Computer Ethics & Social Issues: Computer & Internet Crime
Anarchy in Cyberspace • “The Internet is the first thing that humanity has built that humanity doesn’t understand, the largest experiment in anarchy that we have ever had.” • Eric Schmidt, former Google CEO • How is this true??
Hackers, Hacktivists, Cybercriminals • Hackers • Discover vulnerabilities in computer systems and software and exploit them; the action may be criminal even when the motive is not • Hacktivists • Hackers who act in pursuit of a political or social goal • Cybercriminals • Hackers, or anyone else, who carry out illegal activity for personal (usually financial) gain
Further classifications… • Malicious Insider • Employees, contractors, or consultants who abuse the legitimate inside access they already have, causing damage for personal gain • Industrial Spy • Steals trade secrets to hand a rival a competitive advantage • Cyberterrorist • Attacks critical infrastructure: financial systems, utilities, and emergency response • All represent an increasing level of threat to EVERY business and government entity
The Reality is… http://www.wired.com/threatlevel/2014/01/teen-reported-security-hole/
All IT Security Incidents are a Concern • Malware infection • Denial-of-Service (DoS) attack • Password sniffing • Web site defacement • Physical theft of computing devices • Laptops • Mobile devices • Phones
Phases of an Attack • Planning • Why attack? For what purpose? • Scoping • How do you measure victory or failure? • Reconnaissance • Who, what, when, where, why, how? • Scanning • Find vulnerabilities in software, system, and/or organization • Exploitation • Deliver the attack, receive the result
Planning, Scoping, Recon • Not always performed!! • Is this a targeted attack? • Deliberate attempts against a specific target almost always involve these three steps • UNLESS the attacker is a script kiddie, or a hacktivist driven more by conviction than by skill, who skips straight to scanning • Is this a random drive-by? • Generally automated and wide-reaching: whoever happens to be vulnerable gets hit • Spam • Phishing • Botnet
Planning, Scoping, Recon • Threat landscape • Does the target have ties to political, social, or financial institutions? • If so, it has a higher threat value • Threat impact • Would disruption of its service have political, social, or financial repercussions? • If so, it has a higher threat value • Threat resilience • Does the target actively protect itself from information gathering, or does it give organizational data away? • Facebook, LinkedIn, Twitter, social engineering • Websites displaying employee contact information, information security policies, etc.
Scanning • Enumerate vulnerabilities • Software • Out of date or unpatched OS or applications • Applications with known vulnerabilities • Flash, Java, Adobe Reader, etc. • System • Network access vulnerabilities • Unsecured wireless, easy access to network ports • Computer access vulnerabilities • Boots to USB, DVD, or via network
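The scanning phase in code, as an added example that is not part of the original slides: a TCP connect scan that grabs each open service's greeting banner and compares the advertised version against a version floor. The target is a fake service the script starts on 127.0.0.1 itself, the banner it sends is constructed, and the `MIN_PATCHED` cut-offs are made up for illustration (a real assessment takes them from vendor advisories and CVE data).

```python
import re
import socket
import threading
from dataclasses import dataclass, field

# Constructed table for illustration only: product -> lowest version treated as patched.
# These are NOT real cut-offs; a real scan checks vendor advisories / CVE data instead.
MIN_PATCHED = {"OpenSSH": (9, 3), "vsFTPd": (3, 0)}


@dataclass
class ScanResult:
    port: int
    open: bool
    banner: str = ""
    product: str = ""
    version: tuple = field(default_factory=tuple)
    outdated: bool = False


def parse_banner(banner: str):
    """Pull product and major.minor out of a greeting such as 'SSH-2.0-OpenSSH_7.4'."""
    m = re.search(r"(OpenSSH|vsFTPd)[_ ](\d+)\.(\d+)", banner)
    if not m:
        return "", ()
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def scan_port(host: str, port: int, timeout: float = 2.0) -> ScanResult:
    """TCP connect scan of one port, then read whatever the service volunteers first."""
    result = ScanResult(port=port, open=False)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            result.open = True
            sock.settimeout(timeout)
            try:
                result.banner = sock.recv(256).decode("ascii", "replace").strip()
            except socket.timeout:
                pass  # service stays silent until the client speaks (HTTP, for instance)
    except OSError:
        return result  # closed, filtered, or unreachable
    result.product, result.version = parse_banner(result.banner)
    floor = MIN_PATCHED.get(result.product)
    result.outdated = bool(floor and result.version and result.version < floor)
    return result


def scan(host: str, ports) -> list:
    return [scan_port(host, p) for p in ports]


def start_fake_service(banner: bytes):
    """Constructed stand-in for a real daemon: accepts on 127.0.0.1, sends a banner, hangs up."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener closed
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def pick_closed_port() -> int:
    """Bind an ephemeral port and release it, so the scan has a known-closed target too."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo() -> list:
    srv, open_port = start_fake_service(b"SSH-2.0-OpenSSH_7.4\r\n")
    try:
        return scan("127.0.0.1", [pick_closed_port(), open_port])
    finally:
        srv.close()


if __name__ == "__main__":
    for r in demo():
        state = "open" if r.open else "closed"
        print(f"{r.port}/tcp {state} banner={r.banner!r} outdated={r.outdated}")
```

A connect scan completes the full handshake, so it shows up plainly in the target's logs; that is exactly the kind of noise the reconnaissance slide says a careful attacker tries to avoid, and the kind an IDS should be watching for. Banner versions are also easy to fake, so an unexpected or missing banner is a reason to look closer, not a verdict.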
Exploitation • Take advantage of discovered vulnerabilities through the use of one or more of the following: • Malware • DoS • Rootkits • Spam • Phishing • Other methods beyond the scope of this course: • SQL injection, Cross-Site Scripting, Man-in-the-Middle, Cryptographic attacks, etc., etc., etc.
Types of Malware • Virus • Code that attaches itself to a host program, document or macro and runs when the host runs, causing the computer to behave in an unexpected and usually undesirable manner; it needs a user action (opening the file, running the program) to spread • Worm • Self-replicating stand-alone program which spreads on its own over a network, email being one common vector • Trojan Horse • Malicious program which hides inside, or poses as, another program that appears benign • Logic Bomb • Malicious code that lies dormant until a specific trigger (a date, an event, a user account being removed) fires it; often delivered as a Trojan or planted by an insider
DoS Attack • Denial-of-Service • Attacker exhausts a victim's bandwidth, connection table, or processing capacity so that legitimate users cannot be served; typically a communication flood from an attacker machine to a victim machine • Ping of Death • “Are we there yet?” • An ICMP echo request whose fragments reassemble to more than the 65,535-byte IP maximum, crashing unpatched IP stacks • Abuse of the TCP/IP handshake • SYN flood: the attacker sends a stream of SYNs (commonly with spoofed sources), the victim answers each with SYN/ACK and waits for a final ACK that never comes; the half-open connection table fills and new connections are refused
Botnet • Large collection of compromised computers, each running a small bot client that stays in contact with one or more remote command-and-control servers • Infected machines are called zombies • Capable of large-scale Distributed DoS (DDoS) • Example: the Low-Orbit Ion Cannon (LOIC) & Operation Payback, a voluntary, opt-in flood rather than a malware-built botnet; LOIC did not hide the participants' IP addresses, and a number of them were identified and prosecuted
Rootkits • Set of programs which hide an attacker's presence (processes, files, network connections) and preserve privileged access on a target computer without the owner's consent or knowledge • RAT – remote administration tool, or remote access trojan when installed covertly • Some are legitimate – GoToMyPC • Some are not – Poison Ivy • Jailbreaking or rooting phones uses the same kind of privilege-escalation technique, but by the device's owner
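Both attacks on the DoS slide can be spotted in traffic records, and the added example below (not from the original slides) does that over constructed packet records, not a real capture. The record format, the addresses and the 20-half-open-connection threshold are assumptions for the example. The SYN-flood check counts half-open handshakes at the server socket rather than per source, because a flood typically spoofs a different source on every SYN; the Ping of Death check flags any ICMP fragment whose offset plus payload would reassemble beyond the 65,535-byte IP maximum.

```python
from collections import defaultdict

MAX_IP_DATAGRAM = 65535  # largest legal IP datagram after reassembly, in bytes


def build_sample() -> list:
    """Constructed packet records (not a real capture). Space-separated fields:
    ts src dst proto info frag_off payload_len
    For TCP, info is the flag string (S, SA, A); for ICMP it is the message type.
    frag_off is the fragment offset in bytes."""
    lines = [
        # One legitimate client completes the three-way handshake.
        "1 10.0.0.5:40001 192.0.2.10:80 TCP S 0 0",
        "1 192.0.2.10:80 10.0.0.5:40001 TCP SA 0 0",
        "1 10.0.0.5:40001 192.0.2.10:80 TCP A 0 0",
    ]
    # SYN flood: 40 SYNs from spoofed sources; the victim answers SYN/ACK, nobody ever ACKs.
    for i in range(40):
        lines.append(f"2 203.0.113.{i + 1}:{1000 + i} 192.0.2.10:80 TCP S 0 0")
        lines.append(f"2 192.0.2.10:80 203.0.113.{i + 1}:{1000 + i} TCP SA 0 0")
    # Ping of Death: final fragment of an ICMP echo that would reassemble past 65,535 bytes.
    lines.append("3 198.51.100.9 192.0.2.10 ICMP echo 65528 100")
    return lines


def parse(line: str) -> dict:
    ts, src, dst, proto, info, off, length = line.split()
    return {"ts": int(ts), "src": src, "dst": dst, "proto": proto,
            "info": info, "off": int(off), "len": int(length)}


def detect_syn_flood(records, threshold: int = 20) -> dict:
    """Half-open connections per server socket: SYN seen from a client, no ACK from it afterwards.
    Counting at the destination still works when every SYN carries a different spoofed source."""
    pending = defaultdict(set)  # server endpoint -> client endpoints still mid-handshake
    for r in records:
        if r["proto"] != "TCP":
            continue
        if r["info"] == "S":
            pending[r["dst"]].add(r["src"])
        elif r["info"] == "A":
            pending[r["dst"]].discard(r["src"])  # the client's final ACK completes the handshake
    return {dst: len(clients) for dst, clients in pending.items() if len(clients) >= threshold}


def detect_ping_of_death(records) -> list:
    """A fragment whose offset plus payload exceeds the IP maximum can never reassemble legally."""
    return [r for r in records
            if r["proto"] == "ICMP" and r["off"] + r["len"] > MAX_IP_DATAGRAM]


def analyze(lines) -> tuple:
    records = [parse(line) for line in lines]
    return detect_syn_flood(records), detect_ping_of_death(records)


if __name__ == "__main__":
    floods, pods = analyze(build_sample())
    for dst, n in floods.items():
        print(f"SYN flood suspected against {dst}: {n} half-open connections")
    for r in pods:
        print(f"Ping of Death fragment from {r['src']}: offset {r['off']} + {r['len']} bytes")
```

In production the half-open count has to be evaluated over a sliding time window (a busy server legitimately carries a few hundred half-open connections at any instant), and the usual mitigation is SYN cookies, which let the server answer SYNs without allocating state until the final ACK arrives.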
Spam • Abuse of email systems to send unsolicited email to large numbers of people • Low-cost commercial advertising • “Tired of the college bookstore prices? Get a better deal at…” • Not necessarily malicious • Porn, get-rich-quick schemes, stock info • Entices recipient to navigate to a malicious website or access a malicious attached file
Phishing • The act of fraudulently using email to try to get the recipient to disclose personal data • Con artist scam • The Nigerian Prince • “I can transfer $1,000,000 to your account…” • The Account Update • “Your information is out of date. Just click here…” • The New Email System • “Click here to access your new email. Just provide your old login and password…” • Spear-phishing • The same lure tailored to a specific person or organization, e.g. a message about UNG's new email system sent to UNG users
Federal Laws • USA PATRIOT Act • Defines cyberterrorism and its penalties • Identity Theft and Assumption Deterrence Act • Makes identity theft a federal crime with penalties up to 15 years imprisonment and a maximum fine of $250,000
Federal Laws • Fraud and Related Activity in Connection with Access Devices Statute • Criminalizes the possession, trafficking and/or use of counterfeit or unauthorized access devices (cards, account numbers, PINs, and telecommunications instrument identifiers) • Stored Wire and Electronic Communications and Transactional Records Access Statutes • Criminalizes unlawful access to stored communications in order to obtain, alter, or prevent authorized access to a wire or electronic communication while it is in electronic storage
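Most of the lures above rely on a link whose visible text and real destination disagree. The added example below (not from the original slides) extracts every link from an email body and flags the usual tells: a bare IP address as the host, a punycode host, visible text naming one domain while the href goes to another, and a trusted brand name used as a subdomain label of an unrelated registrable domain. The sample email body, the `TRUSTED` domain list and the "last two labels" approximation of a registrable domain are assumptions for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed list of domains the organization really uses (assumption for the example).
TRUSTED = {"ung.edu"}

# Constructed phishing email body modelled on the "new email system" lure.
SAMPLE_EMAIL = """
<p>Your mailbox is out of date. <a href="http://ung.edu.mail-update.net/login">Click here</a>
to access the new email system and provide your old login and password.</p>
<p>Or visit <a href="http://203.0.113.5/ung">https://mail.ung.edu</a> directly.</p>
<p>Campus news: <a href="https://www.ung.edu/news">ung.edu/news</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Last two labels as a stand-in for the registrable domain; a real tool uses the public suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})")


def analyze_link(href: str, text: str) -> list:
    """Return the reasons a link looks like a phishing link (empty list when it looks fine)."""
    reasons = []
    host = urlsplit(href).hostname or ""
    if not host:
        return reasons
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        reasons.append("href host is a bare IP address")
    if "xn--" in host:
        reasons.append("href host uses punycode (possible look-alike domain)")
    m = DOMAIN_IN_TEXT.search(text.lower())
    if m and registrable(m.group(1)) != registrable(host):
        reasons.append(f"visible text names {m.group(1)} but href goes to {host}")
    reg = registrable(host)
    if reg not in TRUSTED:
        labels = host.lower().split(".")
        for trusted in TRUSTED:
            brand = trusted.split(".")[0]
            if brand in labels:
                reasons.append(f"'{brand}' is only a subdomain label; registrable domain is {reg}")
    return reasons


def scan_email(html: str) -> list:
    """Return the suspicious links as (href, visible text, reasons)."""
    parser = LinkExtractor()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        reasons = analyze_link(href, text)
        if reasons:
            flagged.append((href, text, reasons))
    return flagged


if __name__ == "__main__":
    for href, text, reasons in scan_email(SAMPLE_EMAIL):
        print(f"{href!r} shown as {text!r}:")
        for reason in reasons:
            print("  -", reason)
```

Checks like these catch the crude lures; a spear-phishing message built for one organization may use a freshly registered look-alike domain that passes all of them, which is why the employee-education slides later in this deck matter as much as the filtering.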
Federal Laws • Computer Fraud and Abuse Act • Criminalizes fraud and related activities in association with computers: • Accessing a computer without authorization or exceeding authorized access • Transmitting a program, code, or command that causes harm to a computer • Trafficking of computer passwords • Threatening to cause damage to a protected computer
Laws outside of the U.S.A • Germany • Section 303b, Computer Sabotage • Up to 5 years' imprisonment or a fine for interfering with data processing that is essential to another person's business, another's enterprise, or a public authority • Malaysia • Computer Crimes Act • Unauthorized modification of the contents of any computer carries up to 10 years' imprisonment for each offense
Cybercrime is Bad • Deterrents exist via legal systems • So why is there still so much crime? • ID Theft • DoS • Espionage • Child Pornography • Extortion • Fraud • Relative to other crimes it is easy to perform and easy to get away with: the attacker acts remotely, can hide behind other people's machines and jurisdictions, and the same attack scales to thousands of victims at almost no extra cost
Risk Assessments • Process of assessing security-related risks to an organization’s computers and networks from both internal and external threats • Schedule regular internal audits • Hire outside consultants to perform fresh assessments every few years • Reasonable Assurance • The cost of the control does not exceed the system’s benefits or the risks involved
Security Policy • Defines an organization’s security requirements as well as the controls and sanctions needed to meet those requirements • Ethics Policy • Information Sensitivity Policy • Risk Assessment Policy • Personal Communications Devices Policy
Employee Education • User awareness • Is the Ethics Policy well understood, or is it just another item in the handbook, unread? • Have you ever read an Employee (or Student) Handbook? • Being constantly reminded about password policies can be annoying, but effective • Adherence to policy • If Big Brother is watching, are you more cautious?
Prevention of Cyberattack • Firewalls • Block or permit traffic according to rules on ports, protocols and addresses; the safe posture is default deny, permitting only what is explicitly needed • Intrusion Prevention System (IPS) • Actively blocks malware, malformed packets and other threats by comparing traffic against a signature database • Antivirus Software • Identity Management • Keep current on newly published vulnerabilities • US-CERT • Security Audits
Detection and Response • Intrusion Detection System (IDS) • Software/hardware which monitors computer and network behavior for malicious activity • Passive: it alerts but does not block, so someone must review the alerts and respond • Incident Response • Contain the malicious activity or the damage done • Remove the offending activity or repair the damage in a timely fashion • Follow up with a detailed after-action review so that the next attack is prevented, or detected and handled faster
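The firewall bullet turns on two things practitioners get wrong: the default action and rule order. The added example below (not from the original slides, and not the syntax of any real firewall product) evaluates a first-match policy the way a packet filter does, puts a weak default-allow policy next to a hardened default-deny one, and finds rules that can never fire because an earlier, broader rule shadows them. The policies, addresses and probe packets are constructed.

```python
from ipaddress import ip_address, ip_network

# A rule is (action, source network, destination port, protocol); "any" is a wildcard.
# Evaluation is first match wins, as on most packet filters. Both policies are constructed.
WEAK_POLICY = [
    ("allow", "any", 443, "tcp"),
    ("deny", "any", 23, "tcp"),        # telnet is blocked by name ...
    ("allow", "any", "any", "any"),    # ... but anything not listed walks straight in
]

HARDENED_POLICY = [
    ("allow", "any", 443, "tcp"),
    ("allow", "10.0.0.0/8", 22, "tcp"),  # SSH reachable only from the internal range
    ("deny", "any", "any", "any"),       # default deny: what is not explicitly allowed is blocked
]


def matches(rule, src: str, dport: int, proto: str) -> bool:
    _, net, port, rproto = rule
    if net != "any" and ip_address(src) not in ip_network(net):
        return False
    if port != "any" and port != dport:
        return False
    if rproto != "any" and rproto != proto:
        return False
    return True


def evaluate(policy, src: str, dport: int, proto: str) -> str:
    """Return the action of the first rule matching the packet; fail closed if none does."""
    for rule in policy:
        if matches(rule, src, dport, proto):
            return rule[0]
    return "deny"


def covers(a, b) -> bool:
    """True when every packet that matches rule b also matches rule a."""
    _, na, pa, pra = a
    _, nb, pb, prb = b
    net_ok = na == "any" or (nb != "any" and ip_network(nb).subnet_of(ip_network(na)))
    port_ok = pa == "any" or pa == pb
    proto_ok = pra == "any" or pra == prb
    return net_ok and port_ok and proto_ok


def shadowed_rules(policy) -> list:
    """Indexes of rules that can never fire because an earlier rule always matches first."""
    return [j for j in range(len(policy)) if any(covers(policy[i], policy[j]) for i in range(j))]


if __name__ == "__main__":
    probe = ("203.0.113.9", 3389, "tcp")  # RDP from an Internet address
    print("weak policy:", evaluate(WEAK_POLICY, *probe))          # allow
    print("hardened policy:", evaluate(HARDENED_POLICY, *probe))  # deny
    misordered = [("allow", "any", "any", "tcp"), ("deny", "any", 23, "tcp")]
    print("shadowed rule indexes:", shadowed_rules(misordered))    # [1]
```

The shadow check is the kind of test worth running on a real rule base before every change: a deny that sits below a broader allow is a rule the administrator believes is in force and that the device never consults.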
Computer Forensics • Discipline which combines elements of law and computer science to identify, collect, examine, and preserve data from computer systems, networks, and storage devices in a manner that preserves the integrity of the data gathered so that it is admissible as evidence in a court of law.
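The "preserves the integrity of the data" requirement is met in practice by hashing the evidence at acquisition and re-hashing before and after every examination. The added example below (not from the original slides) records a SHA-256 manifest for an evidence file, verifies a working copy against it, and shows that a single flipped bit in the copy is detected. The evidence file, the manifest layout and the examiner identifier are constructed for the example.

```python
import hashlib
import json
import tempfile
import time
from pathlib import Path


def sha256_file(path, chunk_size: int = 1 << 20) -> str:
    """Stream the file so a multi-gigabyte disk image never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def acquire(evidence: Path, manifest: Path, examiner: str) -> dict:
    """Record what was collected, when, by whom, and its hash at the moment of collection."""
    entry = {
        "file": evidence.name,
        "size": evidence.stat().st_size,
        "sha256": sha256_file(evidence),
        "acquired_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "examiner": examiner,
    }
    manifest.write_text(json.dumps(entry, indent=2))
    return entry


def verify(evidence: Path, manifest: Path) -> tuple:
    """Re-hash a file and compare with the manifest: (ok, expected, actual)."""
    entry = json.loads(manifest.read_text())
    actual = sha256_file(evidence)
    return actual == entry["sha256"], entry["sha256"], actual


def demo() -> tuple:
    """Acquisition, a verified working copy, then detection of a one-bit change in that copy."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        original = tmp / "disk.img"
        original.write_bytes(b"constructed stand-in for a disk image\n" * 2048)  # constructed data
        manifest = tmp / "disk.img.manifest.json"
        acquire(original, manifest, "examiner-01")

        working = tmp / "working_copy.img"
        working.write_bytes(original.read_bytes())
        copy_ok = verify(working, manifest)[0]   # examination happens on this verified copy

        data = bytearray(working.read_bytes())
        data[100] ^= 0x01                         # a single flipped bit, as tampering would do
        working.write_bytes(bytes(data))
        tampered_ok = verify(working, manifest)[0]

        return verify(original, manifest)[0], copy_ok, tampered_ok


if __name__ == "__main__":
    original_ok, copy_ok, tampered_ok = demo()
    print(f"original intact: {original_ok}, copy intact: {copy_ok}, tampered copy intact: {tampered_ok}")
```

The hash proves that the bytes examined are the bytes collected; it does not prove who collected them or that the original was never written to. That is what the signed manifest entry, a hardware write blocker on the original media, and a chain-of-custody log recording every hand-off add on top.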
Applicable Constitutional Amendments and Statutes • Fourth Amendment • Protects against unreasonable search and seizure • Fifth Amendment • Protects against self-incrimination • Wiretap Act • Pen Registers and Trap and Trace Devices Statute • Stored Wire and Electronic Communications Act
Questions • When are certain communications illegal? • Think DoS vs email • When is an electronic communication malicious and when is it not? Who decides? • Whose responsibility is it to secure a computing system? • Are the IT guys responsible for locking your computer while you are away from your desk? • Is there a policy stating that they must?