a cost-benefit analysis: balance the expected cost of a security breach against the cost of preventing one, aiming for reasonable assurance rather than perfection.
- Step 8: Decide whether or not to implement each security measure; if the chosen solution is not accepted, reassess.
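The eight steps above can be made quantitative. The following is an added example, not part of the lecture: it applies the widely used single-loss-expectancy / annualized-loss-expectancy model to constructed threats and controls, and every asset value, frequency, exposure factor and cost in it is made up for illustration. The 6-hour password rotation from Step 5 is included so that the cost-benefit test of Step 7 can show a control that fails to pay for itself.

```python
"""Quantitative risk assessment helper (added example, not from the lecture).

Applies the common single-loss-expectancy / annualized-loss-expectancy model
to the lecture's eight steps:
    SLE = asset value * exposure factor              (steps 1 and 4)
    ALE = SLE * annual rate of occurrence            (step 3)
    net benefit = ALE avoided - annual control cost  (step 7)
A control is adopted only when its net benefit is positive (step 8).
All assets, threats, controls and figures below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float      # step 1: value of the asset at risk
    exposure_factor: float  # step 4: fraction of the asset lost per incident (0..1)
    aro: float              # step 3: expected incidents per year

    @property
    def sle(self) -> float:
        """Single loss expectancy: damage from one incident."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: expected damage per year."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    aro_reduction: float = 0.0  # fraction of incidents the control prevents
    ef_reduction: float = 0.0   # fraction of per-incident damage it avoids


def residual_ale(threat: Threat, control: Control) -> float:
    """Step 5: expected annual loss that remains once the control is in place."""
    aro = threat.aro * (1.0 - control.aro_reduction)
    ef = threat.exposure_factor * (1.0 - control.ef_reduction)
    return threat.asset_value * ef * aro


def net_benefit(threat: Threat, control: Control) -> float:
    """Step 7: ALE avoided minus what the control costs each year."""
    return (threat.ale - residual_ale(threat, control)) - control.annual_cost


def worth_implementing(threat: Threat, control: Control) -> bool:
    """Step 8: adopt the control only if it pays for itself."""
    return net_benefit(threat, control) > 0


def rank_threats(threats: list[Threat]) -> list[Threat]:
    """Steps 3 and 4 combined: order threats by expected annual loss."""
    return sorted(threats, key=lambda t: t.ale, reverse=True)


# Constructed threats (step 2) against constructed assets.
INSIDER_ABUSE = Threat("insider abuse of the finance system", 500_000, 0.20, 2.0)
DDOS = Threat("DDoS against the web store", 2_000_000, 0.05, 0.5)
LAPTOP_THEFT = Threat("laptop theft", 8_000, 1.0, 4.0)
THREATS = [LAPTOP_THEFT, DDOS, INSIDER_ABUSE]

# Constructed mitigation options (step 5); feasibility shows up as cost (step 6).
AUDIT_AND_LEAST_PRIVILEGE = Control("privilege review plus audit logging", 60_000, aro_reduction=0.5)
SIX_HOUR_PASSWORDS = Control("6-hour password rotation", 150_000, aro_reduction=0.1)
LAPTOP_ENCRYPTION = Control("full-disk encryption on laptops", 10_000, ef_reduction=0.9)

if __name__ == "__main__":
    for t in rank_threats(THREATS):
        print(f"{t.name:40s} SLE={t.sle:>10,.0f} ALE={t.ale:>10,.0f}")
    for t, c in [(INSIDER_ABUSE, AUDIT_AND_LEAST_PRIVILEGE),
                 (INSIDER_ABUSE, SIX_HOUR_PASSWORDS),
                 (LAPTOP_THEFT, LAPTOP_ENCRYPTION)]:
        print(f"{c.name:40s} net benefit={net_benefit(t, c):>10,.0f} adopt={worth_implementing(t, c)}")
```

With these figures the audit-and-least-privilege control removes half of a 200,000-per-year exposure for 60,000, so it is adopted; the 6-hour rotation removes only 20,000 of exposure while its help-desk and lockout overhead is costed at 150,000, so Step 8 rejects it even though it is technically possible. The model is only as good as the frequency and impact estimates fed into it, which is why Steps 3 and 4 deserve the most scrutiny.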
Establishing a Security Policy
- Security policy: defines an organization's security requirements, and the responsibilities and behaviour of its members.
- Establishes what to do, not how to do it.
- Automated systems follow the policy too: if company policy says passwords change every 10 days, the software used in the company enforces the 10-day change automatically.

Educating Employees
- A 2007 survey of companies called for more awareness of security threats and of the policies that prevent them.
- Employees, contractors and managers must be educated on security: understanding the risks and their impact, and following policy to prevent damage.

Educating Employees
- Users must understand that they are a key part of a secure system: guarding their passwords, not letting others use their accounts, applying strict control to files and data, and reporting unusual activity through the proper channels.

Prevention
- No security system or policy is perfect; each has some degree of vulnerability.
- The key is a layered security solution: multiple layers of protection, so that penetrating the system is hard for an attacker.

Corporate Firewalls
- Firewall: the most common security precaution employed by companies. Stands between the organization's internal network and the Internet and limits network access according to company policy.
- Can be implemented in hardware, software or a combination of both.

Corporate Firewalls
- Internet traffic that is not explicitly allowed into the network is denied (default deny).
- Also prevents specified web sites from being reached from inside the network: gaming, social, adult, violent sites.
- Common personal firewalls: (the list did not survive transcription)

Intrusion Prevention System
- Intrusion prevention system (IPS): blocks viruses, malformed packets, e-mail attachments, etc.; detects intrusion attempts; works alongside a firewall; alerts administrators.

Anti-virus Software
- Should be installed on every computer; scanning and signature updates should be automated.
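The anti-virus slide (its remaining bullets follow just below) distinguishes signature matching from heuristics. The toy scanner here is an added example, not part of the lecture: its signature database, heuristic rules and sample files are all constructed, and the "signatures" are made-up byte strings rather than patterns from real malware. It shows why a signature database is exact but brittle (one changed byte evades it) and why heuristics catch more at the price of false positives.

```python
"""Toy signature-plus-heuristic scanner (added example, not from the lecture).

Signature scanning looks for exact byte patterns taken from known malware.
Heuristics flag files that merely look suspicious: here, a PE header, a
near-random byte distribution (packed or encrypted content) and the names of
process-injection APIs. The "signatures" and all sample files below are
constructed for illustration and are not real malware.
"""
from __future__ import annotations

import math
from collections import Counter

# Constructed signature database: detection name -> byte pattern (made up).
SIGNATURES = {
    "Demo.Dropper.A": b"MZ\x90\x00DROPPER-STUB",
    "Demo.Macro.B": b"Sub AutoOpen()\r\nShell(",
}


def signature_matches(data: bytes) -> list[str]:
    """Exact substring match against every known signature."""
    return [name for name, sig in SIGNATURES.items() if sig in data]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally common."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def heuristic_score(data: bytes) -> int:
    """Add points for traits common in malware but not unique to it."""
    score = 0
    if data[:2] == b"MZ":
        score += 1  # Windows executable header
    if shannon_entropy(data) > 7.0:
        score += 2  # packed or encrypted payload
    if b"CreateRemoteThread" in data or b"WriteProcessMemory" in data:
        score += 2  # process-injection API names in the binary
    return score


def scan(data: bytes, heuristic_threshold: int = 3) -> dict:
    """A signature hit is decisive; otherwise fall back to the heuristic score."""
    hits = signature_matches(data)
    score = heuristic_score(data)
    if hits:
        verdict = "infected"
    elif score >= heuristic_threshold:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"signatures": hits, "heuristic_score": score, "verdict": verdict}


# Constructed samples.
CLEAN_TEXT = b"Quarterly report: revenue up 4% on the previous quarter.\n"
KNOWN_SAMPLE = b"MZ\x90\x00DROPPER-STUB" + b"\x00" * 64            # in the database
VARIANT = KNOWN_SAMPLE.replace(b"STUB", b"STUb")                    # one byte changed
PACKED_EXE = b"MZ" + bytes(range(256)) * 4 + b"WriteProcessMemory"  # no signature
LEGIT_INSTALLER = b"MZ" + bytes(range(256)) * 4                     # benign but high entropy

if __name__ == "__main__":
    for label, sample in [("clean text", CLEAN_TEXT), ("known sample", KNOWN_SAMPLE),
                          ("variant", VARIANT), ("packed exe", PACKED_EXE),
                          ("legit installer", LEGIT_INSTALLER)]:
        print(f"{label:16s} {scan(sample)}")
```

The variant is the case the slide warns about: it is the same dropper with one byte altered, so the signature no longer matches and the heuristic score alone (a bare MZ header) is not enough to flag it. The compressed installer is the opposite failure: nothing in it is malicious, yet its high entropy plus an executable header reaches the heuristic threshold, a false positive that an analyst or a vendor whitelist then has to resolve.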
Anti-virus Software (continued)
- Scans for byte patterns called virus signatures; effectiveness depends on the contents of the signature database.
- Sometimes employs heuristics: an educated guess as to whether a sequence of bytes is part of a virus. Requires more computing resources and can produce false positives.

Response to Attacks
- An organization should be prepared for the worst: a response plan, developed, implemented and approved by management.
- The plan keeps the organization stable, technically and emotionally, during an attack, and helps it regain control and limit the damage.

Incident Notification
- A key element of an effective response is knowing whom to notify and whom not to.
- Who needs to be notified, and what do they need to know? Should the company contact suppliers and customers, and how can it inform them without alarming them? Should the authorities be contacted? Will releasing information tip off the attackers?

Evidence and Activity Logs
- Document all details of an attack. This helps resolve the situation, captures valuable evidence for later prosecution, and provides the data needed for eradication and recovery.
- Capture system events and the actions taken, and all external conversations.
- Documentation should be standardized, since it could be used in court.

Containment
- A rapid response can often prevent significant damage.
- The response plan should state clearly what to do when the situation is grave: shutting down servers, disconnecting from the Internet, formatting disks (only after the disk has been imaged for evidence; wiping it first destroys that evidence).

Recovery
- Before recovery begins, IT workers should collect all logs from the system and verify that the backups are complete and free from contamination.
- Create a copy of the compromised systems on write-once media to preserve evidence.
- Restore the system from a known-good source: backups taken before the attack.

Follow-Up
- Determine how the system was compromised and make sure it cannot happen again: updates, software patches, policy changes, etc.
- Look deeper than the immediate fix.
Follow-Up (continued)
- Evaluate how the organization responded to the attack, and file an incident report with a complete chronology of the attack and the response.
- Compile all event logs and estimate the monetary damage: lost revenue and productivity, salaries, and the cost of replacing hardware and software. This is used as evidence in prosecution.
- Make an effort to identify the attacker, bearing in mind the possibility of negative publicity.
- Decide whether to inform clients of the attack.
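The evidence, recovery and follow-up slides all rest on one requirement: the logs, images and chronology collected during the incident must be shown in court (and to the attacker's lawyers) to be unaltered since collection. The following is an added example, not part of the lecture, of the two techniques that meet it: a hash manifest taken at acquisition time and re-checked later, and a chronology whose entries are chained by hash so that a later edit is detectable. The log lines, the case id and the examiner name are constructed placeholders, and the 203.0.113.0/24 address comes from the RFC 5737 documentation range.

```python
"""Evidence manifest and tamper-evident chronology (added example, not from
the lecture).

Hashing each preserved artefact at acquisition time and re-checking the
hashes before analysis or disclosure shows that logs and images were not
altered after collection. Chaining each chronology entry to the hash of the
previous one makes later edits or insertions detectable. The log lines,
case id and examiner name below are constructed placeholders.
"""
from __future__ import annotations

import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str) -> str:
    """Hash a file in chunks so disk images of any size can be handled."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths: list[str], case_id: str, examiner: str) -> dict:
    """Record who acquired what, when, and the hash of each item."""
    return {
        "case_id": case_id,
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "items": [
            {"name": os.path.basename(p), "bytes": os.path.getsize(p), "sha256": sha256_file(p)}
            for p in paths
        ],
    }


def verify_manifest(manifest: dict, directory: str) -> list[str]:
    """Names of items that are missing or whose hash no longer matches."""
    bad = []
    for item in manifest["items"]:
        path = os.path.join(directory, item["name"])
        if not os.path.isfile(path) or sha256_file(path) != item["sha256"]:
            bad.append(item["name"])
    return bad


def _entry_hash(when: str, who: str, what: str, prev: str) -> str:
    body = json.dumps({"when": when, "who": who, "what": what, "prev": prev}, sort_keys=True)
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def append_entry(chain: list[dict], when: str, who: str, what: str) -> None:
    """Append a chronology entry bound to the hash of the entry before it."""
    prev = chain[-1]["entry_hash"] if chain else "0" * 64
    chain.append({"when": when, "who": who, "what": what, "prev": prev,
                  "entry_hash": _entry_hash(when, who, what, prev)})


def chain_is_intact(chain: list[dict]) -> bool:
    """Recompute every hash; an edited, removed or inserted entry breaks the chain."""
    prev = "0" * 64
    for e in chain:
        if e["prev"] != prev or _entry_hash(e["when"], e["who"], e["what"], prev) != e["entry_hash"]:
            return False
        prev = e["entry_hash"]
    return True


def demo() -> tuple[list[str], list[str], bool, bool]:
    """Acquire two constructed log files, then show what tampering looks like."""
    d = tempfile.mkdtemp()
    auth_log = os.path.join(d, "auth.log")
    access_log = os.path.join(d, "access.log")
    with open(auth_log, "w") as f:  # constructed sample lines, RFC 5737 test address
        f.write("Jan  8 02:14:07 srv1 sshd[4121]: Accepted password for root from 203.0.113.7 port 51522\n")
    with open(access_log, "w") as f:
        f.write('203.0.113.7 - - [08/Jan/2018:02:15:01 +0800] "GET /admin/export.php HTTP/1.1" 200 8813\n')

    manifest = build_manifest([auth_log, access_log], "CASE-0001 (placeholder)", "examiner (placeholder)")
    before = verify_manifest(manifest, d)  # nothing has changed yet

    with open(auth_log, "a") as f:          # a line appended after acquisition
        f.write("Jan  8 02:30:00 srv1 sshd[4121]: pam_unix(sshd:session): session closed for user root\n")
    after = verify_manifest(manifest, d)   # auth.log now fails verification

    chain: list[dict] = []
    append_entry(chain, "2018-01-08T02:20:00Z", "on-call engineer", "disconnected srv1 from the Internet")
    append_entry(chain, "2018-01-08T02:25:00Z", "on-call engineer", "imaged srv1 disk to write-once media")
    intact = chain_is_intact(chain)
    chain[0]["what"] = "rebooted srv1"     # someone rewrites history afterwards
    tampered = chain_is_intact(chain)
    return before, after, intact, tampered


if __name__ == "__main__":
    print(demo())
```

In practice the manifest is written to the same write-once media as the images and a copy is kept with the case file, so that the hash recorded at acquisition cannot be quietly adjusted along with the evidence. The chained chronology does not stop a determined insider from rewriting the entire log, but it does force them to recompute every entry after the edit, which is far more visible than changing one line in a spreadsheet.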