WEEK 8 Lesson: Trends and Policy Implications
Week 8 Lessons
Chapter 14 - A Forecast of Future Trends and Policy Implications
1. The purpose of this chapter is to give an overview of several possible trends
concerning future issues related to digital crime and terrorism.
2. Summary of Forecasts
a. Forecast 1 – The number of offenses reported to the police involving
computers and electronic storage media will increase substantially, requiring
changing priorities for resource allocation, new training for line officers and
investigators, new police specialties, and new knowledge for prosecuting
attorneys and judges.
b. Forecast 2 – The largest computer crime problem affecting local law
enforcement, representing the largest number of victims and the largest
monetary loss, will be Internet fraud, including fraud via identity theft.
c. Forecast 3 – Virtual crimes against persons will increase at a faster rate
compared to past years as a result of the significant expansion in networking
and personal computing.
d. Forecast 4 – Some computer hacker groups, notably those characterized
by the “offender” and “predator” categories, will evolve into networked
criminal enterprises.
e. Forecast 5 – Current organized crime groups, particularly those that are
entrepreneurial, will increasingly adopt computerization as a criminal
instrument.
f. Forecast 6 – Terrorist groups will increasingly use global networking as a
tool to accomplish their goals.
g. Forecast 7 – The character of espionage will continue to broaden into the
arenas of information warfare, economic espionage, and theft of intellectual
property.
h. Forecast 8 – Criminals, terrorists, and anarchists will increasingly use
technology-based instruments and methodologies which can surreptitiously
capture data/information or destroy technological communications,
information processing and/or storage appliances.
Taylor, R., Caeti, R., Loper, D.K., Fritsch, E.J., & Liederbach, J. (2011). Digital
Crime and Digital Terrorism.
14 Information Security and Infrastructure Protection
CHAPTER OBJECTIVES
After completing this chapter, you should be able to
■ Understand the concept of risk as applied to information security and infrastructure protection.
■ Discuss the major principles of risk analysis.
■ Identify and define the primary security technologies used to protect information.
■ Discuss the various functions of firewalls, and identify their limitations.
■ Define encryption, and discuss its use in terms of authenticity, integrity, and confidentiality.
■ Identify and explain some of the security vendor technologies used today to secure information.
INTRODUCTION
Risk analysis will always be an art informed by science. We cannot know all possible outcomes
and weigh them rationally. Risk analysis involves projecting the most probable outcome and
allocating available resources to address that outcome. At the same time, a risk analyst must
remember that assets (computers, networks, etc.) were purchased to fulfill a mission. If risk
management strategies substantially interfere with that mission, then the assets are no better off
than if they had been compromised through a security-related risk.
This section introduces the concept of risk by discussing several epochs of computer
development. Each era presents its own risk and at least somewhat functional responses to that
risk. Early decisions weighing the risk of computers not providing a useful function against
potential or unknowable future security threats produced results that we still live with today. It is
easy to criticize early decisions based on our knowledge of the outcomes, but even with
hindsight, we may fail to see that the benefit provided greatly outweighs the harm. In fact, some
decisions that have produced security vulnerabilities were absolutely essential to the basic
functioning of computers and networks for their intended purposes.
MASTERING THE TECHNOLOGY AND THE ENVIRONMENT
In the earliest days of computing, before extensive networking and multiple user systems, the
primary problem faced by users was the technology itself. During these early days, programmers
created the computer functions that we take for granted.1 Early innovations included interactive
operation (rather than batch processing and output), rudimentary networking, graphics, tools and
utilities, and so on.2 In many cases, the primary limitation was the capacity of the hardware.
Limitations imposed by operating memory, storage, and processing speed each forced
adaptations. The net effect was the absence of security. At the time, physical security (i.e.,
locked doors) was sufficient to protect computing resources. The primary concern of system
architects was the expansion of useful function and overcoming hardware limitations. Although
decisions made at this early point would later have negative effects on security, they were really
unavoidable.
As technologies matured and found supporters in mainstream business, the computer moved
from research platform to business tool. Complex software was created for business, and
essential functions were transferred from armies of clerks to computer systems. Such moves
were always in one direction. It is impossible to reemploy clerical staff and reimplement
paper-based procedures once the existing system is gone. Furthermore, the cost savings of computers
make such a backward move unlikely. This placed new emphasis on the availability of data and
recovery from errors and disasters. Computer centers were created to concentrate technical
expertise and provide a controlled environment in which to maximize the availability of
computing resources. Innovations in fire suppression,3 efficient environmental controls,4 and
administrative procedures (i.e., backup schedules) gave reasonable assurance against disaster.
The user was undeniably part of the computing environment. During this era, legitimate users
were the primary human threat to computers. More harm was caused by failure to properly
maintain systems and backup schedules than from intrusion or malicious intent. When malicious
intent played a part, it was typically on the part of an insider.5 Although there are documented
cases of intrusion and loss, a much greater threat came from the relative scarcity of experts to
operate and maintain systems. Once again, the operational need for availability was more
pressing than security.
Personal Computers and Intruders
Although recreational system intrusion was not unknown in the previous era, it was largely
restricted by access to computers from insiders (see Chapter 4). Few people had access, and
fewer still had the skill to break through the rudimentary security on most systems. Those who
did were often deeply invested in terms of time and resources spent to acquire that
knowledge.6 Recreational intrusion was a minor problem at best. The advent of the home or
personal computer (PC) in 1975 marked the beginning of the democratization of computing. It
also marked the movement of hacking from the old-school era to the bedroom hacker era (again,
see Chapter 4).7 By the end of the 1970s, the restraint of peers and the investment in knowledge
no longer provided reasonable protection against malicious users.
In this era, intruders sought knowledge and resources to continue their use of computers. Much
of the literature is devoted to detailing the social connections or lack thereof among intruders and
hackers.8 Most pundits resort to the myth of the hacker as loner and contentious in interaction
with other hackers.9 An often-overlooked facet of the hacker culture is the need for information
and resources. In the early era of intrusion, access to other computers required a phone
connection, usually to a long-distance number. Thus, the search for access to resources and
knowledge of how to exploit them dominated the vast majority of hacker interactions.
For the first time, intruders became a significant threat to routine computer use. Although efforts
were made to secure computers, long-standing demands for the availability of computing
resources and the expansion of computer capabilities simply eclipsed demands for security.
Hollinger and Lanza-Kaduce provide one of the very few significant criminological works
describing the efforts to supplement the computer industries’ meager efforts toward security with
law.10 Various states and the federal government passed laws in the hopes of deterring would-be
computer criminals and punishing those who were caught.
The Internet Explosion
The explosive growth of the Internet has been the subject of numerous books and articles in the
popular press,11 scholarly publications of general interest,12 and works of technical research.13 The
dramatic influx of new users to computer networks has burdened both the technical infrastructure
and the social cohesion of online communities.14 The loss of social cohesion of the computer
underground gave rise to script kiddies, low-skilled network intruders with little desire to pursue
the traditional goals of hackers (see Chapter 4). At the same time, the influx of new users, also
with low levels of skill, gave script kiddies and other larval hackers a rich field of targets. Unless
a computer system holds particular interest (politically—like the World Trade Organization;
technologically; or as a trophy—like NASA or the Pentagon), the most likely threat comes from
script kiddies.
During this period, the amount of computerized data, such as bank records, personal information,
and other electronic files, increased. Businesses and financial institutions store sensitive
customer information in massive electronic databases that can be accessed and compromised by
hackers. The increased use of online banking and shopping sites also allows consumers to
transmit sensitive personal and financial information over the Internet. This created more
attractive targets for criminals to engage in identity theft, fraud, and espionage.
In turn, the Internet increased the availability and proliferation of hacker tools and data and the
professionalization of the hacker community. The recent emergence of malicious software
markets and communities that engender the sale of stolen information as outlined in Chapters
6 and 7 makes it significantly easier for hackers to gain access to very sophisticated tools with
little to no understanding of how they function. Such tools existed in the previous era, but were
not as widely distributed or easily accessed. As a result, the global landscape of threats from
hacking has changed dramatically, leading accomplished network intruders to offer their services
for hire to unskilled hackers, terrorists, and organized crime groups. This has changed the way
threats are perceived, though it is clear that the potential of the Internet to find and retrieve
information from almost any jurisdiction has made it unlikely that a single nation’s efforts could
remove these tools from wide circulation. It is also undesirable to remove technical information
from our networks; technological advancement depends on the open exchange of ideas.15
PRINCIPLES OF RISK ANALYSIS
Risk analysis is performed at many levels and with many degrees of detail. Risk analysis services
are provided by Fortune 500 consulting firms like Deloitte, Accenture, Ernst & Young, and
many others. Reports from a major risk analysis can cover every aspect of
(Taylor 321-323)
Taylor, Robert W., Eric Fritsch, John Liederbach. Digital Crime and Digital Terrorism, 3rd
Edition. Pearson Learning Solutions, 02/2014. VitalBook file.