August 2010 Ten Deadly Sins of Cyber Security Ten Deadly Sins of Cyber Security Criminals have taken the cyber route to steal money from your wallets. Cybercrime has evolved in terms of both nature and scope. Cyber security is in response mode and growing in significance. This paper focuses on the ten deadly sins of cyber security. 1. Introduction The Information technology (IT) revolution has made it easier to communicate and disseminate information over long distances and in real time. IT has entered into major realms of a person’s life like education, occupation, commerce and entertainment. The speed, convenience and efficiency associated with IT have made it the lifeline of most organizations, government agencies, professionals and individuals. Whether you take a look at banking and finance, energy, health care, utility services and communication, IT has revolutionized every sphere of business activity and service delivery. The services sector, in particular has been one of the major beneficiaries of the IT revolution. Banks now offer multiple channels for interacting with their clients such as branch, Internet, mobile, phone and teller machines which make financial products more attractive, and banking more convenient for customers. In this case, banking industry customers are networked to their bank in one way or another. 1.1 Cyber Security Information Technology and its significance in the business world have become ubiquitous. Today’s business environment is comprised of service industries that are completely dependent on their IT infrastructure. For example, the air traffic control industry is critical to the “normal” functioning of airlines so any disruption in their “traffic control systems” can cause errors that could result in accidents and could even lead to loss of life. Conversely, a power breakdown resulting from a disruption in a company’s IT infrastructure could bring all “operational” activities to a standstill. The explosive growth and dependence on Information Technology has also provided a veritable breeding ground for cyber crime. Information Technology has made it easier for unscrupulous entities to deceive, steal and harm others through cyberspace. The ease with which these cybercrimes can be committed has raised concerns regarding information confidentiality, integrity and availability. Therefore, the importance of cyber security cannot be overstated. Cyber security involves protection of the data on all computers and systems that interact with the Internet. It is possible to achieve this level of protection by ensuring proper authentication and maintaining confidentiality, integrity and access controls. In addition, non-repudiation of data is a crucial element of cyber security. Page | 1 © Copyright EC-Council All Rights Reserved. Reproduction is Strictly Prohibited August 2010 Ten Deadly Sins of Cyber Security 2. Vulnerabilities The evolution of Cybercrime is evident when one examines how technologically advanced the scope and nature of common attacks have become. Cybercriminals have a more sophisticated modus operandi and purpose. Information can be stolen through social engineering techniques like phishing, or via direct attacks, installing malware through browser tools, ad-links, and key loggers among others. Cybercrime is steadily evolving into a well-organized but still very illegal business activity. In spite of these advances, adherence to a standard of IT Security fundamentals can facilitate appropriate handling of cyber threats. 2.1 Ten Deadly Sins of Cyber Security i. Weak passwords The most fundamental, but often overlooked premise of cyber security is strong passwords. Many users still use insecure passwords. Some of the insecure password practices include a) Using all letters of same case, b) Sequential numbers or letters, c) Only numerals, d) Less than eight-characters, e) Predictable characters (such as name, date of birth, phone number) f) Common passwords for different online accounts. Now, the question is, “What makes users use predictable passwords irrespective of perceived threats?” Consider the number of accounts that require a user to “login,” throughout a user’s daily routine. Social networking sites, bank websites, official web applications, databases and email ids. Some of the reasons for using predictable and insecure passwords include: a) Easy to remember b) Lack of uniformity in password policy across websites. A strong password must be a combination of letters, numerals and special characters and must not be less than eight characters long. A password should not be predictable. Users must employ different passwords for each of their individual online accounts. ii. Phished Do you respond to e-mails asking for account information? If your answer is, “Yes.” then you are more likely [than not], to be a victim of a phishing scam. Phishing is a common method of identity theft that utilizes fake e-mails which are sent to customers to acquire sensitive user information. Page | 2 © Copyright EC-Council All Rights Reserved. Reproduction is Strictly Prohibited August 2010 Ten Deadly Sins of Cyber Security Example: Mr. “XYZ” has a savings account with Target bank. Last weekend, Mr. XYZ received an e-mail from customersecurity@targetbank.co.uk with a subject line, ”Update your Target bank online access.” The e-mail stated that the bank had recently upgraded its services and requested that the recipient fill out a “Customer Update Form” on the link http://www.targetbank.com. Since Mr. XYZ assumed that the email came from his own bank, he clicked on the provided link. The link took him to a website which appeared to be identical to Target bank’s website. Mr. XYZ filled out the web form containing personal information as well as authentication details, which the “Customer Update Form” required. A day later, when he logged on to his online account at https://www.targetbank.com, he was shocked to find that all the funds in his account had been drained. Mr. XYZ was the victim of a simple phishing scam. Let’s review some basic details that Mr. XYZ missed in the email. First, the mail did not address him by his name; instead, it used “Dear Customer”. Second, the email id ended with “co.uk”, while ideally it should have ended with “.com.” Third, the link, “http://targetbank.com” lead to a fake site www.malicious.ie/userdetails.asp. Finaly, banks usually do not ask customers to reveal “access details” through email. This is the type of example that can be shared with an employee while training them not to respond to or click on links provided in a “suspicious e-mail.” iii. Lack of data back up A user can lose data in events such as hardware or software failure, a virus attack, file corruption, accidental file deletion, application failure, damage of partition structure, or even damage due to power failure. Appropriate data backup procedures allow a user to restore data in times of crisis. There are many ways to backup data such as storing it on CD or DVDs drives, thumb drives, and external hard disks. Users can create a complete system backup by using a disk image1. Another secure way to back up data is to employ an online backup service whose main business function is to host uploading and downloading of files as well as file compression and encryption. The basic premise behind backing up data is to make “backed up” data available for later use. Depending upon the changes in data, a user may schedule backup activity on an hourly, daily or weekly basis. Users can make use of backup options available on a backup utility to verify that all data is properly copied 1 A disk image is a complete sector‐by‐sector copy of the device and replicates its structure and contents Page | 3 © Copyright EC-Council All Rights Reserved. Reproduction is Strictly Prohibited August 2010 Ten Deadly Sins of Cyber Security It is not uncommon to “back up your back up” by creating multiple copies of data, so that in case one backup copy is damaged, another copy could be used. Data, which has been backed up, must be adequately protected from malware, Trojans or other cyber threats by using anti-virus solutions and regular updates. Another process, which can prove to be valuable, is to store a copy of data at an offsite location to safeguard data from any disaster at current premises. While recovering backup files, it is a good idea to have a data recovery software in place to retrieve files from external hard drives. iv. Insecure Internet Browsing A Web browser is the gateway to the Internet and is one of the most widely utilized applications. Web browsers are embedded with scripts, applets, plugins and Active X controls. However, these features can be used by hackers to infect unprotected computers with a virus or malicious code. For example, web browsers allow plugins like a flash viewer to extend functionality. Hackers may create malicious flash video clips and embed them in web pages. Vulnerabilities in a web browser can compromise the security of a system and its information. To control security threats, a user may: a. Disable active scripting in the web browser b. Add risky sites encountered under restricted sites zone c. Keep Web browser security level at medium for trusted sites and high for restricted sites d. Uncheck the AutoComplete password storage feature in AutoComplete e. Avoid downloading free games and applications as they may have in-built spyware and malware f. Use anti-spyware solutions Cyber threats that originate as the result of web browser vulnerabilities, can be controlled by using the latest versions of the web browser software, or by installing updates and configuring settings to disable applets, scripts, plugins and Active X controls. v. Use of pirated software Do you use pirated operating systems and/or software? If your answer is, “Yes.” then you are more likely [than not], to be vulnerable to cyber-attacks. Page | 4 © Copyright EC-Council All Rights Reserved. Reproduction is Strictly Prohibited August 2010 Ten Deadly Sins of Cyber Security The ease of availability and often low cost of pirated software can entice users to install pirated software on their computers. However, pirated software may not have the same configuration strength that is available with “genuine software.” The threat to individuals and companies from the risk of privacy, identity or data protection breaches and the exposure of financial implications in the cyber space make the purchase of “genuine software,” a must. Pirated software may be used to harvest Trojans and viruses in computer systems and since the software is “unsupported” the user is deprived of technical support. Another downside is that software updates are not available to those who have installed pirated software. We purchase software for its functionality and pirated software may lead to frequent interruptions and has even been documented to cause damage to your hard disk. Users who purchase and install genuine software products will benefit from technical support, product updates, un-interrupted services and in the long run; cost savings. vi. Misuse of Portable storage devices. The last few years have seen an increased usage of portable storage devices. These devices have brought improvements in working practices, but they also pose a threat to data via theft or leakage. These devices have high storage capacity and can easily be connected to other devices and/or to network resources. Users can use portable storage devices to download software, applications and data by connecting to official networks. Portable storage devices may also be used to download privileged business information and sensitive customer information. Organizations can restrict the use of portable storage devices to selected users or selected set of devices. “The loss or theft of portable devices can lead to loss or “leakage” of sensitive business and/or user information. “ An example: In 2007, a leading provider of a Security Certification lost a laptop containing names, addresses, social security numbers, telephone numbers, dates of birth and salary records of employees. In this case, the sensitive business information could have been encrypted to protect data from leakage, even if the device was stolen. vii. Lack of proper encryption If a user does not have the proper network security practices in place, they are essentially inviting malicious entities to attach their system. Whether a system is a wired or wireless network it is crucial for the proper security safe guards to be in place to assure safe operations while the computer is active in a live session on Page | 5 © Copyright EC-Council All Rights Reserved. Reproduction is Strictly Prohibited August 2010 Ten Deadly Sins of Cyber Security the web. Some of the risks that one can expect from an unsecured network include: a. Unauthorized access to files and data b. Attackers may capture website traffic, user id and passwords, c. Attackers may inject a software to log user key strokes and steal sensitive information d. Unauthorized access to corporate network. (In the event that the user’s network is connected to a corporate network.) e. A users IP address could be compromised and unauthorized users may use it for illegal transactions. (User network may be used to launch spam and virus attacks on other users.) A network can be secured by using proper encryption protocols. Network encryption involves the application of cryptographic services on the network transfer layer, which exists between the data link level and the application level. Data is encrypted during its transition from the data link level to the application level. Wired networks use Internet Protocol Security, while Wireless Encryption Protocol is used to encrypt wireless networks. viii. Lack of regular updates Cyber threats are always on the horizon. New versions and updates of security products are released on a regular basis with enhanced security features to guard against latest threats. A user can make use of recommended practices to improve defense against cyber-attacks. Users may also keep track of latest versions of software to improve performance. Since some software developers only issue updates for the latest versions of their software, a user that is using an older version, may not benefit from the latest updates. One of the crucial ways to reduce vulnerabilities is to regularly update the system’s network security devices and related software. ix. Using Wireless Hotspots Wireless users often look for convenient ways to gain Internet access, and public Wi-Fi hotspots provide quick, easy and free access to the Internet. What can be more convenient than that? A resourceful wireless user can find Wi-Fi access points at public places such as Cyber café’s, universities, offices, airports, railway stations and hotels. However, these Wi-Fi hotspots may be insecure. Some of the risks involved in connecting to Wi-Fi hotspots include: a. Users may be required to use the ISP that is hosting the Internet access for the business that is creating a particular access point. Not all ISPs provide secure SMTP for sending e-mail. In other words, it is possible that any e-mail that is sent and received by users via a “random” hot spot could be Page | 6 © Copyright EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Ten Deadly Sins of Cyber Security August 2010 intercepted by other users sharing the same hot spot. (All users in the same hot spot are sharing the same network.) b. If a user’s wireless card is set to ad-hoc mode, other users can connect directly. c. If the access point does not use encryption technology like WEP, other users with a Wi-Fi card could intercept and read the username, passwords, and any other information transmitted by a user. While using public access points it is safe to use secure websites protected by the Secure Sockets Layer. Using infrastructure mode is safer than ad-hoc mode as it uses access controls to connect to network. A Virtual Private Network (VPN) is a secure way for a user to connect with their company network. (VPN creates secure access to private network over public connections.) x. Lack of awareness/ proper training Internet and wireless technologies have revolutionized the daily routine of users. With the aid of this new technology, users can conduct transactions, access bank accounts and reserve airline tickets in few minutes. The downside of this new technology is that there are also incidents of data breach and transaction frauds. Cyber security is becoming an issue of major concern. However, users can avoid most of the risks by employing simple precautions. (Lack of awareness is a major hurdle in the safe use of the cyberspace.) Selection of weak passwords is one of the most fundamental errors committed by users. Unaware users are tempted to reveal authentication details through phishing. Inadequate firewall protection, lack of regular software updates can make systems vulnerable to cyber threats. Users may take precautions by adhering to cyber security tips given on websites of banks, regulatory organization, security product developers, and information security departments such as US-CERT. Organizations can create awareness among employees through regularly scheduled meetings, training programs and workshops. 3. Conclusion The proliferation of information technology has also presented the criminals with more attack vectors. Consequently, cybercriminals make use of every possible vulnerability and opportunity to exploit and launch attack. For example, web feeds designed for productive use of users in meeting information requirements may be used by cybercriminals as attack vectors. Cybercrime can be countered by proactive cyber security initiatives. Creating awareness among users is crucial to limit threats in cyber space. Convergence of laws related to cyber security across international boundaries could also assist in the appropriate handling of cybercrime. Page | 7 © Copyright EC-Council All Rights Reserved. Reproduction is Strictly Prohibited