Mitigating Computer Fraud in the Online Environment Essay

Crime on the Internet is creating stunning losses for people as well as organizations of all kinds (Internet Crime Complaint Center, 2009; Mensch & Wilkie, 2011). The necessity to inform and educate faculty, staff, and students of the diversity of threats and methods to protect and mitigate organizations and individuals from these threats is practically a moral imperative. People who lack the fundamental skills and knowledge to safeguard themselves and the institutions they attend or work for, cost those institutions and themselves billions of dollars every year, and the cost is rising (Custer, 2010; Internet Crime Complaint Center, 2009). This lack of fundamental skills and knowledge paired with the overall lack of education and information security by a preponderance of educational institutions and business makes it progressively more probable that cybercrime damages and costs will continue to burgeon (Guy & Lownes-Jackson, 2011; Khansa & Liginlal, 2009). In 2011, the fiscal cost of cybercrime was valued at 114 billion dollars (Ivan, Milodin, & Sbora, 2012). Responding to the escalated danger to educational organizations from cybercrime, a number of schools have been assigned to create programs for training students in Information Security Management (Kuzma, Kenney, & Philippe, 2009). Consistent with the necessity for instruction is the subsequent discussion of cyber threats and responses to them. Threats in an Online Environment Spam is the sending of unsolicited e-mails to unsuspecting victims. Spam is responsible for many of the threats that will be discussed (Burgunder, 2011). Spam harmfully effects computer systems because it’s sheer volume, with eighty percent or more of e-mail shown to be spam. Spam affords the method of deploying numerous kinds of threats. These threats can be divided into application based threats and human based threats. According to two international studies, businesses do not put sufficient emphasis on information technology security (Labodi & Michelberger, 2010). Human-based Threats Viruses, spyware, zombies, bots, and worms are all computer programs that are applied to destroy, corrupt, or glean data (Burgunder, 2011; Ivan et al., 2012). These are examples of human-based threats since systems are affected as a consequence of something that a human does. A virus is a computer program that typically contaminates systems through a spam e-mail or by clicking of a random advertisement, and then replicates itself over and over again. Trojan horses are a nonreplicating type of virus that appears useful, but is intended to corrupt or destroy files and programs. Spyware is designed to facilitate identify theft by delivering personal identifying data to cybercriminals. Zombies and bots can perform helpful purposes, but are used to collect data concerning the utilization of a system or computer. Worms are similar to viruses but do not need to piggyback on a file to be delivered from one system to another. Federal laws enacted make it a crime to deliberately generate harm to any computer system (Burgunder, 2011). Phishing is when someone poses as a legitimate company to collect personal information from unknowing victims. Phishing typically begins with an authoritative looking and sounding e-mail that directs the victim to a website that appears to be a legitimate business but is utilized to collect personal data (Burgunder, 2011; Custer, 2010). Phishing is currently the most widespread and well-known technique of fraud by electronic measures (Ivan et al., 2012). Software programs that either utilize a rainbow table or endeavor to deduce a password to get into a database or network is considered password sniffing (Kara & Atalay, 2012). After an administrator’s password is deduced it is probable that further accounts will be breached (Custer, 2010 Much too frequently transferable data with a person’s identifiable data is kept by means that were not constructed for security and not counted in a data security strategy (Custer, 2010). The greatest percentage of thefts of private information is from incorrectly stored backup tapes, external hard drives, or laptops. Existing laws order companies to alert affected individuals of a potential breach of their data. It is expected that the price tag of the typical breach of educational data will span from $210,000 to as much as $4 million from the costs of notifying affected individuals alone (Custer, 2010). Still, another type of cybercrime concerning human error is scams. In 2011 more than 20,000 recorded infringements involved four types of crime (Internet Crime Complaint Center, 2011). One of these types was FBI-related scams, in which someone impersonates a FBI agent to cheat victims, while another is personal identity theft, in which someone uses the victim’s personal identifying data to perpetrate a crime. The other two types are advanced fee fraud, in which a perpetrator persuades the victim to pay a fee to acquire something of value but without ever providing it and the non-delivery of products, in which the victim pays for merchandise that never arrives (Internet Crime Complaint Center, 2011; Ivan et al., 2012). Increasingly, information breaches happen because of resentful or dissatisfied employees (Custer, 2010). Presently, the main risk to data’s confidentiality, availability, and integrity within a company is careless treatment or purposeful destruction by in-house employees (Labodi & Michelberger, 2010). It is unusual for small or medium companies to pay much time or attention to the harm that insufficiently educated or malicious employees can cause. Application-based Threats Usually when security is penetrated from outside it is because of vulnerabilities or configuration errors connected to applications installed on networks and computers (Custer, 2010). The Open Web Application Security Project (OWASP) enumerates 162 vulnerabilities a standard software application may contain that could be manipulated. Two of the most often abused application vulnerabilities are injection flaws and cross-site scripting (Custer, 2010). Cross-site scripting incorporates extra code in a HTTP response message that gets implemented if the vulnerability is not detected and prevented. The implementation of this code could involve dispatching the session cookie to someone who could then utilize that cookie to do damage (Custer, 2010). Current scrutiny estimates that poorly written and protected web pages permit as much as forty percent of information breaches by means of cross-site scripting (Custer, 2010). A database language that permits the retrieval and manipulation of objects and data on a relational database management system is the Structured Query Language (SQL). SQL injection attacks permits invaders to make several harmful changes. One possibility is to cause repudiation problems such as changing balances or voiding transactions. Another possibility is to meddle with data by allowing full disclosure of all information on the system or to eliminate the information or make it unavailable. A disturbing possibility is to make the intruder the administrator of the database server. The vulnerability happens when no effort is made to authenticate the user information, this makes it possible for an experienced user to input data in such a way to displace the real function of the SQL, and implement code for nefarious purposes (Custer, 2010). Between ten to twenty percent of information breaches happen because of web pages that vigorously generate statements against the database without authenticating the statements before proceeding to execution (Custer, 2010). Threat Responses in an Online Environment The necessity to develop, plan, and, most importantly, implement IT security awareness instruction is essential to guarantee the security of faculty, student, and institutional information (Mensch & Wilkie, 2011). Today’s systems have key security components such as spam filters and intrusion detection systems (Ivan et al., 2012). These components can expose unauthorized admission and filter electronic communications that are deemed high risk. Some information breaches happen because of system invasion and extraordinary technical talents of criminals. However, the majority happen because of human error and are founded more on inventiveness and cleverness (Ivan et al., 2012). Needed are policies, awareness and technology, education and training to ensure data security for both organizations and individuals (Mensch & Wilkie, 2011). Responding to Human-based Threats There are several actions that can be taken to eliminate or minimize the threats posed by viruses, spyware, zombies, bots, and worms. Installing a virus detecting software, then keeping it current, and confirming that it operates on a regular schedule is the principal defense for these threats. Additionally, a browser add-in that verifies web site ratings prior to permitting routing to a site should be installed and it will also warn users when they may be making a questionable or unsafe Internet selection. Furthermore, browser pop-up blockers reduce the frequency of successful infringement of this kind (Mensch & Wilkie, 2011). Finally, a security information awareness program should teach faculty, staff, and students concerning the gravity of the danger and the potential cost of their actions. Phishing is so widespread and flourishing due to the inexperience of users. An adequate amount of education and training is the key to alleviating the success of a phishing tactic (Ivan et al. , 2012). The way to mitigate or eliminate password sniffing is to teach all users on all systems to utilize hardened passwords. A hardened password is deemed to be a password that is changed at least every 90 days, with at least eight characters with one being a different case from the rest of the password, one is a special character, and at least one is a number (Custer, 2010). It is also essential that each user use a special hardened password for every system and that these hardened passwords not be recorded in a manner that can be discovered. An even superior remedy for sensitive information is a two-factor authentication that requests something the user has, such as a random digit produced by a miniature hardware token and something the user knows, like a password (Custer, 2010). A suggestion for IT professionals is to consider how they would transport over $200,000, and use comparable common sense and caution in their treatment of private information and the vehicle on which it is stored (Custer 2010). Also, it is recommended that any portable device use whole disk encryption and consequently if it is misplaced or stolen then information is rendered unreadable. Another method for decreasing human error is to inform users of the most predominant scams so they are prepared and less likely to be fooled (Ivan et al., 2012). The Internet Crime Complaint Center issues guidelines for performing business online (2011). A curriculum to maintain and increase data security awareness among staff, faculty, and students has a considerably inconsequential cost when equated to the conceivable costs of a security breach, but does entail consistency in application (Labodi & Michelberger, 2010). Responding to Application-based Threats The FBI reported that ninety percent of security infiltrations is from recognized problems. Assistive services have been designed that will permit companies to test their systems for these problems. Running these tests and then repairing any problems that are detected is vital to protect the system from the majority of security infiltrations (Custer, 2010). Also, creating a policy of regular system tests will most likely ensure that these types of system infiltrations will not occur. The most effective way to guard against SQL infiltration is centered on solid input validation (Ivan et al., 2012). Products exist that can be installed on systems to test a web site’s security ratings. Cross-site scripting can be curtailed through the utilization of such products. Conclusion Information technology security must be first and foremost for an organization. The protection of faculty, staff, and student personal data is critical to individual privacy and, furthermore, to the finances and reputation of the organization. Dangers to IT security come from weaknesses intrinsic to the use of compound software products and from human error. The educational organization’s IT team is responsible for averting the occurrence of information breaches and implementing appropriate tactics to diminish the damage of a data breach if it occurs. Information Security plans outline the security procedures that must be taken by an institution and should include both strategic and high level as well as operational and detailed. A key element in any information security plan must be the education and training of the individuals who have access to information. References Burgunder, L. B. (2011). Legal aspects of managing technology (5th ed.). Mason, OH: South-Western Cengage Learning. Custer, W. L. (2010). Information security issues in higher education and institutional research. New Directions for Institutional Research, 146, 23-49. doi:10.1002/ir.341 Guy, R., & Lownes-Jackson, M. (2011). Business continuity strategies: An assessment of planning, preparedness, response and recovery activities for emergency disasters. Review of Management Innovation & Creativity, 4(9), 55-69. Retrieved from http://www.intellectbase.org/articles.php?journal=RMIC&volume=4&issue=9 Internet Crime Complaint Center. (2011). Internet Crime Report. Washington, DC: National White Collar Crime Center and the Federal Bureau of Investigation. Retrieved from http://www.ic3.gov/media/annualreport/2011_ic3report.pdf Ivan, I., Milodin, D., & Sbora, C. (2012). Non security – Premise of cybercrime. Theoretical and Applied Economics, 19(4), 59-78. Retrieved from http://www.ectap.ro/ Khansa, L., & Liginlal, D. (2009). Quantifying the benefits of investing in information security. Communications of the ACM, 52(11), 113-117. doi:10.1145/1592761.1592789 Kuzma, J. M., Kenney, S., & Philippe, T. (2010). Creating an information technology security program for educators. International Journal of Business Research, 10(1), 172-180. Retrieved from http://www.iabe.org/domains/iabe/journal.aspx?journalid=12 Labodi, C., & Michelberger, P. (2010). Necessity or challenge – information security for small and medium enterprises. Annals of the University of Petrosani Economics, 10(3), 207-216. Retrieved from http://www.upet.ro/anale/economie/pdf/20100322.pdf Mensch, S., & Wilkie, L. (2011). Information security activities of college students: An exploratory study. Academy of Information and Management Sciences Journal, 14(2), 91-116. Retrieved from http://www.alliedacademies.org/Publications/Papers/AIMSJ_Vol_14_No_2_2011%20p%2091-116.pdf