The Barnes & Noble Review
If you're a manager called upon to exercise due diligence in protecting your organization's data, Defending Your Digital Assets gives you the "big picture" you need to make intelligent judgments regarding your risks, and educated choices about what to do about them.
This isn't an infosec specialist's book: it's a book for the rest of us. It starts with a thoughtful review of the challenges you face in securing corporate data against disclosure, misuse, alteration, or destruction. You'll learn about the tools, processes, and technologies available to help you respond, from firewalls to Virtual Private Networks, biometrics to digital certificates, and how to define a security architecture that makes the most of them all.
There's a full section on enterprise continuity planning: vulnerability assessment, countermeasures, backups, beta sites, training, awareness, auditing, and what to do during and after an attack. In this age of eBusiness, the authors devote special attention to protecting web servers.
Finally, for those interested in military and information warfare issues, there's extensive coverage of cyberwar, infowar weapons and intelligence. Hey, you may think this section doesn't apply to you, but don't be so sure.
Read an Excerpt
Chapter 1: Introduction to Digital Espionage
The Criminal Playground
Computer crimes take several forms, including sabotage, revenge, vandalism, theft, eavesdropping, and even "data diddling," the unauthorized altering of data before, during, or after it is input into a computer system. Computers can be used to commit such crimes as credit card fraud, counterfeiting, bank embezzlement, and theft of secret documents. The physical theft of a disk storing 2.8 MB of intellectual data is considered data theft. Logging into a computer account with restricted access and being caught there, or purposely leaving evidence in the form of a message explaining what has been done, are examples of data diddling. A traveling employee who leaves a computer unattended on an airplane and returns to find an empty drive slot, along with the billing information, marketing plans, or customer data it held, may simply be inattentive, but this type of incident is steadily increasing.
Another type of computer crime involves electronic funds transfer or embezzlement. Vandalism of networks is a further category. The first person convicted under the Computer Fraud and Abuse Act was Robert T. Morris Jr., who, as a Cornell graduate student, introduced a "worm" into the Internet. Unlike a virus, which attaches itself to a host program, a worm propagates on its own from system to system across the network. Some would consider this an act of vandalism. By multiplying, the worm interfered with approximately 6200 computers. Morris was sentenced to three years' probation, ordered to pay a $10,000 fine, required to perform 400 hours of community service, and required to pay $91 per month to cover his probation supervision.
Computers can play three different roles in criminal activity. First, computers can be targets of an offense; for example, a hacker tries to steal information from or damage a computer or computer network. Other examples of this behavior include vandalism of Web sites and the introduction of viruses into computers.
Second, computers can be tools in the commission of a traditional offense, for instance, to create and transmit child pornography. COMSEC Solutions composed an interesting list wherein the computer was used as a tool to facilitate the following crimes:
- Drug trade
- Illegal telemarketing
- Fraud, especially false invoices
- Intellectual property theft
- "True face" or ID theft and misrepresentation
- Espionage, both industrial and national
- Conventional terrorism and crimes
- Electronic terrorism and crime
- Electronic stalking
- Electronic harassment of ex-spouses
- Inventory of child pornography
- Contract repudiation on the Internet
- Cannabis smuggling
- Date rape
- Gang crimes, especially weapons violations
- Organized crime
- Armed robbery simulation
- Copycat crimes
- Pyramid schemes
- DoS (denial of service) attacks
- Exposure or blackmail schemes
- Revenge and solicitation to murder of spouses
- Hate crimes
- Web site defacement (automated)
Third, computers can be incidental to the offense, but still significant for law enforcement purposes. For example, many drug dealers now store their records on computers, which raises difficult forensic and evidentiary issues that are different from paper records.
In addition, a single computer could be used in all three ways. For example, a hacker might use his or her computer to gain unauthorized access to an Internet service provider ("target") such as America Online, and then use that access to illegally distribute ("tool") copyrighted software stored on the ISP's computer-server hard drive ("incidental"). COMSEC Solutions composed another interesting list where the computer was an incidental part of computer crime. These included hacking, data theft, diddling, alteration and destruction, especially involving financial or medical records, spreading viruses or malicious code, misuse of credit and business information, theft of services, and finally, denial of service.
Internet service providers (ISPs) and large financial institutions are not the only organizations that should be concerned about computer crime. Hackers can affect individual citizens directly or through the person's ISP by compromising the confidentiality and integrity of personal and financial information. In one case, a hacker from Germany gained complete control of an ISP server in Miami and captured all the credit card information maintained about the service's subscribers. The hacker then threatened to destroy the system and distribute all the credit card numbers unless the ISP paid a ransom. German authorities arrested the hacker when he tried to collect the money. Had he been quiet, he could have used the stolen credit card numbers to defraud thousands of consumers.
Government records, like any other records, can be susceptible to a network attack if they are stored on a networked computer system without proper protections. In Seattle, two hackers pleaded guilty to penetrating the U.S. District Court system, an intrusion that gave them access to confidential and even sealed information. In carrying out their attack, they used supercomputers at the Seattle-based Boeing Computer Center to crack the courthouse system's password file. If Boeing had not reported the intrusion to law enforcement, the district court system administrator would not have known the system was compromised.
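The courthouse incident above turns on an attacker cracking a stolen password file offline, which is only feasible when the file's hashes are fast and unsalted. The following is an added example, not code from the book or from any system it describes; the account names, passwords, wordlist, and hash schemes are all constructed for illustration, and the page does not say which scheme the court system actually used. It contrasts the work an attacker needs for an unsalted fast hash (one pass over the wordlist cracks every account) with a per-user salted, iterated KDF (one pass per account, each pass slowed by the iteration count).

```python
"""Added example: why a stolen password file can be cracked offline, and
what salting plus a slow KDF changes about the attacker's cost."""
import hashlib
import os

# Constructed sample data, not from any real system.
ACCOUNTS = {"alice": "courthouse", "bob": "letmein", "carol": "Tr0ub4dor&3"}
WORDLIST = ["password", "letmein", "seattle1", "courthouse", "hunter2"]


def unsalted_hash(pw: str) -> str:
    # Fast, unsalted digest: the kind of scheme an offline attack defeats.
    return hashlib.sha1(pw.encode()).hexdigest()


def build_unsalted_file(accounts: dict) -> dict:
    """Simulates a password file of user -> unsalted hash."""
    return {user: unsalted_hash(pw) for user, pw in accounts.items()}


def crack_unsalted(pwfile: dict, wordlist: list) -> tuple:
    """Returns (recovered passwords, number of hash computations).
    With no salt, hashing the wordlist once produces a lookup table that is
    checked against every account; cost is len(wordlist) however many users."""
    table = {unsalted_hash(w): w for w in wordlist}
    recovered = {user: table[h] for user, h in pwfile.items() if h in table}
    return recovered, len(wordlist)


def salted_hash(pw: str, salt: bytes, iterations: int) -> bytes:
    # Salted, iterated KDF: per-user salt plus a tunable work factor.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)


def build_salted_file(accounts: dict, iterations: int = 100_000) -> dict:
    """Simulates a password file of user -> (salt, iterations, digest)."""
    pwfile = {}
    for user, pw in accounts.items():
        salt = os.urandom(16)
        pwfile[user] = (salt, iterations, salted_hash(pw, salt, iterations))
    return pwfile


def crack_salted(pwfile: dict, wordlist: list) -> tuple:
    """Returns (recovered passwords, number of KDF computations).
    Every user has a different salt, so the wordlist must be re-hashed for
    each account, and each computation costs `iterations` HMAC rounds."""
    recovered, work = {}, 0
    for user, (salt, iterations, digest) in pwfile.items():
        for w in wordlist:
            work += 1
            if salted_hash(w, salt, iterations) == digest:
                recovered[user] = w
                break
    return recovered, work


if __name__ == "__main__":
    rec, work = crack_unsalted(build_unsalted_file(ACCOUNTS), WORDLIST)
    print("unsalted:", rec, "hash computations:", work)
    rec, work = crack_salted(build_salted_file(ACCOUNTS, 1000), WORDLIST)
    print("salted PBKDF2:", rec, "KDF computations:", work)
```

Both schemes give up the two weak passwords to the same small wordlist; the strong password survives in both. The difference is the attacker's cost: the unsalted file costs five hash computations no matter how many accounts it holds, while the salted file costs a separate pass per account, each computation multiplied by the iteration count, which is what turns "borrow a supercomputer" into a realistic requirement rather than a luxury.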
The computer can also be a powerful tool for consumer fraud. The Internet can provide a con artist with an unprecedented ability to reach millions of potential victims. As far back as December 1994, the Justice Department indicted two individuals for fraud on the Internet. Among other things, these persons had placed advertisements on the Internet promising victims valuable goods upon payment of money. But the defendants never had access to the goods and never intended to deliver them to their victims. Both pleaded guilty to wire fraud.
Personal computers can be used to engage in new and unique kinds of consumer fraud never before possible. In one interesting case, two hackers in Los Angeles pleaded guilty to computer crimes committed to ensure they would win prizes given away by local radio stations. When the stations announced that they would award prizes to a particular caller, for example the ninth caller, the hackers manipulated the local telephone switching network to ensure that the winning call was their own. Their prizes included two Porsche automobiles and $30,000 in cash. Both miscreants received substantial jail terms.
In another interesting case that raises novel issues, a federal court in New York granted the Federal Trade Commission's request for a temporary restraining order to shut down an alleged scam on the World Wide Web. According to the FTC's complaint, people who visited pornographic Web sites were told they had to download a special computer program to view the sites. Unknown to them, the program silently disconnected the modem from their own local Internet provider and redialed a phone number in Moldova, a former Soviet republic, for which a charge of more than $2 a minute could be billed. According to the FTC, more than 800,000 minutes of calling time were billed to U.S. customers.
Internet crimes can be addressed proactively and reactively. Fraudulent activity over the Internet, like other kinds of crime, can be prevented to some extent by increased consumer education. People must bring the same common sense to bear on their decisions in cyberspace as they do in the physical world. They should realize that a World Wide Web site can be created at relatively low cost and can look completely reputable even if it is not. Users should invest time and energy to investigate the legitimacy of parties with whom they interact over the Web. Just as with other consumer transactions, we should be careful about where and to whom we provide our credit card numbers. The legal maxim caveat emptor ("let the buyer beware"), which dates back to the early sixteenth century, applies with full force in the computer age.
The public can also be protected by vigorous law enforcement. Many consumer-oriented Internet crimes, such as fraud or harassment, can be prosecuted using traditional statutory tools, such as wire fraud. Congress substantially strengthened the laws against computer crime in the National Information Infrastructure Protection Act of 1996. The law contains 11 separate provisions designed to protect the confidentiality, integrity, and availability of data and systems.
Novel Challenges: Jurisdiction and Identity
The Internet presents novel challenges for law enforcement. Two particularly difficult issues for law enforcement are identification and jurisdiction...