Cyber Crime: Risk Assessment

Cyber Crime: A Clear and Present Danger

This is the excel file used for this post –>   Risk-Registry.xlsx

Information systems give great ways to communicate and learn, but also allow nefarious others access to exploit the power of the Internet for terrorist and/or criminal purposes. Criminal warfare has moved to the virtual world were more damage can be done in less time with a better potential of getting away with it. The term used for criminals that use the Internet as there method for committing crimes is know as cyber criminals. Moor’s Law describes how the number of transistors that can be placed on inexpensive integrated circuitry double every two years. Since a new generation of faster computers can be processed every two years, it also allows for criminals to afford faster, more complex computers to leverage against your organization

Analyzing and avoiding risk should be a part of any organization who, especially if transactions are made on the Net. Include\ing: email, web browsing, online stores, etc.

The rest of this article is an example of what may be used to start your own risk register.

Qualitative Risk Assessment

Threats that have been identified through the risk it holds to the organizations have been qualified in the attached risk register spreadsheet. Download the actual Excel File –>   Risk-Registry.xlsx

Risk RegisterWhile all risk poses a level of threat there are certain ones that can be identified as low medium or high risk based on the severity of risk against cost and time loss to our origination. Damage to reputation from faulty security is actually a side effect of not being able to protect our customer’s assets and personal information. Side by side comparison of the risk register with the risk matrix will give a better forecast of risk as it impacts our organization.

Quantitative Risk Matrix

Qualitative

On average credit scam counts for $260 dollars per customer per year and we can mitigate that price through the use of heuristic programs that can detect unusual purchases as they happen instead of reading reports after the fact.

While the risk of finances from cyber attacks can be measured after the fact the most damaging effects of cyber attacks is the lack of trust from our customers. Irreversible damage could be imposed upon are organization as customer retreat to companies that they believe can manage their finances better. The contingency budget set forth below would save us from going completely under in the future. The quantity of the budget needed is minimally estimated to be around 1% of what we risk loosing. We must be ready to budget at least 30% of our organizations earned income after taxes and deductions.

Contingency Budget

Contingency BudgetColors reflect the same qualitative selection as the risk Matrix and should be considered top priority when considering budgeting amounts. The contingency cost has been lowered based on the probability of the risks occurrence and is 65% of the total budget needed to address all risks.

 

Recommendations

When money is used it is gone, data is more valuable than money. Our data and systems are worth more than can be quantified in any report. Data can be reused over and over again. In order to protect our data we need to spend our budget targeting mitigation of the highest ranked risks. Targeting unknown risks through monitoring assets as they are accessed and having a fast corrective action time to save the organization from unknown intrusions. All internal and external metrical information that can help target cyber activities should be used to the up-most efficiently to be as effective as possible. Continually vigilance in our security reaction time, as we move towards future technologies to communicate and process information on the Internet, is imperative to our survival.

Additional Resources

Martin H. Bosworth. (2008). Losses From Cybercrime Nearly $240 Million in 2007. Consumer Affairs. Retrieved from: http://www.consumeraffairs.com/news04/2008/04/cybercrime.html

Tom Mochal. (2006, May). Creating a risk contingency budget using expected monetary value (EMV). TechRebulic. Retrieved July 24, 2011, from http://www.techrepublic.com/article/create-a-risk-contingency-budget-using-expected-monetary-value-emv/6069576

United States Department of Justice. Computer Crime & Intellectual Property Section. Cyberethics. Retrieved from: http://www.cybercrime.gov/cyberethics.htm

Develope a Web Based CMS Using PHP

Download this File Here

Abstract
The Content Management System (CMS) is a web based application using a Linux Server,
Apache Web-server, MySQL Database, and PHP Programming Language (LAMP). The
objective of managing users, and information in any given network environment can only be
hindered by the creativity of an information technology professional and not by technology. The
main objective of this thesis is to develop the early development steps of a LAMP software bundleCMS. By creating the
building blocks for developing, and taking into consideration basic methods for creating the core
platform of a CMS for further development. All information gathered, and experience gained will
assist with developing and offering my own personal e-commerce business solutions in the future
and to obtain additional business and practical knowledge in an open source software and ecommerce.
Continue reading

Digital Forensics

 forensics              Reviewing the concept of anti-forensics, which can be described as being:  “…more than technology. It is an approach to criminal hacking that can be summed up like this: Make it hard for them to find you and impossible for them to prove they found you” (Berinato, 2007).  The ultimate fear is that the rise of anti-forensics tools and techniques could make any data collected suspect, and that it jeopardizes the validity of any forensic investigation (or at least makes them so cost-prohibitive that they will seldom be feasible).  Throughout this paper we will look at what these tools and techniques are – from new developments in the field intended to conceal illegal activity to traditional anti-forensic methods to wipe data when old equipment is sold or no longer needed.  We will likewise examine the potential impact to the future of forensic investigations, as this could make the probability of a conviction extremely low.

Case studies

     After painstakingly searching several sites in the attempts to find documentation of successful anti-forensics stories and tools that were used, attempt came up pretty empty. While there are a few stories that share how people have tried to fool digital forensic experts, the fact is that no one is going to report that they were successful in fooling digital forensic investigators because they want to be able to fool them again in the future. Even the digital forensic investigators are not willing to relinquish case stories on what they found and the conclusions that they were able to come to so that they can stay an expert in their field. Some of the following stories were what I was able to find. If you ever find any interesting stories like explosives rigged into computers, or magnetic doorways, I would be interested to hear about it. Lastly I included information on how anti-forensics could be useful for personal use, in order to keep your personal information safe.

     With the amount of digital forensic cases that have been posted after the initial commencement date of this research paper, suggests that the amount of information that will be available within the next year will be an exponential growth from the amount that is available at present.

     Additionally I have come to the conclusion from reading several discussions and online expert opinions that while EnCase is the chosen digital forensic tool of use to get a broad overview of the file system, it is only one of the primary tools in an arsenal of tools that usually has a few other tools dropped into the mix and only through suggestions of peers and trial and error will you be able to decide what are the best tools for you to use.

     Just like some people to use torrents to collect illegal free music, movies, and books, pedophiles are using the same technology to spread child pornography to other pedophiles. The city of Trenton, N.J. tracked the digital fingerprints of pornographic pictures as they left one person’s computer and followed it to the next IP address and was willing to follow pictures for a total of 27 adults. One of the adults was arrested promptly before the others when officers found out he lived above a daycare facility.

     Out of the 100 state troopers and 3 months of hard work, the time came to collect the computers from the felons and extract the digital forensics necessary to convict the 27 individuals for the federal offense of either creating or having possession of child pornography. The traceable factor was the electronic watermark that was imprinted on each image. Making each image traceable on individual’s computers and also the routes the images would take on the internet. Artifacts were left on computers that were proof that the images were downloaded and viewed even if the images were deleted, just like a fingerprint on a murder weapon, it should be easy to convict each person.

The most anti-forensic material that was used by one of the culprits was heavy duty magnets that were installed in the shoes to erase the hard-drive of incriminating evidence. Yet with all the networking detective work, the magnets in the shoes probably just helped proof his guilt.

     Because the images were shared on a peer-to-peer network, every person involved in the arrest will not only be charged with possession of child pornography but also of distribution of child pornography because most torrent downloads automatically start uploading to other users who request the same data(Fletcher, 2012).

     30 year old Higinio O. Ochoa, a member of the hacker group Cabincr3w an offshoot of anonymous, was arrested after he posted an image of his girlfriend from an iPhone to Twitter. What he neglected to take into account was the GPS tagging EXIF metadata that was imprinted on the image. When the FBI viewed the metadata on the image, it effortlessly pointed to his girlfriend’s house in the outer-Melbourne area. Because of the image, I cannot post the actual image to this research paper but I can tell you that there was a message on it that his girlfriend was displaying, it read, “PwNd by W0rmer & cabinCr3w <3 u B(commented out)’s!”. All EXIF data had been wiped from the photos posted online.

     I was not able to find any current digital forensics tools that would look for coded messages, just encrypted messages. One helpful post I found from a digital forensics expert suggests that by using Unicode escape sequence messages, that you could possibly circumvent most digital forensic tools, unless it is a professional smart enough to check for the. For an example, \u0048 \u0045 \u004c \u004c \u004f , spells out HELLO.

     Fortunately there are people that are trying to close the gap for digital forensic tools lie Pavel Gladyshev of the UCD School of Computer Science and Informatics located in Texas, is working on a project to develop tools that will not only search for raw binary data for keywords but also search for possible character encoding to include ASCII, UTF-8, UTF-16, and UTF-32 that might have escape sequences embedded in it.

Anti-forensics for Your Protection

     Some people might jump to conclusions that by using anti-forensics to protect your information imply that you’re trying to hide illegal information. That is not always the case, sometimes it is useful to use anti-forensic tools in ordinary daily activities to protect against malware that targets devices like smartphones (Storm, 2011). Take for example the mobile forensic solutions offered by the company Cellebrite that are able to extract deleted data from all smartphones and tablets. While most information gleaned is produced from a hardwired connection, it is possible for devices to attach wireless through infrared or Bluetooth signal. The ability to access data remotely from a smart device makes forensic devices dangerous for the general populace because they may be used for criminal activity or spying (Bloomberg 2012).

      Companies like WhisperSystems (www.whispersys.com), make it a little bit harder for government and criminals alike to easily take data from your smart device by providing full disk encryption, network security tools, encrypted backup to the cloud, and selective permissions. Not only will anti-forensics software encrypt you data but it can also encrypt your text messages and voice calls if the other person is using the same software, if they are not it will still encrypt the data on your phone. This protection is not just necessary from a direct attack but also by malware that might disguise itself as an application you really want on you device.

    In the near future, I will be testing mobile digital forensic tools at Ferris State University and will test to see how well at least one of the free anti-forensic tools work during class and plan to come back and add more on forensics and security.

Reference

Berinato, S. (2007, June 8). The rise of anti-forensics. Retrieved from http://www.csoonline.com/article/221208/the-rise-of-anti-forensics

Bloomberg Government, (March, 2012) IPhones to BlackBerrys Cracked by Cops Using Digital Forensics. Cellebrite mobile data secured. Retrieved 4/18/2012. From http://www.cellebrite.com/news-and-events/mobile-data-news/335-iphones-to-blackberrys-cracked-by-cops-using-digital-forensics.html

Fletcher, J. (April, 2012). N.J. investigators track digital ‘fingerprints’ on shared images to nab child pornographers. The republic of Columbus Indiana. Retrieved 4/18/201, from http://www.therepublic.com/view/story/CPT-CHILDPORN_7786030/CPT-CHILDPORN_7786030/