Archive for February, 2012

Protecting Airport Information Systems against Cyber Attacks

On September 11, 2001 the concept of airport security was forever changed when several airplanes filled with unsuspecting passengers were hijacked by terrorists holding little more than box cutters and then used as weapons to destroy some of America’s most iconic government buildings. Although September 11th was not the first time an airport or airplane was targeted by terrorists, it certainly was the most devastating and memorable experience for Americans and many others worldwide. Many people were afraid to fly and the airline industry suffered financially as a result. A change in security had to be made. The Transportation Security Administration (TSA) was formed in response, and new technology along with heightened security processes have been implemented at airports everywhere (Coskun & Hoey, 2005).

Intruder detection systems and biometrics are now used to track employees, and enhanced body scanners and x-ray technologies are the norm for passenger and baggage screening. The individual airline companies have also developed new technologies to identify passengers and check them in via kiosks and on the internet. Some have also developed smartphone applications to track flights and allow paperless boarding at the gate. Wireless internet is available in the airport terminals and even on board the flight. These are the technologies that are obvious to customers; however, there are countless other complex Information Technology and Systems (IT&S) present behind the curtain “which enable the airport and all of its intricate facets to efficiently and safely function minute-by-minute and day-to-day” (Airport Consultants Council, 2008).

While physical security may have improved, a new threat has emerged with the increased use of new technologies: cyber attacks. Because of the many different business operations and processes going on during daily operations, airport information systems consist of all types of technologies with different maintenance practices and data owners (Transportation Research Board, 2009). With cyber attacks on the rise, how is it possible to protect all of the different systems and technologies within an IT&S infrastructure as complex as an airport?

Focus of the Study

The purpose of this study is to identify those systems and technologies common to an international airport that are most vulnerable to cyber attack, explain the risks and vulnerabilities, and recommend mitigation techniques. The infrastructure of the systems of an international airport will be generalized based on commonalities in the passenger and employee experience. The technologies analyzed will be broken up into the following categories:

  • Biometrics and Access Control
  • Flight tracking and information systems
  • Passenger screening
  • Baggage tracking and inspection
  • Networks and Web Services
  • Radios and Communication

The analysis of each technology will focus on the amplification of the following information:

Information – What is the device or technology used for? What kind of information is involved (i.e. financial, personal, business intelligence…)?

Data Ownership and Maintenance – What are the maintenance practices? Who owns the information? What stakeholders are involved?

Vulnerabilities – What are the vulnerabilities? How can the vulnerabilities be exploited? Does the lack of security in one system pose threats to another?

Consequences of breach – Why is it important to secure the information? What could happen if certain areas are breached? What is the potential loss?

Mitigation – What is the best way to secure the information? How to maintain secure information? What is the process?

Biometrics and Access Control

Biometric systems use a peripheral device to identify an individual by scanning a unique bodily feature such as an iris or fingerprint. After identification has been made the file can be used to check criminal databases or allow access to an area (Airport Consultants Council, 2008). Fingerprint scanners are currently in use at customs and border patrol workstations in many airports. After a fingerprint is added to the database it is used to verify travel documents and cross-check criminal databases and travel alerts (Find Biometrics, 2011). Some airports also use iris scanners in conjunction with fingerprint scans. This speeds up the processing of passengers through customs by allowing quick access to information without the border patrol agent having to manually type identification information into a database, where errors could occur or mistakes could be made. Although there is the possibility of someone using an altered fingerprint or contact lens, the use of multiple identification procedures such as additional biometrics and confirmation of identity against passports by the border patrol agent lessens the chances of the biometric system being compromised. The largest vulnerability for biometric systems at airports comes from the back end of the computer system or database. If firewalls are not installed and access logs are not carefully monitored, the system could be cracked (Lee, 2006). The system should also be password protected, default user accounts should be deleted, and users trained to keep passwords secure and complex. The compromise or alteration of this personal information could have devastating consequences. Customs may have to go to a back-up database (assuming they have one) or shut down altogether, severely limiting airport operations.

A common access control system used by employers and TSA in airports is a badge access system. Badges worn by personnel serve the purpose of identifying their name, position and access level, and also allow or deny them access to various areas throughout the airport (Airport Consultants Council, 2008). The most obvious vulnerability to a badge system is the management of the system by security personnel. Employees must not be given more access than is required of their position, access must be monitored, and systems must be maintained to ensure security and proper restriction on all levels. Outside attackers could easily replicate or confiscate a badge and gain access to the terminal or aircraft. Combining badge access with a PIN or biometric system will improve the security of this access system.
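The mitigations named above (least-privilege zones per role, a PIN as a second factor alongside the badge, revocation of lost badges, and monitoring of every access decision) can be put together in a small model. The following is an added example written for this page; it is not code from the essay or from any badge-system vendor, and the role names, zones, badge ids and PINs are constructed.

```python
"""Badge-plus-PIN door access with least-privilege zones and an audit trail.

Added example (not from the essay or any vendor's product): a badge read
alone never opens a door; the holder must also present a PIN, the zone must
be in the holder's role, and every decision is logged for monitoring.
"""
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

# Constructed role table: each role lists only the zones its job requires.
ROLE_ZONES = {
    "gate_agent": {"concourse", "gate_b"},
    "ramp_crew": {"concourse", "ramp", "baggage_hall"},
    "screener": {"concourse", "checkpoint"},
}


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Slow salted hash so a copied badge database does not reveal PINs."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class BadgeSystem:
    def __init__(self):
        self._badges = {}   # badge_id -> record
        self.audit = []     # every decision, granted or denied

    def enroll(self, badge_id: str, role: str, pin: str) -> None:
        if role not in ROLE_ZONES:
            raise ValueError(f"unknown role {role!r}")
        salt = secrets.token_bytes(16)
        self._badges[badge_id] = {
            "role": role, "salt": salt,
            "pin_hash": hash_pin(pin, salt), "revoked": False,
        }

    def revoke(self, badge_id: str) -> None:
        """Lost or confiscated badge: keep the record, but it never opens a door."""
        self._badges[badge_id]["revoked"] = True

    def _log(self, badge_id: str, zone: str, granted: bool, reason: str) -> bool:
        self.audit.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "badge": badge_id, "zone": zone, "granted": granted, "reason": reason,
        })
        return granted

    def request_access(self, badge_id: str, pin: str, zone: str) -> bool:
        rec = self._badges.get(badge_id)
        if rec is None:
            return self._log(badge_id, zone, False, "unknown badge")
        if rec["revoked"]:
            return self._log(badge_id, zone, False, "revoked badge")
        # constant-time comparison of the PIN hash against the stored one
        if not hmac.compare_digest(hash_pin(pin, rec["salt"]), rec["pin_hash"]):
            return self._log(badge_id, zone, False, "bad PIN")
        if zone not in ROLE_ZONES[rec["role"]]:
            return self._log(badge_id, zone, False, f"zone not permitted for {rec['role']}")
        return self._log(badge_id, zone, True, "badge and PIN verified")

    def denials(self, badge_id: str) -> int:
        """Denied attempts for one badge; a spike is what monitoring should surface."""
        return sum(1 for e in self.audit if e["badge"] == badge_id and not e["granted"])


if __name__ == "__main__":
    doors = BadgeSystem()
    doors.enroll("B-1001", "gate_agent", "4821")
    print(doors.request_access("B-1001", "4821", "gate_b"))   # True
    print(doors.request_access("B-1001", "4821", "ramp"))     # False: not in role
    for entry in doors.audit:
        print(entry)
```

The audit list is what the text's "access must be monitored" amounts to in practice: denied attempts are recorded with a reason, so a badge that is repeatedly presented at doors outside its role, or after revocation, shows up in a review without anyone having to watch the door.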

Flight tracking and information systems

Throughout the airport there are various Flight Information Display Systems (FIDS), which allow passengers and airport personnel to monitor current flight tracking data, gate information, weather information, delays and other pertinent information. These FIDS are connected to various databases from various internal and external sources (Airport Consultants Council, 2008). The stakeholders of this information are many. Various airlines control databases, as do the Federal Aviation Administration (FAA) and Air Traffic Control (ATC). If the databases feeding information to the FIDS were to become compromised, airport operations would come to a screeching halt. Passengers would not know what gate to go to, flight crews would not know where to park planes, the tower would have trouble prioritizing departures and arrivals, and multiple airports would be affected.

Exploitation of databases often occurs in the form of hijacked or spoofed client sessions where an attacker can formulate queries of a database that disclose unauthorized information. In the case of flight information databases a hacker could create a virus or VBS script commanding an application to perform certain actions (such as to show all flights as delayed or delete all database information). Because the information flows over a complex network of collocated servers, an attacker could use a TCP attack and a password cracker to gain access (Dulaney, 2009). In 2011, the Department of Transportation issued a report that unauthorized users were able to gain access to the FAA’s ATC tracking system due to unauthorized information disclosure, systems not being securely patched, the use of unsupported operating systems, and improper network configurations (Hall, 2011). Securing these databases against outside access is of utmost importance because of the potential loss to the stakeholders involved, including the safety of airline passengers. Servers must be patched, back-ups of databases maintained, and access to systems limited and configured properly.
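The "formulate queries of a database that disclose unauthorized information" point above is easiest to see side by side: a flight lookup that splices user input into SQL, the same lookup with a bound parameter, and a read-only display connection so that even a successful injection cannot delete or alter flight data. This is an added example written for this page, not code from the essay or from any FIDS product; the table, its columns and the flight numbers are constructed.

```python
"""FIDS flight lookup: string-built SQL beside a parameterized query.

Added example (not from the essay or any FIDS vendor). Uses an in-memory
SQLite database with a constructed flights table.
"""
import sqlite3


def build_fids_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the database feeding the displays."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE flights (flight TEXT, gate TEXT, status TEXT, airline TEXT)")
    conn.executemany("INSERT INTO flights VALUES (?, ?, ?, ?)", [
        ("UA123", "B12", "On time", "United"),
        ("AA456", "C3", "Delayed", "American"),
        ("DL789", "A7", "Boarding", "Delta"),
    ])
    conn.commit()
    return conn


def lookup_flight_vulnerable(conn: sqlite3.Connection, flight: str) -> list:
    """Defective on purpose: the flight number is spliced into the SQL text,
    so a crafted value becomes part of the query instead of a literal."""
    sql = f"SELECT flight, gate, status FROM flights WHERE flight = '{flight}'"
    return conn.execute(sql).fetchall()


def lookup_flight_safe(conn: sqlite3.Connection, flight: str) -> list:
    """Hardened form: the driver binds the value as data, never as SQL."""
    sql = "SELECT flight, gate, status FROM flights WHERE flight = ?"
    return conn.execute(sql, (flight,)).fetchall()


def lock_to_read_only(conn: sqlite3.Connection) -> sqlite3.Connection:
    """Display terminals only ever read. SQLite's query_only pragma makes any
    UPDATE/DELETE on this connection fail, injected or not (least privilege
    for the client session, independent of the query code)."""
    conn.execute("PRAGMA query_only = 1")
    return conn


def try_delete_all(conn: sqlite3.Connection) -> bool:
    """True if the DELETE went through; it must not on a read-only connection."""
    try:
        conn.execute("DELETE FROM flights")
        return True
    except sqlite3.OperationalError:
        return False


if __name__ == "__main__":
    db = build_fids_db()
    probe = "x' OR '1'='1"            # constructed probe value, not a real flight
    print(lookup_flight_vulnerable(db, probe))   # every row: the WHERE clause was rewritten
    print(lookup_flight_safe(db, probe))         # []: no flight is literally named that
    lock_to_read_only(db)
    print(try_delete_all(db))                    # False: the display session cannot write
```

Both fixes belong together: the parameterized query stops input from becoming SQL, and the read-only session bounds the damage if some other client path is still vulnerable, which is the "access to systems limited and configured properly" part of the mitigation.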

Passenger screening

When passengers arrive at the airport they must check in using a kiosk or airline ticketing desk, or print their boarding passes online prior to airport arrival. Individual airline ticketing/check-in counters track customers using Common Use Passenger Processing Systems (CUPPS). “CUPPS allow multiple airlines at an airport to share data on common workstations but also tie into an airline’s back-office systems and preferred front-office passenger processing applications” (Airport Consultants Council, 2008). CUPPS are only as safe as the back-office systems and other applications they are connected to. If an airline’s office systems are not secure, the vulnerabilities of the CUPPS are even greater. If the CUPPS is compromised, passenger processing for all airlines could be affected, along with passenger lists and flight data. Airline kiosks and web check-in increase access to, and the possible depredation of, the CUPPS because anyone with flight information, a frequent flier number or access to an e-mail account could check in with fake identification and gain a boarding pass under another name. TSA agents can become complacent and photo identification can take on many formats. The potential for unauthorized access to the terminal and a flight is very high. One case was reported by a United Airlines passenger who didn’t pay attention to the prompts on the kiosk screen and ended up with the wrong boarding pass. The same news report mentioned several cases where passengers had accidentally entered an incorrect letter and were given several names of people to choose from. As was pointed out in the report, what is to stop a person from acquiring fake identification and boarding the wrong flight (San Diego News, 2007)?

The stakeholder in this case is primarily the individual airline, as it is their responsibility to protect the private data of their customers, but it could turn into a major incident if a criminal were to board a plane under another name and someone was harmed in the process. Airlines must do a better job of ensuring boarding passes do not land in the wrong hands. This means assessing and increasing the security of their office hardware and software and company websites, and most importantly monitoring what goes on at the kiosk. Requiring a web password at the kiosk rather than just flight information or a confirmation code could improve security, as could securing online check-in by requiring customers to log in to the website to access boarding passes rather than simply clicking a link in their e-mail inbox.

Another common passenger screening tool, recently implemented at most airports, is the full body scanner. This scanner uses Advanced Imaging Technology (AIT) similar to that of an x-ray machine in a hospital to view any objects a passenger might be carrying under his or her clothes, in pockets or even in body cavities. The scanners are controlled and monitored by the TSA and are vulnerable in that they are controlled by software which could have glitches or be hacked and images stolen or manipulated; the scanners could also lose power due to an electrical outage (Swafford, 2011). It is important for the TSA to ensure the computers controlling the software have access control in place in the form of passwords, smart cards, or biometrics, and also to ensure a back-up power supply and proper climate control are available to mitigate these vulnerabilities.

Baggage tracking and inspection

The Baggage Handling System (BHS) is one of the most critical ground systems in an airport, as it is responsible for tracking bags from ticketing to the gate, to follow-on flights, and all the way to the passenger’s destination. If the BHS is inoperable, flights are grounded (Airport Consultants Council, 2008). In a 2008 study of 13 airports worldwide, Airtight Networks found that many airports were using wireless WEP systems with out-of-the-box configurations to operate their baggage tracking systems (Airtight Networks, 2008). This is a concerning report considering there are so many unsecured wireless network users within the airport that could easily gain access to, or unknowingly allow their computer to be used as a vehicle for access to, the BHS. Even a wired BHS has vulnerabilities: servers must be patched and locked down, clients must have access restrictions, and most importantly the information must be protected from intruders via access controls. Employees must also be trained on the importance of securing peripheral scanning devices and passwords.

With the volume of baggage passing through an international airport on a daily basis it is important to have a secure and accurate method of quickly scanning baggage for explosives or other dangerous materials. If a baggage scanning system were unknowingly compromised, the consequences could be devastating. The Aviation and Transportation Security Act of 2001 mandates that 100 percent of checked baggage be screened using explosive detection systems. The most common screening system used today is the Explosives Detection System (EDS) scanner. This scanner uses computer-aided tomography (CT) adapted from medical technology to automatically detect high-density signatures of threat explosives without human interaction. Bags are loaded into the scanner by TSA personnel and the EDS indicates whether or not there is a threat. If a threat is indicated, the machine alarms and the agent reviews the images to determine if further inspection (a physical search of the baggage contents) is necessary. If no threat is detected, the bag moves on (Semp Inc., 2005). Although the EDS are stand-alone systems with a lessened cyber-attack threat, TSA personnel must ensure bags are being properly screened. Recently 28 bag screeners were fired from their jobs at the Honolulu International Airport after an inspection revealed that bags were consistently not being screened for explosives. Workers reported they were under pressure to get flights out on time (McAvoy, 2011). It is clear the TSA will need to conduct some retraining of baggage screening personnel to emphasize the need for secure practices despite pressured timelines.

Networks and Web Services

International airports have complex wired campus networks that allow data access through secondary and tertiary levels of distribution. These networks are the information technology backbone of the airport, and their design and management are critical to operations (Airport Consultants Council, 2008). Nearly every system in the airport is connected to the campus network, and securing that network from internet or external attacks is extremely important. The first step in securing the network is to have solid security policies and to ensure that employees are trained and that the network configuration supports these policies. These policies will have to be coordinated with any interconnected outside airline or business networks so that breaches do not occur regardless of internal security. Equally important to implementing policies is frequently self-assessing compliance with them. Self-assessments should also be run on the network to check for vulnerabilities. This can be done by looking at firewall configurations, ensuring anti-virus software is up to date, and downloading and installing the latest patches on a regular basis. The network must also be encrypted, requiring all outside connections to use a VPN for access. Outside networks connecting via VPN should also be required to meet the minimum security practices. E-mail sessions, hard drives and file transfers, among many other items on the network, can be encrypted relatively easily using the appropriate tools. Assets on the network should be given a replacement cost and security should be prioritized according to the protection of the most valuable assets. Lastly, disaster recovery and back-up plans should be in place and practiced on a regular basis (Miliefsky, 2007).

More recently wireless networks have become commonplace and are relied upon by airport personnel and customers alike. In 2008 Airtight Networks Inc. conducted a security assessment of the wireless networks of 13 airports worldwide, 9 located within the United States. The goal of the report was to “assess the vulnerabilities of airport wireless networks and the information security risk exposure of laptop users while they are transiting through airports” (Airtight Networks, 2008). The study found that 80 percent of wireless networks were open or WEP versus the more secure WPA/WPA2, only 3 percent of hot-spot users were encrypting their data, those not using hot-spots were leaking network information, and 10 percent of laptops connected to the network were infected with viruses (Airtight Networks, 2008). Many public free wireless networks were not encrypted and had open SSIDs, allowing viral SSIDs to spread from the U.S. all the way to sites in Europe. Baggage handling systems and customs networks were found connected to Bangkok’s international airport wireless network. Three clients were also found connected to the customs network via this wireless connection. This assessment was a follow-up of best practices previously recommended, and vulnerabilities in the core systems were found to be worse during this assessment than when originally identified (Airtight Networks, 2008). How can Wi-Fi be secured when there are so many different broadcasters located across many sections within a large airport? Frequencies are also in short supply and must be managed across the spectrum. Strict policies must be put in place to detail security practices for wireless networks and define who is allowed to broadcast service in specific areas (Airport Consultants Council, 2008). The same protocols for securing the wired network can be followed for the wireless network.

Other mitigations are to change the out-of-the-box default configurations, ensure SSIDs are not broadcast, and use WPA encryption with complex passwords changed on a regular basis (Airtight Networks, 2008). Each network should also define and minimize the physical radius of the wireless broadcast to prevent unauthorized outside users from connecting.
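The Airtight findings above (open or WEP networks, out-of-the-box SSIDs, and operational systems such as baggage handling reachable over the same wireless network) are exactly what an airport's own periodic self-assessment should catch. The following added example, written for this page and not taken from the essay or from Airtight Networks, audits a constructed wireless survey: the CSV layout, the SSIDs and the BSSIDs are all invented, and the "default SSID" and "operational system" word lists are assumptions a real assessment would tune to its site.

```python
"""Audit a wireless site survey for the weaknesses the 2008 airport study reported.

Added example (not from the essay or from Airtight Networks). The survey
below is constructed; real scanners emit their own formats, so the parser
expects a simple CSV export with ssid,bssid,security,channel columns.
"""
import csv
import io

# Constructed survey of five access points, as a scanner might export it.
SCAN_CSV = """ssid,bssid,security,channel
FreeAirportWiFi,00:11:22:33:44:01,OPEN,6
linksys,00:11:22:33:44:02,WEP,11
BHS-Scanners,00:11:22:33:44:03,WEP,1
Customs-Ops,00:11:22:33:44:04,WPA2,6
AirlineLounge,00:11:22:33:44:05,WPA2,11
"""

WEAK_SECURITY = {"OPEN", "WEP"}                       # what the study counted as insecure
DEFAULT_SSIDS = {"linksys", "default", "netgear", "dlink", "wireless"}  # assumed factory names
OPERATIONAL_HINTS = ("bhs", "baggage", "customs")      # assumed naming of back-end systems


def parse_scan(text: str) -> list:
    """Turn the CSV export into a list of dicts, one per access point."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_networks(rows: list) -> list:
    """Return (ssid, finding, security) tuples; one network can raise several."""
    findings = []
    for r in rows:
        ssid, sec = r["ssid"], r["security"].upper()
        if sec in WEAK_SECURITY:
            findings.append((ssid, "weak-or-no-encryption", sec))
        if ssid.lower() in DEFAULT_SSIDS:
            # factory SSID usually means the rest of the configuration is factory too
            findings.append((ssid, "default-ssid", sec))
        if sec in WEAK_SECURITY and any(h in ssid.lower() for h in OPERATIONAL_HINTS):
            # the Bangkok case from the study: back-end systems on an unprotected link
            findings.append((ssid, "operational-system-on-weak-link", sec))
    return findings


def weak_percentage(rows: list) -> int:
    """Share of surveyed networks that are open or WEP, the study's headline figure."""
    weak = sum(1 for r in rows if r["security"].upper() in WEAK_SECURITY)
    return round(100 * weak / len(rows)) if rows else 0


if __name__ == "__main__":
    aps = parse_scan(SCAN_CSV)
    print(f"{weak_percentage(aps)}% of networks open or WEP")
    for ssid, finding, sec in audit_networks(aps):
        print(f"{ssid:16} {sec:5} {finding}")
```

Run against a real export on a schedule, the finding list is the input to the "who is allowed to broadcast in which area" policy the text calls for: anything operational that shows up on a weak link, or any factory-named access point, is a ticket for the owning team.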

Radios and Communication

Airports use many forms of radios and telephones for communication. Most vulnerable to cyber-attacks are Voice over Internet Protocol (VoIP) communications. VoIP is a telephone-like system that accepts a voice transmission and converts it into packets which travel over the network to their destination, whether internal or external (Airport Consultants Council, 2008). VoIP systems are a convenient, cost-effective way of communicating within a large campus-like environment without the need to run complex telephone lines. The vulnerability of a VoIP system is the ability of a cybercriminal to eavesdrop on conversations to collect confidential information or use it for blackmail purposes. Criminals can conduct VoIP hopping attacks to compromise the VLAN from a remote location and use a computer to mimic an IP phone. After the network has been breached it is easy to spoof the caller identification features of the VoIP phone system or flood the system with bogus transmissions, disabling communications (Hickey, 2007). It is important for employees using VoIP systems to be aware of these vulnerabilities and report suspicious activity on the network immediately. There should also be implementation and awareness of a Critical Information List (CIL) detailing information not to be discussed over unsecure lines.
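Two of the VoIP abuses above leave traces a network team can look for: a computer mimicking a phone from outside the voice VLAN while claiming an internal extension, and a flood of call setups from one source. The following added example, written for this page and not taken from the essay or from Hickey (2007), scans a constructed call-signalling log for both. The log line format, the voice VLAN range (10.20.0.0/16) and the thresholds are assumptions; a real SIP proxy or call manager logs in its own format and the regular expression would be adapted to it.

```python
"""Flag caller-ID spoofing suspects and INVITE floods in a VoIP signalling log.

Added example (not from the essay). Log lines, the voice VLAN range and
the thresholds are constructed assumptions for illustration.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

VOICE_VLAN = ipaddress.ip_network("10.20.0.0/16")   # assumed: where real IP phones live
FLOOD_LIMIT = 5                                     # INVITEs per source per window
WINDOW_SECONDS = 10

# Constructed log: three ordinary call setups, one registration, one INVITE from
# outside the voice VLAN claiming an internal extension, then a burst of seven.
LOG = """\
2012-02-10T09:00:00 INVITE src=10.20.5.14 from="sip:2101@airport.example"
2012-02-10T09:00:30 INVITE src=10.20.5.22 from="sip:2140@airport.example"
2012-02-10T09:01:00 REGISTER src=10.20.5.14 from="sip:2101@airport.example"
2012-02-10T09:01:30 INVITE src=10.20.7.3 from="sip:2188@airport.example"
2012-02-10T09:02:00 INVITE src=192.168.77.9 from="sip:2101@airport.example"
2012-02-10T09:05:00 INVITE src=172.16.9.9 from="sip:guest@airport.example"
2012-02-10T09:05:01 INVITE src=172.16.9.9 from="sip:guest@airport.example"
2012-02-10T09:05:02 INVITE src=172.16.9.9 from="sip:guest@airport.example"
2012-02-10T09:05:03 INVITE src=172.16.9.9 from="sip:guest@airport.example"
2012-02-10T09:05:04 INVITE src=172.16.9.9 from="sip:guest@airport.example"
2012-02-10T09:05:05 INVITE src=172.16.9.9 from="sip:guest@airport.example"
2012-02-10T09:05:06 INVITE src=172.16.9.9 from="sip:guest@airport.example"
"""

LINE_RE = re.compile(r'^(\S+) (\w+) src=(\S+) from="sip:(\w+)@')


def analyze(log_text: str) -> list:
    """Return alerts as (kind, source_ip, detail) tuples, in log order."""
    alerts = []
    recent = defaultdict(deque)   # source ip -> timestamps of recent INVITEs
    already_flagged = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, method, src, user = m.groups()
        if method != "INVITE":
            continue                      # only call setups matter for both checks
        t = datetime.fromisoformat(ts)
        src_ip = ipaddress.ip_address(src)
        # numeric "from" user looks like an internal extension; a phone claiming one
        # should sit on the voice VLAN, otherwise suspect a computer mimicking a phone
        if user.isdigit() and src_ip not in VOICE_VLAN:
            alerts.append(("caller-id-spoof-suspect", src, user))
        # sliding-window count of INVITEs per source
        window = recent[src]
        window.append(t)
        while (t - window[0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()
        if len(window) > FLOOD_LIMIT and src not in already_flagged:
            already_flagged.add(src)      # one alert per source, not one per packet
            alerts.append(("invite-flood", src, len(window)))
    return alerts


if __name__ == "__main__":
    for alert in analyze(LOG):
        print(alert)
```

Both checks are deliberately simple rate and placement rules; their value is that they turn the vague instruction "report suspicious activity on the network" into two conditions a monitoring system can evaluate continuously, so the report does not depend on a user noticing a dropped call.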

Conclusion

Airport information systems infrastructures are complex, derived from and connected to a seemingly untraceable number of sources. New technologies are coming about faster than IT professionals can fully understand how to properly utilize and protect them from cyber-attacks. Each technology or system used within an airport has unique uses, value, stakeholders, vulnerabilities and mitigations. It is important for airport owners and management to ensure personnel are trained, security policies are in place and enforced, emergency back-ups are prepared, and systems are assessed for vulnerabilities on a regular basis.

References

Airport Consultants Council. (2008). Best Practice Guidelines for the Airport Industry. Airport Information Technology and Systems, 110.

Airtight Networks. (2008). Wireless Vulnerability Management. Retrieved September 30, 2011, from Airtight Networks: http://www.airtightnetworks.com/fileadmin/ppt/AirTight-Airport-Scan-Results-Part2.ppt

Coskun, E., & Hoey, J. (2005). Airport Security Complexity: Problems With the Information Security Components. 2nd International ISCRAM Conference (pp. 61-66). Brussels, Belgium: LeMoyne College Business Department.

Dulaney, E. (2009). CompTIA Security+ Study Guide. Indianapolis: Wiley Publishing.

Find Biometrics. (2011). Border Control / Airport Biometrics Gets a Fast Boarding Pass. Retrieved September 30, 2011, from Find Biometrics Global Identity Management: http://www.findbiometrics.com/border-control-airports/

Hall, S. (2011, April 22). DOT Issues Vulnerability Report On The FAA’s ATC System. Retrieved September 30, 2011, from AvStop Online Magazine: http://avstop.com/april_2011/dot_issues_vulnerability_report_on_the_faa_s_atc_system.htm

Hickey, A. R. (2007, December 18). Top 9 VoIP Threats And Vulnerabilities. Retrieved September 30, 2011, from CRN: http://www.crn.com/slide-shows/networking/205100204/top-9-voip-threats-and-vulnerabilities.htm?pgno=7

Lee, V. M. (2006, September 20). Vulnerabilities of Biometric Technologies. Retrieved September 30, 2011, from International Biometric Group: http://www.biometrics.org/bc2006/presentations/Wed_Sep_20/Session_III/Biometrics_and_EAuth/20_Lee_e-auth.pdf

McAvoy, A. (2011, September 16). TSA fires 28 Honolulu bag screeners after probe. Retrieved September 30, 2011, from The Associated Press: http://news.yahoo.com/tsa-fires-28-honolulu-bag-screeners-probe-005755308.html

Miliefsky, G. S. (2007, January 17). The 7 best practices for network security in 2007. Retrieved October 1, 2011, from Network World: http://www.networkworld.com/columnists/2007/011707miliefsky.html?page=8

San Diego News. (2007, November 20). Airport Kiosks — Convenience Or Security Risk? Retrieved September 30, 2011, from 10 News: http://www.10news.com/news/14654657/detail.html

Semp Inc. (2005, April 2). How the TSA Is Strengthening Baggage Screening Systems to Improve Aviation Security. Retrieved September 30, 2011, from Suburban Emergency Management Project: http://www.semp.us/publications/biot_reader.php?BiotID=194

Swafford, S. (2011, June 29). International Airport Cyber Security Challenges. Retrieved September 30, 2011, from Radical Development: http://radicaldevelopment.net/2011/06/29/international-airport-cyber-security-challenges/

Transportation Research Board. (2009). Integrating Airport Information Systems. Washington D.C.: Airport Cooperative Research Program.

Tyson, J., & Grabianowski, E. (2001, June 20). How Airport Security Works. Retrieved September 27, 2011, from HowStuffWorks.com: http://science.howstuffworks.com/transport/flight/modern/airport-security.htm

American Freedom and Cyber Security

“We hold these truths to be self-evident, that all men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty and the pursuit of Happiness. That to secure these rights, Governments are instituted among Men, deriving their powers from the consent of the governed, that whenever any Form of Government becomes destructive of these ends, it is the Right of the people to alter or abolish it, and to institute new Government, laying its foundation on such principles and organizing its powers in such form, as to them shall seem most likely to effect their Safety and Happiness (Independence Hall Association, 1995).”

America was founded with these famous words of the Declaration of Independence. Public elementary education requires American children to learn of the Declaration of Independence and the Bill of Rights, as well as some other basic rules and regulations of government. It is important for a citizen to understand their rights and their government. Some of these very simple rights, rules and regulations have been complicated by the widespread use of the internet and associated technology. The internet does not play by America’s rules but is governed by the very people who create, add, and contribute content in its billions of pages connected throughout the world. When that content is unlawful according to U.S. law, can a citizen be prosecuted? What about actions or content that cross borders? Thus far the U.S. government has held some jurisdiction over internet content in relation to matters of intellectual property, computer security, information privacy, and freedom of speech. Many times, due to lack of knowledge, burden of proof, or jurisdiction, government is not successful in the prosecution of internet-related crime, or cybercrime (Brenner, 2006). The question remains as to what role the government should play in policing cybercrime. Is policing the internet in the best interest of the freedom of the people, or of the safety of the people? The internet and new technologies connecting the world have brought about new opportunities and new ways of life. However, just as our forefathers felt it necessary to declare the rights of the people and the laws of the government during the founding of a brave new world, so will Americans today have to rewrite some of those same rights and responsibilities to ensure the safety and happiness of the people in America’s new, connected world.

Threats to America’s Safety and Security

On September 11, 2001 multiple civilian airliners filled with innocent civilians were hijacked by terrorists and used as missiles to destroy some of America’s most critical political and economic structures and kill thousands of innocent civilians. Americans were in a panic over the safety of their homeland. Many blamed the government for not acting on earlier released intelligence reports that pointed to threats of this type. In response to the attacks and the outcry from the public, President George W. Bush declared a war on terrorism inside and outside America’s borders. The Department of Homeland Security was founded to respond to terrorist threats and further protect the borders of America. Security policies resulted in a significant change to privacy laws per the U.S. Patriot Act, which allows the government “to conduct a search without notifying the subject that a warrant has been executed and monitor an individual’s movements on the Web upon showing that these movements are likely to be relevant to an ongoing criminal investigation” (Himma, 2006). The U.S. government has previously attempted to control pornography and hate speech on the internet through various laws, but all were found in violation of the First Amendment. Although the Patriot Act violates basic privacy rights, it also protects the safety and security of citizens. After the events of September 11th, the Patriot Act stayed intact despite complaints of breaches of privacy law. It seems safety and security have become more important than freedom in this case.

The Dangers of E-mail

Recent polls show that more than 80 percent of Americans have access to the internet and 92 percent of users use search engines and e-mail on a daily basis (Price, 2011). Compared to regular U.S. Postal Service mail, e-mail poses some serious threats to consumers, the biggest of which is exposure to phishing and malware attacks. PC World reports one in every 300 e-mails sent last year contained some elements of phishing, most pointing toward financial fraud. The Federal Bureau of Investigation (FBI) recently warned that cybercriminals were compromising e-mail accounts to request and authorize overseas wire transfers. Compromised legitimate e-mail accounts were also used by cybercriminals to trick banks into thinking a wire transfer had already been initiated. As of December 2011, the fraud amounted to 23 million dollars, with an actual loss to victims of approximately 8 million dollars. How is the FBI to trace these criminals and prosecute them when many are using compromised accounts and are physically located in countries where the FBI does not have jurisdiction and the country in question may not have the necessary laws against such crimes (Olavsrud, 2012)?

Additionally, although the public is the biggest target of these scams, cybercriminals also target small and medium sized businesses which may not have the resources to practice robust cyber security. These smaller agencies have reported losses of up to $400,000 at one time, which is enough money to shut down a small or medium business. Jorge Rey, director of Information Security & Compliance with Kaufman, Rossin & Co., P.A., offers some tips for small businesses to combat cybercrime: understand the business’s liabilities with its financial institution, perform regular security assessments and audits, ensure anti-virus software is installed and up-to-date, use a dedicated computer for all financial transactions, apply separation of duties for financial responsibilities, review banking records with scrutiny, and keep security in mind when reading e-mails and opening links in them (Olavsrud, 2012). On the grounds that spam e-mail violates the First Amendment by spreading intentionally deceptive commercial speech, in 2004 Congress enacted the CAN-SPAM Act, which “prohibits transmitting multiple commercial e-mails with the intent to deceive and intentionally falsifying header information before transmitting commercial e-mails” (Himma, 2006). Although Congress had the best intentions, spammers are easily able to conceal their location, are most often located outside the U.S., and have yet to be prosecuted. Clearly the Department of Homeland Security and other government agencies are not prepared to combat such a large number of separate and different types of scams, and it is important for the private sector and businesses to be prepared to protect themselves and their customers.

Large enterprises such as Microsoft and Google have recently joined forces to combat e-mail scams at the source using new technology. Many of the phishing e-mails sent are masked as these big-name businesses to entice consumers into providing their account information, passwords and credit card numbers. MSNBC News (2012) reports “Facebook, Google Inc. and Microsoft Corp. have joined with financial firms Bank of America Corp., Fidelity Investments and eBay Inc.’s PayPal to create a set of industry standards for preventing criminals from sending out spam emails that appear to come from corporate e-mail addresses.” A combination of Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) is used to authenticate mail: when a cybercriminal sends an e-mail to a partner member’s account (such as Yahoo or Google) claiming to be PayPal or Bank of America, the e-mail will not be properly authenticated and therefore will not be delivered to the intended recipient. However, if the e-mail is sent to a non-partner e-mail account such as a small-town internet service provider, the spam would reach its target. It’s not a perfect solution, but it’s a start in the right direction led by large industry members (Associated Press, 2012).
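
The SPF half of the mechanism described above is small enough to show end to end: the domain being impersonated publishes the addresses allowed to send its mail, a receiving server that checks looks the sending address up against that list and rejects a mismatch, and a receiver that does not check delivers the message regardless. The following added example, written for this page and not taken from the essay, the Associated Press report or any mail provider, implements that evaluation for a constructed SPF record; the domain names, the address ranges and the "records" table standing in for DNS lookups are all invented, and DKIM (the signature half) is not implemented here.

```python
"""SPF evaluation and the receiver's delivery decision.

Added example (not from the essay or any mail provider). The TXT records
below are constructed stand-ins for DNS lookups; the domains are not real.
"""
import ipaddress

# Constructed published policies. A real receiver fetches these as DNS TXT records.
SPF_RECORDS = {
    "paypal.example": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailprovider.example -all",
    "_spf.mailprovider.example": "v=spf1 ip4:198.51.100.10 ~all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, sender_ip: str, depth: int = 0) -> str:
    """Evaluate the domain's SPF record for the connecting IP.

    Supports the ip4 and include mechanisms and the all terminator, which is
    enough for the record above; other mechanisms (a, mx, exists) are skipped.
    """
    record = SPF_RECORDS.get(domain)
    if record is None or depth > 10:        # no policy published, or runaway includes
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:         # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            matched = check_spf(term[8:], sender_ip, depth + 1) == "pass"
        else:
            continue                         # mechanism not modelled in this example
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"


def receiver_decision(mail_from_domain: str, sender_ip: str, receiver_checks_spf: bool) -> str:
    """What the receiving server does with the message.

    A partner provider that checks SPF rejects a hard fail and quarantines a
    soft fail; a receiver that does not check (the small-ISP case in the text)
    delivers everything, which is why the scheme only protects participants.
    """
    if not receiver_checks_spf:
        return "deliver"
    result = check_spf(mail_from_domain, sender_ip)
    return {"pass": "deliver", "fail": "reject", "softfail": "quarantine"}.get(result, "deliver")


if __name__ == "__main__":
    spoof_ip = "192.0.2.5"                   # constructed: not in paypal.example's list
    print(check_spf("paypal.example", "203.0.113.7"))                   # pass
    print(check_spf("paypal.example", spoof_ip))                        # fail
    print(receiver_decision("paypal.example", spoof_ip, receiver_checks_spf=True))   # reject
    print(receiver_decision("paypal.example", spoof_ip, receiver_checks_spf=False))  # deliver
```

The last two calls are the whole point of the paragraph: the same forged message is rejected by a participating receiver and delivered by one that never looks up the policy, so the protection is only as wide as the set of receivers that check.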
For those consumers and businesses not lured in by phishing, there is malware to contend with.  Malware can be delivered through a clickable link in an e-mail, embedded in search engine results, or served as a pop-up in an internet browser.  According to the Sophos (2011) mid-year security report, during the first half of 2011 19,000 new malicious URLs were found every day; a new URL every 4.5 seconds.  The two most common malware threats are fake anti-virus software and search engine optimization poisoning.  The fake anti-virus is a pop-up from a seemingly legitimate antivirus vendor claiming the victim’s computer has a virus.  The victim then follows the link and is forced to pay for software to get rid of the virus.  The payment goes to the scammer, and the victim is left with the malware and stolen credit card information.  Last year the FBI caught a cyber gang selling the fake anti-virus software for $50 to $130 an instance.  The gang had tricked nearly a million people, netting 72 million dollars (Sophos Ltd., 2011).  Cybercriminals can also hack legitimate websites through weaknesses in software and use those websites to infect unsuspecting visitors’ computers.  Malware is so dangerous because it allows cybercriminals to sneak in and take over a computer, often completely unnoticed.  Businesses and people store personally identifiable information and other important proprietary information on their computers.  Losing this information can put their identity, finances or overall security in danger.

Threats from e-mail, search engines and the web are just a few examples of dangers in cyberspace.  There are similar threats to mobile phones, tablet PCs, and social networking sites.  The threats will only grow with the number of technologies and users connecting to the web.  Although the U.S. government can continue to prosecute cyber criminals and gain expertise on cyber threats and mitigations, it is clear the threat is much larger than the government will ever be able to contain or control.  It is up to the public to remain educated and work together with security professionals and government agencies to protect personal and business assets as best possible.


Cracking

Another threat to all systems connected to the internet or to a private network is malicious security cracking (often misnamed hacking).  Cracking is achieved by exploiting weaknesses in the security of a system to gain unauthorized access.  Some agencies contract cracking experts to conduct penetration testing on their systems to identify security weaknesses before they are used for malicious cracking.  Any time a computer is cracked, the system and the information stored on it can be stolen or used to the criminal’s advantage.  Many crackers come in undetected and then purposefully leave backdoors in the system in order to return at a later time, when they are less likely to be caught or can do further damage.  A wide variety of information is targeted during cracking incidents, including research, business strategies, financial information, and client databases containing names, social security numbers, credit card numbers and other personal information (Gish, 2012).  The U.S. Computer Crime and Fraud Act (18 U.S. Code Section 1030) authorizes fines and imprisonment of up to 20 years for, among other things, “knowingly causing the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causing at least $5,000 in damage without authorization to a protected computer (Himma, 2006).”  The losses to businesses due to cracking can be substantial.  Sony reported a loss of $170 million in 2011 due to a crack on a single PlayStation.  The Computer Security Institute reported that single instances of cracking cost businesses anywhere from $600,000 to $7 million in one day (Gish, 2012).  With these statistics it is clear that businesses need to have cyber security policies and procedures clearly defined for all employees and information technology support personnel.  The U.S. state and federal governments can help by providing best practices and by thoroughly investigating cyber crimes to determine how they could have been prevented and to bring criminals to justice where possible.


Cyber terrorism

The thought that simply clicking the wrong icon on the web or in an e-mail can lead to identity theft or financial loss is nerve-wracking.  The thought of the businesses Americans trust being cracked or losing personal and proprietary information is equally unsettling.  In 1996, Barry C. Collin wrote, “This enemy does not attack us with truckloads of explosives, nor with briefcases of Sarin gas, nor with dynamite strapped to the bodies of fanatics.  This enemy attacks us with ones and zeros (Jaeger, 2006).”  Collin went on to list potential acts of cyberterrorists:

  • Remotely changing the pressure in gas lines, causing valve failures, explosion, and fire
  • Placing computerized bombs around a city
  • Attacking future air traffic control systems to cause civilian jets to collide
  • Remotely accessing the processing control systems of a cereal manufacturer to alter the formula and sicken children
  • Disrupting banks and international financial institutions and stock exchanges, with resulting loss of confidence in the economic system
  • Remotely altering formulas of medication at pharmaceutical manufacturers, resulting in ineffective or potentially harmful medications
  • Shutting down the electrical grid, causing widespread chaos

When Barry Collin introduced the idea of cyberterrorism in 1996, his ideas may have seemed far-fetched to the average American.  After the attacks of September 11th, and as more and more people become victims of cybercrime, the threat of cyberterrorism is quickly becoming a reality.  The conclusion that Barry Collin made in his writing is very clear: “the cyber-terrorist will make certain that the population of a nation will not be able to eat, to drink, to move, or to live.  In addition, the people charged with the protection of their nation will not have warning, and will not be able to shut down the terrorist, since the cyber-terrorist is most likely on the other side of the world (Jaeger, 2006).”  The American government sees this same problem with cybercrime today, in that it is very tough to trace, to track, to prove and to prosecute.  No matter the laws and the severe consequences of being caught, the cyber-criminal has not been deterred.

Thus far, although there have been reports of cracks into U.S. water systems and into FBI and Department of Homeland Security databases by computer “hacktivists,” there have been no events that have qualified as cyberterrorism.  CBS News reported in 2011 that a hacker had sent an e-mail to CNET News, attaching detailed diagrams as proof that he had cracked a Houston water facility, just to show how easily it could be done.  He wrote:

“Basically, people have no idea what’s going on in terms of industrial control, groups like ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) are too slow/don’t have enough power to react to situations.  There’s a lot of rubbish information out there that’s being treated seriously, etc. Lot of crap. So I’m putting information out there to show people what kind of systems are vulnerable to basic attacks.  No damage was done to any of the machines; I don’t really like mindless vandalism. It’s stupid and silly.  On the other hand, so is connecting interfaces to your SCADA machinery to the Internet,” he added. “I wouldn’t even call this a hack, either, just to say. This required almost no skill and could be reproduced by a two-year-old with a basic knowledge of Simatic, as for how I did it, it’s usually a combination of poor configuration of services, bad password choice, and no restrictions on who can access the interfaces (Mills, 2011).”


The recent mischief by hacktivists does, however, show just how vulnerable America’s critical databases and infrastructures are to attack.  Congress is currently working on a bill that would put the Department of Homeland Security in charge of regulating the private companies responsible for critical infrastructures such as water, nuclear, electrical and power plants, 85 percent of which are controlled by the private sector.  Representative Jim Langevin notes, “We know voluntary guidelines simply have not worked. For the industries upon which we most rely, government has a role to work with the private sector on setting security guidelines and ensuring they are followed (Associated Press, 2012).”  According to the article’s authors, the bill is “intended to ensure that computer systems running power plants and other essential parts of the country’s infrastructure are protected from hackers, terrorists or other criminals. The Department of Homeland Security, with input from businesses, would select which companies to regulate; the agency would have the power to require better computer security (Associated Press, 2012).”


Cyber Security – A Unified Responsibility

System activity monitoring, e-mail phishing, malware infections, cracking, cyberterrorism: all are threats to America’s security, whether financially, structurally, socially, mentally, or physically.  The thought of so many threats in our midst seems scary and out of control.  Policing all of the worldwide activity on the internet isn’t realistic.  The best chance of protecting Americans from cyber threats is for law enforcement, government, and private and public enterprises to join forces and ensure that businesses and governments are securing their resources using best practices, reporting and mitigating the latest threats, and engineering new ways to combat threats on a regular basis.

Information technology professionals can ensure they are educated on the latest threats and security practices and maintain the security of company and government systems by installing patches, monitoring system logs, and updating software on a regular basis.  Businesses can share their experience and protection practices with the government and industry to help other, less experienced businesses learn what to do when an attack occurs and how to prevent one in the first place.

Government can ensure it is protecting its own resources in order to protect others.  In 2002, the Federal Information Security Management Act (FISMA) mandated that “government agencies develop annual reports and risk assessments, configuration guidelines, continuity plans, security policies, and inventories of systems (Jaeger, 2006).”  In 2003, most government agencies were near failing compliance with FISMA.  A 2010 FISMA Executive Report for the Securities and Exchange Commission notes a lack of documentation for deviations from desktop configurations, failure to terminate user accounts when no longer needed, failure to properly identify users prior to granting access to systems, and excess privileges granted to users (U.S. Securities and Exchange Commission, 2011).  In order for the government to provide guidance and protection to others, government entities must first protect themselves.

Individual citizens can do their part by reporting incidents and remaining educated on threats and mitigations.  Higher education institutions can offer training and education and lead the way in studying new ways of securing technology and sharing that information with business and government (Jaeger, 2006).

America has a long way to go to ensure its citizens are safe from cyber crime.  The reality may be that the goal of safety will never be fully achieved.  Freedom, however, is maintainable for those who are willing to contribute to the greater good of the people.  Everyone has a responsibility to make ethical and lawful decisions in their use of the internet and of private and commercial computer systems, and to take responsibility for securing those systems from known threats.  If a reasonable effort is made, the words of the Declaration of Independence, “Life, Liberty and the pursuit of Happiness…” can still hold true for years to come.

References

Associated Press. (2012, February 6). Bigger U.S. role against companies’ cyber threats? Retrieved February 25, 2012, from Shreveport Times: http://www.shreveporttimes.com/article/20120206/NEWS03/120206009/Bigger-U-S-role-against-companies-cyberthreats-?odyssey=tab%7Ctopnews%7Ctext%7CFRONTPAGE

Associated Press. (2012, January 30). Tech companies team up to combat email scams. Retrieved February 23, 2012, from MSNBC: http://www.msnbc.msn.com/id/46191126/ns/technology_and_science-security/t/tech-companies-team-combat-email-scams/#.T0aNTIcgd2A

Brenner, S. W. (2006). Cybercrime and the U.S. Criminal Justice System. University of Dayton School of Law, 10-11.

Gish, W. (2012). The Effects of Computer Hacking on an Organization. Retrieved February 24, 2012, from Chron: http://smallbusiness.chron.com/effects-computer-hacking-organization-17975.html

Himma, K. E. (2006). Legal, Social, and Ethical Issues of the Internet. In H. Bidgoli, Handbook of Information Security (pp. 74-75). Hoboken: John Wiley & Sons, Inc.

Independence Hall Association. (1995, July 4). The Declaration of Independence. Retrieved February 21, 2012, from US History.org: http://www.ushistory.org/declaration/document/

Jaeger, C. (2006). Cyberterrorism and Information Security. In H. Bidgoli, Handbook of Information Security (pp. 14-17). Danvers: John Wiley & Sons, Inc.

Mills, E. (2011, November 18). Hacker: I broke into water plant. Retrieved February 25, 2012, from CBS News: http://www.cbsnews.com/8301-205_162-57328066/hacker-i-broke-into-water-plant/

Olavsrud, T. (2012, February 16). 8 Tips to Defend Against Online Financial Fraud Threats. Retrieved February 23, 2012, from PC World Business Center: http://www.pcworld.com/businesscenter/article/250139/8_tips_to_defend_against_online_financial_fraud_threats.html

Price, G. D. (2011, August 9). New Internet Usage Statistics. Retrieved February 23, 2012, from infodocket.com: http://infodocket.com/2011/08/09/new-internet-usage-statistics-u-s-search-and-email-remain-most-popular-online-activities/

Sophos Ltd. (2011). Security Threat Report. Boston: Sophos Ltd.

U.S. Securities and Exchange Commission. (2011). 2010 Annual FISMA Executive Summary Report. Washington D.C.: U.S. Securities and Exchange Commission.
