24-09-2016, 11:35 AM
1456034000-CyberCrimeandCyberSecurity.docx (Size: 25.78 KB / Downloads: 4)
Introduction:
The history of crime and crime prevention has been akin to the history of warfare: an
offense is developed, then a defense counters the offense, then a new offense counters the
new defense. Machine guns led to the development of tanks which led to the development
of rocket propelled grenades, etc. When commerce consisted of camel caravans, people
in the Arabian Peninsula promoted banditry, ultimately forcing the commerce to go by
sea. When merchants used the sea lanes through the Mediterranean, the people of the
Maghreb promoted the Barbary pirates until they were ultimately countered by a punitive
US military action.
More recently, with the advent of the railroads came Jesse James, countered by the
Pinkertons and so on. Airlines discovered airline hijackers and parried the threat with the
excruciating experience they call airport security. Move followed by counter-move. In the
present conditions of economic crisis with thousands of recently fired, super-computer-savvy
techies on the loose, the venue for those of dishonest bent is the cyber-world. The
newest bandits are the malicious professional “hackers” who are not only well organized
but will strike with proven military precision driven by monetary gain. Thus, businesses
must learn to be en garde and protect their cyber property, such as Intellectual Property
(IP), which frequently accounts for 70% of the market value of companies that specialize
in franchising and licensing.
(II) Where’s the risk:
Everywhere: Cyber-crime is on the rise. On average, there has been a reported cybersecurity
event every single day since 2006. If there’s a transaction that involves a card
with a magnetic strip and a swipe, there’s a transaction that involves a risk. And if there’s
a computer system with software designed to allow access by multiple users (e.g. by
franchisees, vendors, or other providers) without security in mind, then there’s a major
risk of being hacked for malicious or competitive purposes. Mobile devices, often
containing sensitive data, are lost or stolen every day.
(III) Who’s been hacked?
As they say in the cyber security world, there are only two kinds of computer systems:
those that have been hacked and those that will be hacked. For example, crooks used
sophisticated methods to evade detection and place malware on nearly 300 Hannaford
Bros. supermarket servers to intercept payment information. As many as 4.2 million
credit and debit card numbers may have been exposed. Ironically, Hannaford was notified
of its massive problems on the very same day it was recertified as being Payment Card
Industry Data Security Standard-compliant. Like an AIDS test, penetration testing in the
cyber security arena offers assurance and protection only as of the date of the testing.
So once is not enough. Penetration testing must be done regularly and thoroughly to
maintain its value or it becomes worth no more than a cancelled subscription.
And just because people are computer savvy does not mean their data are safe. The
website of online retailer Geeks.com featured the “hacker safe” notification from McAfee
ScanAlert. Nevertheless, a hacker broke in and accessed customer credit card numbers
and other personal information on its site. And in another really scary example, mortgage
giant Fannie Mae narrowly avoided a software time-bomb set to destroy all data on its
computers.
(IV) What could happen:
1 Chan – Low risk. Hacker has gained entry to system but minimally. Minor
risk of business disruption, but access can aid attackers in information gathering and
planning future attacks.
2 Chans – Medium Risk. Malware has been implanted in the company’s
network, which could cause malfunctions and mischief. There is a significant risk of a
business disruption that could result in financial loss and/or damage of goodwill.
3 Chans – Medium-to-High Risk. Using sniffers or other equipment, hackers
have obtained personally identifiable information (PII) from point of sale (POS) systems.
There is a significant risk of a business disruption that could create financial loss and/or
damage of goodwill.
4 Chans – High Risk. Inside job: data stolen by disgruntled employee.
There is a potential risk of business disruption, resulting in financial loss and damage of
goodwill. PII may be taken, as well as company’s confidential information and financial
information.
5 Chans – Critical Risk. Hackers have gotten into the system and can access
PII as well as the company’s financial information and confidential information. There
is a severe risk of business disruption, financial loss, damage of goodwill. System,
application, and database have been compromised.
(V) What about policies/procedures:
Participants at the Davos conference on the international economy that ended in February
2009 took note of the world-wide gangs and other criminal organizations invading the
cyber world. They estimated the damages from cyber crime to be $1 trillion per year. The
cost of notifying customers alone in the case of a cyber event has been estimated at $1-3
per file accessed and $100-300 or more per file compromised.
In light of these numbers, companies are well advised to have policies in place with
respect to data protection, data retention, data destruction, privacy, and disclaimers to
customers. And, if a security breach occurs, the company should expect, and be prepared
for, a regulatory investigation during which the company will have to show that its
policies were well documented, updated as business processes change and observed, or
risk significant fines, agency oversight, or worse. The policies must be more than mere
window dressing; failure to conform to a company’s own stated, internal policies may be
worse than having no policies at all.
For example, the FTC recently went after two companies for failing to provide reasonable
and appropriate security for sensitive consumer information, leading to identity theft and
forced a settlement containing bookkeeping and record-keeping provisions to allow the
agency to monitor compliance. Under the terms of the settlement, the FTC ordered the
two companies to hire third-party security auditors to assess their security programs on
a biennial basis for the next 20 years; to certify that the companies’ security programs
meet or exceed the requirements of the FTC’s orders; and to prove that the companies are
providing “reasonable assurance that the security of consumers’ personal information is
being protected.”
(VI) What about cyber crisis planning/management:
IT (Information Technology) systems are vulnerable to a variety of disruptions from
a variety of sources such as natural disasters, human error, and hacker attacks. These
disruptions can range from mild (e.g. short-term power outage, hard disk drive failure)
to severe (e.g. equipment destruction, fire, online database hacked). Crisis (and Disaster
Recovery) planning refers to those interim measures needed to recover IT services
following an emergency or system disruption. Interim measures may include the
relocation of IT systems and operations to an alternate site, the recovery of IT functions
using alternate equipment, or the performance of IT functions using manual methods to
minimize the business impact.
In January 2009 Heartland Payment Systems, which processes 100 million credit and
debit card transactions per month, disclosed that hackers had penetrated its computer
network. By installing malicious software, the hackers gained access to digital
information encoded on a card’s magnetic strip that could be used to create duplicate
cards. In the wake of what was described as the biggest single breach of consumer
and financial data security ever, Heartland’s stock was hit hard. In public statements
following the incident, Heartland’s CEO compared the potential industry-wide impact of
the breach to the Tylenol poisonings that nearly brought down the drug maker Johnson &
Johnson in the early 1980s.
Cyber Crisis Management (Incident Response – Stop the bleeding) process covers the
following:
• Identify the Crisis at Hand – For example, is it a customer data breach, privacy
breach, virus outbreak, targeted malicious code attack, denial of service attack,
phishing attack, or third party data compromise?
• Analysis and Assessment – Triage of the incident to determine the severity (See
Chan Scale of Insecurity) and impact on the business.
• Coordination/Response Plan – Decide whether to protect or prosecute including
contacting the proper law enforcement authorities. If prosecution is the course of
action, all evidence (system/application logs, audit trails, and affected systems)
must be collected in a forensically sound manner to hold up in a court of law.
Contact all affected parties and communicate and agree upon a response plan.
• Containment/Recovery Plan – Restore affected systems to normal business
operation.
• Incident Learning – What can be learned from this incident? What can be
improved so this type of incident does not happen again?
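The Coordination/Response step above calls for evidence to be collected in a forensically sound manner. One part of that is an integrity record: hash every collected item at acquisition time, note who collected it and when, and re-hash later to show nothing changed. The following is an added example (not from the article or any incident-response product); the case id, collector name and log contents are constructed placeholders, and the manifest layout is an assumption, not a standard.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large images and logs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(paths, collector, case_id):
    """Record, for each collected item, its hash, size and who acquired it when.

    The manifest body is itself hashed so that later edits to the record are detectable."""
    items = []
    for p in paths:
        st = os.stat(p)
        items.append({
            "path": os.path.abspath(p),
            "size": st.st_size,
            "sha256": sha256_file(p),
            "acquired_utc": datetime.now(timezone.utc).isoformat(),
            "collector": collector,
        })
    manifest = {"case_id": case_id, "items": items}
    body = json.dumps(manifest, sort_keys=True).encode()
    manifest["manifest_sha256"] = hashlib.sha256(body).hexdigest()
    return manifest


def verify_manifest(manifest):
    """Return the list of items that no longer match the manifest; an empty list means intact.

    If the manifest record itself has been altered, that is reported first and nothing else
    is trusted."""
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    if expected != manifest.get("manifest_sha256"):
        return ["<manifest itself altered>"]
    bad = []
    for item in manifest["items"]:
        if not os.path.exists(item["path"]) or sha256_file(item["path"]) != item["sha256"]:
            bad.append(item["path"])
    return bad


def demo():
    """Constructed walk-through: acquire one log, verify, tamper with it, verify again.

    Returns (mismatches_before_tamper, mismatches_after_tamper)."""
    workdir = tempfile.mkdtemp()
    log_path = os.path.join(workdir, "auth.log")
    with open(log_path, "w") as f:
        # constructed sample content, not a real log
        f.write("2016-09-24T10:01:02 login_failed user=admin src=203.0.113.7\n")
    manifest = build_manifest([log_path], "on-call analyst (placeholder)", "CASE-0001 (placeholder)")
    before = verify_manifest(manifest)
    with open(log_path, "a") as f:
        f.write("appended after acquisition\n")  # simulates post-collection modification
    after = verify_manifest(manifest)
    return before, after


if __name__ == "__main__":
    print(demo())
```

In practice the manifest would be written out alongside the evidence and its own hash recorded somewhere the analyst cannot silently change (a signed e-mail, a ticket, a write-once store); the point the code shows is that both the items and the record of the items are checkable later.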
(VII) What about regular surveillance?
Many companies overlook the fact that security monitoring or surveillance is necessary
in order to protect their information assets. Security Information Management Systems
(SIM), if configured properly, can be useful in collecting and correlating security data.
• Security in Depth is a best practice. Several layers of security are better than one.
Surveillance on each layer of security will help identify the severity of a security
event; alerts coming from the internal corporate network might be more urgent
than on the external network.
• A policy of “least-privilege access” should always be implemented with respect
to sensitive information, and logs should be reviewed regularly for suspicious activity.
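The two bullets above (weight alerts by the layer they come from, and review logs for suspicious activity) are what a SIM correlation rule does. The following is an added example, not code from the article or any SIM product: it parses a handful of constructed log lines, counts failed logins per source and user, treats a read of a sensitive file after a burst of failures as a stronger signal, and scores internal-layer events higher than external ones as the article suggests. The log format, network ranges, sensitive paths, threshold and weights are all assumptions chosen for the demonstration.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample log lines (not from the article).
# Format assumed: "<timestamp> <layer> <event> src=<ip> user=<name> [path=<file>]"
SAMPLE_LOGS = """\
2016-09-24T10:01:02 external login_failed src=203.0.113.7 user=admin
2016-09-24T10:01:05 external login_failed src=203.0.113.7 user=admin
2016-09-24T10:01:09 external login_failed src=203.0.113.7 user=admin
2016-09-24T10:02:11 internal login_failed src=10.0.5.23 user=jsmith
2016-09-24T10:02:15 internal login_failed src=10.0.5.23 user=jsmith
2016-09-24T10:02:19 internal login_failed src=10.0.5.23 user=jsmith
2016-09-24T10:03:40 internal file_read src=10.0.5.23 user=jsmith path=/finance/payroll.xlsx
2016-09-24T10:05:00 external login_ok src=198.51.100.4 user=vendor1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<layer>\S+) (?P<event>\S+) src=(?P<src>\S+) user=(?P<user>\S+)"
    r"(?: path=(?P<path>\S+))?$"
)

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumed corporate ranges
LAYER_WEIGHT = {"external": 1, "internal": 3}  # inner layers weigh more, per the article
SENSITIVE_PREFIXES = ("/finance/", "/hr/")      # assumed sensitive locations
FAILED_LOGIN_THRESHOLD = 3


def parse_line(line):
    """Return a dict of fields, or None for lines that do not match the assumed format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_internal(src):
    """True when the source address falls inside one of the assumed internal ranges."""
    try:
        addr = ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def correlate(text):
    """Turn raw log text into a list of (score, message) alerts, highest score first."""
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    failures = Counter()
    alerts = []
    for e in events:
        weight = LAYER_WEIGHT.get(e["layer"], 1)
        key = (e["layer"], e["src"], e["user"])
        if e["layer"] == "internal" and not is_internal(e["src"]):
            # an "internal" sensor reporting a non-internal source is itself worth a look
            alerts.append((2 * weight, f"internal-layer event from non-internal address {e['src']}"))
        if e["event"] == "login_failed":
            failures[key] += 1
            if failures[key] == FAILED_LOGIN_THRESHOLD:
                alerts.append((2 * weight,
                               f"{FAILED_LOGIN_THRESHOLD} failed logins for {e['user']} "
                               f"from {e['src']} ({e['layer']})"))
        elif e["event"] == "file_read" and e["path"] and e["path"].startswith(SENSITIVE_PREFIXES):
            score = 3 * weight
            if failures[key] >= FAILED_LOGIN_THRESHOLD:
                score += 4  # sensitive read right after a burst of failures: escalate
            alerts.append((score, f"sensitive file {e['path']} read by {e['user']} "
                                  f"from {e['src']} ({e['layer']})"))
    alerts.sort(key=lambda a: -a[0])
    return alerts


if __name__ == "__main__":
    for score, msg in correlate(SAMPLE_LOGS):
        print(f"[{score:2d}] {msg}")
```

Run against the constructed lines, the internal user's sensitive read after three failed logins comes out on top, the internal failed-login burst second, and the external one last, which is the ordering the article's "alerts from the internal network might be more urgent" remark argues for.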
(VIII) Security Training and Awareness
The human factor is the weakest link in any information security program.
Communicating the importance of information security and promoting safe computing
are key in securing a company against cyber crime. Below are a few best practices:
• Use a “passphrase” that is easy to remember — E@tUrVegg1e$ (Eat your
veggies) and make sure to use a combination of upper and lower case letters,
numbers, and symbols to make it less susceptible to brute force attacks. Try not
to use simple dictionary words as they are subject to dictionary attacks – a type of
brute force attack.
• Do not share or write down any “passphrases.”
• Communicate/educate your employees and executives on the latest cyber security
threats and what they can do to help protect critical information assets.
• Do not click on links or attachments in e-mail from untrusted sources.
• Do not send sensitive business files to personal email addresses.
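The passphrase advice above (mix character classes, avoid plain dictionary words) can be turned into a check that a help desk or enrolment form could run. This is an added example, not code from the article: it counts the character classes present, estimates the brute-force search space in bits from those classes, and rejects anything that is a common word once simple letter-for-symbol substitutions are undone. The tiny word list and the substitution table are constructed stand-ins for a real cracking dictionary and are assumptions of the example.

```python
import math
import string

# Constructed toy word list; a real dictionary attack uses millions of entries.
COMMON_WORDS = {"password", "welcome", "letmein", "monkey", "dragon", "football", "qwerty"}

# Substitutions an attacker's rule set undoes before comparing against the dictionary (assumed).
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})

CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": len(string.punctuation)}


def normalize(passphrase):
    """Undo common symbol/digit substitutions and lower-case, as a cracker's rules would."""
    return passphrase.translate(LEET_MAP).lower()


def char_classes(passphrase):
    """Which of the four character classes the article lists are present."""
    return {
        "lower": any(c.islower() for c in passphrase),
        "upper": any(c.isupper() for c in passphrase),
        "digit": any(c.isdigit() for c in passphrase),
        "symbol": any(c in string.punctuation for c in passphrase),
    }


def bruteforce_bits(passphrase):
    """log2 of the search space an exhaustive attacker faces given length and classes used."""
    present = char_classes(passphrase)
    alphabet = sum(size for name, size in CLASS_SIZES.items() if present[name])
    return len(passphrase) * math.log2(alphabet) if alphabet else 0.0


def assess(passphrase, min_len=12, min_classes=3):
    """Return {'ok': bool, 'bits': float, 'problems': [str]} for a candidate passphrase."""
    problems = []
    if len(passphrase) < min_len:
        problems.append(f"shorter than {min_len} characters")
    n_classes = sum(char_classes(passphrase).values())
    if n_classes < min_classes:
        problems.append(f"uses only {n_classes} character class(es); need {min_classes}")
    if normalize(passphrase) in COMMON_WORDS:
        problems.append("is a dictionary word; symbol/digit substitutions do not disguise it")
    return {"ok": not problems, "bits": round(bruteforce_bits(passphrase), 1), "problems": problems}


if __name__ == "__main__":
    for candidate in ("E@tUrVegg1e$", "password", "P@ssw0rd"):
        print(candidate, assess(candidate))
```

The article's own example, E@tUrVegg1e$, passes (12 characters, all four classes, about 79 bits of brute-force space), while P@ssw0rd fails even though it also uses all four classes: once the substitutions are undone it is just "password", which is exactly the "dictionary attack" case the bullet warns about.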
(IX) Conclusion
The risks of cyber crime are very real and too ominous to be ignored. Every franchisor and
licensor, indeed every business owner, has to face up to their vulnerability and do something
about it. At the very least, every company must conduct a professional analysis of their
cyber security and cyber risk; engage in a prophylactic plan to minimize the liability; insure
against losses to the greatest extent possible; and implement and promote a well-thought-out
cyber policy, including crisis management in the event of a worst case scenario.
Appendix of links to articles on cyber crime
How to Jailbreak 1.1.1 only ipodtouch or iphone (script kiddie example)
http://www.youtube.com/watch?v=keO9K0kgJiI&feature=related
RSA Conference 2007: FTC planning new methods to combat ID theft (FTC chairman was a
victim)
http://www.scmagazineasia/news/article/6...newmethods-
combat-id-theft/
TJX settles with MasterCard for $24 million
http://www.scmagazineus.com/TJX-settles-with-MasterCard-for-24-million/article/108671/
FTC settles breach case with Reed Elsevier and Seisint (TJX data brokers)
http://www.scmagazineus.com/FTC-settles-breach-case-with-Reed-Elsevier-and-Seisint/article/108400/
Hannaford tells regulators how breach happened
http://www.scmagazineus.com/Hannaford-tells-regulators-how-breach-happened/article/108569/
Horizon 300,000 members unencrypted data on stolen laptop
p/Journal.Article/articleID/100061.htm
Appendix – Glossary of Cyber Security Terms
How Computers Work
• Hardware – All of a computer’s physical components including the mouse, keyboard,
screen, and printer as well as internal parts like the processor and hard drive.
• Operating system – Creates the connection between the computer’s hardware
and the application software employed by the user. Common operating systems
include Microsoft Windows, MacOS and Linux.
• Software – A set of instructions that cause the computer to perform certain tasks;
can be divided into two types: system software and application software.
• Browsers – Programs that look through content published on the Internet and
display Internet pages. The most commonly used browsers are Microsoft Explorer
and Mozilla Firefox.
Vulnerabilities
• Malware – The name given to malicious software that operates under the guise of
a useful software program. It runs computer processes that are either unexpected
or unauthorized but always harmful. The term “malware” generally covers
viruses, worms and Trojans.
• Viruses – Software with the ability to self-replicate and attach itself to other
executable programs. The behavior is comparable to its biological counterpart.
Computer viruses can also be contagious (might spread on or even beyond the
infected computer), exhibit symptoms (the presence of malicious code and
its magnitude) and involve a recovery period with possible long-term effects
(difficulty in removal and loss of data).
• Worm – An autonomous program or constellation of programs that distributes
fully functional whole or parts of itself to other computers. Worms are specialists
in spreading and reproducing. They consistently exploit all known vulnerabilities,
including people, to penetrate barriers that seem to be impenetrable to normal
viruses. A worm does not have a payload of its own but is often used as a transport
mechanism for viruses that ride piggyback and immediately start their work.
• Grayware – Applications that cause annoying behavior in the way programs
run. Unlike malware, grayware does not fall into the category of major threats.
Grayware is not detrimental to basic system operations.
• Spyware – Software that is installed under misleading premises and that monitors and
collects a user’s data and eventually transmits it to a company for various purposes.
This typically happens in the background, that is, the activity is invisible to most users.
• Phishing – A method of stealing personal data whereby an authentic-looking
e-mail is made to appear as if it is coming from a real company or institution.
The idea is to trick the recipient into sending secret information such as account
information or login data to the scammer.
• Dialers – Dialing programs used to dial up an Internet connection using preset and
typically overpriced phone numbers.
• Backdoor – An application or service that permits remote access to an infected
computer. It opens up a so-called backdoor to circumvent other security
mechanisms.
• Trojans – From the Greek legend of the Trojan Horse. In the world of computers,
it refers to covert infiltration by malicious software under the guise of a useful programme.
Protection
• Anti-virus software – Software that detects and removes viruses.
• Firewalls – A personal firewall is a program that works on a PC as a protective
filter for data communication in a potentially dangerous network such as the
Internet.