Ethics in Information Technology, Fourth Edition: Computer and Internet Crime

Download as ppt, pdf, or txt
Download as ppt, pdf, or txt
You are on page 1of 69

Ethics in Information

Technology, Fourth Edition

Chapter 3
Computer and Internet Crime
Objectives

• As you read this chapter, consider the following


questions:
– What key trade-offs and ethical issues are
associated with the safeguarding of data and
information systems?
– Why has there been a dramatic increase in the
number of computer-related security incidents in
recent years?
– What are the most common types of computer
security attacks?

Ethics in Information Technology, Fourth Edition


Objectives (cont’d.)
– Who are the primary perpetrators of computer crime,
and what are their objectives?
– What are the key elements of a multilayer process
for managing security vulnerabilities based on the
concept of reasonable assurance?
– What actions must be taken in response to a security
incident?
– What is computer forensics, and what role does it
play in responding to a computer incident?

Ethics in Information Technology, Fourth Edition


IT Security Incidents: A Major Concern

• Security of information technology is of utmost


importance
– Safeguard:
• Confidential business data
• Private customer and employee data
– Protect against malicious acts of theft or disruption
– Balance against other business needs and issues
• Number of IT-related security incidents is
increasing around the world

Ethics in Information Technology, Fourth Edition


Why Computer Incidents Are So
Prevalent
• Increasing complexity increases vulnerability
– Computing environment is enormously complex
• Continues to increase in complexity
• Number of entry points expands continuously
• Cloud computing and virtualization software
• Higher computer user expectations
– Computer help desks under intense pressure
• Forget to verify users’ IDs or check authorizations
• Computer users share login IDs and passwords

Ethics in Information Technology, Fourth Edition


Why Computer Incidents Are So
Prevalent (cont’d.)
• Expanding/changing systems equal new risks
– Network era
• Personal computers connect to networks with
millions of other computers
• All capable of sharing information
– Information technology
• Ubiquitous(present, appearing, or found
everywhere.)
• Necessary tool for organizations to achieve goals
• Increasingly difficult to match pace of
technological change
Ethics in Information Technology, Fourth Edition
Why Computer Incidents Are So
Prevalent (cont’d.)
• Increased reliance on commercial software with
known vulnerabilities
– Exploit
• Attack on information system
• Takes advantage of system vulnerability
• Due to poor system design or implementation
– Patch
• “Fix” to eliminate the problem
• Users are responsible for obtaining and installing
• Delays expose users to security breaches
Ethics in Information Technology, Fourth Edition
Why Computer Incidents Are So
Prevalent (cont’d.)
• Zero-day attack
• A zero day vulnerability refers to a hole in software that is unknown to the
vendor. This security hole is then exploited by hackers before the vendor
becomes aware and hurries to fix it—this exploit is called a zero day
attack. Uses of zero day attacks can include infiltrating malware, spyware
or allowing unwanted access to user information. The term “zero day”
refers to the unknown nature of the hole to those outside of the hackers,
specifically, the developers. Once the vulnerability becomes known, a race
begins for the developer, who must protect use
– Before a vulnerability is discovered or fixed
• U.S. companies rely on commercial software with
known vulnerabilities(the quality or state of being exposed to
the possibility of being attacked or harmed, either physically or
emotionally)
Ethics in Information Technology, Fourth Edition
Types of Exploits

• Computers as well as smartphones can be target


• Types of attacks
– Virus
– Worm
– Trojan horse
– Distributed denial of service
– Rootkit
– Spam
– Phishing (spear-phishing, smishing, and vishing)

Ethics in Information Technology, Fourth Edition


Viruses

• Pieces of programming code


• Usually disguised as something else
• Cause unexpected and undesirable behavior
• Often attached to files
• Deliver a “payload”(infected info)
• Spread by actions of the “infected” computer user
• Infected e-mail document attachments
• Downloads of infected programs
• Visits to infected Web sites

Ethics in Information Technology, Fourth Edition


Examples of virus

• The Morris worm


• In 1998 Robert Morris, a university student,
unleashed a worm which affected 10 per cent of all
the computers connected to the internet (at the
time the net was estimated to consist of 60,000
computers), slowing them down to a halt. Morris is
now an associate professor at MIT.

Ethics in Information Technology, Fourth Edition


• ILOVEYOU
• The Love Bug flooded internet users with
ILOVEYOU messages in May 2000, forwarding
itself to everybody in the user's address book. It
was designed to steal internet access passwords
for its Filipino creator

Ethics in Information Technology, Fourth Edition


• Storm worm
• The Storm worm, originally posing as breaking
news of bad weather hitting Europe, infected
computers around the world in 2007. Millions of
infected PCs were taken over by hackers and used
to spread spam and steal identities.

Ethics in Information Technology, Fourth Edition


• http://heartbleed.com/
• http://indiatoday.intoday.in/education/story/dangero
us-virus/1/465130.html
• https://en.wikipedia.org/wiki/WannaCry_ransomwar
e_attack

Ethics in Information Technology, Fourth Edition


Worms

• Harmful programs
– Reside in active memory of a computer
– Duplicate themselves
• Can propagate without human intervention
• Negative impact of worm attack
– Lost data and programs
– Lost productivity
– Additional effort for IT workers

Ethics in Information Technology, Fourth Edition


Example of worms
• In 2000, the ILOVEYOU worm was spread as an email attachment.
Clicking the attachment resulted in an infection, rather than an
expression of affection. This infection could overwrite most of the
data on the infected computer. Another worm began to spread
soon after - Code Red was released in 2001, and it exploited a
weakness in a popular Microsoft Web server.
• The all-around worst, though, was MSBlast. Spread during 2003, it
is said to be the most damaging, malicious software in history. It
resulted in the infection of 25 million computers, a nightmare for
Microsoft's tech support center (3 million callers within five days of
MSBlast's release), and the arrest and imprisonment of at least
one person. The one who was imprisoned only wrote a minor
variant of it,

Ethics in Information Technology, Fourth Edition


Trojan Horses

• Malicious code hidden inside seemingly harmless


programs
• Users are tricked into installing them
• Delivered via email attachment, downloaded from a
Web site, or contracted via a removable media
device
• Logic bomb
– Executes when triggered by certain event
– (example by a change in a particular file, by typing a
specific series of keystrokes.)

Ethics in Information Technology, Fourth Edition


Distributed Denial-of-Service (DDoS)
Attacks
• Malicious hacker takes over computers on the Internet and causes
them to flood a target site with demands for data and other small
tasks
– The computers that are taken over are called zombies
– Botnet is a very large group of such computers controlled by
hackers
• Does not involve a break-in at the target computer
– Target machine is busy responding to a stream of automated
requests
– users cannot access target machine(example dialing a
telephone number repeatedly so that other callers hear a busy
signal)

Ethics in Information Technology, Fourth Edition


Ethics in Information Technology, Fourth Edition
Rootkits(root access)

• Set of programs that enables its user to gain


administrator-level access to a computer without
the end user’s consent or knowledge
• Attacker can gain full control of the system and
even obscure the presence of the rootkit
• Fundamental problem in detecting a rootkit is that
the operating system currently running cannot be
trusted to provide valid test results
• The rootkits disguise themselves as drivers.

Ethics in Information Technology, Fourth Edition


Spam
• Abuse of email systems to send unsolicited email
to large numbers of people
– Low-cost commercial advertising for questionable
products
– Method of marketing also used by many legitimate
organizations
• Completely Automated Public Turing Test to Tell
Computers and Humans Apart (CAPTCHA)
– Software generates tests that humans can pass but computer
programs cannot.
– It consider your IP address /cookie activity and a lot more system
information.
– They record the movement of the mouse perform clicking on the I m a
robot button.
Ethics in Information Technology, Fourth Edition
Phishing

• Act of using email fraudulently to try to get the


recipient to reveal personal data
• Legitimate-looking emails lead users to counterfeit
Web sites
• Spear-phishing
– Fraudulent emails to an organization’s employees
• Smishing
– Phishing via text messages
• Vishing
– Phishing via voice mail messages
Ethics in Information Technology, Fourth Edition
Ethics in Information Technology, Fourth Edition
Ethics in Information Technology, Fourth Edition
Ethics in Information Technology, Fourth Edition
Types of Perpetrators(a person who carries out
a harmful, illegal, or immoral act.)
• Perpetrators include:
– Thrill seekers wanting a challenge
– Common criminals looking for financial gain
– Industrial spies trying to gain an advantage
– Terrorists seeking to cause destruction
• Different objectives and access to varying
resources
• Willing to take different levels of risk to accomplish
an objective

Ethics in Information Technology, Fourth Edition


Types of Perpetrators (cont’d.)

Ethics in Information Technology, Fourth Edition


Hackers and Crackers

• Hackers
– Test limitations of systems out of intellectual curiosity
• Some smart and talented
• termed “lamers” or “script kiddies”
• Crackers
– Cracking is a form of hacking
– Clearly criminal activity

Ethics in Information Technology, Fourth Edition


• DEF CON (also written as DEFCON, Defcon, or
DC) is one of the world's largest annual hacking
conferencehacker con.

Ethics in Information Technology, Fourth Edition


Malicious Insiders

• Major security concern for companies


• Fraud within an organization is usually due to
weaknesses in internal control procedures
• Collusion
– Cooperation between an employee and an outsider
• Insiders are not necessarily employees
– Can also be consultants and contractors
• Extremely difficult to detect or stop
– Authorized to access the very systems they abuse
• Negligent insiders have potential to cause damage
Ethics in Information Technology, Fourth Edition
Industrial Spies

• Use illegal means to obtain trade secrets from


competitors
• Trade secrets are protected by the Economic
Espionage Act of 1996
• Competitive intelligence
– Uses legal techniques
– Gathers information available to the public
• Industrial espionage
– Uses illegal means
– Obtains information not available to the public
Ethics in Information Technology, Fourth Edition
Cybercriminals
• Hack into corporate computers to steal
• Engage in all forms of computer fraud
• Chargebacks are disputed transactions
• Example transferring money from one account to
another
• Loss of customer trust has more impact than fraud
• To reduce potential for online credit card fraud:
– Use encryption technology
– Verify the address submitted online against the
issuing bank
– Use transaction-risk scoring software
Ethics in Information Technology, Fourth Edition
Cybercriminals (cont’d.)

• Smart cards
– Contain a memory chip
– Updated with encrypted data each time card is used
– Used widely in Europe
– Not widely used in the U.S.

Ethics in Information Technology, Fourth Edition


Hacktivists and Cyberterrorists

• Hacktivism
– Hacking to achieve a political or social goal
• Cyberterrorist
– Attacks computers or networks in an attempt to
intimidate a government in order to advance certain
political or social objectives
– Seeks to cause harm rather than gather information
– Uses techniques that destroy or disrupt services

Ethics in Information Technology, Fourth Edition


Federal Laws for Prosecuting
Computer Attacks

Ethics in Information Technology, Fourth Edition


Implementing Trustworthy Computing
• Trustworthy computing
– Delivers secure, private, and reliable computing
– Based on sound business practices

Ethics in Information Technology, Fourth Edition


Implementing Trustworthy Computing
(cont’d.)
• Security of any system or network
– Combination of technology, policy, and people
– Requires a wide range of activities to be effective
• Systems must be monitored to detect possible
intrusion
• Clear reaction plan addresses:
– Notification, evidence protection, activity log
maintenance, containment, eradication, and
recovery

Ethics in Information Technology, Fourth Edition


• Security:-the protection of information systems against unauthorized
access to or modification of information, whether in storage, processing or
transit, and against the denial of service to authorized users or the
provision of service to unauthorized users, including those measure
necessary to detect, document, and counter such threats.
• Privacy:-the quality or state of being apart from company or observation b)
freedom from unauthorized intrusion.
• Reliability- the extent to which an experiment, test, or measuring
procedure yields the same results on repeated trials. Relaibiltiy in the
content of Trustworthy Computing is presented by Microsoft as more then
just reliable software and provding support. Microsoft believes it means
being a reliable business partner, maintaining an open dialogue with our
customers and industry partners, and seeking feedback about how we can
improve our software and services.
• Integrity- the quality or state of being complete or undivided.
• A company must display and earn the trust with the client. Trust is assured
reliance on the character, ability, strength, of a business . · Character
feedback and opinions from clients and team members will display
leadership and open up ideas for improvement

Ethics in Information Technology, Fourth Edition


MCQ
• A(n) ____ takes place before the security community or
software developer knows about the vulnerability or has
been able to repair it.
• a. Zero-day attack
b. Hacking
c. Spying
d. System testing.
• Technically inept hackers are referred to as ___
a. Script kiddies
b. Lamers
c. None of the above
d. Both a & b
Ethics in Information Technology, Fourth Edition
• Which of the following is not the type of exploits?
a. Worms
b. Virus
c. Spam
d. firewall
• _____ is a piece of code that causes a computer to
behave in an unexpected and usually undesirable
manner.
a. Worms
• b. Trojan Horses
c. Viruses
d. DDoS Attacks

Ethics in Information Technology, Fourth Edition


Questions
• Types of exploits
• Four pillars of trustworthy computing
• Types of Perpetrators

Ethics in Information Technology, Fourth Edition


Risk Assessment

• Process of assessing security-related risks:


– To an organization’s computers and networks
– From both internal and external threats
• Identifies which investments of time and resources
will best protect from most likely and serious
threats
• Focuses security efforts on areas of highest payoff
• An asset is any hardware or
software,network,database that is used by org. to
achieve its business objectives
Ethics in Information Technology, Fourth Edition
Risk Assessment (cont’d.)

• Eight-step risk assessment process


– #1 Identify assets of most concern
– #2 Identify loss events that could occur
– #3 Assess likelihood of each potential threat
– #4 Determine the impact of each threat
– #5 Determine how each threat could be mitigated
– #6 Assess feasibility of mitigation options
– #7 Perform cost-benefit analysis
– #8 Decide which countermeasures to implement

Ethics in Information Technology, Fourth Edition


• Step 1:- assets that supports the org mission and the
meeting of its primary goals.
• Step 2:- Identify the loss events or risks that could
occur such as Ddos attack.
• Step 3:-Asses the frequency of threats example insider
fraud are more likely to occur than others
• Step 4:- determine the impact of each threat occurring.
Would it have a minor impact or major impact.
• Step 5:-determine how each threat can be
mitigated(action of reducing the seriousness) so that it
becomes much less likely to occur example antivirus.
• Step 6:- Feasibility(the state or degree of being easily
or conveniently done.)of implementing the
mitigation(act of reducing seriousness) options

Ethics in Information Technology, Fourth Edition


• Step 7:- Perform a cost benefit analysis to ensure
that your efforts will be cost effective.
• The concept of reasonable assurance recognizes
that managers must use their judgement to ensure
that the cost of control does not exceed the
system’s benefit risk or risk involved.
• Step 8:- Make decision on whether or not to
implement a particular countermeasure. If you
decide against implementing a particular
countermeasure,you need to reassess if the threat
is truly serious, if so identify a less costly counter
measure

Ethics in Information Technology, Fourth Edition


Risk Assessment (cont’d.)

Ethics in Information Technology, Fourth Edition


Risk Assessment (cont’d.)

Ethics in Information Technology, Fourth Edition


Establishing a Security Policy

• A security policy defines:


– Organization’s security requirements
– Controls and sanctions needed to meet the
requirements
• Describe responsibilities and expected behavior
• Outlines what needs to be done
– Not how to do it
• Automated system policies should mirror written
policies

Ethics in Information Technology, Fourth Edition


Establishing a Security Policy (cont’d.)
• Trade-off (compromise)between:
– Ease of use
– Increased security
• Areas of concern
– Email attachments(block an email with attachment)
– Wireless devices
• VPN(virtual private network) uses the Internet to
relay communications but maintains privacy
through security features
• Additional security includes encrypting originating
and receiving network addresses
Ethics in Information Technology, Fourth Edition
Educating Employees, Contractors,
and Part-Time Workers
• Educate and motivate users to understand and
follow policy
• Discuss recent security incidents
• Help protect information systems by:
– Guarding passwords
– Not allowing sharing of passwords
– Applying strict access controls to protect data
– Reporting all unusual activity
– Protecting portable computing and data storage
devices
Ethics in Information Technology, Fourth Edition
Prevention
• Implement a layered security solution
– Make computer break-ins harder
– If any attacker breaks one layers their will be another
layer to protect it.
• Installing a corporate firewall
– Limits network access
• Intrusion prevention systems
– Block viruses, malformed packets, and other threats
• Installing antivirus software
– Scans for sequence of bytes or virus signature
– United States Computer Emergency Readiness Team
(US-CERT)
Ethics in Information serves
Technology, as clearinghouse to protect
Fourth Edition
internet infrastructure from cyber attack
Prevention (cont’d.)

Ethics in Information Technology, Fourth Edition


Prevention (cont’d.)

Ethics in Information Technology, Fourth Edition


Prevention (cont’d.)

• Safeguards against attacks by malicious insiders


• Departing employees and contractors
– Promptly delete computer accounts, login IDs, and
passwords
• Carefully define employee roles and separate key
responsibilities
• Create roles and user accounts to limit authority

Ethics in Information Technology, Fourth Edition


Prevention (cont’d.)

• Defending against cyberterrorism


– Department of Homeland Security and its National
Cyber Security Division (NCSD) is a resource
• Builds and maintains a national security
cyberspace response system
• Implements a cyber-risk management program
for protection of critical infrastructure, including
banking and finance, water, government
operations, and emergency services

Ethics in Information Technology, Fourth Edition


Prevention (cont’d.)

• Conduct periodic IT security audits


– Evaluate policies and whether they are followed
– Review access and levels of authority
– Test system safeguards
– Information Protection Assessment kit is available
from the Computer Security Institute

Ethics in Information Technology, Fourth Edition


Detection
• Detection systems
– Catch intruders in the act
• Intrusion detection system
– Monitors system/network resources and activities
– Notifies the proper authority when it identifies:
• Possible intrusions from outside the organization
• Misuse from within the organization
– Knowledge-based approach
– Contains information about specific attack
– Behavior-based approach
– Any change in the behavior when compared with
original model.
Ethics in Information Technology, Fourth Edition
Response

• Response plan
– Develop well in advance of any incident
– Approved by:
• Legal department
• Senior management
• Primary goals
– Regain control and limit damage
– Not to monitor or catch an intruder

Ethics in Information Technology, Fourth Edition


Response (cont’d.)
• Incident notification defines:
– Who to notify
– Who not to notify
• Security experts recommend against releasing
specific information about a security compromise in
public forums, conference or seminar.( it should be
shared with other groups but not through corrupted
system))
• Document all details of a security incident
– All system events
– Specific actions taken
– All external conversations
Ethics in Information Technology, Fourth Edition
Response (cont’d.)

• Act quickly to contain an attack


• Eradication effort(the complete destruction of
something.)
– Collect and log all possible criminal evidence
– Verify necessary backups are current and complete
– Create new backups
• Follow-up
– Determine how security was compromised
• Prevent it from happening again

Ethics in Information Technology, Fourth Edition


Response (cont’d.)

• Review
– Determine exactly what happened
– Evaluate how the organization responded
• Weigh carefully the amount of effort required to
capture the perpetrator
• Consider the potential for negative publicity

Ethics in Information Technology, Fourth Edition


Computer Forensics

• Combines elements of law and computer science


to identify, collect, examine, and preserve data and
preserve its integrity so it is admissible as evidence
• Computer forensics investigation requires
extensive training and certification and knowledge
of laws that apply to gathering of criminal evidence

Ethics in Information Technology, Fourth Edition


• http://tips4pc.com/computer_tips_and_tricks/6-
juicy-criminal-cases-that-used-computer-
forensics.htm
• http://forensicswiki.org/wiki/Famous_Cases_Involvi
ng_Digital_Forensics

Ethics in Information Technology, Fourth Edition


Summary

• Ethical decisions in determining which information


systems and data most need protection
• Most common computer exploits
– Viruses
– Worms
– Trojan horses
– Distributed denial-of-service attacks
– Rootkits
– Spam
– Phishing, spear-fishing, smishing, vishing
Ethics in Information Technology, Fourth Edition
Summary (cont’d.)

• Perpetrators include:
– Hackers
– Crackers
– Malicious insider
– Industrial spies
– Cybercriminals
– Hacktivist
– Cyberterrorists

Ethics in Information Technology, Fourth Edition


Summary (cont’d.)

• Must implement multilayer process for managing


security vulnerabilities, including:
– Assessment of threats
– Identifying actions to address vulnerabilities
– User education
• IT must lead the effort to implement:
– Security policies and procedures
– Hardware and software to prevent security breaches
• Computer forensics is key to fighting computer
crime in a court of law
Ethics in Information Technology, Fourth Edition
Mcq

• Pillars of trustworthy computing


a. Security, Privacy, Reliability, Business Integrity
b. Security, Protection, Reliability, Business
Integrity
c. Speed, Protection, Reliability, Business Integrity
d. Safety, Privacy, Reliability, Business Integrity
• _____ is the one in which organization receive
fraudulent emails
a. Spear -Phishing
b. Smishing
c. Vishing
d.in Phishing
Ethics Information Technology, Fourth Edition
• Which among following is not the vendor of firewall
a. F-Secure Corporation
b. NiT kernel Resources
c. Panda Security
d. Check Point Software Technologies ltd.

• IPS stands for


a. Intrusion Protection System
b. Internet Prevention System
c. Intrusion Precaution System
d. Intrusion Prevention System
Ethics in Information Technology, Fourth Edition
• Template defines the means to establish a culture
of openness, trust, and integrity in business
practices.
a. Information Sensitivity Policy
b. Ethics Policy
c. Risk Assessment Policy
d. Voicemail Policy

Ethics in Information Technology, Fourth Edition

You might also like