Saturday, 20 April 2013

Privacy and Security
Computer Crime
The Sources and Types of Security Threats
Copyright © 2012 Pearson Education, Inc. Publishing as Prentice Hall

Yesterday's security doesn't work for today's threats
Traditional approaches to enterprise security are inherently reactive, which can spell disaster in today's fast-emerging threat landscape. Cyber crime demands a very different approach to securing data assets, as this video demonstrates.
Internet Related Threats:
1. Denial of service (DoS): a form of attack on company information systems that floods the company's Internet servers with huge amounts of traffic. Such attacks effectively halt all of the company's Internet activities until the problem is dealt with.
Simple DoS: involves getting the server to perform a large number of mundane tasks, exceeding the capacity of the server to cope with any other task, e.g. repeatedly pinging a computer to ask its name.
Distributed DoS (DDoS): multiple computers are infected with a virus so that they become slaves to a master computer. The master instructs the slaves to bombard the target with many mundane but resource-intensive requests. This also strains the Internet itself, because of the number of packets routed via different places.
2. Brand abuse: a wide range of activities, ranging from the sale of counterfeit goods (e.g. software applications) to the exploitation of a well-known brand name for commercial gain.
3. Cyber-squatting: the act of registering an Internet domain with the intention of selling it for profit to an interested party. As an example, the name of a celebrity might be registered and then offered for sale at an extremely high price.
4. Cyber stalking: the use of the Internet as a means of harassing another individual. A related activity is known as corporate stalking, where an organisation uses its resources to harass individuals or business competitors.
5. Cyber terrorism: attacks made on information systems that are motivated by political or religious beliefs.
6. Online stock fraud: most online stock fraud involves posting false information to the Internet in order to increase or decrease the values of stocks.
7. Social engineering: tricking people into providing information that can be used to gain access to a computer system.
8. Phishing: a relatively new development, phishing involves attempting to gather confidential information through fake e-mail messages and web sites.
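The flooding behaviour described under item 1 leaves a recognisable trace in ordinary server logs: one source (simple DoS) or many sources together (distributed DoS) repeating mundane requests far faster than a real user would. The block below is an added example, not code from the original notes, showing how a defender might detect both patterns. It assumes Common-Log-Format-style lines, a 10-second sliding window and the thresholds shown; the IP addresses and log lines are constructed for the example.

```python
# Added example (not from the original notes): a rate-based flood detector for
# the "simple DoS" and "distributed DoS" behaviour described above. It parses
# constructed web-server-style log lines, counts requests per source inside a
# sliding time window, and flags sources (or the combined load) that exceed a
# capacity threshold. Log format, thresholds and IP addresses are assumptions.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common Log Format style line; the regex and timestamp format are an assumption.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)')


def parse_lines(lines):
    """Parse log lines into (source, timestamp) pairs, sorted by time.

    Sorting lets the sliding-window logic assume chronological order even if
    the lines were collected from several servers and concatenated.
    """
    records = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:            # skip malformed lines rather than crash the detector
            continue
        src, ts, _method, _path, _status, _size = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        records.append((src, when))
    records.sort(key=lambda r: r[1])
    return records


def detect_floods(lines, window_seconds=10, max_requests=50):
    """Per-source check for the 'simple DoS' case.

    Returns {source: peak requests seen in any window} for every source whose
    peak exceeds max_requests. A single flooding host shows up here.
    """
    windows = defaultdict(deque)   # source -> timestamps inside the current window
    peaks = defaultdict(int)
    for src, when in parse_lines(lines):
        q = windows[src]
        q.append(when)
        cutoff = when - timedelta(seconds=window_seconds)
        while q and q[0] < cutoff:
            q.popleft()
        peaks[src] = max(peaks[src], len(q))
    return {src: n for src, n in peaks.items() if n > max_requests}


def detect_aggregate_flood(lines, window_seconds=10, max_total=150):
    """Combined-load check for the 'distributed DoS' case.

    Many slave machines can each stay under the per-source threshold while
    their combined request rate still exhausts the server, so the detector
    also tracks the total across all sources. Returns (flagged, peak_total).
    """
    q = deque()
    peak = 0
    for _src, when in parse_lines(lines):
        q.append(when)
        cutoff = when - timedelta(seconds=window_seconds)
        while q and q[0] < cutoff:
            q.popleft()
        peak = max(peak, len(q))
    return peak > max_total, peak


# --- Constructed sample logs (not real traffic) ---------------------------
def _line(src, second, path):
    return f'{src} - - [20/Apr/2013:10:00:{second:02d} +0000] "GET {path} HTTP/1.1" 200 512'

# An ordinary visitor making two requests.
NORMAL = [_line("10.0.0.5", 0, "/index.html"), _line("10.0.0.5", 7, "/about.html")]

# Simple DoS: one source repeating a mundane request 25 times a second for 8 seconds.
SIMPLE_FLOOD = NORMAL + [_line("198.51.100.9", s, "/search?q=a")
                         for s in range(1, 9) for _ in range(25)]

# Distributed DoS: 20 sources, each making only one request per second for 10 seconds.
DISTRIBUTED_FLOOD = NORMAL + [_line(f"203.0.113.{i}", s, "/search?q=a")
                              for s in range(10) for i in range(1, 21)]

if __name__ == "__main__":
    print("normal       :", detect_floods(NORMAL), detect_aggregate_flood(NORMAL))
    print("simple flood :", detect_floods(SIMPLE_FLOOD), detect_aggregate_flood(SIMPLE_FLOOD))
    print("distributed  :", detect_floods(DISTRIBUTED_FLOOD), detect_aggregate_flood(DISTRIBUTED_FLOOD))
```

The per-source check alone misses the distributed case, because each slave stays under the 50-request threshold; only the aggregate check, which watches total load against server capacity, catches it. In practice the thresholds are tuned to the server's measured normal traffic, and a hit would feed rate limiting or upstream filtering rather than just a report.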
Internal Threats:
· Intentional malicious behaviour: typically associated with disgruntled or ill-willed employees, e.g. a marketing employee selling customers' e-mail addresses to spammers.
· Careless behaviour: associated with ignorance of, or disinterest in, security problems, e.g. failing to destroy sensitive data according to planned schedules.
Responding to Security Threats:
Internal Security Threats
· Security policies spell out what the organization believes are the behaviours that individual employees within the firm should follow in order to minimize security risks.
· They should specify:
- Password standards
- User rights
- Legitimate uses of portable devices
· The firm should audit the policies to ensure compliance.
Risk Assessment:
· Audit the current resources.
· Map the current state of information systems security in the organization.
· The audit will expose vulnerabilities and provide the basis for risk analysis.
· Risk analysis: the process of quantifying the risks identified in the audit.
Managers need to be aware of the following:
· The need for appropriate software such as anti-virus packages, firewalls and intrusion detection software.
· The implementation of a formal security policy that incorporates an acceptable use policy.
· The use of regular audits to control activities such as the use of illegal software. Audits can also be useful in detecting unauthorised access to data and attempts to carry out acts of fraud.
· The introduction of various recovery methods intended to allow the organisation to resume its operations as quickly as possible.
Regulations:
· National (UK): Computer Misuse Act 1990
- Sec 1: unauthorised access to programs or computer material
- Sec 2: unauthorised access with intent to commit or facilitate commission of further offences
- New Sec 3: unauthorised acts with intent to impair the operation of a computer
- Old Sec 3 (unauthorised modification) was updated in 2006 (via the Police and Justice Act 2006) in response to denial of service attacks.

· Data Protection Act (1984): legislation setting out the rights of organizations and individuals in terms of how personal information is gathered, stored, processed and disclosed. The Data Protection Act 1998 regulates not only the overt collection of data over the Internet but also invisible tracking (whether by means of cookies or otherwise).
- Personal data: information that relates to an identified or identifiable person, or which, in combination with other information in the possession of (or likely to come into the possession of) the data controller, would permit their identification.
- Information will 'relate to' an individual if it affects that person's privacy, whether in his personal or family life or in a business or professional capacity.
- Sensitive personal data: racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental condition, sex life, criminal proceedings or convictions.
Data protection act latest information for organisations
Short news report
