CS 101

Computers and Society


Lecture 3
Computer and Internet Crime

Review
IT professionals have many different relationships with:
  Employers
  Clients
  Suppliers
  Other professionals
  IT users
  Society at large

Review
Support the Ethical Behavior of IT Professionals
  Professional Code of Ethics
  Professional Organizations
  Certification
  Government Licensing

Objectives
Why has there been a dramatic increase in the number of computer-related security incidents in recent years?
What are the most common types of computer security attacks?
What are the types of perpetrators?
What are the key elements of a multilayer process for managing security vulnerabilities?
What actions must be taken in response to a security incident?

IT Security Incidents: A Worsening Problem
Security of information technology is of utmost importance
  Protect confidential data
  Safeguard private customer and employee data
  Protect against malicious acts of theft or disruption
  Must be balanced against other business needs and issues
Number of IT-related security incidents is increasing around the world

Quote:
"In view of all the deadly computer viruses that have been spreading, (we) would like to remind you: when you link up to another computer, you're linking up to every computer that the computer has ever linked up to."

Increasing Complexity Increases Vulnerability
Computing environment is enormously complex
Continues to increase in complexity (interconnection of networks, web sites, switches, routers, etc.)
Number of possible entry points to a network expands continuously

Higher Computer User Expectations
Computer help desks
  Under intense pressure to provide fast responses to users' questions
  Sometimes forget to
    Verify users' identities
    Check whether users are authorized to perform the requested action
Computer users share login IDs and passwords

Expanding and Changing Systems Introduce New Risks
Sneakernet
Network era
  Personal computers connect to networks with millions of other computers
  All capable of sharing information

Increased Reliance on Commercial Software with Known Vulnerabilities
Exploit
  Attack on information system
  Takes advantage of a particular system vulnerability
  Due to poor system design or implementation
Patch
  Fix to eliminate the problem
  Users are responsible for obtaining and installing patches
  Delays in installing patches expose users to security breaches

Increased Reliance on Commercial Software with Known Vulnerabilities (continued)
Zero-day attack
  Takes place before a vulnerability is discovered or fixed

Types of Attacks
Most frequent attack is on a networked computer from an outside source
Types of attacks
  Virus
  Worm
  Trojan horse
  Denial of service

Viruses
Pieces of programming code
  Usually disguised as something else
  Cause unexpected and usually undesirable events
  Often attached to files

Viruses (continued)
Does not spread itself from computer to computer
  Must be passed on to other users through
    Infected e-mail document attachments
    Programs on USB flash disk
    Shared files
Macro viruses
  Most common and easily created viruses
  Created in an application macro language
  Infect documents and templates

Worms
Harmful programs
  Reside in active memory of a computer
  Duplicate themselves
  Can propagate without human intervention
Negative impact of virus or worm attack
  Lost data and programs
  Lost productivity
  Effort for IT workers

Cost Impact of Worms

Trojan Horses
Program that a hacker secretly installs
  Users are tricked into installing it
  Allow the attacker to steal passwords or spy on users by recording keystrokes
Logic bomb
  Executes under specific conditions
  Ex. Specific time or date

Denial-of-Service (DoS) Attacks
Malicious hacker takes over computers on the Internet and causes them to flood a target site
  The computers that are taken over are called zombies
Does not involve a break-in at the target computer
  Target machine is busy responding to a stream of automated requests
  Legitimate users cannot get in
Spoofing generates a false return address on packets

Perpetrators
Motives are the same as other criminals
  Different objectives and access to varying resources
  Different levels of risk to accomplish an objective

Classifying Perpetrators of Computer Crime

Hackers and Crackers
Hackers
  Test limitations of systems out of intellectual curiosity
  Script kiddies
Crackers
  Cracking is a form of hacking
  Clearly criminal activity

Malicious Insiders
Top security concern for companies
  Estimated 85 percent of attacks are committed by employees
  Usually due to weaknesses in internal control procedures
Insiders are not necessarily employees
  Can also be consultants and contractors
Extremely difficult to detect or stop
  Authorized to access the very systems they abuse

Industrial Spies
Illegally obtain trade secrets from competitors
Competitive intelligence
  Uses legal techniques
  Gathers information available to the public (financial reports, interviews with key officials)
Industrial espionage
  Uses illegal means
  Obtains information not available to the public (wiretap, bug a conference room, break into a research facility)

Cybercriminals
Hack into corporate computers and steal
  Stealing and reselling credit card numbers, personal identities, cell phone numbers
Cyberterrorists
Intimidate governments to advance political or social objectives
  Launch computer-based attacks
  Seek to cause harm
  Rather than gather information

Reducing Vulnerabilities
Security
  Combination of technology, policy, and people
  Requires a wide range of activities to be effective
1. Assess threats to an organization's computers and network
2. Identify actions that address the most serious vulnerabilities
3. Educate users
4. Take action to prevent a security incident
5. Monitor to detect a possible intrusion
6. Create a clear reaction plan

1. Risk Assessment
Organization's review of:
  Potential threats to computers and network
  Probability of threats occurring
Identify investments that can best protect an organization from the most likely and serious threats
Improve security in areas with:
  Highest estimated cost
  Poorest level of protection

2. Establishing a Security Policy
A security policy defines
  Organization's security requirements
  Controls and sanctions needed to meet the requirements
Outlines what needs to be done
Automated system policies should mirror written policies (password change every 30 days)
Trade-off between
  Ease of use
  Increased security

3. Educating Employees, Contractors, and Part-Time Workers
Educate users about the importance of security
  Motivate them to understand and follow security policy
  Discuss recent security incidents that affected the organization
Help protect information systems by:
  Guarding passwords
  Not allowing others to use passwords
  Applying strict access controls to protect data
  Reporting all unusual activity

4. Prevention
1. Implement a layered security solution
  Make computer break-ins harder
2. Firewall
  Limits network access
3. Implement different technologies
  Antivirus software
    Scans for a specific sequence of bytes
    Known as the virus signature
    Norton Antivirus, McAfee, Nod32, Kaspersky, Avira
    Continually updated with the latest virus detection information (virus definition)
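To make the "virus signature" idea concrete, here is an added example (not from the lecture or from any of the products named above) of the core of a signature scanner: a table of named byte sequences is searched for in a file, read in chunks so that a signature spanning two chunks is still caught. The EICAR string is the industry's standard harmless test file; the other two signatures and the sample "files" are constructed for this example.

```python
"""Minimal signature-based scanner, illustrating the 'virus signature' slide.

Definitions map a human-readable name to a byte sequence.  Real products ship
millions of such entries and refresh them continually; here two constructed
patterns plus the industry-standard EICAR test string stand in for a
definitions file.
"""
from __future__ import annotations

import io
from typing import BinaryIO

# Constructed definitions for this example.  The EICAR string is the real,
# harmless antivirus test file; the other two byte patterns are invented.
DEFINITIONS: dict[str, bytes] = {
    "EICAR-Test-File": b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
    "Example.Macro.Dropper": b'AutoOpen\x00Shell("',
    "Example.Worm.Beacon": b"\xde\xad\xbe\xef\x00\x01\x02\x03",
}

CHUNK = 64 * 1024  # bytes read per iteration


def scan_stream(stream: BinaryIO, definitions: dict[str, bytes] = DEFINITIONS) -> list[str]:
    """Return the sorted names of every signature found in the stream.

    The tail of the previous chunk (one byte shorter than the longest
    signature) is prepended to the next chunk, so a signature that straddles
    a chunk boundary is still detected.
    """
    longest = max(len(sig) for sig in definitions.values())
    carry = b""
    found: set[str] = set()
    while True:
        chunk = stream.read(CHUNK)
        if not chunk:
            break
        window = carry + chunk
        for name, sig in definitions.items():
            if sig in window:
                found.add(name)
        carry = window[-(longest - 1):] if longest > 1 else b""
    return sorted(found)


def scan_bytes(data: bytes, definitions: dict[str, bytes] = DEFINITIONS) -> list[str]:
    """Scan an in-memory buffer (used below for the constructed samples)."""
    return scan_stream(io.BytesIO(data), definitions)


def scan_file(path: str, definitions: dict[str, bytes] = DEFINITIONS) -> list[str]:
    """Scan a file on disk without loading it whole into memory."""
    with open(path, "rb") as fh:
        return scan_stream(fh, definitions)


if __name__ == "__main__":
    # Constructed samples: a benign text and a blob carrying one signature.
    clean = b"Dear customer, your invoice is attached."
    infected = b"PK\x03\x04 header " + DEFINITIONS["Example.Worm.Beacon"] + b" padding"
    print("clean:", scan_bytes(clean))        # []
    print("infected:", scan_bytes(infected))  # ['Example.Worm.Beacon']
```

The slide's remark that definitions must be "continually updated" is the weakness of this approach: a scanner only finds byte sequences it already knows, which is why a zero-day attack slips past it and why the detection slide later adds behaviour-based methods.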

Firewall Protection

Popular Firewall Software for Personal Computers

4. Prevention (continued)
4. Implement safeguards against malicious insiders
  Departing employees: promptly delete computer accounts, login IDs, and passwords
  Carefully define employee roles
  Create roles and user accounts

4. Prevention (continued)
5. Keep track of well-known vulnerabilities
  SANS (System Administration, Networking, and Security) Institute
  CERT/CC
6. Back up critical applications and data regularly
7. Perform a security audit
  Audit: change password every 30 days
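Two of the controls on these prevention slides, the 30-day password rotation that the policy slide says automated checks should mirror, and the prompt removal of departing employees' accounts, are exactly what a security audit script checks. Here is an added example (not from the lecture) of such an audit: it compares a directory export against an HR feed and reports accounts with stale passwords and accounts whose owner has left. The account records, HR feed, employee ids and dates are all constructed; in practice they would come from the directory service and the HR system.

```python
"""Account-hygiene audit for two controls from the prevention slides:
the 30-day password rotation policy and prompt removal of departed
employees' accounts.

Added example; the directory export and HR feed below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Account:
    username: str
    owner: str             # HR employee id (constructed)
    password_changed: date
    enabled: bool


# Constructed directory export.
ACCOUNTS = [
    Account("alice", "E100", date(2024, 5, 20), True),
    Account("bob",   "E101", date(2024, 3, 1),  True),   # password far older than 30 days
    Account("carol", "E102", date(2024, 5, 28), True),
    Account("dave",  "E103", date(2024, 4, 15), True),   # owner has left, account still enabled
    Account("svc-backup", "SVC1", date(2023, 1, 1), True),  # service account, see below
]

# Constructed HR feed: employee id -> still employed?
HR_ACTIVE = {"E100": True, "E101": True, "E102": True, "E103": False}

# Service accounts are not tied to a person and fall under a separate
# rotation policy, so they are excluded from both checks here.
SERVICE_ACCOUNTS = {"svc-backup"}

TODAY = date(2024, 6, 1)  # constructed audit date


def stale_password_accounts(accounts, today: date = TODAY, max_age_days: int = 30) -> list[str]:
    """Enabled user accounts whose password is older than the policy allows."""
    return sorted(
        a.username for a in accounts
        if a.enabled and a.username not in SERVICE_ACCOUNTS
        and (today - a.password_changed).days > max_age_days
    )


def orphaned_accounts(accounts, hr_active=HR_ACTIVE) -> list[str]:
    """Enabled user accounts whose owner HR lists as departed, or does not list at all.

    An owner missing from the HR feed is reported too: an account nobody
    vouches for is the insider-risk case the slide describes.
    """
    return sorted(
        a.username for a in accounts
        if a.enabled and a.username not in SERVICE_ACCOUNTS
        and not hr_active.get(a.owner, False)
    )


def audit_report(accounts=ACCOUNTS, today: date = TODAY) -> dict[str, list[str]]:
    """Combine both checks into one report a reviewer can act on."""
    return {
        "stale_passwords": stale_password_accounts(accounts, today),
        "orphaned": orphaned_accounts(accounts),
    }


if __name__ == "__main__":
    for finding, names in audit_report().items():
        print(f"{finding}: {', '.join(names) or 'none'}")
```

Run against the constructed data, the report flags bob and dave for stale passwords and dave as an orphaned account; the second finding is the one to act on first, since an enabled account for someone who has left is a live path into the systems they used to be authorized on.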

SANS Vulnerability Report

CERT Advisory CA-2001-22 W32/Sircam Malicious Code (NIMDA)
Original release date: July 25, 2001
Last revised: August 23, 2001
Source: CERT/CC
A complete revision history can be found at the end of this file.

Systems Affected
  Microsoft Windows (all versions)

Overview
"W32/Sircam" is malicious code that spreads through email and potentially through unprotected network shares. Once the malicious code has been executed on a system, it may reveal or delete sensitive information.
As of 10:00 EDT (GMT-4) Jul 25, 2001 the CERT/CC has received reports of W32/Sircam from over 300 individual sites.

I. Description
W32/Sircam can infect a machine in one of two ways:
  When executed by opening an email attachment containing the malicious code
  By copying itself into unprotected network shares

Propagation Via Email
The virus can appear in an email message written in either English or Spanish with a seemingly random subject line. All known versions of W32/Sircam use the following format in the body of the message:

  English                   Spanish
  Hi! How are you?          Hola como estas ?
  [middle line]             [middle line]
  See you later. Thanks     Nos vemos pronto, gracias.

Where [middle line] is one of the following:

  English
  I send you this file in order to have your advice
  I hope you like the file that I sendo you
  I hope you can help me with this file that I send
  This is the file with the information you ask for

5. Detection
1. Intrusion detection system (IDS) / Intrusion prevention system (IPS)
  Monitors system and network resources and activities / prevents attack
  Notifies the proper authority when it identifies
    Possible intrusions from outside the organization
    Misuse from within the organization
  Knowledge-based approach: known vulnerability pattern
  Behavior-based approach: unusual traffic for web site
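The two IDS approaches on this slide are easiest to compare side by side on the same data. Here is an added example (not from the lecture) that runs both over constructed web-server access-log lines: the knowledge-based detector matches request paths against known attack patterns, while the behavior-based detector counts requests per client per minute and flags any source far above the normal rate, which also catches the flood of automated requests from the earlier denial-of-service slide without needing a signature for it. The log lines, addresses, patterns and threshold are all constructed; the flood is generated in code.

```python
"""Knowledge-based versus behavior-based detection over web access logs.

Added example, not from the lecture; the Common Log Format lines, the
attack patterns and the rate threshold are constructed for illustration.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict

# Constructed access-log lines (Common Log Format).  Two requests from
# 198.51.100.4 probe for a command shell through a path-traversal trick.
BASE_LOG = """\
203.0.113.9 - - [25/Jul/2001:10:00:01 -0400] "GET /index.html HTTP/1.0" 200 5120
203.0.113.9 - - [25/Jul/2001:10:00:07 -0400] "GET /images/logo.gif HTTP/1.0" 200 2048
198.51.100.4 - - [25/Jul/2001:10:00:12 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
198.51.100.4 - - [25/Jul/2001:10:00:13 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 310
192.0.2.77 - - [25/Jul/2001:10:01:00 -0400] "GET / HTTP/1.0" 200 5120
"""

# Constructed flood: one client sends 300 plain requests within a single minute.
FLOOD = [
    f'192.0.2.200 - - [25/Jul/2001:10:02:{i % 60:02d} -0400] "GET / HTTP/1.0" 200 5120'
    for i in range(300)
]

LOG_LINES = BASE_LOG.strip().splitlines() + FLOOD

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Knowledge-based rules: patterns of known attacks seen in request paths
# (illustrative, not a complete or product signature set).
KNOWN_PATTERNS = {
    "Directory traversal": re.compile(r"\.\./|%2e%2e|%255c", re.IGNORECASE),
    "Command shell probe": re.compile(r"/cmd\.exe|/root\.exe", re.IGNORECASE),
}


def parse_line(line: str) -> dict[str, str] | None:
    """Split one log line into fields; return None for lines that do not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def knowledge_based(lines) -> list[tuple[str, str, tuple[str, ...]]]:
    """One alert per request whose path matches a known attack pattern."""
    alerts = []
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        hits = tuple(sorted(name for name, rx in KNOWN_PATTERNS.items() if rx.search(req["path"])))
        if hits:
            alerts.append((req["ip"], req["path"], hits))
    return alerts


def behaviour_based(lines, threshold: int = 100) -> dict[str, int]:
    """Clients whose peak requests-per-minute exceed the threshold.

    No signature is involved: any source generating an abnormal volume is
    flagged, whatever the requests contain.  The minute is taken from the
    timestamp prefix 'dd/Mon/yyyy:HH:MM'.  Real systems learn the threshold
    from a traffic baseline rather than fixing it as done here.
    """
    per_minute: Counter = Counter()
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        per_minute[(req["ip"], req["ts"][:17])] += 1
    peak: dict[str, int] = defaultdict(int)
    for (ip, _minute), n in per_minute.items():
        peak[ip] = max(peak[ip], n)
    return {ip: n for ip, n in peak.items() if n > threshold}


if __name__ == "__main__":
    for ip, path, rules in knowledge_based(LOG_LINES):
        print(f"KNOWN    {ip} {path} -> {', '.join(rules)}")
    for ip, n in behaviour_based(LOG_LINES).items():
        print(f"BEHAVIOR {ip} peaked at {n} requests/minute")
```

The two detectors fail in opposite ways, which is why the slide lists both: the knowledge-based rules say nothing about the 300-request flood because none of those requests is malformed, and the rate check says nothing about the two probes because two requests a minute is normal.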

5. Detection (continued)
2. Honeypot
  Provides would-be hackers with fake information about the network
  Decoy server
  Well-isolated from the rest of the network
  Can extensively log activities of intruders

6. Response
1. Incident notification defines
  Who to notify
  Who not to notify
  Security experts recommend against releasing specific information about a security compromise in public forums
2. Document all details of a security incident
  All system events
  Specific actions taken
  All external conversations

6. Response (continued)
3. Incident containment
  Act quickly to contain an attack
4. Eradication effort
  Collect and log all possible criminal evidence from the system
  Verify necessary backups are current and complete
  Create new backups
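"Verify necessary backups are current and complete" is a concrete check, and the moment to run it is before a restore, not after. Here is an added example (not from the lecture) of how that verification works: a manifest written at backup time records the hash of every file and when the set was taken, and at restore time the media is compared against it to report missing files, altered files, and whether the set is too old to count as current. The files, manifest format and timestamps are constructed.

```python
"""Check that a backup set is current and complete before relying on it,
as the eradication step on the response slide requires.

Added example; the files, manifest layout and dates are constructed.  A real
backup tool writes a manifest like this when the backup is taken; here
build_manifest() plays that role and verify_backup() is the restore-time check.
"""
from __future__ import annotations

import hashlib
from datetime import datetime, timedelta


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict[str, bytes], taken_at: datetime) -> dict:
    """Record the hash of every file in the set plus when the backup was taken."""
    return {
        "taken_at": taken_at.isoformat(),
        "files": {name: sha256_hex(data) for name, data in files.items()},
    }


def verify_backup(manifest: dict, stored: dict[str, bytes], now: datetime,
                  max_age: timedelta = timedelta(hours=24)) -> dict:
    """Compare what is actually on the media with what the manifest promised.

    'missing' lists files the manifest names that are not present; 'corrupt'
    lists files whose content no longer hashes to the recorded value (damage
    or tampering look the same here); 'stale' says the set is older than the
    recovery objective allows.  The set is usable only if all three are clear.
    """
    missing = sorted(name for name in manifest["files"] if name not in stored)
    corrupt = sorted(
        name for name, digest in manifest["files"].items()
        if name in stored and sha256_hex(stored[name]) != digest
    )
    taken_at = datetime.fromisoformat(manifest["taken_at"])
    stale = now - taken_at > max_age
    return {
        "missing": missing,
        "corrupt": corrupt,
        "stale": stale,
        "usable": not (missing or corrupt or stale),
    }


# Constructed backup set taken the previous evening.
ORIGINAL_FILES = {
    "billing.db": b"customer,amount\nacme,100\n",
    "config.ini": b"[server]\nport=8080\n",
    "users.csv": b"alice,admin\nbob,user\n",
}
TAKEN_AT = datetime(2001, 7, 24, 22, 0)
MANIFEST = build_manifest(ORIGINAL_FILES, TAKEN_AT)

# What is actually found on the media during the incident: one file altered,
# one file absent.
STORED_FILES = {
    "billing.db": b"customer,amount\nacme,999\n",
    "config.ini": ORIGINAL_FILES["config.ini"],
}


def demo(hours_after_backup: float = 11) -> dict:
    """Verify the damaged media a given number of hours after the backup."""
    return verify_backup(MANIFEST, STORED_FILES, TAKEN_AT + timedelta(hours=hours_after_backup))


def verify_original(hours_after_backup: float = 11) -> dict:
    """Verify an intact copy of the set, to show the age check on its own."""
    return verify_backup(MANIFEST, ORIGINAL_FILES, TAKEN_AT + timedelta(hours=hours_after_backup))


if __name__ == "__main__":
    print(demo())             # missing users.csv, corrupt billing.db, not usable
    print(verify_original())  # intact and 11 hours old: usable
```

The manifest only proves anything if it is stored separately from the data it describes, on media the incident could not have reached; otherwise whoever altered billing.db could have rewritten its recorded hash as well.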

6. Response (continued)
5. Follow-up
  Determine how security was compromised
  Prevent it from happening again
Review
  Determine exactly what happened
  Evaluate how the organization responded
Capture the perpetrator
  Consider the potential for negative publicity

What Would You Do?
1. You are the CEO of a three-year-old software manufacturer that has several products and annual revenues in excess of $500 million.
You've just received a recommendation from the manager of software development to hire three notorious crackers to probe your software products in an attempt to identify any vulnerabilities. The reasoning is that if anyone can find a vulnerability in your software, they can. This will give your firm a head start on developing patches to fix the problems before anyone can exploit them.
You're not sure, and feel uneasy about hiring people with criminal records and connections to unsavory members of the hacker/cracker community. What would you do?

What Would You Do?
2. You have just been hired as an IT security consultant to fix the security problem at Acme United Global Manufacturing.
The company has been hacked mercilessly over the last six months, with three of the attacks making headlines for the negative impact they have had on the firm and its customers.
You have been given 90 days and a budget of $1 million. Where would you begin, and what steps would you take to fix the problem?

What Would You Do?
3. You are the CFO of a midsized manufacturing firm. You have heard nothing but positive comments about the new CIO you hired three months ago.
As you observe her outline what needs to be done to improve the firm's computer security, you are impressed with her energy, enthusiasm, and presentation skills.
However, your jaw drops when she states that the total cost of the computer security improvements will be $300,000. This seems like a lot of money for security, given that your firm has had no major incident. Several other items in the budget will either have to be dropped or trimmed back to accommodate this project. In addition, the $300,000 is above your spending authorization and will require approval by the CEO.
This will force you to defend the expenditure, and you are not sure how to do this. You wonder if this much spending on security is really required. How can you sort out what really needs to be done without appearing to be micromanaging or discouraging the new CIO?

What Would You Do?
4. Your friend just told you that he is developing a worm to attack the administrative systems at your college.
The worm is harmless and will simply cause a message "Let's party!" to be displayed on all workstations on Friday afternoon at 3 p.m. By 4 p.m., the virus will erase itself and destroy all evidence of its presence. What would you say or do?

What Would You Do?
5. You are the vice president of application development for a small but rapidly growing software company that produces patient billing applications for doctors' offices.
During work on the next release of your firm's one and only software product, a small programming glitch has been uncovered in the current release that could pose a security risk to users. The probability of the problem being discovered is low, but if exposed, the potential impact on your firm's 100 or so customers could be substantial: hackers could access private patient data and change billing records. The problem will be corrected in the next release, but you are concerned about what should be done for the users of the current release.

What Would You Do?
The problem has come at the worst possible time. The firm is seeking approval for a $10 million loan to raise enough cash to continue operations until revenue from the sales of its just-released product offsets expenses.
In addition, the effort to communicate with users, to develop and distribute the patch, and to deal with any fallout will place a major drain on your small development staff, delaying the next software release at least one month.
You have a meeting with the CEO this afternoon; what course of action will you recommend?