Cybercrime

Question 1: What steps can organizations take to prevent incidents of cybercrime?

Answer 1: Organizations prevent cybercrime through the proper use of personnel, resources, and technology. Top-level management must ensure that employees understand the required computer configurations, user functions, and security practices necessary to prevent cybercrime (Prevention Tips, n.d.). Policies for training, security controls, and information protection should be implemented and monitored by management and by the employees responsible for carrying them out.

Upon arrival at the scene of a cybercrime, forensics professionals can investigate whether the affected computers had the correct security patches and updates installed (Prevention Tips, n.d.). In determining the source of the incident, the forensics examiner identifies the organization's security weaknesses and recommends measures to prevent future crimes. Proper encryption, access controls, and strong passwords must be used by the organization to prevent cybercrime (Prevention Tips, n.d.). If patches and updates were missing, the likely entry point is a known vulnerability that an attacker exploited. If the patches and updates were installed, the investigator instead has to determine how the penetration occurred and what more advanced methods were used to perform the attack; a fully patched system is not proof that no intrusion took place.

Organizations should pay attention to Internet and e-mail use, fraudulent websites, and e-mail messaging as they relate to cybercrime (Prevention Tips, n.d.). Employee training reduces the chance that staff inadvertently reply to fraudulent e-mails requesting financial information or browse fraudulent websites set up to collect personal and financial data. If an organization uses the Internet to conduct business, it should ensure that employees' personal information, corporate trade secrets, and financial information are never exchanged over unencrypted or otherwise insecure connections.

Prevention tips. (n.d.). Retrieved July 16, 2007, from Symantec Web site: http://www.symantec.com/avcenter/cybercrime/prevention.html

Question 2: What are some incident prevention techniques used to prevent network intrusions?

Answer 2: Organizations use intrusion prevention systems (IPSs) to protect information systems from intruders, whether individuals, organizations, or nation-states, who seek access to critical corporate data and private personnel information. An IPS also reports to the organization's security personnel and to the forensic examiner, which helps establish where an incident occurred (McAfee, 2005). The IPS hardware and software inspect, and can block, traffic on the network in order to intercept intrusion attempts (McAfee, 2005). Individual systems such as laptops, personal computers, and servers that accept network packets are inspected while on the network, either preventing the incident outright or at least containing it (McAfee, 2005).

When an attack is detected, an IPS commonly blocks the offending traffic itself or signals other security software to halt related intrusion activity (McAfee, 2004). Because an inline network IPS sits in the traffic path, all network communication passes through it, allowing early detection of the threat and of the source of the incident (McAfee, 2004). An IPS can only judge traffic it can see, however: encrypted sessions it cannot decrypt and activity that never crosses the monitored segment remain invisible to it. An incident in which the network is penetrated and/or network packets are intercepted commonly proceeds through several stages: reconnaissance, scanning, gaining access, maintaining access, and clearing tracks (McAfee, 2004). Both host-based and network-based prevention systems give the organization the ability to stop the incident and allow the forensics investigator to establish its source and review the log of network activity related to it. Where there is reason to believe confidentiality has been compromised, a host-based IPS can be deployed to protect electronic information from backdoor programs and keyboard-logging programs (McAfee, 2005). IPSs provide this security barrier through constant scanning of network packets and information exchanges to pick out malicious activity (McAfee, 2004).

McAfee, Inc. (2005, February). Host and network intrusion prevention: Competitors or partners. Retrieved June 16, 2007, from http://www.mcafee.com/us/local_content/white_papers/wp_host_nip.pdf

McAfee, Inc. (2004, October). Network intrusion prevention systems justification and ROI. Retrieved June 16, 2007, from http://www.mcafee.com/us/local_content/white_papers/wp_nps_justification_roi.pdf

Question 3: How can an organization prevent an identity theft incident from occurring?
Answer 3: Organizations must identify the types of information that require privacy protection, as well as the hardware and software components responsible for securing, exchanging, and storing that private information (The Ultimate Guide to Identity Theft Prevention, 2006). In addition, the organization's security and privacy policies must be clearly written and distributed throughout the organization so that there are no privacy compliance gaps. Preventing identity theft incidents involves identifying the places in the organization where identity information could be stolen. Organizations should ensure that mail is picked up and dropped off in a secure location; it must never be left out over a weekend and should always be kept in a locked box to prevent organizational identity theft (The Ultimate Guide to Identity Theft Prevention, 2006).

Employees must understand that they are not to conduct personal online transactions at the workplace, and that they should not transmit their personally identifiable information over any connection that is not encrypted and running up-to-date software. Fraudsters may also submit seemingly valid credit card applications and purchase orders in a company's name in order to obtain money or goods (The Ultimate Guide to Identity Theft Prevention, 2006). Those who commit this fraud submit the applications using a credible address; however, the phone number, e-mail address, and delivery location will not match those of the actual company. Six-figure orders will be placed by illegitimate parties who have no intention of ever providing a product back to the organization (The Ultimate Guide to Identity Theft Prevention, 2006). The same fraud can be carried out when the fraudster uses other people to forward the order as part of a work-from-home scheme, which makes it very difficult to detect, track, and prevent. Experts therefore advise validating the source of every such order, including checking the domain registration of the e-mail address against the company the order claims to come from, to decide whether the order should be investigated as potential fraud (The Ultimate Guide to Identity Theft Prevention, 2006).

The ultimate guide to identity theft prevention. (2006). Retrieved July 16, 2007, from Your Credit Advisor Web site: http://www.yourcreditadvisor.com/blog/2006/10/the_ultimate_gu.html

Question 4: How can organizational security policies prevent security incidents?

Answer 4: Policies made up of security and physical practices and procedures reduce the probability of a security attack and give forensic investigators a greater ability to detect or monitor an ongoing attack (Van der Walt, 2001).
Through the security policy, the forensic examiner can identify the policies, practices, and procedures the organization followed in attempting to provide confidentiality, integrity, and availability of its information and information systems. Once the investigator has read the security policy, he or she understands how the organization intended to prevent security incidents (Van der Walt, 2001). Forensic professionals can study the security policies to see which procedures, or gaps in them, led to the security incident and which mechanisms may have been involved.

Organizational security starts with drafting a security policy. The policy identifies all users, the hardware and software resources requiring protection, and the internal and external assets that fall under the security plan (Importance of Corporate Security Policy, n.d.). Users, administrators, and managers use the security policy to define the security environment and to prevent or respond to security incidents. The security policy must state both the goals of the security plan and the measures by which its success is judged. Any standards used to measure compliance should also be part of the plan and available for the forensics professional to review (Importance of Corporate Security Policy, n.d.).

Organizations need security guidance in the form of binding documentation so that information security can be enforced (Importance of Corporate Security Policy, n.d.). Risk analysis and security risk assessment provide the basis for drafting the various sections of the security policy. Together, this preparation and the enforcement of the policy both prevent security incidents and help forensics professionals understand the security environment (Importance of Corporate Security Policy, n.d.).

Importance of corporate security policy. (n.d.). Retrieved July 16, 2007, from Symantec Web site: http://securityresponse.symantec.com/avcenter/security/content/security.articles/corp.security.policy.html

Van der Walt, C. (2001, August 27). Introduction to security policies, part one: An overview of policies. Retrieved July 16, 2007, from SecurityFocus Web site: http://www.securityfocus.com/infocus/1193

Question 5: What training can be provided to employees to ensure security incident prevention?

Answer 5: For employees and the organization to understand what must be done to prevent security incidents, the organization must first identify the cyberthreats facing it and the typical actions of internal users that compromise the privacy, confidentiality, integrity, and availability of information (Critical Incident Prevention Practice, n.d.). Organizations also need to ensure that employees can respond to the identified threats, which requires knowledge of the federal, state, and local rules and regulations governing information security and privacy. Through training, employees must learn the acceptable and unacceptable ways to use computers and electronic equipment, so that the first steps toward preventing security incidents are taken (Reid & Hilldale, 2006). Training should also cover the devices that affect the confidentiality, integrity, and availability of information.
Any corporate security standards must be part of the training and tied to awareness of both the security threat and the proven prevention techniques (Reid & Hilldale, 2006). Any systems or accounts under an employee's control must be kept secure through employee training and the practices it teaches (Reid & Hilldale, 2006). The organization's rules for setting up passwords, at both the user and system level, need to be clearly stated to the employee. Knowing how to conduct business operations securely over the Internet and how to transmit, receive, and exchange private information electronically should be part of any security training (Reid & Hilldale, 2006).

Critical incident prevention practice. (n.d.). Retrieved July 16, 2007, from MARSH Web site: http://www.marshriskconsulting.com/st/psev_c_362_sc_321862_nr_302.htm

Reid, G., & Hilldale, D. (2006, November 3). Acceptable use policy template. Retrieved July 16, 2007, from FIRST Web site: http://www.first.org/resources/guides/aup_generic.doc

Question 6: How can CSIRTs help organizations recover from security incidents?

Answer 6: Organizations should establish a Computer Security Incident Response Team (CSIRT) responsible for responding to computer security incidents and reviewing the affected systems and any related reports or activity (CSIRT FAQ, 2007). By establishing a response team, the organization can respond when a threat attempts to forcibly acquire data without authorization, disrupt networked operations, store data through unauthorized means, or change system hardware and software without the organization's or the user's knowledge (CSIRT FAQ, 2007). The CSIRT is specifically trained to identify, understand, and respond to security incidents in these areas (CSIRT FAQ, 2007). It handles incident identification, required reporting, incident analysis, and the actual response to the incident, and so provides the organization and the forensics examiner with a central authority for incident identification, recovery, and reporting (CSIRT FAQ, 2007). The CSIRT matters to the forensic examiner because it can supply the investigator with critical incident information, saving time in the collection of evidence. The CSIRT helps the organization recover from the incident as a whole because of the in-depth knowledge it has gained in training about corporate systems, networks, policies, procedures, and response techniques (CSIRT FAQ, 2007). Standard operating procedures and policies related to incident response are within the knowledge of the CSIRT (CSIRT FAQ, 2007).
Any policies governing how hardware, software, and communications are to be used are also known to the CSIRT. The CSIRT knows the organization's policies, systems, and network configurations, and how these resources are meant to be used. It gives the organization an immediate source of responsible input once it has been determined that a response to a security incident is needed (CSIRT FAQ, 2007).

CSIRT FAQ. (2007). Retrieved July 8, 2007, from the CERT Web site: http://www.cert.org/csirts/csirt_faq.html

Question 7: How do organizational IT personnel recover from a network intrusion incident?

Answer 7: After a computer security incident has occurred and been contained through the proper information technology (IT) security procedures, the user should analyze the affected system and assess any harm that has been caused. Trained IT personnel with security experience can examine the system and the network to determine the scope of the incident (Cook, 2000). It is important for the user to communicate with the IT personnel so that all error messages, application activity, legitimate processes, and suspicious processes are recorded; if forensic professionals arrive on the scene later, having this information on hand is essential. After the user and the IT personnel have completed the analysis needed to identify the threat, it is critical to establish the cause of the incident and to determine whether the incident could have been handled with better speed and accuracy (Cook, 2000). Once the analysis phase is complete, a network administrator applies the correction to the affected security component to prevent future attacks (Cook, 2000).

Virus attacks come in many forms and can cause mild to severe damage to a system and its operations; therefore, it is critical for users to understand which files the virus affected and to compare them against a known-good copy taken before the incident (Cook, 2000). Running up-to-date antivirus and antispyware software to restore stability is a critical user responsibility and part of the organization's security policy (Cook, 2000). Once IT personnel, the Computer Security Incident Response Team (CSIRT), and/or the system administrator in charge of responding to security incidents arrive on the scene, several activities must take place (Cook, 2000). It must be established whether the incident resulted from a complete lack of virus protection or merely from out-of-date virus signatures, and whether employees may have violated the company's security policies (Cook, 2000). After the attack is contained, it is productive to review whether the response to the incident was justified, correct, and timely, and whether it actually corrected the problem (Cook, 2000).

Cook, C. (2000, November 29). An introduction to incident handling. Retrieved May 26, 2007, from SecurityFocus Web site: http://www.securityfocus.com/infocus/1184
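The "known-good copy" comparison that Answer 7 relies on can be automated. The following Python script is an added example, not code from the study guide or from Cook's article: it records a SHA-256 inventory of a directory tree while the system is known to be clean, then compares the tree's current state against that inventory during recovery and lists the files that were added, removed, or modified. The directory layout, file names, and the simulated infection in demo() are constructed for the example.

```python
"""Known-good baseline comparison for incident recovery.

Added example; not part of the original study guide or any cited source.
The sample directory contents created in demo() are constructed for the
example and do not correspond to any real system.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file (path relative to root) to its SHA-256 digest.

    Symlinks are skipped on purpose: following them would let an attacker
    point the scan at a file outside the tree or hide a replaced file
    behind a link to the original.
    """
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            if full.is_symlink() or not full.is_file():
                continue
            baseline[full.relative_to(root).as_posix()] = sha256_file(full)
    return baseline


def compare_baseline(known_good: dict, current: dict) -> dict:
    """Classify every path as added, removed, modified, or unchanged."""
    known, now = set(known_good), set(current)
    both = known & now
    return {
        "added": sorted(now - known),
        "removed": sorted(known - now),
        "modified": sorted(p for p in both if known_good[p] != current[p]),
        "unchanged": sorted(p for p in both if known_good[p] == current[p]),
    }


def save_baseline(baseline: dict, path: Path) -> None:
    """Persist the inventory. In real use keep this copy off-host or on
    read-only media so that a virus cannot rewrite it along with the files."""
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Run the workflow on a constructed tree: record the known-good copy,
    simulate an infection that alters one file, drops a new one and deletes
    another, then compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "app"
        (root / "bin").mkdir(parents=True)
        clean_binary = b"MZ\x90\x00 original server binary"
        (root / "bin" / "server.exe").write_bytes(clean_binary)
        (root / "config.ini").write_text("[server]\nport=8080\n")
        (root / "README.txt").write_text("known good state\n")

        # 1. Record the known-good copy before the incident (stored outside root).
        store = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), store)

        # 2. Simulated incident: binary patched, dropper added, README deleted.
        (root / "bin" / "server.exe").write_bytes(clean_binary + b"\x00INFECTED")
        (root / "bin" / "svchost.exe").write_bytes(b"MZ dropper")
        (root / "README.txt").unlink()

        # 3. Recovery: compare the current state against the stored copy.
        return compare_baseline(load_baseline(store), build_baseline(root))


if __name__ == "__main__":
    report = demo()
    for kind in ("modified", "added", "removed"):
        for path in report[kind]:
            print(f"{kind:9s} {path}")
```

Running the script prints bin/server.exe as modified, bin/svchost.exe as added, and README.txt as removed. Two points matter in practice: the baseline only proves something if it was taken while the system was clean and stored where a later compromise cannot reach it, and an unchanged hash does not make a file safe, since malware that only adds new files or lives in memory leaves the inventory intact. The comparison therefore complements, rather than replaces, the up-to-date antivirus scan the answer also calls for.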