Question: Regarding Risk Assessment. Please utilize the reading material below accordingly. After reviewing the information above, write a vulnerability assessment. Intro-Body-Conclusion. PLEASE MAKE COPY PASTE AVAILABLE

In the past the media focused on cyber criminals. For the last two years, whenever I see a news report related to unscrupulous developments in cyberspace, there is almost always a mention of weapons, the military, or an intelligence service. Nowadays, even when criminals are blamed for performing a major cyber heist, vendors call it "Operation Blitzkrieg" and the mass media announce, "Russian Hackers Declare War on USA." A New York Times article attributed an attack by "Izz ad-Din al-Qassam Cyber Fighters" against U.S. banks to the state of Iran without any evidence other than "a level of sophistication far beyond that of criminals."

Has the world really changed that much in two years? I don't think so. Even the most complex cyber attacks are within the reach of cyber criminal enterprises. Criminals have always raced ahead of the pack, figuring out how to steal from somewhere before the rest of the population realized there was money to be had. Cyber criminals have sites where they sell and buy things. In the early 2000s, criminals were selling credit card numbers. Then banks went online, and criminals invented phishing. As losses grew, the financial institutions responded by improving their security technologies. But cybercrime had already moved on to the next best fraud. Criminals are open-minded when it comes to new ways of stealing money. They learn fast.

The biggest change in the business of cybercrime occurred when the most advanced groups moved from selling goods (stolen data or computer viruses) to the establishment of the criminal cyber services (stealing data, providing access to infected computers, or writing tools to steal data). This transition in criminal business models was good for risk-averse cybercriminals. It gave them stable cash flow and reduced their risks. It allowed them to interact with their customers (other criminals) without ever getting physically close to them.
This approach attracted much less attention from law enforcement and old-style criminals, those carrying guns instead of laptops.

Computer crime became an industry comparable in size to weapons trafficking and drug trafficking. Various sources put individual monetary losses from cybercrime as more than $100 billion. Symantec in the 2012 Norton Cybercrime report estimated an annual cost of up to $110 billion. Such reports might or might not be accurate, but even 1% of the perceived losses is a lot of money.

How can such money be made? Garden-variety criminals cannot pull off such expensive heists. That money comes from sophisticated, interlinked services that criminals have on offer. Here are some of the services available on cybercriminal trade portals:

- Sending unsolicited messages of all sorts; this now includes not only email messages, but also Twitter and social network messaging.
- Writing malware on-order, which includes online support and regular updates for additional licensing fees.
- Bulletproof (or, as it is often termed, "abuse resistant") hosting, for those criminals who need to have Web presence.
- Botnet access.
- Anonymous access to the Internet.
- Getting your video to the top of YouTube.
- Hacking in general.

These services are on the market for anyone who wants to buy them: governments, activists of all persuasions, terrorists, and criminals. These services facilitate other criminal activities and are available for anyone who can pay. According to an interview with a provider, a denial of service attack is priced between $50 and $500 per day, depending on the site and deployed defenses. This provider estimated the price of shutting down the popular blogging site LiveJournal.com at $250 to $100 per day. Criminals have advertised:

- The price for hacking a private email address is between $30 and $50.
- A forged copy of an identity document of virtually any country in the world costs less than $30.
- Custom-made software to automatically register new accounts on popular Web sites and bypass CAPTCHA protection costs less than $500.
- Custom-built malware costs $1,500 plus monthly support and consultation fees.

All prices are in US dollars.

Cybercrime services allow businesses (for example, street gangs with soldiers on the ground) to buy a supply line of stolen credit card data or bank credentials belonging to individuals or companies local to their area. Once they pay for the service, these "businesses" can exploit this information at their own risk. The suppliers are not there if the exploiters of the data are caught. They are jurisdictionally and logically far away from the crime and out of law enforcement's way. Successful arrests of providers of cybercriminal services are rare and require a long-term sting operation or entrapment like Operation Card Shop, which was a two year undercover effort by the FBI that concluded in mid-2012.

Cyber criminals' capabilities are impressive. Now consider some attacks that have been attributed to intelligence services, often with language about cyberweapons.

According to media reports, the proverbial crown jewels of the well-known security vendor RSA were stolen and allegedly used to attack multiple targets, including financial organizations and weapons manufacturers. The attack was not very advanced: it started with a known exploit, continued for some time, and ended with exfiltration of the data through a typical channel.

The Stuxnet attack occurred when a uranium enrichment plant in the Islamic Republic of Iran was sabotaged. The attack allegedly used specially crafted malware, delivered to the target by uncontrolled USB devices. The attack exploited previously known and unknown vulnerabilities in industrial control systems to damage centrifuges.

Georgia, a small nation in the Caucasus Mountains, got into the bad books of its bigger neighbor Russia over the future of two pro-Russian separatist regions.
It resulted in military conflict. Separatists' online news agencies were allegedly compromised by hackers associated with Georgia while the online capabilities of Georgia were severely degraded by a massive denial-of-service attack. Georgian official and private websites were also defaced.

The main shared feature of each of these stories is that those attacks used nothing more than was available in the criminal markets at the time. Some of the example attacks may have been the work of government agencies, but they are also within reach of determined criminal groups. Similar attacks can be easily designed from building blocks available on the market. Sophisticated malware can be ordered online. Unknown (so-called zero-day) vulnerabilities can be purchased and turned into exploits. Computing power equivalent of multiple, top-of-the-range supercomputers is on offer. Databases of already-hacked passwords are available. An attack sponsor need not be a hacker or social engineer to profit from the theft of valuable data.
A decent project manager capable of understanding what items are in demand can identify particular information as marketable and build and execute a project plan using purchased components and services. Custom exploits can deliver the payload into a protected perimeter, unique malware can search and eventually reach valuable data, and individually crafted software can exfiltrate the loot. The sponsor of the attack can then sell the data wholesale or piece by piece to any party able to pay, whether a criminal organization, intelligence service, or terrorists. The scariest thing of all is that most of these recent attacks could be the work of a criminal.

According to security vendors, policymakers, and media, the world is rife with secret services, intelligence operatives, and military commands engaged in cybercrime. This perception is partially based on truth: intelligence agencies and military do operate in cyberspace. But this perception leads to bad decisions. Business leaders are not sure how best to invest in protection. Political leaders pass laws that reduce freedom of information on the Internet and empower counterintelligence services. Society is exposed because defenses appropriate to the threat are not built.

Most attacks, regardless of who is paying for them, are perpetrated by cyber criminals. We need to oppose them through better international enforcement efforts, even though this has been difficult to achieve. We must also disrupt their business models by taking down their ability to offer and deliver their services. This has been done somewhat successfully by U.K. banks. Most important, we must recognize that most attacks are executed by criminal enterprises, and not by nation-states. These attacks can be defended
