Emerging Cybersecurity Technologies

By: Amy Wees

CSEC670

June 9, 2013

 

Abstract: Advanced cyberattacks on the public and private sectors at the local, national, and international levels have prompted an increase in funding and support for the study of emerging cybersecurity technologies.  This paper discusses the emerging technologies and strategies that can be integrated across the public and private sectors to improve cybersecurity at the local, national, and international levels.  New technologies need to assess networks dynamically and in real time, for example through the use of remote agents and real-time forensic analysis.  These technologies also need to make the attack space less predictable and constantly evolving, for example through the use of moving target defense.

Emerging Cybersecurity Technologies

The E-government Act of 2000 was signed by President Bush to move toward a more 24-7 government.  The dream was to eliminate the need to stand in line at the DMV for half a day just to pay annual vehicle registration fees (Barker, 2011).   Security was certainly a concern, but it was not at the forefront of the move, as government agencies would go through massive changes in equipment, manning, and practices in order to move information and programs online.  Now, over a decade later, we still see such moves and changes taking place, for example the Department of Veterans Affairs recently moving all of its applications, forms, and records online.  The high cost of getting the government caught up was expected with such an overhaul of the system; however, the U.S. should have spent more on cybersecurity and had to learn this lesson the hard way.  The recent breaches by Anonymous into the FBI’s and the Department of Homeland Security’s systems were disappointing, as these are the two government agencies tasked with taking on cybercrime (Novasti, 2012).  How does the government expect to control the protection of SCADA systems for critical infrastructures, as recently proposed by Congress, if it cannot protect its own assets (Associated Press, 2012)?  Annual Federal Information Security Management Act (FISMA) audits still point to lax practices (US SEC, 2011).

In 2009, President Obama called for a malware-based cyberattack against Iran’s nuclear system computer networks through the use of the Stuxnet worm, which was noted as the first use of cyber as a weapon by the US.  More recently, Iran has experienced further cyberattacks linked to its nuclear systems and operations (Airdemon, 2010).

Advanced Persistent Threats (APTs) have changed the cybersecurity game, as APT attacks can be so sophisticated that many well-known detection and mitigation techniques are not effective against them.  An APT that uses targeted exploitation code leveraging zero-day vulnerabilities will not be detected by intrusion detection systems or anti-virus products (Casey, 2011).  The issue is that once the malware is detected, it may not be obvious how long it was operational.  Further, in the case of an APT, it cannot be determined whether the discovered malware is the entirety of the compromise; state-sponsored attackers might leverage multiple malware tools to maintain access.  With the aforementioned attacks on critical infrastructures and government systems, as well as an overall increase in the complexity of cyberattacks, governments at the international level consider cybersecurity more crucial than ever before.

This paper discusses the emerging technologies and strategies that can be integrated across the public and private sectors to improve cybersecurity at the local, national, and international levels.  New technologies need to assess networks dynamically and in real time, for example through the use of remote agents and real-time forensic analysis.  These technologies also need to make the attack space less predictable and constantly evolving, for example through the use of moving target defense.

Moving Target Technologies

Moving Target (MT) technologies aim to constantly change the attack surface of a network, increasing the cost to an attacker and decreasing the predictability and the vulnerabilities present at any given time (NITRD, 2013).  The problem with most networks today, in terms of cybersecurity, is that they are static: an attacker can analyze them over time and strategize on the best way to capitalize on their vulnerabilities.  Moving target defenses allow the network to change its configuration and environmental values continually (Grec, 2012).

For example, an organization could change the network IP addresses, operating systems, open ports and protocols, and many other areas of the environment.  This way, when an attacker scans the network, successive scans are not consistent, and if an attack is launched, the chances of successful penetration are severely reduced by the dynamic changes in the environment.  The MT defense could also react to an attack by reducing the areas of the network known to or accessed by the attacker (Grec, 2012).

The most difficult challenge in using MT is maintaining an operational network for users during the changes while minimizing the costs involved.  The JumpSoft Company has created a subscription-based MT defense package called “JumpCenter.”  JumpCenter uses reactive and adaptive automated systems that reduce the attack surface; the concept behind JumpCenter and MT defenses is to maximize the cost and risk to the attacker.  JumpCenter keeps the network operational by deploying in the application layer.  The application layer is the more exploitable layer, as it is updated regularly through vendor releases that themselves contain exploitable flaws.  JumpSoft adds that downed applications have a harder impact on the mission, because the loss of one application can bring down the business (JumpSoft, 2013).
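As an added illustration (not part of the original paper, and not JumpSoft’s JumpCenter or any other product named above), the following Python sketch shows one concrete MT mechanism from the examples given: the port a service listens on changes with each time slot, derived from a secret that only the server and authorised clients hold, so a port learned from a scan in one slot is stale in the next while legitimate users keep connecting.  The shared secret, slot length, port range and service name are assumptions made for the example.

```python
"""Added example: time-slot based port hopping, one form of moving target defense.

Illustrative code written for this page; it is not JumpSoft's JumpCenter or any
other product named in the text. The server and its authorised clients share a
secret and derive the listening port for the current time slot from it, so a
port learned by a scan in one slot is stale in later slots. The secret, slot
length, port range and service name below are assumptions.
"""
import hashlib
import hmac

PORT_LOW, PORT_HIGH = 20000, 60000   # assumed hopping range (inclusive)
SLOT_SECONDS = 60                     # assumed length of one time slot


def slot_for(ts, slot_seconds=SLOT_SECONDS):
    """Map a Unix timestamp to its time-slot number."""
    return int(ts) // slot_seconds


def port_for_slot(secret, service, slot, low=PORT_LOW, high=PORT_HIGH):
    """Derive the port for (service, slot) with HMAC-SHA256 over the shared secret.
    Without the secret the next port cannot be predicted from earlier ones."""
    msg = f"{service}:{slot}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return low + int.from_bytes(digest[:4], "big") % (high - low + 1)


def client_port(secret, service, now):
    """The port an authorised client dials at time `now`."""
    return port_for_slot(secret, service, slot_for(now))


def server_accepts(secret, service, now, requested_port, skew_slots=1):
    """Server-side check: the requested port must match the current slot or an
    adjacent one, which tolerates small clock skew between client and server."""
    current = slot_for(now)
    return any(port_for_slot(secret, service, current + d) == requested_port
               for d in range(-skew_slots, skew_slots + 1))


def hop_schedule(secret, service, start_ts, slots):
    """The (slot, port) sequence an authorised party can precompute."""
    first = slot_for(start_ts)
    return [(s, port_for_slot(secret, service, s)) for s in range(first, first + slots)]


def scan_still_valid(secret, service, scan_ts, later_ts):
    """Whether a port observed at `scan_ts` still answers at `later_ts`."""
    return server_accepts(secret, service, later_ts, client_port(secret, service, scan_ts))


if __name__ == "__main__":
    SECRET = b"constructed-example-secret"   # assumed shared secret
    for slot, port in hop_schedule(SECRET, "api", 0, 5):
        print(f"slot {slot}: port {port}")
```

The design point is the one the paper makes about cost to the attacker: a scan result is only useful for the slot in which it was taken, while anyone holding the secret can compute the schedule in advance and keep the service usable.  A real deployment would also have to handle connections that straddle a slot boundary, which is what the one-slot skew tolerance hints at.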

Government Support of Moving Target Technologies

In January 2011, the President’s Council of Advisors on Science and Technology sponsored the work of the Networking and Information Technology Research and Development (NITRD) program.  NITRD has identified emerging technologies such as MT as a federal cybersecurity game-changing research and development project (NITRD, 2013).  The government’s efforts to support NITRD and other research partners in developing MT technologies support the efforts of the public and private sectors to redefine security in the cyber domain.

For example, in 2011 Professor Scott DeLoach of Kansas State received a $1 million grant from the Air Force Office of Scientific Research to study MT (Chabrow, 2012).  Intelligent defenses can change the military’s reactive position on cyber to an active one, giving it the upper hand over the adversary.  If military networks can be made unpredictable through the use of MT, the chances of successful cyber-attacks and APTs are lessened.

Remote Agent Technologies

Remote agents, also known as mobile agents, can actively monitor a network’s security.  Active monitoring is necessary because a network that is not updated with the latest patches has been shown to be reactive and ineffective against today’s cyber threats.  Additionally, large networks are nearly impossible for a system administrator to monitor successfully, as most are made up of many nodes, each with constantly varying systems and users (Tripathi, Ahmed, Pathak, Carney & Dokas, 2002).  Remote agents can conduct centralized testing of network security from a remote client or server without large manpower or travel costs.  Most importantly, remote agents can run network tests without using insecure firewall protocols (UMUC, 2012).

Currently, many organizations use network monitoring tools based on SNMP, or the occasional execution of scripts written for known network threats, which require tedious and complicated updates in order to remain current and valid.  Both SNMP agents and script-based monitoring procedures offer limited functionality and require specially trained administrators to comb through logs and write updates (Tripathi, Ahmed, Pathak, Carney & Dokas, 2002).

In response to these network monitoring difficulties, a team of students at the University of Minnesota worked under a grant from the National Science Foundation to develop a framework for mobile agent network monitoring using the Ajanta mobile agent system.  The Ajanta mobile agents can remotely filter information and alter system functions.  They use a centralized database to detect and compare system events to ensure policies are enforced.  Using Ajanta, administrators can securely make changes to an agent’s monitoring and filtering rule sets as well as dynamically remove or add new agents to an area of the network based on events triggered.  The model presented contains different types of agents that can monitor, subscribe, audit or inspect.

Perhaps the largest difference between traditional SNMP monitoring systems and a remote agent system is the ability of a remote agent to relate one event to another in the system, generate an alert in the log file, and raise the awareness or threat levels of other agents.  For example, if one agent detects a user logging in with multiple accounts and an auditor agent then detects a subsequent remote or console login in the event registry, a password or security compromise can be detected.  In another example of a system reaction based on an agent, a management station sends an auditor agent to the login event subscriber.  When root login events pass a predefined threshold, an alert is sent back to the manager to raise the alert level on the system (Tripathi, Ahmed, Pathak, Carney & Dokas, 2002).  All of this can be done without a system administrator’s intervention or brain power.
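The two reactions just described, as an added example in Python (this is illustrative code written for this page, not the Ajanta framework of Tripathi et al.): a subscriber agent alerts the manager once root logins on a host pass a threshold within a time window, and an auditor agent alerts when a further login arrives from an origin that a monitor agent has already seen logging in under several different accounts.  The event format, the thresholds and the sample log lines are constructed for the example.

```python
"""Added example: event correlation between monitoring agents.

Illustrative code written for this page, not the Ajanta framework of Tripathi
et al. (2002). Event format, thresholds and the sample log are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int       # seconds into the sample (constructed)
    host: str
    kind: str     # only "login" is used here
    user: str     # account logged in to
    origin: str   # "console" or "remote:<ip>"


def parse_line(line):
    """Parse one constructed log line: '<ts> <host> <kind> <user> <origin>'."""
    ts, host, kind, user, origin = line.split()
    return Event(int(ts), host, kind, user, origin)


class RootLoginSubscriber:
    """Subscriber agent: alert when root logins on one host reach `threshold`
    within `window` seconds (both values are assumptions)."""
    def __init__(self, threshold=3, window=300):
        self.threshold, self.window = threshold, window
        self.recent = defaultdict(deque)  # host -> timestamps of root logins

    def observe(self, ev):
        if ev.kind != "login" or ev.user != "root":
            return None
        q = self.recent[ev.host]
        q.append(ev.ts)
        while q and ev.ts - q[0] > self.window:   # drop logins outside the window
            q.popleft()
        if len(q) >= self.threshold:
            return {"level": "HIGH", "host": ev.host,
                    "reason": f"{len(q)} root logins within {self.window}s"}
        return None


class MultiAccountMonitor:
    """Monitor agent: tracks which accounts each (host, origin) has logged in as."""
    def __init__(self, min_accounts=2):
        self.min_accounts = min_accounts
        self.accounts = defaultdict(set)

    def observe(self, ev):
        if ev.kind != "login":
            return None
        key = (ev.host, ev.origin)
        self.accounts[key].add(ev.user)
        return key if len(self.accounts[key]) >= self.min_accounts else None


class LoginAuditor:
    """Auditor agent: alert on any further login from an origin the monitor flagged."""
    def __init__(self):
        self.suspicious = set()

    def mark(self, key):
        self.suspicious.add(key)

    def observe(self, ev):
        if ev.kind == "login" and (ev.host, ev.origin) in self.suspicious:
            return {"level": "MEDIUM", "host": ev.host,
                    "reason": f"login as {ev.user} from {ev.origin}, "
                              f"an origin that already used several accounts"}
        return None


class Manager:
    """Management station: routes each event to the agents and collects alerts."""
    def __init__(self):
        self.root_sub = RootLoginSubscriber()
        self.monitor = MultiAccountMonitor()
        self.auditor = LoginAuditor()
        self.alerts = []

    def dispatch(self, ev):
        # The auditor sees the event before the monitor updates its view, so an
        # alert is raised only on a login *subsequent* to the multi-account finding.
        for alert in (self.auditor.observe(ev), self.root_sub.observe(ev)):
            if alert:
                self.alerts.append(alert)
        flagged = self.monitor.observe(ev)
        if flagged:
            self.auditor.mark(flagged)


# Constructed sample log: one origin cycling through three accounts, then a
# burst of root console logins; the last line falls outside the 300 s window.
SAMPLE_LOG = """\
10 db01 login alice remote:10.0.0.5
40 db01 login bob remote:10.0.0.5
70 db01 login carol remote:10.0.0.5
100 web01 login root console
130 web01 login root console
160 web01 login root console
500 web01 login root console
"""


def run(log_text=SAMPLE_LOG):
    """Feed the log through the manager and return the alerts it raised."""
    mgr = Manager()
    for line in log_text.splitlines():
        if line.strip():
            mgr.dispatch(parse_line(line))
    return mgr.alerts
```

Running `run()` on the constructed log yields two alerts: a MEDIUM alert on db01 for the third login from the origin that had already used two accounts, and a HIGH alert on web01 when the third root login lands inside the window; the root login at second 500 starts a fresh window and raises nothing.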

Government Support for Remote Agent Technologies

The government can benefit from the advancement of remote monitoring capabilities, as the largest and most complex networks are government owned and operated.  There are many coalition military networks that cross the boundaries of multiple countries.  The monitoring and security of these government defense networks is in the best interest of everyone involved.

The ability to monitor classified defense networks to this level of clarity across international domains could aid in preventing insider leaks such as the Bradley Manning leak of military intelligence data to Wikileaks in 2010.  Although Manning was prosecuted, Wikileaks founder Assange has yet to be prosecuted for publishing classified material on the Internet (Wu, 2011).  Until international cyber laws and jurisdiction are better defined, it is in the best interest of all governments to find ways to successfully and dynamically monitor their networks for signs of attack or breach.

Real-Time Forensic Analysis

The use of computer forensic tools in criminal proceedings has proven necessary for making a case in today’s digital world.  Also related to network monitoring is real-time forensic analysis, an investigative approach for maintaining situational awareness and continuous observation of the network (UMUC, 2012).  While remote agent monitoring actively monitors the network and takes the necessary action to correlate threats and increase defenses, real-time forensic analysis allows an incident to be reproduced and the cause and effect of the event to be analyzed further (UMUC, 2012).

A Network Forensics Analysis Tool (NFAT) prepares the network for forensic analysis and allows for ease of monitoring and convenience in identifying security violations and configuration flaws.  The information found when analyzing network traffic can also contribute background data to other events (Corey, Peterman, Shearin, Greenberg, & Van Bokkelen, 2002).

In addition to monitoring the network, network forensics has many practical uses.  For example, health care agencies fall under the Health Insurance Portability and Accountability Act, which requires that information passed between networks be monitored.  Although not all of the information provided by an NFAT may be necessary, it is better to have more information than not enough in legal situations.  An NFAT can also allow for the recovery of lost data when other backup methods fail, or for repeatable analysis of traffic anomalies or system errors (Corey, Peterman, Shearin, Greenberg, & Van Bokkelen, 2002).

Government Support of Real-time Forensic Analysis

Government support of real-time forensic analysis is more obvious in the state and federal criminal justice sectors, as forensic analysis is a regular part of legal proceedings and police agencies have expanded to include entire divisions devoted to computer forensics.  The question remains whether government, from the local to the international level, should be concerned with real-time forensic analysis outside of the criminal justice realm.  Forensic analysis makes sense from a network defense perspective, as governments can learn more about emerging threats by conducting an in-depth analysis of them.

In 2006, the National Science Foundation and DARPA funded a project at Columbia University to create an Email Mining Toolkit (EMT) in support of law enforcement and other government research.  The EMT allows email traffic to be analyzed for outside communications, social interactions, and specific attachments.  According to the report, EMT is in use by many organizations (Stolfo, Creamer, & Hershkop, 2006).

Since 1999 DARPA has funded numerous information assurance experiments using live red, blue, and white teams to simulate attackers, responders, and users during cyber-attack events such as denial of service, malware, and other threats known to be in use by the adversary based on intelligence data (Levin, 2003).  Real-time forensic analysis has allowed for early detection and analysis of the red team efforts by the blue team and has contributed to lessons learned for future responses.

Conclusion

The liability to protect public and private assets at the local, national, and international levels cannot fall solely on the government.  Through the cooperative use of government, scientific, and academic programs, emerging technologies can be brought to the forefront to secure cyber assets dynamically and in real time.  Increased and continuing cooperation to fine-tune moving target defenses, remote agent technologies, and real-time forensic analysis will ensure these technologies can be implemented across sectors to protect against emerging threats now and into the future.

 

References:

Airdemon. (2010). Stuxnet worm. Retrieved from http://www.airdemon.net/stuxnet.html

Associated Press. (2012, February 6). Bigger U.S. role against companies’ cyber threats? Retrieved February 25, 2012, from Shreveport Times: http://www.shreveporttimes.com/article/20120206/NEWS03/120206009/Bigger-U-S-role-against-companies-cyberthreats-?odyssey=tab%7Ctopnews%7Ctext%7CFRONTPAGE

Barker, W. C. (2011). E-Government Security Issues and Measures. In H. Bidgoli, Handbook of Information Security (pp. 97-107). Hoboken: John Wiley & Sons.

Casey, E. (2011). Handbook of digital forensics and investigation. Burlington: Academic Press.

Chabrow, E. (2012). Intelligent defense against intruders. Government Information Security. Retrieved from Information Security Media Group, Corp. website: http://www.govinfosecurity.com/interviews/intelligent-defense-against-intruders-i-1565

Corey, V., Peterman, C., Shearin, S., Greenberg, M. S., & Van Bokkelen, J. (2002). Network forensics analysis. IEEE Internet Computing, 6(6), 60-66.

Grec, S. (2012, May 23). Is moving-target defense a security game changer? Retrieved from https://www.novainfosec.com/2012/05/23/is-moving-target-defense-a-security-game-changer/

JumpSoft. (2013). Cyber moving target defense. Retrieved from http://www.jumpsoft.net/solutions/moving-target-defense/

Levin, D. (2003, April). Lessons learned in using live red teams in IA experiments. In DARPA Information Survivability Conference and Exposition, 2003. Proceedings (Vol. 1, pp. 110-119). IEEE.

NITRD. (2013). Moving target. Retrieved from http://cybersecurity.nitrd.gov/page/moving-target

Stolfo, S. J., Creamer, G., & Hershkop, S. (2006, May). A temporal based forensic analysis of electronic communication. In Proceedings of the 2006 international conference on Digital government research (pp. 23-24). Digital Government Society of North America.

Tripathi, A., Ahmed, T., Pathak, S., Carney, M., & Dokas, P. (2002). Paradigms for mobile agent based active monitoring of network systems. In Network Operations and Management Symposium, 2002. NOMS 2002. 2002 IEEE/IFIP (pp. 65-78). IEEE.

TV-Novasti. (2012, January 20). FBI Website Crippled by Anonymous. Retrieved February 14, 2012, from rt.com: http://rt.com/usa/news/crippled-fbi-megaupload-anonymous-239/

UMUC. (2012). Module 7: The future of cybersecurity technology and policy. Retrieved from the online classroom https://tychousa.umuc.edu

U.S. Securities and Exchange Commission. (2011). 2010 Annual FISMA Executive Summary Report. Washington D.C.: U.S. Securities and Exchange Commission.

Wu, T. (2011, February 4). Drop the Case Against Assange. Retrieved February 27, 2012, from Foreign Policy: http://www.foreignpolicy.com/articles/2011/02/04/drop_the_case_against_assange?page=0,0


iTrust Database Software Security Assessment

Security Champions Corporation (fictitious) Assessment for client Urgent Care Clinic (fictitious)

Amy Wees, Brooks Rogalski, Kevin Zhang, Stephen Scaramuzzino and Timothy Root

University of Maryland University College

Author Note

Amy Wees, Brooks Rogalski, Kevin Zhang, Stephen Scaramuzzino and Timothy Root, Department of Information and Technology Systems, University of Maryland University College.

This research was not supported by any grants.

Correspondence concerning this research paper should be sent to Amy Wees, Brooks Rogalski, Kevin Zhang, Stephen Scaramuzzino and Timothy Root, Department of Information and Technology Systems, University of Maryland University College, 3501 University Blvd. East, Adelphi, MD 20783. E-mail: acnwgirl@yahoo.com, rogalskibf@gmail.com, kzhang23@gmail.com, sscaramuzzino86@hotmail.com and Chad.Root@gmail.com

 

Abstract

The healthcare industry, taking in over $1.7 trillion a year, has begun bringing itself into the technological era.  Healthcare and the healthcare industry make up one of the most critical infrastructures in the world today, and one of the largest factors is the storage of information and data.  As a forerunner of technological advances, the industry is making many changes to streamline copious amounts of information and data into something more manageable.  One major change in the healthcare industry has been the implementation of Electronic Medical Record (EMR) systems.  With both risks and benefits, electronic medical record systems will change the way the healthcare industry operates.  iTrust is a role-based health care web application.  Through this system, patients can see and manage their own medical records.  Medical personnel can manage the medical records of their patients, including those provided by other medical personnel, be alerted to patients with warning signs of chronic illness or missing immunizations, and perform bio-surveillance such as epidemic detection.  Today, the gradual introduction of these electronic medical records lies at the center of the computerized healthcare industry; they are slowly being implemented alongside modern technologies such as cloud database systems and cloud network storage, and as a way to streamline the processing of medical data and patient information.

 

Keywords: iTrust, database, cloud computing, software security, application security

 

iTrust Database Software Security Assessment

Security Champions Company is a software security company that specializes in assessment and analysis of software used primarily in the medical field.  Urgent Care Clinic has hired Security Champions to assess the primary cyber threats and vulnerabilities associated with the use of the open source electronic medical records software “iTrust”.  As much of the medical industry is moving toward electronic medical records (EMR), we want to ensure our client is in compliance with various stringent regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the Sarbanes-Oxley Act (SOX).  We will also provide a risk assessment and ease-of-attack threat analysis for several new requirements Urgent Care Clinic has requested to add to the iTrust software.  The following four requirements are reviewed and assessed:

  1. Add role for emergency responders to view patient emergency reports containing medical information such as allergies, current and previous diagnosis, medication and immunization history as well as blood type.
  2. Allow patients to search the database for qualified licensed health care professionals (LHCP) for specific diagnosis.  The patient will be able to view the doctor’s name, number of patients treated for the specified condition, laboratory tests requested and medication used to treat the diagnosis as well as patient satisfaction ratings.
  3. The third requirement is to update the diagnostics code tables to reflect new ICD-10 coding standards outlined by American Medical Association guidelines.
  4. The last requirement is to allow a patient to view the access log for their medical records in an online cloud database system.  This allows the patient to see what changes are made to their records and who made those changes.

iTrust Database Software Overview

iTrust is an open source software application created and maintained by engineers at North Carolina State University.  The software allows for medical staff from various locations to access patient records, schedule visits, order medications and laboratory tests, and view records, diagnosis and test results.  iTrust also allows patients to manage their care by viewing records, scheduling office visits, and finding health care providers in the area (UMUC, 2011).

iTrust Database Table Security Assessment

Each Security Champions teammate individually assessed the security of the various database tables in the iTrust database.  The tables were rated on a scale limited to the values 1, 2, 3, 5, 8, 13, 20, 40, and 100, with 1 being the lowest security rating and 100 the highest.  The table in Appendix A gives each teammate’s individual values (noted by initials) and, in the highlighted column, the average of those values (see Appendix A: Table 1 – Database Table Value Points).

 

Analysis of New Requirements

The information age is growing exponentially, and access to more resources and information is critical.  This holds true for the medical field, particularly for medical staff, emergency responders and patients.  Adding new requirements to the iTrust system allows for better care, better medical attention, and more useful information for the client.  These new requirements will enhance Urgent Care’s communication capabilities and allow for greater success.  Reviewing case-by-case scenarios involving medical and background information shows that these requirements benefit every aspect of Urgent Care Clinic.  The following analysis provides more information on the new requirements.

Emergency Responder

Urgent Care Clinic is requesting four additional roles and allowable access to the iTrust healthcare cloud database system and application.  The addition of these roles and access points will be valuable to emergency responders and to individuals who are seeking information for their own medical care instantaneously.  An emergency responder or first responder is anyone who is qualified and certified to provide pre-hospital care before the patient enters the medical facility.  These responders need access to essential health information in order to provide the most appropriate and advanced medical treatment in efforts to save a patient’s life.  The responder could stabilize, treat and perform certain medical procedures on the patient according to their personal medical history (Department of Health & Human Services, 2006).  The responder would need access to allergy, blood type, prescription history, and medical history information showing prior surgeries and prior diagnoses.  This vital information is valuable when assessing individuals in the field.  The procedures that the responders complete on the patient can then be documented in the iTrust system, so that when the individual arrives at the hospital the attending medical staff can view what was done and evaluate patient treatment from that point forward.

In order for the responder to get authorization and then be authenticated to the system, a biometric control would be applied.  This authentication procedure would be extremely beneficial in the field due to the stress of the job.  The responder would use his or her fingerprint to gain access and then proceed to the required medical information.  The use of a password and user ID would slow response to the patient because the responder would have to remember that information.  If responders are unable to gain access and the proper medical care is not administered, this could lead to lawsuits or even death.  HIPAA would have a role in allowing these types of responders to gain access.  Patients could sign a HIPAA waiver during a doctor visit and have it kept in a database so that access could be granted without hassle.

Find qualified licensed health care professional

Allowing the patient access to search the iTrust cloud database system for a LHCP would give them more control over their health care and enhance the quality of care that they receive based on their preferences and diagnosis.  This requirement will also give the user relevant information on where the medical facility is, how many people have been referred to the facility, which doctors are considered experts in a particular field, what procedures were used, and the satisfaction of the people who have been seen at that particular facility.  Allowing the patient to name their own medical preferences would also decrease man-hours for the staff normally responsible for these tasks.

Providing patients electronic health/medical information by means of a cloud database system makes way for streamlined care by providing the latest medical reports in an instantaneous manner, allows for rural individuals to gain access to specialized medical procedures, and may cut costs in certain healthcare facilities (Polito, 2012).  The advantage of being able to cut the number of patients in any single facility would allow for better care of patients, decreased wait times and a more precise diagnosis because each patient’s current medical and health information and patient history could be reviewed thoroughly and quickly by medical staff.  Finding the right health care professional would also allow the patient the opportunity to have predetermined questions to ask, have selective information prior to attending the visit, and be more advised on what to expect during the entire process.  This information could be very valuable to patients and medical providers because they would not waste their time on individuals that may not have a certain medical problem; in which case the patient would have to be referred to another doctor.  This access could provide more efficient and effective medical care.

Update diagnosis code table

ICD-9CM is an outdated medical code system, and the new internationally used code system is ICD-10.  This new code system needs to be added to the iTrust medical application so that medical providers can accurately diagnose patients and medical staff know what the history of the patient was.  Updating the coding system will provide proper analysis, quality management within the medical profession, increased productivity and overall compliance with medical regulations (Bounos, n.d.).  Entering the new codes would allow a patient to be seen at multiple facilities throughout the world, with all medical care providers understanding the prior history.  Outdated material could cause errors in treating the patient and possibly cause severe physical harm.  ICD-10 has significant improvements which allow diagnoses of symptoms to be described with fewer codes, and which cover information regarding ambulatory and managed care encounters (Centers for Disease Control and Prevention, 2012).

View Access Log

The last requirement that iTrust would like to make available to the patient is the ability to view the access log for their medical records.  The access log would provide information regarding who updated their medical information and when it occurred.  This could be very valuable to a patient, as they can communicate with the facility regarding any discrepancies in their chart.  This might also act as a check-and-balance system between the patient and the provider, which could also assist with medical insurance billing and payment information.  For example, if a patient was diagnosed with ailment X, but the provider mistakenly coded ailment Y in the system, the insurance company may or may not cover the cost of the visit or associated procedures.  The access log information a patient views can be provided to the insurance provider and the medical facility for correction.

Another advantage of allowing patients to view the access log is so they are able to see if someone compromised their medical information.  Being able to catch this breach early enough may allow law enforcement time to track the perpetrator before that information is used in a manner non-conducive to the patient.  Without access, the likelihood of a patient knowing their information has been tampered with is severely lessened.

HIPAA was enacted to ensure that personal medical and health information remains secure from others that could use the information wrongfully or intentionally against an individual.  HIPAA allows the patient more control over their personal information, applies limits on who can see the information and on what information is disclosed (Thacker, 2003).  This law itself provides the patient with access to their medical information and the ability to see what was logged in their records.

Applying the new requirements to the iTrust medical cloud database system allows responders, medical professionals and patients the ability to see information that could lead to a proactive sense of medical care.  The efficiency in how medical care is provided could save on medical care costs and make hospital visits more effective due to the limited number of individuals waiting to be seen. The patients will have the option to make the informed decision on which doctor they will see and also have more background information before they see any individual.
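The access-control side of two of these requirements, as an added example (illustrative code written for this assessment write-up, not iTrust’s own implementation): an emergency responder role that sees only the limited emergency report and only when the patient has a waiver on file, an emergency responder write limited to documenting field procedures, and an access log that records every read and write and is visible only to the patient whose record it is.  The role names, field names, waiver flag, sample record and log layout are assumptions.

```python
"""Added example: role-based field filtering with a patient-visible access log.

Illustrative code written for this page, not iTrust's own implementation. Role
names, field names, the waiver flag, the sample record and the log layout are
assumptions made for the example.
"""
from datetime import datetime, timezone

ALL_FIELDS = {"name", "address", "ssn", "allergies", "blood_type", "medications",
              "immunizations", "diagnoses", "procedures"}

# Assumed policy: which fields each role may read.
READ_POLICY = {
    "patient": ALL_FIELDS,
    "lhcp": ALL_FIELDS,
    "emergency_responder": {"allergies", "blood_type", "medications",
                            "immunizations", "diagnoses"},
}
# Assumed policy: which fields each role may write.
WRITE_POLICY = {
    "lhcp": ALL_FIELDS - {"ssn"},
    "emergency_responder": {"procedures"},   # documents care given in the field
}


class PatientRecord:
    def __init__(self, patient_id, fields, er_waiver):
        self.patient_id = patient_id
        self.fields = dict(fields)
        self.er_waiver = er_waiver      # HIPAA waiver signed at a visit (assumed flag)
        self.access_log = []            # constructed stand-in for a transaction log

    def _log(self, actor, role, action, touched):
        self.access_log.append({
            "when": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "actor": actor, "role": role, "action": action,
            "fields": sorted(touched),
        })

    def read(self, actor, role):
        """Return only the fields the role may see; every read is logged."""
        allowed = READ_POLICY.get(role)
        if allowed is None:
            raise PermissionError(f"unknown role {role!r}")
        if role == "patient" and actor != self.patient_id:
            raise PermissionError("patients may only read their own record")
        if role == "emergency_responder" and not self.er_waiver:
            raise PermissionError("no emergency-access waiver on file")
        view = {k: v for k, v in self.fields.items() if k in allowed}
        self._log(actor, role, "read", view.keys())
        return view

    def write(self, actor, role, field, value):
        """Update one field if the role may write it; every write is logged."""
        if field not in WRITE_POLICY.get(role, set()):
            raise PermissionError(f"role {role!r} may not write {field!r}")
        self.fields[field] = value
        self._log(actor, role, "write", {field})

    def view_access_log(self, requester_id):
        """Requirement 4: only the patient whose record this is may read the log."""
        if requester_id != self.patient_id:
            raise PermissionError("access log is visible to the patient only")
        return list(self.access_log)


def denied(action, *args):
    """True if the action raises PermissionError (used to show refusals)."""
    try:
        action(*args)
    except PermissionError:
        return True
    return False


def demo():
    """Constructed walk-through; returns the record so callers can inspect it."""
    rec = PatientRecord("P-1001", {
        "name": "Sample Patient", "address": "1 Example St", "ssn": "000-00-0000",
        "allergies": ["penicillin"], "blood_type": "O-", "medications": ["metformin"],
        "immunizations": ["tetanus 2011"], "diagnoses": ["type 2 diabetes"],
        "procedures": [],
    }, er_waiver=True)
    rec.read("ER-7", "emergency_responder")                        # limited report
    rec.write("ER-7", "emergency_responder", "procedures", ["IV fluids"])
    rec.read("DR-3", "lhcp")                                        # full chart
    return rec
```

After `demo()`, `rec.view_access_log("P-1001")` shows the responder’s read and write and the LHCP’s read, each with the fields touched, which is exactly what a patient would use to spot an unexpected viewer or a miscoded entry; the same call from any other requester id is refused.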

 

Ease of Attack

The iTrust cloud database is relational and made up of tables that account for all the data processing needs of a medical office.  The tables record transactions and patient information.  Specifically, the data recorded for all patients is considered personal health information and falls under the Health Insurance Portability and Accountability Act (HIPAA).   New requirements to the database will pose risks to the confidentiality, integrity and availability (CIA) of data if threats are not mitigated.

The following tables provide supplemental data that feed into the patient record and transaction history.  These tables include medical procedures (table: cptcodes), lists procedures performed at office visits and hospitals.  Hospitals (table: hospitals), lists hospitals in the system.  Diagnosis and immunization (table: icdcodes), lists diagnoses and immunizations with codes.  The standard medication codes (table: ndcodes) provides a list of medications.

The remaining tables are linked to one another through 'id' fields.  Allergies (table: allergies) links to the patient record and lists each allergy by type or description.  Lab procedures (table: labprocedure) records what was performed during an office visit and is related to the patient and office visit tables.  The login failure log (table: loginfailures) records the date, time and IP address of each failed login.  The office visit table (table: officevisits) relates the patient id, hospital id and office id to the office visit diagnosis (table: ovdiagnosis), medication prescription (table: ovmedication), medical procedure (table: ovprocedure) and survey (table: ovsurvey) tables.  The patients table is the central table: it contains personally identifiable information and relates to the personal health information (table: personalhealthinformation), personnel (table: personnel), lab procedure, users and transaction log (table: transactionlog) tables.  The users table holds both patients and personnel.  Figure 1 shows the relations between the tables.

Ease of attack is derived from a value assigned to each table (value points) on a scale of 1 to 100, which indicates how attractive that table is to an attacker (see Appendix A: Table 1).  For each new requirement, the ease-of-attack points are the average value points of the tables that requirement uses (see Appendix B: Table 2); this average is multiplied by the maximum value among those tables to obtain the security risk (see Appendix C: Table 3).  The requirements are then ranked by security risk, where a higher value means a higher ease of attack and a lower value a lower ease of attack.  In order of decreasing ease of attack the requirements are: the ability of a patient to view the access log of who has viewed their medical records, by date; the additional role of emergency responder (ER), who can see a 'report' of the patient's vital medical information; the update of the diagnosis codes for all diagnoses made on or after January 1, 2010; and finally the ability to query for a medical professional by diagnosis and zip code.
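
The scoring just described can be reproduced directly from the appendix data.  The following Python is an added example, not part of the original paper or of iTrust: it takes the consensus value points of Appendix A and the tables used per requirement from Appendix B, computes the ease-of-attack average, the maximum asset value and the security risk, and ranks the requirements as in Appendix C.  The requirement names and the decision to treat requirement 3 as touching every table are taken from Appendix B.

```python
"""Ease-of-attack scoring as described in the text (added example, not iTrust code).
Inputs are the consensus value points (Appendix A) and the tables each new
requirement touches (Appendix B)."""
from statistics import mean

# Consensus value points per table, scale 1-100 (Appendix A, 'Value' column).
TABLE_VALUE = {
    "allergies": 20, "cptcodes": 3, "hospitals": 5, "icdcodes": 5,
    "labprocedure": 40, "loginfailures": 40, "ndcodes": 3, "officevisits": 8,
    "ovdiagnosis": 20, "ovmedication": 40, "ovprocedure": 1, "ovsurvey": 1,
    "patients": 100, "personalhealthinformation": 100, "personnel": 100,
    "transactionlog": 20, "users": 100, "longtermdiagnosis": 40,
    "shorttermdiagnosis": 60,
}

# Tables touched by each new requirement (Appendix B).
REQUIREMENT_TABLES = {
    "1: Add role: emergency responder": [
        "allergies", "hospitals", "icdcodes", "longtermdiagnosis", "ndcodes",
        "ovdiagnosis", "ovmedication", "patients", "personalhealthinformation",
        "shorttermdiagnosis"],
    "2: Find qualified licensed health care professional": [
        "cptcodes", "hospitals", "labprocedure", "icdcodes", "ndcodes",
        "officevisits", "ovdiagnosis", "ovprocedure", "ovsurvey", "personnel"],
    # Recoding diagnoses reaches every table in the schema (Appendix B).
    "3: Update diagnosis code table": list(TABLE_VALUE),
    "4: View access log": [
        "labprocedure", "loginfailures", "officevisits", "patients",
        "personalhealthinformation", "personnel", "transactionlog", "users"],
}


def ease_of_attack(tables, values=TABLE_VALUE):
    """Average value points of the tables a requirement touches."""
    return mean(values[t] for t in tables)


def max_asset_value(tables, values=TABLE_VALUE):
    """Highest value points among the tables a requirement touches."""
    return max(values[t] for t in tables)


def security_risk(tables, values=TABLE_VALUE):
    """Ease of attack multiplied by the maximum asset value (Appendix C)."""
    return ease_of_attack(tables, values) * max_asset_value(tables, values)


def rank_requirements(req_tables=REQUIREMENT_TABLES, values=TABLE_VALUE):
    """Return (requirement, ease, max value, risk) rows, highest risk first."""
    rows = [(name, ease_of_attack(t, values), max_asset_value(t, values),
             security_risk(t, values)) for name, t in req_tables.items()]
    return sorted(rows, key=lambda r: r[3], reverse=True)


if __name__ == "__main__":
    for rank, (name, ease, mx, risk) in enumerate(rank_requirements(), 1):
        print(f"{rank}. {name:55s} ease={ease:6.2f} max={mx:3d} risk={risk:8.1f}")
```

Running it gives the Appendix C ordering (access log, emergency responder, diagnosis code update, provider query).  Requirement 3 comes out as 37.158, which the appendix shows truncated to 37.15; the other averages match exactly.  Because the maximum asset value is 100 for every requirement, the ranking is decided entirely by the average, so a requirement that touches many low-value tables alongside the patients table scores lower than one that touches only a few high-value tables.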

The most vulnerable requirement is giving the patient the ability to view their access log.  The log hands a malicious user an inference vector (Newman, 2009): from the internet protocol (IP) addresses, the medical identification numbers (MIDs) of the users who accessed the record, and the actions recorded, an attacker can assemble a picture of the network.  Knowledge of how the network is laid out lets the attacker focus on particular subnets and eventually build an attack using database footprinting (McDonald, 2002) combined with the network configuration.  The user IDs of personnel and of other patients could also be exposed; an attacker can infer which user IDs belong to which personnel and eventually determine their level of access (e.g., doctor, administrator).

Figure 1: iTrust Relational Design
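
The access-log discussion above points at the fix: the patient is entitled to know who looked at their record and when, but not the fields from which a network map or a MID-to-role mapping can be inferred.  The following Python is an added example, not iTrust code; the raw log layout, field names and sample rows are constructed for illustration.  It applies a row-level authorization check, then projects each row through an allow-list so that IP addresses and MIDs never reach the client, and verifies the projection before returning.

```python
"""Patient-facing view of an access log (added example, not iTrust code).
The raw log layout and the sample rows below are assumptions for illustration."""
from datetime import datetime

# Fields the text identifies as inference vectors; they must stay server-side.
INFERENCE_FIELDS = frozenset({"viewer_ip", "viewer_mid", "session_id"})

# Constructed raw access-log rows with the fields the text says the log holds.
RAW_ACCESS_LOG = [
    {"viewer_mid": 9000000003, "viewer_name": "Dr. K. Lee", "viewer_role": "HCP",
     "viewer_ip": "10.20.3.17", "patient_mid": 1, "action": "VIEW_RECORD",
     "time": "2012-07-20T09:12:04"},
    {"viewer_mid": 9000000003, "viewer_name": "Dr. K. Lee", "viewer_role": "HCP",
     "viewer_ip": "10.20.3.17", "patient_mid": 1, "action": "PRESCRIBE",
     "time": "2012-07-20T09:15:40"},
    {"viewer_mid": 9000000010, "viewer_name": "System Admin", "viewer_role": "ADMIN",
     "viewer_ip": "10.20.1.2", "patient_mid": 1, "action": "VIEW_RECORD",
     "time": "2012-07-21T14:01:11"},
    {"viewer_mid": 9000000003, "viewer_name": "Dr. K. Lee", "viewer_role": "HCP",
     "viewer_ip": "10.20.3.17", "patient_mid": 2, "action": "VIEW_RECORD",
     "time": "2012-07-21T15:30:00"},
]


def leaked_inference_fields(rows):
    """Return the inference-enabling field names present in a set of rows."""
    return {key for row in rows for key in row} & INFERENCE_FIELDS


def patient_access_log(requesting_mid, patient_mid, raw_log=RAW_ACCESS_LOG):
    """Rows a patient may see: date, who (name and role) and what action.
    The timestamp is reduced to a date, as the requirement asks for 'by date'."""
    # Row-level authorization: the check is made here, not in the UI, so that
    # substituting another patient's MID in a request is rejected.
    if requesting_mid != patient_mid:
        raise PermissionError("patients may only view their own access log")
    view = []
    for row in raw_log:
        if row["patient_mid"] != patient_mid:
            continue
        # Allow-list projection: anything not named here (IP, MID) is dropped.
        view.append({
            "date": datetime.fromisoformat(row["time"]).date().isoformat(),
            "viewer_name": row["viewer_name"],
            "viewer_role": row["viewer_role"],
            "action": row["action"],
        })
    # Guard against a later change to the projection quietly re-exposing a field.
    if leaked_inference_fields(view):
        raise RuntimeError("access-log projection exposes inference fields")
    return sorted(view, key=lambda r: r["date"])


if __name__ == "__main__":
    for entry in patient_access_log(1, 1):
        print(entry)
```

The patient still learns the role of the viewer, which is what the requirement exists to show, but has no identifier from which to map roles to accounts or subnets.  The same allow-list approach applies to any patient-facing report built from internal tables: define what may leave the server, rather than listing what must be removed.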


Allowing emergency responders to pull a report of a patient's vital statistics introduces several vulnerabilities.  The report may be accessed from a police cruiser, an ambulance and possibly a smartphone-type device.  Because the information is personal health information, there is a risk that records are left in the open, or are accessed by any emergency responder regardless of whether an emergency exists.  A malicious user who combines emergency responder access with inference across records can gather a great deal of knowledge for further attacks.  Personal records also point to other hospital or provider accounts that may be exploited to gain more information or elevated access to other systems within iTrust.
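
The two weaknesses named above, access without an emergency and a report that exposes more than a responder needs, are usually addressed with a break-glass control: the responder must declare an emergency for a specific patient, the resulting grant is short-lived, every declaration, report and denial is written to an audit trail, and the report is a fixed subset of the record.  The following Python is an added example, not iTrust code; the report fields, the 30-minute grant lifetime and the patient data are assumptions for illustration.

```python
"""Break-glass gate for the emergency responder (ER) report (added example, not
iTrust code).  Report fields, grant lifetime and patient data are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

GRANT_LIFETIME = timedelta(minutes=30)   # assumed policy: emergency grants expire
T0 = datetime(2012, 7, 28, 10, 0)        # fixed clock for the demonstration


def later(minutes, start=T0):
    """Clock helper for the demonstration and its checks."""
    return start + timedelta(minutes=minutes)


# Constructed patient record.  The ER report is a fixed subset of it, so a
# responder never sees billing or identity data with no emergency purpose.
PATIENTS = {
    1: {"name": "A. Patient", "dob": "1970-01-01", "blood_type": "O-",
        "allergies": ["penicillin"], "active_meds": ["metformin"],
        "ssn": "xxx-xx-1234", "insurance_id": "INS-998"},
}
ER_REPORT_FIELDS = ("name", "dob", "blood_type", "allergies", "active_meds")


@dataclass
class BreakGlassGate:
    grants: dict = field(default_factory=dict)   # (responder, patient_mid) -> expiry
    audit: list = field(default_factory=list)    # every declare/report/deny event

    def declare_emergency(self, responder, patient_mid, reason, now):
        """The responder asserts an emergency for one patient; the grant expires."""
        if not reason.strip():
            raise ValueError("an emergency declaration must state a reason")
        expiry = now + GRANT_LIFETIME
        self.grants[(responder, patient_mid)] = expiry
        self.audit.append(("DECLARE", responder, patient_mid, reason, now.isoformat()))
        return expiry

    def er_report(self, responder, patient_mid, now):
        """Return the vital-statistics report only inside an active grant."""
        expiry = self.grants.get((responder, patient_mid))
        if expiry is None or now >= expiry:
            self.audit.append(("DENY", responder, patient_mid,
                               "no active emergency", now.isoformat()))
            raise PermissionError("no active emergency declared for this patient")
        report = {k: PATIENTS[patient_mid][k] for k in ER_REPORT_FIELDS}
        self.audit.append(("REPORT", responder, patient_mid,
                           ",".join(ER_REPORT_FIELDS), now.isoformat()))
        return report


if __name__ == "__main__":
    gate = BreakGlassGate()
    gate.declare_emergency("responder-7", 1, "MVA, patient unresponsive", T0)
    print(gate.er_report("responder-7", 1, later(5)))
    for event in gate.audit:
        print(event)
```

The declaration does not itself verify that an emergency exists; what it does is force the responder to put their name and a reason on record before the data is released, which turns browsing of records without an emergency from an invisible act into an auditable one.  The audit list is what a compliance officer would review, and the denial entries are as useful as the reports.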

The need to update diagnosis codes throughout the system implies that the access level granting this ability can reach most tables in iTrust.  The threat itself is low: all diagnoses must be recoded from ICD-9-CM to ICD-10 and saved to the patient and healthcare provider records.  A malicious attacker could nevertheless use this access to footprint the database as a platform for further attacks.

The hardest attack vector is the 'find qualified healthcare professional' requirement.  A diagnosis and a zip code are all that is needed to query the database for potential healthcare providers in the patient's locality.  If the attacker has already exploited one of the easier vulnerabilities presented by the new requirements, the data in the returned report could help them work out how the database is structured.

The new requirements assume that the system as a whole is secure and has not already been breached.  The relational design provides efficient data processing and access, but it also presents security challenges if they are not mitigated: because of the relations between tables, an attacker can infer a great deal about the patients, personnel and users in the database.  Security mitigations must provide the confidentiality needed to ensure that personally identifiable information is not exposed, as the privacy regulations require.

Threats, Vulnerabilities, and Liabilities at Urgent Care Clinic

With the advancement of technology and the growth of enterprise networks, medical clinics like Urgent Care are adopting new forms of database storage and network systems, which increasingly means a cloud database system or some form of cloud storage.  Broadly, a cloud database refers to virtual servers hosted on the Internet and used to store data.  It increases the capability and capacity of network storage without investment in new infrastructure, using remote servers to hold data and applications that consumers and businesses can reach at any time and from anywhere over the Internet (Gruman & Knorr, 2012).  The term covers several computing models, such as Platform as a Service (PaaS)[1], Software as a Service (SaaS)[2] and Infrastructure as a Service (IaaS)[3].  However, implementing a medical cloud database, or using Urgent Care Clinic's iTrust cloud database services, can have both positive and negative effects on data security and on availability to consumers.

Technological advancement and the broad accessibility of cloud storage, especially for electronic medical records, open additional avenues for vulnerabilities and threats against data, network systems and company reputations (Trend Micro, 2011).  Cloud storage is here to stay, and several important threats need to be addressed in iTrust's cloud database systems.  As large amounts of data move to cloud storage servers, attacks shift from physical access to network intrusion and to abuse of the cloud itself.  Because cloud providers offer seamless, easy registration, criminals target weak registration systems and slip past limited fraud detection; this is an extremely high security risk for both the businesses and the consumers using iTrust.  Botnets can use public cloud infrastructure to spread malware to thousands of computers.  This has already happened: the Zeus banking trojan, whose operators stole millions of dollars from online bank accounts, was found using a compromised site on Amazon's EC2 cloud computing service as a command-and-control server (Cimpanu, 2009).  Publicly blacklisting IaaS network address ranges has been one way to combat the spam and phishing that follow such abuse, although it penalises legitimate tenants of the same ranges.  Stronger monitoring of registration and initial validation, whether through cloud analytics software or more personnel dedicated to monitoring, is a move in the right direction.

According to the Cloud Security Alliance (CSA), another threat to cloud computing and virtual data storage is that consumers do not understand the security implications of the service models they use.  Reliance on a weak set of application programming interfaces (APIs) exposes organizations to a variety of security issues affecting availability, confidentiality and accountability (Cloud Security Alliance, 2010, p. 9).  Remedies include stronger authentication and encryption on the access controls, and examining the security model of iTrust's data storage interfaces will reduce the susceptibility of the company's cloud network to attack.  For the users and consumers of Urgent Care Clinic's cloud network this builds confidence that when they log in to the virtual storage network, their access and registration information will be kept confidential and secure.

Risks also exist on Urgent Care's end, which calls for separation of duties so that no single insider has enough power and access to mount a malicious attack alone.  Ranked among the other threats, this one needs to be at the top of the list.  The impact of a malicious insider can be devastating to users and even larger for the organization.  Although such cases have not yet been widely reported in cloud computing and virtual database systems, insider attacks do happen.  Financial loss, productivity loss and damage to the company's integrity and reputation are just a few of the areas affected.  As companies move toward virtual storage systems, it becomes critical for consumers to understand what policies and procedures are in place to prevent such attacks.  Urgent Care needs to enforce stricter supply chain management by building separation of duties into the iTrust application as a system of checks and balances.  Security breach notification policies also need to be applied, and employees need to be aware of their surroundings and report atypical information or suspicious behavior.  Training and preventive measures go a long way toward preserving company data and brand reputation.

iTrust cloud database users must also be aware of the issues surrounding shared technologies.  Whether virtual machines, management technologies or communication systems, the components underlying shared infrastructure were not designed for strong compartmentalization.  As a result, attackers look for ways to influence the operations of other cloud customers and to gain unlawful access to sensitive medical data.  For example, a zero-day exploit against the virtualization layer could spread rapidly across a public cloud and expose the data of every tenant on the affected server.  A related concern is the 'Blue Pill' proof of concept, a hypervisor-based rootkit that moves the running operating system into a virtual machine under the attacker's control, where it can remain undetected until it is too late.  Because such an attack targets the platform rather than the user, implementing security best practices together with monitoring software is needed to detect it.  In addition to monitoring, a service level agreement for vulnerability remediation, with continual scanning and auditing, will help keep clinical data and the iTrust virtual storage system secure.

Another risk that ranks alongside the threats and vulnerabilities above is the protection of sensitive information and personal data.  Companies need to secure information and data through identity management, which has been described as the most essential form of information protection an organization can use (Aitoro, 2008, para. 3) and is defined as the process of representing, using, maintaining, and authenticating entities as digital identities in computer networks (Seigneur & Maliki, 2009, p. 270).  Alongside identity management comes the requirement for accurate auditing and reporting under federally mandated regulatory and compliance directives such as the Sarbanes-Oxley Act (SOX) and the Health Insurance Portability and Accountability Act (HIPAA).  The Sarbanes-Oxley Act, enacted in 2002, is legislation designed to protect shareholders and the general public from accounting errors and fraudulent enterprise practices; it is administered by the Securities and Exchange Commission (SEC), which sets compliance deadlines and publishes rules on requirements, and it specifies which records are to be stored and for how long (Spurzem, 2006, para. 1).  HIPAA provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information.  The HIPAA Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes, and the HIPAA Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities to use to assure the confidentiality, integrity, and availability of electronic protected health information (U.S. Department of Health and Human Services, n.d., para. 1).
As a direct result of the organizational need for both identity management and accurate federal reporting, identity management systems were developed that log, control, audit and report on end-user access to particular information assets, and serve as the foundation of an organization's threat and overall compliance strategy (DeFrangesco, 2009, para. 1-2).  Identity management systems are designed to create processes that address the five fundamental aspects of identity management: authentication, authorization, accountability, identification, and auditability (UMUC 2, 2010, p. 5).

Additionally, data can be compromised in many ways, and the lack of a backup of sensitive material remains the biggest fault among users and organizations.  Because data loss can have an overwhelming negative impact on a business, it is in the company's best interest to put proper policies and hardware for data duplication in place; without backups, lost information is simply unrecoverable.  The threat of data compromise in the cloud increases because of the number of, and interactions between, risks and challenges that are either unique to virtual database systems or more dangerous because of the operational characteristics of the cloud environment (Cloud Security Alliance, 2010, p. 12).  Besides the damage to the company's reputation and integrity, there is a significant negative effect on customer morale and trust: a company is only as good as the quality of the work it produces, and when data is leaked or lost, users are not happy.  Cloud information systems and virtual data storage revolve around the ability to reach sensitive data and personal information at any time; if that service goes down or is compromised, the company's reputation suffers, the organization faces a significant financial impact and, depending on the incident, it may incur legal ramifications for compliance violations.  To avoid a severe data loss, an organization should keep multiple backups, and the data it stores should be encrypted both at rest and in transit.  This not only protects the integrity of Urgent Care's data, it offers peace of mind to the consumers using the iTrust virtual data storage system.

Another legitimate threat to iTrust users is account, service and traffic hijacking.  Whether through phishing, spam, stolen user credentials or stolen mobile devices, attackers can use a single foothold to infiltrate whole company networks.  With sensitive data hosted on virtual servers, an attacker who obtains user login information or an unmonitored mobile device has an all-access pass.  Because untrained and gullible employees remain the easiest point of entry, attacks on passwords, devices and user credentials stay at the top of the charts.  An attacker who got into the Urgent Care network could monitor transactions, manipulate data and steal personal customer information at the click of a button.  Preventive measures include password policies, device tracking and Internet usage monitoring for all employees; employees must keep their personal information and credentials to themselves, and appropriate monitoring software must oversee activity within the organization.  "Organizations like Urgent Care should be aware of these techniques as well as common defense in depth protection strategies to contain the damage resulting from a data breach" (Cloud Security Alliance, 2010, p. 13).

Finally, when adopting Urgent Care's virtual storage network service, it is important to provide users with PCI-compliant services for any payment card data the clinic handles.  Standards, compliance of internal security procedures, and the information that will be disclosed after an incident tend to be overlooked, leaving an unknown risk profile when moving ahead with cloud computing.  Because companies want to move forward with virtual network storage for its low cost and other benefits, overlooked questions such as how data is stored and who has access may lead to serious malicious threats.  The Heartland data breach illustrates an unknown risk profile.  In May 2008 Heartland Payment Systems, the fifth biggest payments processor in the United States, was breached through known-vulnerable software (Slattery, 2009).  The weaknesses in that software let the attackers plant a data sniffer that captured credit card numbers, expiration dates and internal bank codes, which allowed them to duplicate cards and steal from customers and businesses.  Once Heartland knew about the issue it took only minimal steps to rectify the situation: rather than notify every affected user, it did the bare minimum required by state law.  If an organization is to learn anything from the Heartland breach, it is to go beyond the bare minimum, not only complying with state and federal law but contacting every affected user and following proper incident response procedures.
Not abiding by these rules, or not taking the extra step of having a proper incident response plan, can cause Urgent Care's reputation to take a dive and will in turn deter existing and future customers from using the iTrust database service.  Chris Whitener, Chief Security Strategist for Hewlett-Packard, said that "companies should not jump into the cloud or virtual network storage without a proper risk assessment" (Mimoso, 2010).  Organizations need to be aware of the risks and evaluate the vulnerabilities as needed.

In summary, cloud and virtual database storage is, and will continue to be, part of the critical infrastructure of many businesses such as Urgent Care, so security and response policies and procedures must be considered when migrating to the iTrust virtual storage system.  "This role is likely to grow as a multitude of new services are developed and commercialized and users' level of familiarity and comfort, with this approach to service delivery, develops and grows" (Kate, 2011).  Companies adopt cloud computing and virtual storage for the cost benefits, but they should stay focused on the consumer and end-user side of the business; that is what will drive a company to the next level.  Ultimately, it is the end-user who takes the risk by providing a facility such as Urgent Care with sensitive personal data, and the organizations that take the next step to secure, monitor and regulate the information housed on the virtual database network are the ones most likely to give the end-user peace of mind.  "From this study of current cloud computing and virtual storage practices and inherent risks involved, it is clear that at present there is a lack of risk analysis approaches in the cloud computing environments.  A proper risk analysis approach will be of great help to both Urgent Care and their patients.  With such an approach, patients and staff can be guaranteed data security and Urgent Care Clinic can win the trust of their customers" (Angepat & Chandran, 2012).  Cloud computing is an ever-growing technology for storage and data processing, and the threats and vulnerabilities that come with it must not be left by the wayside.  It is, and will always be, in the best interest of a company like Urgent Care to test for these threats and make changes above and beyond expectations.  If Urgent Care's integrity is compromised, then what else is there?  Nothing.
It is in the best interest of any organization to fortify its cloud network and to consider the threats discussed in this paper, so that it has the knowledge to defend against attacks and strengthen its security.

Changes to Security Management Policies

With the inclusion of the new requirements, the security policy must change in order to reduce risk.  These changes can be phased in over time, but they should take as little time as possible.  The first step is to strengthen authentication, for example through stricter password requirements or PKI-based authentication (Katsumata, Hemenway, & Gavins, 2010).  Admittedly, stricter password requirements may be more of a hassle for patients; employees, on the other hand, should be expected to use strong passwords or the PKI system.  Cost is a factor, and integrating a PKI system can cost up to $1,000,000 (Katsumata et al., 2010).  However, PKI reduces risk far more than passwords do, and its cost-to-benefit ratio is much lower in comparison (Katsumata et al., 2010).  Security is an investment, not only for the company but also for its users.

Regular audits can help improve and refine access controls, ensuring that employees are correctly authenticated and that patient access is both secure and unencumbered (Sommer & Brown, 2011).  Penetration testing can find weaknesses in the system as the new roles are established and the system as a whole is changed to incorporate the new security measures (Sommer & Brown, 2011).  Lastly, plans for disaster recovery and mitigation should be prepared.  Even with the latest technologies and the best policies, there is always the chance that someone will have the luck or the skill to break through every barrier, so contingency plans help reduce the impact of a security breach (Sommer & Brown, 2011).  Data redundancy and system technicians trained and prepared for such a crisis can mitigate the damage considerably (Sommer & Brown, 2011).

Each requirement needs to be fine-tuned over time to close potential leaks and security hazards.  For example, access to the system logs should require strong authentication and regular audits.  The audit itself can serve as a universal security check-up of each requirement, since audits seek out both weaknesses and discrepancies in the system (Sommer & Brown, 2011).  Whether for patients' access rights, emergency responder access or system administrator access, each profile must be scrutinized for properly configured permissions and access controls.  Of the four requirements, the team gave updating the diagnosis code table the lowest priority: authentication is still necessary, but the team decided it was unlikely to be a target for attack (by the security risk score in Appendix C it ranks third, above only the provider query).  Coming to this conclusion was a team effort.

Reaching consensus on the prioritization of security issues was surprisingly uncomplicated.  Each member of the team reviewed the iTrust addenda and filled out the tables independently; the individual tables were then collected and combined into a single consensus value for each table (Appendix A: Table 1), so that every team member's opinion was weighed equally and fairly.  Although there were minor differences in security values and ease-of-attack points, all team members produced very similar tables regarding prioritization.  Every team member agreed that certain tables, such as cptcodes, hospitals, icdcodes and ovprocedure, were of low value to an attacker, and that the patients, personalhealthinformation, personnel and users tables were of the highest value and therefore the most likely to be attacked.  Although the new requirements need different access levels to different tables, the team determined that all new roles are equally viable, and highly vulnerable, targets, because each requirement accesses a high-risk table at some point.  As a result, the team agreed that all new requirements were at high risk of attack.  Lastly, combining the ease-of-attack value with the asset value allowed the team to prioritize the security issues.

Conclusion

There are always lessons to be learned when reevaluating an existing security policy.  It is foolhardy to set up new requirements and roles blindly, without properly assessing the risk factors they may introduce.  Rather, it is important to examine both the new requirements and the currently established roles and determine the level of risk each represents.  Looking at this objectively produces a priority list, and with a priority list we can allocate appropriate resources to protect the most vital data tables without compromising the overall security of the network.  Since these modifications affect security as a whole, we must be careful in making these changes.  Ensuring compliance with federal standards is a good first step, but we must also look to exceed these minimum requirements.  That is what establishes trust between provider and client, and trust is what builds successful relationships.  An important lesson learned is to make certain that we both deserve and can hold on to the trust of clients, and an excellent way to do so is to keep their data secure.

Appendix A: Table 1 – Database Table Value Points

Value points (scale 1-100) assigned by each team member (SS, TR, KZ, BR).  The Value column is the figure carried into Tables 2 and 3; it is not the arithmetic mean of the four individual scores (for allergies, 20, 15, 1 and 20 give a Value of 20).  n.d. = no data.

Table                        SS    TR    KZ    BR   Value   Used in requirement #
allergies                    20    15     1    20      20   1, 3
cptcodes                      1    10     3     3       3   2, 3
hospitals                     5     5     5     5       5   1, 2, 3
icdcodes                      5    20     5     5       5   1, 2, 3
labprocedure                 13    70    40    40      40   2, 3, 4
loginfailures                40    40    20    20      40   3, 4
ndcodes                       1    50     3     3       3   1, 2, 3
officevisits                  8     4    20     8       8   2, 3, 4
ovdiagnosis                  20    60    40    20      20   1, 2, 3
ovmedication                 40     3    13    20      40   1, 3
ovprocedure                   1    30     2     1       1   2, 3, 4
ovsurvey                      1     2     1     1       1   2, 3
patients                    100    80   100   100     100   1, 3, 4
personalhealthinformation   100    40    40   100     100   1, 3, 4
personnel                   100    90   100   100     100   2, 3, 4
transactionlog               13     1    20    20      20   4
users                        20   100   100    40     100   3, 4
longtermdiagnosis          n.d.    40     1  n.d.      40   1, 3
shorttermdiagnosis         n.d.    60     3  n.d.      60   1, 3

Appendix B: Table 2 – Database Tables Used by Requirement

For each requirement: the tables it uses (team consensus), the Value of each table from Table 1, and the maximum Value among them.

Requirement 1: Add role: emergency responder
  allergies                      20
  hospitals                       5
  icdcodes                        5
  longtermdiagnosis              40
  ndcodes                         3
  ovdiagnosis                    20
  ovmedication                   40
  patients                      100
  personalhealthinformation     100
  shorttermdiagnosis             60
  Maximum value                 100

Requirement 2: Find qualified licensed health care professional
  cptcodes                        3
  hospitals                       5
  labprocedure                   40
  icdcodes                        5
  ndcodes                         3
  officevisits                    8
  ovdiagnosis                    20
  ovprocedure                     1
  ovsurvey                        1
  personnel                     100
  Maximum value                 100

Requirement 3: Update diagnosis code table
  allergies                      20
  cptcodes                        3
  hospitals                       5
  icdcodes                        5
  labprocedure                   40
  loginfailures                  40
  ndcodes                         3
  officevisits                    8
  ovdiagnosis                    20
  ovmedication                   40
  ovprocedure                     1
  ovsurvey                        1
  patients                      100
  personalhealthinformation     100
  personnel                     100
  transactionlog                 20
  users                         100
  longtermdiagnosis              40
  shorttermdiagnosis             60
  Maximum value                 100

Requirement 4: View access log
  labprocedure                   40
  loginfailures                  40
  officevisits                    8
  patients                      100
  personalhealthinformation     100
  personnel                     100
  transactionlog                 20
  users                         100
  Maximum value                 100

Appendix C: Table 3 – Security Risk

Ease of attack is the average Value of the tables used by the requirement (Table 2); security risk is ease of attack multiplied by the maximum asset value; rank 1 is the highest risk.

Requirement                                             Ease of attack   Max asset   Security   Rank
                                                        (average)        value       risk
1: Add role: emergency responder                             39.3          100        3930       2
2: Find qualified licensed health care professional          18.6          100        1860       4
3: Update diagnosis code table                               37.15         100        3715       3
4: View access log                                           63.5          100        6350       1

References

Aitoro, J. (2008). Identity management. Retrieved from http://www.nextgov.com

Angepat, M., & Chandran, S. P. (2012, October 27). Cloud computing: Analysing the risks involved in cloud computing environments. School of Innovation, Design and Engineering. Retrieved July 29, 2012, from www.idt.mdh.se/kurser/ct3340/ht10/…/16-Sneha_Mridula.pdf

Bounos, M. (n.d.). Evaluating computer assisted coding systems & ICD-10 readiness. Wolters Kluwer Law & Business. Retrieved from http://www.mediregs.com/files/1007-1/WKLBEvaluatingCADICD10.pdf

Centers for Disease Control and Prevention. (2012). International classification of diseases, tenth revision, clinical modification. Classification of Diseases, Functioning, and Disability. Retrieved from http://www.cdc.gov/nchs/icd/icd10cm.htm

Cimpanu, C. (2009, December 10). Zeus botnet infiltrates Amazon's cloud. Softpedia. Retrieved July 29, 2012, from http://news.softpedia.com/news/Zeus-Botnet-Infiltrates-Amazon-s-Cloud-129438.shtml

Cloud Security Alliance. (2010, February 24). Top threats to cloud computing V1.0. Retrieved July 29, 2012, from http://www.cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf

DeFrangesco, R. (2009). Identity and access management as an audit tool. Retrieved from http://www.itbusinessedge.com

Department of Health & Human Services. (2006). Emergency responder electronic health record. Office of the National Coordinator for Health Information Technology. Retrieved from healthit.hhs.gov/…/EmergencyRespEHRUseCase.pdf

Gruman, G., & Knorr, E. (2012, February 29). What cloud computing really means. InfoWorld. Retrieved July 29, 2012, from http://www.infoworld.com/d/cloud-computing/what-cloud-computing-really-means-031

Kate. (2011, June 7). Securing your data in the cloud: An insider's perspective. Kate's Comments. Retrieved July 29, 2012, from http://www.katescomment.com/securing-data-in-the-cloud/

Katsumata, P., Hemenway, J., & Gavins, W. (2010). Cybersecurity risk management. The 2010 Military Communications Conference – Unclassified Program. Retrieved from http://202.194.20.8/proc/MILCOM2010/papers/p1742-katsumata.pdf

McDonald, S. (2002, April 8). SQL injection: Modes of attack, defense, and why it matters. SANS Institute. Retrieved July 28, 2012, from http://www.sans.org/reading_room/whitepapers/securecode/sql-injection-modes-attack-defence-matters_23

Mimoso, M. S. (2010, March 1). Cloud Security Alliance releases top cloud computing security threats. TechTarget SearchCloudSecurity. Retrieved July 29, 2012, from http://searchcloudsecurity.techtarget.com/news/1395924/Cloud-Security-Alliance-releases-top-cloud-computing-security-threats

Newman, R. (2009). Computer security: Protecting digital resources. Sudbury, MA: Jones and Bartlett Publishers International.

Polito, J. M. (2012). Ethical considerations in Internet use of electronic protected health information. Neurodiagnostic Journal, 52(1), 34-41.

Seigneur, J.-M., & Maliki, T. (2009). Identity management. In J. R. Vacca (Ed.), Computer and information security handbook. Boston, MA: Morgan Kaufmann Publishers.

Slattery, B. (2009, January 21). Heartland has no heart for violated customers. PC World. Retrieved July 29, 2012, from http://www.pcworld.com/article/158038/heartland_has_no_heart_for_violated_customers.html

Sommer, P., & Brown, I. (2011). Reducing systemic cybersecurity risk. Organisation for Economic Co-operation and Development. Retrieved from http://papers.ssrn.com

Spurzem, B. (2006). Sarbanes-Oxley Act (SOX). Retrieved from http://searchcio.techtarget.com

Thacker, S. (2003). HIPAA privacy rule and public health. Centers for Disease Control and Prevention. Retrieved from http://www.cdc.gov/mmwr/preview/mmwrhtml/m2e411a1.htm

Trend Micro. (2011, August 23). Security threats to evolving data centers. Retrieved July 29, 2012, from www.trendmicro.com/cloud…/rpt_security-threats-to-datacenters.pdf

 

U.S. Department of Health and Human Services. (n.d.). Health Information Privacy. Retrieved from: http://www.hhs.gov

 

University of Maryland University College. (2011). CSEC 610: Cyberspace and Cybersecurity, Interactive Case Study II. College Park, MD, USA.

UMUC. (2012). Module 9: Virtualization and Cloud Computing Security. Adelphi, MD, USA. Retrieved July 23, 2012, from http://tychousa5.umuc.edu/cgi-bin/id/FlashSubmit/fs_link.plclass=1206:csec630:9042&fs_project_id=389&xload&ctype=wbc&tmpl=csecfixed&moduleselected=csec630_09


[1] “Platform as a Service (PaaS) is a way to rent hardware, operating systems, storage and network capacity over the Internet” (TechTarget, PaaS, 2012).

[2] “Software as a Service (SaaS) is a software distribution model in which applications are hosted by a vendor or service provider and made available to customers over a network” (TechTarget, SaaS, 2012).

[3] “Infrastructure as a Service is a provision model in which an organization outsources the equipment used to support operations, including storage, hardware, servers and networking components” (TechTarget, IaaS, 2012).


Protection of Network Operating Systems


Amy Wees

CSEC630

15 July 2012


Abstract


Operating systems are essential to business operations, system security and software applications.  Users count on operating systems to provide easy-to-use graphical user interfaces (GUI), run multiple applications at one time, and store and retrieve the data and information needed for everyday operations (UMUC, 2011).  Businesses count on operating systems to address the four basic security concerns of confidentiality, integrity, availability and authenticity (Stallings, 2011).  Although many operating systems include controls that address these concerns, additional measures must be taken to reach the required level of security.  Identification and authentication protection measures are the most significant measures to implement.  Before a user or administrator is allowed to access the system, security measures must identify the person and authenticate the need for, and level of, access.  After personnel are identified and authenticated, access control policies must be implemented to limit access to applications, information, computers and servers on the network.  Internal-to-external and external-to-internal communications must also be protected and restricted.  Drafting and enforcing effective security policies and conducting annual audits allows for vulnerability assessment and correction of weaknesses in configuration, training, or procedures.  The protection measures noted in this paper are rated by severity based on a case study on auditing UNIX systems by Lenny Zeltser (2005).


Keywords: firewalls, security training, operating systems, security policies, password, access control, security management

Protection of Network Operating Systems

Operating systems are essential to business operations, system security and software applications.  Operating systems allow administrators to control access to the system, install and configure third-party commercial-off-the-shelf (COTS) software, and monitor activity with built-in auditing tools.  Users count on operating systems to provide easy-to-use graphical user interfaces (GUI), run multiple applications at one time, and store and retrieve the data and information needed for daily operations (UMUC, 2011).  Businesses count on operating systems to address the four basic security concerns of confidentiality, integrity, availability and authenticity (Stallings, 2011).  Although many operating systems include built-in controls that address these concerns, additional measures should be taken to reach the required level of security.  This paper addresses the implementation, advantages and disadvantages, and security management issues of three protection measures: Identification and Authentication, Access Control, and Security Policies and Auditing (Information Assurance Directorate, 2010).


Security Ratings and Prioritization

            The protection measures noted in this paper are rated by severity based on a case study on auditing UNIX systems by Lenny Zeltser (2005).  A high severity rating is given to a weakness that could let an attacker or intruder gain root-level access to a system, with potential loss of critical data.  A medium severity rating is given to vulnerabilities that could give a remote attacker non-privileged access to the system.  A low severity rating covers improbable events that might give a local attacker non-privileged access to the system (Zeltser, 2005).  The measures listed in this paper are rated as follows:

Measure                                                                          Rating
Identification and Authentication protection measures                            High
    Badge Access Control System                                                  High
Access Control                                                                   High
    Host Based Firewall                                                          Medium
    Network Firewall                                                             High
    Use of a DMZ                                                                 Medium
    Limiting Access to Data using Least Privilege & Separation of Duty Principles  Medium
    Enforcing strong password policies                                           High
Security Policy                                                                  Medium
    Drafting Effective Security Policies                                         Low
    Security Awareness Program                                                   Low
    Security Auditing                                                            Low


Identification and Authentication

            Identification and authentication protection measures are the most significant measures to implement.  Before a user or administrator is allowed access to the system, security measures must be in place to identify the person and authenticate the need for, and level of, access.  Pre-employment background checks can prevent organizations from hiring individuals with criminal records and verify the qualifications claimed on a candidate's resume (Mallery, 2009).  A popular method of controlling identification and authentication is the access badge.  Access badges can be linked to security systems that control and monitor physical access to the facility and to rooms within it and, most importantly, logical access to the systems that hold proprietary and sensitive information.  Badges also give employees a visual cue to a person's level of access and job title and make visitors recognizable.

Many types of access badge systems are available today, and an organization must weigh the cost of a system against its benefit to security.  Smart card systems are relatively easy to implement, with many vendors to choose from and interoperability with legacy systems.  After the user has proven his or her identity with a passport or driver's license and a company representative has verified the user's required level of access, the user is issued a smart card and sets a PIN that is used from then on to authenticate for physical and logical access to the facility (Smart Card Alliance, 2003).

Management of the system will require information assurance professionals who can conduct background checks and verify identities as well as control and administer the computer applications associated with the system.  The organization will also need to prepare for possible outages of the system and develop procedures for training employees to identify badges, escort unauthorized individuals and properly wear, use and store badges.

Smart card technology removes the need to verify identity on a daily basis and makes it easy to monitor a person's whereabouts.  Access changes can be made remotely from the management application when an employee changes jobs, loses a badge or leaves the company.  Smart cards serve both physical and logical access, and that access can be limited room by room throughout the facility.  They also reduce the number of passwords an employee must remember, cutting the hours spent on password resets and locked-out accounts.  Although the advantages are many, access badge systems can be costly, and a skilled social engineer may defeat the system by cloning a badge or fooling an employee into granting access they should not have.


Access Control

            The second most critical security measure is access control.  After personnel are identified and authenticated, access control policies must be implemented to limit access to applications, information, computers and servers on the network.  Internal-to-external and external-to-internal communications must also be protected and restricted.

A firewall is one of the best mechanisms for protecting the network from internal and external threats and for controlling and monitoring communications.  The Windows operating system includes a host-based firewall for clients that drops unsolicited inbound traffic, that is, traffic which is not a response to a request the computer itself made, while allowing only the specific unsolicited traffic an administrator has explicitly permitted.  Host-based firewalls such as Windows Firewall therefore blunt attacks that rely on unsolicited inbound traffic as their delivery mechanism (Microsoft, 2012).  The network firewall should sit directly behind the Internet connection so that malicious traffic is blocked before it enters the network; network firewall software can be installed on a dedicated server placed between the Internet and the protected network (Goldman, 2006).  Firewalls filter and monitor incoming traffic and can also protect against insider threats such as users clicking phishing links or navigating to dangerous websites.  Goldman (2006) notes that research attributes seventy to eighty percent of malicious activity to insiders who already have network access.  Although firewalls are an advantageous protection method, a misconfigured firewall, or one maintained by administrators who do not understand its rule set or monitoring procedures, can do more harm than good, and a firewall must be combined with other protection strategies such as vulnerability assessment tools, intrusion detection and prevention systems, and antivirus (Goldman, 2006).
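The "solicited versus unsolicited" decision a stateful host firewall makes is easier to see in code than in prose.  The following is an added example written for this page, not Windows Firewall code or anything from the cited sources: a toy connection-tracking filter that permits outbound traffic, remembers the flow so the reply can return, lets through only the inbound services explicitly listed as exceptions, and drops everything else.  The host address, the remote addresses, the port numbers and the single allowed service (TCP 3389) are all constructed assumptions.

```python
"""
Toy model of the stateful, default-deny host firewall behaviour described above.
Added example for this page; it is not Windows Firewall code, and every address,
port and rule below is constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" (arriving at the host) or "out" (sent by the host)
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class HostFirewall:
    host_ip: str
    # Explicit exceptions: (proto, local port) pairs allowed to receive unsolicited traffic.
    allowed_inbound: set = field(default_factory=set)
    # Connection table: flows this host initiated, keyed from the host's point of view.
    conntrack: set = field(default_factory=set)

    def filter(self, pkt: Packet) -> str:
        """Return 'allow' or 'drop' for one packet, recording state for outbound flows."""
        if pkt.direction == "out":
            # Outbound traffic is permitted; remember the flow so its reply can come back.
            self.conntrack.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "allow"
        # Inbound: look the packet up as the reverse of a flow this host opened.
        key = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.conntrack:
            return "allow"  # solicited: a response to a request this host made
        if (pkt.proto, pkt.dst_port) in self.allowed_inbound:
            return "allow"  # unsolicited, but an explicitly permitted service on this host
        return "drop"       # default deny: everything else, including scans and worm traffic


def demo() -> list:
    """Run a constructed packet sequence through the filter and return the decisions in order."""
    fw = HostFirewall("10.0.0.5", allowed_inbound={("tcp", 3389)})  # assumption: RDP is allowed in
    packets = [
        Packet("out", "tcp", "10.0.0.5", 51000, "93.184.216.34", 443),  # host opens an HTTPS connection
        Packet("in", "tcp", "93.184.216.34", 443, "10.0.0.5", 51000),   # reply to it: solicited, allowed
        Packet("in", "tcp", "198.51.100.7", 40000, "10.0.0.5", 445),    # unsolicited SMB probe: dropped
        Packet("in", "tcp", "198.51.100.7", 40001, "10.0.0.5", 3389),   # unsolicited but on the allow list
        Packet("in", "udp", "198.51.100.7", 53, "10.0.0.5", 51000),     # same local port, other protocol: no match
    ]
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The last packet is the check a practitioner cares about: a flow is matched on protocol and both address/port pairs, so reusing a local port number over a different protocol does not ride in on an existing entry.  A real firewall also ages entries out of the table and inspects TCP flags; the model leaves both out.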

The physical location and configuration of assets on the network is also vital to access control.  A demilitarized zone (DMZ), for example, is a separately firewalled segment for the systems that must be reachable from the Internet, which are the most exposed to attack.  If a user is compromised or a DMZ host is infected, the segmentation keeps the attacker from reaching the internal network, so essential functions such as e-mail and databases are not interrupted (Turner, 2010).

Password, user and administrative access policies are equally essential to protecting the network and clients from outside and inside threats.  The level of access a user requires must first be determined using the principle of least privilege.  Files and information should be separated by role or department within the organization, with access given only to the people assigned to that role or department; limiting data access also reduces the chance of an intruder reaching critical files.  Administrative access should likewise be limited to the roles and responsibilities of each administrator, and full administrative access to the network granted on an extremely limited basis under a separation of duties policy.  Password policies should be understood by all users and administrators, and Windows Active Directory configured to enforce them.  Studies cited by Turner (2010) found the most secure password policies require a 14-character password containing at least two uppercase letters, two lowercase letters, two digits and two special characters, changed every 60 days, with screen-saver passwords enforced so an intruder cannot use an unattended, unlocked system.  (Later guidance in NIST SP 800-63B drops forced periodic rotation and composition rules in favor of length and screening against lists of breached passwords, so the rotation interval should be revisited against current policy.)  An excellent prevention and education measure for enforcing strong passwords is to run a password-cracking application such as L0phtCrack against the password database with the keyboard-progression dictionaries crackers commonly use.  Users whose passwords are cracked should be notified and required to change them.  Training in this way teaches users and administrators to create and maintain strong passwords and shows how easily weak passwords can be exploited.
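The audit described above has two halves, checking each password against the composition policy and then trying to crack it with a keyboard-progression dictionary, and the two can disagree.  The added example below, written for this page and not L0phtCrack or any vendor tool, implements both: the policy thresholds are the ones the text cites, the dictionary is generated from keyboard rows and columns (with Shift-held variants such as 1qaz@WSX), and the three account records, their salts and the salted SHA-256 scheme are constructed for the demo rather than taken from any real password database.

```python
"""
Password-policy check plus a small keyboard-walk cracking run, modelled on the
audit described above. Added example for this page, not L0phtCrack or any vendor
tool. The policy thresholds are the ones the text cites; the account records,
salts and hashing scheme (salted SHA-256) are constructed for the demo.
"""
import hashlib
import itertools
import string

POLICY = {"min_len": 14, "upper": 2, "lower": 2, "digit": 2, "special": 2}


def policy_violations(password: str) -> list:
    """Return the policy rules the password fails (an empty list means compliant)."""
    counts = {
        "upper": sum(c.isupper() for c in password),
        "lower": sum(c.islower() for c in password),
        "digit": sum(c.isdigit() for c in password),
        "special": sum(c in string.punctuation for c in password),
    }
    problems = []
    if len(password) < POLICY["min_len"]:
        problems.append(f"length {len(password)} < {POLICY['min_len']}")
    for cls in ("upper", "lower", "digit", "special"):
        if counts[cls] < POLICY[cls]:
            problems.append(f"{cls}: {counts[cls]} < {POLICY[cls]}")
    return problems


# Keyboard geometry used to build the "keyboard progression" dictionary.
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
COLS = ["1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm"]
SHIFT = dict(zip("1234567890", "!@#$%^&*()"))


def shifted(col: str) -> str:
    """The same column typed with Shift held: 1qaz -> !QAZ."""
    return SHIFT[col[0]] + col[1:].upper()


def keyboard_walks(min_len: int = 4) -> set:
    """Substrings of each row (forward and backward) plus chains of adjacent columns
    with every combination of shifted/unshifted segments (e.g. 1qaz@WSX3edc$RFV)."""
    walks = set()
    for seq in ROWS:
        for s in (seq, seq[::-1]):
            for i in range(len(s)):
                for j in range(i + min_len, len(s) + 1):
                    walks.add(s[i:j])
    for k in range(1, 5):
        for start in range(len(COLS) - k + 1):
            segs = COLS[start:start + k]
            for pattern in itertools.product((False, True), repeat=k):
                walks.add("".join(shifted(c) if up else c for c, up in zip(segs, pattern)))
    return walks


def mangle(word: str):
    """Cheap mangling rules a cracker applies to every dictionary word."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for suffix in ("1", "!", "123", "123!", "2012"):
            yield base + suffix


def hash_password(salt: str, password: str) -> str:
    # Constructed scheme for the demo; real systems hold NTLM or bcrypt/scrypt hashes.
    return hashlib.sha256((salt + password).encode()).hexdigest()


def crack(accounts: dict, dictionary: set) -> dict:
    """Try every mangled dictionary word against every account; return {user: recovered password}."""
    candidates = {m for w in dictionary for m in mangle(w)}
    recovered = {}
    for user, (salt, digest) in accounts.items():
        for cand in candidates:
            if hash_password(salt, cand) == digest:
                recovered[user] = cand
                break
    return recovered


# Constructed test database: user -> (salt, salted SHA-256 of the password).
SAMPLE_PASSWORDS = {
    "alice": "1qaz@WSX3edc$RFV",                # passes the policy, yet it is a pure keyboard walk
    "bob": "Qwerty123",                         # fails the policy and is a trivial walk
    "carol": "Correct-Horse-9Battery!Staple2",  # passes the policy and is not in the dictionary
}
ACCOUNTS = {u: ("s4lt-" + u, hash_password("s4lt-" + u, p)) for u, p in SAMPLE_PASSWORDS.items()}


def run_audit() -> dict:
    """Per-user findings: policy violations and the password the cracking run recovered, if any."""
    cracked = crack(ACCOUNTS, keyboard_walks())
    return {
        user: {"violations": policy_violations(pw), "cracked": cracked.get(user)}
        for user, pw in SAMPLE_PASSWORDS.items()
    }


if __name__ == "__main__":
    for user, finding in run_audit().items():
        print(user, finding)
```

The point of the alice record is that a composition policy alone is not enough: 1qaz@WSX3edc$RFV satisfies every rule in the policy and still falls to a dictionary of a few thousand keyboard walks, which is exactly what the cracking run is meant to catch.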


Security Policies and Auditing

The likelihood of a business falling victim to cyber-attack grows as more businesses rely on technology to conduct operations and store critical information.  Attacks can cause severe financial losses to businesses and customers and destroy reputations.  Research has shown that most security breaches are caused not by misconfigured firewalls or poor password policies but by inadequate security planning (Hamdi, Doudriga, & Obaidat, 2006).  Drafting and enforcing effective security policies and conducting annual audits allows for vulnerability assessment and correction of weaknesses in configuration, training, or procedures.  The security policy should be based on business objectives, detail the security measures for information systems, operating systems and key management in the business environment, and document procedures for handling security incidents.  Security policies can also be multifaceted, separated by audience (technical versus end-user policies, for example) or by issue (such as information classification and access control policies).  At a minimum, the security policy should address access privileges, user accountability and responsibility, authentication procedures, availability and maintenance of resources, and procedures for reporting violations (Hamdi, Doudriga, & Obaidat, 2006).

Enforcing security policies requires awareness programs and employee training.  Employees should feel they are stakeholders in the security of the organization.  Policies should be widely disseminated, easy to understand and follow, and retrained on a regular basis.  Employees should know how to recognize and respond to security incidents.  The effectiveness of a security policy can be assessed with simple tests such as a contingency plan or emergency response drill (Hamdi, Doudriga, & Obaidat, 2006).

Conducting regular vulnerability assessments and audits of an organization's security posture helps ensure that weaknesses in operating systems, third-party applications and security policies are identified.  This is best accomplished by hiring a third party to conduct the audit: security professionals are trained on many different systems and can educate staff on vulnerability management.  Audits can include penetration tests, which assess the external security of the network, or a less invasive vulnerability assessment that scans systems for weaknesses and provides remediation steps (Mallery, 2009).  If the organization decides not to outsource the audit, it can scan the network itself with tools such as the Nessus vulnerability scanner and deploy intrusion detection and prevention systems and antivirus.  The benefit of in-house tools is that they are always available and can often assess and mitigate vulnerabilities automatically; the drawbacks are that the employee training needed to maintain such systems can be extensive and the systems can be costly (Kakareka, 2009).  After an audit it is paramount to set a time frame in which to accept risks, remedy vulnerabilities, and update security policies and other relevant documents.


Conclusion

            Businesses rely on network operating systems as an effective way to control, manage and secure their operations.  Effective operating system security requires a defense-in-depth strategy that goes beyond what is inherent to the operating system.  Businesses must identify and authenticate employees using background checks and physical security procedures such as badging systems.

After identification and authentication, access to assets is best controlled using the principles of least privilege and separation of duties.  User and administrator access to shared electronic data folders and applications should be separated and limited by function or role.  Firewalls, DMZs and physical separation of assets can be utilized to protect the network from unwanted incoming and outgoing traffic and malicious actors.  Strong password policies and practices can also assist in protecting the network and preventing unauthorized access.

Finally, drafting a strong security policy based on risk analysis and business objectives and confirming employees have a clear understanding of policies and procedures will go a long way in developing a security culture in the organization.  Conducting periodic audits will ensure policies are updated and put into practice.


References


Goldman, J. (2006). Firewall Basics. In H. Bidgoli, Handbook of Information Security (pp. 2-14). Hoboken: John Wiley & Sons, Inc.

Hamdi, M., Doudriga, N., & Obaidat, M. (2006). Security Policy Guidelines. In H. Bidgoli, Handbook of Information Security (pp. 227-241). Hoboken: John Wiley & Sons, Inc.

Information Assurance Directorate. (2010). US Government Protection Profile for General-Purpose Operating Systems in a Networked Environment. Information Assurance Directorate. Retrieved from http://www.niap-ccevs.org/pp/pp_gpospp_v1.0.pdf

Kakareka, A. (2009). What is Vulnerability Assessment? In J. Vacca, Computer and Information Security Handbook (pp. 383-393). Boston: Morgan Kaufmann Inc.

Mallery, J. (2009). Building a Secure Organization. In J. Vacca, Computer and Information Security (pp. 3-21). Boston: Morgan Kaufmann Inc.

Microsoft. (2012). Windows Firewall. Retrieved from Microsoft TechNet: http://technet.microsoft.com/en-us/network/bb545423.aspx

Smart Card Alliance. (2003). Using Smart Cards for Secure Physical Access. Princeton Junction: Smart Card Alliance. Retrieved from http://www.smartcardalliance.org/resources/lib/Physical_Access_Report.pdf

Stallings, W. (2011). Operating Systems Security. Handbook of Information Security, 154-163.

Sensei Enterprises, I. (Director). (2010). How do I secure my computer network? [Educational Video]. Retrieved from http://www.youtube.com/watch?v=g_xzh1rqkNs&feature=youtube_gdata_player

UMUC. (2011). Prevention and Protection Strategies in Cybersecurity. Adelphi, MD, USA.

Zeltser, L. (2005). Auditing UNIX Systems: A Case Study. Retrieved from Lenny Zeltser: http://zeltser.com/auditing-unix-systems/#prioritizing


The Life and Crimes of a Carder


By: Amy L. Wees

University of Maryland University College

CSEC620

April 6, 2012


Abstract

The Internet carding industry is responsible for the identity theft, fraud, and financial losses of countless individuals and businesses every year.  The most lucrative example of the carding network was a website called CarderPlanet.  Criminals steal account information, credit cards, and personally identifiable information in a variety of ways, then buy, sell or trade the information online, after which it can be used to make purchases, withdraw money or further the carder's career.  Though CarderPlanet was taken down and many arrests were made, similar sites and forums still exist and flourish across the Internet.  To learn more about the way carding works and why it is so appealing to criminals, one can look at the ease of the craft, the multiple ways to get involved, and the habits and profiles of arrested criminals.  This paper explores the carding crime, the criminals' actions and motivations, lessons learned from victims, and prevention strategies.


Keywords: Carders, Identity Theft, Credit Card Fraud, Cyber-crime


The Life and Crimes of a Carder

The words of a fictitious Internet advertisement boast “Don’t miss it! There is a limited time only sale on stolen identifications, debit and credit cards including pins and CVVs, counterfeiting equipment, bank account information and PayPal accounts!  Get dumps of U.S. accounts for as little as 20 dollars!  Learn how to make your own credit cards with our specialized equipment.  It has never been easier to get your hands on all of this FREE money!! Fine print: Membership required, website can be relocated at any time and cannot be held liable for unlawful transactions.  All transactions are risky and success is not guaranteed”.

Unfortunately the above advertisement illustrates a scenario that is very real.  The Internet carding industry is responsible for the identity theft, fraud, and financial losses of countless individuals and businesses every year.  Criminals steal account information, credit cards, and personally identifiable information in a variety of ways, then buy, sell or trade the information online, after which the information can be used to make purchases, withdraw money or further the carder’s career.   Though these criminals can make a lot of easy money and mask their identities behind online codenames to avoid capture, there are many separate roles played in this crime ring and different motivations for involvement.  This paper will explore the carding crime, the criminals’ actions and motivations, lessons learned from victims and prevention strategies.


The Threat

The most lucrative example of the carding network came from a website called CarderPlanet.  CarderPlanet was launched in 2003 and was quickly known in the underground community as the place to go to learn the secrets of the carder trade and how to make money from stolen credit cards and identities.  Forum topics on the site covered everything from beginners’ instructions, sales or trades of credit cards, identity theft information and sales, programming, hacking and carder software, how to maintain anonymity and security, and employers offering carding jobs (Munns, 2010).    The site had fake contact information for an address in Ho Chi Minh City, Vietnam and an administrator who went by the alias “Script”.  “Script” was so bold he even created several online advertisements boasting of CarderPlanet’s success.  One of the flashy advertisements makes the following statements in capital letters: “NEED RELIABLE PARTER? CARDERPLANET! WORLD-CLASS CARDERS; GENIUS OF PROCESSING SECURITY; PROFESSIONALS OF PAYMENT SYSTEMS; WE GIVE YOU THE KNOWLEDGE; PROFITABLE STRATEGIES, CARDERPLANET TACTICS AND TUTORIALS; CARDERPLANET IS INEVITABLE” (F-Secure, 2008).

The site was easy to find, both for ordinary Internet users and for Federal Bureau of Investigation (FBI) investigators hunting cyber criminals.  Authorities gained many leads from posts on the site that could be linked to open cases, but found only aliases and little about the location or real identity of the criminals.  Interpol soon became involved, and with the cooperation of law enforcement agencies in several countries, arrests were made and the site was brought down (Munns, 2010).  In a 2010 press release following the arrest of CarderPlanet founder Vladislav Anatolievich Horohorin, U.S. Secret Service Assistant Director for Investigations Michael Merritt stated:

“The network created by the founders of CarderPlanet, including Vladislav Horohorin, remains one of the most sophisticated organizations of online financial criminals in the world; this network has been repeatedly linked to nearly every major intrusion of financial information reported to the international law enforcement community” (U.S. Department of Justice , 2010).

Though CarderPlanet was taken down and many arrests were made, similar sites and forums still exist and flourish across the Internet.  To learn more about the way carding works and why it is so appealing to criminals, one can look at the ease of the craft, the multiple ways to get involved, and the habits and profiles of arrested criminals.

Threat Profiles and Scenarios

According to University of Maryland University College (2010), a threat profile has five elements: asset – an item of value, whether data or physical property; actor – the person causing damage; motive – the reason for the action; access – the means of obtaining the item; and outcome- the eventual result of the action (p. 9).  For the purpose of this paper threat profiles will be given based on observed and reported scenarios of carders.

Scenario 1: Data Breach via Wardriving

In August 2008, eleven cybercriminals were charged with conspiracy, computer intrusion, fraud, identity theft and other crimes after stealing more than forty million credit and debit card numbers via wardriving (DOJ, 2008).  The criminals tapped into retailers' wireless networks from laptops while parked outside stores including Sports Authority, TJ Maxx, Barnes & Noble, Marshalls and OfficeMax.  After gaining access to a network, they installed packet sniffers to capture account numbers as cash registers processed purchases.

Threat Profile

The asset in this case is the credit and debit card numbers.  There were eleven separate actors, most motivated by financial gain, as account numbers were sold over the Internet or encoded onto the magnetic stripes of counterfeit cards used to withdraw thousands of dollars (DOJ, 2008).  Ukrainian Maksym Yastremski was a well-known online seller of stolen cards and is reported to have made eleven million dollars from his crimes.  U.S. citizen Albert Gonzalez was caught while simultaneously working as a Secret Service informant on a separate operation (Poulsen, 2008).  Gonzalez's motive may have been to reduce an earlier sentence by informing while using that position as cover to take part in other crimes for financial gain; that he could not stop even after being caught suggests the crime itself may have become compulsive.  The outcome was severe financial loss to several major retailers; the intrusion cost TJ Maxx alone a reported 130 million dollars (Poulsen, 2008).

Prevention Strategies

            How could these wardriving attacks have been prevented?  Data on a wireless network travels by radio instead of over a wire, so anyone in range can capture it.  The first step is to keep essential data on the more secure wired network and never attach a device holding critical data to an unsecured wireless network.  Next, router defaults should be changed from the factory settings and the Service Set Identifier (SSID) should not be broadcast.  Passwords should be complex enough to resist a password cracker.  Third, Media Access Control (MAC) address filtering and a restricted Dynamic Host Configuration Protocol (DHCP) address pool can limit which workstations or devices join the network, though neither is a strong control on its own: MAC addresses and hidden SSIDs are transmitted in the clear in wireless frames and are easily sniffed and spoofed, and a DHCP limit does not stop a client that assigns itself a static address.  Last and most importantly, information sent over the wireless network must be encrypted.  The strongest standard available at the time of writing is Wi-Fi Protected Access 2 (WPA2), which current router firmware includes.  Information should also be protected at the source using antivirus programs, personal firewalls and wireless network firewalls.  Businesses that need still more protection can require a virtual private network (VPN) so that anyone connecting enters through a secure gateway (Comodo, 2006).

Scenario 2: Skimming

            In 2011, carders were arrested in several states after installing skimming devices over the card slots of automatic teller machines (ATMs) and over the card readers on the entryway doors that control access to the machines.  The carders also installed pinhole cameras aimed at the ATM keypads (KTLA News, 2012).  The skimmers captured the account data on customers' debit cards, and the carders later combined that data with the PINs recorded on video to create counterfeit cards used for purchases and cash withdrawals (Kitten, ATM Skimmer Sentenced to Jail, 2011).

Threat Profile:

The assets in this scenario are the account data and PINs.  There were three actors, believed to be linked to a larger crime ring, as several separate arrests were made for similar crimes in New York.  Gabriella Graham pleaded guilty to acting as a lookout for other members of her team while they installed cameras and skimmers at eleven banks in Connecticut, Massachusetts and Rhode Island, and admitted to creating and using counterfeit debit cards.  At first glance Graham's motive appears to be financial gain, but authorities labeled her a mule and offered a reduced sentence in exchange for testimony against her accomplices, which suggests she may have been pressured into involvement by others.  The skimming attacks cost banks and customers over $335,000 (Kitten, ATM Skimmer Sentenced to Jail, 2011).

Prevention Strategies

            Julie McNelley, a fraud analyst for Aite Group, states: "ATM skimming has helped push debit-related fraud losses to the top of the card-fraud list; debit losses now outpace credit card fraud" (Kitten, Skimmers Busted by Fraud Detection, 2011).  Customers and banks need to know how to protect themselves from skimming.  Customers should watch their account statements, look for irregular charges and report them to the bank immediately.  Credit cards carry fraud protection, whereas a debit cardholder's liability is capped at $50 under federal consumer protection rules only when the theft is reported promptly, and the bank may hold the funds until its investigation finds the customer was not at fault, so a drained checking account is not refunded automatically (Sullivan, 2004).  Some banks use fraud detection software that caps the cash that can be withdrawn each day and looks for irregular spending patterns such as large amounts charged outside the customer's usual area.
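The detection rules the paragraph mentions (a daily cash cap and unusual amounts away from home) are simple enough to show as running code.  The following is an added example for this page, not any bank's fraud system: it screens a constructed transaction history for three rules, a rolling 24-hour ATM withdrawal limit, a large amount outside the cardholder's home area, and impossible travel between two transactions too close in time.  The thresholds, the card number, the home city and every transaction are assumptions constructed for the demo.

```python
"""
Rule-based debit-card fraud screening of the kind the text describes: a daily
withdrawal cap, unusual amounts away from the customer's home area, and impossible
travel between two transactions. Added example for this page, not any bank's
system; thresholds, cards, cities and transactions are all constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Txn:
    card: str
    when: datetime
    amount: float
    kind: str   # "atm" cash withdrawal or "pos" purchase
    city: str


DAILY_ATM_LIMIT = 500.0             # rolling 24-hour cash withdrawal cap (assumed)
LARGE_AWAY_AMOUNT = 300.0           # single amount that is suspicious outside the home area (assumed)
TRAVEL_WINDOW = timedelta(hours=1)  # two cities closer than this in time => impossible travel (assumed)


def screen(transactions: list, home_city: dict) -> list:
    """Return (txn, reason) pairs for every rule a transaction trips, in time order."""
    alerts = []
    by_card = {}
    for t in sorted(transactions, key=lambda x: x.when):
        history = by_card.setdefault(t.card, [])
        # Rule 1: rolling 24-hour ATM cash total, including this withdrawal.
        if t.kind == "atm":
            recent = [h for h in history if h.kind == "atm" and t.when - h.when < timedelta(hours=24)]
            if sum(h.amount for h in recent) + t.amount > DAILY_ATM_LIMIT:
                alerts.append((t, "daily ATM cash limit exceeded"))
        # Rule 2: large amount outside the cardholder's home area.
        if t.amount >= LARGE_AWAY_AMOUNT and t.city != home_city.get(t.card):
            alerts.append((t, "large amount away from home area"))
        # Rule 3: previous transaction in another city too recently to have travelled.
        if history:
            prev = history[-1]
            if prev.city != t.city and t.when - prev.when < TRAVEL_WINDOW:
                alerts.append((t, f"impossible travel {prev.city} -> {t.city}"))
        history.append(t)
    return alerts


# Constructed sample: one card whose home area is Hartford, then a skimmer cash-out.
HOME = {"4111-xxxx-xxxx-1111": "Hartford"}
SAMPLE = [
    Txn("4111-xxxx-xxxx-1111", datetime(2011, 5, 2, 9, 0), 42.17, "pos", "Hartford"),
    Txn("4111-xxxx-xxxx-1111", datetime(2011, 5, 2, 21, 5), 200.0, "atm", "Hartford"),
    Txn("4111-xxxx-xxxx-1111", datetime(2011, 5, 2, 21, 9), 200.0, "atm", "Hartford"),
    Txn("4111-xxxx-xxxx-1111", datetime(2011, 5, 2, 21, 14), 200.0, "atm", "Hartford"),
    Txn("4111-xxxx-xxxx-1111", datetime(2011, 5, 2, 21, 30), 400.0, "atm", "Providence"),
]


def sample_alerts() -> list:
    """Human-readable alerts for the constructed sample."""
    return [f"{t.when:%H:%M} {t.city} ${t.amount:.2f}: {reason}" for t, reason in screen(SAMPLE, HOME)]


if __name__ == "__main__":
    for line in sample_alerts():
        print(line)
```

Each withdrawal in the sample is individually unremarkable; the third one trips the rolling cap, and the fourth trips all three rules at once, which is the pattern a skimmer cash-out produces when counterfeit cards are used at several machines in quick succession.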

Customers should also pay attention to ATM card slots or card swipe terminals that look out of the ordinary.  If something appears to be attached to the original machine, do not use it and report the suspicion to the vendor (Rogak, 2012).  Handheld skimmers have also been used by cashiers and wait staff at restaurants, so customers should pay at the register when possible and not leave a card with staff for long periods (such as for a bar tab).  Retailers should mount security cameras over every area of the store where transactions are processed to deter employee theft and fraud (Crane, 2008).

Scenario 3: Phishing

In December 2011 the United Kingdom’s e-crime unit caught six cybercriminals running a phishing scam targeted at college students across the U.K.  The criminals sent e-mails to students at various schools asking them to update the login details for their student loans.  Some students followed the e-mail link to an official-looking website and provided enough personal information for the criminals to gain access to the students’ bank accounts (Kovacs, 2011).

Threat Profile:

The asset was the student loan accounts and the bank accounts.  The actors, whose names were not released, were four men and two women, most in their mid-20s and one aged 49.  Police found computers and storage media used to access the stolen information (Neal, 2011).  The motive was financial gain, as amounts of up to 5,000 pounds were withdrawn at one time, adding up to over 1 million pounds stolen.  The U.K. charged the suspects with “conspiracy to defraud, money laundering and other offences under the Computer Misuse Act” (Ashford, 2011).  The outcome for the victimized students and banks is unknown.

Prevention Strategies

Consumer awareness is key when it comes to preventing phishing attacks, given the volume of phishing e-mails sent and the variety of their subjects.  Consumers need to know which features are commonplace in phishing e-mails and web addresses so they are able to recognize the scams in their inboxes.  The Anti-Phishing Working Group (APWG) offers consumer advice and recommendations; a brief summary follows:

  • Do not respond to e-mails with requests for personal financial information; banks and other businesses will not ask for this information via e-mail
  • Avoid clicking on links in an e-mail.  Type the known web address in the address bar instead
  • When purchasing items online use trusted retailers and ensure the site is served over https:// and shows the padlock icon
  • Install a web browser toolbar that will provide alerts when browsing known fraudulent websites
  • Report phishing e-mails to the company being spoofed, the Federal Trade Commission or the Internet Crime Complaint Center of the FBI (Anti-Phishing Working Group, 2012).
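Several of these recommendations (do not trust the link text, prefer typing a known address, expect https) can be turned into a mechanical check of the links in a suspicious message.  The checker below is an added example written for this post, not part of the APWG guidance or any real mail filter; the allow-listed lender host, the e-mail body and every domain in it are constructed placeholders under the reserved example domains.  It flags a link when its real destination is not https, when its host is not on the allow-list for the organization the mail claims to be from, or when the visible URL text points at a different host than the href actually does, the classic look-alike trick.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list: hosts the legitimate lender actually uses (placeholder names).
KNOWN_GOOD_HOSTS = {"studentloans.example.ac.uk"}

# Constructed phishing-style e-mail body for demonstration; not a real message.
# The first link shows one host in its visible text but points somewhere else.
SAMPLE_EMAIL_HTML = """
<p>Dear student, your loan details must be updated within 24 hours.</p>
<p><a href="http://studentloans.example.ac.uk.login-update.example.net/verify">
https://studentloans.example.ac.uk/login</a></p>
<p>Questions? Visit <a href="https://studentloans.example.ac.uk/help">our help page</a>.</p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []      # list of [href, visible_text]
        self._in_anchor = False

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href", ""), ""])
            self._in_anchor = True

    def handle_data(self, data):
        if self._in_anchor and self.links:
            self.links[-1][1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._in_anchor = False


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url.strip()).hostname or "").lower()


def check_links(html, known_good):
    """Return [(href, [reasons])] for every link that fails at least one check."""
    extractor = LinkExtractor()
    extractor.feed(html)
    findings = []
    for href, text in extractor.links:
        reasons = []
        if urlparse(href.strip()).scheme != "https":
            reasons.append("not https")
        if host_of(href) not in known_good:
            reasons.append("host not on allow-list")
        text = text.strip()
        # Visible text that looks like a URL must name the same host as the href.
        if text.startswith(("http://", "https://")) and host_of(text) != host_of(href):
            reasons.append("visible URL differs from real destination")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in check_links(SAMPLE_EMAIL_HTML, KNOWN_GOOD_HOSTS):
        print(href, "->", "; ".join(reasons))
```

On the constructed message only the first link is reported, with all three reasons: its destination host is a long look-alike under a different registrable domain, it is plain http, and the visible text advertises the genuine host.  The help-page link passes because it is https and its host is on the allow-list.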

Scenario 4: The Middle Man

The U.S. Secret Service reports that it has arrested “one of its five most wanted cybercriminals in the world” (Metzger, 2010).  “BadB” was an online credit card trafficker who was one of the founders of CarderPlanet.com and later opened another site named badb.biz.  “BadB” sold credit card dumps to Secret Service agents on one of his sites and collected money for the sale through a Russian-hosted site called Webmoney.  The sale led to his eventual identification and arrest in Nice, France (U.S. Department of Justice, 2010).

Threat Profile:

The asset in this scenario is the credit card dumps, which are large amounts of electronic copies of the magnetic stripes of stolen credit cards offered for sale in bulk in online forums (CreditCards.com, 2012).  The actor is Vladislav Horohorin, a.k.a. “BadB”, who bought and sold stolen credit card data online in web forums in which he reportedly participated scrupulously, posting chat rules against swearing and warnings about devious users.  On his own site, badb.biz, he advertised his services with animated cartoons showing Russian political gain from stealing from the U.S. and carders receiving medals for their work.  Horohorin’s motive is more than just financial.  Being a founder of CarderPlanet and watching fellow carders go to prison did not derail him.  He continued on as a leader in the carder crime ring and did not make any attempt to cover his tracks, making noise with his bold cartoon advertisements, his website, and his avid participation on other popular carding sites (Metzger, 2010).  His actions show political motivations, as he was determined to portray Russian carders as heroes and U.S. citizens as easy targets who deserve to be criminalized.  Horohorin also showed that his crimes were motivated by his ego.  He wanted to see how much he could get away with.  It was obvious he thought he was untouchable.  The outcome of Horohorin’s crimes was his arrest.  He is charged with access device fraud and aggravated identity theft, with a total maximum sentence of up to 12 years in prison and fines of up to $500,000 (U.S. D.O.J., 2010).

Prevention strategies

Although authorities have cracked down on carders, the problem remains almost too large to conquer.  There is no sign carders are slowing down in their crimes.  The credit card and banking industry must find better ways to combat the simplistic ways in which account data can be compromised.  Europe, Japan and various other areas around the globe have moved to a new standard using credit cards embedded with a computer chip instead of a magnetic stripe.  The new cards also require the user to enter a PIN to verify their identity at the time of purchase (Tulipan, 2012).  The use of this card prevents skimmers from being used to steal credit card data and is a step in the right direction toward more secure credit and debit cards.  Another option would be to utilize biometric systems, either instead of cards or to verify the identity of the owner of a card in lieu of a PIN.

History has shown us that regulating information shared on the Internet is nearly impossible.  Regulating users of the Internet is also exceedingly tough, as many of the sites in which hackers and cybercriminals converge are quickly moved from one location or host to another or utilize dynamic Internet Protocol addresses.  Law enforcement has come together on a global scale to bring cybercriminals to justice, but there are many more criminals to arrest than there are cybercrime teams to dedicate to their capture.  Another solution, posed by journalist Misha Glenny while speaking at a Technology Entertainment Design (TED) talk, is to hire the hackers to design security solutions instead of jailing them.  Glenny studied some of the most notorious cybercriminals and noted that nearly all of them learned their skills in their teens before their moral compass had developed, demonstrated advanced skills in science and math, and lacked social skills.  He also noted that countries like Russia and China are recruiting these hackers before and after they get into crime and utilizing them to develop their cyber-offensive capabilities (Glenny, 2011).  Glenny ends his presentation with an interesting point: “We need to find ways of offering guidance to these young people, because they are a remarkable breed.  And if we rely, as we do at the moment, solely on the criminal justice system and the threat of punitive sentences, we will be nurturing a monster we cannot tame” (Glenny, 2011).

Conclusion

Identity theft and credit card fraud are a serious global problem.  Criminals have various motivations for committing these crimes: carding does not require any advanced hacking skills, it is fairly easy to hide securely behind an Internet address and alias, and there is money to be made.  Victims must report crimes and suspicious activity to law enforcement and consumer protection agencies and also stay informed on the latest security threats and prevention strategies.


References

Anti-Phishing Working Group. (2012). Consumer Advice: How to Avoid Phishing Scams. Retrieved from APWG: http://www.antiphishing.org/consumer_recs.html

Ashford, W. (2011, December 9). UK police arrest six in £1m phishing scam. Retrieved from Computer Weekly: http://www.computerweekly.com/news/2240112250/UK-police-arrest-6-for-1m-phishing-scam

Comodo. (2006, October 11). Wardriving: What is it, how common is it, and how to protect against it. Retrieved from Comodo: http://forums.comodo.com/general-security-questions-and-comments/wardriving-what-is-it-how-common-is-it-and-how-to-protect-against-it-t3199.0.html;msg23829#msg23829

Crane, A. (2008, September 9). 5 steps to avoid ID theft at the register. Retrieved from CreditCards.com: http://www.creditcards.com/credit-card-news/merchant-data-security-identity-theft-tips-1275.php

CreditCards.com. (2012, April 6). Credit Card Glossary: Terms and Definitions. Retrieved from CreditCards.com: http://www.creditcards.com/glossary/term-dump.php

Department of Justice. (2008, August 5). Retail Hacking Ring Charged for Stealing and Distributing Credit and Debit Card Numbers from Major U.S. Retailers. Retrieved from Department of Justice: http://www.justice.gov/opa/pr/2008/August/08-ag-689.html

F-Secure. (2008, March 14). Digging the Archives for Case CarderPlanet. Retrieved from F-Secure.com: http://www.f-secure.com/weblog/archives/00001403.html

Glenny, M. (2011, July). Hire the Hackers. (M. Glenny, Performer) TED, Edinburgh, U.K.

Kitten, T. (2011, December 28). ATM Skimmer Sentenced to Jail. Retrieved from Bank Info Security: http://www.bankinfosecurity.com/articles.php?art_id=4362

Kitten, T. (2011, November 22). Skimmers Busted by Fraud Detection. Retrieved from Bank Info Security: http://www.bankinfosecurity.com/articles.php?art_id=4262

Kovacs, E. (2011, December 10). Six Phishers Arrested for Scamming UK Students. Retrieved from Softpedia: http://news.softpedia.com/news/Six-Phishers-Arrested-For-Scamming-UK-Students-239744.shtml

KTLA News. (2012, February 7). 2 Arrested for Installing Skimming Device at Chase Bank. Retrieved from KTLA News: http://www.ktla.com/news/landing/ktla-skimming-device-chase-bank,0,1600909.story

Metzger, T. (2010, August 12). Alleged cybercriminal, cartoonist arrested in France. Retrieved from Creditcards.com: http://www.creditcards.com/credit-card-news/carderplanet-badb-data-thief-cybercriminal-arrested-1282.php

Munns, D. (2010, August 12). The secret history of CarderPlanet.com and Dmitry Ivanovich Golubov. Retrieved from CreditCards.com: http://blogs.creditcards.com/2008/05/secret-history-of-carderplanet.php

Neal, D. (2011, December 9). Arrests made for student phishing scam. Retrieved from The Inquirer: http://www.theinquirer.net/inquirer/news/2131361/arrests-student-phishing-scam

Poulsen, K. (2008, August 5). Feds Charge 11 in Breaches at TJ Maxx, OfficeMax, DSW, Others. Retrieved from Wired: http://blog.wired.com/27bstroke6/2008/08/11-charged-in-m.html

Rogak, L. (2012, April 6). 10 things you should know about identity theft. Retrieved from CreditCards.com: http://www.creditcards.com/credit-card-news/help/10-things-you-should-know-about-identity-theft-6000.php

Sullivan, B. (2004, February 18). ID theft victims face tough bank fights. Retrieved from MSNBC: http://www.msnbc.msn.com/id/4264051/ns/business-online_banking/t/id-theft-victims-face-tough-bank-fights/#.T3kvBdm-2So

Tulipan, M. (2012). European Credit Card Standard Leaves Americans Stranded. Retrieved from The Savvy Explorer: http://www.thesavvyexplorer.com/index.php/life-and-style-mainmenu-31/36-tips/689-european-credit-card-standard-leaves-americans-stranded

U.S. Department of Justice. (2010, August 11). Alleged International Credit Card Trafficker Arrested in France on U.S. Charges Related to Sale of Stolen Card Data. Retrieved from Federal Bureau of Investigation: http://www.fbi.gov/atlanta/press-releases/2010/at081110.htm

University of Maryland University College. (2010). Human Aspects in Cybersecurity: Ethics, Legal Issues, and Psychology. Module 7. UMUC.
