Computer Crime Research Center


Cybercrime and Effective Security Policies

Date: May 14, 2005
Source: Government Technology
By: Corey McKenna

Larry Johnson, special agent with the Secret Service, Joanne McNabb, chief, Office of Privacy Protection, California Department of Consumer Affairs, and several industry representatives presented their perspectives at GTC West on the challenges facing California state agencies in securing constituents' personal information while maintaining quality service.

Participants addressed the threats facing customer data, effective enforcement actions taken against hackers and identity thieves, and the need for cooperation between levels of government and between government and the private sector in combating cybercrime.

The growth of e-commerce and data mining has given rise to well-organized criminal elements who are in business to make money by misusing stolen personal information -- a change from three or four years ago when most hackers were hobbyists. Between 2002 and 2003 the number of online account takeovers doubled, Johnson said. However, legitimate businesses can provide a first line of defense by protecting customers' data. The method that is hard to prevent is the collusion of an employee. The employee will download the information and remove it from the office electronically or physically.

Agency coordination is very important in combating hacking, identity theft and other types of cybercrime, both because the groups involved in these kinds of crimes work in a multi-jurisdictional environment -- state, federal and international -- and because cybercriminals form a tight-knit community in which news of one person's capture can spread quickly across the Internet.

In October 2004, the Secret Service arrested 30 people and issued 30 more search warrants as part of Operation Firewall. The operation involved 18 Secret Service offices and 11 international law-enforcement organizations. It involved 2,000 terabytes of data and was the first use of a wiretap on a computer network, according to Johnson.

It is very important for businesses and state agencies to report system intrusions and data leaks soon after their discovery, but not without the affected agency doing its own analysis of how the incident happened. The authorities (whether state police, local authorities, the FBI or the Secret Service) need adequate facts in order to make arrests. The investigating agency may not make an arrest in a given instance of identity theft, but information from one case may lead to an arrest in a different case by connecting common dots.

Identity theft started with criminals accessing unencrypted credit card data dumps on servers owned by e-commerce companies. The credit information was then used to make so-called "full info cards," which contain mothers' maiden names, the security digits on a credit card, PINs, passwords and usernames -- everything about anyone.

Phishing kits are easily obtainable as are e-mail lists of potential victims.

Over the last year, numerous e-mails containing keylogging software have been sent over the Internet. If the victim opens the e-mail, the program installs itself on the user's computer and starts recording the user's keystrokes. The program then sends passwords and IDs to the hackers who design the programs.

Cybercriminals are highly adaptive. They utilize numerous online exchanges for communication, where up-to-date information on system security is disseminated within an hour. "Sometimes we are one step ahead and then behind" the evolving technical savvy of cybercriminals, Johnson said.

A good percentage of encryption can be broken, according to Johnson, and the Secret Service has been and will continue to be very successful in breaking criminals' encryption.

One of the ways the Secret Service stays on top of the sophistication of cybercriminals is through the funding of electronic crimes task forces (ECTFs), which the private sector is greatly encouraged to be a part of. There are currently 15 ECTFs in the U.S., and the Secret Service is considering establishing one overseas in 2006.

Effective Security Policies
One point Johnson made, which has been echoed previously by other people involved in the public and private security effort, is that corporate and government security is a partnership. The majority of computer networks are privately owned, and the only way to properly investigate network intrusions and data leaks is through gaining the cooperation of the private sector. Johnson said that only between 30 and 50 percent of data leaks are reported. This percentage undoubtedly needs to increase. To do that, confidentiality is very important.

Good security programs recognize that security is not an afterthought. Security programs should include risk assessment and management with accountability. Have a way for customers to verify the ID of a Web site or e-mail they visit or open. Organizations should also have procedures for preserving important computer data even after a security event. They should have an internal procedure in place to handle computer crime. Do an internal audit of affected systems to give law enforcement some facts with which to pursue the case, and file a police report quickly after a crime has been verified. And finally, but most importantly, educate people, since people are the weakest security link.
