CYBER CRIME

Louis D’Angelo
Creighton University Student, Finance 340 Principles of Insurance
December 01, 2000

EXECUTIVE SUMMARY

The Internet has dramatically changed our society. It has been one of the defining inventions of our time. The Internet can be used for shopping, communication, entertainment or research, and all from the comfort of our own homes. This invention has given birth to a new breed of companies known as the dot-com companies. However, with this new way of doing business comes a new type of criminal. These criminals are known as cyber criminals. This paper is aimed at identifying types of cyber crimes, specifically cyber extortion, credit card fraud, denial of service attacks (DOS), and the theft of intellectual property. In today’s age of the Internet, companies must put a great deal of thought into how they are going to protect themselves from potential attacks. This paper will discuss how, by using integrated risk management, a company can lessen its chances of being victimized by these cyber criminals. Finally, if an attack does occur, a company must have a way to recover the losses it suffered; this is where a new type of insurance policy comes into play.

Researching this topic was not that difficult. With all of the recent publicity that the Internet has been receiving, the only real problem was picking out what aspects of cyber crime I wanted to deal with. There were many different ways that one could have gone with this topic. For example, there have been numerous court cases resulting from the invention of the Internet. There has been much debate over the legal aspect of the Internet as it pertains to cyber crime. However, this paper takes a different route. The major portion of this paper is dedicated to the analysis of four different types of cyber crimes. Specifically, it looks at how frequently attacks occur, and the extent of damage one can expect when faced with a certain type of crime.
Losses that have occurred as a result of cyber criminals are astonishing. The majority of losses are in the millions. This may be a bit surprising because we don’t hear about every attack on every company, so we automatically think that these crimes do not occur that often. However, as this paper shows, cyber attacks occur more often than we realize, and the companies will do everything in their power to keep the attack quiet. Also included is the process of integrated risk management, which to many people’s surprise can actually help defend a company from these menacing criminals. Finally, insurance policies in the past have not traditionally covered Internet sites; but with the help of a few insurance brokers, companies now have a backup plan should they find themselves the victim of an attack.

There are only a few recommendations that I would give to these e-commerce companies. First, I would strongly suggest that they use the integrated risk management technique. It only makes sense that by fostering better communication across all facets of the company, the company would have better chances of staving off any would-be attacks. Second, the idea of a chief risk officer (CRO) is a good one. It would be in the company’s best interest to hire a person whose main focus is the potential risk a company may face. Last, a company must inform all of its employees of its policies on such matters, and what steps they should take if they discover the company is being, or has been, attacked.

Table Of Contents

Executive Summary ... 2
Introduction ... 5
Types of Cyber Crime ... 5
How Can We Stop These Crimes? ... 7
Conclusion ... 9
Glossary ... 10
References ... 12

Introduction

We live in an age of constantly changing technology.
Today we have luxuries such as cellular phones, GPS systems in golf carts that tell you exactly how far your ball is from the pin, and of course increased speed and power for our personal computers. These conveniences pale in comparison, though, to a tool that has affected the whole world. The Internet has had a huge impact on our lives. It can be used for research, communication, shopping or entertainment. The Internet has changed how we do business, and has given birth to a new breed of companies known as the dot-com companies. However, with all of the growth in the e-commerce world comes a new breed of criminals. These criminals are known as cyber criminals, and they can bring a large company to a halt from the comfort of their own home. Cyber crimes range from cyber extortion, to credit card fraud, to denial of service attacks, to the stealing of intellectual property. With all of these new types of crimes, and all of the news surrounding these crimes, it seems as if no company is safe.

There is some good news, though: a company can protect itself from these acts with the proper procedures, and in the event of an attack, the company can be prepared so that there is no major loss of business. One way of protection comes in the form of risk management, namely integrating risk management across the whole company. Should a company find itself victimized, there must be a way in which the company can recover losses and fix the problem in a very timely fashion. This is where a new policy of insurance comes in. Cyber crime is a relatively new issue, and one that needs to be addressed in order for a company to survive in this new era of e-commerce.

Cyber crime is becoming one of the Internet’s growth businesses. According to an article from BusinessWeek, the FBI estimates computer losses at up to $10 billion a year (2). It seems as if these types of crimes are far too easy to carry out.
The software that aids these criminals is readily available on the web; all one has to do is point and click. According to one estimate, “there are 1,900 Web sites that offer digital tools-for free-that will let people snoop, crash computers, hijack control of a machine, or retrieve a copy of every key stroke” (Sager et al., 2000, 3). You don’t have to be a computer super genius in order to run these programs either. These programs are so simple that an eight-year-old could launch their own attack.

Types of Cyber Crime

Cyber Extortion

One type of cyber crime that is committed all too often is known as cyber extortion. According to BusinessWeek magazine, cyber extortion bears a remarkable resemblance to dealing with a real-world kidnapping. First of all, the company must decide if it’s facing a serious case before it launches a response effort that can cost hundreds of thousands of dollars. Tim Belcher, chief technology officer of information-security firm RIPTech, recommends “…clients weigh the value of the damage to themselves vs. the potential liabilities. A small incident that’s a public embarrassment may very well not pay to prosecute” (Salkever, 2000, 2). If it has been determined that the cyber extortion is real, then it is crucial that the company’s decision makers are contacted as quickly as possible. At this point in time, the company may wish to pursue the offending hackers. Also, the company will want to analyze the breached areas of their security system so that there are no more attacks from that entry point (Salkever, 2000, 2).

There are no statistics that identify how many companies are affected by cyber extortion. One reason for the lack of statistics is that companies do not want to admit to a security breach. They do not reveal that they have been compromised for fear of future attacks and loss of business. “Almost all attacks go undetected-as many as 60%, according to security experts.
What’s more, of the attacks that are exposed, maybe 15% are reported to law enforcement agencies” (Sager et al., 2000, 5).

Credit Card Fraud

Credit card fraud is another form of cyber crime, and according to MSNBC, is said to be the perfect cyber crime. According to Stephen Orfei, vice president for electronic commerce and emerging technology at MasterCard, the Internet accounts for between 2 and 2.5 percent of total credit card transactions. In 1998 online fraud losses were between $10.5 million and $13.2 million (Brunker, 2000, 5). “An investigation by MSNBC has learned that while criminals based overseas now account for up to a third of all online fraud directed at U.S. e-businesses, there is no evidence that a single one of these crooks has been prosecuted” (Brunker, 2000, 1). It has emerged that these criminals have been so far untouchable to U.S. law enforcement, which is hampered by the patchwork of laws on white collar crime in other countries, jurisdictional questions, the indifference of some governments, and the fact that investigation of such a crime is both time consuming and expensive (Brunker, 2000, 2).

The cards are stolen from either mailboxes, or swiped through a card reader by accomplices working in a store or restaurant. This information is then transmitted to thieves overseas, who then start charging as much merchandise as they can in a short period of time to the Internet merchants. The merchandise is then delivered to vacant homes or living quarters rented under false names. By the time the e-merchant realizes the purchase was made using stolen credit cards, the merchandise and the crooks are gone (Brunker, 2000, 4). There have been improvements in the way that credit cards are tracked for fraud, but this problem seems to have no immediate and permanent solution.

Denial of Service Attack (DOS)

On February 6, 2000, Yahoo! Inc. was brought to a halt for three hours by a hacker or hackers.
The next day Buy.com was hit, and that same evening eBay, Amazon.com and CNN had all gone dark as well. As of right now, law enforcement does not know who committed these crimes, or simply won’t say. What we do know is that these companies were victims of a cyber crime known as denial of service (DOS). In the attack against Yahoo!, the hackers commandeered computers at various universities and companies lacking good security to bring down the targeted site. “With a DOS attack, what you do is break into a mass number of computers and establish what’s called a zombie program,” explains Bill Marlow, executive vice president of Global Integrity Corp. “The program is triggered at a certain time or message to access as fast as it can another site or sites” (Conley, 2000, 22). This basically brings the target site to a halt due to the overload of visits. It is hard to say exactly how much money a DOS attack costs a company, but if down for too long, an e-commerce company could lose millions of dollars. However, one estimate states that in 2000, there have been forty-six incidents, worth a total of $8.2 million in lost money (Harrison, 2000, 1). This figure is up from 1999, which means that this type of crime is on the rise.

Theft of Proprietary Information

Another form of cyber crime is the theft of proprietary information. In this age of technology, more and more companies are storing their information in digital form, approximately 80% (Sager et al., 2000, 5). This information is very important to companies, and proved to be the most costly of the cyber crimes, accounting for $66.7 million in losses (Harrison, 2000, 1). In a recent survey conducted by the Computer Security Institute (CSI), of the 273 companies surveyed, 70% of them reported theft of proprietary information (Harrison, 2000, 1). Companies spend a great deal of time and money gathering all of this information, and need to find better ways to protect against the theft of such property.
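The “zombie” pattern described in the DOS section, many commandeered hosts hitting one site at the same moment, leaves a recognizable signature in a web server’s access log: the request rate spikes while the number of distinct source addresses also jumps, which is what separates a distributed flood from one misbehaving client. The following Python detector is an added example, not code from the paper or from any of its cited sources; the log format, the sample lines, the baseline rate and the thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed common-log-style line: <ip> - - [<timestamp>] "<request>" <status> <bytes>
LOG_LINE = re.compile(r'^(\S+) - - \[([^\]]+)\] "[^"]*" \d{3} \d+')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (source_ip, timestamp) for a well-formed line, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    return m.group(1), datetime.strptime(m.group(2), TS_FORMAT)


def bucket_requests(lines):
    """Group requests into one-second buckets: {second: {source_ip: count}}."""
    buckets = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines instead of aborting the whole scan
        ip, ts = parsed
        buckets[ts.replace(microsecond=0)][ip] += 1
    return buckets


def find_flood_windows(lines, baseline_rps, rate_factor=10, min_sources=20):
    """Flag each second whose request count is at least rate_factor times the
    normal rate AND comes from at least min_sources distinct hosts, i.e. the
    distributed 'zombie' signature rather than a single noisy client.
    Returns a sorted list of (second, total_requests, distinct_sources)."""
    flagged = []
    for second, per_ip in sorted(bucket_requests(lines).items()):
        total = sum(per_ip.values())
        if total >= rate_factor * baseline_rps and len(per_ip) >= min_sources:
            flagged.append((second, total, len(per_ip)))
    return flagged


def build_sample_log():
    """Constructed sample data (not a real capture): one quiet second from two
    clients, then a burst of 200 requests from 50 hosts in the next second,
    plus one garbage line to exercise the malformed-line path."""
    lines = []
    for i in range(3):
        lines.append(f'10.0.0.{i % 2 + 1} - - [06/Feb/2000:10:20:00 -0800] '
                     '"GET / HTTP/1.0" 200 512')
    for z in range(50):
        for _ in range(4):
            lines.append(f'192.0.2.{z} - - [06/Feb/2000:10:20:01 -0800] '
                         '"GET / HTTP/1.0" 200 512')
    lines.append("this line is not a valid log entry")
    return lines


if __name__ == "__main__":
    for second, total, sources in find_flood_windows(build_sample_log(), baseline_rps=3):
        print(f"{second}: {total} requests from {sources} distinct sources")
```

Against a real log the baseline would come from measured normal traffic rather than a hard-coded value, and the same two counts (rate and distinct sources) can be fed into an alert rather than printed.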
How Can We Stop These Crimes?

These types of crimes are not just going to disappear. There needs to be more done to protect the companies from such attacks. Attorney General Janet Reno vowed to battle cyber crime, stating “We are committed to tracking down those responsible and bring them to justice” and ensuring “that the Internet remains a secure place to do business” (Sager et al., 2000, 4). The United States cannot go it alone. The companies have to be prepared to do battle as well. However, it seems as if these companies are still not able to protect their information. They spend money on complex and expensive security systems for their actual building and tangible property, but they have to realize that they need to put as much effort, if not more, into protecting their digital information.

The company must also protect itself from the inside out. There have been cases where the criminal was one of the employees. In fact, this is the biggest threat. “Law enforcement officials estimate that up to 60% of break-ins are from employees” (Sager et al., 2000, 3). With all of these cases of cyber crime, it seems as if no company is safe. However, there are numerous ways that a company can protect itself from attacks; and if an attack occurs, a company must have a contingency plan. The first step for companies is to secure their systems by locating the hacker programs that could be used in such attacks. Experts also suggest formal security policies that can be distributed to employees, letting them know how often to change passwords or what to do in case of an attack (Sager et al., 2000, 7). In addition, devices such as “smart” cards can be used to keep criminals from gathering information. Criminals can obtain passwords and other vital security information using a technique known as social engineering. With regards to their actual computer systems, complex networks and firewalls will help out as well.
Integrated Risk Management

If we are going to stop these crimes, Internet security must be the next growth business. This is where integrated risk management comes into play. Risk management has changed dramatically in the Internet age. “In the early 1990s, risk managers began to assume responsibility for all risks that affect the company-credit, market, operational, business and organizational-and thus emerged the concept of integrated risk management. Today, the evolved disciplines enable companies to implement effective and consistent process for protecting all of their assets” (Hernandez, 2000, 32). One step that a company must take to defend itself against attacks is to unite these disparate groups by improving its communication. Once there is a higher level of communication, the company will detect risks faster through the training of management and staff in basic decision skills. This will result in closer relationships, which leads to cooperative working between employees; common systems for reporting and measuring exposures; and knowledge sharing (Hernandez, 2000, 32). Some companies are also going so far as to appoint a Chief Risk Officer, or CRO. These employees are responsible for protecting corporate assets by implementing common processes and establishing consistent goals.

Insurance Policies

Another way that a company can be prepared when an attack does occur is by purchasing insurance. Many companies think that they are covered for cyber attacks, when, in fact, the coverage is questionable (Conley, 2000, 22). Most comprehensive general liability policies cover bodily injury and tangible property. This is where the coverage becomes shaky. Can digital information be considered tangible property? Most insurance brokers will tell you no. Their reasoning is that if a site is hacked, there is no bodily injury and no property damage. The policies were not originally written to cover cyber crimes.
There is some good news for risk managers, though: insurance brokers such as AIG, Zurich F&D, Lloyd’s of London, and other carriers have teamed up to offer NetSecure. NetSecure is a broad policy that covers a range of cyber risks, including first party and third party liability (Conley, 2000, 24). Most of these new e-commerce policies offer up to $25 million in coverage at a price somewhere between 2 percent and 3.5 percent of the limits purchased. The drawback of these new policies is the underwriting process. The company wishing to be insured must undergo an extensive audit of their computer systems, networks, online market places, security measures, and so forth. “This audit is paid for by the applicants, and is expensive, costing the companies anywhere from a few thousand dollars to hundreds of thousands” (Conley, 2000, 26). Not all companies need comprehensive insurance treatment. That’s where the smaller brokers specializing in e-commerce, such as Kaye Insurance Associates, come in. “Our value proposition is in handling the e-commerce risk transfer needs of small emerging-growth companies,” stated Michael Zeldes, executive director at Kaye (Conley, 2000, 26). Insurance for e-commerce is relatively new but is quickly becoming an important tool for the risk managers.

Conclusion

Cyber crime is a fairly new topic, but one that is being discussed more and more. Although cyber crime will never be stamped out one hundred percent, companies can ensure that they are not the targets of future attacks. There is not just one simple solution; rather, there needs to be multiple ideas integrated into one plan, and if that fails there needs to be a failsafe, such as insurance. As Dick Heydinger, risk manager at Hallmark Cards Inc., stated, “Just when you think you’ve battened down the doors, they figure out a new way to get in. The fact is you can never relax. You’ve got to always be one step ahead.” He pauses, then adds, “No, make that two steps ahead” (Conley, 2000, 26).
Glossary

Cyber extortion
Illegally obtaining information that belongs to a corporation via a computer, and then holding the information for ransom.

Chief Risk Officer (CRO)
A person in the company who reports to the CEO and is responsible for protecting corporate assets by implementing common processes and establishing consistent goals.

Denial of Service (DOS)
A Denial of Service attack is not a virus but a method hackers use to prevent or deny legitimate users access to a computer. DOS attacks are typically executed using DOS tools that send many request packets to a targeted Internet server (usually a Web, FTP or Mail server), which floods the server's resources, making the system unusable. Any system connected to the Internet equipped with TCP-based network services is subject to attack.

Firewall
A method for keeping a network secure. It can be implemented in a single router that filters out unwanted packets, or it may use a combination of technologies in routers and hosts. Firewalls are widely used to give users access to the Internet in a secure fashion as well as to separate a company's public Web server from its internal network. They are also used to keep internal network segments secure. For example, a research or accounting subnet might be vulnerable to snooping from within.

Hacker
There is a community, a shared culture, of expert programmers and networking wizards that traces its history back through decades to the first time-sharing minicomputers and the earliest ARPAnet experiments. The members of this culture originated the term `hacker'. Hackers built the Internet. Hackers made the Unix operating system what it is today. Hackers run Usenet. Hackers make the World Wide Web work.

Peak load balancing
When e-commerce companies experience spikes in demand at specific times. For example, during the holiday shopping rush many companies were unable to handle the capacity.
“Smart” cards
A credit card with a built-in microprocessor and used for identification or financial transactions. When inserted into a reader, it transfers data to and from a central computer. It is more secure than a magnetic stripe card and can be programmed to self-destruct if the wrong password is entered too many times. As a financial transaction card, it can be loaded with digital money and used like a travelers check, except that variable amounts of money can be spent until the balance is zero.

Social engineering
A term used among hackers for attacks that rely on weaknesses in humans rather than software; the aim is to trick people into revealing passwords or other information that compromises a target system’s security.

Zombie program
A program set up by a hacker that is triggered at a certain time or message to access as fast as it can another site or sites. The result overloads the site and brings it to heel.

References

Salkever, Alex. (2000, August 22). “Cyber-Extortion: When Data Is Held Hostage.” http://www.bwonline.com (accessed 2000, September 07).

Brunker, Mike. (2000, March 03). “E-Business vs. The Perfect Cybercrime.” http://www.msnbc.com (accessed 2000, September 07).

Hernandez, Luis Ramiro. (2000, June). “Integrated Risk Management in the Internet Age.” Risk Management, pp. 29-32.

Conley, John. (2000, July). “Outwitting Cybercriminals.” Risk Management, pp. 18-26.

Harrison, Ann. (2000, March 27). “Survey: Cybercrime cost firms $266M in ’99.” Computerworld, 13 (34), 28.

Sager, Ira; Hamm, Steve; Gross, Neil; Carey, John & Hof, Robert. (2000, February 21). “Cyber Crime.” http://www.businessweek.com (accessed 2000, October 09).