A Comprehensive Approach to Managing Cyber-Security
(including Privacy Considerations)
Darin Hancock () LaWanda Jones
2007 PMBA UMSL Cohorts/ IS6800
December 9, 2005
Executive Summary
In 2004, Security and privacy issues were ranked 3rd amongst CIOs and other IT manager. This ranking has grown over the last several years due to computer systems, and the data they store, being constantly bombarded with attacks from cyber criminals known as hackers.
Computers are used in nearly all facets of business today. As the world becomes more electronically interconnected through the use of the Internet, it is more important than ever for companies and government to protect the vast amounts of data that is stored electronically. Hackers are attacking computer systems at increasing rates in order to steal confidential data or to cause problems to computer networks. Hackers have many weapons at their disposal to wreak havoc on computer networks and this paper defines those tools, and explains solutions to combat these attacks.
The Computer Crime Survey which is conducted on an annual basis by the Computer Security Institute and the Federal Bureau of Investigation provided many statistics for this report. Also, the 2003 and 2004 E-Crime Watch survey conducted by CSO Magazine, in conjunction with the United States Secret Service and Carnegie Mellon University Software Engineering Institute’s CERT Coordination Center provided additional data
In order for management to best devise a comprehensive plan to safeguard companies against security threats, it is important to understand the basic facets of the world of security. This includes a brief analysis of the source of cyber threats, the victims, and the available resource. The source of cyber threats consist of individuals or sophisticated gang. The victims are primarily companies that characteristically do not like to share information regarding their attacks but at the same time are partly responsible because of their frequent mismanagement of information. Then there is the victim by default, the individual, who screams- privacy please. And the emerging resources consist of legislation, government agencies, educational institutions, partnerships, insurance providers and security professionals (some of which are reformed hackers).
Consequently, once managers become aware and considers the future expectations of increased hacking, better technology, stronger alliances, improved execution of legislation, in addition to the new and emerging acts such as economic espionage and cyber terrorism, managers must seriously take action and devise an effective security plan. To do this, managers must also understand that there is no such thing as 100% security. Therefore, expensive plans to secure everything are a waste. A comprehensive plan best utilizes funds to safeguard the critical business components while implementing and reinforcing the simple processes to maintain security.
Best Practices for this ongoing process, also consist of various elements such as self or outsourced assessments. Assessment examples provided are exercises with Black Ice and Dark Screen. Although, there are some global references made, this best practices of this report is primarily for United States managers
MANAGER’S CONCERN FOR SECURITY & PRIVACY ISSUES
In 2004, according to a formal survey conducted by the Society for Information Management (SIM), security and privacy issues were ranked as the top third concern amongst CIOs and other IT managers.[1] Approximately 10 years early, managers ranked security and privacy issues with an importance level of 19. Looking at similar trends and the recent realities associated with security and privacy, the increased concern is understandable. There is no doubt that the September 11, 2001 tragedy spurred an awaking to this concern. However there are thousands of other recorded and unrecorded accounts that have reinforced this importance.
Notable Hacks
In 1989 an attack was launched against the National Aeronautics and Space Administration (NASA) and exposed a weakness in the Agency’s computer network.[2] On October 16, 1989, (two days before a scheduled space shuttle mission), two juveniles from Australia launched the WANK (Worms Against Nuclear Killers) Worm
against NASA. The two youths managed to infect thousands of computers throughout the Agency by gaining access to the machines using default passwords that were included in the systems when they were shipped from the manufacturer. When the NASA technicians installed the new hardware, they didn’t take the time to change the passwords and this allowed the hackers access into the system. Within weeks, the worm had spread to various other agencies across the world.
On March 26, 1999, a 30 year old computer programmer by the name of David Smith unleashed the Melissa Virus on unsuspecting users of Microsoft’s email program Outlook.[3] The Melissa virus was distinct because it was the first macro virus that was spread through email. Once a computer was infected, the virus would send copies of itself to the first 50 names in the user’s email address book. When the recipient received the message, the subject line would read, “An important message from…..” The recipient would then open the message thinking that it was something important from their acquaintance and then the process would start all over again. Because of this unique way of distribution, the virus spread feverishly through thousands of computers. As a result of the virus, many companies had to shut down their email servers, including Microsoft. The total estimated damage caused by the Melissa Virus was approximately $80 million and David Smith received approximately 20 months in prison.
Even though the Melissa Virus is one of the most notorious virus attacks, it does not compare to the estimated damage caused by some other lesser known viruses. According to a December 2004 Forbes article, the top 5 most costly viruses are listed below:
· Sasser Virus—$17 billion
· Klez Virus—$21 billion
· SoBig Virus—$38 billion
· Netsky Virus—$63 billion
· MyDoom Virus—$83 billion
In April 2001, even a computer network giant, Cisco Systems, was victimized.[4] Two of their ex employees transferred approximately 230,000 shares of Cisco stock into their own personal brokerage accounts. The stock was valued at approximately $6.3 million and as a result of their brazen, and somewhat foolish act, the two ex employees spent approximately 34 months in prison.
Spam, another type of cyber threat has recently emerged as a major problematic issue. Spam is an anonymous or disguised, unsolicited email sent in mass delivery. Spam comes in all languages and accounts for 70 to 80 percent of all email traffic. Spam first started to surface in 1997 with moderate amounts of deliveries. Today it is not uncommon for a company to receive approximately 100 million spam emails per month. In a recent October 2005 discussion, James Burdiss
Smurfit Stone VP and CIO estimated that of the 1.2 million Smurfit Stone emails received each month, 80 % is spam. He further noted that approximately 82% of the 80% penetrates their anti-spam blocks. At an estimated market value of $1095 million annually it is likely that spam will continue to grow for some time. With spam, the damage lies in valuable company time expended to sort through mail that successfully penetrates anti-spam filtration.
Last but not least, the first hacker to have his photograph on an FBI’s most wanted poster was Kevin Mitnick. Mitnick is a self proclaimed liar and he used his social engineering skills to hack into the computer systems of Nokia, Fujitsu, Motorola and Sun Microsystems. As a result of his crime, Mitnick spent five years in prison.
Hacker’s Toolbox
The previous accounts of computer attacks are merely a few examples of the damage that can and has occurred. Hackers have many tools at their disposal to wreak havoc on a company’s computer system and/or to steal information. The next section provides a list of some of the methods of attack.
Cookies—programs that store information about web sites that a person has visited. Most cookies are used for legitimate purposes.
DoS - Denial of Service Attack—an assault on a network that floods it with so many additional requests that regular traffic is either slowed or completely interrupted.
Key Logger—a program that records passwords and IDs by recording keystrokes from the computer keyboard and either logging them or sending them to its creator.
Phishing—a scam to steal valuable information when an official-looking email is sent to potential victims pretending to be from their Internet Service Provider, bank or retail establishment
Phreaking—the act of breaking into the telephone system in order to obtain free phone service.
Remote Administration Tool (RAT)—a program that has been embedded into an unsuspecting victim’s computer. This is the most dangerous of all hacking tools as it allows complete and total control of an infected computer.
Salami Attack—a series of minor computer crimes that together results in a larger crime.
Spam—unsolicited email advertisements.
Spyware—a program embedded on a computer that records passwords, Internet visits, cookies and can sometimes control computer services and remotely execute commands.
Trojan Horse —a program that appears legitimate but performs some illicit activity when it is run.
Virus—software used to infect a computer. Once the program is executed, the virus code is activated and attaches copies of itself to other programs in the system. Effects range from pranks to destruction of programs.
Worm —a destructive program that replicates itself throughout disk and memory, using up the computer’s resources and eventually taking the system down
While most of the information gathered by hackers to conduct their attacks is obtained through electronic means, hackers also obtain the information through physical means, or a combination of both.
Dumpster Diving—the act of sifting through the trash of an office or a technical installation to extract confidential data.
Wiretapping—the act of listening in on a phone conversation by a third party, usually through covert means.
Physical Masquerading—the act of using forged documents to physically gain access to secure areas.
Social Engineering—the act of manipulating others into revealing sensitive data.
CSI/FBI Computer Crime Survey
The Computer Crime Survey is conducted on an annual basis by the Computer Security Institute and the Federal Bureau of Investigation. In 2004, approximately 700 companies and government entities responded to questionnaires regarding computer security issues (see Figure 1 for breakdown). The number of responses in 2004 was the highest since the survey started in 1995 and there were some key findings in this year’s survey.
First of all, virus attacks continue to be the source for the greatest amount of financial losses. As illustrated in Figure 2, viruses accounted for nearly $43 million of the total $130 million in losses reported. Unauthorized access and the theft of proprietary information rounded out the top three greatest financial losses with approximately $31 million each.[5]
Another key finding of the CSI/FBI survey is that the financial loss per incident decreased significantly from the prior year. In 2004, a total of 639 respondents reported a total loss of $130 million whereas in 2003, a total of 269 respondents reported a total loss of approximately $141 million. The losses per respondent decreased from $526,000 to $203,000 or 61%.[1]
Figure 1.
Figure 2.
The final key finding regarding the number of security breaches reported was the number of web site incidents. According to the respondents, web site incidents increased dramatically from 2003 to 2004. In 2003 approximately 89% of the respondents reported between one and five web incidents. However, in 2004, 95% of the respondents reported more than ten web incidents. Even though the increase is quite substantial, web site incidents still represent the smallest dollar amount of financial losses incurred by the respondents.
The financial losses shown in Figure 1 are rough estimates at best. Some of the losses associated with a cyber attack are easily measured, such as the cost of new software, the repair of an infected network or lost time. However, many of the losses experienced by businesses are not as easily measured, such as the financial loss associated with the corruption of data, redirection of staff tasks or the loss of customers. If these items were quantifiable, the total calculated loss would prove to be much higher.
2004 E-Crime Watch Survey
Another survey conducted in 2003 and 2004 was the E-Crime Watch survey conducted by CSO Magazine, in conjunction with the United States Secret Service and Carnegie Mellon University Software Engineering Institute’s CERT Coordination Center. The survey results were based on 500 completed surveys by various sectors, both public and private. Similar to the results of the CSI/FBI survey results, the financial losses associated with cyber crime are large. Following are some of the findings based on the survey.
First of all, 30% of the 500 respondents reported no intrusion while 43% of the respondents reported an increase in attacks from the year before. Of the 500 respondents, approximately 32% of them don’t track losses associated with e-crime or intrusions. Of those organizations that track losses, a staggering 49% of them didn’t know the amount of loss incurred due to cyber crime. The total estimated losses from cyber crime or intrusions were approximately $666 million. [6]
According to the survey, 40% of the organizations reported that the greatest cyber security threats were from hackers and 22% of the organizations reported current employees as the greatest cyber security threats.[6]
Similar to the findings from the CSI/FBI survey, viruses were the number one method of attack; approximately 77% of the organizations surveyed reported being attacked with viruses or other malicious software. Denial of service attacks came in second at approximately 43% of the respondents experiencing these types of attacks. [6]
Based on the findings in both surveys, cyber crime produces substantial measurable losses and even greater non-measurable financial losses.
ANALYSIS OF THE WORLD OF SECURITY
In order for management to best devise a plan to safeguard companies against security threats, it is important to understand the basic facets of the world of security. This includes a brief analysis of the source of cyber threats, the victims, and the available resources.
Source
Individuals or groups of individuals known as hackers are by and large responsible for the countless number of security threats and cyber attacks. The term hacker was originally characterized as a positive person whose motivation did not involve ill intent. A hacker was once defined as a person who passionately held a sincere curiosity about computers and improving its software. However, irregardless of intent, accidents can happen. Case in point, in November 1988, Robert Morris, a computer researcher, erroneously launched a worm infecting several thousand of systems. Thus, the infamous Morris worm was born. In addition, hacking is not a recent problem, as some seem to think. As early as 1970, the hacker John Draper, better known as Cap n Crunch used a toy whistle from a cereal box to get free phone usage. Today, cracker is the new term used to define cyber abusers. However, the term has not yet caught on universally. Consequently the terms to hack, hacking and hackers is understood to signify unconstructive behavior. With the increasing number of global attacks as well as the destructive severity of attacks, other terms are becoming common, such as cyber-terrorism, information warfare, economic espionage and data pirating.