… goals of this study are to reveal some of the common and prevailing cyber security threats. Here we plan to explore the risk that is most difficult to defend against: social engineering. We seek answers about the human elements and characteristics that contribute to the frauds and how they themselves unwittingly give out information that eventually leads to difficult situations. There are many ways in which attackers 'phish' their targets. We will look into the origin of such techniques and proceed to develop a methodology to avert such attacks.
In the highly computerized environment in which we live, a new method of multitenant services has evolved to meet the demands on memory space and time: the Cloud. The impact of these vast and complex systems has raised newer kinds of concerns, which will be assessed, and a strategy to safeguard the interests of the user against the resulting threats will be attempted. The main aim is to create a data and internet environment that is safe and secure from the social perspective.
Table of Contents
Chapter 1 Introduction
  Background of the Study
  Problem Statement
  Purpose of the Study
  Significance of this study
  Social Engineering
  Travel Threats
  WEB Threats
  The Cloudy Threat
Chapter 2: Literature Review
  Prevalent Security Methods
  Digital Signature
  Firewalls
  Redundancy
  Freshness
  Configuring a Viable Security Structure
  ISO at work
  CFO at work
  Get only Certified persons
  Building up Security Model
  Access Control
  Personal authentication
  LDAP: Lightweight Direct Access Protocol.
  Conclusion
Chapter 3: Methodology
  Research Philosophy
  Research Approach
  Research type and Time line
  Data Collection Methods
  Quantitative Validity
  Sampling Strategy
  Data Analysis
  Conclusion
Chapter 4: Results
Chapter 5: Discussion and Conclusion
  Introduction
  Statement of the Problem
  Review of Methodology
  Summary of Results
  Relationship of Research Questions to the Field study
  Discussions of Results
  Conclusion

Chapter 1 Introduction
It is said that an engineer should have a secured computer at his disposal. Consequently, many non-engineers assume that they can enjoy a computer without security.
Even if you are not a person who works with critical information, you have an identity and information that you should protect; hence you should be an informed computer user. Your information is almost always at risk if you are on a computer network. Statistically speaking, in a survey of more than 7000 businesses, the majority dealing in critical infrastructure, 67% reported at least one cyber attack (Rantala, 2008).
Nearly 60% reported a cyber attack on their computer system; 11% reported cyber theft, which includes embezzlement, fraud, and intellectual property theft; and 24% reported other cyber incidents such as port scanning, spyware, spoofing, or some type of breach that resulted in damage or a loss. On average, in the year 2011 around 26,000 complaints were registered at the Internet Crime Complaint Center (IC3), a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C).
The situation hence suggests that one should be properly secured, as sooner or later our computer system will be attacked! The most intriguing aspect of this is that you don't have to be a PhD or an experienced user to attack a computer system. Most of the time, it is just the work of an expert in his teens.

Background of the Study
In a report written by Mandiant (2013), a spear phishing attack was described targeting the company's CEO, Kevin Mandia. The goal was to attack the organization with an advanced persistent threat (APT). The spear phishing e-mail was sent to all Mandiant employees. The e-mail was spoofed to appear as if it came from the company's CEO, Mr. Mandia. In such cases, what likely happens is that personnel give out information about the company that helps the social engineer gain access and obtain further information by impersonation.
Here we find the two causes that contribute to the attack on the system: first, the gullibility of the employees, of which the attacker has taken advantage, and second, the initial breach into the system by way of breaking into the security net. As further proof of the person-centered phenomenon that we are trying to address in this proposal, consider the observation of Kevin Mitnick.
Kevin Mitnick, who actually popularized social engineering, has acknowledged the use of a technique he termed "spear phishing." In this technique, an e-mail coming from a trusted source targets a specific person or organization. The person is targeted using information found on a social networking site like LinkedIn. For example, the social engineer goes to LinkedIn and looks for network engineers because they usually have admin rights to the network (Luscombe, 2011).
Then, he or she sends those network engineers an e-mail (since he or she knows where they work) or calls them to obtain the needed information. Even a company specializing in cyber attack recovery is a spear phishing target. The social engineering attack is implicit in its nature. It is again human nature that comes into play here. That is the reason such attacks are termed non-tech hacks. High-tech hacking involves explicit penetration of the user's system by adding external programs such as malware.
These are some of the tricks or methods that are used by hackers to gain unauthorized access. On the other hand, non-tech hackers prefer to initiate a telephone dialogue with a general user of the organization. It is a simple two-telephone-call mechanism in which the first call is made to a general user to gather general technological information. Once this is gathered, the social engineer uses this information in a second call to get the critical information.
In essence, social engineers take advantage of our human nature of kindness, which makes it easy for the social engineer to pretend to be someone else. Thus, when he or she is armed with a few pieces of information, more information to break into secure networks can easily be acquired.
Another kind of vulnerability is the exposure that travellers incur when they use 'open' and unsafe network access for activities such as updating software, operating system updates and the like. These officials experience some or all of the following attacks while they are on foreign unofficial tours:
  Exploitation of electronic media and devices
  Secretly entering hotel rooms to search
  Aggressive surveillance
  Attempts to set up romantic entanglements
The exploitation could simply occur through software updates while using a hotel Internet connection ("New E-Scams & Warnings," n.d.). A pop-up window will appear to update software while the user is establishing an Internet connection in the hotel room. If the pop-up is clicked, the malicious software is installed on the laptop.
The FBI recommends either performing the upgrade prior to traveling or going directly to the software vendor's website to download the upgrade. All of these threats can be mitigated by training. It is intended in this proposal to suggest some of the procedures to avoid these eventualities.
One example of technical hacking is the damage caused by altering IP addresses. Domain name fraud converts the domain name (e.g., www.danamkaroti.org) to an incorrect IP address, thus sending the user to a website where fraudulent activity will probably occur. Internet protocol hijacking is where Internet traffic is redirected through untrustworthy networks. In such cases the use of proper technological security systems and practices will be of help to a great extent. Mitigation tactics for these threats will be discussed later in this proposal.
The cloud is exploited by hackers in several fashions.
The complex nature of the Cloud makes it prone to creating unexpected scenarios for an uninitiated user. This is a trick widely adopted by social engineers to gather critical information. Secondly, Cloud data is separated logically, not physically. This shared multitenant environment creates another opportunity for someone to gain unauthorized access. A good example is a security breach that occurred with Google Docs that allowed users to see files that were not "owned" or "shared" by them (Kaplan, 2008).
Finally, it is equally true that somebody else takes over the management rights to the data that you put on the Cloud. That raises questions such as: has your security team audited the practices of your Cloud managers? Are the practices consistent with yours? Are you really confident of their execution? Apart from other issues regarding data security, sometimes your own employees engage in real theft activity. Keeping a proper watch on a suspected employee, or on an employee retiring prematurely, can control this problem.
In the Hewlett-Packard 2012 "Cyber Risk Report," researchers determined the risk trends for cyber security. For example, the number of newly disclosed vulnerabilities had increased 19% from 2011. These come from every angle, such as web applications, legacy technology, and mobile devices. For example, the skyrocketing mobile device sales in 2012 brought with them a similar number of mobile application vulnerabilities. Mobile device applications alone have seen a 787% increase in vulnerability disclosures.
Understanding a company's technical security risk begins with knowing how and where the vulnerabilities occur within the organization ("White paper | HP 2012 Cyber Risk Report," 2013).
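The spoofed "from the CEO" e-mail described in the background above can be screened for at the mail gateway. The following is an added example, not part of the original paper: a header check run over three constructed messages. The domain `example.com`, every address, and the helper names are assumptions, and it assumes the `Authentication-Results` header is stamped by the organisation's own gateway (inbound copies of that header stripped).

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions (not from the paper): the organisation's domain and every address below.
ORG_DOMAIN = "example.com"
EXEC_NAMES = {"kevin mandia"}  # display names worth impersonating

def domain_of(header_value):
    """Lower-cased domain of the address in a header value, or '' if absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def spoof_indicators(raw_message):
    """List the reasons a message looks like executive impersonation."""
    msg = message_from_string(raw_message)
    display_name = parseaddr(msg.get("From", ""))[0].strip().lower()
    from_dom, reply_dom = domain_of(msg.get("From")), domain_of(msg.get("Reply-To"))
    reasons = []
    # An executive's display name on an address outside the organisation.
    if display_name in EXEC_NAMES and from_dom != ORG_DOMAIN:
        reasons.append("exec-name-external-address")
    # Replies routed to a different domain than the visible sender.
    if reply_dom and reply_dom != from_dom:
        reasons.append("reply-to-domain-mismatch")
    # Verdicts recorded by the receiving gateway in Authentication-Results.
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    reasons += [f"{m}-fail" for m in ("spf", "dkim", "dmarc") if f"{m}=fail" in auth]
    return reasons

def sample(from_hdr, auth, reply_to=None):
    """Build a constructed message for the demo (sample data, not real mail)."""
    headers = [f"From: {from_hdr}", "To: staff@example.com", "Subject: Please review",
               f"Authentication-Results: mx.example.com; {auth}"]
    if reply_to:
        headers.append(f"Reply-To: {reply_to}")
    return "\n".join(headers) + "\n\nSee attached.\n"

CEO = '"Kevin Mandia" <kevin.mandia@{}>'
EXACT_DOMAIN_SPOOF = sample(CEO.format(ORG_DOMAIN), "spf=fail; dkim=none; dmarc=fail",
                            reply_to="kevin.mandia@example-mail.test")
LOOKALIKE = sample(CEO.format("example-corp.test"), "spf=pass; dkim=pass; dmarc=pass")
LEGITIMATE = sample(CEO.format(ORG_DOMAIN), "spf=pass; dkim=pass; dmarc=pass")

if __name__ == "__main__":
    for label, raw in (("exact-domain spoof", EXACT_DOMAIN_SPOOF),
                       ("lookalike domain", LOOKALIKE), ("legitimate", LEGITIMATE)):
        print(f"{label}: {spoof_indicators(raw)}")
```

The lookalike case passes SPF, DKIM and DMARC because the sender controls that domain, so the display-name check is the only one that flags it.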
Problem Statement
Why is it that the helpful side of human nature is responsible for passing critical information to a stranger? How is it that, in spite of the user being highly educated and adequately warned, the social engineer succeeds in obtaining information from the computer user? What tricks are adopted by these hackers to get critical information without using computers? Does travel by a general user add to the security risk for the organization? How does the use of state-of-the-art technologies like Cloud Computing affect cyber risks?

Purpose of the Study
The aim of this proposal is to highlight some of the common cyber security threats. Here we will explore the risk that is most difficult to defend against: social engineering (Mitnick, Simon, & Wozniak, 2002). We will seek answers about the human elements and characteristics that contribute to the frauds and how they themselves unwittingly give out information that eventually leads to difficult situations. There are many ways in which attackers 'phish' their targets. We will look into the origin of such techniques and proceed to develop a methodology to avert such attacks.
In the highly computerized environment in which we live, a new method of multitenant services has evolved to meet the demands on memory space and time: the Cloud. The impact of these vast and complex systems has raised newer kinds of concerns, which will be assessed, and a strategy to safeguard the interests of the user against the resulting threats will be attempted. The main aim is to create a data and internet environment that is safe and secure from the social perspective.
Significance of this study
This study covers and explains 4 types of threats, which are:

Social Engineering
In his book, The Art of Deception, Kevin Mitnick goes through story after story based on what he calls one of the fundamental tactics of social engineering: "gaining access to information that a company employee treats as innocuous, when it isn't" (Mitnick, Simon, & Wozniak, 2002). Social engineering tactics can only be countered by properly training the system users.

Travel Threats
Another area that is usually ignored by high-tech users is the social engineering that occurs while traveling. Businesspeople, government officers, and senior executives in 'critical' organizations who are traveling abroad are constantly targeted for a variety of sensitive information.

WEB Threats
The FCC's chairman, Julius Genachowski, has stated that the three top cyber threats are botnets, domain name fraud, and Internet protocol route hijacking (Grace, 2012). Bot-infected computers are computers that are controlled by an attacker. A botnet is the collection of those computers that, according to the FCC, "pose a threat to the vitality and resiliency of the Internet and the online economy."

The Cloudy Threat
The cloud model shares resources such as networks, servers, storage, applications, and services. In other words, a cloud offers computing, storage, and software "as a service" (Buyya, Broberg, & Goscinski, 2011).

Chapter 2: Literature Review
Cyber terrorism can turn an ordinary person's life upside down with no prior warning.
Compromised data is one of the basic sources of scams, attacks and scandals (Kelly & McKenzie, 2002). Imagine an honest computer instructor at a local state school who got sacked and was convicted of base level charges. It was all because of spyware and the lack of an Internet security professional at her computer school. It so happened that some student downloaded a game and malicious spyware got inside the system. The next time the computer was started, the spyware was activated and opened a pop-up window from pornographic sites. The computer instructor was convicted of risk of injury to a minor (Eckelberry et al., 2007).

Prevalent Security Methods

Digital Signature
A standard way of maintaining privacy, consent and confidentiality of web-based messages and data is to process the exchange through SSL (Secure Sockets Layer) encryption. A simple explanation of the process can be given thus: a public key format of an individual is applied to the message, in what is known as "signing" the message. A "hashing" of the message then takes place; thus a sender is uniquely identified. Thus a sender's identification can be used to establish his authenticity. The unique identification marks are called 'digital signatures' and are unique to a sender. This immediately implies that it is important to be careful while opening mails from an unknown sender, and that privacy, too, is maintained (Kelly & McKenzie, 2002).

Firewalls
Firewalls are software or hardware mechanisms that allow through only those incoming data and communications that come from recognized and trusted IP addresses. Such protection shields are easily available in the open market and have almost outlived their use as security tools for highly sensitive applications like, for example, the case of the 15-year-old scouring through classified material, proved in no uncertain.