CYBERCRIME DEFINED…… DETECTED…… DEFEATED! © Rita Hyland Consulting, LLC
Page 1

CYBERCRIME DEFINED…… DETECTED…… DEFEATED!

© Rita Hyland Consulting, LLC

Page 2

Vision of the Future Computer (à la 1950's!)

Page 3

DEFINED

Cybercrime is any crime wherein a computer is an essential factor in the perpetration of the crime itself.

However, the difficult questions are: what constitutes a crime? How do we detect it? And ultimately, how can we defeat it?

Page 4

The Laws

The Communications Decency Act (CDA) of 1996, Title V of the Telecommunications Act of 1996

Goal: to control internet pornography

Janet Reno v. Civil Liberties Union – free speech versus public interest

Child Online Protection Act (COPA)

Section 230: “No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.”

Star Trek Case – Carafano v. Metrosplash (2003)

Page 5

Digital Millennium Copyright Act (DMCA) – criminalizes the production and dissemination of technology that can circumvent measures to protect copyright

Online Copyright Infringement Liability Limitation Act (OCILLA), section 512 of the DMCA – limits the liability of online providers

DMCA case law example: Chamberlain v. Skylink

CAN-SPAM Act of 2003 – the bill's full name is an acronym: Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003. Establishes national standards for the sending of commercial e-mail

The Federal Trade Commission enforces the provisions

Page 6

Unsolicited commercial e-mail is permitted if the following requirements are met: an opt-out mechanism; a functioning return e-mail address; a valid subject line indicating it is an advertisement; the legitimate physical address of the mailer.

Prohibits the sale or transfer of e-mail addresses obtained through an opt-out request

Prohibits sexually oriented spam without clear markings

Criminalizes sending e-mails with a falsified header

Pre-empts state anti-spam laws

Does not allow e-mail recipients to sue the spammers, but this may be allowed under state law

Page 7

CAN-SPAM UPDATE: Federal Trade Commission action – Tuesday, January 11, 2005: the FTC froze the assets of several companies and 5 individuals for failing to send e-mail with the “SEXUALLY EXPLICIT” warning in the header.

Page 8

HIPAA – Health Insurance Portability and Accountability Act – 1996

Privacy Standards – HHS promulgated rules regarding confidentiality, access, and disclosures

Security Standards – entities must establish procedures and mechanisms to protect the confidentiality, integrity and availability of electronic protected health information

Most entities must comply by April 21, 2005

Business Associate – Sec. 160.103 includes some of the functions or activities, and all of the types of services, that make a person or entity who engages in them a business associate, if such activity or service involves protected health information.

Page 9

Sarbanes-Oxley Act of July 30, 2002

Follows in the wake of high-profile scandals such as Enron and WorldCom

Improves accuracy and reliability of corporate disclosures made pursuant to the securities laws

Includes provisions addressing audits, financial reporting and disclosure, conflicts of interest, and corporate governance of public companies

Title IV, Section 404 – requires an internal control report

CEOs and chief financial officers must personally vouch for the truth and fairness of their companies' disclosures

The accounting profession will be regulated by an independent board

Page 10

GLBA – Gramm-Leach-Bliley Act, the Financial Modernization Act of 1999

Protects personal financial information held by financial institutions, establishing standards for collection, disclosure and security of data collected.

UPDATE: Massachusetts Bankers Association v. Division of Banks and the Division of Insurance – the US District Court overturned four state restrictions on the sale of insurance – the GLBA preempts state law.

Page 11

THE CRIMES

Spam – essentially unwanted e-mails

Dictionary Attacks – 40% success rate

Internet Protocol Spoofing – forging the header to imitate another machine/network

Hijacking

Trojan Horse – non-replicating

Worm – self-replicating

Open Mail Relays – routing through third-party servers

Phishing – luring sensitive data by masquerading as a trusted source, such as a bank or credit card company

Page 13

VULNERABILITIES

Netsky Worm: sends out copies using a built-in SMTP engine and a spoofed sender name; gathers recipients from the infected system; generally mimics an e-mail delivery notification; automatic execution of attachments

W32/Zafi Worm: copies itself to the Windows system folder with the file name “Norton Update.exe”; harvests e-mail addresses from Outlook and from files on the hard drive

Virus Growth – in 2004 there were 17,000 new viruses introduced, i.e. 46 per day!

Employee Attacks – an area of particular vulnerability for firms

Wi-Fi Capability and Bluetooth – 60% remain unprotected!
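As an added illustration (not part of the original deck), a small Python triage routine that checks a single e-mail for the Netsky/Zafi traits listed above: a subject that mimics a delivery notification, a From domain that differs from the envelope sender in Return-Path, an executable attachment, and the “Norton Update.exe” file name. The sample message, the header values and the indicator names are constructed for this example.

```python
import email
import re
from email import policy

# Constructed sample (not real worm traffic): bounce-style subject, executable
# attachment named as in the Zafi bullet, From domain differing from Return-Path.
SAMPLE_WORM_MAIL = """\
Return-Path: <infected-host@home-isp.example.net>
From: "Mail Delivery System" <postmaster@bank.example.com>
Subject: Mail Delivery failure
Content-Type: multipart/mixed; boundary="BOUNDARY1"

--BOUNDARY1
Content-Type: text/plain

Your message could not be delivered. See the attached report.
--BOUNDARY1
Content-Type: application/octet-stream; name="Norton Update.exe"
Content-Disposition: attachment; filename="Norton Update.exe"

MZ-stub-constructed-for-this-example
--BOUNDARY1--
"""

# Extensions Windows executes directly; mass-mailers of the era used these.
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
# Subject wording that imitates a bounce / delivery-status notification.
BOUNCE_RE = re.compile(r"delivery (failure|failed|status)|undeliver|returned mail|mail delivery", re.I)

def _domain(header_value):
    # Lower-cased domain of the first address in a header, '' if none.
    m = re.search(r"@([\w.-]+)", header_value or "")
    return m.group(1).lower() if m else ""

def triage(raw_message):
    """Return the worm-style indicators found in one RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    if BOUNCE_RE.search(msg.get("Subject", "")):
        hits.append("bounce_lookalike_subject")
    from_dom, envelope_dom = _domain(msg.get("From")), _domain(msg.get("Return-Path"))
    if from_dom and envelope_dom and from_dom != envelope_dom:
        hits.append("sender_domain_mismatch")      # spoofed sender name
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(EXEC_EXTS):
            hits.append("executable_attachment")   # relies on auto-execution
        if name == "norton update.exe":
            hits.append("zafi_filename")           # file name from the Zafi bullet
    return hits
```

A mail gateway would log or quarantine on two or more hits rather than on any single one, since legitimate bounces also match the subject pattern.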

Page 14

LAW ENFORCEMENT

HHS – enforces HIPAA

Securities and Exchange Commission (SEC) and Public Company Accounting Oversight Board (PCAOB) – oversee the Sarbanes-Oxley Act

Eight federal agencies – administer and enforce the Gramm-Leach-Bliley Act

FBI – Federal Bureau of Investigation

Page 15

FBI FACTS & STATISTICS

IC3 – Internet Crime Complaint Center, a 2003 partnership with the National White Collar Crime Center

Auction fraud comprised 61% of complaints

79% of perpetrators are male

64.8% of complainants had e-mail contact with the perpetrator and 19.4% via a web page

USA – 93% of worldwide complaints

Map – concentration of Internet fraud activity

Page 16

PREVENTION & DETECTION

$7 trillion business – highlights the need for detection and prevention in e-commerce

Prevention: security protocols; firewalls; virus protection; spyware protection or detection; automatic filtering features or stand-alone programs; biometrics – fingerprint, voice recognition and ocular recognition are examples; potential employee scrutiny – screen for characteristics such as trustworthiness, loyalty and integrity

Page 17

TRANSFERRING THE RISK

First Party Exposures

Physical loss or damage – traditionally required

Indemnity period – also usually requires physical loss or damage, and even where Electronic Data Processing Media coverage exists it is often limited to the time needed to replace or restore the lost or damaged media

Employee dishonesty – normally excluded in the commercial coverage forms

Solutions: expand definitions; remove exclusions

Page 18

Third Party Exposures

Invasion of privacy – standard CGL usually requires dissemination, not just gathering, of data

Infringement of intellectual rights – the standard CGL may not cover web content and “advertising”, or the infringement may originate from a third party and not the insured

Damage to third-party data, software, programs or computer networks – may not be “property damage” per the policy definition

Financial loss to customer or vendor / professional liability – no “physical injury to tangible property”, as for example in a DoS attack

Patent infringement – often not covered by the standard CGL policy

Page 19

CARRIERS' FIRST RESPONSE

Carriers narrow the standard coverage

Expressly stated that computer data is not tangible property; thus if a virus is spread to a vendor or customer, there would be no coverage afforded.

Personal and advertising injury specifically excludes liability arising out of electronic chatrooms and bulletin boards

The traditional broadcasting, telecasting or publishing exclusion was expanded to include Web site design, Internet service provider activities, etc.

Specific exclusion for unauthorized use of domain name, e-mail address, etc.

Some exclude personal and advertising injury arising out of infringement of intellectual property rights.

Page 20

CARRIERS OFFER CYBERINSURANCE

Major carriers – stand-alone policies for e-commerce risk

Smaller start-up companies versus larger companies

Address high-tech exposures such as legal liability to third parties, public relations expense, lost income, cost of recovering data

Awareness of the need for coverage is growing in the market

Page 21

UNDERWRITING ISSUES

Is there a written IT Security policy? Does it outline areas of responsibility and access?

Personnel Security – background checks, monitoring, etc.

Computer and Network Protection such as access control, firewalls, anti-virus, remote user control, outsourcing controls, etc.

What is the timetable and procedures for system reviews and checks?

What access controls are in place?

Page 22

What tools are in place to recognize an intrusion? To determine its source?

What procedures are in place in the event of an intrusion?

What business plan is in place to assure minimal loss in the event of a security breach, DoS, etc.; reporting to authorities; protection of forensic evidence; etc.?

What contracts and/or agreements are in place with others who advertise on the insured's Web site or vice versa?

Are WLANs (wireless LANs) utilized and, if so, what security response protocols are in place?

Page 23

E-BUSINESS RISK COVERAGE

Web site publishing liability – such as libel, copyright, trademark, and service mark infringement arising out of web site publications

Network security liability – failed security resulting in unauthorized access to personal data maintained by the insured

Replacement or restoration of electronic data

Cyber extortion

Business income and extra expense

ISO Cyber Risk Program 2005

Page 24

Provisions

Coverage is on a claims-made basis

Each coverage agreement has its own aggregate limit as well as an overall policy limit.

Defense and claims expense may be within the policy limits and may apply to the deductible

World-wide coverage may need to be endorsed

The coverages are optional and allow customization and flexibility

Convenient on-line delivery

ISO Cyber Risk Program 2005

Page 25

Limitations

The ISO CyberRisk Program has wide application but is not intended for: financial institutions; web content providers; publishers; broadcasters; Internet service providers; etc.

ISO plans for expansion of the program

Several major carriers have responded to the need for the coverage with their own E-Commerce Risk Programs

Page 26

THE END!

Page 27

USEFUL WEB SITES

http://www.webopedia.com
http://www.4law.co.il/
http://www.cybercrime.gov/
http://uk.fc.yahoo.com/h/hackattacks.html
http://www.e-lawconsultant.com/cybercrime/
http://mishpat.net/law/Cyberlaw/cyber_crime/
http://www.internetnews.com/
http://www.internetintegrity.co.uk/Glossary_Search.asp
http://www.naiw.org/HTM/cyber_crime.htm
http://www.wikipedia.org
http://www.fbi.gov/cyberinvest/cyberhome.htm
http://www.sophos.com/
http://www.komando.com/
http://www.ftc.gov/bcp/conline/edcams/infosecurity/

Page 28

ACKNOWLEDGEMENTS

Insurance Services Office

Michael A. Rossi of the Insurance Law Group, Inc.

Gary Sorensen, President, ZT Planet

Steve Sanchez, Technology Underwriter, CNA Insurance

Ed Cohen, Sr. Sales Consultant, Telemanagement Systems, Inc.

Jeff Geyer, Senior Vice President – Hire Golden