Question


1. Explain why a policy-driven response to cyber-attacks is vital to security.

2. Explain the European Union’s Right to Be Forgotten initiative.

3. Explain the implications of war moving from a physical battlefield to a cyber battlefield (or a combination of the two).

4. Discuss the breadth of the threat of theft due to a lack of encryption.

5. Explain the kinds of crimes that can occur when thieves are able to access unencrypted data.

Answer #1

1. Explain why a policy-driven response to cyber-attacks is vital to security.

Ans:

Cyber-Attacks:

A cyberattack may steal, alter, or destroy a specified target by hacking into a susceptible system. Cyberattacks can range from installing spyware on a personal computer to attempting to destroy the infrastructure of entire nations.

Cybersecurity:

Cybersecurity is important because it encompasses everything that pertains to protecting our sensitive data, personally identifiable information (PII), protected health information (PHI), personal information, intellectual property, data, and governmental and industry information systems from theft and damage attempted by criminals and adversaries.

Cybersecurity risk is increasing, driven by global connectivity and usage of cloud services, like Amazon Web Services, to store sensitive data and personal information. Widespread poor configuration of cloud services paired with increasingly sophisticated cyber criminals means the risk that your organization suffers from a successful cyber-attack or data breach is on the rise.

Cybersecurity policies:

Cybersecurity policies are important because cyberattacks and data breaches are potentially costly. At the same time, employees are often the weak links in an organization's security. Employees share passwords, click on malicious URLs and attachments, use unapproved cloud applications, and neglect to encrypt sensitive files. Grand Theft Data, a McAfee report on data exfiltration, found that people inside organizations caused 43% of data loss, one-half of which was accidental. Improved cybersecurity policies can help employees and consultants better understand how to maintain the security of data and applications.

These types of policies are especially critical in public companies or organizations that operate in regulated industries such as healthcare, finance, or insurance. These organizations run the risk of large penalties if their security procedures are deemed inadequate.

Even small firms not subject to federal requirements are expected to meet minimum standards of IT security and could be prosecuted for a cyberattack that results in loss of consumer data if the organization is deemed negligent. Some states, such as California and New York, have instituted information security requirements for organizations conducting business in their states.

Cybersecurity policies are also critical to the public image and credibility of an organization. Customers, partners, shareholders, and prospective employees want evidence that the organization can protect its sensitive data. Without a cybersecurity policy, an organization may not be able to provide such evidence.

Cybersecurity policy procedures:

Cybersecurity procedures explain the rules for how employees, consultants, partners, board members, and other end-users access online applications and internet resources, send data over networks, and otherwise practice responsible security. Typically, the first part of a cybersecurity policy describes the general security expectations, roles, and responsibilities in the organization. Stakeholders include outside consultants, IT staff, financial staff, etc. This is the "roles and responsibilities" or "information responsibility and accountability" section of the policy.

The policy may then include sections for various areas of cybersecurity, such as requirements for antivirus software or the use of cloud applications. The SANS Institute provides examples of many types of cybersecurity policies. These SANS templates include a remote access policy, a wireless communication policy, password protection policy, email policy, and digital signature policy.

Organizations in regulated industries can consult online resources that address specific legal requirements, such as the HIPAA Journal's HIPAA Compliance Checklist or IT Governance's article on drafting a GDPR-compliant policy.

For large organizations or those in regulated industries, cybersecurity policy is often dozens of pages long. For small organizations, however, a security policy might be only a few pages and cover basic safety practices. Such practices might include:

  • Rules for using email encryption
  • Steps for accessing work applications remotely
  • Guidelines for creating and safeguarding passwords
  • Rules on the use of social media

Regardless of the length of the policy, it should prioritize the areas of primary importance to the organization. That might include security for the most sensitive or regulated data, or security to address the causes of prior data breaches. A risk analysis can highlight areas to prioritize in the policy.

The policy should also be fairly simple and easy to read. Include technical information in referenced documents, especially if that information requires frequent updating. For instance, the policy might specify that employees should encrypt all personally identifiable information (PII). However, the policy does not need to spell out the specific encryption software to use or the steps for encrypting the data.

2. Explain the European Union’s Right to Be Forgotten initiative.

Ans:

Right to be forgotten

1) The right to be forgotten is the concept that individuals have the civil right to request that personal information be removed from the Internet. In the European Union, the right to be forgotten is also referred to as the right to erasure. In order to effectively remove someone's personal data, there must be a traceable mechanism for making sure that deleted data is also removed from backup storage media.

2) While the right to be forgotten has become law in the European Union, the concern in the United States is that removing information from the Internet conflicts with the open nature of the Web and the free flow of information.

3) Article 17 of the General Data Protection Regulation (GDPR) is technically called the right to erasure, but it is commonly referred to as the right to be forgotten. According to Article 17, an individual can make a request to a data controller that all of their personal data be erased without "undue delay" and with no cost to the person making the request. This includes files, records in a database, replicated copies, backup copies and any copies that may have been moved into an archive.

4) The terms data controller and data processor are clearly defined as they apply to GDPR. The data controller is the person or entity who is legally responsible for storing digital personal identifiable information. The data processor is the entity that holds or processes personal data but does not exercise responsibility for or control over the personal data. In this context, a cloud provider is considered to be a data processor. The data processor cannot hold copies of data or make them available for other uses. The data controller, therefore, is responsible for deleting the personal data and ensuring it has been erased, as well as executing the operations but not for the decision process.

5) Currently, the General Data Protection Regulation ruling regarding backups applies only in the European Union, but enterprises doing business in the European Union need to be able to address the General Data Protection Regulation's right to erasure clauses or face financial penalties. The new regulations expand the definition of personally identifiable information (PII) to include IP addresses and photos.

6) In May 2014, a man from Spain asked Google to remove links to an old newspaper article about his previous bankruptcy, claiming there was no legitimate reason for the outdated information to remain accessible online. The European Court of Justice ruled that under European law, search engines are data controllers, so they must consider all requests to stop returning irrelevant or outdated information in search queries. According to the ruling, the Web pages whose query results were in question could remain online, and any link omissions on query returns would only occur when searches were made in Europe. In the wake of the 2014 ruling, Google began receiving thousands of requests to take down links.

3. Explain the implications of war moving from a physical battlefield to a cyber battlefield (or a combination of the two).

Ans:

It's like we, as a society, are on a two-lane road.

The left lane was the physical world, and the right lane was the cyber world.

Now, here we are, passing a sign that says "Lanes Merge Ahead."

And while that seems to be generally okay in an everyday living kind of sense, what does it mean on the battlefield? And when will the impacts of a virtual battle and a physical one be treated the same way?

Iran takes down U.S. drone, U.S. responds with a cyber attack

One recent piece of evidence that traditional war and cyberwar are merging happened on June 20, 2019.

Iran fired a surface-to-air missile at an unmanned U.S. surveillance drone flying over the Strait of Hormuz and brought it crashing out of the sky.

The U.S. responds to Iran with cyber weapons

Shooting this drone down, a physical activity, was expected by many to lead to a physical military response by the United States.

Instead, President Trump told the world that he had called off a physical military response shortly before it was to happen and he would increase sanctions, instead.

What he did not tell the world is what The Washington Post revealed two days later.

The President gave U.S. Cyber Command the green light to launch a cyberattack against Iran, and the U.S. hit Iranian computer systems that control missile and rocket launches.

In other words, an act of physical warfare (shooting down the drone) led to an act of cyber warfare (a cyberattack) in response.

The U.S. steps up its use of cyber consequences

During 2018, the U.S. dramatically shifted the way it talks about cyber warfare and cyber attacks. We were there as former Secretary of Homeland Security Kirstjen Nielsen issued a warning at an annual cybersecurity conference:

"I have a newsflash for America's adversaries. Complacency is being replaced by consequences," she said. "Cyber is not just a target, it is also a weapon."

It appears the United States has just used cyber as a weapon against Iran.

U.S. warning: cyberattack on Iran leads to cyberattacks on the U.S.

And we've discovered something else is happening when we respond to physical aggression with a cyber response. In the case of Iran, it has apparently shifted the battlefield into the cyber realm.

And we're not done fighting.

This is why the U.S. Department of Homeland Security issued a special alert about an increasing number of cyberattacks from Iran, attacks that are going after not only U.S. government agencies but also U.S.-based businesses:

"These efforts are often enabled through common tactics like spear-phishing, password spraying, and credential stuffing. What might start as an account compromise, where you think you might just lose data, can quickly become a situation where you’ve lost your whole network."

When will cyberwar be treated like 'regular' war?

And when it comes to the merging of traditional war and cyberwar, the SecureWorld media team recently came across a thought-provoking perspective on this by the World Economic Forum:

"A worrying indicator is the barrage of cyberattacks to which Ukraine has been subjected since 2014, giving rise to suspicions that Russia is using Ukraine as a test-bed for disruptive attacks of ever greater sophistication, such as CrashOverride, an autonomous exploit designed to enable the remote closing down of electricity-generation systems.

Physical damage arising from activities initiated in the cyber domain is already a reality. Fatalities, at the very least as a second-order consequence of persistent and large-scale digital disruption, may not be far behind."

And when cyberattacks on the United States or other countries result in injuries and deaths, will we treat it as an act of actual war—or like it's just another hack in which bad actors have upped their game?

Will it truly rise to the level of war as defined by various treaties, conventions, and constitutions around the globe?

Technology: a modern war fighter's powerful tools

Remember when war was focused on the physical attributes of your military abilities? Rapid shifts away from that into the cyber realm are continuing as we head toward 2020.

What is the cyber warfare worst-case scenario, anyway?

We suppose cyberwar could mean different things to different people, and we know more than a few who are experts on this concept. That includes Major General (Ret.) Brett Williams, the former Director of Operations at U.S. Cyber Command.

"My concern is a real campaign, right, that may include simultaneous or near-simultaneous attacks against the financial sector, the energy sector, maybe into the air traffic control system and at the same time it's combined with some type of activity in the real world."

That's scary, isn't it?

And it appears to be a growing possibility as traditional warfighting methods and cyber warfighting methods are used interchangeably to settle disputes.

4. Discuss the breadth of the threat of theft due to a lack of encryption.

Ans:

With all the different hacks, data breaches and loss of personally identifiable information (PII) that are occurring, organizations are being challenged to encrypt their data throughout the data life cycle (from creation through destruction). But does today’s encryption technology really provide the level of confidentiality required in this totally Internet-connected world?

There are three primary phases in which data can be encrypted: in transit, at rest and in use. Of these three phases, data in transit seems to provide the highest level of data protection. In this phase, encryption occurs between specific communicating devices. The protection provided by encryption in transit includes confidentiality from eavesdropping and sniffing or man-in-the-middle attacks. Applications such as VPN clients and browser-based HTTPS provide strong encryption processes, which protect the confidentiality of data making it very difficult for unauthorized users to intercept.

It is common practice for organizations to encrypt data transmitted from remote devices; however, data that is being transmitted on internal networks typically goes unencrypted. There is a perception that data being transmitted on the internal network, or to remote facilities, is secure and therefore does not require encryption. Nevertheless, organizations’ internal networks can be easily breached, making data vulnerable to the same risks of eavesdropping, sniffing and man-in-the-middle attacks.

Consultants, vendors and individuals off the street not only have access to wireless networks, but also often have access to network jacks in conference rooms, cafeterias and other common areas. Also, devices that do not require direct authentication (e.g. printers, scanners, industrial controls, etc.) can be infected with malware that can eavesdrop, sniff or capture traffic and send out information to the Internet.

Past concerns over implementing encryption for internal data transit included increased overhead on servers, network devices and end-user workstations, which could cause system delays, loss of connectivity and loss or corruption of data. Many of today’s server and network technologies, though, have data encryption capabilities built in to allow for easier configuration and implementation to minimize the impact on utilization. Implementing encryption of data in transit from endpoint to endpoint, both remotely and internally, is mandatory in today’s cyber risk environment.

Another phase of data encryption is the encryption of data at rest. Implementing encryption for data at rest is the easiest of all phases and, in fact, it is built in on many devices such as smartphones, tablets and PCs. There really is no reason not to encrypt all data on these devices; however, there are some major limitations of encrypting data at rest. Users and applications must be able to read data in order to use it. Consequently, when a user or application logs into the system, the data must appear decrypted. This is both necessary and a major vulnerability, because when a user or application logs in, all data, even data at rest that they have access to, becomes readable. So, if a user’s device or application is infected with a virus, malware, etc., and they log in, all data on their system or on systems they can access becomes available to a hacker.

The last phase of data encryption is the encryption of data in use. As defined in the previous encryption of data at rest section, in order to make use of data, it must be readable or decrypted. Many applications, database companies and cloud service providers are claiming different levels and characteristics of encrypted data in use.

But current technology does not make this completely possible. Encryption of data in use relies heavily on encryption of data at rest in combination with strong authorization and access controls. By allowing only authorized users — limiting their access to the principle of least privilege and performing on-the-fly decryption of data upon access — companies are providing a minimal level of encryption of data in use.

Based on the functionality of encryption within the different phases, it must be obvious that encryption is not a silver bullet for the protection of data.

Encrypting data in transit can be compromised even if it is being performed across both internal and remote networks via the placement of malware on authorized devices which can eavesdrop or sniff data as it traverses the enterprise. Encrypting data at rest can also be overcome via the placement of malware on an authenticated device, and it can also be bypassed by unauthorized users who illegally obtain valid user IDs and passwords which have rights to view the data. The encryption of data in use with existing technologies uses the same, but stricter rules as defined within the encryption of data at rest phase and therefore can be compromised in the same ways.

Encryption is designed to provide an additional layer of data protection, but complex authorization policies and strict access control providing only the least amount of privileges necessary for a user to perform their functions are still required in the protection of data.

If hackers get into a network but are unable to gain authorized access with valid credentials, encryption will protect data from being read, copied or manipulated. However, cyber incidents facilitated by gaining unauthorized access to systems using valid user credentials, such as phishing scams or social engineering, can allow hackers complete access to decrypted data.

5. Explain the kinds of crimes that can occur when thieves are able to access unencrypted data.

Ans:

Types of Identity Theft and Fraud

There are so many identity theft schemes, scams, and tools that it can be hard to wrap your head around all the different types of fraud that can occur, from phishing scams that lead to account takeover to data leaks that result in tax fraud. So we’ve compiled a list of the most common types of identity theft, how often they occur, and what that means for you.

Credit card fraud was the most common type of identity theft in 2017, accounting for 30% of identity theft reports to the Federal Trade Commission. Existing account card fraud was up by 20% from 2016. Credit card fraud was followed closely by tax fraud at 18%, phone or utility fraud at 13%, bank fraud at 11%, loan or lease fraud at 7%, government documents or benefits fraud at 6%, and other types of identity theft accounting for the remaining 15%. Here are some quick and handy definitions for the different types of identity theft and fraud to be on the lookout for.

Synthetic Identity Theft: Synthetic identity theft, a relatively new type of identity theft, occurs when a fraudster creates a new fabricated identity using bits and pieces of real identities, usually using Social Security numbers, names, addresses, and birth dates stolen from multiple people. Synthetic identity theft exploits common issues that the three major credit bureaus face, such as misspellings, name changes, and relocations, and showcases just how sophisticated and complex identity theft has become. Synthetic identity theft primarily harms lenders and banks, but if a thief uses someone’s real Social Security Number to commit synthetic ID fraud it can cause real problems for the unwitting victim.

Medical Identity Theft: Medical identity theft is the use of someone else’s health insurance to get medical care in their name. Medical ID theft can cause all sorts of problems, from inaccurate medical histories that can lead to a patient getting the wrong care or medication to victims being left in the lurch with sky-high medical bills for care they did not receive. If the victim does not catch the fraud quickly, it can lead to debt collections that serve a major blow to their credit score, making it difficult to obtain a mortgage, auto loan, or rent an apartment until they are able to get it resolved.

Child Identity Theft: Child identity theft is the use of a child’s Social Security number to commit fraud. Children are acutely susceptible to identity theft because parents often don’t think to monitor their credit reports for new activity, making it easy for identity thieves to go undetected for years, as victims don’t usually realize fraud has occurred until they are old enough to apply for a credit card or rent an apartment. Over 1 million children were victims of identity theft in 2017, causing $2.6 in financial losses according to Javelin Strategy & Research. And 66% of children who suffer from identity theft are 0 to 7 years old.

Tax Identity Theft: Thieves often use imposter scams and phishing attacks to impersonate the IRS in an attempt to steal personal information and commit tax fraud. Tax fraud occurs when a fraudster uses someone else’s personal information to fraudulently file a tax return and claim their refund. Tax fraud is often not detected until the taxpayer receives notice from the IRS that a return has been filed. According to the Federal Trade Commission, there were 67,374 reports of tax fraud in 2018.

New Account Fraud: When fraudsters open new financial accounts or take out loans using a victim’s personal information, it is new account fraud. Mortgages, student loans, car loans, and credit cards are common targets for new account fraud. Fraudsters can also open new phone or utility accounts using stolen information. NAF has been on the rise in recent years, with losses increasing from $3 billion in 2017 to $3.4 billion in 2018.

Credit Card Fraud: Credit card fraud is a type of Existing Account Fraud, along with bank account and insurance fraud, that includes both unauthorized transactions using counterfeit cards and card-not-present fraud, which usually occurs when a credit card number is fraudulently used online. The recent and, by international standards, late arrival of the EMV card standard in the United States has helped alleviate counterfeit card fraud to a degree. EMV cards use an integrated chip for authentication and make it much harder to produce counterfeit cards. Even with this progress, credit card fraud still occurs at a relatively high rate and is the most common type of fraud.

Account Takeover: When hackers or fraudsters gain unauthorized access to a personal or financial account and take over control it is considered an account takeover. Along with new account fraud, account takeover is the fastest rising type of identity fraud, with mobile account takeovers increasing from 380,000 in 2017 to 679,000 in 2018. Credential stuffing has helped fuel this increase, making it possible for hackers to rapidly try millions of stolen login credentials and easily gain access to thousands of accounts at a time.
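The answer above notes that credential stuffing lets an attacker rapidly try large numbers of stolen logins against many accounts at once. From the defender's side, that pattern (one source trying many distinct usernames in a short window, almost all failing) is what an authentication log shows. The following is an added example, not code from the original answer: a small detector that parses constructed sample log lines (timestamp, source IP, username, result; the IPs are RFC 5737 documentation addresses) and flags sources whose sliding-window behaviour matches stuffing while ignoring a single user who mistypes a password.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log (not from the page): "<seconds> <src_ip> <user> <FAIL|SUCCESS>".
# 203.0.113.7 sprays ten different accounts in ten seconds; one of them succeeds.
# 198.51.100.9 is one user who mistypes twice and then logs in normally.
SAMPLE_LOG = """\
0 203.0.113.7 alice FAIL
1 203.0.113.7 bob FAIL
2 203.0.113.7 carol FAIL
3 203.0.113.7 dave SUCCESS
4 203.0.113.7 erin FAIL
5 203.0.113.7 frank FAIL
6 203.0.113.7 grace FAIL
7 203.0.113.7 heidi FAIL
8 203.0.113.7 ivan FAIL
9 203.0.113.7 judy FAIL
12 198.51.100.9 alice FAIL
20 198.51.100.9 alice FAIL
45 198.51.100.9 alice SUCCESS
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: int
    src_ip: str
    user: str
    success: bool


def parse_log(text: str) -> list[AuthEvent]:
    """Parse the constructed log format into AuthEvent records (blank lines skipped)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append(AuthEvent(int(ts), ip, user, result == "SUCCESS"))
    return events


def detect_credential_stuffing(events: list[AuthEvent], window_s: int = 60,
                               min_users: int = 8, min_fail_ratio: float = 0.75) -> dict:
    """Return {src_ip: summary} for sources that, within any window_s-second window,
    hit at least min_users distinct accounts with a failure ratio >= min_fail_ratio.
    The summary lists accounts that succeeded inside the window, since those are the
    logins that need a password reset and session revocation (assumed thresholds)."""
    by_ip: dict[str, list[AuthEvent]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_ip[e.src_ip].append(e)

    alerts: dict[str, dict] = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most window_s seconds.
            while evs[end].ts - evs[start].ts > window_s:
                start += 1
            window = evs[start:end + 1]
            users = {e.user for e in window}
            fails = sum(1 for e in window if not e.success)
            if len(users) >= min_users and fails / len(window) >= min_fail_ratio:
                # Later windows overwrite earlier ones so the summary reflects the full burst.
                alerts[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(window),
                    "fail_ratio": round(fails / len(window), 2),
                    "compromised": sorted(e.user for e in window if e.success),
                }
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

The thresholds are assumptions for the sample; in production they would be tuned per application, and the same per-source logic is usually complemented by a per-account view (one username failing from many sources) to catch distributed stuffing.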
