In this paper, we examine the impact of cyber crime on individuals and organizations by focusing on the different theories, tools / techniques, models and costs. We then demonstrate what tactics can be utilized to mitigate and adjust to these threats over the long term.
IT Risk Management -- Cyber Crime
Over the last several years, the issue of cyber crime has increasingly been brought to the forefront. This is because it is seen as a tool which can be used to conduct espionage, terrorism or criminal activities. As a result, more rogue nation states and other organizations are taking an active part in these activities. The U.S. Internet Crime Complaint Center received a total of 336,665 reports of cyber related activities last year, accounting for $559.77 million in losses. (Liu, 2013)
What makes these figures so troubling is that they come from just one organization which is monitoring the scope of cyber related crimes. Applied around the world, these statistics easily cross into the trillions of dollars in losses. This is problematic because it illustrates how these activities are not monitored or accurately reported. These challenges highlight the issues affecting a number of different individuals and organizations. (Liu, 2013)
To make matters worse, these crimes are becoming more common as larger numbers of people use the Internet to conduct a host of activities (ranging from entertainment to financial transactions). According to Liu (2013), a total of 2.95 billion people worldwide are online every single day. This creates a new platform which provides hackers with a large number of potential targets. (Liu, 2013)
Recently, these problems have been compounded by an increase in the total amount of cyber related activities associated with espionage. In a 2012 report, the Pentagon found that the Chinese government was directly involved in these kinds of attacks against the U.S. government and American business interests. The basic objective was to use the information obtained to gain more of an advantage on the battlefield or in competing against multinational firms. (Shakarian, 2013)
This example illustrates how the overall scope of cyber related criminal activities has been increasing. The primary reason is that the Internet is used as a place to store information and easily retrieve it. For cyber criminals, rogue states and terrorist organizations, this is an effective tool for achieving their objectives without having to go through the conventional means of stealing it. This is significant because it illustrates how cyber crimes have become more brazen. In the future, these activities will lead directly to similar incidents, which could have negative implications for various individuals, firms and organizations. (Shakarian, 2013)
Fully understanding what is happening requires looking at the way cyber crime is becoming more common and the lasting effects it is having. This will be accomplished by examining the different theories, tools / techniques, models and costs. Together, these elements will highlight the scope of the problem and its lasting effects on a variety of organizations. At that point, a risk assessment plan can be created to effectively mitigate these challenges over the long term.
Theories
There are a number of theories that are used to explain how cyber crime occurs and the overall scope of these activities. The most notable include the classical, self-control and routine philosophies. These ideas illustrate why it is taking place and the views of the perpetrators who become involved.
The Classical Theory
The classical theory is based upon the belief that most people will not participate in any kind of illegal activity, because they realize that the consequences are severe if they are caught. These opinions serve as a deterrent that prevents them from taking part. According to Gryzbowski (2012), these ideas are supported by the views and perceptions of someone being punished for their participation. (Gryzbowski, 2012)
Evidence of this can be seen with her saying, "The classical theorists think people will not participate in crime if they know what the punishment will be, that it will be delivered rapidly, and it is certain. This is because when it occurs the consequences from committing the crime outweigh the benefits an individual would have received from committing it. People rationally choose not to participate in criminal acts. In order to prevent them from occurring, they know that consequences will outweigh the benefits. This is when they will freely choose not to participate in this behavior." (Gryzbowski, 2012)
These ideas illustrate how the classical theory of crime is based upon a certain amount of deterrence from the prospect of being caught and severely punished. At that point, people will follow the various provisions of the law and avoid participating in these kinds of activities. In the case of cyber crime, there are no real penalties for those who are involved and no ability to effectively catch them. This is because these actions take place across international borders and most people can hide their identities. To make matters worse, many different states have been known to directly or indirectly support cyber crime, because it gives them the ability to severely weaken their adversaries and strengthen their own capabilities. (Gryzbowski, 2012)
At the same time, the lack of regulations inside many countries is making the situation more severe. For instance, inside China an entire underground economy has been established that is focused exclusively on cyber crime. A good example of this can be seen in observations from Jianwei (2012), who determined that this is contributing to an $852 million black market. What makes the problem so challenging is that there are no effective regulations to curtail these activities. (Jianwei, 2012)
Inside the U.S., these activities are becoming more brazen. This is taking place because criminals do not feel that they will be caught. Instead, they believe that cyber crime is a good way to reap lucrative financial rewards. A study conducted by the Ponemon Institute found that these crimes are becoming more common, saying, "Organizations need to be more vigilant in protecting their most sensitive and confidential information. Key takeaways from this research include:
Cyber crimes continue to be costly. We found that the average annualized cost of cyber crime for 56 organizations in our study is $8.9 million per year, with a range of $1.4 million to $46 million. In 2011, the average annualized cost was $8.4 million. This represents an increase in cost of 6% or $500,000 from the results of our cyber cost study published last year.
Cyber attacks have become common occurrences. The companies in our study experienced 102 successful attacks per week and 1.8 successful attacks per company per week. This represents an increase of 42% from last year's successful attack experience. Last year's study reported 72 successful attacks on average per week.
The most costly cyber crimes are those caused by denial of service, malicious insiders and web-based attacks. Mitigation of such attacks requires enabling technologies such as SIEM, intrusion prevention systems, application security testing and enterprise governance, risk management and compliance (GRC) solutions." (Shavers, 2012)
These findings show how cyber crime is becoming more common, because there is a lack of penalties and of the ability to catch offenders. Based upon the classical theory, these challenges show how more criminals are seeing the potential rewards they can make from these activities. This means that there are no deterrents and limited capabilities to prevent these incidents. When this happens, their overall scope will continue to increase. (Shavers, 2012)
The Self-Control Theory
The self-control theory holds that these crimes will occur when someone has a lack of control over these issues. This encourages them to become involved in these activities based upon their inability to personally inhibit their actions. When this takes place, they will turn to crime as a way to enhance their lifestyle. (Gryzbowski, 2012)
In the case of cyber crime, this theory highlights how these actions are creating a situation where more people are encouraged to participate. This is because they have no self-control and will use cyber crime as a way to realize lucrative financial rewards. In many cases, organized crime elements have been participating and are realizing similar benefits from these opportunities. (Gryzbowski, 2012)
Evidence of this can be seen with observations from the UN Interregional Crime and Justice Research Institute which said, "Cybercrime has become a billion dollar industry -- therefore it is of no surprise that organized crime groups are increasingly seeking a share of the illicit profits. Attracted by the high rewards and low risk that many online criminal ventures provide, more and more organized criminal groups are focusing less on traditional criminal activities, and instead setting up online criminal networks. These groups plan, organize and commit all forms of online crime -- from fraud, theft and extortion, to the abuse of children. Unfortunately, the structure of such organizations makes them very difficult to be intercepted. Unlike traditional criminal groups, online groups generally operate on a 'stand alone' basis, with members rarely coming into direct physical contact with one another, and only meeting online. The organizations are usually run by a core group, which divides the different responsibilities of an operation (e.g. spamming, web design, data collection) among the members. The members run their own outer networks to fulfill those responsibilities -- rarely even having contact with each other online. The decentralized structure of the internet, as well as the high levels of anonymity it provides makes it difficult for law enforcement agencies to locate cybercriminal groups. A group could have networks in a myriad of different countries, whilst using servers based in numerous different countries and jurisdictions. Furthermore, many national jurisdictions lack the legislative framework required to properly prosecute online crime." (Collins, 2012)
These insights illustrate how the lack of self-control is creating a situation where more criminals or organizations are turning to cyber crime. What makes the situation worse is that they can work anonymously and conduct these activities with little to no negative effects. As a result, these individuals and groups participate in order to reap the lucrative rewards. The self-control theory thus highlights why this is becoming so common and the effects it is having on criminals and other related organizations. (Collins, 2012)
The Routine Theory
The routine theory holds that crimes will occur when there is an intersection between the time, space, motivated offenders, attractive targets and a lack of effective law enforcement. This creates the perfect environment for someone to conduct illegal activities and increases the odds that they will be able to get away with it. When this occurs, they will continue to commit these crimes over and over based upon the rewards they are receiving from them. According to Walsh (2010), this will encourage these activities to become more frequent, until there is some kind of effective deterrent in place to stop them. (Walsh, 2010)
Evidence of this can be seen with Walsh (2010) saying, "It does not so much matter why individuals are motivated to commit crimes, what matters is that an individual with the inclination to commit a crime is in the right place to move against his or her target at the right time when there is no one around to stop the offender. The absence of any one of the conditions would be sufficient to prevent a crime from occurring. If an individual is motivated to steal an object from a victim's house, but there is always someone home, then the offender will be unable to commit the crime. In sum, according to routine activity theory; a crime can only occur if there is an offender, a suitable target, and no guardians around to protect the target." (Walsh, 2010)
This illustrates how criminal activities will occur when there is the opportunity to conduct them and a high probability of being able to benefit. In the case of cyber crime, these conditions are common: there is a lack of regulations and effective monitoring, and no one is aware of what is happening until it is too late. The more individuals and organizations realize this, the greater the odds are that these activities will become increasingly common. This is the exact situation and one of the reasons why cyber crime is continually increasing in scope. (Yates, 2013)
Tools / Techniques
There are a number of different tools and techniques which are utilized by cyber criminals to conduct a variety of attacks against vulnerable targets. The most notable include botnets, fast flux, social engineering and skimmers. Each one of these has been utilized to achieve the different objectives of these individuals or organizations. In some cases, this means completely shutting down an entire computer system or network. At other times, it involves stealing personal or financial information. (Casey, 2011)
A botnet is a network of robots (i.e. bots) which are designed to spread malware. This is used to infect a computer system's files and provide criminals with access to the information inside it. This takes place in the form of a denial of service attack, which floods a server or network with traffic in order to make it unavailable to users. In many cases, this is used as a preferred method of seeking out computers that are online and infecting them with some kind of virus. According to Robinson (2011), these techniques are the most common tools which are utilized to gain access to critical information. (Robinson, 2011) (Casey, 2011)
Evidence of this can be seen with him saying, "The use of botnets for malicious activities has grown significantly in recent years. Criminals leverage the flexibility and anonymity associated with botnets to harvest personal data, generate spam, distribute malware and launch distributed denial-of-service attacks. These same attributes readily translate to applications that can support operations in warfare. In 2008, distributed denial-of-service attacks launched by botnets targeted IT assets belonging to Estonian banks, newspapers and parliament. This crippled their infrastructure for weeks." (Robinson, 2011)
This illustrates how these tools and techniques can allow criminals to take control of entire networks and exploit the information inside. When this happens, they can quickly retrieve it and prevent someone from being able to access it in the future. The victim is then forced to spend time and money trying to restore everything back to normal. During this process, these individuals and organizations will have achieved their primary goals and moved on to another entity with similar vulnerabilities. When this process is continually repeated, the rewards can be very lucrative for anyone who is conducting these kinds of activities. (Robinson, 2011) (Casey, 2011)
Fast flux involves quickly moving data around to avoid any kind of detection of the malware or of where it originated. This often involves seizing control of computers which have been hacked into (in order to hide the location / identity of cyber criminals). It is achieved by collecting a large number of IP addresses and using these computers to hide the location where the attack is originating from. (Robinson, 2011) (Casey, 2011)
This makes it difficult to determine who is involved and the precise locations from which they are operating. For cyber criminals, this is an effective tool / technique to quickly steal information without anyone knowing where they are until it is too late. They can then move on to another location and protect themselves against detection by law enforcement. (Robinson, 2011) (Casey, 2011)
Social engineering is when cyber criminals use lies and manipulation to trick someone into revealing their personal information (i.e. phishing). This involves posing as a representative from a legitimate organization and requiring this data to solve some kind of fictitious problem. Once the victim has revealed it, these individuals will use it to gain access to their bank accounts and possibly commit identity theft. In some cases, this can provide them with the ability to go into the database of a large organization and steal entire quantities of files. (Robinson, 2011) (Casey, 2011)
Skimmers are used to steal credit card information when someone is at a store or restaurant and the card is out of the sight of the owner. This data is sold online to various criminal organizations. They will utilize it to take large sums of money, gain access to bank accounts or charge various goods / services to the individual. (Robinson, 2011) (Casey, 2011)
These different tools and techniques show how criminals and related organizations have become very sophisticated in committing cyber crime. This helps them to gain access to the data they need and to protect their locations / identities. When this happens, they can conduct their operations quickly and then move on to the next target without the fear of retribution. (Robinson, 2011) (Casey, 2011)
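A defender-side sketch of how the address rotation described above can be spotted in DNS logs, added here as an illustration and not drawn from the cited sources. It assumes fast flux appears as one domain resolving to many addresses in unrelated networks with short TTLs; the thresholds, domain names and sample rows are constructed.

```python
from collections import defaultdict
from ipaddress import ip_network

# Thresholds are assumptions for illustration; tune them against real DNS logs.
MIN_IPS = 8        # distinct answer addresses seen for one domain
MIN_NETWORKS = 5   # distinct /16 networks those addresses fall into
MAX_TTL = 300      # seconds; rotating records are served with short TTLs


def build_sample():
    """Constructed passive-DNS rows: (domain, answer_ip, ttl_seconds)."""
    rows = []
    # Flux-like: every lookup returns a host in an unrelated network.
    for i in range(12):
        rows.append(("shop-login.example",
                     f"10.{i + 1}.{i * 7 % 250}.{i + 20}", 120))
    # CDN-like: many addresses and short TTLs, but all in one network.
    for i in range(12):
        rows.append(("static.cdn.example", f"10.200.3.{i + 1}", 60))
    # Ordinary site: two stable addresses with a long TTL.
    for ip in ("10.50.0.10", "10.50.0.11") * 3:
        rows.append(("intranet.example", ip, 3600))
    return rows


def profile(rows):
    """Summarise each domain: address count, network spread, largest TTL."""
    ips, ttls = defaultdict(set), defaultdict(list)
    for domain, ip, ttl in rows:
        ips[domain].add(ip)
        ttls[domain].append(ttl)
    summary = {}
    for domain, addrs in ips.items():
        nets = {ip_network(f"{a}/16", strict=False) for a in addrs}
        summary[domain] = {"ips": len(addrs),
                           "networks": len(nets),
                           "max_ttl": max(ttls[domain])}
    return summary


def flag_fast_flux(rows):
    """Return domains matching all three signals.

    Requiring network spread keeps the CDN-like domain, which also rotates
    many short-lived addresses, from being flagged.
    """
    return sorted(d for d, p in profile(rows).items()
                  if p["ips"] >= MIN_IPS
                  and p["networks"] >= MIN_NETWORKS
                  and p["max_ttl"] <= MAX_TTL)


if __name__ == "__main__":
    for name, stats in profile(build_sample()).items():
        print(name, stats)
    print("flagged:", flag_fast_flux(build_sample()))
```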
Models
Protecting firms and individuals against these kinds of issues requires a risk management plan that takes into account the overall nature of the threat and evolves with new challenges in the future. This will allow everyone to keep up with the latest tools and tactics utilized by cyber criminals and reduce the odds of criminals being able to exploit their different vulnerabilities. (Vacca, 2010) (Solomon, 2008) (Gregg, 2010)
The best way to mitigate cyber crime is to utilize an all-encompassing strategy that is focused on a number of areas. The most notable include having multiple firewalls in place, restricting who is provided with access to sensitive information, limiting the amount of data that is stored on mobile devices and always being watchful for suspicious activity. Anyone who uses a combination of these elements will be able to keep up with the threats they are facing and reduce the chances of them or their organization becoming the victims of cyber criminals. (Vacca, 2010) (Solomon, 2008) (Gregg, 2010)
Having Multiple Firewalls
A firewall makes it difficult for botnets to take over the computer system, server or network. This is because it serves as the first line of defense by encrypting sensitive information and preventing them from being able to access the operating files. They will be denied access to this information and cannot breach it without a lot of time / effort. Most criminals will more than likely move on to other targets. (Vacca, 2010) (Solomon, 2008) (Gregg, 2010)
In the event that there is a breach, multiple firewalls should be utilized together. This is when they are all interconnected to prevent cyber criminals from being able to access information by overcoming one obstacle. Instead, they will have to go through a series of blocks that become progressively more difficult for them. This increases the odds of their activities being identified by the software from one or a combination of these firewalls. At that point, they will be isolated and prevented from gaining further access to the system. (Vacca, 2010) (Solomon, 2008) (Gregg, 2010)
Restricting Access to who is provided with Sensitive Information
Restricting access to sensitive information is when all personal data is stored offline. This means that organizations and individuals will not use different online retrieval systems or cloud computing to gain entry to their personal information (i.e. user names, passwords, Social Security numbers or dates of birth). Instead, they will be required to enter it every single time they want to access an application (utilizing something that is secretive in nature). This makes it more difficult for cyber criminals to create an online profile of the individual. (Vacca, 2010) (Solomon, 2008) (Gregg, 2010)
At the same time, all personal information which is shared over social networks (such as Facebook and LinkedIn) should be limited. This is because many organizations and hackers will use what they learn to trick someone into revealing more about themselves. They can then utilize this information to create a profile of the person and pretend to be from a legitimate organization. Anyone who responds will more than likely have their information stolen in the process. If all sensitive data is restricted, it will be more difficult for cyber criminals to understand the person, their interests and the various groups / organizations they are affiliated with. This decreases the chances of some kind of security breach occurring through various phishing techniques. (Vacca, 2010) (Solomon, 2008) (Gregg, 2010)
Limiting the Amount of Data that is Stored on Mobile Devices
Mobile devices (such as smart phones) are one of the easiest ways for cyber criminals to gain access to sensitive information. This is because they have fewer security features and most people assume that their personal information is safe. For many hackers, this is one of the most effective ways to go around organizational and individual firewalls on servers, networks or computers. In most cases, they are able to breach them quickly and gain access to some of the most sensitive information (such as passwords, files and personal information). This can be used to log into various web sites and then download some kind of malware. (Vacca, 2010) (Solomon, 2008) (Gregg, 2010)