A Comprehensive Approach to Managing Cyber-Security
(including Privacy Considerations)
Darin Hancock and LaWanda Jones
2007 PMBA UMSL Cohort / IS6800, December 9, 2005
Executive Summary
In 2004, security and privacy issues were ranked third among the concerns of CIOs and other IT managers. This ranking has risen over the last several years because computer systems, and the data they store, are constantly bombarded with attacks from cyber criminals known as hackers. Computers are used in nearly all facets of business today. As the world becomes more electronically interconnected through the Internet, it is more important than ever for companies and governments to protect the vast amounts of data that are stored electronically. Hackers are attacking computer systems at increasing rates in order to steal confidential data or to disrupt computer networks. Hackers have many weapons at their disposal to wreak havoc on computer networks; this paper describes those tools and explains solutions to combat these attacks.
The Computer Crime Survey, which is conducted on an annual basis by the Computer Security Institute and the Federal Bureau of Investigation, provided many of the statistics for this report. The 2003 and 2004 E-Crime Watch surveys, conducted by CSO Magazine in conjunction with the United States Secret Service and Carnegie Mellon University Software Engineering Institute's CERT Coordination Center, provided additional data.
In order for management to devise the best comprehensive plan to safeguard companies against security threats, it is important to understand the basic facets of the world of security. This includes a brief analysis of the sources of cyber threats, the victims, and the available resources. The sources of cyber threats consist of individuals or sophisticated gangs. The victims are primarily companies, which characteristically do not like to share information regarding their attacks but are at the same time partly responsible because of their frequent mismanagement of information. Then there is the victim by default, the individual, who screams "privacy, please." The emerging resources consist of legislation, government agencies, educational institutions, partnerships, insurance providers and security professionals (some of whom are reformed hackers).
Consequently, once managers become aware of and consider the future expectations of increased hacking, better technology, stronger alliances and improved enforcement of legislation, in addition to new and emerging acts such as economic espionage and cyber terrorism, they must take action and devise an effective security plan. To do this, managers must also understand that there is no such thing as 100% security; therefore expensive plans to secure everything are a waste. A comprehensive plan best utilizes funds to safeguard the critical business components while implementing and reinforcing the simple processes that maintain security.
Best practices for this ongoing process also consist of various elements, such as self-conducted or outsourced assessments. The assessment examples provided are the Black Ice and Dark Screen exercises. Although some global references are made, the best practices in this report are primarily for United States managers.
MANAGER'S CONCERN FOR SECURITY & PRIVACY ISSUES
In 2004, according to a formal survey conducted by the Society for Information Management (SIM), security and privacy issues were ranked as the third most important concern among CIOs and other IT managers.1 Approximately 10 years earlier, managers had ranked security and privacy issues 19th in importance. Looking at similar trends and the recent realities associated with security and privacy, the increased concern is understandable. There is no doubt that the September 11, 2001 tragedy spurred an awakening to this concern. However, there are thousands of other recorded and unrecorded incidents that have reinforced this importance.
Notable Hacks
In 1989 an attack was launched against the National Aeronautics and Space Administration (NASA) and exposed a weakness in the Agency's computer network.2 On October 16, 1989, two days before a scheduled space shuttle mission, two juveniles from Australia launched the WANK (Worms Against Nuclear Killers) worm against NASA. The two youths managed to infect thousands of computers throughout the Agency by gaining access to the machines with the default passwords that were set on the systems when they were shipped from the manufacturer. When the NASA technicians installed the new hardware, they did not take the time to change those passwords, and this gave the hackers access to the systems. Within weeks, the worm had spread to various other agencies across the world.
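The WANK incident turned on a single control: credentials that shipped with the system and were never changed. The following audit script is an added example, not part of the original paper and not a tool NASA used. It takes an inventory of deployed accounts and a list of known vendor defaults (both constructed here for illustration, with hypothetical product names) and flags any account whose password is still a shipped default or a trivial variant of one (a default with one or two characters appended).

```python
"""Audit deployed accounts for unchanged (or barely changed) vendor defaults.

Added example; not part of the original paper. Product names, the default
list and the inventory below are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed vendor defaults: (product, username) -> shipped passwords.
# Hypothetical product names; a real list comes from vendor documentation
# or a maintained default-credential database.
KNOWN_DEFAULTS = {
    ("acme-router", "admin"): {"admin", "password", ""},
    ("vaxnet-node", "system"): {"manager"},
    ("vaxnet-node", "field"): {"service"},
}


@dataclass(frozen=True)
class Account:
    host: str
    product: str
    username: str
    password: str


def _norm(pw: str) -> str:
    return pw.strip().lower()


def is_default_credential(acct: Account) -> bool:
    """True if the password is exactly a shipped default for this product/user."""
    defaults = KNOWN_DEFAULTS.get((acct.product, acct.username.lower()), set())
    return _norm(acct.password) in {_norm(d) for d in defaults}


def is_default_variant(acct: Account) -> bool:
    """True if the password is a default with one or two characters appended
    (e.g. 'service1'), a common way to 'change' a password without changing it."""
    defaults = KNOWN_DEFAULTS.get((acct.product, acct.username.lower()), set())
    pw = _norm(acct.password)
    for d in defaults:
        d = _norm(d)
        if d and pw.startswith(d) and 0 < len(pw) - len(d) <= 2:
            return True
    return False


def audit(accounts) -> list:
    """Return (host, username, finding) for every account that fails the check."""
    findings = []
    for a in accounts:
        if is_default_credential(a):
            findings.append((a.host, a.username, "DEFAULT"))
        elif is_default_variant(a):
            findings.append((a.host, a.username, "DEFAULT_VARIANT"))
    return findings


# Constructed inventory: what a post-install audit might pull from each host.
SAMPLE_INVENTORY = [
    Account("node01", "vaxnet-node", "SYSTEM", "MANAGER"),     # untouched default
    Account("node02", "vaxnet-node", "field", "service1"),     # default plus a digit
    Account("node03", "vaxnet-node", "system", "k7#Qp9!zLm"),  # properly changed
    Account("gw01", "acme-router", "admin", ""),               # blank default
]

if __name__ == "__main__":
    for host, user, finding in audit(SAMPLE_INVENTORY):
        print(f"{host}: {user} -> {finding}")
```

The comparison is case-insensitive on purpose, since the systems of the period often were, and the variant check is a deliberately narrow heuristic: it catches "service1" but not a password that merely shares a prefix by coincidence. Run against the constructed inventory it reports node01 and gw01 as untouched defaults and node02 as a variant; node03 passes.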
On March 26, 1999, a 30-year-old computer programmer named David Smith unleashed the Melissa virus on unsuspecting users of Microsoft's e-mail program Outlook.3 Melissa was distinct because it was the first macro virus to spread through e-mail. Once a computer was infected, the virus sent copies of itself to the first 50 names in the user's e-mail address book. The recipient saw a message whose subject line read, "An important message from… ", opened it thinking it was something important from an acquaintance, and the process started all over again. Because of this method of distribution, the virus spread feverishly through thousands of computers. As a result, many companies had to shut down their e-mail servers, including Microsoft. The total estimated damage caused by the Melissa virus was approximately $80 million, and David Smith received a sentence of approximately 20 months in prison.
Even though the Melissa virus is one of the most notorious virus attacks, it does not compare with the estimated damage caused by some other, lesser known viruses. According to a December 2004 Forbes article, the top five most costly viruses are listed below:
Sasser Virus—$17 billion
Klez Virus—$21 billion
SoBig Virus—$38 billion
Netsky Virus—$63 billion
MyDoom Virus—$83 billion
1 MISQ Dark Screen: An Exercise in Cyber Security Vol 4 No.2/June 2005
2 http://www.theage.com.au/articles/2003/05/24 viewed 11/05
3 http://www.viruslist.com viewed 10/05
In April 2001, even a computer network giant, Cisco Systems, was victimized.4 Two of its ex-employees transferred approximately 230,000 shares of Cisco stock into their own personal brokerage accounts. The stock was valued at approximately $6.3 million, and as a result of their brazen and somewhat foolish act, the two ex-employees were sentenced to approximately 34 months in prison.
Spam, another type of cyber threat, has recently emerged as a major problem. Spam is anonymous or disguised, unsolicited e-mail sent in mass delivery. Spam comes in all languages and accounts for 70 to 80 percent of all e-mail traffic. Spam first started to surface in 1997 in moderate volumes; today it is not uncommon for a company to receive approximately 100 million spam e-mails per month. In an October 2005 discussion, James Burdiss, Smurfit Stone VP and CIO, estimated that of the 1.2 million e-mails Smurfit Stone receives each month, 80% is spam. He further noted that approximately 82% of that 80% penetrates their anti-spam blocks. At an estimated market value of $1095 million annually, it is likely that spam will continue to grow for some time. With spam, the damage lies in the valuable company time expended sorting through mail that gets past anti-spam filtering.
Last but not least, the first hacker to have his photograph on an FBI most-wanted poster was Kevin Mitnick. Mitnick, a self-proclaimed liar, used his social engineering skills to hack into the computer systems of Nokia, Fujitsu, Motorola and Sun Microsystems. As a result of his crimes, Mitnick spent five years in prison.
Hacker’s Toolbox
The previous accounts of computer attacks are merely a few examples of the damage that can and has occurred. Hackers have many tools at their disposal to wreak havoc on a company's computer system and/or to steal information. The next section lists some of the methods of attack.
Cookies—small pieces of data that a web site stores in the visitor's browser and that record information about the visitor and the sites visited. Most cookies are used for legitimate purposes, but because a cookie can identify a user to a site, a stolen cookie can be used to impersonate that user
DoS (Denial of Service) Attack—an assault on a network that floods it with so many additional requests that regular traffic is either slowed or completely interrupted
Key Logger—a program that records passwords and IDs by capturing keystrokes from the computer keyboard and either logging them locally or sending them to its creator
Phishing—a scam to steal valuable information in which an official-looking e-mail is sent to potential victims pretending to be from their Internet Service Provider, bank or retail establishment
4 http://www.depts.washington.edu viewed 10/05
Phreaking—the act of breaking into the telephone system in order to obtain free phone service
Remote Administration Tool (RAT)—a program covertly installed on an unsuspecting victim's computer. This is the most dangerous of all hacking tools because it gives the attacker complete control of the infected computer
Salami Attack—a series of minor computer crimes that together result in a larger crime
Spam—unsolicited e-mail advertisements
Spyware—a program embedded on a computer that records passwords, Internet visits and cookies and can sometimes control computer services and remotely execute commands
Trojan Horse—a program that appears legitimate but performs some illicit activity when it is run
Virus—malicious code that infects a computer. Once the host program is executed, the virus code is activated and attaches copies of itself to other programs on the system. Effects range from pranks to destruction of programs
Worm—a self-replicating program that spreads from system to system over a network without user action, consuming disk, memory and bandwidth and, in severe cases, taking systems down
While most of the information gathered by hackers to conduct their attacks is obtained through electronic means, hackers also obtain the information through physical means, or a combination of both
Dumpster Diving—the act of sifting through the trash of an office or a technical installation to extract confidential data
Wiretapping—the act of listening in on a phone conversation by a third party, usually through covert means
Physical Masquerading—the act of using forged documents to physically gain access to secure areas
Social Engineering—the act of manipulating others into revealing sensitive data
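Several of the tools listed above, phishing in particular, rely on an e-mail appearing to come from somewhere it does not. The following script is an added example, not code from the original paper. It parses a raw message with Python's standard email library and reports three cheap indicators a mail filter can check: a display name that claims one domain while the address sits on another, a Reply-To on a different domain than the sender, and a link whose visible text names one host while its href goes somewhere else. The message is constructed for illustration, using reserved example domains and an address from the documentation IP range.

```python
"""Flag common phishing indicators in a raw e-mail message.

Added example; not part of the original paper. SAMPLE_MESSAGE is
constructed for illustration (example.* domains, 198.51.100.0/24 range).
"""
import re
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# A host-like token inside free text (display names, link text). Loose on
# purpose: it is only ever compared with the real sender or link host.
_DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_in_text(text: str) -> str:
    """First host-like token in free text, or '' if none."""
    m = _DOMAIN_RE.search(text.lower())
    return m.group(0) if m else ""


def href_host(href: str) -> str:
    """Host an href actually resolves to (scheme optional)."""
    target = href if "://" in href else "http://" + href
    return (urlparse(target).hostname or "").lower()


def phishing_indicators(raw: str) -> list:
    """Return [(indicator, detail), ...] for each suspicious feature found."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    senders = msg["From"].addresses if msg["From"] else ()
    sender_domain = senders[0].domain.lower() if senders else ""

    # 1. Display name claims a domain other than the real sender domain.
    if senders:
        claimed = host_in_text(senders[0].display_name)
        if claimed and claimed != sender_domain:
            findings.append(("display-name-domain-mismatch",
                             f"{claimed} vs {sender_domain}"))

    # 2. Replies are routed to a domain other than the sender's.
    replies = msg["Reply-To"].addresses if msg["Reply-To"] else ()
    if replies and sender_domain and replies[0].domain.lower() != sender_domain:
        findings.append(("reply-to-domain-mismatch",
                         f"{replies[0].domain.lower()} vs {sender_domain}"))

    # 3. Link text shows one host, href goes to another.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            shown, actual = host_in_text(text), href_host(href)
            if shown and actual and shown != actual:
                findings.append(("link-host-mismatch", f"{shown} -> {actual}"))
    return findings


# Constructed sample: reads like a bank notice, but every pointer leads elsewhere.
SAMPLE_MESSAGE = (
    'From: "security@firstbank.example" <alerts@mail-firstbank.example.net>\n'
    "Reply-To: verify@firstbank-secure.example.net\n"
    "To: customer@example.org\n"
    "Subject: An important message from FirstBank\n"
    "Content-Type: text/html; charset=utf-8\n"
    "\n"
    "<html><body><p>Your account will be suspended. Please verify now:</p>\n"
    '<a href="http://198.51.100.23/login">https://www.firstbank.example/verify</a>\n'
    '<a href="https://www.firstbank.example/help">Help center</a>\n'
    "</body></html>\n"
)

if __name__ == "__main__":
    for indicator, detail in phishing_indicators(SAMPLE_MESSAGE):
        print(f"{indicator}: {detail}")
```

None of the three checks proves a message is fraudulent on its own (mailing-list software legitimately rewrites Reply-To, for instance), which is why the function returns the indicators rather than a verdict; a filter would weight them alongside authentication results such as SPF or DKIM. On the constructed message all three fire; the second link, whose text is plain words rather than a host, correctly produces nothing.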
CSI/FBI Computer Crime Survey
The Computer Crime Survey is conducted on an annual basis by the Computer Security Institute and the Federal Bureau of Investigation. In 2004, approximately 700 companies and government entities responded to questionnaires regarding computer security issues (see Figure 1 for the breakdown). The number of responses in 2004 was the highest since the survey started in 1995, and there were several key findings in this year's survey.
First of all, virus attacks continue to be the source of the greatest financial losses. As illustrated in Figure 2, viruses accounted for nearly $43 million of the total $130 million in losses reported. Unauthorized access and theft of proprietary information rounded out the top three, with approximately $31 million each.5
5 http:// www.usdoj.gov/criminal/cybercrime/FBI2005.pdf viewed 10/23/2005
Another key finding of the CSI/FBI survey is that the financial loss per respondent decreased significantly from the prior year. In 2004, a total of 639 respondents reported a total loss of $130 million, whereas in 2003, a total of 269 respondents reported a total loss of approximately $141 million. The loss per respondent therefore decreased from roughly $526,000 to $203,000, or 61%.1
Figure 1.
Figure 2.
The final key finding regarding the number of security breaches reported concerned web site incidents. According to the respondents, web site incidents increased dramatically from 2003 to 2004. In 2003 approximately 89% of the respondents reported between one and five web incidents; in 2004, 95% of the respondents reported more than ten. Even though the increase is substantial, web site incidents still represent the smallest dollar amount of financial losses incurred by the respondents.
The financial losses shown in Figure 2 are rough estimates at best. Some of the losses associated with a cyber attack are easily measured, such as the cost of new software, the repair of an infected network or lost time. However, many of the losses experienced by businesses are not as easily measured, such as the financial loss associated with the corruption of data, the redirection of staff tasks or the loss of customers. If these items were quantifiable, the total calculated loss would be much higher.
2004 E-Crime Watch Survey
Another survey conducted in 2003 and 2004 was the E-Crime Watch survey, conducted by CSO Magazine in conjunction with the United States Secret Service and Carnegie Mellon University Software Engineering Institute's CERT Coordination Center. The survey results were based on 500 completed surveys from various sectors, both public and private. As with the CSI/FBI survey, the financial losses associated with cyber crime are large. Following are some of the findings based on the survey.
First of all, 30% of the 500 respondents reported no intrusions, while 43% reported an increase in attacks from the year before. Approximately 32% of the 500 respondents do not track losses associated with e-crime or intrusions, and of those organizations that do track losses, a staggering 49% did not know the amount of loss incurred due to cyber crime. The total estimated losses from cyber crime or intrusions were approximately $666 million.6
According to the survey, 40% of the organizations reported that the greatest cyber security threats came from hackers, and 22% reported current employees as the greatest threat.6
Similar to the findings of the CSI/FBI survey, viruses were the number one method of attack: approximately 77% of the organizations surveyed reported being attacked with viruses or other malicious software. Denial of service attacks came in second, with approximately 43% of the respondents experiencing them.6
Based on the findings in both surveys, cyber crime produces substantial measurable losses and even greater non-measurable financial losses.
6 http://www.cert.org/archive/pdf/2004eCrimeWatchSummary.pdf viewed 11/20/2005
ANALYSIS OF THE WORLD OF SECURITY
In order for management to devise the best plan to safeguard companies against security threats, it is important to understand the basic facets of the world of security. This includes a brief analysis of the sources of cyber threats, the victims, and the available resources.
Source
Individuals or groups of individuals known as hackers are by and large responsible for the countless security threats and cyber attacks. The term hacker originally described a person without ill intent: someone with a passionate and sincere curiosity about computers and about improving their software. However, regardless of intent, accidents can happen. Case in point: in November 1988, Robert Morris, then a computer science graduate student, released a worm that, because of a coding error, spread far more aggressively than he intended and infected several thousand systems. Thus the infamous Morris worm was born. Hacking is also not a recent problem, as some seem to think. In the early 1970s the hacker John Draper, better known as Cap'n Crunch, used a toy whistle from a cereal box to obtain free phone calls. Today, cracker is the newer term for cyber abusers, but it has not caught on universally; consequently the terms to hack, hacking and hackers are understood to signify unconstructive behavior. With the increasing number of global attacks as well as the destructive severity of attacks, other terms are becoming common, such as cyber-terrorism, information warfare, economic espionage and data pirating.
Money and personal profit would appear to be a hacker's main motivation. However, the desire for attention, thrill, challenge or political impact, or to vandalize or cause serious damage, can rank higher than monetary gain. For example, the hacker Electron, from the NASA break-in, expressed, "Initially I saw it as a challenge, as time passed it became more of an obsessive addiction, with challenge becoming a secondary motivator." Also, the famous reformed hacker Kevin Mitnick gave some insight into his motives: "…I was hacking for the curiosity, and the thrill to get a bite of the forbidden fruit of knowledge."
Managers should also be aware of the hacker underworld and its high level of sophistication; an estimated 90% of abusive hacking originates there. There are numerous gangs connected across the globe. For example, the Shadow Crew is said to be 4,000 members strong, operating worldwide from America to Brazil to England to Russia to Spain. These secretive and dangerous networks of professionals, although similar to other organized crime, keep abreast of current hacking skills through public resources. Hackers can take advantage of hacking chat rooms or attend hacker conventions such as DEF CON in Las Vegas or HOPE (Hackers On Planet Earth) in New York to polish up on hacker tips, tools and guides.
These groups know how to best utilize their members. In many instances, while certain members are responsible for mapping out the strategies, younger members are given the orders to execute the dirty work; thus, if caught, their penalties are minimal. For example, the Canadian teenager Mafiaboy was merely given a slap on the wrist because of his age: his punishment consisted of eight months in youth detention for launching DoS attacks on several web sites, including Yahoo, eBay, Amazon and CNN. Still, punishment has proven to be lean for most convicted hackers. In 1995, Vladimir Levin, a Russian mathematician, was sentenced to three years in prison and required to pay $240,015 in restitution after hacking into Citibank and stealing $10 million. To date there has been only one case where death was the punishment: in 1998, two Chinese hackers, Hao Jinglong and Hao Jingwen, were sentenced to death for hacking into a bank and stealing 720,000 yuan, equivalent to $87,000 US dollars. Nonetheless, hacking has continued to increase. In 2000, CERT/CC (the CERT Coordination Center) reported approximately 22,000 hacking incidents; in 2003, this number increased to over 137,000 incidents. Based on these numbers, it is reasonable to say that managers will not be free of hackers and their mayhem anytime soon.
Victims
measures to address this issue and have placed monies in their budgets specifically for security management. Fifty percent of the respondents surveyed by CSI/FBI earlier this year indicated that 1-5% of their IT budget is dedicated to managing security issues (see Figure 3). These numbers correspond with October 2005 discussions with James Burdiss. Mr. Burdiss mentioned that 1% of Smurfit Stone's IT budget is currently spent on security and that this percentage may increase to 5% this year. However, most companies tend not to share information regarding their attacks for fear of further attacks. It is also not uncommon for companies to withhold this information to avoid negative publicity, which could alarm customers, investors and business partners.
Figure 3: Percentage of IT Budget Spent on Security
Although companies are clearly the victims of many hacking expeditions, companies can be held equally responsible for some of these senseless events. This responsibility, or lack thereof, can be attributed to companies' frequent mismanagement of information. The information age has allowed companies to collect massive amounts of sensitive information; by the same token, some companies have not been good stewards in protecting that information. In a December 2004 MISQE (Vol. 3, No. 4) report, H. Jeff Smith, professor of management at the Babcock Graduate School of Management at Wake Forest University, shared his research regarding frequently observed types of mismanagement (see Figure 4). Many of the observations listed expose a lack of security and inadequate privacy controls. On the other hand, according to discussions with the UMSL (University of Missouri-St. Louis) IT Department, sensitive data there appears to be under control. Mr. Voss, the director of IT, stated, "There are many regulations regarding private and sensitive data. As we are entrusted with many different types of information, we feel it is incumbent upon us to keep that information in the greatest of confidence. Since our focus is sharp on this issue, we have been prepared for most new requirements that have come up."
• Unclear or obfuscating about future uses of data
• data re-use
• Inattentiveness to privacy implications of external data sharing
• Excessive liberalism regarding "affiliate sharing"
• Quality control lapses in data collection or manipulation (accidental errors)
• operating procedures (w/o rational referrals for human judgment)
• data (or violations of clear provisions)
Figure 4: Frequent Types of Company Mismanagement
Although rarely targeted directly, individuals, such as the customers of the large and small companies mentioned above, are by default considered victims. Moreover, because companies have frequently displayed inattentiveness to personal information, concern for privacy has increased. This is supported by many reports, such as one in the Wall Street Journal, which reported that personal privacy was Americans' number one concern for the 21st century according to an NBC poll. Furthermore, the public's outcry to maintain their privacy rights is being heard. Recently, Walmart canceled a store test of RFID (radio frequency identification) devices with its partner Gillette after a public outcry of opposition. These devices, or chips, available as small as grains of rice, contain identifying data that can be read automatically from a distance, which makes them well suited to tracking packages, or customers and their purchasing history.
Available Resources
Although still emerging, there are existing resources external to the company in place to assist with security issues. Such resources include but are not limited to legislation, government agencies, educational institutions, partnerships, insurance providers and security professionals.
Legislation
The 1986 Computer Fraud and Abuse Act is one of the major laws used to deter computer crimes. Violation of this act can carry a maximum penalty of 20 years in prison as well as monetary restitution. More recently, the Sarbanes-Oxley Act of 2002 requires proper management of customer information and sensitive data through proper controls. Also, the 2002 Public Health Security and Bioterrorism Preparedness and Response Act requires critical public infrastructure operators to conduct regular vulnerability assessments (VA) and to prepare and maintain emergency response plans (ERP). Critical infrastructures such as community water systems with large customer bases can identify their system weaknesses with the VAs and better handle emergencies with an ERP in hand. In addition, HIPAA, the Health Insurance Portability and Accountability Act, is recent legislation that restricts secondary use of medical data. Violating this act can incur a maximum of 10 years in prison and $250,000 in fines.
Government Agencies