Our first Security module assignment was due Sunday. I was ploughing away until all hours on Saturday night trying to get it finished. The topic was:
“Discuss the current trends in security threats on computer systems security and how we can mitigate these threats. Discuss the role of Knowledge Management in mitigating security threats if any?”
Since coding isn’t my forte, I took a look at the effects of threats on common usage. I examined Phishing and Pretexting. I was surprised how little deep information there is out there on these two issues. After much examination I concluded the reason there isn’t much in-depth information is because the scams are very basic in form.
Phishing doesn’t require much explanation beyond, “A phisher sends you a phoney website. You fall for the ruse and plug in all your personal details. The phisher then uses your identity to steal your money and rack up debts.” Certainly there is a skill to it, but the technology is very basic. Very little is required to understand how it is set up, how people fall for it and the resultant effects.
It’s asymmetrical: tiny scam – huge problem. According to some sources, last year phishing cost nearly $5bn in consumer losses in the US. The numbers are hotly debated but whatever the exact amount, phishers are making a lot of money from their basic confidence-trick.
Pretexting is also easy to define. Same as above, except using the phone. So far this isn’t as much a source of financial theft as it is a way of finding personal information about people for the purposes of private investigations, newspaper stories or, in the case of HP, to plug a leak. Talk about taking a sledgehammer to crack a walnut! The corporate fallout and bad press HP got over that affair were orders of magnitude worse than the original problem, i.e. a board member leaking long-term HP strategy to CNET News.com. Ironically, HP’s situation was also somewhat asymmetrical: tiny problem – huge scandal.
Here is a sample of links I found very helpful:
References
Federal Trade Commission
SPAM
http://www.ftc.gov/bcp/conline/edcams/spam/index.html
Identity Theft Site
http://www.ftc.gov/bcp/edu/microsites/idtheft/
Phishing
http://www.onguardonline.gov/phishing.html
Pretexting
http://www.ftc.gov/bcp/conline/pubs/credit/pretext.htm
The Gramm-Leach-Bliley Act
http://www.ftc.gov/privacy/privacyinitiatives/glbact.html
CNET News.com
HP execs: Spy scandal was ethical wake-up call
http://news.com.com/HP+execs+Spy+scandal+was+ethical+wake-up+call/2100-1014_3-6163563.html
HP outlines long-term strategy
http://news.com.com/HP+outlines+long-term+strategy/2100-1014_3-6029519.html?tag=st.prev
Wikipedia
Social engineering (security)
http://en.wikipedia.org/wiki/Social_engineering_(computer_security)#Pretexting
Phishing
http://en.wikipedia.org/wiki/Phising
Ira Winkler on How To Fight Pretexting
http://www.baselinemag.com/article2/0,1540,2060332,00.asp
Kevin Mitnick
http://en.wikipedia.org/wiki/Kevin_Mitnick
United States Department of Justice
First Conviction in Hewlett Packard Pretexting Investigation
http://www.cybercrime.gov/wagnerPlea.htm
Sophos
Simple steps to avoid being phished
http://www.sophos.com/security/best-practice/phishing.html
The White House
The National Strategy to Secure Cyberspace
http://www.whitehouse.gov/pcipb/
The Mercury News
http://www.mercurynews.com/mld/mercurynews/news/local/16370086.htm
SANS
Top-20 Internet Security Attack Targets (2006 Annual Update)
CERT
Social Engineering and Phishing Attacks
http://www.us-cert.gov/cas/tips/ST04-014.html
Current Activity
http://www.uscert.gov/current/
NIST
National Vulnerability Database
FBI
Cyber Investigations Division
http://www.fbi.gov/cyberinvest/cyberhome.htm
US Department of Homeland Security
US Ready
http://www.ready.gov/business/protect/cybersecurity.html
BBC
Which? highlights phishing losses
http://news.bbc.co.uk/2/hi/business/6401079.stm
Taxman Warns of ‘Phishing’ Fraud
http://news.bbc.co.uk/2/hi/business/6182151.stm
Net-security.org
Phishers Are Improving Their Chances of Success with Targeted Attacks
http://www.net-security.org/article.php?id=913&p=4
Scalet, Sarah D.
2006: The Year of the Security Non-Event
http://www2.cio.com/research/security/edit/a01042007.html
Anti-Phishing Working Group
Crimeware Mutations Shatter Records in December
http://www2.cio.com/research/security/edit/a01042007.html
Looks Too Good To Be True
Consumer Information and Protection
http://www.lookstoogoodtobetrue.com/about.aspx
Caslon Analytics
http://www.caslon.com.au/pretextingnote.htm
Webopedia
All About Phishing
http://www.webopedia.com/DidYouKnow/Internet/2005/phishing.asp
National Consumer League’s Internet Fraud Watch
http://www.fraud.org/tips/internet/phishing.htm
SearchSecurity.com
http://searchsecurity.techtarget.com/sDefinition/0,290660,sid14_gci916037,00.html
Microsoft
Recognize phishing scams and fraudulent e-mails
http://www.microsoft.com/athome/security/email/phishing.mspx
ComputerWorld.com
Phishing
http://www.computerworld.com/securitytopics/security/story/0,10801,89096,00.html
CACI
Knowledge Management in Crime
Forrester
Security Knowledge Management
http://www.forrester.com/Research/LegacyIT/Excerpt/0,7208,33469,00.html