Cybercrimes and Threats PDF
Document Details
Uploaded by TrendySpruce
University of Bisha
Muhannad Alrihalli
Summary
This document provides an outline of cybercrimes and threats, including a discussion of cyberspace, types of cybercrimes, causes and reasons behind them, consequences, and different threat actors. It also introduces criminology and its theories, and compares cybercrime and traditional crimes.
Full Transcript
CYBERCRIMES AND THREATS
MUHANNAD ALRIHALI

1. INTRODUCTION

OUTLINE
What is cyberspace?
What is cybercrime?
Types of cybercrimes
Causes and reasons behind crimes
Consequences and impact of crimes
Q/A

WHAT IS CYBERSPACE?
Cyberspace is a broad and complex term for the virtual environment created by interconnected digital devices, networks, and systems, such as the internet, telecommunications networks, computer systems, and other digital infrastructure. It encompasses the entire digital ecosystem, including the data, information, and interactions that occur within it. Cyberspace is a man-made domain, distinct from the physical world, in which communication, commerce, social interaction, entertainment, and a wide range of other activities take place using digital technologies. Cyberspace is also the domain of cybersecurity, because the digital assets and infrastructure it contains need protection against hacking, cybercrime, data breaches, and other malicious activity.

WHAT IS CYBERCRIME?
Cybercrime is criminal activity that either targets or uses a computer, a computer network, or a networked device. Most cybercrime is committed by cybercriminals or hackers who want to make money. Occasionally, however, cybercrime aims to damage computers or networks for reasons other than profit; these reasons may be political or personal. Cybercrime can be carried out by individuals or by organizations. Some cybercriminals are organized, use advanced techniques, and are highly skilled technically; others are novice hackers.

TYPES OF CYBERCRIMES
When a crime is committed over the Internet, it is referred to as a cybercrime. There are many types of cybercrime; the most common are explained below.

Hacking: Unauthorized access to computer systems or networks in order to steal, alter, or delete data. Hackers may exploit vulnerabilities in software to gain control of systems.
Social Engineering: Manipulating people into divulging confidential information or performing actions that compromise security. Phishing is the most common form of social engineering.
Phishing: A social engineering attack in which cybercriminals send fraudulent messages (most often by e-mail) that pretend to come from a reputable source, in order to trick recipients into revealing sensitive information such as passwords or credit card numbers.
Malware: Malicious software (viruses, worms, trojans, ransomware, spyware, and others) designed to damage or disrupt computer systems, steal data, or gain unauthorized access.
Ransomware: A type of malware that encrypts a victim's data and demands payment (a ransom) to restore access. It frequently targets organizations and critical infrastructure.
Identity Theft: Stealing someone's personal information (e.g., Social Security number, credit card details) to commit fraud, such as opening accounts or making unauthorized transactions in the victim's name.
Distributed Denial-of-Service (DDoS): Flooding a network, website, or service with traffic so that it becomes unavailable to legitimate users. A DDoS attack generates the traffic from many systems at once, which makes it much harder to filter or block than a single-source attack.
Cyberstalking: Using the internet or other digital means to harass, threaten, or stalk someone, typically through repeated and intrusive communication.
Online Fraud: Any deceitful practice carried out over the internet to gain something of value, such as money or sensitive information. This includes online scams, auction fraud, and credit card fraud.
Intellectual Property Theft: Unauthorized access to or copying of someone's creative or proprietary works, such as software, music, films, or patented designs, often for illegal distribution or financial gain.
Child Exploitation: The use of digital platforms to produce, distribute, or access illegal content involving the exploitation of minors, such as child sexual abuse material.
Cyber Espionage: The use of digital tools to spy on organizations, governments, or individuals in order to gather confidential information, often for political or competitive advantage.
Cryptojacking: Unauthorized use of someone else's computing resources to mine cryptocurrency. It is usually carried out by malware that secretly consumes the victim's processing power.

CAUSES AND REASONS BEHIND CRIMES
Financial Gain: Many cybercriminals are motivated by the prospect of financial reward. Phishing, ransomware attacks, online fraud, and identity theft are usually conducted to steal money or valuable financial information.
Political or Ideological Motives: Some cybercrimes are driven by political or ideological beliefs. Hacktivists use cyber attacks to promote their causes, protest against government actions, or draw attention to social issues; they may deface websites, leak sensitive information, or disrupt services.
Revenge or Personal Vendettas: Cybercriminals may target individuals, organizations, or governments out of personal revenge. Disgruntled employees, for example, might use their knowledge of a company's systems to cause harm after being terminated.
Curiosity or Thrill-Seeking: Some individuals, particularly younger or less experienced hackers, commit cybercrimes out of curiosity or for the thrill of breaking into systems. They may have no malicious intent and are driven by the challenge.
Terrorism: Terrorist organizations may use cyber attacks to disrupt critical infrastructure, spread propaganda, or instil fear. The aim is often to cause widespread disruption, harm economies, or undermine trust in institutions.
Psychological Factors: Some cybercriminals are motivated by a desire for power and control, enjoying the sense of dominance gained from manipulating systems or people.
Lack of Effective Law Enforcement: Some regions lack comprehensive cybercrime laws or the resources to enforce them, making it easier for criminals to operate with impunity.
Lack of Awareness and Security: Many cybercrimes exploit vulnerabilities in systems that lack adequate security measures. Poorly configured networks, outdated software, weak passwords, and untrained users make systems easy targets.
Globalization and Interconnectedness: As more systems become interconnected globally, the potential for cybercrime increases. The complexity and scale of these networks create more opportunities for cybercriminals to exploit weaknesses.

CONSEQUENCES AND IMPACT OF CRIMES
Financial Loss
  Direct Financial Theft: Victims may suffer immediate financial losses through theft, fraud, or extortion, as in ransomware attacks, online banking fraud, or unauthorized transactions.
  Business Disruption: Attacks such as ransomware or denial of service (DoS) can disrupt business operations, leading to lost revenue, lower productivity, and higher operational costs.
Data Breach
  Personal Data Compromise: Cybercrimes often result in the theft of personal information, such as Social Security numbers, credit card details, and medical records, which can lead to identity theft and other forms of fraud.
  Intellectual Property Theft: Cybercriminals may steal valuable intellectual property, trade secrets, or proprietary information, causing long-term financial damage and loss of competitive advantage.
  Loss of Confidential Information: Sensitive corporate or governmental data may be exposed, breaching confidentiality and security.
Operational Disruption
  Service Outages: Cyber attacks can cause significant disruption to IT systems, leading to downtime and interrupted services that affect business operations and customer experience.
  Supply Chain Impact: Cybercrimes can also affect supply chains, especially when critical suppliers are targeted, causing delays and increased costs in the production and distribution of goods.
Reputation Damage
  Loss of Trust: Organizations that fall victim to cybercrime, especially data breaches, often suffer significant damage to their reputation. Customers, partners, and stakeholders may lose trust, leading to a decline in business.
  Brand Damage: Negative publicity resulting from cyber incidents can tarnish a brand's image, potentially leading to a loss of customers and market share.
Legal and Compliance Consequences
  Lawsuits and Litigation: Victims of cybercrime, including customers and partners, may file lawsuits against the affected organizations, leading to costly legal battles and settlements.
  Regulatory Penalties: Failure to comply with data protection and cybersecurity regulations, such as the General Data Protection Regulation (GDPR) or the Health Insurance Portability and Accountability Act (HIPAA), can result in heavy fines and sanctions.
Psychological and Emotional Impact
  Stress and Anxiety: Individuals who fall victim to cybercrimes such as identity theft or cyberstalking may experience significant stress, anxiety, and a sense of violation.
  Fear and Uncertainty: Repeated cyber attacks can create a climate of fear and uncertainty, especially for individuals and small businesses, leading to a reluctance to engage in online activities.

THREAT ACTORS
Cybercriminals: Individuals or groups who engage in illegal activities online, typically for financial gain. This includes hacking, identity theft, ransomware attacks, and other forms of cybercrime.
Nation-State Actors: Government-sponsored groups or individuals who conduct cyber espionage, cyber warfare, or other activities to further the interests of a nation. These actors often have significant resources and capabilities.
Insider Threats: Employees, contractors, or other trusted individuals within an organization who misuse their legitimate access to data or systems, whether maliciously or through negligence.
Hacktivists: Individuals or groups who use hacking as a form of protest or to promote a political or social agenda. Their attacks are often intended to cause disruption, spread a message, or draw attention to a cause.
Script Kiddies: Inexperienced or amateur hackers who use pre-written scripts or tools to launch attacks. Although they lack technical skill, they can still cause significant damage.
Advanced Persistent Threats (APTs): Highly sophisticated and well-funded groups, often associated with nation-states, that conduct prolonged and targeted campaigns, usually for espionage or intellectual property theft.
Terrorist Organizations: Groups that use cyber attacks as a tool to further their ideological goals, including causing fear, disruption, or physical damage.
Organized Crime: Well-organized criminal groups that use cyber activities as part of their illegal operations, such as extortion, drug trafficking, or human trafficking.

Q/A
THANK YOU FOR LISTENING. ANY QUESTIONS?

CYBERCRIMES AND THREATS
MUHANNAD ALRIHALI

2. CRIMINOLOGY

OUTLINE
Criminology
Criminology theory
Applying criminological theories
Cybercrimes vs. traditional crimes
Cyber harassment
Q/A

CRIMINOLOGY
Criminology is the scientific study of crime, criminal behavior, and the criminal justice system. It examines the causes, prevention, and control of crime, as well as the social, psychological, and economic factors that contribute to criminal activity. Criminology also explores the impact of crime on victims and society, the effectiveness of laws and law enforcement, and the functioning of the penal and correctional systems. Criminologists use a range of theories and research methods to understand why individuals commit crimes and how society responds to criminal behavior.
The field is interdisciplinary, drawing on sociology, psychology, law, and other disciplines to analyze and address issues of crime and justice.

APPLYING CRIMINOLOGICAL THEORIES TO CYBERCRIMES
A criminology theory is a set of ideas and principles that aims to explain the causes of criminal behavior, the functioning of the criminal justice system, and society's responses to crime. Criminologists use these theories to understand why individuals commit crimes, how criminal behavior can be prevented, and how society can best respond to crime and its consequences. Examples of criminological theories:
Routine Activity Theory
Social Learning Theory
Victim Participation Theory

ROUTINE ACTIVITY THEORY
Routine Activity Theory explains crime as the intersection of three factors:
1. Motivated offenders.
2. Availability of suitable targets or victims.
3. The absence of capable guardians.
Researchers have used this theory to understand the relationship and interaction between the criminal and the victim (Cox, Johnson and Richards, 2009). It has been used for almost three decades to explain causation across several categories of crime and continues to serve as the theoretical basis for several practical explanations of contemporary criminal behavior.

EXAMPLE OF ROUTINE ACTIVITY THEORY
Motivated Offender: In cybercrime, motivated offenders are hackers, cybercriminals, or malicious insiders seeking financial gain, data theft, or disruption.
Suitable Target: Suitable targets in the cyber realm are individuals or organizations with valuable data, weak security practices, or vulnerabilities in their systems (e.g., unpatched software, weak passwords).
Absence of a Capable Guardian: The "guardian" can be a robust set of cybersecurity measures such as firewalls, encryption, multi-factor authentication, and security awareness training. Where these protections are absent, targets are more vulnerable to attack.
Example: Phishing attacks often succeed because they target users who are unaware of security practices (suitable target) and who lack strong defenses (absence of a capable guardian), which lets a motivated offender exploit them with little effort.

SOCIAL LEARNING THEORY
Social Learning Theory is often combined with cognitive learning theory, which holds that learning is influenced by psychological factors, and with behavioral learning theory, which holds that learning arises from responses to environmental stimuli. For the theory to apply, four requirements for learning must be met:
1. Observation (environmental)
2. Retention (cognitive)
3. Reproduction (cognitive)
4. Motivation

EXAMPLE OF SOCIAL LEARNING THEORY
Observation (Environmental): Cybercriminals often learn by observing others in online environments such as hacking forums, dark web marketplaces, or social media platforms where cybercrime techniques are discussed and demonstrated.
Retention (Cognitive): After observing criminal behavior, the individual must retain the information: the steps, techniques, and strategies involved are stored in memory for future use.
Reproduction (Cognitive): The observed and retained behavior must be translated into action. This requires the ability to replicate the techniques learned from others, which may take practice and refinement.
Motivation: The deciding factor in whether the individual will actually commit the cybercrime. Motivation can stem from financial gain, a desire for recognition in hacker communities, or ideological reasons.

Worked example: A young individual interested in technology stumbles upon a hacking forum where cybercriminal activities are regularly discussed and demonstrated (Observation). Intrigued, they start following tutorials on hacking techniques and store this information for future use (Retention).
After learning the basics, they begin experimenting with hacking tools and attempt to replicate what they have learned (Reproduction). Their motivation is the potential financial reward from selling stolen data and the thrill of outsmarting security systems (Motivation). Eventually the individual successfully executes a cyber attack, having fully internalized and acted on the behavior they observed and learned.

VICTIM PARTICIPATION THEORY
Victim Participation Theory (also known as victim precipitation theory) holds that certain victims make themselves targets for crime by engaging in confrontational or risky actions (active participation); by simply being present in a location that gives a motivated offender the opportunity to commit an offense (passive participation); or by behaving provocatively in a criminogenic environment. The victim may knowingly act in a provocative manner, use fighting words or threats, or attack first; or the victim may display attributes, characteristics, or mannerisms that unknowingly motivate or threaten the attacker. Victim precipitation may also exist when an individual belongs to a group that offends or threatens someone's political, social, or economic security, status, or reputation.

EXAMPLE OF VICTIM PARTICIPATION THEORY
Active Participation: Victims may unintentionally facilitate cybercrimes through their own actions. For example, clicking a malicious link or downloading an unverified attachment can result in a malware infection, leading to data breaches or financial loss.
Passive Participation: Victims may also contribute to their victimization by neglecting basic cybersecurity practices, such as using weak passwords, not updating software, or ignoring security warnings. This passive participation makes them more vulnerable to attack.
Example: A user who shares too much personal information on social media might become a target for social engineering attacks such as phishing.
Their active sharing of personal data (active participation) and their failure to adjust privacy settings (passive participation) both contribute to their victimization.

CYBERCRIMES VS TRADITIONAL CRIME
Some studies suggest that cybercrime offenders have the same demographics as traditional offenders; cybercriminals, for example, are more likely to be men.
There are limitations to the use and potential benefits of cyber criminology. For example, the absence of robust evidence about the extent, role, and nature of criminal actors in cyberspace impedes the development of sound countermeasures.
Other researchers argue that cybercrime is not an entirely new or innovative genre of crime. Most of the cybercrime seen today simply represents the migration of traditional crime to cyberspace, where offenders use available technology to commit old crimes in new ways.

CRIMINOLOGY
Watch this video: "What is Criminology? A Crash Course".

CYBER HARASSMENT
Digital technology has become an integral part of our lives, and any technology can be used for constructive or destructive purposes. Misuse of information and communication technology (ICT) is an important ingredient of cybercrime. Among the many offensive acts in cyberspace, online abuse and harassment is a common phenomenon that directly or indirectly affects cyberspace users of all age groups.
Cyber harassment is defined as repeated, unsolicited, hostile behavior by a person through cyberspace with the intent to terrify, intimidate, humiliate, threaten, harass, or stalk someone. Harassment carried out through electronic media is considered to have a similar impact to the traditional offence of harassment. It can be carried out through the various means of ICT listed under Means of Cyber Harassment below.
CATEGORIES OF CYBER HARASSMENT
Cyberbullying
Cyber teasing
Cyber stalking

CYBERBULLYING
Cyberbullying is the act of sending, posting, or sharing negative, harmful, false, or demeaning content about others. Sharing personal or private information that could cause embarrassment or humiliation also falls within cyberbullying. It takes place through digital devices such as cell phones, computers, and tablets, via services such as SMS, messaging apps, social media platforms, online forums, and games where people can view, participate in, or share content.

EXAMPLES OF CYBERBULLYING
Posting nasty or humiliating content or comments about an individual online.
Publishing an embarrassing or demeaning photo or video.
Creating a fake profile of another individual.
Online threats provoking an individual to harm or kill themselves, or to hurt someone else.
Triggering religious, racial, regional, ethnic, or political vitriol online by posting hateful comments or content.
Using another person's identity online to ask for, or post, personal or fake, demeaning, or embarrassing information about someone.
In online games, repeatedly harming a player's character, demanding money, ganging up on a player, or using personal information to make direct threats.
Posting online stories, pictures, jokes, or cartoons intended to embarrass or humiliate others.

MOTIVES BEHIND CYBERBULLYING
To gain popularity and influence within the dominant social circle.
To take revenge.
For pure entertainment.
To isolate the victim.

CYBER TEASING
Cyber teasing is an attitude, a mindset, and a pattern of behavior or actions that the target experiences as insulting and humiliating. The underlying offence is generally the harassment of women by strangers in public places, streets, and public transport; when a similar offence is committed by means of ICT, it is called cyber teasing.
EXAMPLES OF CYBER TEASING
Sending, sharing, or posting vulgar, defamatory, embarrassing, harmful, or false messages or information via:
Social media (Facebook, Instagram, Snapchat, Twitter, etc.)
SMS (text messages over the cellular network)
Instant messaging services (WhatsApp, Facebook Messenger, etc.)
E-mail

MOTIVES BEHIND CYBER TEASING
To gain attention.
To exacerbate feelings of shame and humiliation.
Revenge.

CYBER STALKING
Cyberstalking is the use of information and communications technology (ICT) to stalk, control, manipulate, or habitually threaten a minor, an adult, or a business group. It is both a tactic used by online assailants and a typology of psychopathological ICT users. Cyberstalking includes direct or implied threats of physical harm, habitual surveillance, and the gathering of information in order to manipulate and control a target.

EXAMPLES OF CYBER STALKING
Leaving harassing or threatening messages in the guestbook of the victim's website, or on their social media profile or blog.
Sending inappropriate electronic greeting cards to the victim.
Posting personal advertisements in the victim's name.
Creating websites, profiles, or other accounts containing messages that threaten or harass the victim, or making it appear that the victim created a website containing provocative or pornographic photographs.
Hate speech, i.e. language that denigrates, insults, threatens, or targets an individual on the basis of their identity or other traits (such as disability or religion).
Accessing the victim's e-mail or social media accounts to find personal information, read e-mails and messages, or change passwords.
Impersonating the victim's online identity to harm their reputation or relationships.
Monitoring the victim's movements using GPS, tracking apps, or spyware.
Ordering goods or services, or subscribing to magazines, in the victim's name.

MOTIVES BEHIND CYBER STALKING
Jealousy
Obsession and attraction
Erotomania
Revenge and hatred

MEANS OF CYBER HARASSMENT
E-mail
Social media and networking (Facebook, Instagram, WhatsApp, Twitter, YouTube, etc.)
Websites
Instant messages
Web-based SMS
MMS
Online games

Q/A
THANK YOU FOR LISTENING. ANY QUESTIONS?

CYBERCRIMES AND THREATS
MUHANNAD ALRIHALI

3. CYBER LAWS

OUTLINE
Cyber laws
Role of cybercrime law
Harmonization of laws
Cybersecurity legislation and regulations
Cyber fraud
Identity theft
Cyber-terrorism
Q/A

CYBER LAW
Cyber law refers to the legal framework that governs activities conducted in cyberspace, particularly those involving the internet, computers, software, and digital communications. It encompasses laws, regulations, and policies that deal with issues arising from the use of technology, such as data privacy, intellectual property rights, cybercrime, electronic commerce, and freedom of speech online. Cyber laws reduce or prevent damage from online criminal activity by protecting privacy, access to information, intellectual property (IP), communications, and freedom of speech in relation to the use of websites, mobile phones, e-mail, computers, the internet, software, and hardware such as data storage devices.

CYBERSECURITY LAW VS CYBERCRIME LAW
Cybersecurity law comprises a set of directives that safeguard information technology and require organizations to protect their information and systems from cyberattacks using a range of methods.
Cybercrime law, by contrast, defines the offences and penalties for cybercrimes. It covers crimes directed at data, computers, or information and communications technologies (ICTs), and crimes committed by people using ICT or computers.

ROLE OF CYBERCRIME LAW
Cybercrime law identifies standards of acceptable behavior for ICT users; establishes socio-legal sanctions for cybercrime; protects ICT users in general, and mitigates and/or prevents harm to people, data, systems, services, and infrastructure in particular; protects human rights; enables the investigation and prosecution of crimes committed online (outside traditional real-world settings); and facilitates cooperation between countries on cybercrime matters.
Cybercrime law provides rules of conduct and standards of behavior for the use of the Internet, computers, and related digital technologies, and for the actions of the public, government, and private organizations; rules of evidence and criminal procedure, and other criminal justice matters in cyberspace; and regulation to reduce risk and/or mitigate the harm done to individuals, organizations, and infrastructure should a cybercrime occur.
Cybercrime law includes:
Substantive law
Procedural law
Preventive law

Substantive law: Defines the rights and responsibilities of legal subjects, which include persons, organizations, and states. Sources of substantive law include statutes and ordinances enacted by city and state legislatures (statutory law).
Procedural law: Demarcates the processes and procedures to be followed in applying substantive law, and the rules that enable its enforcement.
An important part of procedural law is criminal procedure, which comprises comprehensive rules and guidelines on how suspected, accused, and convicted persons are to be handled and processed by the criminal justice system and its agents.
Preventive law: Focuses on regulation and risk mitigation. In the context of cybercrime, preventive legislation seeks to prevent cybercrime or, at the very least, to mitigate the damage resulting from its commission.

HARMONIZATION OF LAWS
The clear majority of countries worldwide have national laws that cover cybercrime or some facets of it. Cybercrime safe havens arise in countries that have no cybercrime laws, because a person cannot be prosecuted for a cybercrime unless the conduct is an illicit activity punishable by law. This was observed in the case of the creator and distributor of the "LOVEBUG" computer virus, a resident of the Philippines, who could not be prosecuted, even though the virus had adverse economic consequences in countries around the world, because the Philippines had no cybercrime law at the time of the incident (Maras, 2014). Safe havens can also arise when cybercrime laws are not adequately enforced, or when national cybercrime laws diverge from one another.

CYBERSECURITY LEGISLATION AND REGULATIONS
Saudi Arabia's Anti-Cyber Crime Law aims to prevent cybercrimes by identifying such crimes and defining their punishments. Its objectives are to ensure information security; to protect the public interest and morals; to protect the rights of legitimate users of computers and information networks; and to protect the national economy.
The National Cybersecurity Authority (NCA) has issued a number of controls, frameworks, and guidelines on cybersecurity at the national level, in order to protect the country's vital interests, national security, critical infrastructure, and government services.
Controls, frameworks, and guidelines issued by the NCA include:
Organizations' Social Media Accounts Cybersecurity Controls
Essential Cybersecurity Controls
Cloud Cybersecurity Controls
Telework Cybersecurity Controls (TCC)
National Cryptographic Standards (NCS)
Cybersecurity Guidelines for e-Commerce
and more; see Cybersecurity in the Kingdom of Saudi Arabia (my.gov.sa).

CYBER FRAUD
Whether it is called "fraud" or "scam", the perpetrator's goal is always the same: to gain an advantage, usually financial, over others by deceptive means. Scams come in different forms across different media, but all involve deliberate deception with intent to mislead, and they often pander to deep-seated needs and desires in order to deceive the intended target for financial gain.
Cyber fraud can be broadly classified into two distinct categories:
1. Cyber-dependent fraud.
2. Cyber-enabled fraud.

CYBER-DEPENDENT FRAUD
Cyber-dependent fraud is fraudulent activity that can only be committed using information and communications technology, and that primarily targets computers and networks. It poses the greatest threat to public services and businesses, but it can also affect individuals when the personal data collected is used for further fraud.
The primary types of cyber-dependent crime are:
1. Hacking.
2. Disruption of computer functionality.
Hacking: The unauthorized use of, or access to, computers and networks by exploiting vulnerabilities.
This access can then be used to gather personal data and information. The impact can be significant financial loss for larger organizations, but individuals' personal and financial data can also be compromised, leading to further fraudulent activity.
Disruption of computer functionality: Most often carried out with malware, which is frequently distributed by unsolicited or junk mail. Malicious software is designed to interfere with how computers and networks function and is most often seen in the form of viruses, worms, Trojans, spyware, and ransomware. Malware performs functions such as undertaking hidden or unauthorized actions; damaging or deleting hardware, software, or files; gathering sensitive and personal information; or monitoring activity.
Other forms of disruption of computer functionality include Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) attacks. Most frequently aimed at organizations and businesses rather than individuals, these are designed to interrupt or suspend services and systems and make web-based services unavailable to users.

CYBER-ENABLED FRAUD
Cyber-enabled fraud covers offences that can be committed without information and communications technology but whose scale, impact, and reach are increased by the use of computers and networks. Cyber-enabled frauds are similar to those carried out through other media, such as mail, telephone, and doorstep scams, but they can target individuals en masse, increasing the number of potential victims. The majority of cyber-enabled frauds can be aligned with the following four broad categories:

IDENTITY THEFT
Identity theft is the use of someone else's identity to commit a crime, such as tax fraud, unlawfully establishing credit accounts, creating fake IDs or passports, securing loans, or entering into contracts.
Identity fraud occurs when a criminal uses personal information, such as a Social Security Number or credit card account number to steal financial resources. Identity fraud does not occur when a credit card is simply stolen — it may be consumer fraud but is not identity fraud. Identity fraud occurs when someone steals personal information, opens credit card accounts in your name without permission and charges merchandise to those accounts. Identity theft occurs when criminals steal a victim’s personal information to commit criminal acts. Using this stolen information, a criminal takes over the victim's identity and conducts a range of fraudulent activities in their name. Cyber criminals commit identity theft by using sophisticated cyber attack tactics, including social engineering, phishing, and malware. Identity theft can also result from rudimentary tactics with criminals stealing mail and listening in on phone conversations in public places. TYPES OF IDENTITY THEFT Financial Identity Theft: Financial identity theft is a type of scam where the attacker uses your personal information to take over your financial accounts, such as credit cards, bank accounts, and social security number. Medical Identity Theft: In medical identity theft, a cyber criminal uses your health insurance information to see a doctor, obtain prescription drugs, and file claims against your health insurance provider. Online Identity Theft: Online identity theft refers to the attacker’s use of online platforms to steal identities and commit online fraud. This can range from attacks on a user’s social media account or e - commerce platform. IDENTITY THEFT Watch this video: Identity theft victim: 'It's been hell’ View U.S. Department of Justice’s website Criminal Division | Identity Theft (justice.gov) CYBER-TERRORISM The term 'cyberterrorism’ was coined in 1996 by Barry Collin. La Church Road. Cyber terrorism - "convergence of cyberspace”. 
US national infrastructure protection center (2001) has defined cyber terrorism as: “A criminal act perpetrated by the use of computers and telecommunications capabilities, resulting in violence, destruction and/or disruption of services, where the intended purpose is to create fear by causing confusion and uncertainty within a given population, with the goal of influencing a government or population to conform to a particular political, social or ideological agenda.” Use of computers, internet and information gate ways to support traditional terrorism. CYBER-TERRORISM A cyberterrorist is someone who intimidates or coerces a government or an organization to advance his or her political or social objectives By launching a computer-based attack against computers, networks, or the information stored on them. Cyberterrorism can be defined as an act of terrorism committed through the use of cyberspace or computer resources. Can be considered cyber terrorism: A simple propaganda piece on the Internet that there will be bomb attacks during the holidays. Hacking activities directed towards individuals, families, etc., within networks, tending to cause fear among people, demonstrate power, collecting information relevant for ruining peoples' lives, robberies, blackmailing. EXAMPLES OF CYBER TERRORISM Examples of cyber terrorism: Introduction of viruses to vulnerable data networks. Hacking of servers to disrupt communication and steal sensitive information. Defacing websites and making them inaccessible to the public thereby causing inconvenience and financial losses. Hacking communication platforms to intercept or stop communications and make terror threats using the internet. Attacks on financial institutions to transfer money and cause terror. Q/A THANK YOU FOR LISTENING ANY QUESTIONS? CYBERCRIMES AND THREATS MUHANNAD ALRIHALI 4. 
Cybercrime Investigation

OUTLINE
- Cybercrime Investigations
- Computer Forensics
- The Need for Forensics
- Computer Forensics Process
- Investigation Techniques, Tools & Skills, Obstacles
- Evidence
- Q/A

CYBERCRIME INVESTIGATION

Cybercrime investigation refers to the process of identifying, tracking, and prosecuting individuals or groups involved in illegal activities conducted through digital means. A cyber crime investigation is the process of investigating, analyzing, and recovering forensic data for digital evidence of a crime. Examples of evidence in a cyber crime investigation include a computer, cellphone, automobile navigation system, video game console, or other networked device found at the scene of a crime. This evidence helps cyber crime investigators determine the perpetrators of a cyber crime and their intent. It involves the application of various techniques and tools to gather evidence, analyze data, and uncover the identities of cybercriminals.

The main elements of a cybercrime investigation are:
- Understanding Cybercrime
- Reporting Cybercrime
- Evidence Collection
- Digital Forensics
- Tracking Cybercriminals
- Collaboration and Jurisdiction
- Legal Proceedings
- Prevention and Awareness

Understanding Cybercrime: cybercrime encompasses a wide range of illegal activities committed using computers, networks, or the internet. These can include hacking, identity theft, online fraud, data breaches, malware attacks, and more.

Reporting Cybercrime: if you become a victim of cybercrime, it is crucial to report the incident to your local law enforcement agency or a dedicated cybercrime unit. They will guide you through the process and initiate an investigation.

Evidence Collection: investigators gather digital evidence by analyzing computer systems, networks, and other electronic devices. This may involve seizing and examining hardware, capturing network traffic, or recovering deleted files.

Digital Forensics: digital forensics is a key component of cybercrime investigation. It involves the preservation, extraction, and analysis of digital evidence to reconstruct events, identify perpetrators, and support legal proceedings.

Tracking Cybercriminals: investigators use various techniques to trace the origin of cyberattacks, such as IP address analysis, email tracing, and network forensics. They collaborate with internet service providers, cybersecurity firms, and international agencies to track down cybercriminals.

Collaboration and Jurisdiction: cybercrime often transcends national borders, making international cooperation crucial. Law enforcement agencies work together through mutual legal assistance treaties and information sharing to apprehend cybercriminals.

Legal Proceedings: once sufficient evidence is gathered, cybercrime investigators work with prosecutors to build a case against the perpetrators. This involves presenting evidence in court and ensuring it meets the legal requirements for admissibility.

Prevention and Awareness: cybercrime investigation is not only about catching criminals but also about preventing future incidents. Investigators collaborate with organizations, educate the public, and develop strategies to enhance cybersecurity and raise awareness about potential threats.

It is important to note that cybercrime investigation is a complex and ever-evolving field. Investigators must stay updated with the latest technologies, techniques, and legal frameworks to effectively combat cyber threats.

WHAT IS COMPUTER FORENSICS?

Forensics is the scientific tests or techniques used in connection with the detection of crime. Furthermore, forensics is the process of using scientific techniques during the identification, collection, examination and reporting of evidence to the court.

Computer forensics is "a methodical series of techniques and procedures for gathering evidence, from computing equipment and various storage devices and digital media, that can be presented in a court of law in a coherent and meaningful format." Defined further, computer forensics is the procedure for the collection, analysis and presentation of digital evidence to the court.

The scope of computer forensics is not limited to investigating a crime. Apart from this, computer forensics can be used for:
- Data recovery
- Log monitoring
- Data acquisition (from retired or damaged devices)
- Fulfilling compliance needs

THE NEED FOR FORENSICS

The world has become a global village since the advent of the computer, digital devices and the internet. Life seems impossible without these technologies, as they are necessary for our workplace, home, street, and everywhere. Information can be stored on or transferred by desktop computers, laptops, routers, printers, CD/DVD, flash drives, or thumb drives. The variations and development of data storage and transfer capabilities have encouraged the development of forensic tools, techniques, procedures and investigators. In the last few years, we have witnessed an increase in crimes that involve computers. As a result, computer forensics and digital investigation have emerged as the proper channel to identify, collect, examine, analyze and report computer crimes.

COMPUTER FORENSICS PROCESS

The computer forensics work process can be divided into 5 major parts:

1. Identification: the first process of computer forensics is to identify the scenario, or to understand the case. At this stage, the investigator has to identify the purpose of the investigation, the type of incident, the parties involved in the incident, and the resources that are required to fulfill the needs of the case.

2. Collection: collection (chain of custody) is one of the most important steps, because your entire case is based on the evidence collected from the crime scene. Collection is the data acquisition process from the relevant data sources while maintaining the integrity of the data. Timely execution of the collection process is crucial in order to maintain the confidentiality and integrity of the data. Important evidence may be lost if you do not act as required.

3. Examination: the aim of the third process is to examine the collected data by following standard procedures, techniques, tools and methodology to extract the meaningful information related to the case.

4. Analysis: since all five processes are linked together, analysis is the procedure of analyzing the data acquired after the examination process. At this stage, the investigator searches for possible evidence against the suspect, if any, using tools and techniques to analyze the data. The techniques and tools should be legally justifiable, because this helps you to create and present your report in front of the court.

5. Reporting: this is the final, but the most important, step. At this step, an investigator needs to document the process used to collect, examine and analyze the data. The investigation report also contains documentation of how the tools and procedures were selected. The objective of this step is to report and present the findings, justified by the evidence.

COMPUTER FORENSICS TEAM

Law enforcement and security agencies are responsible for investigating a computer crime; however, every organization should have the capability to solve its basic issues and investigations by itself. Here are the key people that a computer investigation firm should have:

Investigators: a group of people (the number depends on the size of the firm) who handle and solve the case. It is their job to use forensic tools and techniques in order to find the evidence against the suspect. They may call the law enforcement agencies, if required. Investigators are supposed to act immediately after the occurrence of an event that is suspected of criminal activity.

Photographer: recording the crime scene is as important as investigating it. The photographer's job is to take photographs of the crime scene (IT devices and other equipment).

Incident Handlers (first responders): every organization, regardless of type, should have incident handlers in its IT department. The responsibility of these people is to monitor and act if any computer security incident happens, such as a breach of network policy, code injection, server hijacking, a RAT or any other malicious code installation. They generally use a variety of computer forensics tools to accomplish their job.

IT Engineers & technicians (other support staff): the group of people who run the daily operations of the firm. They are the IT engineers and technicians who maintain the forensics lab. This team should consist of a network administrator, IT support, IT security engineers and desktop support. The key role of this team is to ensure smooth organizational functioning, monitoring, troubleshooting, data recovery and maintaining the required backups.

Attorney: since computer forensics deals directly with investigation and with submitting the case to the court, an attorney should be a part of this team.

RULES OF COMPUTER FORENSICS

There are certain rules and boundaries that should be kept in mind while conducting an investigation. 'Collecting Electronic Evidence after a System Compromise' has provided the rules of computer forensics:

1. Minimize or eliminate the chances of examining the original evidence: make an accurate and exact copy of the collected information to minimize the need to examine the original. This is the first and most important rule that should be considered before doing any investigation: create duplicates and investigate the duplicates. You should make an exact copy in order to maintain the integrity of the data.

2. Don't proceed if it is beyond your knowledge: if you see a roadblock while investigating, stop at that moment and do not proceed if it is beyond your knowledge and skills; consult or ask an experienced person to guide you in that particular matter. This is to secure the data, otherwise the data might be damaged, which is unbearable. Do not take this situation as a challenge; go and get additional training, because we are in the learning process and we love to learn.

3. Follow the rules of evidence: the rules of evidence must be followed during the investigation process to make sure that the evidence will be accepted in court.

4. Create documentation: document the behavior if any changes occur in the evidence. An investigator should document the reason, result and nature of any change that occurred with the evidence. For example, restarting a machine may change its temporary files: note it down.

5. Get written permission and follow the local security policy: before starting an investigation process, you should make sure to have written permission with instructions related to the scope of your investigation. This is very important, because during the investigation you need to get access to, or make copies of, sensitive data; if you do not have written permission, you may find yourself in trouble for breaching the IT security policy.

6. Be ready to testify: since you are collecting the evidence, you should make yourself ready to testify about it in court, otherwise the collected evidence may become inadmissible.

7. Your actions should be repeatable: do not work by trial and error, or no one is going to believe you and your investigation. Make sure to document every step taken. You should be confident enough to perform the same action again to prove the authenticity of the evidence.

8. Work fast to reduce data loss: work fast to eliminate the chances of data loss; volatile data may be lost if not collected in time. While automation can be introduced to speed up the process, do not create a rush situation. Increase the human workforce where needed. Always start collecting data from volatile evidence.

9. Don't shut down before collecting evidence: this is a rule of thumb, since the collection of data or evidence is itself important for an investigation. You should make sure not to shut down the system before you collect all the evidence. If the system is shut down, you will lose the volatile data. Shutdown and rebooting should be avoided at all costs.

10. Don't run any program on the affected system: collect all the evidence, copy it, create many duplicates and work on them. Do not run any program, otherwise you may trigger something that you don't want to trigger. Think of a Trojan horse.

CYBER CRIME INVESTIGATION TECHNIQUES

Activities that a computer crime investigator performs include recovering the file systems of hacked computers, acquiring data that can be used as evidence to prosecute crimes, writing reports for use in legal proceedings, and testifying in court hearings. Cyber crime investigation techniques include:

Performing background checks: establishing the when, where, and who of a crime sets the stage for an investigation. This technique uses public and private records and databases to find out the backgrounds of individuals potentially involved in a crime.

Gathering information: this technique is one of the most critical in cyber crime investigations. Investigators ask questions such as: What evidence can be found? What level of access to sources do we have to gather the evidence? The answers to these and other questions provide the foundation for a successful investigation.
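The collection step and rules 1, 4 and 7 above (work only on an exact duplicate, document every change, make your actions repeatable) can be made concrete in code. The following is an added example, not part of the lecture: it duplicates a seized file, verifies the duplicate by SHA-256, writes a chain-of-custody log, and shows that a later undocumented change to the working copy is detected. The examiner id, file names and "seized" contents are constructed for the demonstration.

```python
# Added example (not from the lecture): acquire a duplicate of seized evidence,
# verify it by hash, and keep a chain-of-custody log. All paths, the examiner
# id and the "seized" file contents are constructed for the demonstration.
import hashlib
import json
import os
import shutil
import tempfile
import time
from pathlib import Path

CHUNK_SIZE = 1024 * 1024  # hash in 1 MiB chunks so large images need not fit in memory


def sha256_file(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


class CustodyLog:
    """Append-only JSON-lines record of who did what to which item, and when (rule 4)."""

    def __init__(self, path):
        self.path = Path(path)
        self.entries = []

    def record(self, examiner, action, item, **details):
        entry = {"timestamp": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
                 "examiner": examiner, "action": action, "item": str(item)}
        entry.update(details)
        self.entries.append(entry)
        with open(self.path, "a", encoding="utf-8") as fh:
            fh.write(json.dumps(entry) + "\n")
        return entry


def acquire(original, work_dir, examiner, log):
    """Rule 1: duplicate the original and verify the duplicate before any examination.
    Returns (working_copy_path, sha256); raises if the copy does not match."""
    original, work_dir = Path(original), Path(work_dir)
    work_dir.mkdir(parents=True, exist_ok=True)
    # Hash the original exactly once, before anything else touches it.
    original_hash = sha256_file(original)
    log.record(examiner, "hash_original", original, sha256=original_hash)
    working_copy = work_dir / (original.name + ".copy")
    shutil.copyfile(original, working_copy)
    copy_hash = sha256_file(working_copy)
    log.record(examiner, "duplicate", working_copy, sha256=copy_hash)
    if copy_hash != original_hash:
        log.record(examiner, "verify_failed", working_copy,
                   expected=original_hash, got=copy_hash)
        raise RuntimeError("duplicate does not match original; do not examine it")
    # Examination must not alter the working copy either (rule 10): make it read-only.
    os.chmod(working_copy, 0o444)
    log.record(examiner, "verify_ok", working_copy, sha256=copy_hash)
    return working_copy, copy_hash


def reverify(working_copy, expected_hash, examiner, log):
    """Rule 7: re-hashing the copy later must reproduce the recorded value.
    Returns True if unchanged; a mismatch is logged too, never silently ignored."""
    current = sha256_file(working_copy)
    unchanged = current == expected_hash
    log.record(examiner, "reverify", working_copy,
               expected=expected_hash, got=current, unchanged=unchanged)
    return unchanged


def demo():
    """Run the workflow on a constructed 'seized' file in a temporary directory."""
    case_dir = Path(tempfile.mkdtemp(prefix="case-"))
    seized = case_dir / "seized_disk.bin"
    seized.write_bytes(b"constructed evidence payload\n" * 1000)  # stand-in for an image
    log = CustodyLog(case_dir / "custody.jsonl")
    working_copy, digest = acquire(seized, case_dir / "work", "examiner-01", log)
    intact = reverify(working_copy, digest, "examiner-01", log)
    # Simulate an undocumented modification of the working copy and show it is caught.
    os.chmod(working_copy, 0o644)
    with open(working_copy, "ab") as fh:
        fh.write(b"X")
    still_intact = reverify(working_copy, digest, "examiner-01", log)
    return {"intact": intact, "tamper_detected": not still_intact,
            "actions": [e["action"] for e in log.entries]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In a real case the duplicate would be a full disk image made with a write blocker, but the hash-verify-log discipline is the same.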
Running digital forensics: cyber crime investigators use their digital and technology skills to conduct forensics, which involves the use of technology and scientific methods to collect, preserve, and analyze evidence throughout an investigation. Forensic data can be used to support evidence or confirm a suspect's involvement in a crime.

Tracking the authors of a cyber crime: with information about a crime in hand, cyber crime investigators work with internet service providers and telecommunications and network companies to see which websites and protocols were used in the crime. This technique is also useful for monitoring future activities through digital surveillance. Investigators must seek permission to conduct these types of activities through court orders.

CYBERCRIME INVESTIGATION TOOLS

Cybercrime investigation requires the use of specialized tools and software to collect, preserve, and analyze digital evidence. These tools can be used to identify suspects, track their activities, and gather evidence to build a case against them. Some of the most common cybercrime investigation tools used by investigators:

1. Digital Forensics Software: used to recover deleted files, analyze metadata, and examine network traffic logs. Popular digital forensics software includes tools like EnCase, FTK, and Autopsy.

2. Network Analysis Tools: used to monitor network traffic, identify suspicious activity, and track the flow of data. Network analysis tools include Wireshark, tcpdump, and NetScout.

3. Malware Analysis Tools: used to analyze and reverse engineer malware to understand its behavior and identify its source. Malware analysis tools include IDA Pro, OllyDbg, and Binary Ninja.

4. Password Recovery Tools: used to recover passwords from encrypted files, databases, or other sources of digital evidence. Password recovery tools include Cain and Abel, John the Ripper, and Hashcat.

5. Social Media Analysis Tools: used to track suspects' activities and gather evidence from social media platforms. Social media analysis tools include Hootsuite, Followerwonk, and Mention.

CYBERCRIME INVESTIGATORS' SKILLS

Some examples of knowledge, skills, and abilities that are important for a cybercrime investigator:

- Knowledge of Cybersecurity: a cybercrime investigator should have a solid understanding of cybersecurity principles, including network security, encryption, secure coding practices, and common vulnerabilities.
- Digital Forensics Expertise: proficiency in digital forensics is crucial for analyzing and preserving digital evidence. This includes knowledge of forensic tools, data recovery techniques, file systems, and evidence handling procedures.
- Understanding of Cyber Laws and Regulations: familiarity with relevant cyber laws, regulations, and legal procedures is essential for conducting investigations and ensuring that evidence is collected and presented in a legally admissible manner.
- Technical Skills: proficiency in using various technical tools and software is necessary for conducting investigations. This includes knowledge of network analysis tools, malware analysis, data recovery software, and programming languages.
- Analytical and Critical Thinking: cybercrime investigations often involve complex scenarios and large amounts of data. Investigators should possess strong analytical and critical thinking skills to identify patterns, connect dots, and draw conclusions from the evidence.
- Communication and Report Writing: effective communication skills are vital for interacting with colleagues, stakeholders, and legal professionals. Investigators should be able to write clear and concise reports that document their findings and present them in a manner that is easily understandable.
- Collaboration and Teamwork: cybercrime investigations often require collaboration with other investigators, law enforcement agencies, and cybersecurity professionals. The ability to work well in a team, share information, and coordinate efforts is crucial for successful outcomes.
- Continuous Learning: cybercrime is a rapidly evolving field, and investigators must stay updated with the latest trends, techniques, and technologies.

EVIDENCE & ITS TYPES

Evidence is the key to proving the case in court. From a legal point of view, evidence can be divided into many types, and each type has its own characteristics. Keeping these characteristics in mind during evidence collection helps an investigator make the case stronger. Admissibility is the most important characteristic of any evidence; it is generally the first rule of every piece of evidence. Let's discuss the multiple types of evidence:

1. Real / tangible evidence: as the name suggests, real evidence consists of tangible/physical material, e.g. a hard drive, a flash drive, etc. Apart from material, a human can also be treated as real evidence, e.g. an eyewitness.

2. Original evidence: "Evidence of a statement made by a person other than the testifying witness, which is offered to prove that the statement was actually made rather than to prove its truth." This is generally an out-of-court statement.

3. Hearsay evidence: also referred to as an "out of court statement"; it is made in court to prove the truth of the matter declared.

4. Testimony: when a witness takes an oath in court and gives his/her statement in front of the court.

RULES OF EVIDENCE

'Collecting Electronic Evidence after a System Compromise' has defined the five rules of evidence:

1. Admissible: the first and most important rule is that your evidence must be usable in court as evidence.

2. Authentic: evidence should be authentic, and it should be related and relevant to the case; you need to prove in front of the court that the collected evidence is authentic. Failing to do so means the failure of the investigation.

3. Complete or whole: the court will not accept half evidence. You should be unbiased during your investigation, and your evidence should not show only one perspective of the incident. As Matthew says, "it is vital to collect evidence that eliminates alternative suspects. For instance, if you can show the attacker was logged in at the time of the incident, you also need to show who else was logged in and demonstrate why you think they didn't do it. This is called Exculpatory Evidence and is an important part of proving a case."

4. Reliable: the reliability of the evidence is important, but the process is also important, and it should not create any doubt about the evidence.

5. Believable or acceptable: the evidence presented in court should be in layman's language, clear and easy to understand. You should present a well-crafted version of the document with references to the technical document.

CYBERCRIME INVESTIGATION OBSTACLES

There are several obstacles that may be encountered during cybercrime investigations:

1. One such obstacle is created by the anonymity that information and communication technology affords to users. Anonymity enables individuals to engage in activities without revealing themselves and/or their actions to others. Attackers can create fake online profiles or use stolen identities to carry out their activities, complicating efforts to identify the real perpetrator.

2. Criminals often employ tools such as proxy servers, VPNs (Virtual Private Networks), and TOR (The Onion Router) to conceal their identities and evade detection. A proxy server acts as an intermediary between a client (e.g., a computer) and the server it requests resources from. By routing traffic through these servers, criminals obscure their actual IP addresses, making it much more difficult to trace their online activities. VPNs and TOR networks further enhance anonymity by encrypting communications and masking geographical locations, complicating efforts to identify and apprehend the perpetrators.

3. Cybercriminals adapt rapidly, using emerging technologies like AI, machine learning, and deepfakes to bypass traditional security measures.

4. Digital evidence can be easily altered, deleted, or hidden. Investigators need to act quickly to preserve such evidence, which is not always feasible.

5. Many organizations fail to report cybercrimes due to reputational damage or lack of awareness, making it difficult for law enforcement to track and respond to incidents.

Q/A

CYBERCRIMES AND THREATS
MUHANNAD ALRIHALI
5. Cyber Ethics

OUTLINE
- What is Ethics?
- What is Computer (Cyber) Ethics?
- The ten commandments of computer ethics
- Ethics and cultural differences
- Unethical uses of computer
- Codes of ethics
- Q/A

WHAT IS ETHICS?

Many professional groups have explicit rules governing ethical behavior in the workplace. For example, doctors and lawyers who commit egregious violations of their professions' canons of conduct can be removed from practice.

WHAT IS COMPUTER (CYBER) ETHICS?

In simple terms, computer ethics refers to the basic ethics and etiquette that must be followed while using a computer system. Ethics, in general, refers to propagating good behavior; similarly, by cyber ethics we refer to propagating good behavior online that is not harsh or rude.

THE TEN COMMANDMENTS OF COMPUTER ETHICS

1. Thou shalt not use a computer to harm other people.
2. Thou shalt not interfere with other people's computer work.
3. Thou shalt not snoop around in other people's computer files.
4. Thou shalt not use a computer to steal.
5. Thou shalt not use a computer to bear false witness.
6. Thou shalt not copy or use proprietary software for which you have not paid.
7. Thou shalt not use other people's computer resources without authorization or proper compensation.
8. Thou shalt not appropriate other people's intellectual output.
9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.
10. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.

ETHICS AND CULTURAL DIFFERENCES

Cultural differences can make it difficult to determine what is and is not ethical, especially when it comes to the use of computers. Studies on ethics and computer use reveal that people of different nationalities have different perspectives; difficulties arise when one nationality's ethical behavior violates the ethics of another national group. For example, to Western cultures, many of the ways in which Asian cultures use computer technology constitute software piracy.

UNETHICAL USES OF COMPUTER

Software License Infringement (piracy): software piracy is the unauthorized duplication, distribution, or use of computer software, for example making more copies of software than the license allows, or installing software licensed for one computer onto multiple computers or a server. Copying software is an act of copyright infringement and is subject to civil and criminal penalties. It is illegal whether you use the copied software yourself, give it away, or sell it. Aiding piracy by providing unauthorized access to software or to serial numbers used to register software can also be illegal.
UNETHICAL USES OF COMPUTER Illicit Use Computer illicit use is the legal term for the use of a computer to carry out improper or illegal activities, but which do not constitute financial crimes that would be classified as wire fraud. Misuse of Corporate Resources Examples of misuse of company assets may include using company equipment or facilities for personal use, diverting company funds for personal gain, stealing company property or information, or engaging in fraudulent activities using company resources ETHICS AND EDUCATION Key studies reveal that the overriding factor in leveling the ethical perceptions within a small population is education Employees must be trained and kept aware of a number of topics related to information security, not the least of which are the expected behaviors of an ethical employee This is especially important in information security, as many employees may not have the formal technical training to understand that their behavior is unethical or even illegal Proper ethical and legal training is vital to creating an informed, well prepared, and low-risk system user CODES OF ETHICS A number of professional organizations have established codes of conduct or codes of ethics that members are expected to follow Codes of ethics can have a positive effect on people’s judgment regarding computer use Unfortunately, many employers do not encourage their employees to join these professional organizations But employees who have earned some level of certification or professional accreditation can be deterred from ethical lapses by the threat of loss of accreditation or certification due to a violation of a code of conduct Loss of certification or accreditation can dramatically reduce marketability and earning power ORGANIZATIONS DEVELOPING CYBERSECURITY CODES OF ETHICS Association of Computing Machinery www.acm.org Code of 24 imperatives of personal ethical responsibilities of security professionals Information Systems Audit and Control Association 
www.isaca.org One process area and six subject areas that focus on auditing, information security, business process analysis, and IS planning through the CISA and CISM certifications Tasks and knowledge required of the information systems audit professional ORGANIZATIONS DEVELOPING CYBERSECURITY CODES OF ETHICS International Information Systems Security Certification Consortium (ISC) 2 www.isc2.org International Consortium dedicated to improving the quality of security professionals through SSCP and CISSP certifications Requires certificates to follow its p published code of ethics ACM CODE OF ETHICS AND PROFESSIONAL CONDUCT The ACM Code of Ethics and Professional Conduct is a guide to proactive action that helps computing professionals promote good. The Code is designed to inspire and guide the ethical conduct of all computing professionals, including current and aspiring practitioners, instructors, students, influencers, and anyone who uses computing technology in an impactful way Additionally, the Code serves as a basis for remediation when violations occur The Code includes principles formulated as statements of responsibility, based on the understanding that the public good is always the primary consideration ACM CODE OF ETHICS AND PROFESSIONAL CONDUCT Each principle is supplemented by guidelines, which provide explanations to assist computing professionals in understanding and applying the principle The code is made of four sections General ethical principles Professional responsibilities Professional leadership principles Compliance with this code GENERAL ETHICAL PRINCIPLES Contribute to society and human well-being: Promoting ethical computing for the benefit of society. Avoid harm: Minimizing or preventing harm to users, individuals, and communities. Be honest and trustworthy: Acting transparently and truthfully in all professional endeavors. Be fair and take action not to discriminate: Promoting equality, fairness, and inclusiveness. 
Respect privacy: maintaining the privacy and confidentiality of user data.
Honor confidentiality: protecting sensitive information obtained in the course of professional work.

2. PROFESSIONAL RESPONSIBILITIES
1. Strive to achieve high quality in both the processes and products of professional work.
Computing professionals should insist on and support high-quality work from themselves and from colleagues.
The dignity of employers, employees, colleagues, clients, users, and anyone else affected either directly or indirectly by the work should be respected throughout the process.
Computing professionals should respect the right of those involved to transparent communication about the project.
Professionals should be cognizant of any serious negative consequences affecting any stakeholder that may result from poor-quality work and should resist inducements to neglect this responsibility.

2. Maintain high standards of professional competence, conduct, and ethical practice.
High-quality computing depends on individuals and teams who take personal and group responsibility for acquiring and maintaining professional competence.
Professional competence starts with technical knowledge and with awareness of the social context in which their work may be deployed.
Professional competence also requires skill in communication, in reflective analysis, and in recognizing and navigating ethical challenges.
Upgrading skills should be an ongoing process and might include independent study, attending conferences or seminars, and other informal or formal education. Professional organizations and employers should encourage and facilitate these activities.

3. Accept and provide appropriate professional review.
High-quality professional work in computing depends on professional review at all stages. Whenever appropriate, computing professionals should seek and utilize peer and stakeholder review.
Computing professionals should also provide constructive, critical reviews of others' work.

4. Perform work only in areas of competence.
A computing professional is responsible for evaluating potential work assignments. This includes evaluating the work's feasibility and advisability, and making a judgment about whether the work assignment is within the professional's areas of competence.
If at any time before or during the work assignment the professional identifies a lack of necessary expertise, they must disclose this to the employer or client.
The client or employer may decide to pursue the assignment with the professional after additional time to acquire the necessary competencies, to pursue the assignment with someone else who has the required expertise, or to forgo the assignment.
A computing professional's ethical judgment should be the final guide in deciding whether to work on the assignment.

5. Foster public awareness and understanding of computing, related technologies, and their consequences.
As appropriate to the context and one's abilities, computing professionals should share technical knowledge with the public, foster awareness of computing, and encourage understanding of computing. These communications with the public should be clear, respectful, and welcoming.
Important issues include the impacts of computer systems, their limitations, their vulnerabilities, and the opportunities that they present.
Additionally, a computing professional should respectfully address inaccurate or misleading information related to computing.

6. Denial of Service Attack (DoS)

OUTLINE
DoS – Denial of Service Attack
Classification of DoS Attacks
Types or Levels of DoS Attack
DDoS – Distributed Denial of Service Attack
How to Protect from DoS and DDoS Attacks
Q/A

DOS – DENIAL OF SERVICE ATTACK
❑ The term DoS refers to a form of attack on a computer system over a network. It is normally a malicious attempt to make a networked system unable to function, but without permanently damaging it.
❑ A Denial-of-Service attack aims at preventing legitimate users from authorized access to a system resource. The attacker uses specialized software to send a flood of data packets to the target computer with the aim of overloading its resources.
❑ Denial of Service is currently the most expensive computer crime for victim organizations.

CLASSIFICATION OF DOS ATTACKS
❑ Volume-based attacks or bandwidth attacks: attacks that consume all available network bandwidth. Every site is given a particular amount of bandwidth for its hosting, say 50 GB. If visitors consume all 50 GB, the hosting provider can suspend the site. The attacker does the same: the attacker opens 100 pages of a site and keeps refreshing them, consuming all the bandwidth, so the site goes out of service. Eg: UDP floods, ICMP floods, spoofed packet floods.
❑ Application layer attacks or programming flaws: failures of applications or OS components to handle exceptional conditions (i.e. unexpected data is sent to a vulnerable component). The goal of this attack is to crash the web server.
❑ Protocol attacks or resource starvation:
▪ Attacks that consume system resources (mainly CPU, memory, storage space).
▪ Protocols here are the rules that must be followed to send data over a network. These kinds of attacks exploit a specific feature or implementation bug of some protocol installed on the victim's system to consume an excessive amount of its resources.
▪ Eg: TCP SYN floods, fragmented packet attacks, Ping of Death, Smurf attack, etc.
❑ Unintentional DoS attack
▪ A friendly or unintentional DoS attack is when a website experiences such heavy traffic that users can no longer access it. This happens when many people flood to the website and cause the server to crash.
▪ This may be due to a sudden enormous spike in the popularity of a particular website.
▪ Eg: a celebrity shares a link to a particular website on his/her own social media page, so that a large number of followers visit that website, which finally leads to a server crash.

TYPES OR LEVELS OF DOS ATTACKS
❑ UDP flood
❑ ICMP flood attack or ping flood
❑ SYN attack or TCP SYN flooding
❑ Smurf attack
❑ Ping of Death attack
❑ Teardrop attack
❑ Land attack
❑ Nuke attack
❑ Permanent denial-of-service attacks

❑ ICMP flood attack or ping flood
▪ Ping flood, also known as ICMP flood, is a common Denial of Service (DoS) attack in which an attacker takes down a victim's computer by overloading it with ICMP echo requests.
▪ The attacker hopes that the victim will respond with an ICMP "echo reply" packet for each ICMP request, thus consuming both the outgoing and the incoming bandwidth of the target device.
▪ It is most successful if the attacker has more bandwidth than the victim. If the target system is slow enough, it is possible to consume enough of its CPU cycles for a user to notice a significant slowdown.
❑ UDP flood
▪ A UDP flood is a type of denial-of-service attack in which a large number of User Datagram Protocol (UDP) packets are sent to a targeted server with the aim of overwhelming that device's ability to process and respond.
▪ The firewall protecting the targeted server can also become exhausted as a result of UDP flooding, resulting in a denial of service to legitimate traffic.
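As an added example that is not part of the slides, the Python below implements defender-side monitoring for the two attack classes described above: a per-source sliding-window rate check for the volume-based ICMP and UDP floods, and a half-open connection table for the protocol-level TCP SYN flood that flushes its oldest entries once a configurable threshold is reached. The packet records, addresses and thresholds are constructed for illustration, not taken from a real capture.

```python
# Added example (not from the slides): rate check for ICMP/UDP floods and a
# half-open TCP table with threshold flushing, run over constructed packets.
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    t: float          # seconds since the start of the constructed capture
    src: str
    dst: str
    proto: str        # "icmp", "udp" or "tcp"
    flags: str = ""   # TCP flags such as "S" or "A"; empty for non-TCP


def build_sample_traffic():
    """Constructed traffic: normal use plus a ping flood and a SYN flood."""
    pkts = []
    # Normal: a few echo requests and UDP datagrams, spread out in time.
    for i in range(5):
        pkts.append(Packet(i * 0.4, "192.0.2.10", "203.0.113.5", "icmp"))
        pkts.append(Packet(i * 0.4 + 0.1, "192.0.2.11", "203.0.113.5", "udp"))
    # Volume-based: 80 ICMP echo requests from one host within 0.4 seconds.
    for i in range(80):
        pkts.append(Packet(1.0 + i * 0.005, "198.51.100.7", "203.0.113.5", "icmp"))
    # Resource starvation: 30 SYNs from sources that never finish the handshake.
    for i in range(30):
        src = f"198.51.100.{100 + i}"
        pkts.append(Packet(2.0 + i * 0.01, src, "203.0.113.5", "tcp", "S"))
    # One legitimate handshake that does complete (SYN, then the final ACK).
    pkts.append(Packet(2.5, "192.0.2.12", "203.0.113.5", "tcp", "S"))
    pkts.append(Packet(2.6, "192.0.2.12", "203.0.113.5", "tcp", "A"))
    return sorted(pkts, key=lambda p: p.t)


def detect_volume_floods(packets, window=1.0, threshold=50):
    """Return {(src, proto): peak_count} for sources whose ICMP/UDP packet count
    inside any window-second interval exceeded threshold (sliding window)."""
    recent = defaultdict(deque)   # (src, proto) -> timestamps inside the window
    flagged = {}
    for p in packets:
        if p.proto not in ("icmp", "udp"):
            continue                  # TCP is handled by HalfOpenTracker
        key = (p.src, p.proto)
        q = recent[key]
        q.append(p.t)
        while q and p.t - q[0] > window:
            q.popleft()               # expire timestamps older than the window
        if len(q) > threshold:
            flagged[key] = max(flagged.get(key, 0), len(q))
    return flagged


class HalfOpenTracker:
    """Count embryonic TCP connections (SYN seen, handshake never completed).
    When the pending count reaches `limit`, the oldest `flush_count` entries are
    dropped so spoofed SYNs cannot fill the table: the "flush incomplete
    connections at a configurable threshold" mitigation from the slides."""

    def __init__(self, limit=20, flush_count=10):
        self.limit = limit
        self.flush_count = flush_count
        self.pending = {}     # (src, dst) -> SYN time; dict keeps insertion order
        self.flushed = 0
        self.completed = 0

    def observe(self, p):
        if p.proto != "tcp":
            return
        key = (p.src, p.dst)
        if "S" in p.flags and "A" not in p.flags:     # new connection request
            self.pending[key] = p.t
            if len(self.pending) >= self.limit:
                self._flush_oldest()
        elif "A" in p.flags and key in self.pending:  # third handshake message
            del self.pending[key]
            self.completed += 1

    def _flush_oldest(self):
        for key in list(self.pending)[: self.flush_count]:
            del self.pending[key]
            self.flushed += 1


def run_monitor(packets=None):
    """Run both checks over a packet list and return a summary dict."""
    if packets is None:
        packets = build_sample_traffic()
    tracker = HalfOpenTracker(limit=20, flush_count=10)
    for p in packets:
        tracker.observe(p)
    return {"floods": detect_volume_floods(packets),
            "half_open": len(tracker.pending),
            "flushed": tracker.flushed,
            "completed": tracker.completed}


if __name__ == "__main__":
    print(run_monitor())   # floods: {('198.51.100.7', 'icmp'): 80}, half_open 10
```

On the constructed traffic only the attacking host is flagged for the ICMP flood, the legitimate handshake completes, and the SYN table is flushed twice (20 entries) so it never holds more than the limit.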
❑ Ping of Death attack
▪ An attacker sends an ICMP ECHO request packet that is much larger than the maximum IP packet size to the victim. Since the received ICMP echo request is bigger than the normal IP packet size, the victim cannot reassemble the packets. The OS may crash or reboot as a result.
❑ Teardrop attack
▪ A teardrop attack is a denial-of-service (DoS) attack that involves sending fragmented packets to a target machine. Here the size of one fragment differs from that of the next. The receiving machine cannot reassemble them, because the fragments overlap one another, which crashes the network device or server.
▪ The figure below shows two fragmented packets of different sizes. Since the size is different for each fragment, the server will not be able to reassemble the packet properly, which leads to server failure. Server failure leads to denial of service.
[Figure: teardrop attack, overlapping fragments of different sizes]
❑ TCP SYN flood attacks
▪ Taking advantage of a flaw in TCP's three-way handshake behavior, an attacker makes connection requests aimed at the victim server with packets that carry unreachable source addresses.
▪ In TCP SYN flooding the last message of TCP's 3-way handshake never arrives from the sender.
▪ This causes the server to allocate memory for the pending connection and wait. This fills up the buffer space for SYN messages on the target system, preventing other systems on the network from communicating with the target system.
[Figure: TCP SYN flood]
❑ Smurf flood attacks
▪ For a network there are three types of IP addresses. The first one represents the IP address of the network router itself, eg: 192.168.1.0. The second category represents the IP addresses of all devices connected to that particular network router.
Eg: from 192.168.1.1 to 192.168.1.254. The third one represents the broadcast IP of that particular network, eg: 192.168.1.255.
▪ In a Smurf attack the attacker sends an ICMP request to the broadcast IP of a network, using the victim's IP as the source address.
▪ All the systems on that network reply to the victim with ICMP echo replies.
▪ This attack rapidly exhausts the bandwidth available to the target, effectively denying its services to legitimate users.
[Figure: Smurf attack, echo request to the broadcast address and the amplified replies]
❑ Land attack
▪ The attacker sends a fake TCP SYN packet with the same source and destination IP addresses and ports to a host computer.
▪ The IP address used is the host's own IP address.
▪ For this to work, the victim's network must be unprotected against packets coming from outside that carry the network's own IP addresses.
❑ Permanent DoS (PDoS) attack
▪ A type of DoS attack that damages a system so badly that it requires replacement or reinstallation of hardware.
❑ Nuke attack
▪ The attacker repeatedly sends fragmented or invalid ICMP packets to the target computer using a ping utility. This significantly slows the target computer.

DDOS ATTACK
❑ A denial-of-service attack in which the attacker gains illegal administrative access to as many computers on the Internet as possible and uses these multiple computers to send a flood of data packets to the target computer.

DOS AND DDOS ATTACK: DIFFERENCE
❑ It is important to differentiate between denial of service (DoS) and distributed denial of service (DDoS) attacks.
❑ In a DoS attack, a single computer and a single internet connection are used to exhaust the victim's resources by flooding a server with packets.
❑ In a DDoS attack, on the other hand, multiple computers and multiple internet connections, distributed globally, are used to make the attack. In this situation the victim is flooded with packets sent from many hundreds or thousands of sources.
[Figure: DoS versus DDoS, single source versus many distributed sources]

HOW TO PROTECT FROM DOS AND DDOS ATTACKS
❑ Buy more bandwidth
▪ Ensure that you have enough bandwidth to handle spikes in traffic that may be caused by malicious activity.
❑ Build redundancy into your infrastructure
▪ To make it as hard as possible for an attacker to successfully launch a DDoS attack against your servers, spread them across multiple data centers with a good load balancing system to distribute traffic between them. If possible, these data centers should be in different countries, or at least in different regions of the same country.
❑ Deploy anti-DDoS hardware and software modules
▪ Servers should be protected by network firewalls and more specialized web application firewalls. Configuring your firewall or router to drop incoming ICMP packets or block DNS responses from outside your network can help prevent certain DNS and ping-based volumetric attacks.
▪ Software protection can also be used, for example by monitoring how many incomplete connections exist and flushing them when the number reaches a configurable threshold value.
❑ Practice basic network security
▪ Engaging in strong security practices can keep business networks from being compromised. Secure practices include complex passwords that change on a regular basis, anti-phishing methods, and secure firewalls that allow little outside traffic.
❑ Understand the warning signs
▪ Some symptoms of a DDoS attack include network slowdown or broken website shutdowns.
No network is perfect, but if a lack of performance seems prolonged or more severe than usual, the network is likely experiencing a DDoS and the company should take action.
❑ Maintain spares
▪ Spares are machines that can be placed into service quickly if a similar machine is disabled.
❑ Establish and maintain regular backup schedules and policies.

7. Cyber Threat Modeling

OUTLINE
What is Threat Modeling?
Benefits of Threat Modeling
Threat Modeling Process
Types of Threat Models
Best Practices for Threat Modeling
Q/A

WHAT IS THREAT MODELING?
Threat modeling is a systematic approach to identifying and mitigating potential security threats. It helps in understanding and addressing vulnerabilities before they can be exploited.
The aim of the threat modeling process is to get a clear picture of the various assets of the organization, the possible threats to these assets, and how and when these threats can be mitigated. The end product of threat modeling is a robust security system.

BENEFITS OF THREAT MODELING
1. Early identification: identify potential security threats at an early stage, enabling timely countermeasures.
2. Improved understanding: gain a better understanding of the system's security posture, facilitating proactive risk management.
3. Cost-effective risk management: manage security risks in a cost-effective manner by prioritizing threats and allocating resources efficiently.
4. Enhanced collaboration: promote collaboration and communication between different stakeholders, fostering a holistic approach to security.

THREAT MODELING PROCESS
Step 1: Define the system. Define the system and its boundaries to establish a clear scope for the threat modeling process.
Step 2: Identify threats. Identify potential threats that could compromise the security of the system.
Step 3: Evaluate risks. Evaluate the risks associated with the identified threats to prioritize and allocate resources effectively.
Step 4: Address critical threats. Prioritize and address the most critical threats through appropriate mitigation strategies.
Step 5: Iterate and improve. Continuously iterate and improve the threat model to stay updated with evolving threats and system changes.

TYPES OF THREAT MODELS
There are several types of security threat models, each tailored to suit different system architectures and requirements. The next figure shows a high-level view of the existing threat modeling approaches.
[Figure: common threat modeling methodologies]

STRIDE THREAT MODEL
Created by Microsoft engineers, STRIDE is meant to guide the discovery of threats in a system. It is used along with a model of the target system, which makes it most effective for evaluating individual systems.
STRIDE is an acronym for the types of threats it covers, which are:
[Figure: the six STRIDE threat categories]

PASTA THREAT MODEL
PASTA stands for Process for Attack Simulation and Threat Analysis.
PASTA is an attacker-centric methodology with seven steps. It is designed to correlate business objectives with technical requirements.
PASTA's steps guide teams to dynamically identify, count, and prioritize threats. It provides a framework for conducting threat modeling activities throughout the software development lifecycle.

CVSS THREAT MODEL
The Common Vulnerability Scoring System (CVSS) captures the principal characteristics of a vulnerability and produces a numerical severity score.
It provides a scoring system that takes into account various factors such as exploitability, impact, and ease of remediation.
CVSS gives users a common and standardized scoring system across different cyber and cyber-physical platforms.
CVSS assigns a numerical score to vulnerabilities, allowing organizations to prioritize their response and allocate resources accordingly.
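As an added example, not from the slides, the Python below applies STRIDE the way the methodology is used in practice, against a model of the target system: each element of a small data-flow diagram is expanded into the threat categories that apply to its kind, and elements on a trust boundary are flagged for attention first. The element-kind-to-category table follows the usual STRIDE-per-element convention (assumed here), and the browser/web-server/database system is constructed for illustration.

```python
# Added example (not from the slides): STRIDE-per-element enumeration over a
# small, constructed data-flow model of a web application.
from collections import Counter
from dataclasses import dataclass

# The six STRIDE categories and the security property each one violates.
STRIDE = {
    "S": ("Spoofing", "authentication"),
    "T": ("Tampering", "integrity"),
    "R": ("Repudiation", "non-repudiation"),
    "I": ("Information disclosure", "confidentiality"),
    "D": ("Denial of service", "availability"),
    "E": ("Elevation of privilege", "authorization"),
}

# STRIDE-per-element: which categories are considered for each DFD element
# kind (assumed here to follow the usual Microsoft SDL convention).
APPLICABLE = {
    "external": "SR",
    "process": "STRIDE",
    "dataflow": "TID",
    "datastore": "TRID",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str                          # a key of APPLICABLE
    crosses_trust_boundary: bool = False


@dataclass(frozen=True)
class Threat:
    element: str
    category: str
    violates: str
    priority: str


# Constructed sample system: browser -> web server -> database.
SAMPLE_SYSTEM = [
    Element("Browser user", "external"),
    Element("HTTPS request", "dataflow", crosses_trust_boundary=True),
    Element("Web server", "process", crosses_trust_boundary=True),
    Element("SQL query", "dataflow"),
    Element("User database", "datastore"),
]


def enumerate_threats(elements):
    """Expand each element into the STRIDE threats applicable to its kind.

    Elements on a trust boundary are marked high priority: that is where
    untrusted input first meets the system, so those threats are examined first.
    """
    threats = []
    for e in elements:
        if e.kind not in APPLICABLE:
            raise ValueError(f"unknown element kind: {e.kind!r}")
        priority = "high" if e.crosses_trust_boundary else "normal"
        for letter in APPLICABLE[e.kind]:
            category, prop = STRIDE[letter]
            threats.append(Threat(e.name, category, prop, priority))
    return threats


def summarize(threats):
    """Count threats per STRIDE category, e.g. to see where coverage is thin."""
    return dict(Counter(t.category for t in threats))


def high_priority(threats):
    """Threats on trust-boundary elements: the ones to mitigate or justify first."""
    return [t for t in threats if t.priority == "high"]


if __name__ == "__main__":
    found = enumerate_threats(SAMPLE_SYSTEM)
    for t in high_priority(found):
        print(f"{t.element:15} {t.category:24} violates {t.violates}")
    print(summarize(found))
```

Each enumerated threat is a question for the team to answer with a mitigation or a documented acceptance; the summary shows that on this model tampering, disclosure and denial of service dominate because every data flow and the store carry them.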
DREAD THREAT MODEL
DREAD is an acronym that stands for Damage potential, Reproducibility, Exploitability, Affected users, and Discoverability.
It is a risk assessment model used to evaluate the potential risks associated with identified threats.
DREAD provides a scoring system for each criterion, allowing threats to be prioritized based on their severity and impact.
[Figure: DREAD scoring criteria]

THREAT MODELING
While all of these threat modeling methodologies serve the purpose of identifying and assessing security threats, they differ in their approach and focus. STRIDE focuses on six specific threat categories, PASTA provides a structured methodology for threat analysis, DREAD offers a risk assessment model, and CVSS is primarily used for vulnerability scoring and prioritization.
The choice of which methodology to use depends on the specific needs and requirements of the organization or project. It is also common to combine multiple techniques or adapt them to suit the unique context of the system being analyzed.

BEST PRACTICES FOR THREAT MODELING
Involve all relevant stakeholders: include representatives from various disciplines, such as developers, architects, security professionals, and business stakeholders, to ensure a comprehensive understanding of the system and its security requirements.
Start early in the development lifecycle: integrate threat modeling activities as early as possible in the software development process to identify and address security risks from the outset.
Use a structured approach: adopt a structured methodology or framework for threat modeling, such as STRIDE, PASTA, or any other suitable technique, to ensure a systematic and consistent analysis of threats.
Continuously update and refine the threat model: recognize that threat modeling is an iterative process. Regularly review and update the threat model to account for changes in the system and emerging threats.
Consider different perspectives and threat modeling techniques: explore multiple threat modeling techniques and perspectives to gain a comprehensive understanding of potential threats and vulnerabilities.
Integrate threat modeling with other security processes: connect threat modeling with other security practices, such as risk management, penetration testing, and secure coding practices, to create a holistic and cohesive security approach.
Document and communicate the findings: document the identified threats, risks, and mitigation strategies in a clear and concise manner. Communicate the results to relevant stakeholders to ensure a shared understanding of the security posture and necessary action points.
Seek expertise and external perspectives: consider engaging external security experts or consultants to provide guidance, validation, and an impartial assessment of the threat model.

8. Attack Lifecycle

OUTLINE
What is the Cyber Kill Chain?
Phases of the Cyber Kill Chain
Role of the Cyber Kill Chain
How does the Cyber Kill Chain protect against attacks?
Q/A

CYBER KILL CHAIN
Developed by Lockheed Martin, the Cyber Kill Chain® framework is part of the Intelligence Driven Defense® model for the identification and prevention of cyber intrusion activity. The model identifies what the adversaries must complete in order to achieve their objective.
The seven steps of the Cyber Kill Chain® enhance visibility into an attack and enrich an analyst's understanding of an adversary's tactics, techniques and procedures.

HOW THE CYBER KILL CHAIN WORKS
The term "cyber kill chain" was adapted from the military and describes the structure of an attack (either offensive or defensive) broken into a pattern of identifiable stages, including identifying a target, dispatch, decision, order, and destruction of the target.
In cybersecurity, the cyber kill chain is a model outlining the various phases of common cyberattacks. Using the cyber kill chain, organizations can trace the stages of a cyberattack to better anticipate and prevent cyber threats in the future.
[Figure: the seven phases of the Cyber Kill Chain]

1. RECONNAISSANCE
Reconnaissance is the first stage in the Cyber Kill Chain and involves researching potential targets before carrying out any penetration testing.
The reconnaissance stage may include identifying potential targets, finding their vulnerabilities, discovering which third parties are connected to them (and what data they can access), and exploring existing entry points as well as finding new ones. Reconnaissance can take place both online and offline.

2. WEAPONIZATION
The weaponization stage of the Cyber Kill Chain occurs after reconnaissance has taken place and the attacker has discovered all necessary information about potential targets, such as vulnerabilities.
In the weaponization stage, all of the attacker's preparatory work culminates in the creation of malware to be used against an identified target.
Weaponization can include creating new types of malware or modifying existing tools to use in a cyberattack. For example, cybercriminals may make minor modifications to an existing ransomware variant to create a new Cyber Kill Chain tool.

3. DELIVERY
In the delivery stage, cyberweapons and other Cyber Kill Chain tools are used to infiltrate a target's network and reach users.
Delivery may involve sending phishing emails containing malware attachments with subject lines that prompt users to click through.
Delivery can also take the form of hacking into an organization's network and exploiting a hardware or software vulnerability to infiltrate it.

4. EXPLOITATION
Exploitation is the stage that follows delivery and weaponization.
In the exploitation step of the Cyber Kill Chain, attackers take advantage of the vulnerabilities they have discovered in previous stages to further infiltrate a target's network and achieve their objectives. In this process, cybercriminals often move laterally across a network to reach their targets.
Exploitation can sometimes lead attackers to their targets if those responsible for the network have not deployed deception measures.

5. INSTALLATION
After cybercriminals have exploited their target's vulnerabilities to gain access to a network, they begin the installation stage of the Cyber Kill Chain: attempting to install malware and other cyberweapons onto the target network to take control of its systems and exfiltrate valuable data.
In this step, cybercriminals may install cyberweapons and malware using Trojan horses, backdoors, or command-line interfaces.

6. COMMAND AND CONTROL
In the C2 stage of the Cyber Kill Chain, cybercriminals communicate with the malware they have installed on a target's network to instruct cyberweapons or tools to carry out their objectives.
For example, attackers may use communication channels to direct computers infected with the Mirai botnet malware to overload a website with traffic, or C2 servers to instruct computers to carry out cybercrime objectives.

7. ACTIONS ON OBJECTIVES
After cybercriminals have developed cyberweapons, installed them on a target's network, and taken control of their target's network, they begin the final stage of the Cyber Kill Chain: carrying out their cyberattack objectives.
While cybercriminals' objectives vary depending on the type of cyberattack, some examples include weaponizing a botnet to interrupt services with a Distributed Denial of Service (DDoS) attack, distributing malware to steal sensitive data from a target organization, and using ransomware as a cyber extortion tool.
The final phase involves executing the attack's primary objective, such as:
Data exfiltration
Encryption (and possible attempts to ransom or extort the target)
Supply chain attacks

LAYERS OF CONTROL
Based on these stages, the following layers of control implementation are provided:
1. Detect – determine the attempts to penetrate an organization.
2. Deny – stop the attacks while they are happening.
3. Disrupt – intervene in the data communication carried out by the attacker and stop it.
4. Degrade – limit the effectiveness of a cybersecurity attack to minimize its ill effects.
5. Deceive – mislead the attacker by providing them with misinformation or misdirecting them.
6. Contain – contain and limit the scope of the attack so that it is restricted to only some part of the organization.

ROLE OF THE CYBER KILL CHAIN IN CYBERSECURITY
Detect attackers within each stage of the threat lifecycle with threat intelligence techniques.
Prevent access from unauthorized users.
Stop sensitive data from being shared, saved, altered, exfiltrated or encrypted by unauthorized users.
Respond to attacks in real time.
Stop lateral movement of an attacker within the network.

HOW DOES THE CYBER KILL CHAIN PROTECT AGAINST ATTACKS?
The cyber kill chain is not a security system: it is a framework that enables security teams to anticipate how attackers will act so they can stop them as quickly as possible, or intercept them if the attack has already transpired.
The cyber kill chain maps out the exact path a typical attacker will take so cybersecurity teams can recognize the starting point of common cyberattacks.
Cyber kill chain simulations allow security teams to gain firsthand experience in dealing with a cyber threat, and evaluating simulation responses can help organizations identify and remediate any security gaps that may exist.
The cyber kill chain's purpose is to bolster an organization's defenses against advanced persistent threats (APTs), also known as sophisticated cyberattacks. These threats commonly include:
Malware
Ransomware
Trojan horses
Phishing
Other social engineering techniques

EXAMPLES OF HACKER (ADVERSARY) PROFILES
Disaffected former employee
Goals: personal motives – embarrass or stalk former co-workers.
Scope: organizational subset – email and messaging services.
Timeframe, persistence, and stealth: episodic, limited planning, moderate concern for concealing methods.
Effects: fabricated messages; non-physical harm to targeted individuals.
Capabilities: use credentials (user ID and password) that were not decommissioned when the employee was terminated; perform spear-phishing of former co-workers to obtain their credentials.

Criminal organization
Goals: stepping-stone.
Scope: organizational associates; sector.
Timeframe, persistence, and stealth: sustained, with persistent, stealthy activities in most stages of the attack (recon, deliver, exploit, control, execute, maintain).
Effects: establish a foothold for attacks on a customer organization.
Capabilities: adversary-developed malware.

APT team
Goals: economic advantage.
Scope: organizational operations; sector.
Timeframe, persistence, and stealth: sustained, with persistent, stealthy activities in all stages of the attack.
Effects: extensive or repeated data breaches; extensive or repeated DoS.
Capabilities: malware crafted to the target environment, and maintaining a long-term presence in systems.

9. Cyber Policy

OUTLINE
What is a Security Policy?
Why is a Security Policy important?
Types of Security Policy
Elements of an effective Security Policy
Examples of Security Policy
SANS Template
Q/A

WHAT IS A SECURITY POLICY?
A security policy (also called an information security policy or IT security policy) is a document that spells out the rules, expectations, and overall approach that an organization uses to maintain the confidentiality, integrity, and availability of its data.
Security policies exist at many different levels, from high-level constructs that describe an enterprise's general security goals and principles to documents addressing specific issues, such as remote access or Wi-Fi use.
A security policy is frequently used in conjunction with other types of documentation, such as standard operating procedures. These documents work together to help the company achieve its security goals.
The policy defines the overall strategy and security stance, with the other documents helping build structure around that practice. You can think of a security policy as answering the "what" and "why," while procedures, standards, and guidelines answer the "how."

WHY IS A SECURITY POLICY IMPORTANT?
1. Guides the implementation of technical controls
2. Sets clear expectations
3. Helps meet regulatory and compliance requirements
4. Improves organizational efficiency and helps meet business objectives

TYPES OF SECURITY POLICIES
1. Program policy
Program policies are strategic, high-level blueprints that guide an organization's information security program. They spell out the purpose and scope of the program, as well as define roles and responsibilities and compliance mechanisms.
2. Issue-specific policy
Issue-specific policies build upon the generic security policy and provide more concrete guidance on certain issues relevant to an organization's workforce. Common examples could include a network security policy, bring-your-own-device (BYOD) policy, social media policy, or remote work policy. These may address specific technology areas but are usually more generic.
A remote access policy might state that offsite access is only possible through a company-approved and supported VPN, but that policy probably won't name a specific VPN client. This way, the company can change vendors without major updates.
3. System-specific policy
A system-specific policy is the most granular type of IT security policy, focusing on a particular type of system, such as a firewall or web server, or even an individual computer. In contrast to issue-specific policies, system-specific policies may be most relevant to the technical personnel that maintain them.
NIST states that system-specific policies should consist of both a security objective and operational rules. IT and security teams are heavily involved in the creation, implementation, and enforcement of system-specific policies, but the key decisions and rules are still made by senior management.

ELEMENTS OF AN EFFECTIVE SECURITY POLICY
1. Clear purpose and objectives
2. Scope and applicability
3. Commitment from senior management
4. Realistic and enforceable policies
5. Clear definitions of important terms
6. Tailored to the organization's risk appetite
7. Up-to-date information

SECURITY POLICY EXAMPLES
Program or organizational policy: this high-level security blueprint is a must for all organizations, and spells out the goals and objectives of an information security program. The program policy also specifies roles and respons