CYBER AND ELECTRONIC SECURITY RISKS - Cyber crime costs the globe 400bn pa
Types of cyber crime 1:
- involves using someone else’s identity in an attempt to derive benefits by using the stolen identity. Identity theft methods:
Using hand-held card readers to skim information about credit cards, allowing cloned cards to be made
Using wireless networks to obtain information about contactless debit and credit cards
Using personal information from social networking sites
Using systematic attacks to find out passwords and security question answers
Breaching network security by using spyware
Using hacking and phishing techniques (covered below)
is the activity of gaining unauthorised access to telecoms systems, networks and databases. However, not all hacking is a criminal offence.
are used to illegally gain access to computer systems in order to cause disruption or to gather information. Malware is a catch-all term used to describe any intrusive software.
aim to make a computer or network unavailable or unusable to end users.
is an attempt by criminals to persuade people to divulge personal data.
Types of cyber crime 2:
involves using computers to commit fraudulent activity.
- obtaining information without the permission of the owner of the information.
- illegally using, copying or distributing software without having the necessary permissions and licences.
involves redirecting website traffic to a bogus website. If an end user is redirected to a bogus website, they may be asked for personal details such as credit card information, which is then used to commit identity theft.
Risks to individuals, companies and countries
Cyber crime related monetary losses
– The scope of corporate losses from cyber crime is broad. Imagine if a hacker managed to steal money from the bank accounts of 200 customers. The bank will lose money by having to reimburse the customers for the money that has been stolen. The bank will then have to pay to investigate how the hacker managed to breach its security measures. Worse still, the customers who were affected by the crime could sue the bank for negligence.
The loss of sensitive business information, including possible stock market manipulation
– A growing area in cyber crime relates to mergers and acquisitions: Hackers target banks, lawyers and accountants in order to steal information relating to potential merger and acquisition deals.
Opportunity costs, including service and employment disruptions, and reduced trust for online activities
– All of the money spent by a company on mitigating cyber crime is money that could be invested elsewhere to increase profits – by developing new products or improving efficiency. Therefore the cost of cyber crime is high.
The additional cost of securing networks, insurance, and recovery from cyber attacks –
To mitigate the high risks relating to cyber crime, companies must incur significant costs.
– Cyber crime can have a devastating effect on a company’s reputation. If a company’s website or customer electronic interfaces (such as online payment systems) are compromised by cyber crime, this can result in losing customers. This helps to explain why some corporate cyber crimes are not reported in the media.
The loss of intellectual property and business confidential information
– Information is a valuable asset for a company.
Physical loss of technology
– Increasing numbers of individuals are using technology as part of their working lives, such as using remote computer access to work from home. Entrepreneurs are likely to have key technology that they use to run their businesses, such as websites and customer databases. Therefore if technology is disrupted by cyber crime, individuals will not be able to carry out their work and daily routines.
The risks of
are far reaching for an individual. If someone was able to gain access to an individual’s name, address, national insurance and date of birth, they could potentially:
– Steal money from the bank accounts of the victim
– Open new lines of credit and spend money under the name of the victim
– Gain access to social security benefits, such as medical care and unemployment benefit
– Provide an alias if arrested by the authorities
– Gain employment and falsify tax returns using the identity of the victim
Liability and compensation claims –
Incorrect, misleading or illegal statements can lead to an individual being sued for compensation and reputational damage. Therefore an individual could be sued for damages even though they were not responsible for the electronic compensation.
Disruption to utilities
– In 2013 alone, there were 256 cyber attacks on US energy utilities (Source: Reuters, 20 May 2014). If a cyber attack can disrupt or shut down a utility, it causes widespread panic and disruption.
Infiltration of the financial system
– The UK’s money transmission and payment system is heavily reliant on computers – therefore any cyber-related disruption could bring everyone to a halt, with nobody being able to withdraw money, make payments or receive their wages. Worse still, a cyber attack on one country’s financial system could cause a global meltdown.
Theft of government secrets
– The amount of sensitive data that a government holds is incredible, ranging from social security and tax records through to national security information, such as the location of weapons and military personnel.
– If two countries were at war, they would try to attack key areas of infrastructure, such as utilities, food supplies and industry, to weaken their enemy.
Best practice guidance
Government Communications Headquarters (GCHQ)
Home and mobile working policy – develop a policy and train staff to adhere to it.
User education and awareness – maintain user awareness of cyber risks and establish a staff training programme.
Incident management – establish an incident response and disaster recovery capability.
Information risk management regime – establish the company’s risk appetite and engage the board over cyber risk in order to establish an effective governance procedure.
Manage user privileges – limit user privileges and monitor user activity.
Removable media controls – produce a policy to control all access to removable media.
Monitoring – establish a monitoring strategy and produce supporting policies.
Secure configuration – ensure the secure configuration of all systems.
Malware protection – establish anti-malware defences that are relevant to all business areas.
Network security – monitor and test security controls.
CBEST is a framework spearheaded by the Bank of England to protect the UK financial system from cyber attacks
Firms should use the consistent cyber threat intelligence available to them.
Firms should use CBEST intelligence to understand the latest cyber threats and to improve their responses to threats.
Firms should undertake tests that mimic real cyber attacks.
Firms should undergo a best practice cyber test audit.
Firms should sign up to a code of conduct.
Centre for the Protection of National Infrastructure (CPNI) suggests a series of key controls that will enable an organisation to defend itself against the latest and most common cyber attacks
Maintaining an inventory of authorised and unauthorised software and devices
Ensuring secure configurations for hardware and software on all networks and devices
Continuous vulnerability assessment and remediation
Malware and virus defences
Data recovery capability
Controlled use of administrative privileges
Maintaining, monitoring and analysis of audit logs
Incident response and management
Secure network engineering
Cyber incident planning. Key points to consider:
Incident taxonomy –
terminology used in the plan should be standardised across the organisation in line with industry standards.
Data-classification frameworks –
incident response categories should be based on the various types of data held by the company. For example, the response taken to the loss of intellectual property would be different to the response taken for the loss of non-material historic financial data.
Performance objectives –
clear response objectives should be set for each incident type and each data type. For example, a performance objective following the loss of confidential customer information could be finding out how many customers have been affected within four hours.
Definition of response-team operating models –
this part of the plan will specify the roles and responsibilities and escalation processes in the event of a cyber incident occurring. They will tie back to the data-classification framework.
Identification and remediation of failure modes –
the cyber incident recovery plan must be enhanced in response to newly identified failure modes.
Key tools for using during incident response –
the plan will include procedural guides and guidelines for documenting the response in governance, risk, and compliance applications. Checklists will provide step-by-step instructions to specific individuals.
Methods of attack
is a technique used by hackers to gain unauthorised access to computers. The hacker will send messages to a computer that are interpreted as messages coming from a trusted host.
Spam - some spam is sent with an ulterior criminal motive:
The email infects the computer with some form of malware.
The email redirects the computer to a website that will infect the computer with malware.
The email redirects the computer to a website selling illegal goods or services.
is an automated program that takes unauthorised control of a computer, and the computer becomes a ‘
involves using deception and subterfuge to gain information from people. This information is then used to work out passwords that can be used to gain access to computer systems.
Advanced persistent threats (APTs)
- They are dubbed advanced because they use the latest malware and hacking techniques to attack their targets. Because of their advanced nature, some APTs will go unnoticed by the target. T
Prevention, policy planning and governance
Identify – develop the organisational understanding to manage cyber security risk to systems, assets, data and capabilities
Protect – develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services
Detect – develop and implement the appropriate activities to identify the occurrence of a cyber security event
Respond – develop and implement the appropriate activities to take action regarding a detected cyber security event
Recover – develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cyber security event
An organisation’s assessment of cyber security risk and potential risk responses considers the privacy implications of its cyber security program.
Individuals with cyber security-related privacy responsibilities report to appropriate management and are appropriately trained.
Process is in place to support compliance of cyber security activities with applicable privacy laws, regulations, and constitutional requirements.
Process is in place to assess implementation of the foregoing organisational measures and controls.
Choose strong, secure passwords and do not share them
Be diligent with personal information – if in doubt, do not share it
Update computer security regularly
Think carefully before opening unknown emails and accessing unknown links
Secure all networks
Protect sensitive data using encryption
Use the latest firewall and anti-virus/malware software
Remember that cyber crime could happen to you – cyber criminals prey on carelessness.