The growing economic value of information, products, and services accessible through computer systems has attracted increased attention from opportunistic criminals. In par-ticular, the many potential vulnerabilities of online systems and the Internet have made computer crime attractive and pose significant challenges to professionals whose task it is to secure such systems.
The motivations of persons who use computer systems in unauthorized ways vary. Some hackers primarily seek detailed knowledge of systems, while others (often teenag-ers) seek “bragging rights.” Other intruders have the more traditional criminal motive of gaining access to information such as credit card numbers and personal identities that can be used to make unauthorized purchases (see identity theft). Computer access can also be used to intimidate (see cyberstalking and harassment), as well as for extortion, espionage, sabotage, or terrorism (see cyberterrorism). Attacking and defending information infrastructure is now a vital part of military and homeland security planning (see information warfare).
According to the federal Internet Crime Complaint Cen-ter, in 2006 the most commonly reported computer-related crime was auction-related fraud (44.9 percent), followed by nondelivery of goods (19 percent)—these no doubt reflect the high volume of auction and e-commerce transactions. Various forms of financial fraud (including identity theft) make up most of the rest.
The new emphasis on the terrorist threat following Sep-tember 11, 2001, has included some additional attention to cyberterrorism, or the attack on computers controlling key infrastructure (including banks, water and power systems, air traffic control, and so on). So far ideologically inspired attacks on computer systems have mainly amounted to simple electronic vandalism of Web sites. Internal systems belonging to federal agencies and the military tend to be relatively protected and isolated from direct contact with the Internet. However, the possibility of a crippling attack or electronic hijacking cannot be ruled out. Commercial systems may be more vulnerable to denial-of-service attacks (see below) that cause economic losses by preventing con-sumers from accessing services.
Forms of Attack
Surveillance-based attacks involve scanning Internet traffic for purposes of espionage or obtaining valuable informa-tion. Not only businesses but also the growing number of Internet users with “always-on” Internet connections (see broadband) are vulnerable to “packet-sniffing” software that exploits vulnerabilities in the networking software or operating system. The main line of defense against such attacks is the software or hardware firewall, which both “hides” the addresses of the main computer or network and identifies and blocks packets associated with the common forms of attack (see firewall).
In the realm of harassment or sabotage, a “denial of ser-vice” (DOS) attack can flood the target system with packets that request acknowledgment (an essential feature of net-work operation). This can tie up the system so that a Web server, for example, can no longer respond to user requests, making the page inaccessible. More sophisticated DOS attacks can be launched by first using viruses to insert pro-grams in a number of computers (a so-called botnet), and then instructing the programs to simultaneously launch attacks from a variety of locations.
Computer viruses can also be used to randomly vandal-ize computers, impeding operation or destroying data (see computer virus). But a virus can also be surreptitiously inserted as a “Trojan horse” into a computer’s operating sys-tem where it can intercept passwords and other information, sending them to the person who planted the virus. Viruses were originally spread through infected floppy disks (often “bootleg” copies of software). Today, however, the Internet is the main route of access, with viruses embedded in e-mail attachments. This is possible because many e-mail and other programs have the ability to execute programs (scripts) that they receive. The main defense against viruses is regular use of antivirus software, turning off scripting capabili-ties unless absolutely necessary, and making a policy of not opening unknown or suspicious-looking e-mail attachments as well as messages that pretend to be from reputable banks or other agencies (see phishing and spoofing).
Computer Security
Because there are a variety of vulnerabilities of computer systems and of corresponding types of attacks, computer security is a multifaceted discipline. The vulnerability of computer systems is not solely technical in nature. Some-times the weakest link in a system is the human link. Hackers are often adept at a technique they call “social engineering.” This involves tricking computer operators into giving out sensitive information (such as passwords) by masquerading as a colleague or someone else who might have a legitimate need for the information.
Since computer crimes and attacks can take so many forms, the best defense is layered or in depth. It includes appropriate software (firewalls and antivirus programs, and network monitoring programs for larger installations). It emphasizes proper training of personnel, ranging from security investigators to clerical users. Finally, if informa-tion is compromised, the use of strong encryption can make it much less likely to be usable (see encryption).
While the flexibility and speed of the Internet can aid attackers, it can also facilitate defense. Emergency response networks and major vendors of antivirus software can quickly disseminate protective code or “patches” that close vulnerabilities in operating systems or applications.
The growing concern about vulnerability to computer intrusion and information theft has also been reflected in attempts to make operating systems inherently more secure. The introduction of new security features in Microsoft Win-dows Vista has received mixed reviews. Some features, such as User Account Control, make it harder for viruses or other automated attacks to access critical system resources, but also annoy users by constant requests for permission to carry out common tasks. This reflects a fundamental truth: Security features that make everyday computing more tedious tend to be turned off or bypassed by users.
Once a computer-based crime is detected, a system-atic approach to evidence gathering and investigation is required (see computer forensics). This is because evi-dence in computer crimes tends to be technical, intangi-ble, and transient, and thus difficult to explain properly to judges and juries.
Individual consumers can reduce their vulnerability by ensuring that they do not give out personal information without verifying both the requester and the need for the data. Use of secure Web sites for credit card transactions has become standard. Generally speaking, vulnerability to computer crime is inversely proportional to the degree of privacy individuals have with regard to their personal information (see privacy in the digital age). Public con-cern about privacy and security has led to recent laws and initiatives aimed at disclosure of organizations’ privacy policy and limiting the redistribution of information once collected.
No comments:
Post a Comment