Computer crime countermeasures
Cyber crime, or computer crime, refers to any crime that involves a computer and a network. The computer may have been used in the commission of a crime, or it may be the target. Netcrime refers, more precisely, to criminal exploitation of the Internet. Issues surrounding this type of crime have become high-profile, particularly those surrounding hacking, copyright infringement, identity theft, child pornography, and child grooming. There are also problems of privacy when confidential information is lost or intercepted, lawfully or otherwise.
On the global level, both governments and non-state actors continue to grow in importance, with the ability to engage in such activities as espionage, and other cross-border attacks sometimes referred to as cyber warfare. The international legal system is attempting to hold actors accountable for their actions, with the International Criminal Court among the few addressing this threat.
A cyber countermeasure is defined as an action, process, technology, device, or system that serves to prevent or mitigate the effects of a cyber attack against a victim, computer, server, network or associated device. Recently there has been an increase in the number of international cyber attacks. In 2013 there was a 91% increase in targeted attack campaigns and a 62% increase in security breaches.
A number of countermeasures exist that can be effectively implemented in order to combat cyber-crime and increase security.
Types of threats
Malicious code
Malicious code is a broad category that encompasses a number of threats to cyber-security. In essence it is any “hardware, software, or firmware that is intentionally included or inserted in a system for a harmful purpose.” Commonly referred to as malware, it includes computer viruses, worms, Trojan horses, keyloggers, bots, rootkits, and any software security exploits.
Malicious code also includes spyware, which are deceptive programs, installed without authorization, “that monitor a consumer’s activities without their consent.” Spyware can be used to send users unwanted popup ads, to usurp control of a user’s web browser, or to monitor a user’s online habits. However, spyware is usually installed along with something that the user actually wishes to install: the user consents to the installation, but does not consent to the monitoring tactics of the spyware. The consent for spyware is normally found in the end-user license agreement.
Network attacks
A network attack is considered to be any action taken to disrupt, deny, degrade, or destroy information residing on a computer and computer networks. An attack can take four forms: fabrication, interception, interruption, and modification. A fabrication is the “creation of some deception in order to deceive some unsuspecting user”; an interception is the “process of intruding into some transmission and redirecting it for some unauthorized use”; an interruption is the “break in a communication channel, which inhibits the transmission of data”; and a modification is “the alteration of the data contained in the transmissions.” Attacks can be classified as either active or passive. Active attacks involve modification of the transmission or attempts to gain unauthorized access to a system, while passive attacks involve monitoring transmissions. Either form can be used to obtain information about a user, which can later be used to steal that user’s identity. Common forms of network attacks include Denial of Service and Distributed Denial of Service, Man-in-the-middle attack, packet sniffing, TCP SYN Flood, ICMP Flood, IP spoofing, and even simple web defacement.
Network abuse
Network abuses are activities which violate a network's acceptable use policy and are generally considered fraudulent activity that is committed with the aid of a computer. SPAM is one of the most common forms of network abuse: an individual emails a list of users, usually with unsolicited advertisements or with phishing attacks that use social engineering to acquire sensitive information (usernames, passwords, and any other information useful in identity theft) by posing as a trustworthy individual.
Social engineering
Social engineering is the act of manipulating people into performing actions or divulging confidential information, rather than breaking in or using technical cracking techniques. This method of deception is commonly used by individuals attempting to break into computer systems, by posing as an authoritative or trusted party and capturing access information from the naive target. Email phishing is a common example of social engineering's application, but it is not limited to this single type of attack.
Technical
There are a variety of technical countermeasures that can be deployed to thwart cybercriminals and harden systems against attack. Firewalls, network or host based, are considered the first line of defense in securing a computer network; they apply Access Control Lists that determine which services and traffic can pass through the checkpoint.
Antivirus can be used to prevent propagation of malicious code. Most computer viruses have similar characteristics which allow for signature-based detection. Heuristics such as file analysis and file emulation are also used to identify and remove malicious programs. Virus definitions should be regularly updated, in addition to applying operating system hotfixes, service packs, and patches, to keep computers on a network secure.
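To make the Access Control List idea concrete, here is an added example (not from the article or any firewall product) of a first-match packet filter with a default-deny policy: the rule set, addresses and packets are all constructed for the illustration.

```python
import ipaddress

# Constructed rule set for the example: the first matching rule wins, and a
# packet that matches no rule is denied (default deny).
ACL = [
    {"action": "allow", "proto": "tcp", "src": "0.0.0.0/0",  "dport": 443},
    {"action": "allow", "proto": "tcp", "src": "10.0.0.0/8", "dport": 22},
    {"action": "deny",  "proto": "tcp", "src": "0.0.0.0/0",  "dport": 22},
    {"action": "allow", "proto": "udp", "src": "10.0.0.0/8", "dport": 53},
]

def rule_matches(rule, proto, src_ip, dport):
    """True when the packet's protocol, source address and destination port
    all fall within the rule's match fields."""
    if rule["proto"] != proto:
        return False
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule["src"]):
        return False
    return rule["dport"] == dport

def evaluate(acl, proto, src_ip, dport):
    """Walk the ACL in order and return the action of the first matching rule.
    Returns "deny" when nothing matches, so a new service stays closed until
    a rule explicitly opens it."""
    for rule in acl:
        if rule_matches(rule, proto, src_ip, dport):
            return rule["action"]
    return "deny"

def filter_packets(acl, packets):
    """Apply the ACL to (proto, src_ip, dport) tuples; return one verdict each."""
    return [evaluate(acl, *pkt) for pkt in packets]

if __name__ == "__main__":
    # Constructed sample packets: external HTTPS, external SSH, internal SSH,
    # internal DNS, external DNS.
    sample = [("tcp", "203.0.113.7", 443), ("tcp", "203.0.113.7", 22),
              ("tcp", "10.20.30.40", 22), ("udp", "10.20.30.40", 53),
              ("udp", "203.0.113.7", 53)]
    for pkt, verdict in zip(sample, filter_packets(ACL, sample)):
        print(pkt, "->", verdict)
```

Rule order matters: swapping the internal-SSH allow and the general-SSH deny would silently block the internal administrators as well.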
Cryptography techniques can be employed to encrypt information using an algorithm commonly called a cipher to mask information in storage or transit. Tunneling for example will take a payload protocol such as Internet Protocol and encapsulate it in an encrypted delivery protocol over a Virtual Private Network, Secure Sockets Layer, Transport Layer Security, Layer 2 Tunneling Protocol, Point-to-Point Tunneling Protocol, or Internet Protocol Security to ensure data security during transmission. Encryption can also be employed on the file level using encryption protocols like Data Encryption Standard, Triple DES, or Advanced Encryption Standard to ensure security of information in storage.
Additionally, network vulnerability testing performed by technicians or automated programs can be run at full scale or targeted specifically at the devices, systems, and passwords used on a network to assess how secure they are. Furthermore, network monitoring tools can be used to detect intrusions or suspicious traffic on both large and small networks.
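As an added example of the monitoring mentioned above (not code from the article), the following detector flags a TCP SYN Flood, one of the attacks listed earlier, by counting per-source SYNs that are never followed by the client's handshake-completing ACK. The log format and the lines themselves are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample log (not captured traffic): one legitimate client that
# completes its three handshakes, and one source that sends 40 bare SYNs.
LOG_LINES = (
    [f"t={i} src=198.51.100.9 dst=10.0.0.5:443 flags=S" for i in range(3)]
    + [f"t={i} src=198.51.100.9 dst=10.0.0.5:443 flags=A" for i in range(3)]
    + [f"t={i} src=203.0.113.7 dst=10.0.0.5:80 flags=S" for i in range(40)]
)

# Assumed line layout: "t=<sec> src=<ip> dst=<ip>:<port> flags=<tcp flags>"
LINE_RE = re.compile(r"t=(\d+) src=(\S+) dst=(\S+):(\d+) flags=(\w+)")

def parse_line(line):
    """Return (src, dport, flags), or None for a line that does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group(2), int(m.group(4)), m.group(5)

def half_open_by_source(lines):
    """Count, per source, SYNs that were never completed by a client ACK.
    A flood of bare SYNs shows up as a large positive number; a normal
    client that finishes its handshakes stays near zero."""
    syns, acks = Counter(), Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than crash the monitor
        src, _dport, flags = parsed
        if flags == "S":
            syns[src] += 1
        elif flags == "A":
            acks[src] += 1
    return {src: syns[src] - acks[src] for src in syns}

def detect_syn_flood(lines, threshold=20):
    """Return the sources whose half-open count reaches the threshold."""
    counts = half_open_by_source(lines)
    return sorted(src for src, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    print(half_open_by_source(LOG_LINES))
    print("suspected SYN flood sources:", detect_syn_flood(LOG_LINES))
```

On a real network the threshold should be tuned per time window and source addresses may be spoofed, so the count identifies the pattern rather than the attacker.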
Physical deterrents such as locks, card access keys, or biometric devices can be used to prevent criminals from gaining physical access to a machine on a network. Strong password protection, both for access to a computer system and for the computer's BIOS, is also an effective countermeasure against cyber-criminals with physical access to a machine.
Another deterrent is to use a bootable bastion host that executes a web browser in a known clean and secure operating environment. The host is devoid of any known malware, where data is never stored on the device, and the media cannot be overwritten. The kernel and programs are guaranteed to be clean at each boot. Some solutions have been used to create secure hardware browsers to protect users while accessing online banking.
Counter-Terror Social Network Analysis and Intent Recognition
The Counter-Terror Social Network Analysis and Intent Recognition project uses the Terrorist Action Description Language to model and simulate terrorist networks and attacks. It also models links identified in communication patterns compiled from multimedia data, and terrorists’ activity patterns are compiled from databases of past terrorist threats. Unlike other proposed methods, CT-SNAIR constantly interacts with the user, who uses the system both to investigate and to refine hypotheses.
Multimedia data, such as voice, text, and network session data, is compiled and processed. Through this compilation and processing, names, entities, relationships, and individual events are extracted from the multimedia data. This information is then used to perform a social network analysis on the criminal network, through which the user can detect and track threats in the network. The social network analysis directly influences and is influenced by the intent recognition process, in which the user can recognize and detect threats. In the CT-SNAIR process, data and transactions from prior attacks, or forensic scenarios, are compiled to form a sequential list of transactions for a given terrorism scenario.
The CT-SNAIR process also includes generating data from hypothetical scenarios. Since they are imagined and computer-generated, hypothetical scenarios do not have any transaction data representing terrorism scenarios. Different types of transactions combine to represent the types of relationships between individuals.
The final product, or target social network, is a weighted multiplex graph in which the types of edges are defined by the types of transactions within the social network. The weights within these graphs are determined by the content-extraction algorithm, in which each type of link is thought of as a separate graph and “is fed into social network algorithms in part or as a whole.” Links between two individuals can be determined by the existence of the two people being mentioned within the same sentence in the compiled multimedia data or in relation to the same group or event.
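The following added example (not CT-SNAIR's own code) builds the weighted multiplex graph described above from a handful of constructed, fictional transactions: one layer per transaction type, an edge between two people whenever they are mentioned in the same sentence, and the edge weight counting how often that happens. The people list, transaction types and texts are all assumptions for the illustration.

```python
import re
from collections import defaultdict
from itertools import combinations

# Constructed sample transactions: (transaction type, extracted text).
# All names are fictional.
TRANSACTIONS = [
    ("phone", "Alice called Bob about the meeting. Bob agreed."),
    ("email", "Alice wrote to Carol and Bob. Carol replied to Dave."),
    ("phone", "Bob phoned Alice again."),
]
PEOPLE = {"Alice", "Bob", "Carol", "Dave"}

def sentences(text):
    """Split text into sentences at ., ! or ? followed by whitespace."""
    return [s for s in re.split(r"(?<=[.!?])\s+", text.strip()) if s]

def mentions(sentence, people):
    """Names from the known-people set that occur as whole words."""
    return {name for name in people if re.search(rf"\b{name}\b", sentence)}

def build_multiplex_graph(transactions, people):
    """Return {edge_type: {(a, b): weight}}, one layer per transaction type.
    (a, b) is a sorted pair; the weight is the number of sentences of that
    type in which both people are mentioned together."""
    graph = defaultdict(lambda: defaultdict(int))
    for kind, text in transactions:
        for sentence in sentences(text):
            for a, b in combinations(sorted(mentions(sentence, people)), 2):
                graph[kind][(a, b)] += 1
    return {kind: dict(edges) for kind, edges in graph.items()}

def collapse(graph):
    """Merge the per-type layers into a single weighted graph, the "as a
    whole" view the article contrasts with feeding in each layer separately."""
    total = defaultdict(int)
    for edges in graph.values():
        for pair, weight in edges.items():
            total[pair] += weight
    return dict(total)

if __name__ == "__main__":
    layers = build_multiplex_graph(TRANSACTIONS, PEOPLE)
    for kind, edges in layers.items():
        print(kind, edges)
    print("collapsed:", collapse(layers))
```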
The final component in the CT-SNAIR process is Intent Recognition. The goal of this component is to indicate to an analyst the threats that a transaction stream might contain. Intent Recognition breaks down into three subcategories: detection of “known or hypothetical target scenarios,” prioritization of these target scenarios, and interpretation “of the resulting detection.”
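As an added illustration of the first two Intent Recognition subcategories (not the project's own algorithm), this example matches known target scenarios, each modelled as an ordered list of transaction types, against a transaction stream and ranks them by how much of each scenario has been observed. The scenario names, transaction types and the stream are constructed assumptions.

```python
# Constructed known target scenarios: each is an ordered list of transaction
# types that an analyst has modelled as one threat pattern (fictional).
KNOWN_SCENARIOS = {
    "funding_then_procurement": ["fund_transfer", "purchase", "travel"],
    "recruitment": ["contact", "meeting", "travel"],
}

# Constructed transaction stream in time order.
STREAM = ["contact", "fund_transfer", "purchase", "travel", "noise"]

def match_scenario(stream, scenario):
    """Greedily match the scenario's steps, in order, against the stream.
    Returns the stream positions matched; the match is a prefix of the
    scenario, so a missing middle step stops the match there."""
    positions, step = [], 0
    for i, kind in enumerate(stream):
        if step < len(scenario) and kind == scenario[step]:
            positions.append(i)
            step += 1
    return positions

def detect(stream, scenarios):
    """Detection: map scenario name -> fraction of its steps observed, for
    every scenario with at least one matched step."""
    results = {}
    for name, steps in scenarios.items():
        matched = match_scenario(stream, steps)
        if matched:
            results[name] = len(matched) / len(steps)
    return results

def prioritize(detections):
    """Prioritization: scenario names ordered by completeness, highest first."""
    return sorted(detections, key=lambda name: -detections[name])

if __name__ == "__main__":
    found = detect(STREAM, KNOWN_SCENARIOS)
    for name in prioritize(found):
        print(f"{name}: {found[name]:.2f} of steps observed")
```

Interpretation, the third subcategory, is left to the analyst here: the score says how much of a modelled pattern appeared, not that the pattern's intent is present.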