Part 6- Conclusion (RAJESH TANDUKAR)Introductionto Hacking:This paper explores the fast growing Cyberworld andits components. It starts with definitions of who is the hacker, and what is acybercrime. Types and offenses of cybercrime are addressed as well.
The paperconcentrates on the possibilities to protect ourselves from the cybercrime, andguard Cyberworld from us. Therefore, it emphasizes the importance of users’education, starting from the early age, creation and enforcement of policies,and awareness training. The paper presents laws, applicable to the computerrelated crime, highlights the U.
S. Department of Homeland Security involvement,and investigates on the fact why businesses do not report hackers’ attacks andwhy is it important.Every year privacy and ethical behavior play moreand more important role in our lives than the year before. Be ethical is a newrequirement on a job market in any field, but it is especially important in thesecurity related areas.
Fast speeding process of converting more business datainto electronic format creates a constant pressure on the involved businessesdue to the liabilities in data protection. Electronic data security is arelatively new growth, which requires everybody’s input to make it work.Information technology professionals enhance their skills to use computermechanisms to secure the data transactions and restrict an unauthorized dataaccess, while achieving the fastest possibly data retrieve. Unfortunately, someof the skilled professionals use their abilities to harm the society, byfinding the vulnerabilities in the companies’ systems and attacking them,creating and distributing virus-containing codes, finding the ways to avoidpayments for the desires services… This is not just wrong and unethical, butalso criminal activities, which are prosecuted in accordance to U.S laws.Sukhai, N.B.
, 2004, October. Hacking andcybercrime. In Proceedings of the 1st annual conference on Informationsecurity curriculum development (pp. 128-132). ACM.Typologiesof Hacking:There are hundreds and hundreds definitions of”hackers” on the Web.
Combining it all together we get a computer enthusiast,who enjoys learning programming languages and computer systems and can often beconsidered an expert on the subject, who mastered the art and science of makingcomputers and software do much more than the original designers intended.”Hackers are computer professionals, with skills… Hackers built the Internet.Hackers made the Unix operating system what it is today.
Hackers run Usenet.Hackers make the World Wide Web work. If you are part of this culture, if youhave contributed to it and other people in it know who you are and call you ahacker, you’re a hacker” (Raymond E., 2001).A hacker is a very talented programmer, respected byhis peers. A true hacker can find plenty of useful projects to work on;breaking things is more a characteristic of children of any age. The basicdifference is this: hackers build things; crackers break them.
According toRaymond, real hackers consider crackers lazy, irresponsible, and not verybright and want nothing to do with them. Unfortunately, many journalists andwriters have been fooled into using the word “hacker” to describe “crackers”,which is obviously upsets real hackers (Raymond E., 2001).
Sadly, we have tojoin the majority and use the term “hacker” in this paper to refer toindividuals who cause so much harm in the society. Laws related to Hacking in Australia: MajorIncidents of Hacking observed in Australia: Motivesfor Hacking:Hackers infringe the laws for a number of reasonssuch in the order from less harmful to more serious (if we can even classifythem this way). Hackers do it: · Because they know how and can, either being smart and figuring out howto, or getting the instructions and tools from friends-hackers· Because they like the challenge to break into something so secure · Because they get a trill of doing illegal activities and hoping not toget caught· Because they seek publicity · Because they want to take a revenge · Because they are getting paid (though most hackers are passionate aboutbreaking into the system and do it for free) ConsequencesAssessing the consequences of industrial cyber attack is not simply acase of assigning a financial value to an incident. Although there are obviousdirect impacts which may be easily quantifiable financially (e.g. loss ofproduction or damage to plant), other consequences may be less obvious. Formost companies, the impact on reputation is probably far more significant than merelythe cost of a production outage.
The impacts of health, safety or environmentalincidents could be highly detrimental to a company’s brand image. Even impactssuch as minor regulatory contraventions may in turn affect a company’sreputation, and threaten their license to operate. (E Byres, J Lowe, 2004) Therefore, hacking, being a cyber crime, hasboth short term and long term impacts on the victims which include (Choo,K.
K.R., 2011)Short- term impacts· Adverse effects on individual users by hampering on theiraccessibility to receive information and conduct transactions.· Obstruction on day-to-day activities of the Businesses andGovernment.Long- term impacts· Breaches of National security (e.g.
leakage of confidentialgovernment information)· Loss of public faith in the Government· Shut down of Businesses and Industries Final wordsThe above analysis indicates that there is a clear shift in the sourceof cyber attacks on industrial control systems because of the mushrooming threats.Threats originating from outside an organization are likely to have verydifferent attack characteristics to internal threats. Thus, companies may needto reassess their security risk model and its assumptions.In addition, the variation in the infiltration paths indicates a widevariety of vulnerabilities available to the attacker. Considering thedifficulty of closing off all of these avenues, it would be wise to assumethere will be boundary breaches and harden the equipment and systems on theplant floor to withstand possible attack.
In effect, companies need to deploy a”defense in depth” strategy, where there are multiple layers of protection,down to and including the control device.Achieving a defense in depth solution for industrial systems willrequire at least four steps. On the system design side, it is recommended thatmore internal zone defenses and more intrusion detection be deployed.
Companiesmay also need to re-evaluate boundary security in terms of all possibleintrusion points and not just focus on the obvious connections such as thebusiness-process link. A single firewall between the business network and controlsystem network is likely to miss many intrusions and will offer little securityonce the attacker is inside the control system network.From the control system manufacturers’ side, SCADA and automationdevices need to undergo security robustness design and testing prior todeployment in the field. SCADA & control protocols should also be improved toinclude security features. Currently most devices appear to be highlyvulnerable to even minor attacks and have no authentication/authorization mechanismsto prevent rogue control.Failure to adapt to the changing threats and vulnerabilities will leavethe controls world exposed to increasing cyber incidents. The result couldeasily be loss of reputation, environmental impacts, production and financialloss and even human injury.
RecommendationThe likely impact of being unable to view or controlthe process or system is an increased reliance on emergency and safety systems.Traditionally these systems have been totally independent of the main control systemand generally considered ‘bullet proof’. However, mirroring the trend in thedesign of the main control systems, these emergency systems are also becomingbased on standard IT technologies (such as TCP/IP). They are increasingly beingconnected to o0072 combined with the main control system, increasing thepotential risk of common mode failure of both the main control system and thesafety systems.
Consequently, in the future, the systemic risks zone defenseand more intrusion detection to be deployed. Companies may also need tore-evaluate boundary security in terms of all possible intrusion points and notjust focus on the obvious connections such as the business-process link. Asingle firewall between the business network and control system network islikely to miss many intrusions and will offer little security once the attackeris inside the control system network.From the control system manufacturers’ side, SCADAand automation devices need to undergo security robustness design and testingprior to deployment in the field.
SCADA & control protocols should also beimproved to include security features. Currently most devices appear to behighly vulnerable to even minor attacks and have noauthentication/authorization mechanisms to prevent rogue control. Key securitycontrols should be applied to both the customer and providers networks –withtailored security controls in place.Failure to adapt to the changing threats andvulnerabilities will leave the controls world exposed to increasing cyber incidents.
The result could easily be loss of reputation, environmental impacts,production and financial loss and even human injury. Byres, E. and Lowe, J., 2004, October. Themyths and facts behind cyber security risks for industrial control systems.In Proceedings of the VDE Kongress (Vol. 116, pp. 213-218).
The participants found that no single solution couldsolve any of the issues raised in the scenarios. All plausible solutions requiredmultiple actors: government, the private sector, and consumers. Often, asanticipated in Australia’s Cyber Security Strategy, these actors would need tocoordinate their efforts.However, the exercise revealed areas in whichcollaboration between sectors occurs solely through informal relationships ratherthan being mandated through official duties and authorities, clearly definedroles and responsibilities, or formally agreed-upon processes and proceduresfor handling crisis events.
This introductory exercise provided an opportunityfor stakeholders from varying industries and government disciplines to beginidentifying challenges to the status quo and propose solutions. Futureexercises could develop ideas about how to implement the proposed solutions orhow to avoid unintended consequences. The types of consequences that couldbe explored in future events include the solutions’impact on Australian industries, innovation, trade (imports and exports), proceduresfor criminal investigations and prosecutions (domestically and acrossinternational borders), and Australia’s ability to keep multiple options openwhen responding to national security events.One key lesson was that finding satisfactoryresolution to the scenarios in the exercise is difficult after a crisis has occurred.Proactive measures need to be implemented in advance to avoid attacks or dampentheir effects, and such responses require establishing mechanisms to prevent ormitigate a crisis, communication and relationships across sectors that can beleveraged during a crisis, and contingency plans when attacks happen despiteall efforts to prevent them. Australia’s Cyber Security Strategy acknowledgesthat more effort is needed in this area. Exercise participants often suggestedcreating cyber security standards, such as product safety standards, minimum securityrequirements for product importers, and mechanisms to measure, modify, andenforce standards.
This topic was discussed more frequently than many othersolutions and could serve as an initial area for the government to pursuechanges.Pursuit of this topic could have the secondaryimpact of facilitating stronger relationships and lines of communication betweengovernment and industry, establishing new government authorities for cybersecurity, and laying the foundations for future policy advances in lawenforcement, diplomacy, and national security.Discussions about cyber security standards andenforcement included three goals that should be explored collectively todevelop cohesive solutions. First, exercise participants believed thatstandards would need to be more stringent for medical devices, vehicles, andother product groups that could jeopardise public safety. Thresholds could belower for pedometers, household appliances, and other products that could be hackedbut pose a lower risk to user health and safety. Second, Future exercises couldconsider how policy development, including the Australian Government’s nextCyber Security Strategy, should challenge assumptions about government roles,responsibilities, and authorities and incentivise a broader range of governmentand non-governmental stakeholders to participate in building and implementingcyber security solutions. (IgorMikolic-Torreira, Don Snyder, Michelle Price, David Shlapak, SinaBeaghley,Megan Bishop, Sarah Harting, Jenny Oberholtzer, Stacie Pettyjohn,Cortney Weinbaum,and Emma Westerman, 2016)Referenceshttps://nsc.
pdfAccessed 13 Jan. 2018. Internet is not only a tool to use for work, studyor pleasure but a very important part of our life in general. It gives thatmagic feeling to accomplish things and be invisible, but this invisibility mayleads to actions, we normally wouldn’t do in person or in public – actions thatmight be wrong. Relatively new terms, “cybercitizenship”, “cyberethics”, and “netiquette” refer to responsible cyber socialbehavior, to what people do online when no one else is looking. Reasonably, weneed to educate all Internet users on rules and sequences of being Online inorder not to be a victim of our own ignorance as one of the young explorers didnot intend to do any damage and did not realize he was doing anything unethicalor illegal.
But was caught and asked at a Congressional subcommittee hearing atwhat point he questioned the ethics of his actions, he answered, “Once theComputer Hacking and Ethics FBI knocked on the door.”(Harvey B., 2004).