Cyber Crime I - PowerPoint PPT Presentation
Description: An intro to how hackers hack. Types of attacks. Information Assurance Elements ... Yale and Cisco TCP/IP Intros (see my web site for links) ...
Slides: 35
Provided by: peterste

Transcript and Presenter's Notes

1
Cyber Crime I
  • Introduction to Computer Related Crime

Adj. Prof. Peter Stephenson, CISSP, CISM, FICAF
Director, Information Assurance, CeRNS (The Center for Regional and National Security)
peter.stephenson_at_emich.edu
2
What You Can Expect in this Course
  • We will cover the following topics:
    • Cyber crime and information warfare
    • Technical aspects of cyber crime
    • Investigation techniques
    • Legal issues
    • Host and server investigations
    • Computer forensics
    • Wireless networks
  • You will be graded on:
    • Research project: 20
    • Class and on-line discussion participation: 20
    • Quizzes: 20
    • Mid term exam: 20
    • Final exam: 20

3
What I Expect in this Course
  • Participate on-line and in class
    • Lectures are interactive: participate, question,
      don't take my word at face value; if you don't
      agree, question everything
    • I have been in the information security world for
      over 20 years, and in technology for over 40;
      your task in this course is to drain as much of
      my experience as you can. You won't do that by
      keeping quiet.
  • This is a graduate class; you should know how to
    write already
    • Quizzes and exams will all be essay type tests;
      I WILL grade your writing as well as your content
    • The same is true, especially, for your research
      paper
  • Plan to apply what you learn in your job
    • Select a research project that will help you at
      work
  • I expect critical thinking and the application of
    logic; cyber crime investigation is not
    mechanical. Success requires reasoning and the
    application of appropriate structured techniques.
  • Assignments WILL be turned in on time
  • You will earn every grade you get here
    • Nobody skates in this course

4
Let's Get Started: Tonight's Topics
  • The information assurance environment
    • Risks: threats, vulnerabilities and impacts
  • Information warfare
    • Offensive and defensive
  • Cyber crime
    • Digital incidents
    • An intro to how hackers hack
    • Types of attacks

5
Information Assurance Elements
6
Information Systems Risk
  • Definition of risk:
    • The likelihood that a threat agent will
      successfully exploit a vulnerability to create an
      unwanted or adverse impact. (Jones)
  • Risk consists of the agent causing the threat,
    the exploitable vulnerability, the impact of a
    successful attack, and mitigating factors

7
Elements of Risk
  • Malicious threat factors
    • Capability
    • Motivation
    • Access
    • Catalysts
    • Inhibitors
    • Amplifiers
  • Impacts
    • Cannot quantify the unquantifiable
    • Complex impacts impact impacts
  • Vulnerabilities
  • Mitigating factors
    • Safeguards or countermeasures that reduce,
      redirect or eliminate impact

8
Threat Identification and Analysis
  • A threat is credible if:
    • There is a credible threat agent
    • There is a potential vulnerability that the
      threat could exploit
    • There is a law, regulation or policy that defines
      a security control that could be compromised,
      resulting in an impact to the organization
    • The required combination of threat factors is in
      place in the context of vulnerability and impact

9
Formal Definition of Threats
All formal definitions are taken from: Stephenson, Peter. A Formal Model for Information Risk Management Using Colored Petri Nets. Pending publication, CPN 2004, October 2004, Aarhus, Denmark.
10
Threat Components and Relationships
Jones, Andrew. Identification of a Method for the Calculation of Threat in an Information Environment. Unpublished, April 2002.
11
Calculating Threat Capability
HACKER GROUPS

Generic hacker group formula:
TC = (Q × 4) + (H × 7) + (T × 3) + (U × 6)

Silver Lords calculation:
TC = (2 × 4) + (5 × 7) + (4 × 3) + (5 × 6) = 85

Jones, Andrew. Identification of a Method for the Calculation of Threat in an Information Environment. Unpublished, April 2002.
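The weighted sum on this slide carried through in code, as an added example that is not part of the original deck: it reproduces the Silver Lords figure of 85 and also breaks TC down per factor so a defender can see which factor drives the score. The meaning of Q, H, T and U is not given on the slide, so they are treated here as abstract non-negative integer factor scores (an assumption).

```python
# Added example (not from the slides): Jones' threat-capability weighted sum
# from the "Calculating Threat Capability" slide, with a per-factor breakdown.
# Q, H, T, U are treated as abstract non-negative integer scores; the slide
# gives no scale for them (assumption).

from typing import Dict, Tuple

# Weights of the generic hacker-group formula: TC = Q*4 + H*7 + T*3 + U*6
HACKER_GROUP_WEIGHTS: Dict[str, int] = {"Q": 4, "H": 7, "T": 3, "U": 6}


def threat_capability(scores: Dict[str, int],
                      weights: Dict[str, int] = HACKER_GROUP_WEIGHTS
                      ) -> Tuple[int, Dict[str, int]]:
    """Return (TC, per-factor contributions) for the given factor scores.

    Every weighted factor must be scored; a missing or negative score is an
    input error rather than silently treated as zero.
    """
    missing = set(weights) - set(scores)
    if missing:
        raise ValueError(f"missing factor scores: {sorted(missing)}")
    contributions: Dict[str, int] = {}
    for factor, weight in weights.items():
        score = scores[factor]
        if not isinstance(score, int) or score < 0:
            raise ValueError(f"score for {factor} must be a non-negative integer")
        contributions[factor] = score * weight
    return sum(contributions.values()), contributions


def dominant_factor(contributions: Dict[str, int]) -> str:
    """The factor contributing most to TC (the one inhibitors would affect most)."""
    return max(contributions, key=lambda f: contributions[f])


if __name__ == "__main__":
    # Silver Lords scores as read from the slide: Q=2, H=5, T=4, U=5
    tc, parts = threat_capability({"Q": 2, "H": 5, "T": 4, "U": 5})
    print(f"TC = {tc}; contributions = {parts}; dominant = {dominant_factor(parts)}")
```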
12
Formal Definition of Digital Incidents
13
Formal Definition of Vulnerabilities
14
Formal Definition of Impact
15
Determining Impacts
  • Is there a credible threat and threat agent?
  • Are there vulnerabilities for the threat agent to
    exploit?
  • Would exploiting the vulnerability cause harm to
    the organization?
  • If the answers to all three are yes, manage the
    risk; if not, ignore it.
  • BUT: do NOT be naïve about your answers

16
Leading to the Formal Definition of Risk

17
Security Policy Domains
  • A domain whose objects are all governed by the
    same security policy. There are several types of
    security policy domain, including access control
    policy domains. (CORBA)
  • The scope over which a security policy is
    enforced. There may be subdomains for different
    aspects of this policy. (NIST)
  • An environment or context that is defined by a
    security policy, a security model, or
    architecture, and includes a set of system
    resources and a set of entities that have the
    right to access the resources. ("Requirements
    for the Multidimensional Management and
    Enforcement (MSME) System.")

18
Formal Definition of Policy Domains
19
Policy Domains - Details
  • Concerned with both the scope of the domain and
    the interconnections between it and other
    security policy domains
    • Represent communications channels
    • May be authorized or covert
    • Impact data flows
  • May contain multiple components or a single high
    sensitivity/criticality component
  • Policy may be explicit (corporate policy,
    procedure or guideline)
  • Policy may be implicit (configuration of devices
    governed by a policy)
    • Instantiation of the policy

20
Example of Security Policy Domains
21
Informal Definition of Information Warfare
A coherent and synchronized blending of physical
and virtual actions to have countries,
organizations, and individuals perform, or not
perform, actions so that your goals and
objectives are attained and maintained, while
simultaneously preventing competitors from doing
the same to you.
22
Information Warfare Areas - Defensive
  • Information Assurance
    • Personnel security
    • Operations security
    • Physical security
    • Smart cards
    • Biometrics
    • Digital signatures
    • PKI
    • Malicious code: detect and eradicate
    • Intrusion detection
    • Certification and accreditation
    • Firewalls
    • Encryption
    • Tamper resistance
  • Other Defensive Measures
    • Intelligence
      • Strategic early warning
      • Open source intel
      • Signals intel
      • Human intel
    • Vulnerability assessment
      • Risk analysis
      • Red team
    • Knowledge management
      • Data mining
      • Information sharing
      • Document management
    • Business continuity
      • Recovery
      • Resiliency
      • Continuity planning
    • R&D
      • Modeling and simulation

23
Information Warfare Areas - Offensive
  • Information Operations
    • Computer network attack
    • Physical destruction
    • Electronic warfare
    • Virus and worm attacks
    • Trojan horses
    • Fraud
    • Social engineering
    • Information harvesting
  • Marketing
    • Public relations
    • Misinformation
    • Disinformation
    • Advertising
    • Publicity
    • Branding

24
Main Types of Technology Crime
  • Technology-supported terrorism
    • May be offensive or defensive IW
  • Online fraud
  • Money laundering
  • Online pornography

25
Defining Computer Crime
26
The Intrusion Process
  • How intruders intrude (general case):
    • Information gathering
      • Does not touch the victim
    • Footprinting
    • Enumerating
    • Probing for weaknesses
    • Penetration
    • Back dooring, Trojans, etc.
    • Cleanup

27
The Intrusion Process (2)
28
There Are Only 4 Kinds of Attacks
  • Denial of service
  • Social engineering
  • Technical
  • Sniffing

29
Leading to four Basic Incident Types
  • Penetration
  • Fraud
  • Denial of service
  • Virus/worm infection

30
Penetration
  • Purposes
    • Data theft
    • Extortion
    • Joy riding
    • Web defacement
  • Incident management preparation
    • Preventative and detective controls
  • Managing penetration incidents
    • Interdiction: terminate connection if on-line,
      notify law enforcement as appropriate, launch
      internal investigation
    • Containment: locate root kits, compromised
      accounts, etc. and correct; correct vulnerability
      that allowed initial penetration
    • Recovery: analyze damage and respond
    • Analysis: generally part of the containment and
      recovery stages; formal incident post mortem at
      completion of incident

31
Fraud
  • Incident management preparation
    • Preventative and detective controls
  • Managing fraud incidents
    • Interdiction: terminate connection if on-line,
      notify law enforcement as appropriate, launch
      internal investigation
    • Containment: locate root kits, compromised
      accounts, etc. and correct; correct vulnerability
      that allowed initial penetration
    • Recovery: analyze damage and respond
    • Analysis: generally part of the containment and
      recovery stages; formal incident post mortem at
      completion of incident

32
Denial of Service
  • Incident management preparation
    • Harden and test perimeter
    • Relationship with ISP
  • Managing denial of service incidents
    • Interdiction: terminate connection via ISP
      backbone routers
    • Containment: if necessary, terminate Internet
      connection until attack subsides; isolate
      vulnerable/critical assets temporarily
    • Recovery: analyze damage and respond
    • Analysis: formal incident post mortem at
      completion of incident

33
Virus and Worm Infection
  • Incident management preparation
    • Harden and apply defense in depth
    • Use security policy domains
    • Relationship with ISP
  • Managing denial of service incidents
    • Interdiction: terminate connection via ISP
      backbone routers to stop incoming worm or virus
      attack
    • Containment: isolate infected security policy
      domains temporarily
    • Recovery: analyze damage and respond; don't
      re-open infected domains until all domains have
      been cleared
    • Analysis: formal incident post mortem at
      completion of incident

34
That's it for this week.
  • FOR NEXT WEEK
    • Yale and Cisco TCP/IP Intros (see my web site
      for links)
    • Don't forget to be ready to select your research
      topic
    • On-line discussion forum:
      http://home.comcast.net/prstephenson/E_M_U.htm