Ethics in Information

Technology, Second Edition

Chapter 3
Computer and Internet Crime
 Objectives
• What key trade-offs and ethical issues are
associated with the safeguarding of data and
information systems?

• Why has there been a dramatic increase in the

number of computer-related security incidents in
recent years?

• What are the most common types of computer

security attacks?
 Objectives (continued)
• What are some characteristics of common computer
criminals, including their objectives, available
resources, willingness to accept risk, and frequency of
attack?

• What are the key elements of a multilayer process for

managing security vulnerabilities, based on the concept
of reasonable assurance?

• What actions must be taken in response to a security

incident?
 IT Security Incidents: A Worsening
Problem
• Security of information technology is of utmost
importance
– Protect confidential data
• Safeguard private customer and employee data
– Protect against malicious acts of theft or disruption
– Must be balanced against other business needs and
issues
• Number of IT-related security incidents is
increasing around the world
The security of information technology used in business is of utmost importance.
Confidential business data and private customer and employee information must
be safeguarded, and systems must be protected against malicious acts of theft or
disruption. Although the necessity of security is obvious, it must often be
balanced against other business needs and issues. Business managers, IT
professionals, and IT users all face a number of ethical decisions
regarding IT security:

• If their firm is a victim of a computer crime, should they pursue prosecution of

the criminals at all costs, maintain a low profile to avoid the negative publicity,
inform their affected customers, or take some other action?
• How much effort and money should be spent to safeguard against computer
crime? (In other words, how safe is safe enough?)
• If their firm produces software with defects that allow hackers to attack
customer data and computers, what actions should they take?
• What tactics should management ask employees to use to gather competitive
intelligence without doing anything illegal?
• What should be done if recommended computer security safeguards make life
more difficult for customers and employees, resulting in lost sales and increased
costs?
Why Computer Incidents Are So Prevalent
In today’s computing environment of increasing complexity, higher user
expectations, expanding and changing systems, and increased reliance on
software with known vulnerabilities, it is no wonder that the number,
variety, and impact of security incidents are increasing dramatically.

Increasing Complexity Increases Vulnerability

The computing environment has become enormously complex. Networks,
computers, operating systems, applications, Web sites, switches, routers,
and gateways are interconnected and driven by hundreds of millions of
lines of code. This environment continues to increase in complexity every
day. The number of possible entry points to a network expands continually
as more devices are added, increasing the possibility of security breaches.

Higher Computer User Expectations

Today, time means money, and the faster computer users can solve a
problem, the sooner they can be productive. As a result, computer help
desks are under intense pressure to respond very quickly to users’
questions. Under duress, help desk personnel sometimes forget to verify
users’ questions. Under duress, help desk personnel sometimes forget
to verify users’ identities or to check whether they are authorized to
perform a requested action. In addition, even though they have been
warned against doing so, some computer users share their login ID
and password with other coworkers who have forgotten their own
passwords. This can enable workers to gain access to information
systems and data for which they are not authorized.

Expanding and Changing Systems Introduce New Risks

Business has moved from an era of stand-alone computers, in which
critical data was stored on an isolated mainframe computer in a locked
room, to an era in which personal computers connect to networks with
millions of other computers, all capable of sharing information.
Businesses have moved quickly into e-commerce, mobile computing,
collaborative work groups, global business, and interorganizational
information systems. Information technology has become ubiquitous
and is a necessary tool for organizations to achieve their goals.
However, it is increasingly difficult to keep up with the pace of technological change,
successfully perform an ongoing assessment of new security risks, and implement
approaches for dealing with them.

Increased Reliance on Commercial Software with Known Vulnerabilities

In computing, an exploit is an attack on an information system that takes advantage of a
particular system vulnerability. Often this attack is due to poor system design or
implementation. Once the vulnerability is discovered, software developers quickly
create and issue a “fix,” or patch, to eliminate the problem. Users of the system or
application are responsible for obtaining and installing the patch, which they can
usually download from the Web. (These fixes are in addition to other maintenance and
project work that software developers perform.) Any delay in installing a patch exposes
the user to a security breach. A zero-day attack takes place before the security
community or software developer knows about the vulnerability or has been able to
repair it.
 Increasing Complexity Increases
Vulnerability
• Computing environment is enormously complex
– Continues to increase in complexity
– Number of possible entry points to a network
expands continuously
 Higher Computer User Expectations
• Computer help desks
– Under intense pressure to provide fast responses to
users’ questions
– Sometimes forget to
• Verify users’ identities
• Check whether users are authorized to perform
the requested action
• Computer users share login IDs and passwords
 Expanding and Changing Systems
Introduce New Risks
• Network era
– Personal computers connect to networks with
millions of other computers
– All capable of sharing information
• Information technology
– Ubiquitous
– Necessary tool for organizations to achieve goals
– Increasingly difficult to keep up with the pace of
technological change
 Increased Reliance on Commercial
Software with Known Vulnerabilities
• Exploit
– Attack on information system
– Takes advantage of a particular system vulnerability
– Due to poor system design or implementation
• Patch
– “Fix” to eliminate the problem
– Users are responsible for obtaining and installing
patches
– Delays in installing patches expose users to security
breaches
 Increased Reliance on Commercial
Software with Known Vulnerabilities
(continued)
• Zero-day attack
– Takes place before a vulnerability is discovered or
fixed
• U.S. companies rely on commercial software with
known vulnerabilities
 Types of Attacks
• Most frequent attack is on a networked computer
from an outside source
• Types of attacks
– Virus
– Worm
– Trojan horse
– Denial of service
There are numerous types of computer attacks, with new varieties being
invented all the time. This section will discuss some of the more
common attacks, including the virus, worm, Trojan horse, botnet,
distributed denial-of-service, rootkit, spam, and phishing.

Viruses
Computer virus has become an umbrella term for many types of
malicious code. Technically, a virus is a piece of programming code,
usually disguised as something else, that causes a computer to behave in
an unexpected and usually undesirable manner. Often a virus is attached
to a file, so that when the infected file is opened, the virus executes.
Other viruses sit in a computer’s memory and infect files as the
computer opens, modifies, or creates them. Most viruses deliver a
“payload,” or malicious software that causes the computer to perform in
an unexpected way. For example, the virus may be programmed to
display a certain message on the computer’s display screen, delete or
modify a certain document, or reformat the hard drive. A true virus does
not spread itself from computer to computer. A virus is spread to other
machines when a computer user opens an infected e-mail attachment,
downloads an infected program, or visits infected Web sites. In other
words, it takes action by the “infected” computer user to spread a
virus. Macro viruses have become a common and easily created form
of virus. Attackers use an application macro language (such as Visual
Basic or VBScript) to create programs that infect documents and
templates. After an infected document is opened, the virus is executed
and infects the user’s application templates. Macros can insert
unwanted words, numbers, or phrases into documents or alter
command functions. After a macro virus infects a user’s application, it
can embed itself in all future documents created with the application.

Worms

Unlike a computer virus, which requires users to spread infected files

to other users, a worm is a harmful program that resides in the active
memory of the computer and duplicates itself. Worms differ from
viruses in that they can propagate without human intervention,
sending copies of themselves to other computers by e-mail or Internet
Relay Chat (IRC). The negative impact of a worm attack on an
organization’s computers can beconsiderable—lost data and
programs, lost productivity due to workers being unable to use their
computers, additional lost productivity as workers attempt to recover
data and programs, and lots of effort for IT workers to clean up the mess
and restore everything to as close to normal as possible.

Trojan Horses
A Trojan horse is a program in which malicious code is hidden inside a
seemingly harmless program. The program’s harmful payload can
enable the hacker to destroy hard drives, corrupt files, control the
computer remotely, launch attacks against other computers, steal
passwords or Social Security numbers, and spy on users by recording
keystrokes and transmitting them to a server operated by a third party.
A Trojan horse can be delivered as an e-mail attachment, downloaded
from a Web site, or contracted via a removable media device such as a
CD/DVD or USB memory stick. Once an unsuspecting user executes
the program that hosts the Trojan horse, the malicious payload is
automatically launched as well—with no telltale signs. Common host
programs include screen savers, greeting card systems, and games.
Another type of Trojan horse is a logic bomb, which executes when it
is triggered by a specific event. For example, logic bombs can be
triggered by a change in a particular file, by typing a specific series of
keystrokes, or by a specific time or date.

Distributed Denial-of-Service (DDoS) Attacks

A distributed denial-of-service attack (DDoS) is one in which a
malicious hacker takes over computers on the Internet and causes
them to flood a target site with demands for data and other small
tasks. A distributed denial-of-service attack does not involve
infiltration of the targeted system. Instead, it keeps the target so busy
responding to a stream of automated requests that legitimate users
cannot get in—the Internet equivalent of dialing a telephone number
repeatedly so that all other callers hear a busy signal. The targeted
machine “holds the line open” while waiting for a reply that never
comes, and eventually
the requests exhaust all resources of the target.
The software to initiate a denial-of-service attack is simple to use and
readily available at hacker sites. A tiny program is downloaded
surreptitiously from the attacker’s computer to dozens, hundreds, or even
thousands of computers all over the world. Based on a command by the
attacker or at a preset time, these computers (called zombies) go into
action, each sending a simple request for access to the target site again
and again—dozens of times per second. The zombies involved in a
denial-of-service attack are often seriously compromised and are left with
more enduring problems than their target. As a result, zombie machines
need to be inspected to ensure that the attacker software is completely
removed from the system. In addition, system software must often be
reinstalled from a reliable backup to reestablish the system’s integrity,
and an upgrade or patch must be implemented to eliminate the
vulnerability that allowed the attacker to enter the system
 Viruses
• Pieces of programming code
• Usually disguised as something else
• Cause unexpected and usually undesirable events
• Often attached to files
• Deliver a “payload”
 Viruses (continued)
• Does not spread itself from computer to computer
– Must be passed on to other users through
• Infected e-mail document attachments
• Programs on diskettes
• Shared files
• Macro viruses
– Most common and easily created viruses
– Created in an application macro language
– Infect documents and templates
 Worms
• Harmful programs
– Reside in active memory of a computer
• Duplicate themselves
– Can propagate without human intervention
• Negative impact of virus or worm attack
– Lost data and programs
– Lost productivity
– Effort for IT workers
 Trojan Horses
• Program that a hacker secretly installs
• Users are tricked into installing it
• Logic bomb
– Executes under specific conditions
 Denial-of-Service (DoS) Attacks
• Malicious hacker takes over computers on the
Internet and causes them to flood a target site with
demands for data and other small tasks
– The computers that are taken over are called
zombies
• Does not involve a break-in at the target computer
– Target machine is busy responding to a stream of
automated requests
– Legitimate users cannot get in
• Spoofing generates a false return address on
packets
 Denial-of-Service (DoS) Attacks
(continued)
• Ingress filtering - When Internet service providers
(ISPs) prevent incoming packets with false IP
addresses from being passed on
• Egress filtering - Ensuring spoofed packets don’t
leave a network
 Perpetrators
• Motives are the same as other criminals
• Different objectives and access to varying
resources
• Different levels of risk to accomplish an objective
Classifying Perpetrators of Computer Crime
 Hackers and Crackers
• Hackers
– Test limitations of systems out of intellectual curiosity
• Crackers
– Cracking is a form of hacking
– Clearly criminal activity
 Malicious Insiders
• Top security concern for companies
• Estimated 85 percent of all fraud is committed by
employees
• Usually due to weaknesses in internal control
procedures
• Collusion is cooperation between an employee and
an outsider
• Insiders are not necessarily employees
– Can also be consultants and contractors
• Extremely difficult to detect or stop
– Authorized to access the very systems they abuse
 Industrial Spies
• Illegally obtain trade secrets from competitors
• Trade secrets are protected by the Economic
Espionage Act of 1996
• Competitive intelligence
– Uses legal techniques
– Gathers information available to the public
• Industrial espionage
– Uses illegal means
– Obtains information not available to the public
 Cybercriminals
• Hack into corporate computers and steal
• Engage in all forms of computer fraud
• Chargebacks are disputed transactions
• Loss of customer trust has more impact than fraud
• To reduce the potential for online credit card fraud
sites:
– Use encryption technology
– Verify the address submitted online against the
issuing bank
– Request a card verification value (CVV)
– Use transaction-risk scoring software
 Cybercriminals (continued)
• Smart cards
– Contain a memory chip
– Are updated with encrypted data every time the card
is used
– Used widely in Europe
– Not widely used in the U.S.
 Cyberterrorists
• Intimidate or coerce governments to advance
political or social objectives
• Launch computer-based attacks
• Seek to cause harm
– Rather than gather information
• Many experts believe terrorist groups pose only a
limited threat to information systems
 Reducing Vulnerabilities
• Security
– Combination of technology, policy, and people
– Requires a wide range of activities to be effective
• Assess threats to an organization’s computers and
network
• Identify actions that address the most serious
vulnerabilities
• Educate users
• Monitor to detect a possible intrusion
• Create a clear reaction plan
 Risk Assessment
• Organization’s review of:
– Potential threats to computers and network
– Probability of threats occurring
• Identify investments that can best protect an
organization from the most likely and serious
threats
• Reasonable assurance
• Improve security in areas with:
– Highest estimated cost
– Poorest level of protection
Risk Assessment for a Hypothetical
Company
 Establishing a Security Policy
• A security policy defines
– Organization’s security requirements
– Controls and sanctions needed to meet the
requirements
• Delineates responsibilities and expected behavior
• Outlines what needs to be done
– Not how to do it
• Automated system policies should mirror written
policies
 Establishing a Security Policy
(continued)
• Trade-off between
– Ease of use
– Increased security
• Areas of concern
– E-mail attachments
– Wireless devices
• VPN uses the Internet to relay communications but
maintains privacy through security features
• Additional security includes encrypting originating
and receiving network addresses
 Educating Employees, Contractors,
and Part-Time Workers
• Educate users about the importance of security
– Motivate them to understand and follow security
policy
• Discuss recent security incidents that affected the
organization
• Help protect information systems by:
– Guarding passwords
– Not allowing others to use passwords
– Applying strict access controls to protect data
– Reporting all unusual activity
 Prevention
• Implement a layered security solution
– Make computer break-ins harder
• Firewall
– Limits network access
• Antivirus software
– Scans for a specific sequence of bytes
• Known as the virus signature
– Norton Antivirus
– Dr. Solomon’s Antivirus from McAfee
Firewall Protection
Popular Firewall Software for Personal
Computers
 Prevention (continued)
• Antivirus software
– Continually updated with the latest virus detection
information
• Called definitions
• Departing employees
– Promptly delete computer accounts, login IDs, and
passwords
• Carefully define employee roles
• Create roles and user accounts
 Prevention (continued)
• Keep track of well-known vulnerabilities
– SANS (System Administration, Networking, and
Security) Institute
– CERT/CC
• Back up critical applications and data regularly
• Perform a security audit
 Response
• Response plan
– Develop well in advance of any incident
– Approved by
• Legal department
• Senior management
• Primary goals
– Regain control
– Limit damage
 Response (continued)
• Incident notification defines
– Who to notify
– Who not to notify
• Security experts recommend against releasing
specific information about a security compromise in
public forums
• Document all details of a security incident
– All system events
– Specific actions taken
– All external conversations
 Response (continued)
• Act quickly to contain an attack
• Eradication effort
– Collect and log all possible criminal evidence from
the system
– Verify necessary backups are current and complete
– Create new backups
• Follow-up
– Determine how security was compromised
• Prevent it from happening again
 Response (continued)
• Review
– Determine exactly what happened
– Evaluate how the organization responded
• Capture the perpetrator
• Consider the potential for negative publicity
• Legal precedent
– Hold organizations accountable for their own IT
security weaknesses
Response
An organization should be prepared for the worst—a successful attack that defeats
all or some of a system’s defenses and damages data and information systems. A
response plan should be developed well in advance of any incident and be approved
by both the organization’s legal department and senior management. A well
developed response plan helps keep an incident under technical and emotional
control.
In a security incident, the primary goal must be to regain control and limit damage,
not to attempt to monitor or catch an intruder. Sometimes system administrators
take the discovery of an intruder as a personal challenge and lose valuable time that
should be used to restore data and information systems to normal.
Incident Notification
A key element of any response plan is to define who to notify and who not to
notify. Questions to cover include the following: Within the company, who needs
to be notified, and what information does each person need to have? Under what
conditions should the company contact major customers and suppliers? How does
the company inform them of a disruption in business without unnecessarily
alarming them? When should local authorities or the FBI be contacted?
Most security experts recommend against giving out specific information
about a compromise in public forums, such as news reports, conferences,
professional meetings, and online discussion groups. All parties working on
the problem need to be kept informed and up to date without using systems
connected to the compromised system. The intruder may be monitoring these
systems and e-mail to learn what is known about the security breach.

Protection of Evidence and Activity Logs

An organization should document all details of a security incident as it works

to resolve the incident. Documentation captures valuable evidence for a future
prosecution and provides data to help during the incident eradication and
follow-up phases. It is especially important to capture all system events, the
specific actions taken (what, when, and who), and all external conversations
(what, when, and who) in a logbook. Because this may become court
evidence,
an organization should establish a set of document handling procedures using
the legal department as a resource.
Incident Containment

Often it is necessary to act quickly to contain an attack and to keep a bad situation from
becoming even worse. The response plan should clearly define the process for deciding
if man attack is dangerous enough to warrant shutting down or disconnecting critical
systems from the network. How such decisions are made, how fast they are made, and
who makes them are all elements of an effective response plan.

Eradication

Before the IT security group begins the eradication effort, it must collect and log all
possible criminal evidence from the system, and then verify that all necessary backups
are current, complete, and free of any virus. Creating a forensic disk image of each
compromised system on write-only media both for later study and as evidence can be
very useful. After virus eradication, the group must create a new backup. Throughout
this process, a log should be kept of all actions taken. This will prove helpful during the
follow-up phase and ensure that the problem does not recur. It is imperative to back up
critical applications and data regularly. Many organizations, however, have
implemented inadequate backup processes and found that they could not fully restore
original data after a security incident. All backups should be created with enough
frequency to enable a full and quick restoration of data if an attack destroys the
This process should be tested to confirm that it works.

Incident Follow-Up
Of course, an essential part of follow-up is to determine how the organization’s
security was compromised so that it does not happen again. Often the fix is as
simple as getting a software patch from a product vendor. However, it is important
to look deeper than the immediate fix to discover why the incident occurred. If a
simple software fix could have prevented the incident, then why wasn’t the fix
installed before the incident occurred? A review should be conducted after an
incident to determine exactly what happened and to evaluate how the organization
responded. One approach is to write a formal incident report that includes a detailed
chronology of events and the impact of the incident. This report should identify any
mistakes so that they are not repeated in the future. The experience from this
incident should be used to update and revise the security incident
response plan. Creating a detailed chronology of all events will also document the
incident for later prosecution. To this end, it is critical to develop an estimate of the
monetary damage. Potential costs include loss of revenue, loss in productivity, and
the salaries of people working to address the incident, along with the cost to replace
data, software, and hardware.
 Summary
• Ethical decisions regarding IT security include
determining which information systems and data
most need protection
• 65-fold increase in the number of reported IT
security incidents from 1997 to 2003
• Most incidents involve a:
– Virus
– Worm
– Trojan horse
– Denial-of-service
 Summary (continued)
• Perpetrators include:
– Hackers
– Crackers
– Industrial spies
– Cybercriminals
– Cyberterrorists
 Summary (continued)
• Key elements of a multilayer process for managing
security vulnerabilities include:
– Assessment
– User education
– Response plan