
 

 

 

Information Security and Cybercrime
ICA

 

By Dyllan Allison


T7062558

Teesside University

2017-18

 

 

Green is within 250 words, Red means
over 250

 

Change Styles of Headings at Later
Date

 

Also add references such as (r.shay,
2004) to parts where I have re-written text in my own words or else it may be
flagged i.e this is my own words (r.shay, 2004).

 

 

 

 

 

1       System Security

1.1      Threats and Vulnerabilities

Threats and vulnerabilities are two completely different things, but they often work in tandem: the vulnerability is the platform on which the threat can be realized, and the threat is the possible action taken against you or your system. While this may seem like a simple concept, threats and vulnerabilities are far more than simple problems to overcome. But what exactly are they?

A threat can be defined as anything that exploits a vulnerability in a system; threats can be both software-based and physical. A threat is better viewed as a “what if”, something that “might” happen in the future, rather than a set-in-stone attack, because a threat relies on a vulnerability before it can materialize.

Vulnerabilities offer a platform for threats to attack and are something that will always have existed within a system, which is the biggest difference between the two: vulnerabilities cannot simply materialize out of nowhere, they will always have existed in some capacity, whereas a threat cannot become an actual attack without a vulnerability. To stop a threat from exploiting a vulnerability and becoming an actual attack, the vulnerability must be eliminated through various means.

A vulnerability can arise from something as simple as an employee not receiving proper email usage training and not recognizing the difference between a real email and a threat; in this example the employee is the vulnerability and the email is the threat. Once that malicious email has been opened, the threat becomes an attack and the system the employee is using becomes compromised.

1.2      Legal, Social and Ethical Issues in Relation to Surveillance

The leaking of information to competitors by employees is a very real and serious threat posed to any business. However, if an employer decides to start monitoring and surveilling employee activity, many legal grey areas and issues arise, because it can be seen as a violation of human rights as well as an invasion of privacy. This section of the report covers such issues, starting with the legal issues.

There isn’t much in the way of legal issues that stops an employer from monitoring and surveilling the workplace activities of their staff; in actuality, the only law under which all forms of monitoring are covered is the Data Protection Act, as stated by citizensadvice.org and gov.uk. In many cases employers do not even require your legal consent to monitor your electronic communications at work if there is a justifiable reason, e.g. preventing a crime or an internal investigation. If the employer decides to use the data collected from surveillance and monitoring for something outside of its stated purpose, they become legally liable, as this is a breach of the Data Protection Act; monitoring of personal data is also considered to be illegal.

(WRITE ABOUT ETHICS AND SOCIAL ISSUES AT A LATER DATE HERE/REWRITE THIS SECTION)

 

1.3      Onion Routing (REVISIT AT A LATER DATE – ADD EXAMPLE)

There is one widely shared statement about the internet that has seemingly just been accepted by its massive userbase: your privacy, and your right to privacy as a user, are long gone. Your anonymity as a user, for better and for worse, is almost non-existent, as your internet activities can always be traced back to you regardless of whether they’re legal or illegal. We can, however, make this task very difficult and effectively achieve some level of anonymity online using a technique called onion routing.

Onion routing works on a similar concept to that of proxy servers, but instead of being sent through a single server your data packets are sent through a network of user-hosted nodes. The packets remain encrypted at every step of the way until they’re finally decrypted by what is known as an “exit node”; after decryption the packets are sent to their destination. If traced back, the data will appear to have originated from the exit node and the relay nodes behind it rather than from your own system.

This method effectively adds multiple layers of encryption to your data before it reaches its destination, making it very difficult to see what is being sent or even to track the message back to the location it was originally sent from. Onion routing achieves privacy for its users by offering multiple layers of security for data sent through its nodes, all while making it almost impossible to track the data back to its original location, because the exit node acts like the original sender of the data.
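The layering described above, as an added example that is not part of the original essay: a three-node circuit simulated in Python, recording what each node can observe. The cipher is a toy SHA-256 keystream standing in for real encryption, and the node names, keys and destination are constructed for illustration.

```python
import hashlib
import json
import os

def keystream_xor(key, nonce, data):
    """Toy stream cipher (SHA-256 in counter mode), a stand-in for the real
    encryption an onion network uses. Illustration only, not secure."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def wrap(key, next_hop, inner):
    """Add one layer: encrypt the next hop and the inner blob for one node."""
    nonce = os.urandom(16)
    body = json.dumps({"next": next_hop, "data": inner.hex()}).encode()
    return nonce + keystream_xor(key, nonce, body)

def peel(key, blob):
    """Remove one layer: the node learns the next hop and an opaque blob."""
    layer = json.loads(keystream_xor(key, blob[:16], blob[16:]))
    return layer["next"], bytes.fromhex(layer["data"])

def build_onion(path, destination, payload):
    """path is [(node_name, key), ...] from entry to exit. The sender wraps
    the innermost (exit) layer first and the entry layer last."""
    next_hops = [name for name, _ in path[1:]] + [destination]
    blob = payload
    for (_, key), hop in zip(reversed(path), reversed(next_hops)):
        blob = wrap(key, hop, blob)
    return blob

def route(path, blob, sender="client"):
    """Pass the onion along the circuit, recording what each node observes."""
    seen, prev = [], sender
    for name, key in path:
        hop, blob = peel(key, blob)
        seen.append({"node": name, "received_from": prev, "forwards_to": hop})
        prev = name
    return seen, blob

# Constructed circuit: hypothetical node names with random per-node keys.
PATH = [(n, os.urandom(32)) for n in ("entry", "middle", "exit")]

if __name__ == "__main__":
    onion = build_onion(PATH, "site.example", b"GET /index.html")
    seen, delivered = route(PATH, onion)
    for view in seen:
        print(view)
    print("exit node forwards:", delivered)
```

Only the entry node sees the client and only the exit node sees the destination. The exit node also recovers the payload in the clear, so confidentiality of the content beyond the exit still depends on end-to-end encryption such as HTTPS.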

1.4      Issues Caused by Certificate Authorities for End Users

Breach of privacy is one very real issue that end users face. It has been speculated by many that governments conspire with and use certificate authorities to partake in malicious activities such as spying on individual users; while this may seem far-fetched, there has already been a case of this happening, and if true this is a very serious issue, as it breaches the trust the end user places in the CA. Back in January of 2017 Microsoft released a Windows update that installed a Thai government root certificate, which is used to verify HTTPS-enabled websites (A. Toor, 2017). Considering the Thai government is well known for keeping tight control over the internet, it would not be beyond the realm of reason to assume it uses this certificate for malicious activities, e.g. spying on its citizens or intercepting communications.

 

 

Certificate authorities are, and always will be, a prime target for attackers to try to exploit; a successful attack on a CA can leave millions of end users susceptible to a wide variety of attacks, most notably man-in-the-middle attacks using fraudulent digital certificates. The most notable of these attacks is that on DigiNotar, where an attacker was able to compromise its servers and issue over 500 fraudulent certificates, including one for *.google.com; according to an investigation report written by Fox-IT, over 300,000 (primarily Iranian) end users were affected by this attack. DigiNotar was found to be running unpatched software on one of its web servers, and because of this negligence over a quarter of a million end users had their communications intercepted.

2       Digital Evidence and Cyberattack Scenarios

2.1      Securing Evidence

Since the inception of computers, it has become much easier for people to partake in criminal activity, especially on a much grander scale, but thankfully it has also become somewhat easier to collect evidence on these criminals using various techniques and forensic tools. Almost all child grooming today is committed via computers and other electronic devices, which means that in almost all cases of child grooming there will be admissible evidence that can be extracted from the device used by the perpetrator.

The words “chain of custody” are the three most important words when it comes to a crime scene, as chain of custody ensures the integrity of any evidence collected. With digital evidence, all devices suspected of having been used to commit a crime such as child grooming must be seized as quickly as possible; if not, there is a risk that evidence may be tampered with in some capacity. Chain of custody is also maintained by documenting the seizure, taking images and assigning serial numbers to the devices taken.

When ready, the devices collected need to be forensically examined to extract and secure any evidence stored on them. In most cases this is done through a method called imaging, where an exact copy of the device is created so that the integrity of the original is preserved during the investigation. These devices must be handled by forensic professionals and should not be examined at the scene of the investigation unless necessary, as even simply turning a device on can alter thousands of files, which would make any evidence found later no longer admissible in court.

Having evidence thrown out of court as inadmissible is one of the biggest issues that can occur during the investigation and conviction of a criminal; fortunately, we are able to almost completely avoid this issue today using hashing algorithms. Before any examination can take place, we generate what is known as a hash value for the forensic image, which acts as a large numeric identifier (1). This value is unique to the data stored on both the copy and the original device, so matching the two values verifies the integrity of the evidence collected. If even the smallest change is made to the data on the copy, the hash value will be completely different and will no longer match, which in turn shows signs of tampering.
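The hash check described above, as an added example that is not part of the original essay: a source is imaged while being hashed, the hash is stored in a custody record, and a working copy is re-verified before and after a single bit is changed. SHA-256 is an assumption (the essay names no algorithm), and the file names and 4 KiB sample “device” are constructed.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in fixed-size chunks so large disk images fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def acquire(source_path, image_path, chunk_size=1 << 20):
    """Copy source to image, hashing the bytes as they are read, then re-hash
    the written image. 'verified' is False if the two hashes differ."""
    h = hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(chunk_size), b""):
            h.update(chunk)
            dst.write(chunk)
    image_hash = sha256_file(image_path)
    return {"source_sha256": h.hexdigest(), "image_sha256": image_hash,
            "verified": h.hexdigest() == image_hash}

def verify(image_path, record):
    """Re-check a working copy against the hash recorded at acquisition."""
    return sha256_file(image_path) == record["source_sha256"]

def demo():
    """Constructed sample: image a 4 KiB 'device', then flip one bit."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "device.bin")
        img = os.path.join(d, "image.dd")
        with open(src, "wb") as f:
            f.write(bytes(range(256)) * 16)
        record = acquire(src, img)
        intact = verify(img, record)
        with open(img, "r+b") as f:          # simulate tampering
            f.seek(1000)
            byte = f.read(1)[0]
            f.seek(1000)
            f.write(bytes([byte ^ 0x01]))    # change a single bit
        still_valid = verify(img, record)
        return record, intact, still_valid

if __name__ == "__main__":
    print(demo())
```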

Social media has become the most popular and widely used form of communication, but this has also made it much easier for people to commit crimes. If we take a case such as Bob being a suspected child groomer, social media makes it much easier for him to communicate with children, for example on Tumblr where, according to statista.com, the userbase is found to be predominantly 16-25 years of age or younger. Users will often ignore the age restrictions in a platform’s terms of service, which can make it hard to track the actual age of users on those platforms; this is especially apparent on Facebook.

Because social media is often a hotbed of evidence for the police, it is extremely beneficial to them when they’re able to gain access to the suspect’s data or account. If the forensic team analyzing the system can’t brute force its way into the suspect’s account, the police will issue a court order, a subpoena or search warrant for example, to make Facebook or any other social media platform hand over any data it has on the suspect; the data provided by the platform can be anything from IP logs, chat logs and login information to much more (2).

Issues can arise if the police need to issue a court order, as they’re not in control of the process; the magistrate, judge or the supreme court is. Without probable cause a judge isn’t obligated to issue a court order to a social media platform, which means the police can potentially lose evidence of a crime if they’re not able to gain access some other way. The likelihood of a court order not being issued is minuscule, especially in a case such as child grooming, but it has happened in the past, and the potential amount of evidence lost due to an issue like this can be staggering.

Email evidence can work in a similar fashion to that of social media, where a court order can be given to gain access to a suspect’s information. Forensic analysts can extract the metadata contained within email headers for information such as the IP address of the sender/receiver, email addresses and the dates when the email was sent. Unfortunately, email metadata can be forged and spoofed through a proxy, which often means email evidence is heavily scrutinized and must be authenticated before it can be presented as evidence (3). The recovery of deleted emails can also be somewhat of an issue, as an email service provider will only keep archives of your emails for a certain amount of time; after this time they will no longer be recoverable.
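The header metadata described above, as an added example that is not part of the original essay: the relay chain is read from the Received headers and cross-checked against the sender-supplied Date header. The message, addresses and one-hour skew threshold are constructed, and the two checks are illustrative rather than a complete authentication procedure.

```python
import re
from datetime import timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message (documentation-range IPs, example domains).
SAMPLE = """\
Received: from mx.example.net (mx.example.net [203.0.113.25])
\tby inbox.example.org with ESMTPS; Tue, 06 Mar 2018 10:15:09 +0000
Received: from laptop (unknown [198.51.100.7])
\tby mx.example.net with ESMTP; Tue, 06 Mar 2018 10:15:02 +0000
From: Sender <sender@example.net>
To: recipient@example.org
Date: Sat, 03 Mar 2018 09:00:00 +0000
Subject: constructed sample

body
"""

def received_chain(raw):
    """Return relay hops oldest-first. Each server prepends its own Received
    line, so the header order in the message is newest-first."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        info, _, stamp = value.rpartition(";")
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", info)
        by = re.search(r"\bby\s+(\S+)", info)
        hops.append({"by": by.group(1) if by else None,
                     "ip": ip.group(1) if ip else None,
                     "time": parsedate_to_datetime(stamp.strip())})
    return hops[::-1]

def findings(raw, max_skew=timedelta(hours=1)):
    """Flag internal inconsistencies. Passing these checks does not prove
    authenticity; it only means no tampering was detected here."""
    hops, notes = received_chain(raw), []
    claimed = parsedate_to_datetime(message_from_string(raw)["Date"])
    if hops and abs(hops[0]["time"] - claimed) > max_skew:
        notes.append("date_header_skew")
    if any(a["time"] > b["time"] for a, b in zip(hops, hops[1:])):
        notes.append("hop_times_out_of_order")
    return notes

if __name__ == "__main__":
    for hop in received_chain(SAMPLE):
        print(hop)
    print(findings(SAMPLE))
```

Only the Received lines added by servers the investigator trusts can be relied on; everything below them, including the Date and From headers, is supplied by the sending side.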

Mobile phones are often a goldmine of evidence, as they’re at this point a staple in how people communicate on a day-to-day basis; someone like Bob can exploit this fact and use many of the apps at his disposal to chat to vulnerable children. Extracting evidence from a mobile phone works in a similar way to that of a computer, where a forensic image is created of the mobile device, but thankfully for mobile phones almost all data is recoverable no matter how deep within the system it may be or how damaged the phone is. By scouring the file system of a mobile phone bit by bit, forensic experts are able to recover almost anything.

 

 

There is almost no limit as to what can be recovered from a mobile phone, due to everything being stored locally on the device; this means that if a suspect uses an app like WhatsApp to send illicit messages, they can be recovered from a folder in the internal memory even if deleted. Images taken by the device also contain metadata of the mobile phone, which can be used to authenticate certain types of evidence, for example if an illicit image has been sent; this metadata will consist of IP address, name, make and model of the phone, dates and much more. (ADD IN DIGITAL FOOTPRINT LATER)

2.2      Cyberattacks and the Recovery from Them

Cyberattacks are commonplace in today’s society, and one of the most popular types, known as ransomware, resembles a hostage situation. It has been speculated that from 2017 to 2021 global spending on cybersecurity could exceed $1 trillion, and that damages due to cybercrime could also potentially exceed $6 trillion annually by 2021 (1). While ransomware may not be a dangerous type of malware in the way Stuxnet is, it has seen a rise in use by criminals looking to make money from unsuspecting victims; in 2016 alone the FBI reported more than 4,000 daily ransomware attacks (2).

Currently there are 3 different types of ransomware in circulation: screen-locking ransomware, where the user isn’t able to get past the ransom note screen; encryption ransomware, where your data is encrypted using public key cryptography, which is the most damaging of the three and can often result in loss of data during the recovery process; and something that pretends to be ransomware but doesn’t actually do anything to the system other than demand money (3).

Ransomware can be scary to the average user, as it is often presented as if the police are demanding you pay some kind of fine for breaking a law. While this is completely fake, it can often frighten users into paying the fine without properly looking into it, which is why it’s such an effective method of attack. Smart criminals can and will exploit a paying victim even further by handing back the system or all of the data and then executing another attack at a later date, since they know there’s a chance the user will pay out once again.

Small businesses like accountancy firms are seen as a priority target for cybercriminals, as they often hold sensitive information that, when stolen or exploited, can lead to serious repercussions for the business such as lawsuits and bankruptcy. A small business such as this would be seen as more inclined to pay a ransom, as the repercussions outweigh the cost of paying out, but almost every security expert would advise against paying any sort of ransom, as there is never a guarantee you’ll receive the key to unlock your data.

 

 

 

Arriving at the premises of a small accountancy firm, there are a few first steps that you would need to take regardless of the type of ransomware used in the attack. The first is to disconnect any device connected to the internet and go offline as soon as possible, as ransomware can spread to other systems connected to the same network. An explanation would also need to be given to the owners about the situation they’re in, how much downtime they may experience during the recovery process and what kind of data they may lose, so that the owners can start determining their losses while you’re busy with recovery. It would also be beneficial to determine whether older backups are available before the process begins, to get an idea of what kind of data will be recoverable.

Once the owners have been informed and the systems have all been disconnected from the internet, we would then need to determine the type of ransomware used on the system and how many of the computers are infected. This is an important step, as recovery is done differently depending on the type of ransomware infecting the system; in this scenario there are two infected systems.

Screen-locking ransomware is the easier of the two types to fix, because it does not actually encrypt any of the data stored on the system. If it has been determined that the ransomware is a screen-locking type, we would first need to reboot the system in safe mode, which allows the removal of malware via antivirus/malware removal software; this is because safe mode restricts your system to using only the essential files and keeps any infected files inactive. If the safe mode method doesn’t work, we can restore the system to an older state by going into the advanced boot options, although this may result in data being lost permanently if backups aren’t available.