Cybercrime Countermeasures

Cyber crime, or computer crime, refers to any crime that involves a computer and a network.Moore, R. (2005) "Cybercrime: Investigating High-Technology Computer Crime," Cleveland, Mississippi: Anderson Publishing. The computer may have been used in the commission of a crime, or it may be the target. Netcrime refers, more precisely, to criminal exploitation of the Internet. Issues surrounding this type of crime have become high-profile, particularly those surrounding hacking, copyright infringement, identity theft, child pornography, and child grooming. There are also problems of privacy when confidential information is lost or intercepted, lawfully or otherwise.

On the global level, both governments and non-state actors continue to grow in importance, with the ability to engage in such activities as espionage, and other cross-border attacks sometimes referred to as cyber warfare. The international legal system is attempting to hold actors accountable for their actions, with the International Criminal Court among the few addressing this threat.

A cyber countermeasure is defined as an action, process, technology, device, or system that serves to prevent or mitigate the effects of a cyber attack against a victim, computer, server, network or associated device. Recently there has been an increase in the number of international cyber attacks. In 2013 there was a 91% increase in targeted attack campaigns and a 62% increase in security breaches.

A number of countermeasures exist that can be effectively implemented in order to combat cyber-crime and increase security.

Types of threats

Malicious code

Malicious code is a broad category that encompasses a number of threats to cyber-security. In essence it is any “hardware, software, or firmware that is intentionally included or inserted in a system for a harmful purpose.”Newman, R. (2006) Cybercrime, Identity Theft, and Fraud: Practicing Safe Internet – Network Security Threats and Vulnerabilities. Proceedings of the 3rd Annual Conference on Information Security Curriculum Development. Kennesaw, GA: ACM. p. 69. Commonly referred to as malware it includes computer viruses, worms, Trojan horses, keyloggers, BOTs, Rootkits, and any software security exploits.

Malicious code also includes spyware, which are deceptive programs, installed without authorization, “that monitor a consumer’s activities without their consent.”Loibl, T. (2005) Identity Theft, Spyware, and the Law. Proceedings of the 2nd Annual Conference on Information Security Curriculum Development. Kennesaw, GA: ACM. p. 119. Spyware can be used to send users unwanted popup ads, to usurp the control of a user’s Internet browser, or to monitor a user’s online habits. However, spyware is usually installed along with something that the user actually wishes to install. The user consents to the installation, but does not consent to the monitoring tactics of the spyware. The consent for spyware is normally found in the end-user license agreement.
akua AB

Network attacks

A network attack is considered to be any action taken to disrupt, deny, degrade, or destroy information residing on a computer and computer networks. An attack can take four forms: fabrication, interception, interruption, and modification. A fabrication is the “creation of some deception in order to deceive some unsuspecting user”; an interception is the “process of intruding into some transmission and redirecting it for some unauthorized use”; an interruption is the “break in a communication channel, which inhibits the transmission of data”; and a modification is “the alteration of the data contained in the transmissions.” Attacks can be classified as either being active or passive. Active attacks involve modification of the transmission or attempts to gain unauthorized access to a system, while passive attacks involve monitoring transmissions. Either form can be used to obtain information about a user, which can later be used to steal that user’s identity. Common forms of network attacks include Denial of Service (Dos) and Distributed Denial of Service(DDoS), Man-in-the-middle attack, packet sniffing, TCP SYN Flood, ICMP Flood, IP spoofing, and even simple web defacement.

Network abuse

Network abuses are activities which violate a network's acceptable use policy and are generally considered fraudulent activity that is committed with the aid of a computer. SPAM is one of the most common forms of network abuse, where an individual will email list of users usually with unsolicited advertisements or phishing attacks attempting to use social engineering to acquire sensitive information such any information useful in identity theft, usernames, passwords, and so on by posing as a trustworthy individual.

Social engineering

Social engineering is the act of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical cracking techniques. This method of deception is commonly used by individuals attempting to break into computer systems, by posing as an authoritative or trusted party and capturing access information from the naive target. Email Phishing is a common example of social engineering's application, but it is not limited to this single type of attack.

Technical

There are a variety of different technical countermeasures that can be deployed to thwart cybercriminals and harden systems against attack. Firewalls, network or host based, are considered the first line of defense in securing a computer network by setting Access Control Lists (ACLs) determining which what services and traffic can pass through the check point.

Antivirus can be used to prevent propagation of malicious code. Most computer viruses have similar characteristics which allow for signature based detection. Heuristics such as file analysis and file emulation are also used to identify and remove malicious programs. Virus definitions should be regularly updated in addition to applying operating system hotfixes, service packs, and patches to keep computers on a network secure.

Cryptography techniques can be employed to encrypt information using an algorithm commonly called a cipher to mask information in storage or transit. Tunneling for example will take a payload protocol such as Internet Protocol (IP) and encapsulate it in an encrypted delivery protocol over a Virtual Private Network (VPN), Secure Sockets Layer (SSL), Transport Layer Security (TLS), Layer 2 Tunneling Protocol (L2TP), Point-to-Point Tunneling Protocol (PPTP), or Internet Protocol Security (IPSec)to ensure data security during transmission. Encryption can also be employed on the file level using encryption protocols like Data Encryption Standard (DES), Triple DES, or Advanced Encryption Standard (AES) to ensure security of information in storage.

Additionally, network vulnerability testing performed by technicians or automated programs can be used to test on a full-scale or targeted specifically to devices, systems, and passwords used on a network to assess their degree of secureness. Furthermore, network monitoring tools can be used to detect intrusions or suspicious traffic on both large and small networks.

Physical deterrents such as locks, card access keys, or biometric devices can be used to prevent criminals from gaining physical access to a machine on a network. Strong password protection both for access to a computer system and the computer's BIOS are also effective countermeasures to against cyber-criminals with physical access to a machine.

Another deterrent is to use a bootable bastion host that executes a web browser in a known clean and secure operating environment. The host is devoid of any known malware, where data is never stored on the device, and the media cannot be overwritten. The kernel and programs are guaranteed to be clean at each boot. Some solutions have been used to create secure hardware browsers to protect users while accessing online banking.

Counter-Terror Social Network Analysis and Intent Recognition

The Counter-Terror Social Network Analysis and Intent Recognition (CT-SNAIR) project uses the Terrorist Action Description Language (TADL) to model and simulate terrorist networks and attacks. It also models links identified in communication patterns compiled from multimedia data, and terrorists’ activity patterns are compiled from databases of past terrorist threats.Weinstein, C., et al. (2009) Modeling and Detection Techniques for Counter-Terror Social Network Analysis and Intent Recognition. Proceedings from the Aerospace Conference. Piscataway, NJ: IEEE. p. 2. Unlike other proposed methods, CT-SNAIR constantly interacts with the user, who uses the system both to investigate and to refine hypotheses.

Multimedia data, such as voice, text, and network session data, is compiled and processed. Through this compilation and processing, names, entities, relationships, and individual events are extracted from the multimedia data. This information is then used to perform a social network analysis on the criminal network, through which the user can detect and track threats in the network. The social network analysis directly influences and is influenced by the intent recognition process, in which the user can recognize and detect threats. In the CT-SNAIR process, data and transactions from prior attacks, or forensic scenarios, is compiled to form a sequential list of transactions for a given terrorism scenario.

The CT-SNAIR process also includes generating data from hypothetical scenarios. Since they are imagined and computer-generated, hypothetical scenarios do not have any transaction data representing terrorism scenarios. Different types of transactions combine to represent the types of relationships between individuals.

The final product, or target social network, is a weighted multiplex graph in which the types of edges (links) are defined by the types of transactions within the social network.Weinstein, C., et al. (2009) Modeling and Detection Techniques for Counter-Terror Social Network Analysis and Intent Recognition. Proceedings from the Aerospace Conference. Piscataway, NJ: IEEE. p. 7. The weights within these graphs are determined by the content-extraction algorithm, in which each type of link is thought of as a separate graph and “is fed into social network algorithms in part or as a whole.” Links between two individuals can be determined by the existence of (or lack of) the two people being mentioned within the same sentence in the compiled multimedia data or in relation to the same group or event.

The final component in the CT-SNAIR process is Intent Recognition (IR). The goal of this component is to indicate to an analyst the threats that a transaction stream might contain.Weinstein, C., et al. (2009) Modeling and Detection Techniques for Counter-Terror Social Network Analysis and Intent Recognition. Proceedings from the Aerospace Conference. Piscataway, NJ: IEEE. p. 10. Intent Recognition breaks down into three subcategories: detection of “known or hypothetical target scenarios,” prioritization of these target scenarios, and interpretation “of the resulting detection.”

Economic

The optimal level of cyber-security depends largely on the incentives facing providers and the incentives facing perpetrators. Providers make their decision based on the economic payoff and cost of increased security whereas perpetrators decisions are based on the economic gain and cost of cyber-crime. Potential prisoner’s dilemma, public goods, and negative externalities become sources of cyber-security market failure when private returns to security are less than the social returns. Therefore, the higher the ratio of public to private benefit the stronger the case for enacting new public policies to realign incentives for actors to fight cyber-crime with increased investment in cyber-security.

Legal

In the United States a number of legal statutes define and detail the conditions for prosecution of a cyber-crime and are used not only as a legal counter-measure, but also functions as a behavioral check against the commission of a cyber-crime. Many of the provisions outlined in these acts overlap with each.

The Computer Fraud and Abuse Act

The Computer Fraud and Abuse Act passed in 1986 is one of the broadest statutes in the US used to combat cyber-crime. It has been amended a number of times, most recently by the US Patriot Act of 2002 and the Identity theft enforcement and Restitution Act of 2008. Within it is the definition of a “protected computer” used throughout the US legal system to further define computer espionage, computer trespassing, and taking of government, financial, or commerce information, trespassing in a government computer, committing fraud with a protected computer, damaging a protected computer, trafficking in passwords, threatening to damage a protected computer, conspiracy to commit a cyber-crime, and the penalties for violation. The 2002 update on the Computer Fraud and Abuse Act expands the act to include the protection of “information from any protected computer if the conduct involved an interstate or foreign communication.”

The Digital Millennium Copyright Act

The Digital Millennium Copyright Act passed in 1998 is a United States copyright law that criminalizes the production and dissemination of technology, devices, or services intended circumvent Digital Rights Management (DRM), and circumvention of access control.

The Electronic Communications Privacy Act

The Electronic Communications Privacy Act of 1986 extends the government restrictions on wiretaps from telephones. This law is generally thought in the perspective of what law enforcement may do to intercept communications, but it also pertains to how an organization may draft their acceptable use policies and monitor communications.

The Stored Communications Act

The Stored Communications Act passed in 1986 is focused on protecting the confidentiality, integrity and availability of electronic communications that are currently in some form of electronic storage. This law was drafted with the purpose of protecting the privacy of e-mails and other electronic communications.

Identity Theft and Aggravated Identity Theft

The Identity Theft and Aggravated Identity Theft statute is a subsection of the Identification and Authentication Fraud statute. It defines the conditions under which an individual has violated identity theft laws.

Identity Theft and Assumption Deterrence Act

Identity theft was declared unlawful by the federal Identity Theft and Assumption Deterrence Act of 1998 (ITADA). Criminals knowingly transferring or using, without lawful authority, “a means of identification of another person with the intent to commit, or to aid abet, any unlawful activity that constitutes a violation of federal law, or that constitutes a felony under any applicable State or local law.” Penalties of the ITADA include up to 15 years in prison and a maximum fine of $250,000 and directly reflect the amount of damage caused by the criminal’s actions and their amount of planning and intent.

Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Act (GLBA) requires that financial institutions and credit agencies increase the security of systems that contain their customers’ personal information. It mandates that all financial institutions “design, implement, and maintain safeguards to protect customer information.”

Internet Spyware Prevention Act

The Internet Spyware Prevention Act (I-SPY) prohibits the implementation and use of spyware and adware. I-SPY also includes a sentence for “intentionally accessing a computer with the intent to install unwanted software.”

Access Device Fraud Statutes

18 U.S.C. § 1029 outlines 10 different offenses under which an offender could violate concerning device fraud. These offenses include:
*Knowingly trafficking in a counterfeit access device
*Trafficking the counterfeit access device with the intention to committing fraud
*Possessing more than 15 devices with the purpose to defraud
*Production/possession/trafficking in equipment to create access devices if the intent is to defraud
*Receiving payment from an individual in excess of $1,000 in a one-year period who was found using illegal access devices
*Solicitation of another individual with offers to sell illegal access devices
*Distributing or possessing an altered telecommunication device for the purpose of obtaining unauthorized telecommunication services
*Production, possession, or trafficking in a scanning receiver
*Using or possessing a telecommunication device that has been knowingly altered to provide unauthorized access to a telecommunication service
*Using a credit card which was illegally obtained and used to purchase goods and services

CAN-SPAM Act

The CAN-SPAM Act of 2003 establishes the United States' first national standards for the sending of commercial e-mail and requires the Federal Trade Commission (FTC) to enforce its provisions.

Wire Fraud Statute

The Wire fraud statute outlined in 18 U.S.C. § 1343 applies to crimes committed over different types of electronic medium such as telephone and network communications.

Communications Interference Statutes

The communications interference statute listed in 18 U.S.C. § 1362 defines a number of acts under which and individual can be charged with a telecommunications related crime including:
*Maliciously destroying a property such as cable, system, or other means of communication that is operated or controlled by the United States
*Maliciously destroying a property such as cable, system, or other means of communication that is operated or controlled by the United States Military
*Willfully interfering in the working or use of a communications line
*Willfully obstructing or delaying communication transmission over a communications line
*Conspiracy to commit any of the above listed acts

Behavioral

Behavioral countermeasures can also be an effective tool in combating cyber-crime. Public awareness campaigns can educate the public on the various threats of cyber-crime and the many methods used to combat it. It is also here that businesses can also make us of IT policies to help educate and train workers on the importance and practices used to ensure electronic security such as strong password use, the importance of regular patching of security exploits, signs of phishing attacks and malicious code, etc.

California, Virginia, and Ohio have implemented services for victims of identity theft, though not well publicized. California has a registry for victims with a confirmed identity theft. Once registered, people can request law enforcement officers call a number staffed 24 hours, year round, to "verify they are telling the truth about their innocence.”Luong, K. (2006) The other side of identity theft: Not just a financial concern. Proceedings of the 3rd Annual Conference on Information Security Curriculum Development. Kennesaw, GA: ACM. p. 153 In Virginia and Ohio, victims of identity theft are issued a special passport to prove their innocence. However, these passports run the same risk as every other form of identification in that they can eventually be duplicated.

Financial agencies such as banks and credit bureaus are starting to require verification of data that identity thieves cannot easily obtain. This data includes users’ past addresses and income tax information. In the near future, it will also include the data located through use of biometrics. Biometrics is the use “of automated methods for uniquely recognizing humans based upon … intrinsic physical or behavioral traits.” These methods include iris scans, voice identification, and fingerprint authentication. The First Financial Credit Union has already implemented biometrics in the form of fingerprint authentication in their automated teller machines to combat identity theft. With a similar purpose, Great Britain has announced plans to incorporate computer chips with biometric data into their passports. However, the greatest problem with the implementation of biometrics is the possibility of privacy invasion.

US agents

Government

*Federal Trade Commission (FTC)
* Federal Bureau of Investigation (FBI)
* Bureau of Alcohol Tobacco and Firearms (ATF)
*Federal Communications Commission (FCC)

Private organizations

*Antivirus/security firms
*Internet service providers (ISPs)
*Messaging Anti-Abuse Working Group (MAAWG)
*IT consultants
*Computer emergency response teams

Public–private partnerships

*CERT Coordination Center, Carnegie Mellon University
* United States Computer Emergency Readiness Team (US-CERT)

See also

Government resources

References

{{Reflist

External links

Carnegie Mellon University CSIRT

Empirical Study of Email Security Threats and Countermeasures

*