countering cyber crime: it’s everyone’s responsibility€¦ · cyber crime counter measures. a...
TRANSCRIPT
It’s Everyone’s Responsibility
Countering Cyber Crime:
A Special Report By International Perspectives www.internationalperspectives.org
Overview & Highlights 2
The Problem: Avoiding Responsibility 4
The Cause: Defining Cyber Crime 6
Measures For Individuals 7
Parents 11
Educators 12
Employees 14
Measures For Organizations 15
Business 15
Industry 17
Law Enforcement 18
Government 20
Future Considerations 23
Conclusion 25
Glossary of Terms 25
Further Interest 25
Overview & Highlights
DisclaimerThis International Perspectives report contains analysis of perspectives and issues related to cyber crime. As such, this report is to be used
for general reference purposes only and is not to be construed as legal advice.
This report is copyright © 2008 International Perspectives and may not be reproduced, duplicated or distributed beyond the purchaser of this report. All rights reserved. IPSponsorship
Table of Contents
Overview: Due to a widespread lack of understanding on the topic, many have been slow to accept responsibility for countering cyber crime. This report considers the countering of cyber crime from a perspective geared at increasing awareness among a non-technical audience. In doing so, recommendations consisting of simple ways in which individuals and organizations can effectively counter cyber crime are made. Drawing from discussions held at a closed workshop on cyber crime, this report builds on the opinions of experts from a variety of fields.
Who Should Read This?:
Anyone with a vested interest in countering cyber crime, particularly, those readers looking to understand an oft-intimidating topic from a non-technical perspective or those responsible for disseminating an understanding on the topic to a non-technical audience.
Note on the Text:
Hyperlinks are provided to source material throughout the body of the text. As a result, the report is best read at a computer connected to the Internet.
Highlights • Simple Steps can counter cyber crime, but everyone must play their part. Anyone using Information Communications Technology is responsible for the prevention of cyber crime. Accepting responsibility is as basic as keep-ing Personal Computer software up-to-date or being cautious about sharing private information.
• Nearly half of all experts polled felt a lack of understanding most hinders cyber crime counter measures. A shift in focus from the technology involved in cyber crime onto the criminal act itself will increase awareness among non-technical people, encouraging uptake of simple yet effective counter measures.
• Education around issues in cyber crime and security must be increased. From the elementary to graduate levels, new programs need to be imple-mented and existing ones reassessed. Introducing mandatory courses on computer ethics at the introductory level and emphasizing the need to integrate security into software development at higher levels are absolutely necessary to counter cyber crime in the long-term.
• The Security industry should be prepared for a permanent shift towards openness regarding personal data among the average user. Although strong awareness campaigns can help discourage user disclosure of sensitive information, current trends suggest that the preponderance among average users to reveal personal information does threaten traditional identity-based approaches to security.
Overview & Highlights
Rates of cyber crime have been increasing at an alarming speed. In part, cyber crime contin-ues to spread due to a growing use of information communication technology (ICT), which plays an ever-important role in our daily lives. Individuals and organizations, however, which tend to typically be the victims of such illicit activity, are also playing a part in the effective spread of cyber crime. For many people, forming an understanding of what cyber crime really is has proven elusive. This lack of familiarity with the topic has led many to do nothing to counter the threat, under a misguided belief of not being responsible, thereby unwittingly abetting criminals. Considering the barriers to forming a working understanding of cyber crime, this report provides simple measures and ideas which even the non-technical reader can implement to counter the threat.
The Problem: Avoiding Responsibility
As quickly as ICT products have flooded the market and entered our lives, cyber crime rates have risen - perhaps at an even faster rate. Criminals have found a prime environment for conducting illicit activity in a digital world, while law abiding segments of society continue to grapple with developing an understanding of what cyber crime really is. The inability to comprehend the problem has left many with a sense of not being responsible for actively countering the threat.
This avoidance of responsibility plagues individuals, industry, corporations and governments alike. Stemming from a lack of understanding brought on by a broadness of definition, deci-sion makers are paralysed when faced with the task of developing practical measures to counter cyber crime. Instead of actually taking steps to counter cyber crime, many opt to shift the responsibility, and ultimately blame, onto someone or something else. Such irresponsibil-
Countering Cyber Crime:
It’s Everyone’s Responsibility
4
ity can manifest itself in individuals who store user passwords on notepads beside desktop computers to companies marketing products as completely secure when that is not the case to politicians who ignore the topic due to a lack of understanding.
The economic consequences of avoiding responsibility are considerable. Following a data breach in one of its stores, The TJX Companies Inc. spent US$12 million in the first quarter of fiscal 2008 alone on investigations into the network intrusions said to have occurred in 2005 and 2006. These costs are to say nothing of the prolonged financial losses that might be sustained including pending and potential law suits as a result of the breach. Breaches of customer or user data can affect millions of people, often putting sensitive personal informa-tion such as credit card and social insurance numbers into the hands of criminals – resulting in many unhappy, at-risk customers, leading to more unhappier investors.
5
Exhibit A Survey of 100 Experts, 2007Source: International Perspectives
What Most Hinders Counter Measures?
Weak Legislation34%
Geopolitics11%Under Funding
8%
Lack of Understanding
47%
The Cause: Defining Cyber Crime
It is difficult to assume responsibility for a topic that is little understood. Indeed, the chief
reason why most cyber crime measures are hindered is a fundamental lack of understanding.
Unlike traditional crime, many people have not yet developed a familiarity with the topic. The
sheer broadness of definition and a usual focus on technology as a key component of cyber
crime has done little to encourage such familiarisation.
The key to increasing widespread countering of cyber crime is to first adopt a simple sweep-
ing definition that allows non-technical people to readily grasp the topic, for example:
Cyber Crime is a very broad term used to describe illicit activity involving computers or networks either as a tool, target or place of a crime. Essentially it is crime that involves Information Communications Technology (ICT). Despite the focus on technology, cyber crime is just like other illicit activity perpetrated by a person or a group of persons against another entity and, as result, should be treated as such.
The focus should be shifted as much as possible away from the technological aspect of cyber crime and onto the actual crimes, such as fraud, theft and intrusion. Such a shift in focus will make the definition more acceptable to a wider audience. A focus on technology as a key component of cyber crime disassociates many people from the term. Computers and networks are subjects that many people perceive as requiring a high degree of specialisation to fully comprehend and as a result are met with discomfort by those not “in the know.”
Building on a broad definition, examples of cyber crime as it affects individuals in organizations should be used to help non-technical people develop a familiarity with cyber crime, such as:
6
• Computers and networks are increasingly being used to facilitate existing crimes. As a tool, e-mail has proven very effective at furthering fraud scams that encour-age people to provide sensitive personal information which enable culprits to access the victim’s bank and credit accounts, child exploitation has been greatly facilitated through the use of the Internet and stalking and abuse cases have taken on a virtual side through instant messaging and online communities.
• As ICT continues to play an ever-more integral role in our daily lives, computers and networks will inevitably be the target of crime. Such illicit activity will include attacks on service, otherwise known as Denial-of-Service (DoS) attacks, forced unauthorized access to sensitive information or hacking and the spreading of viruses or malicious code which can shut down or take over a computer network or destroy important information. And;
• Computers and networks can also be the place of crime, including the theft of communications services from a CSP or private network and financial fraud such as money laundering.
Developing a basic understanding of cyber crime as it affects individuals and organizations is crucial to encouraging widespread acceptance of responsibility, and as a result, active partici-pation in countering the threat. Too much focus on what exactly the permanent legal definition of cyber crime will be is counter-productive to a much needed concerted effort in thwarting illicit cyber activity. While lawyers and legislators struggle with the wording, there is much the rest of us can do to stop the spread of cyber crime.
Measures For Individuals
Never has the individual been more important than in stemming the spread of cyber crime. A person who accepts responsibility and actively takes steps to counter cyber crime, can help facilitate time sensitive investigations, influence larger organizations to take action or simply remove another computer from a ring of botnets engaged in fraud scams.
7
Unfortunately, many individuals have mistakenly perceived themselves to be unaffected by and, as a result, not responsible for countering cyber crime. Seen to be more a financial or economic crime affecting companies as opposed to regular people, cyber crime has been easily ignored by the individual. This added disregard for the topic combined with the inherent broadness and technical focus of the definition of cyber crime has caused many individuals to avoid becoming active in countering the threat.
What concern and responsibility that might have developed around stemming cyber crime has been stymied by a very human desire for easy answers. Technological solutions that promise security have misled many individuals into believing that everything straight out of the box is secure. Easily ignored green anti-fraud bars on web browsers and pop-up notifications re-garding anti-virus software have created a false sense of security resulting in a lack of vigi-lance and acceptance of responsibility in terms of self-protection against cyber crime.
As with other issues related to security, individuals tend to believe that the authorities are responsible and as a result will protect the interests of the public. This has caused many people to see the problem of cyber crime as being something far bigger than they can contribute to in curtailing. In reality, however, everyone is responsible, and failing to take action is a form of complicity in furthering cyber crime. For example, leaving a nice car on a busy street in a large city with the keys in the ignition and doors unlocked would be unthink-able for most people, in essence, it would be inviting a criminal to steal the vehicle. Yet, many individuals plug computers into a large community of users spanning the globe, the Internet, without first installing some sort of a lock to prevent others from accessing the device. Personal computers tend to be used as the home office storing sensitive information on bank accounts, finances and personal details. The long-term impact of having such data stolen is arguably greater than that of having a car stolen and yet it is commonplace only to protect against the stealing of one’s vehicle.
Not securing one’s computer or failing to be vigilant about on-line habits is as inviting to a criminal as an unlocked car with keys inside – except a computer is like an illicit gift that keeps on giving. For example, in a FBI study it was estimated that a million computers are already part of Bot networks, meaning that these computers have been infected with
8
malware, which has turned the machines into robots unbeknownst to the owners. Once part of a Bot network a computer can be easily controlled to further the spread of e-mail scams intended to trick regular computer users into providing sensitive personal information or worse, distribute child pornography, essentially acting as an accomplice in perpetrating a criminal offence.
Preventing cyber crime isn’t difficult. The following steps are but a few simple ways in which everyone can help thwart criminals taking advantage of ICT:
• Software and applications are inviting entrances into your computer. Taking certain precautions can prevent criminals from gaining access to your system. If some of these steps seem difficult, ask a friend who is more technically literate for help – it won’t take long and most tech savvy people are happy to help those willing to learn.
- Make sure you have efficient security software such as anti-virus, anti-spyware or a firewall operating on your system.
- Listen to your security software when it alerts you to something. - Keep your operating system and other software up to date. - Turn off all software and applications that aren’t being used or are unneces-
sary on your computer. - Turn your computer off when you are not using it, not only will this assist in
curbing power usage, but it can help prevent intrusions
• Be vigilant when opening e-mail or surfing the Internet. Although technology can help in securing your computer nothing trumps personal vigilance.
- Open only expected attachments from known contacts. E-mail forwards from friends might not be what they seem; after all, any computer can be infected with malware and sending messages surreptitiously.
- If you really must open an attachment, refrain from double-clicking on the icon. Instead, open the software you think would read the attached file, drag-
9
ging and dropping the attachment into the running software. If the attachment is malware the software will not be able to open it. If your software does not allow you to drag and drop the file, save the attachment to the desktop where your up-to-date anti-virus software will scan the document. Next, run the application you think will be needed and open the file inside the program.
- Clicking on embedded links in e-mails can lead you to fake and dangerous websites. Scammers are increasingly using graphics and embedded links in e-mails to hide bad websites. Typing out website addresses can help ensure that you visit only the official sites you want to. Always pay close attention to website addresses, clever spoofs fool the eye, such as replacing www.visa.com with www.v1sa.com.
- Avoid using scripts. The little programs that allow drop down menus and pop-up windows on websites, scripts, provide easy access for infecting your computer. By turning scripting off in your web browser, except when absolutely necessary such as with most on-line banking sites, another door
will be locked to criminals. Many newer versions of web browsers now come
10
Exhibit B: Survey of 100 Experts, 2007Source: International Perspectives
What Percentage of Your E-mail is Spam?
70-80%19%
50-70%8%
Less Than 50%35% More than 80%
39%
equipped with anti-Phishing and scripting technologies built in. Keeping such features up-to-date can maintain the usefulness of these alerts.
Proper use of passwords has presented a particular challenge to most users. As a result, it remains an easy point of access to those looking to compromise a computer system. Remembering more complex passwords need not be difficult, however. Pneumonic devices can be useful in creating and remembering stronger passwords, for example WI4TB might be easily recalled by “Work is for the birds” or BL8TN4 by “Better late than never.” Pass phrases are also viable and creative options for passwords, such as “work!s4theb!rd5”. Consciously employing a strong password that is not reused on multiple systems will help directly increase the security of the computer as well as the wider network of which the device might be a part.
Although everyone has a role to play in countering cyber crime, some individuals have special responsibilities that should be considered in the context of their societal roles.
Parents
Parents are often very much aware that no other criminal activity affords perpetrators such ease of access to a young child’s bedroom as does cyber crime. It is this awareness of the risks and costs of cyber crime that compels parents to realise the responsibility they have to curtail the threat. Unfortunately, it is the very magnitude of the problem, which renders many parents helpless.
The most effective way to prevent children from being a victim of cyber crime is to establish and maintain an open channel of communication through which threats can be addressed on an ongoing basis. Such interaction will also assist in educating children on the proper behav-iour or ethics of computer use. It is easier to establish a line of communication around the dangers of an online environment with younger children as they are learning to use the Inter-net, than it is to begin such discussions with teenagers already comfortable with a virtual realm. As a result, it is highly recommended that parents begin informing children of the risks as well as proper measures to protect themselves as they are exposed to computers.
11
Setting a good example is crucial. It is imperative that parents develop an understanding of the technologies their children are using. What merit does a lecture on safe Internet surfing garner from an adult who doesn’t know how to use a computer? Sign up to social networking sites like Facebook, gaining an insight as to how others are interacting on-line will give you the advantage of knowing exactly what you are talking about when addressing concerns to your children. If possible, invite your child to be a contact in the social network. Often, young users have friends numbering into the hundreds and adding a parent that takes pains not to be too “out of it” to the social roster will not be out of the question. In fact, it could bring parent and child closer together. Forging an online relationship with your child will not only help bridge a generational gap, but it will also provide insights into how your child interacts online without infringing your offspring’s privacy. Although the openness of an Internet age has put many on guard, that same openness can be used to advantage.
Above all else, parents should avoid extreme reactionary behaviour, such as unplugging the computer when frustration sets in. Reactionary approaches only drive rifts between parent and child and do little to actually educate children on acceptable on-line behaviour. Remain calm and consider finding an approach that leverages the benefits ICT offers in parenting, as opposed to discarding an almost necessary technology inconveniencing you and your child.
Educators
Teachers and other educators, like parents, play an important role in countering cyber crime. Beginning as soon as students are introduced to computers, instruction on proper on-line behaviour and precautionary measures must be taught. Coinciding with the teaching of fundamental usage basics, students need to be educated on the ethics of computer use in order to prevent the continued spread of cyber crime.
The widespread myth that the Internet is an anonymous realm must be dispelled. The misconception of anonymity encourages people to do things on-line that they would never do in the physical world. Internet personas fill some users with a false sense of security or a sort of psychological alter ego as which the user might commit acts and not be caught. It is not
12
difficult, however, to pinpoint the average user behind an Internet persona. Users need to be informed that there is no more anonymity as a person on the Internet than there is as one in the physical world. Invite specialists into the classroom to demonstrate the ease with which a user can be identified. Teach students that criminal behaviour on-line is unacceptable and has consequences just the same as it would in the physical world.
At the college and university levels, much can also be done to counter cyber crime in the long-term. In the July 2007 “Software Security Assurance: State-of-the-Art Report” published by the Information Assurance Technology Analysis Centre in Virginia, the authors noted that “the methodology for building secure software is not widely taught in software engineering and computer science programs.” Students are being taught how to develop software without learning about the inherent implications to security in programming. This means students have been graduating without first developing an instinct to check for and remove bugs, back doors or malicious code that might have been inserted by another developer into the soft-ware. Beyond this, as the report suggests, “many software engineering students are never taught about the inherent security inadequacies of popular processing models that they will use, programming languages, programmatic interfaces, communication protocols, technolo-gies and tools.” In short, security as a concept is lacking considerably from the current cur-riculum for software developers and engineers. As a result, most existing software has been built without a fundamental understanding of integrated security.
Given that software often presents on of the easiest points of access for perpetrators to com-promise a system, it is logical that correcting the curriculum for software developers and engi-neers to reflect the need for security is imperative – even if this means that legacy software cannot be salvaged in the long-term.
Students entering into other streams, such as business, should also be educated on the importance of ICT. As it is unlikely that ICT will cease to play an integral role in business, it is imperative that students in business schools develop a familiarity with computers and net-works – especially at a time when increased corporate regulations compel Chief Financial Officers to sign off on security measures. Such education will enable future decision makers to easily comprehend and enact sensible plans around ICT security.
13
Employees
The human factor is perhaps the biggest weakness in all organizational security. Employees, particularly disinterested or disgruntled ones, tend to be the most careless regarding security measures. From the insider attack to the call centre representative conned by social engi-neering to the password written on a post-it note stuck on the side of a computer monitor, employees present some of the available access points into a secured network.
Much apathy among employees around security has arisen from increasing job dissatisfac-tion. Someone might be working in a position that doesn’t meet their expectations, or feel overlooked for promotion, or have little loyalty as a result of layoffs and out-sourcing, causing the worker to not really care about the consequences of his or her actions. Others still might just find security measures inconvenient and be lax around password usage as a result. The impact any of the above examples can have on an organization is substantial.
Often, employees haven’t been provided with adequate training around security - which need not be an intense effort either. Ensuring that employees understand simple measures, such as those outlined in the above general section regarding measures for individuals, can make a considerable difference in over all organizational security. Likewise, clearly informing employees as to the consequences of lax security vigilance can also encourage that the proper steps are taken by all to keep a computer network secured.
Understanding what a potential breach to security could mean on a personal level can help induce some employees to adopt better security practices. For example, in organizations that store sensitive personal information of customers, an employee might more readily under-stand the consequences of such data being breached in relation to oneself as opposed to the losses it might bring to the organization. Likewise, creating incentive to being security-minded will also help encourage vigilance on the part of employees.
14
Measures For Organizations
Organizations can be regarded as the trend-setters in whether responsibility around counter-ing cyber crime is accepted, or not. Indeed, if organizations such as banks, software vendors, CSPs and government are perceived to not be doing enough in countering cyber crime, indi-viduals will be sure to follow.
Business
Approaching ICT security has been problematic for many businesses. In some instances, lack of understanding has driven companies to do too little whilst others have reacted in the oppo-site extreme. The wide scale digitalization of businesses has presented challenges, chiefly because data that was always considered important was no longer stored in physical files in a back room, but at the fingertips of anyone with access to the system, in seconds. The use of computers and networks didn’t change the essence of sensitive information, just the ease with which it could be retrieved. Protecting a business was no longer as simple as securing the perimeters, but required a new level of expertise which in turn put many decision makers off of moving forward with new and costly security measures.
As with other measures, steps businesses can take to prevent cyber crime need not be overly complex. The following points are simple things to remember when implementing organiza-tional security measures that will in the long run have a considerable impact in increasing security:
• Be reasonable about security spending. Security should not cost your organization more than risks would have cost. Absolute freedom from risk is not possible, thus absolute security is not either.
• Beware of specialists who treat security like an art. The word of a self-proclaimed computer-guru who equates hacking skills to artistic talents and avoids providing accessible explanations around how he or she is securing your organization is not
15
enough to comply with Sarbanes-Oxley. The best degree of security is only met through reliable and repeatable results, more like a science, less like an art.
• If your organization can afford it, keep a good security manager in house. A good specialist will know what standard your organization should be operating at in terms of security. Finding a security manager who is capable of thinking outside of the box is most beneficial as they are able to monitor security from fresh angles and uncover weaknesses that otherwise might go undetected.
• Insist on integrating privacy and security measures. There is an inherent relation-ship between privacy and security and measures should reflect this. Such inte-grated measures will prove ever more effective in the face of increased threats to sensitive customer information.
• Co-operating with other organizations to map cyber crime trends will benefit every-one. Fears around disclosure must be dealt with if real ground is to be covered in countering cyber crime. If the risk of accountability continues to override disclosure a third-party forum should be considered which allows for the anonymous relaying of crimes or threats that enables everyone to understand current trends without negatively impacting the informing organization. Full disclosure would, of course, be
16
Exhibit C: Survey of 100 Experts, 2007Source: International Perspectives
What is the #1 Cyber Threat in Canada?
Fraud61%Cyber
Terrorism15%
Child Exploitation
15%
Theft9%
preferable, as the public will undoubtedly see this fear of accountability unfavoura-bly.
Businesses should also develop security policies for employees. Humans remain the biggest weakness in security measures. Educating all employees on good password practices and the risks of social engineering can go a long way in increasing corporate security.
Companies offering customers electronic services, such as online banking or marketplaces, have an additional responsibility in countering cyber crime. In conjunction with advertisements that reassure customers of continued security, companies should begin mass media educa-tion campaigns on how users can protect themselves. Pop-up notifications on official websites indicating how to detect Phishing sites or television commercials exposing the risks in creative ways can increase awareness among users. More customers protecting their own interests will result in fewer losses on the part of the company providing the service.
Industry
No other sector has as great a responsibility to counter cyber crime as does industry, includ-ing software and hardware vendors and Communications Service Providers (CSP). In many ways, industry is the front line of cyber crime defence given that the very products and services industry offers consumers are the gateway between criminals and victims in terms of cyber crime.
The steps industry takes to curtail cyber crime become the basis for what all others will do. Due to the technical nature of cyber crime, many individuals and organizations look towards industry to provide all of the answers and protection necessary to defend against cyber crime. This dependency on industry to provide solutions increases the responsibility held by the sec-tor towards the wider society. As a result, it is imperative that industry begin implementing long-term measures that enable a widespread increase to security, such as:
17
• Correcting prevailing trends in software development weaknesses. This step can, in fact, be considered two fold. First, firms need to begin producing software with security built in, not as a feature but ingrained in the software. Given the deficien-cies in education around such an approach, the industry should also take an active role in promoting such instruction and thought at the college and university levels.
• Avoid promising the impossible – teach customers that the best security measures involve their active participation as well as a technical solution. Promoting solutions as secure can be misleading and discourage customers from being vigilant.
• Consider unorthodox candidates for employment. Tech savvy youth who engage in cyber crime are prime candidates for innovating the security industry. Offering such candidates employment and a challenge cannot just help increase your firm’s effec-tiveness but also stem the tide of cyber crime one culprit at a time.
• Don’t blame bureaucracy for preventing your fight on cyber crime – sponsor an independent international co-operative that can create and manage spam and bot-net advertiser blacklists. Instead of senseless and costly endeavours such as build-ing a new Internet, establish an international CSP alignment whereby through mutual agreement usage is regulated, complete with processes for investigating behaviour and reacting accordingly.
Above all else, the industry must support and engage in effective educational campaigns that reach the average user. Such programs should not be limited to younger users but different segments of society. Often, the younger people more frequently targeted by such campaigns already possess a better understanding whereas older age groups do not. In order to effec-tively raise awareness around cyber crime information and education campaigns must target all levels of users.
Law Enforcement
ICT has complicated the responsibilities of law enforcement agencies. Quite possibly as a result of the need for technical expertise, cases involving cyber crime seemed initially to be limited to the realm of forensic as opposed to traditional investigations. Limited resources in
18
terms of skilled officers capable of handling cyber crime cases strained law enforcement’s ability to manage growing rates of such illicit activity. Although inroads are being made, police forces continue to struggle to adapt to a changing environment. Similar to the challenges posed by terrorism, traditional policing practices might be ill-equipped to handle investigations in an increasingly open world dependent on technology under demands for preventative as opposed to reactionary security measures. Compounding difficulties cyber crime is often executed on an international scale with perpetrators located in a different country than the victim forcing investigators to work across jurisdictions.
The rigid structures of organizations such as law enforcement agencies and governments coupled with restrictive recruitment practices will prevent effective and quick responses to the changing criminal environment. As a result, policing agencies as well as other heavily bureaucratic organizations will find coping with cyber crime increasingly challenging. Indeed, many of the following recommendations reflect the growing need for re-thinking the organiza-tional limitations that are leading to such challenges:
• Embrace openness. Superimposing traditional approaches onto an open age will hinder progress. Consider fresh ideas such as creating a cyber crime Wiki that asks experts and others to assist in solving trying cases or problems. Be open to using other channels of communications in the face of frustrating bureaucracy – this can be particularly beneficial when covering an international case. Leverage industry and other relationships to help in investigations.
• Revisit stifling hiring practices. Specialists need to be drawn into Law Enforcement Agencies. Current hiring practices encourage younger new recruits without the skills needed to counter cyber crime effectively. New programs enabling lateral entry should be encouraged.
• Computer forensic principles should be made to reflect the nature of such types of investigations. Computer forensics is more akin to crime scene investigations than to traditional identification type forensics. Specialists are being called to the site to investigate entire systems. Gathering evidence from computers should thus be akin to gathering bits of physical evidence – find a way to facilitate the removal of just
19
the piece of digital evidence as opposed to the entire system. Rectify current approaches mandating that digital evidence cannot be altered as working on a live system automatically renders the system changed.
• Establish a separate and dedicated section to handle cyber crime. Such a depart-ment should be capable of interfacing with various other groups of specialists within the wider law enforcement agency, such as those handling anti-rackets, fraud and sex crimes. Be sure to recruit from a variety of pools such as seasoned officers with technological backgrounds, experienced computer specialists and digital forensic scientists. Avoid high rates of turn over and staff rotations to ensure that interfacing between departments and across jurisdictions is facilitated.
• Create and support a global training centre for cyber crime investigations. Not only will this ensure uniformity among regional police investigators, but also in assisting in training international agencies cyber crime can be fought more easily across borders.
The key to fighting cyber crime, as well as other emerging threats, will be flexibility. How well law enforcement agencies can adapt to changing landscapes will be the measure of their success. A tradition of looking inward could present the biggest roadblock in an open-age.
Government
Governments, like law enforcement agencies, face a particular challenge regarding security. Due to the large bureaucratic nature of government, issues such as cyber crime have easily been tossed to the wayside. As officials lacking a minimal expertise on cyber crime pass the responsibility to fight the threat off their desks on onto those of others, the ability and drive to actually implement counter-measures wanes.
As on many other issues, a lack of cohesiveness among government decision makers as well as other key stake-holders has prevented effective progress in the fight on cyber crime. Although many independent initiatives have met with some success, on a whole a wider movement led by the government is lacking. Often, these smaller programs have more impact
20
on an international scale than within the originating country – which results in considerable frustration among those participating ultimately leading to the loss of attention of valuable contributors who seek other more fulfilling projects instead.
Individuals as well as organizations look to the government for leadership and regulations. As with industry, if the government is seen to be doing nothing in the fight on cyber crime, it will be difficult for wider change to occur across sectors as a result. The recommendations for government are considerable, but so too is the responsibility that it holds in countering cyber crime, as a result:
• Establish a separate agency to deal with cyber crime. This agency should go beyond a task force housed within a bigger department. The agency should recruit from a variety of sources, including industry, the legal profession, security and law enforcement. Professional diversity is key in developing a fresh organization that is flexible enough to handle the threat of cyber crime. This organization should be federal, capable of easily interacting with law enforcement within the country as well as internationally.
• Create an oversight body for technical matters in security and investigations. This body would be at arms length of any other department, particularly those focused on security to prevent conflicts of interest. The oversight body should consist of representatives from industry, privacy, security and law enforcement, law and academia. Such a body would be responsible for setting the regulations around legislation on cyber crime and other measures such as lawful intercept as well as reviewing investigations and the use of security tools.
• Ensure activity that is currently not recognized as illegal under existing legislation is criminalised as soon as possible. Many types of cyber crime are enforceable under existing legislation, but those that are not need to be addressed.
• Enact laws around cyber crime based on already existing standards. As much as possible draw from existing legislation such as those for cyber crime produced by the G8 and OECD. Consider differentiating the degrees of cyber crime. Those deemed to have intent would carry a more severe punishment than others. For
21
example, consider a fining system for first time unintentional acts or complicity in furthering botnets by failing to have taken proper measures to secure a system.
• Consider regulating marketing around security products. Encourage industry to market security reasonably to avoid misleading individuals into believing that straight out of the box merchandise will ensure security without proper user vigi-lance. This is not to say that security products need to be tested or prevented from release based on these regulations, simply that companies will be accountable for the message presented to customers around products, thus encouraging industry to strive for a higher standard of quality.
• Educate and inform the masses. No other government responsibility is so great. Institute creative and catchy educational mass media campaigns to inform citizenry. Make an impact in the public education system; ensure young students are taught as soon as possible about the ethics of computer use. Press universities into alter-
ing the software developer and engineering curriculum to include security as a fundamental principle in programming.
22
Exhibit D: Survey of 100 Experts, 2007Source: International Perspectives
Who is Behind Most Cyber Crime?
Organized Crime77%
Terrorists2%
Rogue States4%Lone Hackers
16%
• Make foreign aid and development programs conditional. Encourage development of proper ICT security measures in developing nations by putting reasonable condi-tions on aid packages.
Future Considerations
The aforementioned recommendations are very much based on the current social environ-ment surrounding cyber crime. Today’s conditions, however, will most likely not be those of tomorrow. Indeed, younger users are already challenging traditional approaches to privacy and security.
Some 44% of the total population of developed countries is under the age of 35. This segment of society is arguably the most tech-savvy to date, with the oldest members of this group being under 10 years of age when the first personal computer was released. Although there is increased adoption of social networking tools such as Facebook among users 35 years of age and older, users under 35 still account for more than 50% of all subscribers to the free service. Many of these users feel quite comfortable sharing a wide array of personal information with friends and acquaintances.
The way in which these users interact in an online environment does impact considerably our current approach to security. Identity and the ability to prove that a person is in fact who he or she claims to be is the basis for most of our security measures in place today. An underlying principle of identity-based security is the safeguarding of personal information including names, contact details, and identification numbers such as driver’s license and social insur-ance numbers. Such personal data is to be treated as sensitive by individuals and the organizations privy to the information for verification purposes. If the sensitivity around personal information inherent in identity-based systems is lost, many security measures will be affected as a result.
Trends in personal information disclosure through online communities suggest that concern around protecting personal data is waning among average users. In a recent study published
23
by Sophos, of 200 random users invited to connect with a fraudulent identity on Facebook, 41% accepted the invitation providing personal information. Most of the respondents provided his or her full date of birth, present place of employment and current address or location. Further investigation on Facebook or the Internet could reveal additional sensitive data such as the names of parents or grandparents or other relationships which might be used as pass-words or secret questions to have forgotten passwords unlocked. Such details are more than enough for a perpetrator to use the social engineering technique of pretexting to gain further access to sensitive information in a bid to commit fraud.
This ease of access to personal information complicates the customer authorization processes of most businesses as well as government services. Relying on different bits of personal information in combination is no longer confidential enough to ensure a degree of security. The willingness of indi-viduals to release ever-more information freely or in exchange for something only aggravates the situation.
Raising awareness around the risks of liber-ally disclosing personal information can curb some of this alarming trend. Technologies such as biometric systems will also be able to assist in identity authentication on small scales. If, however, this penchant for open-ness continues we will be forced to rethink our current security fundamentals. The sooner we begin to consider new, innovative options the better.
Although technology will undoubtedly be a component of our future approaches we must guard against an over reliance on such tools to answer humans problems. After all, the very
24
Exhibit E: Statistics on Personal Data Disclosure,Source: Sohpos
72 % revealed 1 or more e-mail addresses
84 % listed full birth dates
87 % shared education or workplace details
78% of respondents listed theircurrent address or location
23 % listed a current phone number
26 % provided an instant messaging ID
reason why our current identity-based security models are failing is because of the human component, chiefly, as a result of weaknesses stemming from inherent cognitive biases. Humans can be easily induced to betray sensitive information or provide access to a system without even realizing the consequences. No amount of technology can correct the flaws of its creator. Therefore we must consider approaches that also take into consideration the need for human growth as well as technological advancements.
Conclusion
Cyber crime is a growing problem that impacts everyone. The nature of an interconnected world dictates that anyone enjoying the benefits derived from ICT is not only open to being affected by cyber crime, but is also responsible for actively counteracting such illicit activity – if only through basic steps towards self-protection. Although the magnitude of cyber crime is alarming, the problem is not insurmountable. Indeed, there are no viable excuses for any party to disregard responsibility in counteracting cyber crime.
A shift of focus must be made in how cyber crime is approached. Although technology is clearly a component in cyber crime, it must be looked past in order to understand the wider situation. Most cyber crimes bear considerable resemblance to traditional crimes. In many ways, far from generating new crimes, technology has really only facilitated existing ones, opening up new and wider markets to criminals. The underlying desires and conditions that perpetuate crime were there before the technology and continue to play an enormous role in growing rates of cyber crime. In fact, ICT can be seen as a looking glass that distorts the subject peering into the mirror. We as humans look into the mirror only to see our problems magnified in the reflection. Instead of realizing that we have a serious social problem with crime that begins first in the physical world, we perceive the increased rates of illicit activity in the form of cyber crime as a direct result of technology, ultimately absolving ourselves of responsibility. We must accept that certain aspects of human nature are really at the heart of the cyber crime problem and as a result, all humans are directly responsible for counteracting the threat.
25
The steps taken towards countering cyber crime need not be complex or daunting. In fact, simple approaches are often the most effective. With each individual who begins to consciously protect his or her ICT interests, considerable inroads on the fight against cyber crime are made. The domino effect of such increasing awareness is considerable too. A single person who accepts responsibility for countering cyber crime not only helps remove another computer from the possibility of recruitment into a botnet ring, but also has the potential to cure the larger organizations of which he or she is a part. After all, “responsibility walks hand in hand with capacity and power.” Essentially, our ability to overcome cyber crime comes down to a choice on the part of individuals as to what sort of world in which they wish to live.
Make your choice today – will you accept responsibility?
26
Glossary of TermsBots, shortened from robot, are programs that are used to perform repeated tasks on the Internet, such as posting messages on multiple forums or comparing prices for shopping information websites. Bots are also used illegally to send spam messages and as part of larger networks known as botnets.
Botnets, shortened from robot network, are groups of computers that have been compro-mised by a perpetrator and are then used to send out Phishing scams and spam messages as well as commit other attacks such as denial-of-service. The computers are typically compromised through a Trojan, which allows the culprit to gain access to remotely control the computer. Botnet herders generate considerable revenue by placing adware on compromised computers, an act which is compensated by online marketing firms.
Embedded Link, or hyperlink, is a predetermined connection between one object and another. For example, a selection of text in an e-mail or document with a previously estab-lished link to a website address is a form of hyperlink.
Keylogger, or keystroke logger, is solution that enables the monitoring of all key depressions made on a computer under surveillance. Trojan versions of software with such capabilities are used to monitor passwords inputted into compromised computers.
Malware, short for Malicious Software, is software created to destroy and aggravate users. Examples of malware include Trojans, viruses, worms, and logic bombs.
Phishing, pronounced fishing, is a scam used to acquire sensitive personal information from unsuspecting targets. A seemingly official e-mail is sent to a potential target from a legitimate organization asking the recipient to update important customer information on the website provided. Websites used for Phishing scams can appear very authentic and many are increasingly being interconnected with the official organization’s legitimate website.
Other Phishing scams include Interactive Voice Response (IVR) or Phone Phishing and Spear Phishing. Phone Phishing includes the provision of phone numbers in e-mail scams that are connected to an IVR system mimicking that of the official organization. Whereas Spear Phishing involves targeted, personal e-mails supposedly originating from a real and known individual. Spear Phishing is particularly effective within organizations.
Pretexting refers to the use of an alleged reason or pretext to be granted access to a system or sensitive information. Pretexting involves creating a scenario, which is then presented to a person with authorization to the desired system or information. Typically, for the pretext to be found acceptable, there must be some legitimacy to the claim. For example, when pretexting relies on impersonation some previously uncovered personal information will be provided to the target to bolster the claim of identification, such as date of birth, amount of the last
Glossary of Terms
27
bill received or a driver’s licence number.
Quid Pro Quo – Literally “Something for something”, perpetrators will offer a trade in order to gain access to a system or sensitive information. This may come in the form of offering passers-by a free gimmick in exchange for their personal information or a perpetrator tricking a person with access into believing that they are answering their call for assistance.
Social Engineering refers to a variety of tactics used to breach security measures whereby the perpetrator manipulates a person with access to either execute certain tasks or provide sensitive information. Social Engineering methods include Pretexting and Phishing scams. Social Engineering remains the biggest cyber crime threat to individuals, organizations and governments to date.
Trojans, named after the Trojan horse of Greek mythology, are programs that seem legiti-mate but are executing unauthorised acts on the computer in the background. Trojans can be used to conscript a computer into a botnet, locate password details or create vulnerabilities for future attacks. As with the Trojan horse which was the demise of Troy, Trojans often come in the form of free games, screensavers or other programs hidden in the software.
Virus is a piece of malware used to infect a computer. Virus code is embedded into another program, which when the infect program is next run enables the virus code to self-replicate and attach itself to other programs. Viruses vary in degrees of harmfulness from simple pranks to outright destruction of data.
Web Browser is a program that acts as a gateway for computer users to the Internet. Exam-ples of web browsers include Internet Explorer, Safari, Firefox and Netscape.
Worm, similar to viruses but capable of automatic replication, is a destructive program that self-replicates across networks or within a single computer. Worms can also facilitate the distribution of Trojans on computers.
28
Further InterestBooksBinkley, Jim & Schiller, Craig A., “Botnets: The Killer Web App”, Syngress, 2007
Schneier, Bruce, “Beyond Fear: Thinking Sensibly About Security in an Uncertain World”, Springer, 2006
Verton, Dan, “The Insider: A True Story”, Llumina Press, 2005
Winkler, Ira, “Zen & The Art of Information Security”, Syngress, 2007
Winkler, Ira, “Spies Among Us: How to Stop the Spies, Terrorists, Hackers, & Criminals You Don’t Even Know You Encounter Every Day”, Wiley, 2005
WebsitesCanada's National Tiplinehttp://cybertip.ca/en/cybertip/
Child Exploitation and Online Protection (CEOP)http://www.ceop.gov.uk/
Cyber Law Enforcement Organizationhttp://www.cyberlawenforcement.org/
Identity Theft and Identity Fraudhttp://www.usdoj.gov/criminal/fraud/websites/idtheft.html
Insafehttp://www.saferinternet.org/ww/en/pub/insafe/index.htm
Internet Crime Complaint Center (IC3)http://www.ic3.gov/
Internet Watch Foundationhttp://www.iwf.org.uk/
PhishTank
Further Interest
29
http://www.phishtank.com/
Scambuster 419http://www.scambuster419.co.uk/
SCAMwatchhttp://www.scamwatch.gov.au/content/index.phtml/itemId/693900
National Fraud Information Centrehttp://www.fraud.org/welcome.htm
Network Abuse Clearinghousehttp://www.abuse.net/
Nigeria - The 419 Coalition Websitehttp://home.rica.net/alphae/419coal/
RCMP Fraud Resourceshttp://www.rcmp-grc.gc.ca/scams/index_e.htm
Reporting Economic Crime On-Line (RECOL)http://www.recol.ca/
Virtual Global Taskforcehttp://www.virtualglobaltaskforce.com/
WiredSafetyhttp://wiredsafety.org/index.html
30