CHAPTER 5 Cybersecurity and Risk Management Technology
Crimeware can be broken down into several categories, including
spyware, adware, malware, and ransomware.
When spear phishing targets are executives or persons of significant wealth, power, influence, or control, the activity is known as
"whaling."
Five Key Factors Leading to an Increase in Cyberattacks
1. Interconnected, interdependent, wirelessly networked business environment
2. Smaller, faster, cheaper computers and storage devices
3. Decreasing skills necessary to be a computer hacker
4. International organized crime taking over cybercrime
5. Lack of management support
Critical infrastructure is defined as
"systems and assets, whether physical or virtual, so vital to a country that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters."
When a host computer is infected, attempts to remove the malware may fail—and the malware may reinfect the host for these two reasons:
1. Malware is captured in backups or archives
2. Malware infects removable media
The Information Security Forum, a self-help organization that includes many Fortune 100 companies, compiled a list of the top information problems and discovered that nine of the top 10 incidents were the result of three factors:
1. Mistakes or human errors leading to misconfigured systems, applications, or networks
2. Malfunctioning systems
3. Failure to patch or otherwise properly maintain software on existing systems
Access control is the management of who is and who is not authorized to use a company's hardware and software.
Access control methods, such as firewalls and access control lists, restrict access to a network, database, file, or data. It is the major line of defense against unauthorized insiders as well as outsiders.
Crimeware
Characteristics: Use of malware and ransomware.
Solution: Use antimalware/AV software; patch promptly; monitor change and watch key indicators; back up systems regularly; capture data on attacks; practice the principle of least privilege.
An intrusion prevention system (IPS) is designed to take immediate action—such as blocking specific IP addresses—whenever a traffic-flow anomaly is detected.
An application-specific integrated circuit (ASIC)-based IPS has the power and analysis capabilities to detect and block DDoS attacks, functioning somewhat like an automated circuit breaker.
Intrusion Detection Systems (IDSs)
As the name implies, an IDS scans for unusual or suspicious traffic. An IDS can identify the start of a DoS attack by the traffic pattern, alerting the network administrator to take defensive action, such as switching to another IP address and diverting critical servers from the path of the attack.
An audit is an important part of any control system.
Auditing can be viewed as an additional layer of controls or safeguards. It is considered a deterrent to criminal actions, especially for insiders.
Miscellaneous errors
Characteristics: Any unintentional action that compromises security, except theft and loss of assets.
Solution: Learn from your mistakes; strengthen controls; ensure all assets go through a rigorous check by IT before they are decommissioned or disposed of.
Insider and privilege misuse
Characteristics: Employees, contractors, partners, suppliers, and other external entities with specific insider roles abusing access granted to systems for legitimate business purposes.
Solution: Monitor user behavior; track mobile media usage; know your data.
Phishing
Characteristics: Social engineering, targeting human behavior rather than computer technology.
Solution: Train your staff; monitor activity.
Physical loss
Characteristics: Theft of laptops, tablets, and peripheral devices.
Solution: Encrypt your data; train your staff.
Physical theft
Characteristics: Theft of laptops, tablets, peripherals, printed material, etc.
Solution: Encrypt your data; train your staff; reduce use of paper.
Hacking
Characteristics: Unauthorized access of networks, systems, or applications for economic, social, or political gain; use of programs such as backdoor services to promote reentry or further incursion into the target environment.
Solution: Train your staff; change passwords frequently; have "strong" passwords.
Distributed denial-of-service
Characteristics: Use of compromised systems to overwhelm a system with malicious traffic.
Solution: Segregate key servers; choose your providers carefully; test your anti-DDoS service.
White hat
Characteristics: Computer security specialist who breaks into protected systems and networks to test and assess their security.
Outcome: Uses these skills to improve security by exposing vulnerabilities before malicious hackers (black hats) can detect and exploit them.
Characteristics of an Effective Cybersecurity Program (2 of 2)
Ensure compliance with government regulations and laws.
Prevent attacks by having network intrusion defenses in place.
Detect, diagnose, and respond to incidents and attacks in real time.
Maintain internal controls to prevent unauthorized alteration of data/records.
Recover from business disasters and disruptions quickly.
Cybersecurity experts warn that battling the increasing number of Denial-of-Service (DoS) threats needs to be a top priority. DoS threats come in a number of "flavors," depending on their target. The three most prominent forms are:
Distributed Denial-of-Service (DDoS)
Telephony Denial-of-Service (TDoS)
Permanent Denial-of-Service (PDoS)
Appropriate physical security may include several physical controls such as the following (2 of 2):
Emergency power shutoff and backup batteries, which must be maintained in operational condition.
Properly designed and maintained air-conditioning systems.
Motion detector alarms that detect physical intrusion.
Spyware is tracking software that is not designed to intentionally damage or disable a system.
For example, an employer may install spyware on corporate laptops to monitor employee browsing activities, or an advertiser might use cookies to track what Web pages a user visits in order to target advertising in a marketing campaign.
Appropriate physical security may include several physical controls such as the following (1 of 2):
Appropriate design of the data center. For example, the data center should be noncombustible and waterproof.
Shielding against electromagnetic fields.
Good fire prevention, detection, and extinguishing systems, including a sprinkler system, water pumps, and adequate drainage facilities.
Intentional Cyberthreat
Hacking
Phishing
Crimeware
Distributed denial-of-service
Insider and privilege misuse
Physical theft
Characteristics of an Effective Cybersecurity Program (1 of 2)
Make data and documents available and accessible 24/7 while simultaneously restricting access.
Implement and enforce procedures and AUPs for data, networks, hardware, and software that are company or employee owned, as discussed in the opening case.
Promote secure and legal sharing of information among authorized persons and partners.
Permanent Denial-of-Service (PDoS) —completely prevents the target's system or device from working. This attack type is unique.
Instead of collecting data or providing some ongoing perverse function its objective is to completely prevent its target's device(s) from functioning. The damage PDoS causes is often so extensive that hardware must be reinstalled or reinstated. PDoS is also known as "phlashing."
Threat Actions Classified as Miscellaneous Errors
Misdelivery
Publishing error
Misconfiguration
Disposal error
Programming error
Data entry error
Omission
2. Malware infects removable media
Months or years after the initial infection, the removable media may be accessed, and the malware could attempt to infect the host.
Black hat Characteristics: Person who attempts to find computer security vulnerabilities and exploit them for personal financial gain or other malicious reasons.
Outcome: Can inflict major damage on both individual computer users and large organizations by stealing personal financial information, compromising the security of major systems, or shutting down or altering the function of websites and networks.
Gray hat Characteristics: Person who may violate ethical standards or principles, but without the malicious intent ascribed to black hat hackers.
Outcome: May engage in practices that are less than ethical, but are often operating for the common good, e.g., exploits a security vulnerability to spread public awareness that the vulnerability exists.
When new vulnerabilities are found in operating systems, applications, or wired and wireless networks, patches are released by the vendor or security organization.
Patches are software programs that users download and install to fix a vulnerability.
Unintentional Cyberthreat
Physical loss
Miscellaneous errors
Internal control (IC) is a process designed to achieve:
Reliability of financial reporting, to protect investors
Operational efficiency
Compliance with laws, regulations, and policies
Safeguarding of assets
1. Malware is captured in backups or archives
Restoring the infected backup or archive also restores the malware.
To use the Defense-in-Depth Model an organization must carry out four major steps:
Step 1: Gain senior management commitment and support
Step 2: Develop acceptable use policies and IT security training
Step 3: Create and enforce IT security procedures
Step 4: Implement security tools: hardware and software
Antivirus software: Antimalware tools are designed to detect malicious code and prevent users from downloading it.
They can also scan systems for the presence of worms, trojans, and other types of threats. This technology does not provide complete protection because it cannot defend against zero-day exploits. Antimalware may not be able to detect a previously unknown exploit.
Phishing messages include a request to respond with information of some kind or a link to a fraudulent website that often looks like an authentic site the user works with.
When the user clicks the link to the site, he or she falls victim to a malware download, drive-by attack, or information skimming such as being asked for a credit card number, Social Security number, account number, or password.
There are three classes of hacker:
White hat
Black hat
Gray hat
Two widely accepted frameworks that guide risk management and IT governance
are Enterprise Risk Management (ERM) and Control Objectives for Information and Related Technology (COBIT).
Remote access trojans (RATs)
are a form of Trojan horse that creates an unprotected backdoor into a system through which a hacker can remotely control that system.
Internal fraud prevention measures
are based on the same controls that are used to prevent external intrusions—perimeter defense technologies, such as firewalls, e-mail scanners, and biometric access.
General controls
are established to protect the system regardless of the specific application. For example, protecting hardware and controlling access to the data center are independent of the specific application.
Minimum security defenses for mobile devices
are mobile biometrics, rogue app monitoring, remote wipe capability, and encryption.
It is also important to have a set of general controls in place. The major categories of general controls
are physical controls, access controls, data security controls, communication network controls, and administrative controls.
Bring your own device (BYOD) and bring your own apps (BYOA)
are practices that move enterprise data and IT assets to employees' mobile devices and the cloud, creating a new set of tough IT security challenges.
Application controls
are safeguards that are intended to protect specific applications. In the next two sections, we discuss the major types of these two groups of information system controls.
Access control involves
authorization (having the right to access) and authentication, which is also called user identification (proving that the user is who he or she claims to be).
Social networks and cloud computing increase vulnerabilities
by providing a single point of failure and attack for organized criminal networks. Critical, sensitive, and private information is at risk, and like previous IT trends, such as wireless networks, the goal is connectivity, often with little concern for security.
Infected computers, called zombies,
can be controlled and organized into a network of zombies on the command of a remote botmaster (also called bot herder).
Computer systems failures
can occur as the result of poor manufacturing, defective materials, or poor maintenance.
Human error
can occur in the design of the hardware or information system. It can also occur during programming, testing, or data entry.
Mobile biometrics, such as voice and fingerprint biometrics,
can significantly improve the security of physical devices and provide stronger authentication for remote access or cloud services.
Users bringing their personal mobile devices and their own mobile applications to work and connecting them to the corporate network is part of the larger
consumerization of information technology (COIT) trend.
Some of the most prevalent and deadly targets that cyber criminals will attack in companies and governmental agencies include:
critical infrastructure; theft of IP; identity theft; bring your own device (BYOD); and social media.
The consequences of insufficient cybersecurity include
damaged reputations, consumer backlash, lost market share, falling share prices, financial penalties, and federal and state government fines.
Unintentional threats fall into three major categories:
human error, environmental hazards, social unrest and computer system failures.
Environmental hazards
include volcanoes, earthquakes, blizzards, floods, power failures or strong fluctuations, fires (the most common hazard), defective heating, ventilation, and air-conditioning (HVAC) systems, explosions, radioactive fallout, and water-cooling-system failures.
An enterprise-wide approach that combines risk, security, compliance, and IT specialists greatly
increases the prevention and detection of fraud.
Threats from employees, referred to as
internal threats, are a major challenge largely due to the many ways an employee can carry out malicious activity.
Insiders may be able to bypass physical security (e.g., locked doors) and technical security (e.g., passwords) measures that organizations have put in place to prevent unauthorized access. Why? Because defenses such as firewalls,
intrusion detection systems (IDSs), and locked doors mostly protect against external threats. Despite the challenges, insider incidents can be minimized with a layered defense-in-depth strategy consisting of security procedures, acceptable use policies (AUPs), and technology controls.
Data tampering
is a common means of attack that is overshadowed by other types of attacks.
Vulnerability
is a gap in IT security defenses of a network, system, or application that can be exploited by a threat to gain unauthorized access.
In contrast, a botnet
is a group of external attacking entities and is a totally different attack method/vector from malware, which is internal to the system.
From an IT security perspective, social engineering
is a hacker's clever use of deception or manipulation of people's tendency to trust, be helpful, or simply follow their curiosity.
Fraud
is a nonviolent crime in which fraudsters use deception, confidence, and trickery for their personal gain.
Attack vector
is a path or means by which a hacker can gain access to a computer or network server in order to deliver a malicious outcome.
Trojan horse
is a program that appears harmless, but is, in fact, malicious.
ERM
is a risk-based approach to managing an enterprise developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). ERM integrates internal control, the Sarbanes-Oxley Act mandates, and strategic planning.
Cyberthreat
is a threat posed by means of the Internet (a.k.a. cyberspace) and the potential source of malicious attempts to damage or disrupt a computer network, system, or application.
Ransomware
is a type of malware that is designed to block access to a computer system until a sum of money has been paid.
Intellectual property
is a work or invention that is the result of creativity that has commercial value, including copyrighted property such as a blueprint, manuscript, or a design, and is protected by law from unauthorized use by others.
Data incident
is an attempted or successful unauthorized access to a network, system, or application; unwanted disruption or denial of service; unauthorized use of a system for processing or storage of data; or changes to a system without the owner's knowledge, instruction, or consent.
A biometric control
is an automated method of verifying the identity of a person, based on physical or behavioral characteristics. The most common biometrics are a thumbprint or fingerprint, voice print, retinal scan, and signature.
Voice biometrics
is an effective authentication solution across a wide range of consumer devices including smartphones, tablets, and TVs. Future mobile devices are expected to have fingerprint sensors to add another authentication factor.
Hacking
is broadly defined as intentionally accessing a computer without authorization or exceeding authorized access. Various state and federal laws govern computer hacking.
A malware's payload
is code that is dropped on the system that performs any or all of the following functions: facilitates the infection, communicates with the command and control server, or downloads more code.
The BYOD trend
is driven by employees using their own devices for business purposes because they are more powerful than those the company has provided. Another factor is mobility.
The single most effective fraud prevention tactic
is making employees aware that fraud will be detected by IT-monitoring systems and punished, with the fraudster possibly turned over to the police or FBI.
Hacktivist
is short for hacker-activist or someone who performs hacking to promote awareness for or otherwise support a social, political, economic, or other cause. Hacking an application, system, or network without authorization, regardless of motive, is a crime.
Adware
is software that embeds advertisements in the application. It is considered a legitimate alternative offered to consumers who do not wish to pay for software.
Time-to-exploitation
is the elapsed time between when a vulnerability is discovered and when it is exploited.
Risk
is the probability of a threat successfully exploiting a vulnerability and the estimated cost of the loss or damage.
A vector
is the specific method that malware uses to propagate, or spread, to other machines or devices. Malware may also replicate to make copies of itself.
Data breach
is the successful retrieval of sensitive information by an individual, group, or software system.
Phishing
is the term used to describe a social-engineering attack that can use e-mail sent to the recipient under false pretense to steal confidential information from the target.
The internal control environment
is the work atmosphere that a company sets for its employees.
The purpose of a business continuity plan
is to keep the business running after a disaster occurs. Each function in the business should have a feasible backup plan.
Vulnerabilities can be exemplified by
lack of controls around people (user training, inadequate policies), process (inadequate separation of duties, poor process controls), or tools (lack of technical controls enforcement or monitoring).
Malware
refers to hostile or intrusive software, including computer viruses, rootkits, worms, trojan horses, ransomware, and other malicious programs used to disrupt computer or mobile operations, gather sensitive information, or gain access to private computer systems.
Business continuity
refers to maintaining business functions or restoring them quickly when there is a major disruption. The plan covers business processes, assets, human resources, business partners, and more.
Physical security
refers to the protection of computer facilities and resources. This includes protecting physical property such as computers, data centers, software, manuals, and networks. It provides protection against most natural hazards as well as against some human hazards.
Spear phishing
targets select groups of people who have something in common. They can work at the same company, bank at the same financial institution, use a specific Internet provider, or attend the same church or university.
Internal fraud prevention measures are based on
the same controls that are used to prevent external intrusions—perimeter defense technologies, such as firewalls, e-mail scanners, and biometric access. They are also based on human resource (HR) procedures, such as recruitment screening and training.
In the United States, the Sarbanes-Oxley Act requires that companies prove that
their financial applications and systems are controlled (secured) to verify that financial reports can be trusted. It is intended to discourage fraud at the corporate and executive levels.
One of the biggest mistakes managers make is
underestimating IT vulnerabilities and threats. For example, workers use their laptops and mobiles for both work and leisure, and in an era of multitasking, they often do both at the same time.
Experts believe the greatest cybersecurity dangers over the next few years
will involve persistent threats, mobile computing, and the use of social media for social engineering.
Attacks on critical infrastructure sectors can significantly disrupt the functioning of government and business
—and trigger cascading effects far beyond the targeted sector and physical location of the incident. These cyberattacks could compromise a country's critical infrastructure and its ability to provide essential services to its citizens.
Distributed Denial-of-Service (DDoS)
—crashes a network or website by bombarding it with traffic (i.e., requests for service) and effectively denying services to all those legitimately using it and leaving it vulnerable to other threats.
Telephony Denial-of-Service (TDoS)
—floods a network with phone calls and keeps the calls up for long durations to overwhelm an agent or circuit and prevents legitimate callers such as customers, partners, and suppliers from using network resources.