Ten Deadly Sins of Cyber Security

August 2010
Criminals have taken the cyber route to steal money
from your wallets. Cybercrime has evolved in terms
of both nature and scope. Cyber security is in
response mode and growing in significance. This
paper focuses on the ten deadly sins of cyber
security.
1. Introduction
The Information technology (IT) revolution has made it easier to communicate and
disseminate information over long distances and in real time. IT has entered into major
realms of a person’s life like education, occupation, commerce and entertainment. The
speed, convenience and efficiency associated with IT have made it the lifeline of most
organizations, government agencies, professionals and individuals. Whether you take a look
at banking and finance, energy, health care, utility services and communication, IT has
revolutionized every sphere of business activity and service delivery. The services sector, in
particular, has been one of the major beneficiaries of the IT revolution. Banks now offer
multiple channels for interacting with their clients, such as branch, Internet, mobile, phone and
teller machines, which make financial products more attractive and banking more convenient
for customers. As a result, banking customers are networked to their bank in one way or
another.
1.1 Cyber Security
Information Technology and its significance in the business world have become
ubiquitous. Today's business environment comprises service industries that are
completely dependent on their IT infrastructure. For example, air traffic control is
critical to the normal functioning of airlines, so any disruption of its control systems
can cause errors that could result in accidents and even loss of life. Similarly, a power
breakdown resulting from a disruption in a company's IT infrastructure could bring all
operational activities to a standstill.
The explosive growth of, and dependence on, Information Technology has also provided a
veritable breeding ground for cyber crime. Information Technology has made it easier for
unscrupulous entities to deceive, steal and harm others through cyberspace. The ease
with which these crimes can be committed has raised concerns regarding information
confidentiality, integrity and availability. Therefore, the importance of cyber security
cannot be overstated. Cyber security involves protection of the data on all computers
and systems that interact with the Internet. That protection rests on proper
authentication, on preserving confidentiality and integrity, and on enforcing access
controls. In addition, non-repudiation, the ability to prove who sent or changed data, is
a crucial element of cyber security.
© Copyright EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
2. Vulnerabilities
The evolution of cybercrime is evident when one examines how technologically advanced
the scope and nature of common attacks have become. Cybercriminals have a more
sophisticated modus operandi and purpose. Information can be stolen through social
engineering techniques like phishing, or via direct attacks that install malware through
browser add-ons, malicious ad links and key loggers, among others. Cybercrime is steadily
evolving into a well-organized, but still very illegal, business activity. In spite of these
advances, adherence to a standard of IT security fundamentals can facilitate appropriate
handling of cyber threats.
2.1 Ten Deadly Sins of Cyber Security
i. Weak passwords
The most fundamental, but often overlooked, premise of cyber security is strong
passwords. Many users still use insecure passwords. Some of the insecure
password practices include:
a) Using all letters of the same case
b) Sequential numbers or letters
c) Only numerals
d) Fewer than eight characters
e) Predictable content (such as a name, date of birth or phone number)
f) The same password for different online accounts
Now, the question is, "What makes users choose predictable passwords in spite
of the known threats?" Consider the number of accounts that require a user to
log in over the course of a day: social networking sites, bank websites,
official web applications, databases and e-mail accounts.
Some of the reasons for using predictable and insecure passwords include:
a) They are easy to remember
b) Lack of uniformity in password policy across websites
A strong password must combine letters, numerals and special characters and
must be at least eight characters long; length adds more resistance to
guessing than any single special character does. A password should not be
predictable, and users must employ a different password for each of their
online accounts (a password manager makes that practical).
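The six practices above can be turned into a mechanical check. The following Python script is an added example, not part of the EC-Council paper: it flags each listed practice for a candidate password, derives the "predictable" fragments from a user profile (name, date of birth, phone), and audits a set of accounts for password reuse. The profile, the account list and the rule thresholds (a run of four sequential characters, fragments of three or more characters) are constructed assumptions for illustration; a real reuse audit would compare password-manager hashes rather than plaintext.

```python
import re
from collections import defaultdict


def has_sequential_run(password, min_len=4):
    """True if the password contains min_len or more consecutive ascending or
    descending letters/digits, e.g. '1234', 'abcd', '9876'."""
    s = password.lower()
    for i in range(len(s) - min_len + 1):
        chunk = s[i:i + min_len]
        if not chunk.isalnum():
            continue
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({1}, {-1}):
            return True
    return False


def personal_fragments(profile):
    """Strings a user is likely to embed in a password, derived from the
    profile fields the paper lists: name, date of birth (YYYY-MM-DD), phone."""
    frags = set()
    for part in profile.get("name", "").split():
        frags.add(part.lower())
    digits = re.sub(r"\D", "", profile.get("dob", ""))
    if len(digits) == 8:                       # YYYYMMDD
        yyyy, mm, dd = digits[:4], digits[4:6], digits[6:]
        frags.update({yyyy, yyyy[2:] + mm + dd, dd + mm + yyyy,
                      dd + mm + yyyy[2:], mm + dd + yyyy, digits})
    phone = re.sub(r"\D", "", profile.get("phone", ""))
    if phone:
        frags.update({phone, phone[-4:]})
    return {f for f in frags if len(f) >= 3}   # ignore trivial fragments


def check_password(password, profile=None):
    """Return the list of weak-password practices the password exhibits
    (an empty list means it passes every rule in this section)."""
    issues = []
    if len(password) < 8:
        issues.append("fewer than eight characters")
    if password.isdigit():
        issues.append("only numerals")
    elif password.isalpha() and (password.islower() or password.isupper()):
        issues.append("all letters of the same case")
    if has_sequential_run(password):
        issues.append("sequential numbers or letters")
    hits = sorted(f for f in personal_fragments(profile or {})
                  if f in password.lower())
    if hits:
        issues.append("predictable: contains " + ", ".join(hits))
    classes = (any(c.isalpha() for c in password),
               any(c.isdigit() for c in password),
               any(not c.isalnum() for c in password))
    if not all(classes):
        issues.append("not a mix of letters, numerals and special characters")
    return issues


def find_reused(accounts):
    """Map every password shared by two or more accounts to those accounts.
    Plaintext is used only so the constructed sample below is readable."""
    by_password = defaultdict(list)
    for account, password in accounts.items():
        by_password[password].append(account)
    return {pw: accs for pw, accs in by_password.items() if len(accs) > 1}


# Constructed sample data (assumption), not taken from the paper.
PROFILE = {"name": "John Smith", "dob": "1985-03-12", "phone": "+1 555 0199"}
ACCOUNTS = {
    "bank": "smith1985",
    "email": "smith1985",
    "social": "abcd1234",
    "work": "Tr0ub4dor&3xample!",
}

if __name__ == "__main__":
    for account, pw in ACCOUNTS.items():
        print(f"{account:7} {pw!r:22} {check_password(pw, PROFILE) or 'OK'}")
    print("reused:", find_reused(ACCOUNTS))
```

Running the script reports the bank and e-mail accounts as sharing a password built from the user's surname and birth year, the social account as sequential, and only the work password as passing every rule.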
ii. Phished
Do you respond to e-mails asking for account information? If your answer is
"Yes," then you are more likely than not to become the victim of a phishing
scam. Phishing is a common method of identity theft that uses fake e-mails,
sent to customers in the name of a trusted organization, to acquire sensitive
user information.
Example:
Mr. "XYZ" has a savings account with Target bank. Last weekend, Mr. XYZ
received an e-mail from [email protected] with the subject line
"Update your Target bank online access."
The e-mail stated that the bank had recently upgraded its services and requested
that the recipient fill out a "Customer Update Form" at the link
http://www.targetbank.com.
Since Mr. XYZ assumed that the e-mail came from his own bank, he clicked on the
provided link. The link took him to a website which appeared identical to
Target bank's website. Mr. XYZ filled out the web form with the personal
information and authentication details that the "Customer Update Form"
required.
A day later, when he logged on to his online account at
https://www.targetbank.com, he was shocked to find that all the funds in his
account had been drained.
Mr. XYZ was the victim of a simple phishing scam. Let's review some basic details
that Mr. XYZ missed in the e-mail. First, the mail did not address him by name;
instead, it used "Dear Customer". Second, the sender's address ended in ".co.uk",
while the bank's real domain ends in ".com". Third, the visible link text
"http://www.targetbank.com" concealed a different destination, the fake page
www.malicious.ie/userdetails.asp, which hovering over the link (or reading the
message source) would have revealed, and which used plain http rather than the
bank's https. Finally, banks do not ask customers to reveal access details
through e-mail.
This is the type of example that can be shared with employees while training
them not to respond to, or click on links in, a suspicious e-mail.
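The four tells in the example can be checked automatically before a message reaches an inbox or a training exercise. The script below is an added example, not part of the paper: it parses a raw message with Python's standard `email` library, compares the sender domain with the bank's expected domain, looks for a generic greeting, extracts every link to compare where it points against what it shows (and whether it is plain http), and searches for requests for access details. The two messages are constructed for this example; the sender address on targetbank.co.uk stands in for the redacted address in the paper, and the "expected domain" is an assumption the caller supplies.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def belongs_to(host, domain):
    """True if host is domain itself or a subdomain of it, so that both
    'targetbank.co.uk' and 'targetbank.com.evil.example' fail for
    'targetbank.com'."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def phishing_indicators(raw_message, expected_domain):
    """Apply the tells Mr. XYZ missed to a raw RFC 5322 message. Returns a list
    of indicator strings; an empty list means none of these checks fired."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    found = []
    sender = msg["from"].addresses[0].addr_spec if msg["from"] else ""
    sender_host = sender.rsplit("@", 1)[-1]
    if not belongs_to(sender_host, expected_domain):
        found.append(f"sender domain {sender_host!r} is not {expected_domain!r}")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    if re.search(r"\bdear\s+(valued\s+)?(customer|user|member|client)\b", text, re.I):
        found.append("generic greeting instead of the customer's name")
    parser = LinkExtractor()
    parser.feed(text)
    for href, shown in parser.links:
        url = urlparse(href)
        host = url.hostname or ""
        if not belongs_to(host, expected_domain):
            found.append(f"link text {shown!r} points to {host!r}")
        if url.scheme == "http":
            found.append(f"link to {host!r} is plain http, not https")
    if re.search(r"\b(password|pin|account\s+number|access\s+details)\b", text, re.I):
        found.append("asks for access details, which banks do not do by e-mail")
    return found


# Constructed messages (assumptions), modelled on the paper's scenario.
SAMPLE_MAIL = """\
From: Target Bank <customerservice@targetbank.co.uk>
To: xyz@example.com
Subject: Update your Target bank online access
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Customer,</p>
<p>We have recently upgraded our services. Please complete the
<a href="http://www.malicious.ie/userdetails.asp">Customer Update Form</a>
at <a href="http://www.malicious.ie/userdetails.asp">http://www.targetbank.com</a>
and confirm your account number and password.</p>
</body></html>
"""

LEGIT_MAIL = """\
From: Target Bank Alerts <alerts@targetbank.com>
To: xyz@example.com
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear John Smith,</p>
<p>Your statement for March is available in online banking:
<a href="https://www.targetbank.com/statements">View statement</a>.
Log in as usual to view it.</p>
</body></html>
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_MAIL), ("legit", LEGIT_MAIL)):
        print(name, phishing_indicators(raw, "targetbank.com") or "no indicators")
```

The domain comparison deliberately avoids guessing a "registered domain" from the last two labels, which would mishandle suffixes such as .co.uk; instead the caller names the domain the message claims to come from and every host is checked against that.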
iii. Lack of data backup
A user can lose data through hardware or software failure, a virus attack,
file corruption, accidental file deletion, application failure, damage to the
partition structure, or even a power failure. Appropriate data backup
procedures allow a user to restore data in times of crisis. There are many ways
to back up data, such as storing it on CDs or DVDs, thumb drives, and external
hard disks. Users can create a complete system backup by using a disk image [1].
Another way to back up data is to employ an online backup service whose main
business function is to host uploading and downloading of files as well as file
compression and encryption. The basic premise behind backing up data is to make
the backed-up data available for later use. Depending upon how often the data
changes, a user may schedule backup activity on an hourly, daily or weekly
basis. Users should use the verification option of their backup utility to
confirm that all data was properly copied.
[1] A disk image is a complete sector-by-sector copy of the device and replicates its structure and contents.
It is not uncommon to "back up your backup" by creating multiple copies of the
data, so that if one backup copy is damaged, another can be used. Data which
has been backed up must be adequately protected from malware, Trojans and other
cyber threats by using anti-virus solutions and regular updates; a backup that
is permanently connected to the machine it protects can be wiped by the same
malware or accident, so at least one copy should be kept offline. Another
valuable practice is to store a copy of the data at an offsite location to
safeguard it from any disaster at the current premises. Data recovery software
can help retrieve files from a damaged external hard drive, but the only
reliable check that a backup works is to restore from it periodically.
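What "verify that all data is properly copied" means in practice is recording a hash of every file at backup time and re-hashing the copy later. The script below is an added example, not from the paper or any backup product: it copies a directory tree to a destination, writes a SHA-256 manifest beside the copy, and verifies a copy by reporting files that are missing or whose contents no longer match. The demo function builds a small constructed tree in a temporary directory, backs it up to two destinations (standing in for a USB drive and an offsite copy), damages the first copy, and shows that verification catches the damage while the second copy still verifies. The file names, contents and the manifest file name are assumptions.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST = "MANIFEST.sha256.json"   # assumed name for the hash list


def sha256_of(path, chunk_size=1 << 16):
    """SHA-256 of a file, read in chunks so large files do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Relative path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup(src, dst):
    """Copy the src tree to dst and record a hash manifest beside the copy."""
    manifest = build_manifest(src)
    shutil.copytree(src, dst, dirs_exist_ok=True)
    Path(dst, MANIFEST).write_text(json.dumps(manifest, indent=1))
    return manifest


def verify_backup(dst):
    """Re-hash every file listed in the manifest; return the problems found."""
    dst = Path(dst)
    manifest = json.loads((dst / MANIFEST).read_text())
    problems = []
    for rel, expected in manifest.items():
        copy = dst / rel
        if not copy.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_of(copy) != expected:
            problems.append(f"corrupt: {rel}")
    return problems


def demo():
    """Constructed scenario: back up a small tree to two media, then damage
    the first copy. Returns (first copy before damage, first copy after
    damage, second copy)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "home")
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "report.txt").write_text("quarterly figures\n")
        (src / "notes.txt").write_text("call the bank\n")
        copy1, copy2 = Path(tmp, "usb-drive"), Path(tmp, "offsite")
        backup(src, copy1)
        backup(src, copy2)
        first_clean = verify_backup(copy1)
        # Simulate media damage on the first copy: flip one byte, lose a file.
        with open(copy1 / "docs" / "report.txt", "r+b") as fh:
            fh.write(b"Q")
        (copy1 / "notes.txt").unlink()
        return first_clean, verify_backup(copy1), verify_backup(copy2)


if __name__ == "__main__":
    before, after, offsite = demo()
    print("usb-drive before damage:", before or "OK")
    print("usb-drive after damage: ", after)
    print("offsite copy:           ", offsite or "OK")
```

The manifest is written next to the data it describes, which is enough to detect bit rot or an incomplete copy; to detect deliberate tampering with both data and manifest, the manifest (or its hash) would additionally need to be stored somewhere the attacker cannot reach.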
iv. Insecure Internet browsing
A web browser is the gateway to the Internet and is one of the most widely
used applications. Web browsers execute scripts, applets, plugins and ActiveX
controls. However, these features can be used by attackers to infect
unprotected computers with a virus or other malicious code. For example, web
browsers allow plugins like a Flash player to extend functionality; attackers
may create malicious Flash content and embed it in web pages. Vulnerabilities
in a web browser can compromise the security of a system and its information.
To control these threats, a user may:
a. Disable active scripting in the web browser
b. Add risky sites encountered to the restricted sites zone
c. Keep the web browser security level at medium for trusted sites and high
for restricted sites
d. Uncheck the password storage feature in AutoComplete
e. Avoid downloading free games and applications, as they may have built-in
spyware and malware
f. Use anti-spyware solutions
Cyber threats that originate from web browser vulnerabilities can be controlled
by using the latest version of the browser, installing updates promptly, and
configuring settings to disable applets, scripts, plugins and ActiveX controls
that are not needed.
v. Use of pirated software
Do you use pirated operating systems and/or software? If your answer is
"Yes," then you are more likely than not to be vulnerable to cyber-attacks.
The easy availability and often low cost of pirated software can entice users
to install it on their computers. However, pirated software may not have the
same configuration strength that is available with genuine software. The
threat to individuals and companies from privacy, identity or data protection
breaches, and the financial exposure that follows, make the purchase of genuine
software a must.
Pirated software may be used as a carrier for Trojans and viruses, and since
the software is unsupported the user is deprived of technical support. Another
downside is that software updates are not available to those who have installed
pirated software, so known vulnerabilities stay open. We purchase software for
its functionality, and pirated software may lead to frequent interruptions and
even data loss. Users who purchase and install genuine software products
benefit from technical support, product updates, uninterrupted service and, in
the long run, cost savings.
vi. Misuse of portable storage devices
The last few years have seen increased usage of portable storage devices.
These devices have brought improvements in working practices, but they also
pose a threat to data through theft or leakage. They have high storage
capacity and can easily be connected to other devices and/or to network
resources. Users can use portable storage devices to copy software,
applications and data off official networks, including privileged business
information and sensitive customer information. Organizations can restrict the
use of portable storage devices to selected users or a selected set of devices.
"The loss or theft of portable devices can lead to loss or leakage of
sensitive business and/or user information."
An example:
In 2007, a leading provider of a security certification lost a laptop containing
names, addresses, social security numbers, telephone numbers, dates of birth and
salary records of employees. In this case, encrypting the sensitive business
information (full-disk encryption on the laptop) would have protected the data
from leakage even though the device was stolen.
vii. Lack of proper encryption
If a user does not have proper network security practices in place, they are
essentially inviting malicious entities to attack their system. Whether the
system is on a wired or a wireless network, it is crucial for proper safeguards
to be in place to assure safe operation while the computer is active in a live session on
the web. Some of the risks that one can expect from an unsecured network
include:
a. Unauthorized access to files and data
b. Attackers may capture website traffic, user IDs and passwords
c. Attackers may inject software to log the user's keystrokes and steal
sensitive information
d. Unauthorized access to the corporate network (in the event that the
user's network is connected to a corporate network)
e. A user's IP address could be abused by unauthorized parties for illegal
transactions (the user's network may be used to launch spam and virus
attacks on other users)
A network can be secured by using proper encryption protocols. Network
encryption applies cryptographic protection below the application layer, at
the network layer or the transport layer, so that data is protected in transit
whichever application sends it. On wired networks this is typically Internet
Protocol Security (IPsec) or TLS; wireless networks additionally need link
encryption on the radio segment. That should be WPA2 (or WPA3 where
supported): the older WEP standard, Wired Equivalent Privacy, was deprecated
in 2004 after practical key-recovery attacks and should be treated as no
encryption at all.
viii. Lack of regular updates
Cyber threats are always on the horizon. New versions and updates of operating
systems, applications and security products are released on a regular basis to
close newly discovered vulnerabilities and to guard against the latest threats.
Since some software developers only issue updates for the latest versions of
their software, a user who is still running an older version may not benefit
from those fixes at all. Unpatched, publicly known vulnerabilities are among
the easiest for an attacker to exploit, so one of the crucial ways to reduce
exposure is to regularly update the system, its network security devices and
the related software, enabling automatic updates wherever the vendor offers
them.
ix. Using wireless hotspots
Wireless users often look for convenient ways to gain Internet access, and public
Wi-Fi hotspots provide quick, easy and free access to the Internet. What could be
more convenient? A resourceful wireless user can find Wi-Fi access points in
public places such as cyber cafés, universities, offices, airports, railway
stations and hotels. However, these Wi-Fi hotspots may be insecure. Some of the
risks involved in connecting to Wi-Fi hotspots include:
a. Users may be required to use the ISP that hosts Internet access for the
business operating a particular access point. Not all ISPs provide secure
(TLS-protected) SMTP for sending e-mail. In other words, it is possible that any
e-mail sent or received by users via a "random" hotspot could be
intercepted by other users sharing the same hotspot. (All users of the same
hotspot are sharing the same network.)
b. If a user's wireless card is set to ad-hoc mode, other users can connect
directly to the user's computer.
c. If the access point does not use an encryption technology such as WPA2,
other users with a Wi-Fi card could intercept and read the user names,
passwords and any other information transmitted by a user. WEP does not
count here: it is broken and can be cracked in minutes, so a WEP-protected
hotspot should be treated as open.
While using public access points it is safe to use websites protected by
TLS (the successor of the Secure Sockets Layer, shown as https:// and a
padlock in the browser), provided the browser raises no certificate warning
and the address is the site you expect. Using infrastructure mode is safer
than ad-hoc mode, since the access point applies access controls to anyone
joining the network. A Virtual Private Network (VPN) is a secure way for a
user to connect with their company network, and it protects all traffic,
not only web traffic, from the other users of the hotspot. (A VPN creates
secure access to a private network over public connections.)
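Before joining a hotspot, the decision the section describes (is it ad-hoc, is it open, is it "protected" only by WEP) can be made from a scan listing. The script below is an added example, not from the paper: it parses the terse, colon-separated output of NetworkManager's `nmcli -t -f SSID,MODE,SECURITY dev wifi list` (on Linux) and returns a verdict for each network, ranking WEP together with open networks and flagging ad-hoc networks. The scan output is constructed in that format for this example, and the verdict wording is an assumption of this script, not NetworkManager's.

```python
import re


def parse_nmcli_terse(output):
    """Parse lines from `nmcli -t -f SSID,MODE,SECURITY dev wifi list`.
    Terse output is colon-separated and escapes literal colons as '\\:'."""
    networks = []
    for line in output.splitlines():
        if not line.strip():
            continue
        fields = [f.replace("\\:", ":") for f in re.split(r"(?<!\\):", line)]
        ssid, mode, security = (fields + ["", "", ""])[:3]
        networks.append({"ssid": ssid, "mode": mode, "security": security.strip()})
    return networks


def assess(network):
    """Return (verdict, reason) for one scanned network."""
    sec = network["security"]
    if network["mode"].lower() != "infra":
        return ("avoid", "ad-hoc: peers connect to your machine directly, "
                         "no access point enforces access control")
    if sec in ("", "--"):
        return ("untrusted", "open network: anyone in range can read "
                             "unencrypted traffic")
    if "WEP" in sec:
        return ("untrusted", "WEP: deprecated and crackable in minutes, "
                             "treat as open")
    if "WPA3" in sec:
        return ("ok", "WPA3 link encryption")
    if "WPA2" in sec:
        if "802.1X" in sec:
            return ("ok", "WPA2-Enterprise: per-user keys")
        return ("ok", "WPA2-PSK: other users who know the passphrase can "
                      "still decrypt your traffic, so use TLS or a VPN on top")
    if "WPA1" in sec:
        return ("weak", "WPA1/TKIP: superseded, prefer another network")
    return ("unknown", sec)


def triage(output):
    """Map each SSID in a scan to its verdict."""
    return {n["ssid"]: assess(n)[0] for n in parse_nmcli_terse(output)}


# Constructed scan in nmcli terse format (assumption, not a real capture).
SAMPLE_SCAN = """\
Airport_Free:Infra:
CafeLatte:Infra:WEP
HotelGuest:Infra:WPA2
Office\\:Corp:Infra:WPA2 802.1X
LaptopShare:Ad-Hoc:WPA2
"""

if __name__ == "__main__":
    for net in parse_nmcli_terse(SAMPLE_SCAN):
        verdict, reason = assess(net)
        print(f"{net['ssid']:14} {verdict:9} {reason}")
```

Even an "ok" verdict only says the radio segment is encrypted; on a shared-passphrase hotspot the page's advice still applies, and the https or VPN check is what protects the session content from the other guests.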
x. Lack of awareness / proper training
Internet and wireless technologies have revolutionized the daily routine of users.
With the aid of this technology, users can conduct transactions, access bank
accounts and reserve airline tickets in a few minutes. The downside is that
there are also incidents of data breaches and transaction fraud. Cyber security
is becoming an issue of major concern. However, users can avoid most of the
risks by employing simple precautions. (Lack of awareness is a major hurdle in
the safe use of cyberspace.) Selection of weak passwords is one of the most
fundamental errors committed by users. Unaware users are tempted to reveal
authentication details through phishing. Inadequate firewall protection and a
lack of regular software updates can make systems vulnerable to cyber threats.
Users may take precautions by adhering to the cyber security tips given on the
websites of banks, regulatory organizations, security product developers, and
national incident response teams such as US-CERT. Organizations can create
awareness among employees through regularly scheduled meetings, training
programs and workshops.
3. Conclusion
The proliferation of information technology has also presented criminals with
more attack vectors. Consequently, cybercriminals make use of every possible
vulnerability and opportunity to exploit systems and launch attacks. For
example, web feeds designed to meet users' information requirements may be
used by cybercriminals as attack vectors. Cybercrime can be countered by
proactive cyber security initiatives. Creating awareness among users is crucial
to limiting threats in cyberspace. Convergence of laws related to cyber
security across international boundaries could also assist in the appropriate
handling of cybercrime.