CHAPTER 5
Cybersecurity and Risk Management Technology

Introduction

Today, most business leaders know they are responsible for cybersecurity and privacy threats, wherever they occur. What most don’t understand is how to design, implement, and manage threat-intelligent business strategies and risk management plans to prevent data breaches and protect IT and business resources.

In the digital economy, organizational data is typically available on demand 24/7 to enable companies to benefit from opportunities for productivity improvement and data sharing with customers, suppliers, and business partners. The concept of data on demand is an operational and competitive necessity for global companies, but unfortunately, it also opens them up to cyberattacks.

New vulnerabilities are continuously being found in operating systems, applications, and wired and wireless networks. Left unaddressed, vulnerabilities provide an open door for cyberattacks that can cause business disruptions and devastating financial consequences. Managers no longer question whether their networks will be breached, but when it will happen, how much damage will be done, how long the investigation will take, and how much the investigation and fines will cost.

For example, after detecting a network hack, credit card processing company Global Payments, Inc. spent 14 months investigating the resulting data breach that exposed 1.5 million U.S. debit and credit card accounts. Global’s damages totaled $93 million. This loss consisted of $36 million in fraud losses and fines and $77 million for the investigation, remediation, credit monitoring, and identity theft insurance for affected consumers. And this is not an unusual occurrence. According to a global study conducted by the Ponemon Institute, the average cost of a breached record is $141 and the average cost of an overall data breach is $3.62 million (Ponemon Institute, 2017).

These reports of data breaches focus primarily on what companies are required to report publicly—theft of personally identifiable information (PII), payment data, and personal health information (PHI). Consequently, the costs commonly associated with data breaches only take into consideration these more easily understood impacts. But these are not always an attacker’s objective. Rarely brought into full view are theft of intellectual property (IP), espionage, data destruction, attacks on core operations, or attempts to disable critical infrastructure. These attacks can have a much more significant impact on organizations. But the damage they cause is not widely understood and is much more difficult to quantify.

As a result, organizations need to acquire a deeper knowledge of cyberattacks and combine it with business context, valuation techniques, and financial quantification to establish the true costs of their losses. Applying this more accurate knowledge of potential business impacts, leaders can be much more effective in managing and controlling cyber risk and improve their ability to recover from a cyberattack.

In Chapter 5, you will learn about cybersecurity terminology, the rising number of data breaches, sources of cyberthreats, damage caused by cybercriminals’ aggressive tactics and their impacts on organizations. You will also learn how organizations can defend against cyberattacks, correctly assess the damage they cause, and ensure the actions needed for business continuity. But, first, let’s take a look at two of the biggest cyberattacks ever reported.

5.1 The Face and Future of Cyberthreats

Over the past several years, the number of cyberattacks in which data records have been stolen by hackers has increased at an alarming rate. In 2016, the total number of U.S. data breaches hit an all-time record high of 1,093 according to a report released on January 19, 2017, by the Identity Theft Resource Center (ITRC) (Goldman, 2017). This represents a 40% increase over the previous year. The general business sector reported the highest number of cyberattacks with 494 reported incidents, followed by the healthcare/medical industry with 377, education sector with 98, government/military with 72, and the banking/credit/financial sector with 52 breaches (see Figure 5.1).


FIGURE 5.1 Number of 2016 U.S. data breaches by industry sector.

Vulnerability is a gap in IT security defenses of a network, system, or application that can be exploited by a threat to gain unauthorized access. Vulnerabilities can be exemplified by lack of controls around people (user training, inadequate policies), process (inadequate separation of duties, poor process controls), or tools (lack of technical controls enforcement or monitoring).

Data incidents and breaches in 2016 exposed everything from usernames to passwords to Social Security numbers and are caused by the successful exploitation of vulnerabilities in information systems by a threat (risk = threat × vulnerability). Vulnerabilities threaten the confidentiality, integrity, or availability (CIA) of data and information systems, as defined in Figure 5.2.


FIGURE 5.2 The three objectives of data and information systems security.

Fifty-six percent of all breaches were phishing attacks, where hackers trick an employee into clicking a specially crafted e-mail link or attachment which then provides the hackers access to the user’s system and ultimately corporate network and data. These attacks were up 38% from 2015. Table 5.1 lists the top five data breaches worldwide in 2016. Although these numbers are high, it’s important to remember that a vast majority of data breaches go unreported, according to cybersecurity experts, because corporate victims fear that disclosure would damage their stock price, or because they never knew they were hacked in the first place.

TABLE 5.1 2016 Biggest Data Breaches Worldwide, in Terms of Number of Data Records Breached

Source: Breach Level Index (2016).

Company: Anthem Insurance
Type of Data Breach: The attack against U.S.-based health insurer Anthem was an identity theft breach that resulted in the theft of 78.8 million records, making it the largest data breach of the year in terms of records compromised. Current and former members of one of Anthem’s affiliated health plans, as well as some members of other independent Blue Cross and Blue Shield plans who received health-care services in any of the areas that Anthem serves, were said to be affected.
Records Breached: 78.8 Million

Company: Turkish General Directorate of Population and Citizenship Affairs
Type of Data Breach: The Turkish government agency experienced an identity theft attack at the hands of a malicious outsider. The attack exposed 50 million records, and information pertaining to citizens was stolen.
Records Breached: 50 Million

Company: Korean Pharmaceutical Information Center
Type of Data Breach: The South Korean organization that distributes pharmacy management software to many of the country’s pharmacies was hit by an identity theft breach launched by a malicious insider. The result was the exposure of 43 million records. According to the Korea Herald, medical information of nearly 90% of the South Korean population was sold to a multinational firm, which processed and sold the data.
Records Breached: 43 Million

Company: U.S. Office of Personnel Management
Type of Data Breach: The state-sponsored attack, which was described by federal officials as being among the largest breaches of government data in the history of the United States, scored a 9.6 on the risk assessment scale. The attack exposed data including PII such as Social Security numbers, names, dates and places of birth, and addresses.
Records Breached: 22 Million

Company: Experian
Type of Data Breach: The U.S.-based credit bureau and consumer data broker experienced an identity theft breach by a malicious outsider that resulted in the theft of 15 million records. The data included some PII about consumers in the United States, including those who applied for T-Mobile services or device financing.
Records Breached: 15 Million

The consequences of insufficient cybersecurity include damaged reputations, consumer backlash, lost market share, falling share prices, financial penalties, and federal and state government fines. As a result, companies are investing heavily in security-related technologies—worldwide spending on security-related hardware, software, and services rose to $73.7 billion in 2016 from $68.2 billion a year earlier and that number is expected to approach $90 billion in 2018.

Hacks of high-tech companies like Yahoo, LinkedIn, Google, Amazon, eBay, and Sony, and top security agencies like the CIA and FBI are proof that no one is safe. Cyberwarriors are too well funded and motivated. Taking a global perspective, Verizon’s 2016 Data Breach Investigations Report (DBIR) examined over 100,000 incidents, including 3,141 confirmed data breaches across 82 countries. Of these, 89% of the breaches were motivated by financial gain or espionage. In over 90% of the breaches, it took attackers mere minutes (or less) to compromise a system. On the other hand, it took companies weeks to months to discover that a breach had occurred, and in most cases it was external sources, such as customers or law enforcement, that sounded the alarm! Cyberthreats can be intentional or unintentional.

Table 5.2 lists eight sources of intentional and unintentional cyberthreats that account for the vast majority of data breaches and other cybersecurity incidents.

TABLE 5.2 Major Sources of Cyberthreats

Source: Verizon (2016).

Intentional Cyberthreats

Hacking
  Characteristics: Unauthorized access of networks, systems, or applications for economic, social, or political gain. Use of programs such as backdoor services to promote reentry or further incursion into the target environment.
  Solutions:
    • Train your staff
    • Change passwords frequently
    • Have “strong” passwords

Phishing
  Characteristics: Social engineering, targeting human behavior rather than computer technology.
  Solutions:
    • Train your staff
    • Monitor activity

Crimeware
  Characteristics: Use of malware and ransomware.
  Solutions:
    • Use antimalware/AV software
    • Patch promptly
    • Monitor change and watch key indicators
    • Back up systems regularly
    • Capture data on attacks
    • Practice the principle of least privilege

Distributed denial-of-service
  Characteristics: Use of compromised systems to overwhelm a system with malicious traffic.
  Solutions:
    • Segregate key servers
    • Choose your providers carefully
    • Test your anti-DDoS service

Insider and privilege misuse
  Characteristics: Employees, contractors, partners, suppliers, and other external entities with specific insider roles abusing access granted to systems for legitimate business purposes.
  Solutions:
    • Monitor user behavior
    • Track mobile media usage
    • Know your data

Physical theft
  Characteristics: Theft of laptops, tablets, peripherals, printed material, etc.
  Solutions:
    • Encrypt your data
    • Train your staff
    • Reduce use of paper

Unintentional Cyberthreats

Physical loss
  Characteristics: Theft of laptops, tablets, and peripheral devices.
  Solutions:
    • Encrypt your data
    • Train your staff

Miscellaneous errors
  Characteristics: Any unintentional action that compromises security, except theft and loss of assets.
  Solutions:
    • Learn from your mistakes
    • Strengthen controls
    • Ensure all assets go through a rigorous check by IT before they are decommissioned or disposed of


Intentional Threats

Examples of intentional threats include data theft such as inappropriate use of data (e.g., manipulating inputs); theft of computer time; theft of equipment and/or software; deliberate manipulation in handling, entering, programming, processing, or transferring data; sabotage; malicious damage to computer resources; destruction from malware and similar attacks; and miscellaneous computer abuses and Internet fraud.

Unintentional Threats

Unintentional threats fall into three major categories: human error, environmental hazards, social unrest and computer system failures.

  • Human error can occur in the design of the hardware or information system. It can also occur during programming, testing, or data entry. Neglecting to change default passwords in applications or on systems or failing to manage patches creates security holes. Human error also includes untrained or unaware users falling prey to social engineering like phishing scams or ignoring security procedures. Human errors contribute to the majority of internal control and information security problems.
  • Environmental hazards include volcanoes, earthquakes, blizzards, floods, power failures or strong fluctuations, fires (the most common hazard), defective heating, ventilation and air-conditioning (HVAC) systems, explosions, radioactive fallout, and water-cooling-system failures. In addition to the primary damage, computer resources can be damaged by the side effects of a hazard, such as smoke and water. Such hazards may disrupt normal computer operations resulting in extended data inaccessibility and exorbitant restoration and recovery costs.
  • Computer systems failures can occur as the result of poor manufacturing, defective materials, or poor maintenance. Unintentional malfunctions can also occur for other reasons, ranging from administrator inexperience to inadequate testing.

In the next sections, you will learn more about the various sources of cyberthreats and their potential impact on organizations.

Hacking

Hacking is a very profitable industry. In 2016, 56% of reported data breaches were reported to be the result of hacking, which is 18% higher than those reported for 2015 (Verizon, 2016). Hacking is a big part of underworld cybercrime, and a way for hacktivists to protest. Both the anonymity of the Internet and lack of international treaties provide hackers with a feeling of near invincibility because they face very low risk of capture and punishment.

It is important to note that in hacker culture there are three classes of hackers, shown in Table 5.3.

TABLE 5.3 Three Classes of Hackers

White hat
  Characteristics: Computer security specialist who breaks into protected systems and networks to test and assess their security.
  Outcome: Use their skills to improve security by exposing vulnerabilities before malicious hackers (black hats) can detect and exploit them.

Black hat
  Characteristics: Person who attempts to find computer security vulnerabilities and exploit them for personal financial gain or other malicious reasons.
  Outcome: Can inflict major damage on both individual computer users and large organizations by stealing personal financial information, compromising security of major systems, or shutting down or altering the function of websites and networks.

Gray hat
  Characteristics: Person who may violate ethical standards or principles, but without the malicious intent ascribed to black hat hackers.
  Outcome: May engage in practices that are less than ethical, but are often operating for the common good, e.g., exploits a security vulnerability to spread public awareness that the vulnerability exists.

An Inside Look at How the Hacking Industry Operates

Hacking is an industry with its own way of operating, a workforce, and support services. Hackers use social networks, underground forums, and the Deep Web to rate and promote services, share exploits, and recruit others. In certain forums and in the Deep Web, hackers can purchase the use of any number of services. These include the following:

  • Educational services
  • Software platforms for building and distributing hacking tools and malware/ransomware
  • Sale or purchase of stolen data ranging from items as simple as e-mail accounts to credit cards, PII, and corporate data.
  • Contract hackers are available for hire or complete hack attacks can be bought.
  • Hacking help desks provide 24/7 support—making sophisticated attacks easier to manage and execute.

Organized crime groups quickly learned that cybercrime has better payoffs with substantially lower risks to life, limb, and liberty than other activities like human trafficking, smuggling, extortion, and the drug trade. They become virtually untouchable by law enforcement because often no one sees the crime, and if it is identified, the lack of international treaties and cooperation makes capture and trial across non-extradition countries virtually impossible. Given this, it is not surprising that almost every survey identifies the same troubling trend: the recovery costs and frequency of cybercrimes are increasing while the costs of execution are declining. This means much stronger IT security practices and defenses are obviously needed.

One of the greatest cybersecurity weaknesses is users who ignore the dangers of weak passwords; more than half of all confirmed data breaches involve weak or stolen passwords. The capture and misuse of credentials, such as user IDs and passwords, is one of the foundations cybercriminals and nation-state hackers rely on in executing numerous other types of cyberthreats, including phishing (discussed in more detail later in the chapter). Proper credential management is essential to security.

Cyber Social Engineering and Other Related Web-Based Threats

Experts believe the greatest cybersecurity dangers over the next few years will involve persistent threats, mobile computing, and the use of social media for social engineering. From an IT security perspective, social engineering is a hacker’s clever use of deception or manipulation of people’s tendency to trust, be helpful, or simply follow their curiosity. Powerful IT security systems cannot defend against what appears to be authorized access.

Notorious hacker Kevin Mitnick, who served time in jail for hacking, used social engineering as his primary method to gain access to computer networks. In most cases, the criminal never comes face-to-face with the victim, but communicates via the phone or e-mail.

Humans are easily hacked, making them and their social media posts high-risk attack vectors. For instance, it is often easy to get users to infect their corporate network or mobile devices by tricking them into downloading and installing malicious applications or backdoors.

Phishing

Phishing is the term used to describe a social-engineering attack that uses e-mail sent to the recipient under false pretenses to steal confidential information from the target. This is done by the sender pretending to be a known person or legitimate organization, such as PayPal, a bank, a credit card company, or another trusted source, and asking the user to perform an action that would expose his or her computer to a cyberthreat or reveal credentials or personal, financial, or business-related private information. Phishing messages are either sent in mass campaigns or they are specifically targeted at a particular group of people or person. The former requires no front work to gain context for the target but relies on sheer volume of messages (millions to tens of millions) to achieve returns.

The latter requires more effort to gather relevant context about the message target and is therefore sent out in far smaller batches but has a higher rate of return on both the number of opened messages and the payback per message for that effort. The latter approach is discussed later in this section.

Phishing messages include a request to respond with information of some kind or a link to a fraudulent website that often looks like an authentic site the user works with. When the user clicks the link to the site, he or she falls victim to a malware download, drive-by attack, or information skimming such as being asked for a credit card number, Social Security number, account number, or password.
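As an added example (not from the textbook), the following Python checker applies the warning signs just described to the links in a constructed phishing message: display text that names one site while the link points elsewhere, a trusted brand name buried inside an unrelated host, and links to raw IP addresses. The trusted-domain list, the sample message, and the two-label domain shortcut are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Brand domains the organisation's users legitimately deal with (assumed list).
TRUSTED_DOMAINS = {"paypal.com", "example-bank.com"}

# Constructed sample of a phishing e-mail body (HTML), not a real message.
SAMPLE_MESSAGE = """
<p>Your account will be closed in 24 hours unless you confirm your details.</p>
<a href="http://paypal.com.account-verify.invalid/login">https://www.paypal.com/signin</a>
<a href="https://www.paypal.com/help">Help Center</a>
<a href="http://203.0.113.9/update">Update payment method</a>
"""

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_IN_TEXT_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: keep the last two labels. A real tool would consult the
    public-suffix list; the two-label shortcut is an assumption of this example."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def link_findings(html: str) -> list:
    """Return one finding per suspicious <a> element, with the reasons it was flagged."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        host = urlsplit(href).hostname or ""
        target = registrable_domain(host)
        plain = re.sub(r"<[^>]+>", "", text).strip()
        reasons = []

        # 1. The visible text shows one domain but the link resolves to another.
        shown = DOMAIN_IN_TEXT_RE.search(plain)
        if shown and registrable_domain(shown.group(1)) != target:
            reasons.append(f"display text says {shown.group(1)} but link goes to {host}")

        # 2. A trusted brand appears as a subdomain of an unrelated host
        #    (e.g. paypal.com.account-verify.invalid), a common lookalike trick.
        for brand in TRUSTED_DOMAINS:
            if brand in host and target != brand:
                reasons.append(f"brand {brand} embedded in untrusted host {host}")

        # 3. Legitimate organisations link to names, not bare IP addresses.
        if IPV4_RE.fullmatch(host):
            reasons.append(f"link target is a raw IP address {host}")

        if reasons:
            findings.append({"href": href, "text": plain, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in link_findings(SAMPLE_MESSAGE):
        print(finding["href"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

The genuine "Help Center" link passes all three checks, which is the point: the checks flag the deceptive links without raising noise on the legitimate one.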

Criminals use the Internet and private networks to hijack large numbers of systems, including PCs, mobile devices, servers, and Internet of Things (IoT) devices, to spy on users, spam them, shake down businesses, and steal identities. Once captured, these systems are called bots, short for robots or Internet robots. But why are they so successful? The Information Security Forum, a self-help organization that includes many Fortune 100 companies, compiled a list of the top information problems and discovered that nine of the top 10 incidents were the result of three factors:

  1. Mistakes or human errors leading to misconfigured systems, applications, or networks
  2. Malfunctioning systems
  3. Failure to patch or otherwise properly maintain software on existing systems

Unfortunately, these factors can too easily create gaps in cybersecurity controls that companies and individuals use to protect their information.

Spear Phishing

Spear phishing targets select groups of people who have something in common. They can work at the same company, bank at the same financial institution, use a specific Internet provider, or attend the same church or university. The scam e-mails appear to be sent from organizations or people the potential victims normally receive e-mails from, making them even more deceptive.

Here is how spear phishing works:

  1. Spear phishers gather information about people’s activities, social groups, companies, and/or jobs from general media announcements, social media or compromised accounts, applications that are poorly designed and leak information or they can steal it from websites, computers, or mobile devices they have compromised, and then use that information to customize messages.
  2. Then they send the customized e-mails to targeted victims, creating some sort of pretext requiring the user to act or respond. These can be threats of account closure, loss of access or privilege, loss of funds or additional charges, legal action, impact on friends or family members, and so on. With the background information gained, the message creates a very legitimate-sounding and compelling explanation as to why they need your personal data.
  3. Finally, the victims are asked to click on a link inside the e-mail that takes them to a phony but realistic-looking website, where they are asked to provide passwords, account numbers, user IDs, access codes, PINs, and so on.

When spear phishing targets are executives or persons of significant wealth, power, influence, or control the activity is known as “whaling.”

Crimeware

IT security researchers discover almost 1 million malicious programs every day. Why would so many hackers be spending so much time generating or launching these programs? The answer is simple—it pays well! Crimeware can be broken down into several categories, including spyware, adware, malware, and ransomware.

Malware Assaults are Part of Everyday Operations

There have been numerous test cases of malware overheating devices, causing them to physically distort or worse. These attacks, bundled into a cyberattack, could have devastating and lasting effects beyond what we commonly associate with an aggravating distributed denial-of-service (DDoS) attack.

Viruses, worms, trojans, rootkits, backdoors, and keyloggers are types of malware. Most viruses, trojans, and worms are activated when an attachment is opened or a link is clicked. But when features are automated, they may trigger malware automatically, too. For example:

  • If an e-mail client, such as Microsoft Outlook or Gmail, is set to allow scripting, then virus infection occurs by simply opening a message or attachment.
  • Viewing e-mail messages in HTML, instead of in plain text, can trigger virus infections.
  • Malware is not just about e-mail. It also includes rogue applications and malicious websites.

Remote access trojans (RATs) are a form of Trojan horse that creates an unprotected backdoor into a system through which a hacker can remotely control that system. As the name implies, a backdoor provides easy access to a system, computer, or account by creating an entry point that may or may not require authentication.

However, hackers are very territorial and don’t want someone else using systems they worked to compromise, so although a RAT eliminates the need to authenticate with the system’s own username and password, it often enforces some form of access control of its own so that only the hacker can use the backdoor.

A malware’s payload is code that is dropped on the system that performs any or all of the following functions: facilitates the infection or communicates with the command and control server or downloads more code. In doing so, the payload carries out the purpose of the malware. The payload could cause damage that is visible or operate in stealth mode so as to remain undetected. A vector is the specific method that malware uses to propagate, or spread, to other machines or devices. Malware may also replicate to make copies of itself.

Malware creators often use social engineering to maximize the effective distribution of their creations. For example, the ILoveYou worm, released in May, 2000, used social engineering to entice people to open malware-infected e-mail messages. It successfully attacked tens of millions of Windows computers when it was sent as an e-mail attachment with the subject line: ILOVEYOU. Within nine days, the worm had spread worldwide, crippling networks, destroying files, and causing an estimated $5.5 billion in damages.

Malware Reinfection, Signatures, Mutations, and Variants

When a host computer is infected, attempts to remove the malware may fail—and the malware may reinfect the host for these two reasons:

  1. Malware is captured in backups or archives. Restoring the infected backup or archive also restores the malware.
  2. Malware infects removable media. Months or years after the initial infection, the removable media may be accessed, and the malware could attempt to infect the host.

Most antivirus (AV) software relies on signatures to identify and then block malware. According to the Worldwide Malware Signature Counter, at the start of 2013, there were an estimated 19 million malware signatures. Detecting and preventing infections is not always possible. Zero-day exploits—malware so new that their signatures are not yet known—are an example. Malware authors also evade detection by AV software and firewalls by altering malware code to create variants, which have new signatures. Nor are all procedures or AV tools capable of removing every trace of the malware. Even if the malicious parts of the infection can be cleaned from a system, the remaining pieces of code could make the system unstable or expose it to future infection.
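To make the signature-versus-variant point concrete, here is an added Python example (not from the textbook or any AV vendor). It builds two tiny signature databases over constructed byte strings that stand in for executables: an exact whole-file hash, as a classic signature, and a characteristic byte pattern of the family. A one-byte "variant" defeats the hash but not the pattern, and a sample never seen before (the zero-day case) matches neither. The sample contents and signature names are assumptions.

```python
import hashlib

# Constructed stand-ins for files on disk; none of this is real malware.
ORIGINAL_SAMPLE = b"HEADER|stage1|connect c2.example.invalid|drop payload.bin|END"
# The "variant": the author appended one padding byte, behaviour unchanged.
VARIANT_SAMPLE = ORIGINAL_SAMPLE + b"\x00"
# Previously unseen family: no vendor has a signature for it yet (zero-day case).
UNSEEN_SAMPLE = b"HEADER|stage2|connect other.example.invalid|wipe disk|END"
# Benign software that also makes an outbound connection.
CLEAN_SAMPLE = b"HEADER|update checker|connect updates.example.invalid|END"


def sha256_signature(data: bytes) -> str:
    """Exact-match signature: the SHA-256 digest of the whole file."""
    return hashlib.sha256(data).hexdigest()


# Hash signature database, built from the one sample the vendor has analysed.
HASH_SIGNATURES = {sha256_signature(ORIGINAL_SAMPLE): "Trojan.Sample.A"}

# Pattern signature: a byte sequence tied to what the family does, not to one build.
PATTERN_SIGNATURES = {b"connect c2.example.invalid|drop payload.bin": "Trojan.Sample"}


def match_by_hash(data: bytes):
    """Return the signature name if the whole-file hash is known, else None."""
    return HASH_SIGNATURES.get(sha256_signature(data))


def match_by_pattern(data: bytes):
    """Return the signature name if any known byte pattern occurs in the file."""
    for pattern, name in PATTERN_SIGNATURES.items():
        if pattern in data:
            return name
    return None


def scan(data: bytes) -> dict:
    """Run both signature types over one file and report what each one found."""
    return {"hash": match_by_hash(data), "pattern": match_by_pattern(data)}


if __name__ == "__main__":
    for label, sample in [("original", ORIGINAL_SAMPLE), ("variant", VARIANT_SAMPLE),
                          ("unseen", UNSEEN_SAMPLE), ("clean", CLEAN_SAMPLE)]:
        print(f"{label:9s} {scan(sample)}")
```

Pattern signatures narrow the gap but do not close it: the unseen family shows that any signature scheme needs an analysed sample first, which is why the text pairs AV with patching, monitoring, and backups.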

Botnets

Today’s malware is often designed for long-term control of infected machines. Advanced malware sets up outbound communication channels in order to upload stolen data, download payloads, or do reconnaissance.

In contrast, a botnet is a group of external attacking entities and is a totally different attack method/vector from malware which is internal to the system. Infected computers, called zombies, can be controlled and organized into a network of zombies on the command of a remote botmaster (also called bot herder). Storm worm, which is spread via spam, is a botnet agent embedded inside over 25 million computers. Storm’s combined power has been compared to the processing might of a supercomputer. Storm-organized attacks are capable of crippling any website. Zombies can be commanded to monitor and steal personal or financial data—acting as spyware. Botnets are used to send spam and phishing e-mails and launch DDoS attacks. Botnets are extremely dangerous because they scan for and compromise other computers, which then can be used for every type of crime and attack against computers, servers, and networks.

Ransomware Is Increasingly Becoming a Problem

Ransomware has been around for more than a decade. The problem began on a fairly small scale, targeting individual users, but the ransomware cyberthreat has been growing in the last couple of years and the attacks have become large scale. Now, some company executives fear entire companies will be shut down by ransomware until they pay up, or risk losing all their data.

Ransomware works by first infiltrating a computer with malware and then encrypting all the files on the disk. The malware used to encrypt files can be difficult to defend against, and the encryption in most cases can’t be broken. Then, the user is presented with a limited time offer: Lose all your data or send money with the promise the data will be unlocked. The fee typically varies from a few dollars to hundreds of dollars and often has to be transmitted in Bitcoin. One hospital in Los Angeles, whose electronic medical record system was locked out for 10 days, was forced to pay cyberattackers 40 Bitcoins to get its system unlocked when law enforcement and computer experts were unable to help in restoring the hospital’s data files.

Computer security experts have theorized that this type of attack has a higher rate of success versus other cybercrime activity that has become more difficult. The best insurance against ransomware is to have offline or segregated backups of data.

Denial-of-Service

Cybersecurity experts warn that battling the increasing number of Denial-of-Service (DoS) threats needs to be a top priority. DoS threats come in a number of “flavors,” depending on their target. The three most prominent forms are:

  • Distributed Denial-of-Service (DDoS)—crashes a network or website by bombarding it with traffic (i.e., requests for service) and effectively denying services to all those legitimately using it and leaving it vulnerable to other threats.
  • Telephony Denial-of-Service (TDoS)—floods a network with phone calls and keeps the calls up for long durations to overwhelm an agent or circuit and prevents legitimate callers such as customers, partners, and suppliers from using network resources.
  • Permanent Denial-of-Service (PDoS)—completely prevents the target’s system or device from working. This attack type is unique. Instead of collecting data or providing some ongoing perverse function its objective is to completely prevent its target’s device(s) from functioning. The damage PDoS causes is often so extensive that hardware must be reinstalled or reinstated. PDoS is also known as “phlashing.”

A “chilling” example of the havoc that PDoS can cause was demonstrated when a PDoS attack took the building management system offline in a block of residential apartments in Finland. The system’s Internet connection was blocked causing the system to repeatedly try to reconnect by rebooting itself. During this downtime, the system was unable to supply heat at a time when temperatures were below freezing! Fortunately, the energy company was able to find alternate accommodations for residents until the system was brought back online.

Insider and Privilege Misuse

Threats from employees, referred to as internal threats, are a major challenge largely due to the many ways an employee can carry out malicious activity. Insiders may be able to bypass physical security (e.g., locked doors) and technical security (e.g., passwords) measures that organizations have put in place to prevent unauthorized access. Why? Because defenses such as firewalls, intrusion detection systems (IDSs), and locked doors mostly protect against external threats. Despite the challenges, insider incidents can be minimized with a layered defense-in-depth strategy consisting of security procedures, acceptable use policies (AUPs), and technology controls.

Data tampering is a common means of attack that is overshadowed by other types of attacks. It refers to an attack during which someone enters false or fraudulent data into a computer, or changes or deletes existing data. Data tampering is extremely serious because it may not be detected. This is the method often used by insiders.

Physical Theft or Loss

The threat of an information asset going missing, whether through negligence or malice, can send companies into a panic. The “miniaturization” of computing has led to an increase in physical theft or loss. Laptops, tablets, modems, routers, and USB drives are much more easily transportable than mainframes or servers! When a laptop or tablet with unencrypted sensitive documents on it goes missing, it’s difficult to determine if a data breach has actually occurred, but precautions must always be taken. Theft of laptops occurs primarily in victims’ own work areas or from their vehicles. On the positive side, lost items are much more prevalent than theft. Theft is more likely to be related to the procurement of USB drives and printer paper.

Miscellaneous Errors

The main concern related to this source of cyberthreat is a shortage of capacity, thus preventing information from being available when needed. Other threat actions that fall within this category of miscellaneous errors are shown in Table 5.4.

TABLE 5.4 Threat Actions Classified as Miscellaneous Errors

Misdelivery: Information delivered to the wrong person, such as e-mails or documents sent to the wrong people
Publishing error: Information published to an unintended audience, such as the entire Internet, enabling them to view it
Misconfiguration: A firewall rule is mistyped, allowing access to a sensitive file server from all internal networks rather than a specific pool of hosts
Disposal error: A hard drive is not “wiped” on decommissioned devices
Programming error: Code is mistyped or logic is flawed
Data entry error: Data is entered incorrectly, entered into the incorrect file, or duplicated
Omission: Data is not entered; a document is not sent
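The misconfiguration entry in Table 5.4 (a mistyped firewall rule that opens a sensitive file server to all internal networks rather than a specific pool of hosts) is the kind of error a rule review can catch before deployment. The following added example, which is not part of the textbook, compares each allow rule against an allow-list of permitted source pools per protected server and reports any rule whose source range is wider than the policy permits. The rule syntax, addresses, and policy are constructed assumptions, not a real firewall's format.

```python
"""Catching an over-broad firewall rule before it reaches production.

Added example, not from the textbook. Each 'allow' rule that reaches a
protected destination is checked against the source pools the policy
permits for that destination; a rule whose source is not contained in
one of those pools is reported. Rule format, addresses and policy are
constructed sample values.
"""
import ipaddress

# Constructed policy: protected server -> source pools allowed to reach it.
ALLOWED_SOURCES = {
    "10.10.5.20/32": ["10.10.40.0/28"],   # file server: finance pool only
}

# Constructed rule set. The second rule is the typo from Table 5.4:
# /16 (the whole internal range) was typed instead of /28 (the pool).
SAMPLE_RULES = """\
allow 10.10.40.0/28 -> 10.10.5.20/32 tcp/445
allow 10.10.0.0/16 -> 10.10.5.20/32 tcp/445
allow 10.10.0.0/16 -> 10.10.7.0/24 tcp/80
deny 0.0.0.0/0 -> 10.10.5.20/32 tcp/445
"""


def parse_rules(text):
    """Parse the minimal '<action> <src> -> <dst> <service>' format used above."""
    rules = []
    for line in text.strip().splitlines():
        action, src, _, dst, service = line.split()
        rules.append({"action": action, "src": src, "dst": dst, "service": service})
    return rules


def overbroad_rules(rules, policy=ALLOWED_SOURCES):
    """Return allow rules whose source exceeds the permitted pools for a protected host."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        dst = ipaddress.ip_network(rule["dst"], strict=False)
        src = ipaddress.ip_network(rule["src"], strict=False)
        for protected, pools in policy.items():
            if not dst.overlaps(ipaddress.ip_network(protected)):
                continue   # rule does not touch this protected server
            if not any(src.subnet_of(ipaddress.ip_network(p)) for p in pools):
                findings.append(rule)
    return findings


if __name__ == "__main__":
    for bad in overbroad_rules(parse_rules(SAMPLE_RULES)):
        print("over-broad:", bad)   # flags the 10.10.0.0/16 -> 10.10.5.20/32 rule
```

Running such a check in a change-control pipeline turns a silent misconfiguration into a failed review; the policy file itself must be owned by the security team so that a rule author cannot simply widen the allow-list alongside the rule.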

New Attack Vectors

Vulnerabilities exist in networks, operating systems, applications, databases, mobile devices, and cloud environments. These vulnerabilities are attack vectors or entry points for malware, hackers, hacktivists, and organized crime. Mobile devices and apps, social media, and cloud services introduce even more attack vectors for malware, phishing, and hackers. As a result, new cyberthreats are on the horizon.

Malicious (Rogue) Mobile Applications

The number of malicious Android applications is growing at an alarming rate. According to a report by AV provider and software analysis group Trend Micro, more than 850,000 Android phones worldwide had been infected by the new “Godless” malware as of June 2016 (Goodin, 2016). The malware is transferred to users’ phones through rogue applications in the Google Play store. According to mobile security cloud service providers Marble Security and Trend Micro, over 42% of the more than 300 rogue mobile applications found in the Google Play store are published in the United States (RT.com, 2015; Duan, 2016). Almost all of these applications were found in unreliable third-party stores. Rogue mobile applications can serve up trojan attacks, other malware, or phishing attacks.

Companies offering legitimate applications for online banking, retail shopping, gaming, and other functions might not be aware of threats lurking in their app stores. And despite their best efforts, legitimate app store operators cannot reliably police their own catalogs for rogue apps.

With a single click on a malicious link, users can launch a targeted attack against their organizations.

Concept Check 5.1

  1. An example of an incident is:
a. Gaining unauthorized access to a system or its data
b. Authorized use of a system for processing or storage of data
c. Changes to a system with the owners’ knowledge, instruction, or consent
d. Unwanted disruption or denial of service

  2. In 2016 the total number of data breaches reported by the Identity Theft Resource Center was:
a. 1,065
b. 2,061
c. 1,093
d. 2,223

  3. The business sector that reported the highest number of cyberattacks in 2016 was:
a. Healthcare
b. Education
c. Government
d. Business

  4. The three objectives of data and information systems security are:
a. Caution, integrity, availability
b. Confidentiality, integrity, availability
c. Confidentiality, interest, accessibility
d. Confidentiality, integrity, accessibility

  5. In 2016, the greatest number of data breaches were reported to be the result of:
a. Hacking
b. Phishing
c. Malware
d. Ransomware


5.2 Cyberattack Targets and Consequences

Every enterprise has data that profit-motivated criminals want. Customer data, networks, websites, proprietary information systems, and patents are examples of assets—things of value that need to be protected. However, it would appear that management may not be doing enough to defend against cyberattacks. Even high-tech companies and market leaders appear to be detached from the value of the confidential data they store and the ways in which highly motivated hackers will try to steal it.

One of the biggest mistakes managers make is underestimating IT vulnerabilities and threats. For example, workers use their laptops and mobiles for both work and leisure, and in an era of multitasking, they often do both at the same time. Yet off-time or off-site use of devices remains risky because, despite policies, employees continue to engage in dangerous online and communication habits. Those habits make them a weak link in an organization’s otherwise solid security efforts.

Some of the most prevalent and deadly targets that cyber criminals will attack in companies and governmental agencies include: critical infrastructure; theft of IP; identity theft; bring your own device (BYOD); and social media. Some of these attacks will be conducted as high-profile attacks while others will fall into the category of “under-the-radar” attacks. Before discussing the different cyberattack targets, let’s take a look at the differences between these two approaches.

“High-Profile” and “Under-the-Radar” Attacks

Advanced persistent threat (APT) attackers operate “under the radar” so they can continue to steal data and profit from it, as described in IT at Work 5.1. These APT attackers are profit-motivated cybercriminals who often operate in stealth mode. In contrast, hackers and hacktivists with personal agendas carry out high-profile attacks to gain recognition and notoriety.

Hacktivist groups, such as Anonymous, a loosely associated international network of activist and hacktivist entities and its spin-off hacker group, LulzSec, have committed daring data breaches, data compromises, data leaks, thefts, threats, and privacy invasions. Consider the following three examples:

  • Philippine Commission on Elections: A few months before a Philippine election, the hacker group Anonymous tapped into the commission’s website and released personal information on 55 million registered voters. The demonstration was in response to the Philippines’ lax security measures around its voting machines; the information of 1.3 million overseas voters, which included passport numbers, was included in the breach.
  • Combined Systems, Inc.: Proudly displaying its hacktivist flag, Anonymous took credit for knocking Combined Systems, Inc. offline and stealing personal data from its clients. Anonymous went after Combined Systems, which sells tear gas and crowd-control devices to law enforcement and military organizations, to protest war profiteers.
  • CIA: Twice in one year, Anonymous launched a DoS attack that forced the CIA website offline. The CIA takedown followed a busy week for the hacktivists. Within 10 days, the group also went after Chinese electronics manufacturer Foxconn, American Nazi groups, AV firm Symantec, and the office of Syria’s president.

In contrast, APTs typically steal corporate and government secrets. Most APT attacks are launched through phishing. Typically, this type of attack begins with some reconnaissance on the part of attackers. This can include researching publicly available information about the company and its employees, often from social networking sites. This information is then used to create targeted phishing e-mail messages. A successful attack could give the attacker access to the enterprise’s network.

APTs are designed for long-term espionage. Once installed on a network, APTs transmit copies of documents, such as Microsoft Office files and PDFs, in stealth mode. APTs collect and store files on the company’s network; encrypt them; then send them in bursts to servers often in China or Russia. This type of attack has been observed in other large-scale data breaches that exposed significant numbers of identities.

Both high-profile and under-the-radar attacks can be launched against a number of different targets. We will discuss those next.

Critical Infrastructure Attacks

Hackers, hacktivists, crime syndicates, militant groups, industrial spies, fraudsters, and hostile governments continue to attack networks for profit, fame, revenge, or an ideology; to wage warfare and terrorism, fight against a terrorist campaign, or disable their target. For example, the Department of Homeland Security (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) warned that attacks against critical infrastructure are growing. In 2015, more than 427 vulnerability incidents were reported, far surpassing the 245 total attacks reported in 2014. The most affected industry was the energy sector.

Figure 5.3 shows the 16 critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.


FIGURE 5.3 U.S. critical infrastructure sectors.

Attacks on critical infrastructure sectors can significantly disrupt the functioning of government and business—and trigger cascading effects far beyond the targeted sector and physical location of the incident. These cyberattacks could compromise a country’s critical infrastructure and its ability to provide essential services to its citizens.

For example, the first cyberattack against a nation’s power grid occurred in December 2015, when attackers successfully seized control of the Prykarpattyaoblenergo Control Center (PCC) in Western Ukraine, leaving 230,000 citizens without power for up to six hours. The attackers carefully planned their assault over many months. They studied the networks, siphoned operator credentials, and finally launched their devastating synchronized assault in the middle of winter. The PCC operated a supervisory control and data acquisition (SCADA) system, a common form of industrial control system, that distributed electricity. The critical devices at 16 substations became unresponsive to any remote command from their operators after the attackers overwrote their firmware. Surprisingly, this type of control system is more secure than some used in the United States, since it has robust firewalls that separate it from control center business networks. Governments around the world have plans in place to deal with the consequences of natural disasters, yet none have disaster relief plans for a downed power grid. Clearly, this must change. Local and state governments must work together with their national counterparts to produce and quickly implement plans to address future attacks.

In response to the consistently growing number of cyberattacks over the past decade, the Inter-American Committee Against Terrorism (CICTE) issued a formal declaration to protect critical infrastructure from emerging threats and a Presidential executive order was signed in May 2017 to strengthen the cybersecurity of Federal networks and critical infrastructure.

Theft of Intellectual Property

Intellectual property (IP) can represent more than 80% of a company’s value and as such is a critical part of all 21st-century organizations. Losing customer data to hackers can be costly and embarrassing, but losing IP, commonly known as trade secrets, could threaten a company’s existence. It’s a business leader’s nightmare—that gut-wrenching realization that a corporate network has been breached and valuable intellectual assets have been stolen by unknown cybercriminals (Gelinne et al., 2016).

Theft of IP has always been a threat from corporate moles, disgruntled employees, and other insiders. While some IP may still be obtainable exclusively through physical means, digitization has made theft easier. Advancements in technology, increased mobility, rapid globalization, and the anonymous nature of the Internet create growing challenges in protecting IP. Hackers’ preferred modus operandi is to break into employees’ mobile devices and leapfrog into employers’ networks—stealing trade secrets without a trace.

Cybersecurity experts and government officials are increasingly concerned about breaches from other countries into corporate and government networks either through mobile devices or other means. For example, a government agency could have blueprints for a secret new weapon system stolen by foreign agents, or an employee of a popular game developer might steal their latest game before it is released to the public.

In May of 2016, President Barack Obama signed the Defend Trade Secrets Act (DTSA), to allow “the owners of trade secrets to bring a civil action in federal court for trade secret misappropriation” (Gibson Dunn, 2016). Until the signing of the DTSA, corporations had to rely on state law regarding trade secrets. Now, every American corporation is equally protected under federal law. Moreover, it extends the power of the federal government in regulation of trade secrets through interstate and foreign commerce while maintaining existing trade secret laws.

A famous example of theft of IP is the APT attack named Operation Aurora perpetrated against Google, described in IT at Work 5.1.

Identity Theft

One of the worst and most prevalent cyberthreats is identity theft. Thefts where individuals’ Social Security and credit card numbers are stolen and used by thieves are not new. Criminals have always obtained information about other people—by stealing wallets or dumpster diving. But widespread electronic sharing and databases have made the crime worse. Because financial institutions, data-processing firms, and retail businesses are reluctant to reveal incidents in which their customers’ personal financial information may have been stolen, lost, or compromised, laws continue to be passed that force those notifications.

Bring Your Own Device

Another, more recent, vulnerability is bring your own device (BYOD). Roughly 74% of U.S. organizations are either already using or planning to use BYOD. It’s an appealing concept because BYOD enables companies to cut costs by not having to purchase and maintain employees’ mobile devices. Unfortunately, many companies have rushed into it without considering issues relating to security. Mobile devices rarely have strong authentication, access controls, and encryption even though they connect to mission-critical data and cloud services. For example, only 20% of Android devices have a security app installed.

The BYOD trend is driven by employees using their own devices for business purposes because they are more powerful than those the company has provided. Another factor is mobility. In the past, before the BYOD push, employees worked at their desks on a landline and on a computer plugged into the wall with a network cable. As more and more people work from home and on the go, the office-bound traditional 9-to-5 workday has become a thing of the past. This change in exposure requires greater investment to defend against BYOD risks.

Users bringing their personal mobile devices and their own mobile applications to work and connecting them to the corporate network is part of the larger consumerization of information technology (COIT) trend. Bring your own device (BYOD) and bring your own apps (BYOA) are practices that move enterprise data and IT assets to employees’ mobile devices and the cloud, creating a new set of tough IT security challenges. Figure 5.5 summarizes how apps, mobile devices, and cloud services put organizations at a greater risk of cyberattack. Widely used applications that are outside of the organization’s firewall are Twitter, Google Analytics, Dropbox, WebEx, and Salesforce.com.


FIGURE 5.5 Factors that expose companies and users to attack.

Enterprises take risks with BYOD practices that they never would consider taking with conventional computing devices. One possible reason is that new devices, apps, and systems have been rolled out so quickly. As a result, smartphones are not being managed as secure devices, with fewer than 20% of users installing antimalware and 50% using some type of data encryption. In fact, employees expected instant approval of (or at least no disapproval of) and support for their new tablet computers within hours of the product’s release.

BYOD Raises Serious and Legitimate Areas of Concern

Hackers break into employees’ mobile devices and leapfrog into employers’ networks—stealing secrets without a trace. New vulnerabilities are created when personal and business data and communications are mixed together. All cybersecurity controls—authentication, access control, data confidentiality, and intrusion detection—implemented on corporate-owned resources can be rendered useless by an employee-owned device. The corporation’s mobile infrastructure may not be able to support the increase in mobile network traffic and data processing, causing unacceptable delays or requiring additional investments.

Another serious problem arises when an employee’s mobile device is lost or stolen. The company can suffer a data breach if the device is not adequately secured by a strong password and the data on the BYOD is not encrypted.

Tech Note 5.1 demonstrates why users should only download applications from trusted sources and check reviews to verify the legitimacy of the application being downloaded.

Social Media Attacks

Companies’ poor social media security practices put their brands, customers, executives, and entire organizations at serious risk. According to Cisco, Facebook scams were the most common form of malware distributed in 2015. The FBI reported that social media-related events had quadrupled over the past five years, and PricewaterhouseCoopers (2015) found that more than one in eight enterprises has suffered at least one security breach due to a social media-related cyberattack.

Social networks and cloud computing increase vulnerabilities by providing a single point of failure and attack for organized criminal networks. Critical, sensitive, and private information is at risk, and, as with previous IT trends such as wireless networks, the goal is connectivity, often with little concern for security. As social networks increase their offerings, the gap between services and information security also increases. For example, virus and malware attacks on a well-established service such as e-mail have decreased as e-mail security has improved over the years. Unfortunately, malware is still finding ways to successfully disrupt new services and devices, such as e-readers, netbooks, Google’s Chrome OS, Facebook, YouTube, Twitter, LinkedIn, and other cloud-based social media networks.

For example, on Twitter and Facebook, where users build relationships with other users, cybercriminals are hacking in using stolen logins. These types of attacks, which take advantage of user trust, are very difficult to detect. Facebook recently reported that up to 2% of its 31 million accounts are false, Twitter estimates 5%, and LinkedIn openly admitted that it does not have a reliable system for identifying and counting duplicate or fraudulent accounts.

To combat these cyberthreats, Web filtering, user education, and strict policies are key to preventing widespread outbreaks.

Networks and Services Increase Exposure to Risk

An overriding reason why these networks and services increase exposure to risk is the time-to-exploitation of today’s sophisticated spyware and mobile viruses. Time-to-exploitation is the elapsed time between when a vulnerability is discovered and when it is exploited. That time has shrunk from months to minutes, so IT staff have ever-shorter timeframes to find and fix flaws before they are compromised by an attack. Some attacks exist for as little as two hours, which means that enterprise IT security systems must have real-time protection.

When new vulnerabilities are found in operating systems, applications, or wired and wireless networks, patches are released by the vendor or security organization. Patches are software programs that users download and install to fix a vulnerability. Microsoft, for example, releases patches that it calls service packs to update and fix vulnerabilities in its operating systems, including Vista, and applications, including Office 2010. Service packs can be downloaded from Microsoft’s website.

Left undetected or unprotected, vulnerabilities provide an open door for IT attacks and business disruptions and their financial damages. Despite the best technology defenses, information security incidents will occur mostly because of the users who do not follow secure computing practices and procedures. IT at Work 5.2 illustrates how Google’s new automated cybersecurity initiative is poised to reduce Google’s losses suffered due to cyberattacks in the cloud.

Concept Check 5.2

  1. Advanced persistent threats are carried out as:
a. High-profile attacks
b. Under-the-radar attacks
c. Back door attacks
d. Snare attacks

  2. The first cyberattack against a nation’s power grid occurred in:
a. Russia
b. Germany
c. Western Ukraine
d. West Africa

  3. The U.S. has _____ critical infrastructure sectors:
a. 12
b. 15
c. 19
d. 17

  4. Critical infrastructure, intellectual property theft, identity theft, BYOD, and social networks are all examples of:
a. Cyberthreats
b. Cyberattack targets
c. Vulnerabilities
d. Data breaches

  5. As social media networks increase their offerings, the gap between ____________ and ____________ also increases.
a. Services and information security
b. Technology and information security
c. Technology and services
d. Services and email


5.3 Cyber Risk Management

Top management needs to sponsor and promote security initiatives and fund them as a top priority. As you will read in this section, robust data security is not just the responsibility of IT and top management, but the ongoing duty of everyone in an organization.

It is becoming more important than ever that security is viewed as a high priority as the growth of mobile technologies and the IoT threaten to provide attackers with new opportunities. The five key factors contributing to the rising number of data breaches that must be addressed in a cyber risk management program are listed in Table 5.5.

TABLE 5.5 Five Key Factors Leading to an Increase in Cyberattacks

1. Interconnected, interdependent, wirelessly networked business environment
2. Smaller, faster, cheaper computers and storage devices
3. Decreasing skills necessary to be a computer hacker
4. International organized crime taking over cybercrime
5. Lack of management support

Keep in mind that security is an ongoing, unending process—something akin to painting the Golden Gate Bridge in San Francisco—and not a problem that can be solved with just hardware or software. Hardware and software security defenses cannot protect against irresponsible business practices. These are organizational and people issues.

IT Defenses

Since malware and botnets use many attack methods and strategies, multiple tools are needed to detect them and/or neutralize their effects. Three essential defenses are the following:

  1. Antivirus Software: Antimalware tools are designed to detect malicious codes and prevent users from downloading them. They can also scan systems for the presence of worms, trojans, and other types of threats. This technology does not provide complete protection because it cannot defend against zero-day exploits. Antimalware may not be able to detect a previously unknown exploit.
  2. Intrusion Detection Systems (IDSs): As the name implies, an IDS scans for unusual or suspicious traffic. An IDS can identify the start of a DoS attack by the traffic pattern, alerting the network administrator to take defensive action, such as switching to another IP address and diverting critical servers from the path of the attack.
  3. Intrusion Prevention Systems (IPSs): An IPS is designed to take immediate action—such as blocking specific IP addresses—whenever a traffic-flow anomaly is detected. An application-specific integrated circuit (ASIC)-based IPS has the power and analysis capabilities to detect and block DDoS attacks, functioning somewhat like an automated circuit breaker.
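As an added example (not from the textbook) of the IDS and IPS behaviour described in items 2 and 3, the following Python sketch counts connection attempts per source address within a sliding time window over constructed connection log lines, raises an alert when a source exceeds a threshold (the IDS role), and adds that source to a block list so its later traffic is dropped (the IPS role). The log format, window length, and threshold are assumptions.

```python
"""Rate-based anomaly detection with an automatic block list.

Added example, not from the textbook. Per-source connection attempts
are counted inside a sliding window; a source that exceeds THRESHOLD
attempts within WINDOW_SECONDS raises an alert (IDS) and is added to
a block list whose traffic is then dropped (IPS). Log lines, window
and threshold are constructed assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime

WINDOW_SECONDS = 10   # length of the sliding window
THRESHOLD = 5         # attempts per window above which a source is flagged

# Constructed connection log: "<ISO timestamp> <src_ip> -> <dst_ip>:<port>".
# 203.0.113.7 hammers the server six times in five seconds; 198.51.100.2
# is a normal client making occasional connections.
SAMPLE_LOG = """\
2024-01-15T09:00:00 203.0.113.7 -> 10.0.0.5:443
2024-01-15T09:00:01 198.51.100.2 -> 10.0.0.5:443
2024-01-15T09:00:01 203.0.113.7 -> 10.0.0.5:443
2024-01-15T09:00:02 203.0.113.7 -> 10.0.0.5:443
2024-01-15T09:00:03 203.0.113.7 -> 10.0.0.5:443
2024-01-15T09:00:04 203.0.113.7 -> 10.0.0.5:443
2024-01-15T09:00:05 203.0.113.7 -> 10.0.0.5:443
2024-01-15T09:00:30 198.51.100.2 -> 10.0.0.5:443
2024-01-15T09:00:40 198.51.100.2 -> 10.0.0.5:443
"""


def parse_log(text):
    """Yield (timestamp, source_ip) pairs from the constructed log format."""
    for line in text.strip().splitlines():
        ts, src, _arrow, _dst = line.split()
        yield datetime.fromisoformat(ts), src


def detect(text=SAMPLE_LOG, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return (alerts, blocked).

    alerts: list of (timestamp, source, attempts_in_window) tuples, one per
            source at the moment it first crosses the threshold (IDS).
    blocked: set of sources whose later traffic was dropped (IPS).
    """
    recent = defaultdict(deque)   # source -> timestamps inside the window
    alerts, blocked = [], set()
    for ts, src in parse_log(text):
        if src in blocked:
            continue              # IPS action: drop traffic from a blocked source
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()           # expire attempts older than the window
        if len(q) > threshold:
            alerts.append((ts, src, len(q)))
            blocked.add(src)
    return alerts, blocked


if __name__ == "__main__":
    found, blocklist = detect()
    for ts, src, n in found:
        print(f"ALERT {ts.isoformat()} {src}: {n} attempts in {WINDOW_SECONDS}s")
    print("blocked:", sorted(blocklist))   # ['203.0.113.7']
```

A per-source threshold catches a single noisy host but not a distributed attack whose sources each stay under the limit; production IPS products also look at aggregate rates, protocol anomalies, and signatures. A real block list also needs an expiry so that a spoofed or shared address is not blocked indefinitely.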

Business policies, procedures, training, and disaster recovery plans as well as hardware and software are critical to cybersecurity. Table 5.6 lists the characteristics of an effective cybersecurity program.

TABLE 5.6 Characteristics of an Effective Cybersecurity Program

Make data and documents available and accessible 24/7 while simultaneously restricting access.
Implement and enforce procedures and AUPs for data, networks, hardware, and software that are company or employee owned, as discussed in the opening case.
Promote secure and legal sharing of information among authorized persons and partners.
Ensure compliance with government regulations and laws.
Prevent attacks by having network intrusion defenses in place.
Detect, diagnose, and respond to incidents and attacks in real time.
Maintain internal controls to prevent unauthorized alteration of data/records.
Recover from business disasters and disruptions quickly.

To help keep managers updated on the latest cyberthreats and prioritize defenses, KPMG publishes its Data Loss Barometer. The annual report describes the latest trends and statistics for data losses worldwide. Key findings and predictions are listed in Table 5.7.

TABLE 5.7 Worldwide Data Loss Key Findings and Predictions

Source: KPMG (2016).

Key findings from KPMG Data Loss Barometer Report and its predictions for the next few years:
  • Hacking is the number one cause of data loss.
  • Internal threats have reduced significantly, while external threats are increasing significantly.
  • The most hacked sectors are technology, financial services, retail, and automotive.
  • Expect increased loss of data from mobile devices.
  • Expect a steep rise in automated hacking and botnets.
  • Expect less tolerant regulators and greater fines and negative consequences.
  • Expect greater visibility and reporting of data loss as a result of less tolerant regulators.

The higher the value of the asset to the company and to cybercriminals, the greater the risk is to the company and the higher the level of security needs to be. The smart strategy is to invest more to protect the company’s most valuable assets rather than trying to protect all assets equally, as discussed in IT at Work 5.2. The IT security field—like sports and law—has its own terminology, which is summarized for quick reference in Figure 5.7 and Table 5.8.


FIGURE 5.7 Basic IT security concepts.

TABLE 5.8 IT Security Terminology

Term: Definition
Exposure: Estimated cost, loss, or damage that can result if a threat exploits a vulnerability
Access control: Security feature designed to restrict who has access to a network, IS, or data
Audit: Procedure of generating, recording, and reviewing a chronological record of system events to determine their accuracy
Encryption: Transforming data into scrambled code to protect them from being understood by unauthorized users
Plaintext or clear text: Readable text
Ciphertext: Encrypted text
Authentication: Method (usually based on username and password) by which an IS validates or verifies that a user is really who he or she claims to be
Biometrics: Methods to identify a person based on a biological feature, such as a fingerprint or retina
Firewall: Software or hardware device that controls access to a private network from a public network (Internet) by analyzing data packets entering or exiting it
Intrusion detection system (IDS): A defense tool used to monitor network traffic (packets) and provide alerts when there is suspicious traffic, or to quarantine suspicious traffic
Fault tolerance: The ability of an IS to continue to operate when a failure occurs, but usually for a limited time or at a reduced level

Minimum Security Defenses for Mobiles

Minimum security defenses for mobile devices are mobile biometrics, rogue app monitoring, remote wipe capability, and encryption. For travelers, do-not-carry rules may be a necessary defense.

A biometric control is an automated method of verifying the identity of a person, based on physical or behavioral characteristics. The most common biometrics are a thumbprint or fingerprint, voice print, retinal scan, and signature.

Mobile biometrics, such as voice and fingerprint biometrics, can significantly improve the security of physical devices and provide stronger authentication for remote access or cloud services. Biometric controls have been integrated into e-business hardware and software products. Biometric controls do have some limitations: They are not accurate in certain cases, and some people see them as an invasion of privacy. Most biometric systems match some personal characteristic against a stored profile.

When Apple acquired Siri, Inc., the voice-based personal assistant Siri was integrated into Apple’s operating system, giving Apple the potential to move into voice biometrics.

Voice biometrics is an effective authentication solution across a wide range of consumer devices including smartphones, tablets, and TVs. Future mobile devices are expected to have fingerprint sensors to add another authentication factor.

Another type of defense is rogue app monitoring to detect and destroy malicious applications in the wild. Several vendors offer 24/7 monitoring and detection services to monitor major app stores and shut down rogue applications to minimize exposure and damage.

In the event of loss or theft of a device, a mobile kill switch or remote wipe capability as well as encryption are needed. All major smartphone platforms have some kind of remote-erase capability and encryption option.

In response to mobile security threats, many U.S. companies and government agencies are imposing do-not-carry rules on mobiles to prevent compromise. Travelers can bring only “clean” devices and are forbidden from connecting to the government’s network while abroad.

Do-Not-Carry Rules

The U.S. Chamber of Commerce did not learn that it and its member organizations were the victims of a cybertheft for months until the FBI informed the Chamber that servers in China were stealing data from four of its Asia policy experts, individuals who frequently travel to Asia. Most likely, the experts’ mobile devices had been infected with malware that was transmitting information and files back to the hackers. By the time the Chamber hardened (secured) its network, hackers had stolen at least six weeks of e-mails, most of which were communications with the largest U.S. corporations. Even later, the Chamber learned that its office printer and a thermostat in one of its corporate apartments were communicating with an Internet address in China. The Chamber did not disclose how hackers had infiltrated its systems, but its first step was to implement do-not-carry rules.

U.S. companies, government agencies, and organizations are now imposing do-not-carry rules, which are based on the assumption that devices will inevitably be compromised according to Mike Rogers, current chairman of the House Intelligence Committee. For example, House members can bring only “clean” devices and are forbidden from connecting to the government’s network while abroad. Rogers said he travels “electronically naked” to ensure cybersecurity during and after a trip. IT at Work 5.3 explains how one cybersecurity expert complies with do-not-carry rules while traveling.

Business Continuity Planning

Risk management is not complete without a business continuity plan that has been tested to verify that it works. Business continuity refers to maintaining business functions or restoring them quickly when there is a major disruption. The plan covers business processes, assets, human resources, business partners, and more. Fires, earthquakes, floods, power outages, malicious attacks, and other types of disasters hit data centers. Yet, business continuity planning capabilities can be a tough sell because they do not contribute to the bottom line—that is, until it is too late. Compare them to an insurance policy: If and only if a disaster occurs, the money has been well spent. And spending on business continuity preparedness is an ongoing process because there is always more that could be done to prepare better.

The purpose of a business continuity plan is to keep the business running after a disaster occurs. Each function in the business should have a feasible backup plan. For example, if the customer service center or call center was destroyed by a storm or lost all power, would anyone know how the reps would continue to answer customer calls? The backup plan could define how to provide necessary network access to enable business to continue.

Government Regulations

Cyberattacks are now the number one type of danger facing many countries around the globe. As a result, international, federal, and state laws and industry regulations mandate that enterprises invest in cybersecurity defenses, audits, and internal controls to help secure confidential data, prevent attacks, and defend against fraud and unauthorized transactions such as money laundering (Morris 2016).

IT defenses must satisfy ever-stricter government and international regulations. All mandate the protection of PII. To protect consumers, some countries require strict compliance with these regulations. For example, in the United States the director of the Bureau of Consumer Protection at the Federal Trade Commission (FTC) warned that the agency would bring enforcement action against small businesses lacking adequate policies and procedures to protect consumer data. Some examples of major national security regulations are listed in Figure 5.8. Some of these regulations also apply to occupational fraud, which is described in the next section.

FIGURE 5.8 Global government regulations of PII.

To ensure compliance with these regulations in the United States, the SEC and FTC impose huge fines for data breaches to deter companies from underinvesting in data protection.

Concept Check 5.3

  1. The ___________ the value of the assets to the company and to cybercriminals, the ________ the risk is to the company and the ________ the level of security needs to be.
     a. Higher, lower, higher
     b. Higher, greater, higher
     c. Lower, higher, greater
     d. Lower, lower, higher

  2. A ______________ is an automated method of verifying the identity of a person based on physical or behavioral characteristics.
     a. Rogue app monitor
     b. Administrative control
     c. Biology control
     d. Biometric control

  3. The Sarbanes–Oxley Act, Gramm-Leach-Bliley Act, Federal Information Security Management Act, and the USA PATRIOT Act are all examples of:
     a. Rogue app monitor
     b. Government audits
     c. Government regulations
     d. Do-not-carry rules

  4. When a cyberattack is conducted by employees within the organization, it is referred to as:
     a. High profile attack
     b. Under the radar attack
     c. Fraud
     d. Theft

  5. An organization can demonstrate that it has implemented effective corporate governance and risk management measures by using:
     a. IT development
     b. Intelligent analysis engines
     c. Fraud detection
     d. IT monitoring and control

5.4 Defending Against Fraud

Not all cybercrimes are “attacks” conducted from outside the organization. Some are conducted by employees within the organization. This is called fraud. Fraudsters carry out their crime by abusing the power of their position or by taking advantage of the trust, ignorance, or laziness of others. According to the latest Annual Global Fraud Survey, 81% of organizations have been victims of frauds perpetrated by insiders. Of these, 36% were carried out by senior or middle managers and 45% were attributed to junior employees. Only 23% of the reported frauds resulted from actions of an agent or nonemployee with access.

Occupational Fraud Prevention and Detection

High-profile cases of occupational fraud committed by senior executives have led to an increase in government regulations. Unfortunately, this increased legislation has not put an end to fraud.

The single most effective fraud prevention tactic is making employees aware that fraud will be detected by IT-monitoring systems and punished, with the fraudster possibly turned over to the police or FBI. The fear of being caught and prosecuted is a strong deterrent. IT must play a visible and major role in detecting fraud. A strong corporate governance program and internal audits and controls are essential to the prevention and detection of occupational fraud.

Several examples of occupational fraud, their characteristics, and the extent to which they impact corporate financial statements are illustrated in Figure 5.9.

Type of fraud | Impacts financial statements? | Typical characteristics
Operating management corruption | No | Occurs off the books. Median loss due to corruption is 6X median loss due to misappropriation.
Conflict of interest | No | Breach of confidentiality, such as revealing competitor bids. Often occurs coincident with bribery.
Bribery | No | Uses positional power or money to influence others.
Embezzlement or “misappropriation” | Yes | Employee theft. Employee access to company property creates the opportunity for embezzlement.
Senior management financial reporting fraud | Yes | Involves massive breach of trust and leveraging of positional power.
Accounting cycle fraud | Yes | Also called “earnings management” or “earnings engineering.” Violates generally accepted accounting principles (GAAP) and all other accounting principles. See aicpa.org.

FIGURE 5.9 Types, impact, and characteristics of occupational fraud.


Corporate Governance

An enterprise-wide approach that combines risk, security, compliance, and IT specialists greatly increases the prevention and detection of fraud. Prevention is the most cost-effective approach, since detection and prosecution costs are enormous in addition to the direct cost of the loss. It starts with corporate governance culture and ethics at the top levels of the organization.

IT monitoring and control also demonstrate that the company has implemented effective corporate governance and fraud prevention measures. Regulators look favorably on companies that can demonstrate best practices in corporate governance and operational risk management. Management and staff would then spend less time worrying about regulations and more time adding value to their brands and business.

Internal fraud prevention measures are based on the same controls that are used to prevent external intrusions—perimeter defense technologies, such as firewalls, e-mail scanners, and biometric access. They are also based on human resource (HR) procedures, such as recruitment screening and training.

Intelligent Analysis and Anomaly Detection

Most detection activity can be handled by intelligent analysis engines using advanced data warehousing and analytics techniques. These systems take in audit trails from key systems and personnel records from the HR and finance departments. The data are stored in a data warehouse where they are analyzed to detect anomalous patterns, such as excessive hours worked, deviations in patterns of behavior, copying huge amounts of data, attempts to override controls, unusual transactions, and inadequate documentation about a transaction. Information from investigations is fed back into the detection system so it learns of any anomalous patterns. Since insiders might work in collusion with organized criminals, insider profiling is important to find wider patterns of criminal networks.
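The kind of detection logic described above, as an added example that is not the textbook’s own code: each user is compared against their own history (a baseline), a few absolute rules fire regardless of baseline, the HR feed is joined in so that activity by a terminated employee is flagged, and a watchlist fed back from investigations tightens the threshold for named users. The audit rows, the terminated list, and the thresholds are constructed sample values.

```python
"""Anomaly detection over constructed audit-trail summaries.

Added example (not from the textbook): a rule-plus-baseline detector of
the kind an "intelligent analysis engine" runs over audit trails joined
with HR records. Every row and threshold below is constructed sample data.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed daily audit summaries, one row per user per day:
# (user, day, hours_worked, megabytes_copied, control_override_attempts)
AUDIT_ROWS = [
    ("alice", 1, 8.0, 20, 0), ("alice", 2, 8.5, 25, 0), ("alice", 3, 7.5, 18, 0),
    ("alice", 4, 8.0, 22, 0), ("alice", 5, 8.8, 900, 0),   # day 5: bulk copy
    ("bob", 1, 9.0, 40, 0), ("bob", 2, 9.5, 44, 0), ("bob", 3, 9.0, 42, 0),
    ("bob", 4, 8.5, 38, 0), ("bob", 5, 15.0, 42, 2),       # day 5: long day, overrides
    ("carol", 1, 8.0, 10, 0), ("carol", 2, 8.0, 12, 0), ("carol", 3, 8.0, 11, 0),
    ("carol", 4, 8.0, 9, 0), ("carol", 5, 8.0, 10, 0),     # steady, nothing to flag
    ("dave", 5, 2.0, 5, 0),                                # constructed: left the firm
]

# Constructed HR feed: accounts that should already have been revoked.
TERMINATED = {"dave"}

Z_THRESHOLD = 3.0      # standard deviations from the user's own baseline
BULK_COPY_MB = 500     # absolute rule, independent of any baseline


def zscore(value, history):
    """How many standard deviations `value` lies from the user's history."""
    if len(history) < 2:
        return 0.0                      # no baseline yet
    sd = pstdev(history)
    if sd == 0:
        return 0.0 if value == mean(history) else float("inf")
    return (value - mean(history)) / sd


def detect(rows, watchlist=frozenset()):
    """Return (user, day, reason) findings in (user, day) order.

    Baseline checks compare a day against that user's earlier days only;
    rule checks fire on absolute conditions. Users on `watchlist` (fed back
    from completed investigations) are held to half the normal threshold.
    """
    findings = []
    hours_hist = defaultdict(list)
    copy_hist = defaultdict(list)
    for user, day, hours, mb, overrides in sorted(rows, key=lambda r: (r[0], r[1])):
        threshold = Z_THRESHOLD / 2 if user in watchlist else Z_THRESHOLD
        if user in TERMINATED:
            findings.append((user, day, "activity by terminated employee"))
        if overrides > 0:
            findings.append((user, day, f"{overrides} control override attempt(s)"))
        if mb >= BULK_COPY_MB:
            findings.append((user, day, f"bulk copy of {mb} MB"))
        if zscore(hours, hours_hist[user]) > threshold:
            findings.append((user, day, f"hours {hours} far above baseline"))
        if zscore(mb, copy_hist[user]) > threshold:
            findings.append((user, day, f"data copied {mb} MB far above baseline"))
        hours_hist[user].append(hours)    # today becomes part of tomorrow's baseline
        copy_hist[user].append(mb)
    return findings


if __name__ == "__main__":
    for finding in detect(AUDIT_ROWS, watchlist={"alice"}):
        print(*finding)
```

Alice’s 900 MB copy trips both the absolute rule and her own baseline, while Bob’s 15-hour day is only anomalous relative to his history; putting Alice on the watchlist is enough to surface her 8.8-hour day, which would otherwise pass. Production engines use the same shape with richer features and a real HR join, but the feedback loop from investigations back into thresholds is the part the paragraph stresses.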

General Controls

It is also important to have a set of general controls in place. The major categories of general controls are physical controls, access controls, data security controls, communication network controls, and administrative controls.

Physical Controls

Physical security refers to the protection of computer facilities and resources. This includes protecting physical property such as computers, data centers, software, manuals, and networks. It provides protection against most natural hazards as well as against some human hazards. Appropriate physical security may include several physical controls such as the following:

  • Appropriate design of the data center. For example, the data center should be noncombustible and waterproof.
  • Shielding against electromagnetic fields.
  • Good fire prevention, detection, and extinguishing systems, including a sprinkler system, water pumps, and adequate drainage facilities.
  • Emergency power shutoff and backup batteries, which must be maintained in operational condition.
  • Properly designed and maintained air-conditioning systems.
  • Motion detector alarms that detect physical intrusion.

Access Controls

Access control is the management of who is and who is not authorized to use a company’s hardware and software. Access control methods, such as firewalls and access control lists, restrict access to a network, database, file, or data. It is the major line of defense against unauthorized insiders as well as outsiders. Access control involves authorization (having the right to access) and authentication, which is also called user identification (proving that the user is who he or she claims to be).

Authentication methods include:

  • Something only the user knows, such as a password
  • Something only the user has, for example, a smart card or a token
  • Something only the user is, such as a signature, voice, fingerprint, or retinal (eye) scan; implemented via biometric controls, which can be physical or behavioral
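The authorization/authentication split above, as an added example that is not the textbook’s own code. It checks two of the three factors, something the user knows (a salted, iterated password hash) and something the user has (an RFC 6238 time-based one-time code from a token seed), and only then consults an access control list for the authorization decision. The accounts, passwords, token seeds, resources and ACL entries are constructed sample data; the standard-library calls (hashlib.pbkdf2_hmac, hmac, struct) are real.

```python
"""Two-factor authentication followed by ACL authorization.

Added example, not from the textbook. Standard library only: PBKDF2 for
the password (something the user knows), an RFC 6238 TOTP for a token
(something the user has), then a small ACL for authorization. All user
accounts, secrets and ACL entries are constructed sample data.
"""
import hashlib
import hmac
import os
import struct

PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=b""):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def check_password(password, salt, digest):
    return hmac.compare_digest(hash_password(password, salt)[1], digest)  # constant time


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 time-based one-time password (HMAC-SHA1, dynamic truncation)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def check_totp(secret, code, unix_time, window=1, step=30):
    """Accept the current step and `window` neighbours to absorb clock skew."""
    return any(hmac.compare_digest(totp(secret, unix_time + k * step, step), code)
               for k in range(-window, window + 1))


# Constructed enrolment data (in a real system these live in a directory/HSM).
SAMPLE_SECRETS = {"alice": b"alice-token-seed-0001", "bob": b"bob-token-seed-0002"}
_SAMPLE_PASSWORDS = {"alice": "correct horse battery", "bob": "bob-password-2024"}


def enroll(user, password, secret):
    salt, digest = hash_password(password)
    return {"salt": salt, "digest": digest, "secret": secret}


USERS = {u: enroll(u, _SAMPLE_PASSWORDS[u], SAMPLE_SECRETS[u]) for u in SAMPLE_SECRETS}

# Constructed access control list: resource -> user -> permitted actions.
ACL = {
    "payroll-db": {"alice": {"read", "write"}, "bob": {"read"}},
    "hr-records": {"alice": {"read"}},
}


def authenticate(user, password, code, unix_time):
    """Prove the user is who they claim to be: both factors must pass."""
    rec = USERS.get(user)
    if rec is None:
        hash_password(password, b"dummy-salt-for-timing")  # same cost for unknown users
        return False
    return (check_password(password, rec["salt"], rec["digest"])
            and check_totp(rec["secret"], code, unix_time))


def authorize(user, resource, action):
    """Decide whether an already-authenticated user may perform the action."""
    return action in ACL.get(resource, {}).get(user, set())


def access(user, password, code, resource, action, unix_time):
    """Full flow: authentication first, then authorization; deny by default."""
    if not authenticate(user, password, code, unix_time):
        return "denied: authentication failed"
    if not authorize(user, resource, action):
        return "denied: not authorized"
    return "granted"


if __name__ == "__main__":
    now = 1_700_000_000
    print(access("alice", "correct horse battery", totp(SAMPLE_SECRETS["alice"], now),
                 "payroll-db", "write", now))
```

The two decisions are deliberately separate functions: a user who passes both factors is still refused when the ACL grants no right (Bob can read but not write the payroll database), and an unknown user is refused without revealing, by timing, that the account does not exist. A third factor (biometrics) would slot in as one more check inside authenticate.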

Administrative Controls

While the previously discussed general controls are technical in nature, administrative controls deal with issuing guidelines and monitoring compliance with the guidelines. Examples of controls are shown in Table 5.9.

TABLE 5.9 Representative Administrative Controls

  • Appropriately selecting, training, and supervising employees, especially in accounting and information systems
  • Fostering company loyalty
  • Immediately revoking access privileges of dismissed, resigned, or transferred employees
  • Requiring periodic modification of access controls, such as passwords
  • Developing programming and documentation standards (to make auditing easier and to use the standards as guides for employees)
  • Insisting on security bonds or malfeasance insurance for key employees
  • Instituting separation of duties, namely, dividing sensitive computer duties among as many employees as economically feasible in order to decrease the chance of intentional or unintentional damage
  • Holding periodic random audits of the system
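Two of the administrative controls in Table 5.9, separation of duties and immediate revocation of access for departed employees, as an added example that is not the textbook’s own code. A payment request must be initiated by one account and approved by a different one holding the approver role, and any account on the HR revocation list is refused at every step. The roles, accounts and revocation list are constructed sample data.

```python
"""Separation of duties and immediate revocation in a two-step approval flow.

Added example (not the textbook's): initiating and approving a payment are
split between two different people, and revoked accounts are refused at
every step. Roles, accounts and the revocation list are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed role assignments.
ROLES = {
    "alice": {"initiator"},
    "bob": {"approver"},
    "carol": {"initiator", "approver"},   # both roles, yet cannot approve her own request
    "dave": {"approver"},
}

# Constructed HR feed: dismissed, resigned or transferred staff, revoked at once.
REVOKED = {"dave"}


class ControlViolation(Exception):
    """Raised when a step would break a control; the request is not processed."""


@dataclass
class PaymentRequest:
    amount: int
    initiated_by: str
    approved_by: Optional[str] = None


def _require(user, role):
    """Common gate for every step: active account and the right role."""
    if user in REVOKED:
        raise ControlViolation(f"{user}: access revoked")
    if role not in ROLES.get(user, set()):
        raise ControlViolation(f"{user}: lacks role {role}")


def initiate(user, amount):
    _require(user, "initiator")
    return PaymentRequest(amount, user)


def approve(user, req):
    _require(user, "approver")
    if user == req.initiated_by:
        raise ControlViolation(f"{user}: cannot approve own request (separation of duties)")
    req.approved_by = user
    return req


def try_flow(initiator, approver, amount):
    """Run both steps; return 'approved' or the text of the violated control."""
    try:
        approve(approver, initiate(initiator, amount))
        return "approved"
    except ControlViolation as exc:
        return str(exc)


if __name__ == "__main__":
    for pair in [("alice", "bob"), ("carol", "carol"), ("alice", "dave"), ("bob", "alice")]:
        print(pair, "->", try_flow(*pair, 1_000))
```

The point of the carol/carol case is that separation of duties is a check on the individual transaction, not only on role assignment: someone legitimately holding both roles still cannot close the loop alone. Revocation is tested before the role, so a dismissed approver is refused even if the role assignment has not yet been cleaned up.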

To guard against fraud and protect clients, customers, and constituents, all public and private enterprises are subject to federal and state laws and regulations, some of which are shown in Figure 5.8. In the United States, the Sarbanes–Oxley Act requires that companies prove that their financial applications and systems are controlled (secured) to verify that financial reports can be trusted. It is intended to discourage fraud at the corporate and executive levels.

Sarbanes–Oxley Act Mandates More Accurate Business Reporting and Disclosure of Violations

The Sarbanes–Oxley Act (SOX) mandates more accurate business reporting and disclosure of generally accepted accounting principles (GAAP) violations. Section 302 deters corporate and executive fraud by requiring that the CEO and CFO verify that they have reviewed the financial report, and, to the best of their knowledge, the report does not contain an untrue statement or omit any material fact. To motivate honesty, executive management faces criminal penalties including long jail terms for false reports. Section 805 mandates a review of the Sentencing Guidelines to ensure that “the guidelines that apply to organizations . . . are sufficient to deter and punish organizational criminal conduct.” The Guidelines also focus on the establishment of “effective compliance and ethics” programs. As indicated in the Guidelines, a precondition to an effective compliance and ethics program is “an organizational culture that encourages ethical conduct and a commitment to compliance with the law.”

Among other measures, SOX requires companies to set up comprehensive internal controls. There is no question that SOX, and the complex and costly provisions it requires public companies to follow, have had a major impact on corporate financial accounting. For starters, companies have had to set up comprehensive internal controls over financial reporting to prevent fraud, or to catch it when it occurs. Since the collapse of Arthur Andersen, following the accounting firm’s conviction on criminal charges related to the Enron case, outside accounting firms have gotten tougher with clients they are auditing, particularly with regard to their internal controls.

SOX and the SEC are making it clear that if controls can be ignored, there is no control. Therefore, fraud prevention and detection require an effective monitoring system. If a company shows its employees that it can find out everything that every employee does and use that evidence to prosecute a wrongdoer to the fullest extent possible under the law, then the likelihood of any employee adopting an “I can get away with it” attitude drops drastically.

Approximately 85% of occupational fraud could have been prevented if proper IT-based internal controls had been designed, implemented, and followed.

Internal Controls

The internal control environment is the work atmosphere that a company sets for its employees. Internal control (IC) is a process designed to achieve:

  • Reliability of financial reporting, to protect investors
  • Operational efficiency
  • Compliance with laws, regulations, and policies
  • Safeguarding of assets

Cyber Defense Strategies

The objective of IT security management practices is to defend all of the components of an information system, specifically data, software applications, hardware, and networks, so they remain in compliance. Before they make any decisions concerning defenses, the people responsible for security must understand the requirements and operations of the business, which form the basis for a customized defense strategy.

The defense strategy and controls that should be used depend on what needs to be protected and a cost–benefit analysis. That is, companies should neither underinvest nor overinvest. The major objectives of defense strategies are listed in Table 5.10.
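The cost–benefit reasoning above, as an added example that is not the textbook’s own code. It applies the annualized loss expectancy method, which the chapter does not name: a risk’s expected annual loss is its likelihood per year times its impact per occurrence, a control is worth buying when the expected loss it avoids exceeds its annual cost (otherwise it is overinvestment), and a material risk left without an adopted control marks underinvestment. Every risk, figure and control below is a constructed sample value.

```python
"""Cost-benefit screening of candidate controls over a constructed risk register.

Added example, not from the textbook. Uses the annualized loss expectancy
(ALE) method, which the chapter does not name: expected loss per year =
likelihood per year x impact per occurrence. All values are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    annual_likelihood: float   # expected occurrences per year
    impact: float              # loss per occurrence, in dollars


@dataclass(frozen=True)
class Control:
    name: str
    risk: str                  # name of the risk it mitigates
    annual_cost: float
    reduction: float           # fraction of that risk's expected loss it removes


# Constructed risk register.
RISKS = [
    Risk("phishing-led credential theft", 2.0, 50_000),
    Risk("data center flood", 0.02, 3_000_000),
    Risk("insider bulk data copy", 0.5, 200_000),
    Risk("laptop lost while travelling", 1.0, 20_000),
]

# Constructed candidate controls.
CONTROLS = [
    Control("multi-factor authentication", "phishing-led credential theft", 30_000, 0.8),
    Control("flood barrier and pumps", "data center flood", 100_000, 0.9),
    Control("insider activity monitoring", "insider bulk data copy", 40_000, 0.6),
]


def expected_loss(risk):
    """Annualized loss expectancy for one risk."""
    return risk.annual_likelihood * risk.impact


def evaluate(risks, controls):
    """Map control name -> (expected loss avoided, annual cost, decision)."""
    by_name = {r.name: r for r in risks}
    result = {}
    for c in controls:
        avoided = expected_loss(by_name[c.risk]) * c.reduction
        if avoided > c.annual_cost:
            decision = "adopt"
        else:
            decision = "reject: cost exceeds expected loss avoided (overinvestment)"
        result[c.name] = (round(avoided), c.annual_cost, decision)
    return result


def uncovered(risks, controls, materiality):
    """Material risks with no adopted control: the underinvestment side."""
    decisions = evaluate(risks, controls)
    covered = {c.risk for c in controls if decisions[c.name][2] == "adopt"}
    return [r.name for r in risks
            if expected_loss(r) >= materiality and r.name not in covered]


if __name__ == "__main__":
    for name, (avoided, cost, decision) in evaluate(RISKS, CONTROLS).items():
        print(f"{name}: avoids {avoided:,} vs cost {cost:,.0f} -> {decision}")
    print("uncovered:", uncovered(RISKS, CONTROLS, materiality=10_000))
```

The flood barrier is rejected not because floods do not matter but because this particular control costs more than the loss it avoids; the risk therefore stays on the uncovered list, which is the prompt to look for a cheaper treatment (or to accept the risk explicitly). The lost-laptop risk appears there for the opposite reason: nobody proposed a control at all.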

TABLE 5.10 Major Objectives of Defense Strategies

Action | Details
Prevention and deterrence | Properly designed controls may prevent errors from occurring, deter criminals from attacking the system, and, better yet, deny access to unauthorized people. These are the most desirable controls.
Detection | Like a fire, the earlier an attack is detected, the easier it is to combat, and the less damage is done. Detection can be performed in many cases by using special diagnostic software, at a minimal cost.
Contain the damage | This objective involves minimizing or limiting losses once a malfunction has occurred. It is also called damage control. This can be accomplished, for example, by including a fault-tolerant system that permits operation in a degraded mode until full recovery is made. If a fault-tolerant system does not exist, a quick and possibly expensive recovery must take place. Users want their systems back in operation as fast as possible.
Recovery | A recovery plan explains how to fix a damaged information system as quickly as possible. Replacing rather than repairing components is one route to fast recovery.
Correction | Correcting the causes of damaged systems can prevent a problem from occurring again.
Awareness and compliance | All organization members must be educated about the hazards and must comply with the security rules and regulations.

A defense strategy also requires several controls, as shown in Figure 5.10. General controls are established to protect the system regardless of the specific application. For example, protecting hardware and controlling access to the data center are independent of the specific application. Application controls are safeguards that are intended to protect specific applications. In the next two sections, we discuss the major types of these two groups of information system controls.


FIGURE 5.10 Major defense controls.

Auditing Information Systems

Some companies rely on surprise audits. But being proactive about searching for problems is more effective and can stop frauds early on, before the losses mount. An audit is an important part of any control system. Auditing can be viewed as an additional layer of controls or safeguards. It is considered as a deterrent to criminal actions, especially for insiders. Auditors attempt to answer questions such as these:

  • Are there sufficient controls in the system? Which areas are not covered by controls?
  • Which controls are not necessary?
  • Are the controls implemented properly?
  • Are the controls effective? That is, do they check the output of the system?
  • Is there a clear separation of duties of employees?
  • Are there procedures to ensure compliance with the controls?
  • Are there procedures to ensure reporting and corrective actions in case of violations of controls?

Auditing a website is a good preventive measure to manage the legal risk. Legal risk is important in any IT system, but in Web systems it is even more important due to the content of the site, which may offend people or be in violation of copyright laws or other regulations (e.g., privacy protection). Auditing e-commerce is also more complex since, in addition to the website, one needs to audit order taking, order fulfillment, and all support systems.

Concept Check 5.4

  1. __________________________ refers to the deliberate misuse of the assets of one’s employer for personal gain.
     a. Cyberthreat
     b. Data breach
     c. Occupational fraud
     d. Occupational therapy

  2. Embezzlement or “misappropriation” involves:
     a. A massive breach of trust and leveraging of positional power
     b. Breach of confidentiality such as revealing competitors’ bids
     c. Violating generally accepted accounting principles
     d. Employee theft

  3. __________________ is the most cost-effective approach to occupational fraud.
     a. Detection
     b. Prevention
     c. Prosecution
     d. Dismissal

  4. Categories of general controls include:
     a. Physical controls
     b. Data security controls
     c. Administrative controls
     d. All of the above

  5. In the U.S. the ___________________________ requires that companies prove that their financial applications and systems are secure to verify that financial reports can be trusted.
     a. Sarbanes–Oxley Act
     b. Risk Management Framework
     c. Enterprise Risk Management Framework
     d. COBIT framework

5.5 Frameworks, Standards, and Models

A number of frameworks, standards, and models have been developed to guide cyber defense strategies.

Risk Management and IT Governance Frameworks

Two widely accepted frameworks that guide risk management and IT governance are Enterprise Risk Management (ERM) and Control Objectives for Information and Related Technology (COBIT) 5.

Enterprise Risk Management Framework

ERM is a risk-based approach to managing an enterprise developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). ERM integrates internal control, the Sarbanes–Oxley Act mandates, and strategic planning.

ERM consists of eight components, listed in Table 5.11.

TABLE 5.11 Enterprise Risk Management Components

Component | Description
Internal environment | Assess risk management philosophy and culture
Objective setting | Determine relationship of risk to organizational goals
Event identification | Differentiate between risks and opportunities; negative/positive impact
Risk assessment | Assess risk probability and impact
Risk response | Identify and evaluate risk responses
Control activities | Develop policies and procedures to ensure implementation of risk responses
Information and communication | Identify, capture, and communicate information
Monitoring | Conduct ongoing and separate evaluations of risk-related activities

These eight components can be viewed from a strategic, operations, reporting, and compliance perspective at all levels of the organization. Taking a portfolio view of risk, management must consider how individual risks are interrelated and apply a strong system of internal controls to ensure effective enterprise risk management. Those involved in ERM include management, the board of directors, risk officers, and internal auditors. ERM is intended to be part of routine planning processes rather than a separate initiative. The ideal place to start is with buy-in and commitment from the board and senior leadership.

COBIT 5

COBIT 5 is the internationally accepted IT governance and control framework created by the International Systems Audit and Control Association (ISACA) to align IT with business objectives, deliver value, and manage associated risks. It provides a framework for management, users, and IS audit, control, and security practitioners that allows them to bridge the gap between control requirements, technical issues, and business risks.

COBIT 5 is the leading framework for the governance and security of IT. COBIT 5, the most current version of the COBIT framework, is based on five principles, shown in Figure 5.11. COBIT 5 contains highly relevant guidance for IT practitioners and business leaders regarding governing and protecting data and information. COBIT 5 encourages each organization to customize COBIT to fit its priorities and circumstances, and it can be downloaded from isaca.org.


FIGURE 5.11 COBIT 5 principles.

Three of the five COBIT 5 principles are most applicable to security:

  1. A system needs to be in place that considers and effectively addresses enterprise information security requirements. At a minimum, this would include metrics for the number of clearly defined key security roles and the number of security-related incidents reported.
  2. An established security plan has been accepted and communicated throughout the organization. This would include level of stakeholder satisfaction with the security plan, the number of security solutions that are different from those in the plan and the number of security solutions deviating from the enterprise security architecture that can lead to security gaps and potentially lengthen the time to resolve security or compliance issues.
  3. Information security solutions are implemented throughout the organization. These should include the number of services and solutions that align with the security plan and security incidents caused by noncompliance with the security plan.

By following these three principles, using a specified set of IT-enabling processes, and taking additional steps to move from an application-centric focus to a data-centric focus, organizations that use COBIT 5 can improve the governance and protection of their data and information.

While COBIT 5 provides sound and comprehensive improvement recommendations to start the security governance journey, organizations clearly need to move beyond reactive compliance and security to proactively mandating the need for data privacy and security enterprise-wide. In this way data are always protected.

ERM and COBIT 5 can be used separately or jointly. As with most improvement methodologies, the key to success is to start using them one step at a time.

Industry Standards

Industry groups impose their own standards to protect their customers and their members’ brand images and revenues. One example is the Payment Card Industry Data Security Standard (PCI DSS) created by Visa, MasterCard, American Express, and Discover. PCI is required for all members, merchants, or service providers that store, process, or transmit cardholder data. PCI DSS requires merchants and card payment providers to make certain their Web applications are secure. If done correctly, this could reduce the number of Web-related security breaches.

The purpose of the PCI DSS is to improve customers’ trust in e-commerce, especially when it comes to online payments, and to increase the Web security of online merchants. To motivate following these standards, the penalties for noncompliance are severe. The card brands can fine the retailer, and increase transaction fees for each credit or debit card transaction. A finding of noncompliance can be the basis for lawsuits.

IT Security Defense-In-Depth Model

The Defense-in-Depth Model encourages a multilayered approach to information security. The basic principle is that when one defense layer fails, another layer provides protection. For example, if a wireless network’s security was compromised, then having encrypted data would still protect the data, provided that the thieves could not decrypt it.

The success of any type of IT project depends on the commitment and involvement of executive management, also referred to as the tone at the top. The same is true of IT security. This information security tone makes users aware that insecure practices and mistakes will not be tolerated. Therefore, an IT security model begins with senior management commitment and support, as shown in Figure 5.12. The model views information security as a combination of people, policies, procedures, and technology.

Illustration of IT security defense-in-depth model.

FIGURE 5.12 IT security defense-in-depth model.

To use the Defense-in-Depth Model an organization must carry out four major steps:

  1. Step 1: Gain senior management commitment and support. Senior managers’ influence is needed to implement and maintain security, ethical standards, privacy practices, and internal control. IT security is best when it is top-driven. Senior managers decide how stringent infosec policies and practices should be in order to comply with laws and regulations. Financial institutions are subject to strict security and anti-money laundering (AML) rules because they face numerous national and international regulations and have high-value data. Advertising agencies and less regulated firms tend to have more lenient rules. Other factors influencing infosec policies are a corporation’s culture and how valuable their data are to criminals.

     For instance, management may decide to forbid employees from using company e-mail accounts for nonwork purposes, accessing social media during work hours, or visiting gambling sites. These decisions will then become rules stated in company policy, integrated into procedures, and implemented with technology defenses. Sites that are forbidden, for instance, can be blocked by firewalls.

  2. Step 2: Develop acceptable use policies and IT security training. Organizations need to put in place strong policies and processes that make responsibilities and accountabilities clear to all employees. An acceptable use policy (AUP) explains what management has decided are acceptable and unacceptable activities, and the consequences of noncompliance. Rules about tweets, texting, social media, e-mail, applications, and hardware should be treated as extensions of other corporate policies—such as physical safety, equal opportunity, harassment, and discrimination. No policy can address every future situation, so rules need to be evaluated, updated, or modified. For example, if a company suffers a malware infection traced to an employee using an unprotected smartphone connected to the company network, policies to restrict or prohibit those connections might be advisable.

  3. Step 3: Create and enforce IT security procedures. Secure procedures define how policies will be enforced, how incidents will be prevented, and how an incident will be responded to. Here are the basic secure procedures to put in place:
     1. Define enforcement procedures. Rules that are defined in the AUP must be enforced, and enforcement procedures must be applied consistently. Procedures for monitoring employee Internet and network usage are defined at this stage.
     2. Designate and empower an internal incident response team (IRT). The IRT typically includes the CISO, legal counsel, senior managers, experienced communicators, and key operations staff. Minimizing the team size and bureaucracy can expedite decision making and response. Because there may be significant liability issues, legal counsel needs to be involved in incident response planning and communication.
     3. Define notification procedures. When a data breach occurs, the local police department, local office of the FBI, Securities and Exchange Commission (SEC), the U.S. Secret Service, or other relevant agency needs to be notified immediately. Federal and state laws or industry regulations may define how and when affected people need to be notified.
     4. Define a breach response communications plan. Effective incident response communication plans include the personnel and processes, with the lists, channels, and social media accounts needed to execute all communications that might be needed.
     5. Monitor information and social media sources. Monitor Twitter, social media, and news coverage as a standard procedure to understand how people are responding to the incident and criticizing the company. Damage control procedures may be needed.

     When an incident occurs, the organization is ready to respond intelligently—having the correct information to be honest, open, and accountable, and to communicate with consumers and other important audiences as quickly as possible.

  4. Step 4: Implement security tools: hardware and software. The last step in the model is implementation of the software and hardware needed to support and enforce the AUP and secure procedures. The selection of hardware and software defenses is based on risk, security budget, AUP, and secure procedures. Every device that connects to an organization’s network, every online activity and mobile app of employees, and each file sent or received is an access point. Technology defense mechanisms need to be:
     • able to provide strong authentication and access control of industrial grade
     • appropriate for the types of networks and operating systems
     • installed and configured correctly
     • tested rigorously
     • maintained regularly

How much does a cyberattack really cost an organization? Regulatory fines, public relations costs, breach notification and protection costs, and other consequences of large-scale data breaches are easy to see and quantify. However, the effects of a cyberattack can linger for years, resulting in a wide range of intangible costs tied to a damaged reputation, disruption of operations, loss of IP or other strategic assets. The latter are much more difficult to measure since they are not easily quantifiable.

No matter which frameworks, standards, and controls are used to assess, monitor, and control cyber risk, a balanced approach to measuring direct costs and intangible impacts associated with cyberattacks must be used to paint an accurate picture of the damage sustained and to guide the creation of increased security measures going forward.

Concept Check 5.5

  1. The Enterprise Risk Management Framework (ERM) has ____ components:
     a. 4
     b. 6
     c. 7
     d. 8

  2. _________________ is an internationally accepted IT governance and control framework.
     a. Sarbanes–Oxley Act
     b. COBIT 5
     c. Risk Management Framework
     d. Enterprise Risk Management Framework

  3. A purpose of the Payment Card Industry Data Security Standard (PCI DSS) is to improve ________________ trust in _____________.
     a. customers, e-commerce
     b. vendors, websites
     c. customers, web security
     d. online merchants, web security

  4. The influence of ___________________ is needed to implement and maintain security, ethical standards, privacy practices, and internal control.
     a. Operational personnel
     b. Middle managers
     c. IT support
     d. Senior managers

  5. The four steps of the security defense-in-depth model include the following, EXCEPT:
     a. Senior management commitment and support
     b. Acceptable use policies and IT security training
     c. IT security procedures and enforcement
     d. Compliance with the Sarbanes–Oxley Act
     e. Implementation of hardware and software

Key Terms

acceptable use policy (AUP)

access control

administrative controls

advanced persistent threat (APT)

adware

Anonymous

application controls

assets

attack vector

audit

backdoor

biometric control

black hat

botnet

bring your own apps (BYOA)

bring your own device (BYOD)

business continuity plan

business impact analysis (BIA)

command and control (C&C) channel

consumerization of information technology (COIT)

contract hacker

Control Objectives for Information and Related Technology (COBIT) 5

corporate governance

critical infrastructure

cyberthreat

data breach

data incident

data tampering

distributed denial-of-service (DDoS) attack

do-not-carry rules

enterprise risk management (ERM)

fraud

general controls

gray hat

hacking

hacktivist

intellectual property

internal control (IC)

internal threats

intrusion detection system (IDS)

intrusion prevention system (IPS)

IT governance

LulzSec

malware

mobile biometrics

occupational fraud

patches

payload

Payment Card Industry Data Security Standard (PCI DSS)

permanent denial-of-service (PDoS)

phishing

physical controls

ransomware

remote access trojan (RAT)

remote wipe capability

risk

rogue app monitoring

rootkit

service pack

signature

social engineering

spam

spear phishing

spyware

telephony denial-of-service (TDoS)

threat

time-to-exploitation

trojan

Trojan horse

vector

virus

voice biometrics

vulnerability

white hat

worm

zero-day exploit

zombie

Assuring Your Learning

References

  1. Abadi, M., and D.G. Andersen. “Learning to Protect Communications with Adversarial Neural Cryptography.” Cornell University Library, October 24, 2016.
  2. Balakrishnan, A. “U.S. Accuses Russia of Hacking Yahoo.” CNBC, March 15, 2017.
  3. Berman, R. “Alice, Bob, and Eve Are Neural Networks. And They Have Secrets.” Big Think, November 1, 2016.
  4. Breach Level Index. “2015: The Year Data Breaches Got Personal.” February 18, 2016.
  5. Burgess, M. “How Google’s AI taught itself to create its own encryption.” Wired, October 31, 2016.
  6. Department of Justice. “The USA Patriot Act: Preserving Life and Liberty.” 2001. Accessed from https://www.justice.gov/archive/ll/highlights.htm
  7. Duan, E. “DressCode and its Potential Impact for Enterprises.” TrendMicro, September 29, 2016.
  8. Fiegerman, S. “Verizon says Yahoo’s massive breach could impact deal.” CNN, October 13, 2016.
  9. Franceschi-Bicchierai, L. “Another Day, Another Hack: 117 Million LinkedIn Emails and Passwords.” Motherboard Vice, May 18, 2016.
  10. Gelinne, J., J. Fancher, and E. Mossburg. “The Hidden Costs of an IP Breach: Cyber Theft and the Loss of Intellectual Property.” Deloitte Review, Issue 19, July 25, 2016.
  11. Gibson Dunn. “President Obama Signs Federal Trade Secrets Law.” May 11, 2016.
  12. Goldman, J. “All-Time High of 1,093 Data Breaches Reported in U.S. in 2016.” E-Security Planet, January 24, 2017. Accessed from: http://www.esecurityplanet.com/network-security/all-time-high-of-1093-data-breaches-reported-in-u.s.-in-2016.html
  13. Goodin, D. “Godless Apps, Some Found in Google Play, Can Root 90% of Android Phones.” ArsTechnica, June 23, 2016.
  14. Hackett, R. “Yahoo’s Titanic Data Breach Highlights Risk to M&A.” Fortune, September 23, 2016a.
  15. Hackett, R. “LinkedIn Lost 167 Million Account Credentials in Data Breach.” Fortune, May 18, 2016b.
  16. Kan, M. “Hackers Now Have a Treasure Trove of User Data with the Yahoo Breach.” International Data Group, September 22, 2016.
  17. KPMG. Consumer Loss Barometer. 2016. https://assets.kpmg.com/content/dam/kpmg/cn/pdf/en/2016/08/consumer-loss-barometer-v1.pdf
  18. Lee, D. “‘State’ Hackers Stole Data from 500 Million Users.” BBC, September 23, 2016.
  19. Matwyshyn, A., and H. Bhargava. “Will Yahoo’s Data Breach Help Overhaul Online Security?” Knowledge@Wharton: University of Pennsylvania, September 27, 2016. Accessed from http://knowledge.wharton.upenn.edu/article/will-yahoos-data-breach-help-overhaul-online-security/
  20. Morris, A., D. Nathan, and A. Ayyar. “Broker-Dealers and Their Auditors Face Increased Regulatory Scrutiny.” Bloomberg Legal, November 3, 2016.
  21. Murgia, M. “Cyber experts look to usual suspects in Yahoo hack.” Financial Times, September 25, 2016.
  22. Ponemon Institute. “2017 Cost of Data Breach Study: Global Overview.” June 2017.
  23. PricewaterhouseCoopers. “US Cybersecurity: Progress Stalled.” July 2015.
  24. RT.com. “Buyer Beware: US Is Biggest Creator of Malicious Mobile Apps.” February 4, 2015.
  25. Sterling, G. “Bing Reaches 20 Percent Search Market Share Milestone in US.” SearchEngineLand, April 16, 2015.
  26. Verizon. “2016 Data Breach Investigations Report.” Accessed from: http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016