By Camille Amolo, LLB
1. CYBER-CRIME
1.1 Introduction
· Cyber-crime can be defined as any illegal activity that uses a computer as its primary means of function. The U.S. Department of Justice broadens this definition to include any illegal activity that uses a computer for the storage of evidence.
· The term 'cyber-crime' can refer to offenses including criminal activity against data, infringement of content and copyright, fraud, unauthorized access, child pornography and cyber-stalking.
· There are two main categories that define the make-up of cyber-crimes. Firstly those that target computer networks or devices such as viruses, malware, or denial of service attacks. The second category relate to crimes that are facilitated by computer networks or devices like cyber-stalking, fraud, identity-theft, extortion, phishing (spam) and theft of classified information.
a) Computer assisted cyber-crimes- computer is instrumental is instrumental in committing the cyber-crime: i) selling non-existent, substandard, defective or counterfeit products, theft of credit card, bank fraud, fake stock shares, intellectual property offences including unauthorized sharing of the copyrighted content of movies and digitized books, ii) selling obscene and prohibited sexual representations.
b) Computer oriented cyber-crimes- computer is the target of the crime – i) malicious software viruses such as Trojan, ii) cyber terrorism, iii) child pornography, iv) violent and extreme pornography, v) internet inspired homicides and suicides.
· Cyber-crimes have expanded to include activities that cross international borders and can now be considered a global epidemic. The international legal system ensures cyber criminals are held accountable through the International Criminal Court.
1.2 Computer and Internet as target or wean used in crime
·
1.3 Trends/Kinds of Cyber crime
Types/ Kinds
· Hacking: This is a type of crime wherein a person’s computer is broken into so that his personal or sensitive information can be accessed. In hacking, the criminal uses a variety of software to enter a person’s computer and the person may not be aware that his computer is being accessed from a remote location.
· Theft: This crime occurs when a person violates copyrights and downloads music, movies, games and software. There are even peer sharing websites which encourage software piracy and many of these websites are now being targeted by the FBI.
· Cyber Stalking: Online harassment wherein the victim is subjected to a barrage of online messages and emails. These stalkers know their victims and instead of resorting to offline stalking, they use the Internet to stalk. However, if they notice that cyber stalking is not having the desired effect, they begin offline stalking along with cyber stalking to make the victims’ lives more miserable.
· Identity Theft: In this cyber-crime, a criminal accesses data about a person’s bank account, credit cards, Social Security, debit card and other sensitive information to siphon money or to buy things online in the victim’s name.
· Malicious Software: Internet-based software or programs that are used to disrupt a network. The software is used to gain access to a system to steal sensitive information or data or causing damage to software present in the system.
· Child soliciting and Abuse: Criminals solicit minors via chat rooms for the purpose of child pornography. Crime agencies all over the world has been spending a lot of time monitoring chat rooms frequented by children with the hopes of reducing and preventing child abuse and soliciting.
Trends
· International Cyber-criminals: Cyber-criminals have gone international, making it harder to track down and stop their illegal and harmful activities. A lack of international collaboration also makes it harder to track down hackers as they attack from multiple locations.
· Social Media: With the advent of social media and the increasing reliance of our society on it to do business, the perfect opportunity for cyber-attacks is created. Consisting mainly of “spear phishing” and socially engineered attacks, cyber-criminals are given the perfect avenue to steal a company’s data.
· Advanced Persistent Attacks: Attacks that steal data, but do not destroy that data are also on the rise. What makes these attacks so damaging is that such data theft can remain undetected for a long period of time.
· Onion-Layered Security Incidents - Investigating one event reveals an older, often significantly more damaging hidden attack. These complex situations are the most demanding of investigative time and resources to ascertain the facts, find the root causes, develop a timeline of events and provide the client with recommendations on how to resolve the issues that allowed the attackers to get into the network.
· Ransomware - Ransomware is big business for cybercriminals, who can now hold data hostage via encryption. It is estimated that the paths of ransomware infections are primarily unpatched vulnerabilities (No. 1), drive-by downloads (No. 2) and spear phishing emails (No. 3).
· Greater Management Awareness - High-profile breaches have increased interest in cybercrime prevention at the management and even board level. This interest from people in positions of oversight can provide a forum for security professionals who need top-level support for needed initiatives.
1.4 The Role of Criminal Justice in Information Security
A government, through its criminal justice system has the following responsibilities;
- Understanding the problem - Having a better understanding of how cybercrime affects a country will help the criminal justice set-up in the country address it—the need to know who it targets and why, how it targets them, who the perpetrators are and how much harm it is causing. Armed with this information, governments can better shape policy responses and allocate resources, and businesses and individuals can better assess risk and take targeted action to protect themselves.
-Partnerships and shared responsibility - This means forging mutually beneficial partnerships to share information and combine efforts to combat cybercrime. Governments will also explore other partnership arrangements, including with overseas law enforcement agencies and with key industry sectors, such as internet service providers (ISPs), online service providers and the tertiary education sector.
- Balancing security, freedom and privacy- In striving to create a more secure online environment and take action against cyber criminals, our response must balance the rights of Australians to freely roam, create and interact on the internet, and uphold individuals’ right to privacy.
· USA -Cyber Security Enhancement Act of 2009 (S.773) - Intended to improve cyber security within the federal government and throughout the public and private sectors. To this end, the act establishes research and development requirements for federal agencies and promotes public-private partnerships. The Act provides the National Institute for Science and Technology for developing public awareness and education plans.
· United Nations - Through several congresses have managed to create some principles relating to prevention of cybercrimes. Prominent Congresses are The Tenth United Nations Congress on the Prevention of Crime and the Treatment of Offenders and the 11th UN Congress on Crime Prevention and Criminal Justice- The Declaration (Declaration Synergies and Responses: Strategic Alliances in Crime Prevention and Criminal Justice) was adopted that highlighted the need for harmonization in the fight against cyber-crime.
· Kenya - The Cyber Security and Protection Bill 2016 - The principal object of this Bill is to provide increased security in cyberspace and to provide for the prohibition of certain acts in the use of computers. *The Bill proposes to establish a national cyber security response unit in the Ministry responsible for matters relating to security. The unit will be responsible for receiving and investigating reports on cyber threat incidences, *running a national computer forensics lab for the benefit of law enforcement agencies, advising on measures to combat cyber threats and supporting research into cyber security. The Bill also *proposes a mechanism to enable the sharing of information between private entities on cyber threats under certain circumstances( intended to enhance awareness and preparedness in combating cyber threats.)
In Kenya, the Kenya Information and Communications Act of 2009(12) establishes a body known as the National Computer Emergency Response Team (CERTS), whose mandate is to fight cybercrime in Kenya. *Also through the Communications Authority also Kenyan Govt. signed an Administrative Agreement for the implementation of the Kenya National Computer Incident Response Team Coordination Centre, which would be the national trusted organ for advising and coordinating responses to cyber security incidences in Kenya, liaising with the local sector computer incident response teams, gathering and disseminating technical information on computer security incidents, carrying out research and analysis on computer security, thus facilitating the development of key public infrastructure and capacity building in information security.
Kenyan government is working with the International Criminal Police Organization (INTERPOL) to combat cybercrime in Kenya. Consequently, Kenya is able to leverage on INTERPOL’s technical guidance for combating cybercrime, including detection, forensic evidence collection, and investigation.
Kenya has also made several attempts in its laws to seek to curb cybercrime, the most distinct being the *amendment to the Evidence Act to allow the admissibility of digital evidence in court. (However, this is not conclusive as the Interpretation and General Provisions Act has not been amended and still requires the production of a physical document for purposes of adducing evidence in court. This means that the production of information and evidence generated, sent or stored in magnetic, optical or computer memory is still contentious.) Another law covering this area is the *Central Depositories Act which provides stiff penalties for manipulation of electronic data.
1.5 Confidentiality and Classification
Four-step process for managing classified information
· Different types of information require different security measures depending upon their sensitivity.
· A) Asset inventory - The point of developing an asset inventory is that you know which classified information you have in your possession, and who is responsible for it (i.e., who is the owner). Classified information can be in different forms and types of media, e.g.:
Ø electronic documents
Ø information systems / databases
Ø paper documents
Ø storage media (e.g., disks, memory cards, etc.)
Ø information transmitted verbally
Ø email
· B) Classification of information - ISO 27001 (an information security standard) does not prescribe the levels of classification – this is something you should develop on your own, based on what is common in your country or in your industry. The bigger and more complex your organization is, the more levels of confidentiality you will have – for example, for a mid-size organization you may use this kind of information classification levels with three confidential levels and one public level:
Confidential (top confidentiality level)
Restricted (medium confidentiality level)
Internal use (lowest level of confidentiality)
Public (everyone can see the information)
· In most cases, the asset owner is responsible for classifying the information – and this is usually done based on the results of a risk assessment: the higher the value of information (the higher the consequence of breaching the confidentiality), the higher the classification level should be.
· Very often, a company may have two different classification schemes in place if it works both with the government and with a private sector. E.g. NATO requires the following classification with four confidential levels and two public levels:
· Cosmic Top Secret
· NATO Secret
· NATO Confidential
· NATO Restricted
· NATO Unclassified (copyright)
· NON SENSITIVE INFORMATION RELEASABLE TO THE PUBLIC
· Information labeling
· C) Information Labelling - Once you classify the information, then you need to label it appropriately – one is to develop the guidelines for each type of information asset on how it needs to be classified (ISO 27001 is not prescriptive here, so you can develop your own rules.) E.g. you could set the rules for paper documents such that the confidentiality level is to be indicated in the top right corner of each document page, and that it is also to be indicated on the front of the cover or envelope carrying such a document, as well as on the filing folder in which the document is stored. Labelling of information is usually the responsibility of the asset owner.
· D) Asset Handling – Rules are to be developed on how to protect each type of asset depending on the level of confidentiality. For example, you could use a table in which you must define the rules for each level of confidentiality for each type of media
1.6 Policies and Management Support
· An information security management system (ISMS) is a set of policies concerned with information security management or IT related risks. The governing principle behind ISMS is that an organization should design, implement and maintain a coherent set of policies, processes and systems to manage risks to its information assets, thus ensuring acceptable levels of information security risk.
· ISMS must remain effective and efficient in the long term, adapting to changes in the internal organization and external environment. ISO/IEC 27001:2005 therefore incorporated the "Plan-Do-Check-Act" (PDCA), or Deming cycle, approach:
Ø The Plan phase- designing the ISMS, assessing information security risks and selecting appropriate controls.
Ø The Do phase - implementing and operating the controls.
Ø The Check phase - to review and evaluate the performance (efficiency and effectiveness) of the ISMS.
Ø In the Act phase - changes are made where necessary to bring the ISMS back to peak performance.
· Some nations publish and use their own ISMS standards, e.g. the Department of Defense (DoD) Information Technology Security Certification and Accreditation Process (DITSCAP) of USA, the Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) of USA, the German IT baseline protection, ISMS of Japan, ISMS of Korea, Information Security Check Service (ISCS) of Korea.
· Need for an ISMS - Security experts say that information technology security administrators should expect to devote approximately one-third of their time addressing technical aspects. The remaining two-thirds should be spent *developing policies and procedures, performing security reviews and analysing risk, addressing contingency planning and promoting security awareness; security depends on people more than on technology; employees are a far greater threat to information security than outsiders; security is like a chain. It is only as strong as its weakest link; the degree of security depends on three factors: the risk you are willing to take, the functionality of the system and the costs you are prepared to pay; security is not a status or a snapshot, but a running process.
1.7 Challenges (in Information Security)
i. THE SKILLS GAP – Study showed that less than a quarter of an organizations’ employees are qualified for their positions. It was also identified that security practitioners’ ability to understand the business as the largest skills gap. This problem poses a serious risk to an organization. If security practitioners don’t fully understand the nature of their business, security and business personnel will fail to see how each asset is relevant to the support of an organization’s mission. That means they won’t grasp the relative business importance of protecting each asset, which will hamper their ability to reduce threats and mitigate risks. The skills gap poses a double-risk to organizations. Not only are information security practitioners in short supply, but skilled personnel are even rarer. Each business needs to address this hiring and skills challenge head-on if they’re to shore up their data security.
ii. THE EXPLOSIVE GROWTH IN ENDPOINTS - Some 22.9 billion endpoints are up and running on organizations’ networks, and according to a Cisco report, that number is expected to double by 2020. The effort needed to protect so many devices can drive up security operations costs and stretch any organization’s ability to make sure each device is compliant with industry standards.
iii. SECURITY AND TECHNOLOGY IS CHANGING RAPIDLY - Security has to evolve to meet today’s sophisticated threats. Changes can make it difficult for organizations to invest in security as navigating all the different packages and configuration options can get confusing.
iv. The age of cybercrime syndicates - Ever since the birth of the Internet, crime syndicates saw value in exploiting worldwide connectivity. Now, they have big budgets, deep skill sets and sophisticated tools to circumvent many of the best cyber-security solutions. Keeping an eye on these syndicates will be a key to information security success.
v. Lateral hacker movement/breach containment - Once cybercriminals find their way inside corporate networks, they're moving laterally between applications until they find the most sensitive and valuable data. This information security challenge is why Gartner predicted that micro-segmentation technologies will be one of the must-haves for enterprise security in 2016. The research firm explained that by cryptographically isolating workloads and encrypting network traffic end-to-end, organizations can prevent lateral "east/west" hacker movement, contain breaches and better secure data.
No comments:
Post a Comment