
Cybercrime



  1. Cybercrime Cybersecurity The Triangle Effect Security Policy Jaishri Mehta Mt. San Antonio College

  2. Policy – Dictionary definition

  3. Introduction • Does cybercrime drive security policy, or does cybersecurity drive security policy? • Unfortunately, cybercrime does • Reasons – • Bork Case • Policy can be broken into two categories: • System vulnerability – Cybersecurity • Human intervention (ethics) – Cybercrime

  4. Policies • Cannot stop cybercrime • Help deter cybercrime • Help in prosecuting offenders • Cybersecurity vulnerabilities help to find where crime can be committed • Also help hackers to find vulnerabilities • Cybercrime, Cybersecurity and Security Policy cannot function without each other

  5. Cybersecurity • Definition • Security of the data • Application of the data • Processes of the data and user intervention in the data • Security of the actual software • Security against the ability to upload software or input malicious data that interferes with the existing data

  6. How do these vulnerabilities exist? • Inherent? • Careless planning? • Human factor? • Not tested properly?

  7. Behavior of Software How to Break Software Security by James A. Whittaker and Herbert H. Thompson

  8. Security Fault Model • The software does not work according to specification – traditional bugs – purple part • The overlap is where the software works according to specification • The gray part is where the software does more than it is intended to do.

  9. Problem • Traditional bugs are tested for and the product is created (sold) • The security bugs are not tested for and therefore pose a security threat to the user of the software • Example: a media player plays audio and video but writes to unencrypted temporary storage, which software pirates are ready to exploit • Finding security bugs shows a direct correlation to cybercrime and the need for policy

  10. Breakdown of the fault model • Security and User Interface • Security and File System User • Security and the Operating System • Security and the Software User • Security inside the software

  11. Security and User Interface • Access to software is through the user interface (input data) • The input data can also come from another program • Threats: • Access Control • Malicious input • Unauthorized access or Sabotage

  12. Threats • Access Controls: • The user is authorized to enter, but how much authority does he have? • He may read files, but does that stop him from copy/paste, print screen, etc.? • Malicious Input • Buffer overflow occurs when the software fails to properly constrain input length • Input that is interpreted as code • SQL injection
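The two malicious-input classes on this slide, as an added example that is not part of the original presentation: a length constraint applied at the interface before input reaches any fixed-size storage, and the same lookup written once with the input spliced into the SQL text and once with a bound parameter. The table, limit and row values are constructed for the demonstration.

```python
import sqlite3

MAX_NAME_BYTES = 32  # constructed limit standing in for a fixed-size buffer


def within_limit(value: str, limit: int = MAX_NAME_BYTES) -> bool:
    """Constrain input length at the interface, counting bytes, not characters."""
    return len(value.encode("utf-8")) <= limit


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table with two users and their secrets."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)", [("alice", "s1"), ("bob", "s2")]
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Input is pasted into the statement, so it is interpreted as SQL code."""
    sql = f"SELECT secret FROM users WHERE name = '{name}'"
    return sorted(row[0] for row in conn.execute(sql).fetchall())


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Length is constrained first; the value is then bound as data, never as code."""
    if not within_limit(name):
        raise ValueError(f"input exceeds {MAX_NAME_BYTES} bytes")
    sql = "SELECT secret FROM users WHERE name = ?"
    return sorted(row[0] for row in conn.execute(sql, (name,)).fetchall())


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed input that reads as code when spliced in
    print("unsafe:", lookup_unsafe(db, probe))  # every secret leaks
    print("safe:  ", lookup_safe(db, probe))    # no user has that literal name
```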

  13. Examples • Infamous Code Red II • Example of buffer overflow in sendmail • What did it do? • Exploited a buffer overflow vulnerability in Microsoft’s Internet Information Server and infected the computers • Policies: also help the malicious user

  14. Security and File System Users • Files store sensitive data such as passwords, licenses, etc. • The file must be tested for how it is retrieved, stored, encrypted and managed • Threats: • Access to passwords • Sensitive data • Piracy

  15. Threats • Access to sensitive data • Basically handing over the keys to the safe • Location of the file and how it is retrieved • Examples: • Passwords stolen • Denial of Service • Pirated licenses • Policy for your users who have knowledge

  16. Security and the Operating-System User • Any interaction with an application must pass through memory at some time • Information that passes through memory encrypted is fine, but it has to be unencrypted at some point • Where it is unencrypted and how the process takes place is important • The where and the how have to be protected

  17. Threats • Denial of Service (DoS) • The application may crash and the information (data) is left in an inconsistent state • Buffer attacks • Source routing attack • Spoofing

  18. Examples • The fifteen-year-old Canadian boy whose alias was “Mafia Boy”, who issued a series of DoS attacks on e-commerce sites such as eBay and CNN • Some of the sites were not functional for up to 24 hours, resulting in losses of millions of dollars

  19. Security and the Software User • Every software component depends on another software component • This brings on another set of vulnerabilities • Look at the dependencies that naturally exist between the two software components • Components that depend on other software can fail, crash, or be compromised, which can affect your own security

  20. Examples • Ill-formed packets • Block access to libraries • Manipulate the application’s registry values • Replace the files that it creates, reads, writes or executes • Force the application to work in low memory or low disk space

  21. Security Inside the Software • It is the software itself that has to be protected, as it is that particular technology that gives a company the advantage over other companies • Such as algorithms or optimizations • Where this software is compiled and who can access it are of concern

  22. Threats • Access to the proprietary software and its inner workings • Using tools to reverse the compiled code

  23. Security Policies • We looked at system vulnerabilities that can be caused by software or users • Can all of the bugs be found and fixed? • So policies are written to cover the company • Look at the fault model – five categories • Ask whether the different testing has been done • Cybercrime – Cybersecurity – Security Policy

  24. Security Policies cont. • Write policies to cover the different areas that are not tested or unknown • The language should be generic so as not to give out information about vulnerabilities • Do not post your system security policies on the web for everyone to look at • Doing so hands over the research needed to conduct an attack

  25. Security Policies cont. • Ensure that the language is consistent with legal language • Make sure that the language is also consistent with the law of your state.

  26. Ethics (Human Intervention) • The weakest link in the “cyber world” is the human • Why look at ethics? • What is ethical to one may not be ethical to another in the “cyber world” • Ethics are important so everyone understands what is considered right or wrong

  27. Existence of Codes of Ethics • ACM (Association for Computing Machinery) and IEEE-CS (Institute of Electrical and Electronics Engineers Computer Society) established a joint code of ethics for software engineers • It consists of eight core principles • One of them deals with the integrity of your work

  28. Whistle-Blowing • Norman Bowie defines it as “the act of an employee informing the public on the immoral behavior of an employee or supervisor” • According to Sissela Bok, it “makes revelations meant to call attention to negligence, abuses, or dangers that threaten the public interest” • Both definitions talk about wrongdoing by a company and protecting the public • Security for the public, not the company

  29. Whistle-Blowing cont. • Case Illustration: • In the early ’70s BART (Bay Area Rapid Transit) was developing a new, computerized mass transit system • It was over budget, behind schedule, and considered unsafe • Three engineers went to their supervisors with their concerns • They received no satisfaction, so they went to the board and received no support • Frustrated, they went to the press with their concerns • They were fired • This prompted the federal Whistleblower Protection Act of 1989 (many states have their own laws as well) • It is still considered very risky to “whistle-blow” publicly

  30. Whistle-Blowing • This time the “cyber crime” is committed by the company, and the individual(s) are trying to bring awareness • Is there a policy in place to protect them? • Cybercrime, Cybersecurity and Policy – The Triangle Effect

  31. Privacy affects the Triangle Effect • Let us take an example: • Michael Scanlan describes how an independent computer consultant purchased data from Oregon’s Department of Motor Vehicles for a fee • He then took the data and put it in electronic form on the web • For a fee, anyone could enter a license plate and find the name and address of the owner registered to the vehicle

  32. Privacy affects the Triangle Effect cont. • You can see that the security of the individuals was in jeopardy • As a result of this information, crime could be committed (cyber-related crime) • There was no policy in effect to protect these individuals.

  33. Cybercrime • Cybercrime is not defined concretely • Cybercrime as defined by Forester and Morrison is “a criminal act in which a computer is used as a principal tool” • Tavani divides cybercrime into three categories

  34. Tavani’s definition • Cybercrimes – Cyberspecific: Cyberpiracy, Cybertrespass, Cybervandalism • Cyberrelated Crimes – Cyberexacerbated: Cyberstalking, Internet pedophilia, Internet pornography – Cyberassisted: Income tax, Physical assault, Property damage

  35. Cybercrimes cont. • Cyberrelated crimes do not affect the other two apexes of the triangle effect; they affect only one of the apexes • Cybercrime supports the triangle effect • Examples: • Leon steals a computer – cyberrelated • Leon files a fraudulent tax return electronically – cyberrelated • Curador and identity theft – cybercrime • Dimitri and Microsoft Corporation – cybercrime

  36. Intellectual Property rights • Case Illustration: • Dimitri Sklyarov’s decryption program • The program could decrypt the code for the e-reading software developed by Adobe • He was handcuffed on arriving in the US for a conference for what he had in his briefcase • Sparked the “Free Sklyarov” movement on the principle of “fair use” • Adobe dropped the charges • The principles involved in this case will be challenged again

  37. Intellectual Property • In the case of Sklyarov: • His program can be used to commit cybercrime • His program demonstrates a vulnerability in the cybersecurity • Is there any policy in effect? No • Did Sklyarov commit the crime?

  38. Intellectual property and domain • A “hacker” enters a system and discovers vulnerabilities in the system • He tells the company they have vulnerabilities • He will show the vulnerabilities for a fee • Has a cybercrime been committed? • Has cybersecurity been violated? • Is there anything to protect the company?

  39. Intellectual property and domain cont. • He has certainly trespassed but not stolen anything • Asking for a fee for his findings – is it bribery or a service? • The kinks still have not been worked out • Companies do pay some of these people

  40. Risk Analysis • Is cybersecurity an ongoing process or a product? • This process is the basis of risk analysis and risk management • Five categories: assets, threats, vulnerabilities, impact, and safeguards • The Triangle Effect

  41. Risk Analysis cont. • In order for us to sell cybersecurity, we need to consider risk analysis • If we can show or determine cybersecurity in terms of dollars and cents, we can convince them to provide funding • Just as insurance companies determine insurance through risk analysis, we should do the same • The Triangle Effect is one road map

  42. Conclusion • The Triangle Effect demonstrates that each component is not independent when looking at a community in general • When cybercrime, cybersecurity and policies are looked at together, we can forge policies that will help not only corporate companies but individuals and the community as a whole.

  43. Conclusion cont. • When cybersecurity and cybercrime are understood along with ethics, this will pave the way to an understanding of what is right and wrong in “cyberspace” • Policies can be forged as guidelines • Hence The Triangle Effect

  44. Important facts • http://rissc.mtsac.edu • Books referenced • How To Break Software Security – James A. Whittaker and Thompson • Ethics and Technology – Tavani • Contact Jaishri Mehta Mount San Antonio College jmehta@mtsac.edu
