1
Jessica Cassano
497-00-6092
www.umsl.edu/~lacity/int480a.htm
2
The CYBER GANG
www.umsl.edu/~lacity/int480a.htm
3
A Comprehensive Approach to Managing Cyber-Security
(including Privacy Considerations)
Darin Hancock, LaWanda Jones (2007 PMBA UMSL Cohorts), 11/2005
Prepared for: IS6800
4
Common Types of Potential Cyber Threats
• VIRUS
• WORM
• TROJAN
• DoS (Denial of Service)
• SPAM
• SALAMI
• PHISHING
• PHREAKING
• ONLINE FRAUD, IDENTITY & DATA THEFT
• DUMPSTER DIVING
• SOCIAL ENGINEERING
• NATURAL DISASTER
www.thefreedictionary.com viewed 10/05
5
Definitions
• VIRUS – An infectious program that reproduces itself, destroying data along the way.
• DUMPSTER DIVING – The practice of sifting refuse from an office or technical installation to extract confidential data.
• WORM – An infectious program that reproduces itself over and over, using up memory.
• DENIAL OF SERVICE (DoS) – A network assault that floods the system with multiple requests.
• TROJAN – A program that appears legitimate, but performs some illicit activity when it is run.
• SPAM – An anonymous or disguised, unsolicited email sent in mass delivery.
• PHISHING – A scam to steal information through the use of “official”-looking emails or websites.
• SALAMI ATTACK – A series of minor computer crimes that together result in a larger crime.
• PHREAKING – The art and science of cracking the telephone network.
• NATURAL DISASTER – An emergency situation posing significant danger to life and property that results from a natural cause.
• ONLINE FRAUD, IDENTITY & DATA THEFT – Intentional deception resulting in injury to another person.
• SOCIAL ENGINEERING – Tricking people into revealing passwords or other sensitive information.
www.thefreedictionary.com viewed 10/05
7
The Melissa Virus
• Date of Attack – March 26, 1999
• Attacker – 30 year old David Smith
• Victims – thousands of Microsoft Word 97 and Word 2000 email users
• Damage – $80 million
http://www.usdoj.gov/criminal/cybercrime/melissa.htm viewed 10/05
www.viruslist.com viewed 10/05
8
The WANK Worm
• Date of Attack – October 16, 1989; 2 days prior to a scheduled space shuttle take-off mission
• Attacker – 2 teenagers, Electron & Phoenix, from Melbourne, Australia
• Victim – NASA
• Damage – initial network infection at the Kennedy Space Station in Florida, then weeks later to other sites around the globe, including other agencies:
  – US Dept. of Energy’s Fermi National Accelerator Lab (IL, US)
  – European Center for Nuclear Research (Switzerland)
  – Riken Accelerator Facility (Japan)
www.theage.com.au/articles/2003/05/24 viewed 11/05
9
SPAM
• Date of Attack – 1997 to present
• Attacker – Commercial Advertisers
• Victim – All email users
• Damage – Valuable time expended to sort through mail that penetrated anti-spam filtration
Case: James Burdis, Smurfit Stone Sr. VP & CIO, estimates that of the 1.2 million emails received monthly, 80% is spam, and approx. 82% of that 80% penetrates their anti-spam blocks.
www.viruslist.com viewed 10/05
10
Cisco Systems Data Theft
• Date of Attack – April 2001
• Attacker – 2 Cisco employees
• Victim - Cisco
• Damage – approx. $6.3 million of stolen stock shares
www.depts.washington.edu viewed 10/05
11
Losses (quantified & unquantified)
• Productivity Disruption
• Time Delays
• Redirection of Staff Tasks
• Down & Damaged Networks
• Data Corruption
• Profit Loss
• Disclosure of Sensitive Data
• Damage to Interdependent Companies
• Loss of Customers
MISQ Dark Screen: An Exercise in Cyber Security. Vol. 4 No.2/June 2005
12
RED ALERT!!!
13
You Have Been Hacked
• Hacking first began as a positive execution of computer improvements
• Although not widely used, “Cracking” is the term for abusive hacking
• Ill-intent hacking occurred as early as the 1970s
  Case: in 1991 Cap N Crunch hacker John Draper used a toy whistle from a cereal box to obtain free phone usage
• Occurrences increase each year
• New terms: cyberterrorism, information warfare, economic espionage, data pirating
www.cert.org viewed 10/05
www.viruslist.com/en/hackers viewed 10/05
14
Parties Involved in the Cyber-Security World
Hackers
Computer Researchers
Companies
Individuals
15
Key Points: Hackers
Why hack? “… I was hacking for the curiosity, and the thrill to get a bite of the forbidden fruit of knowledge.” – Kevin Mitnick, a famous reformed hacker
The Underworld
• Hacking Guides / Conferences
• Organized Gangs (ex: Shadow Gang, 4000 worldwide members)
Punishment
• Detention (kids)
• Prison
• Death
www.cnn.com/2005/TECH/internet viewed 10/05
www.businessweek.com viewed 10/05
www.viruslist.com viewed 10/05
16
Key Points: Computer Researcher
Oops, it was an Accident
Case: Nov. 1988, the Morris Worm, erroneously launched by Robert Morris, infected several thousand systems around the country
www.viruslist.com/en/hackers viewed 10/05
17
Key Points: Companies – the Victims
• High profile companies are hacker targets. “I’d begun targeting specific systems I saw as high profile or high challenge.” – Electron, on the NASA break-in
• Hesitant to disclose attacks to the public
• On average, companies have meager security standards
• Security & Privacy is ranked as the 3rd top management concern
• Although companies are the shepherds of massive amounts of sensitive information, information mismanagement is frequent
www.theage.com.au/articles/2003/05/24 viewed 11/05
MISQ Dark Screen: An Exercise in Cyber Security. Vol. 4 No.2/June 2005
21
Invasion of the Privacy Snatchers
22
Information Mismanagement
Action – Frequent Types of Mismanagement
Collection & Storage
• More data collection than needed
• Unclear or obfuscating about future uses of data
Secondary Use
• Policies/practices ignore privacy implications of internal data re-use
• Inattentiveness to privacy implications of external data sharing
• Excessive liberalism regarding “affiliate sharing”
Data Accuracy
• Lax security controls (enable deliberate errors)
• Quality control lapses in data collection or manipulation (accidental errors)
Authorized Access
• Weak security controls (technical)
• Inattentiveness to “need to know” implementation
Automated Judgment
• Excessive reliance on implementation of standard operating procedures (without rational referrals for human judgment)
Profiling
• Lack of clarity regarding provisions on external sharing of data (or violations of clear provisions)
MISQ Information Privacy and its Management Vol. 3 No.4/December 2004
23
Key Points: Individuals – the Indirect Victims
• Rarely targeted directly. “There are attacks that can be done, but it’s unlikely that I’ll be targeted as an individual.” – Kevin Mitnick, hacker poster boy
• Indirect victims primarily due to lax company security measures & practices
• Privacy concerns raised because of frequent company information mismanagement
www.cnn.com/2005/TECH/internet viewed 10/05
24
To the Rescue – RESOURCES
• Law – 1986 Computer Fraud & Abuse Act, Gramm-Leach-Bliley & Sarbanes-Oxley
• Government Agencies – FBI/NIPC, US-CERT, Homeland Security
• Education – SANS Institute, MITRE, Conferences
• Partnerships – ISACs (Information Sharing & Analysis Centers)
• Insurance Providers – AIG, CISCO, CHUBB, Counterpane
• Security Professionals – Symantec, Unisys
www.cert.org viewed 10/05
28
The Future
• Continued hacking at an increased pace with more sophistication; thought: potential for large electricity grids to be damaged, thereby crippling thousands of people, businesses, & emergency services
• Enhanced cyber-security technology
• Additional privacy concerns with new wireless technology (RFIDs)
• Increased company spending expected for cyber-security defenses
• Stronger alliances
• Additional regulations/laws expected
• Better international collaboration anticipated
29
Best Practices
Company Executives – Agency Strategic Plan
ALL Users – Cyber-Security Plan
GOOD ACTION / BETTER ACTION / BEST ACTION
30
Best Practices
Company Executives – Agency Strategic Plan
ALL Users – Fundamental Standards
GOOD – Utilize applications for perimeter defenses:
• Firewall
• IDS – Intrusion Detection System
• Anti-spam
• Anti-virus
• VPN – Virtual Private Network
• Encryption
www.cleanlink.com/sm/article viewed 10/05
32
Best Practices
Company Executives – Agency Strategic Plan
ALL Users – Cyber-Security Plan
BETTER –
• Shred paper
• Password protection / better password selection
• System removal (old employees)
• Training
• Establish a process for all users (identify steps; answer who, what, how)
• Track attacks
• Better information management
• Top-level buy-in
www.cleanlink.com/sm/article viewed 10/05
www.toptechnews.com/story viewed 10/05
33
Best Practices
Company Executives – Agency Strategic Plan
ALL Users – Comprehensive Management Cyber-Security Plan
BEST –
• Assessments: self penetration tests
• During the IT design stage, link security with business strategies
• Understand that 100% protection can’t be provided; therefore set security goals according to classification
• Keep abreast of current news / join partnerships
• Ongoing process
www.toptechnews.com/story viewed 10/05
www.cleanlink.com/sm/article viewed 10/05
MISQ Dark Screen: An Exercise in Cyber Security. Vol. 4 No.2/June 2005
36
SUMMARY
• Sensitive transactions call for increased security.
• More sophisticated hacking calls for increased security.
• Awareness: know what’s going on in the cyber-security community.
• With emerging policies, it is logical for companies to interact and provide their input rather than being strictly mandated to.
• Create a company-specific comprehensive security plan.
• Align the plan with business strategy.
• The plan should indicate proper management of information to help eliminate privacy concerns.
• Understand that the security plan should concentrate on the process, not the technological applications, and that this process is ongoing.
“You have to continue to train and implement new security. It needs to be something you do everyday.” – Steve Epner of Brown Smith Wallace, a St. Louis technology consulting firm
www.cleanlink.com/sm/article viewed 10/05