
Chapter 3 - Information Security Awareness Program

2.3 Importance of Information Security

Businesses and individuals are affected by threats, especially within the information technology sector.

Attackers can infect systems either by installing malicious code or by exploiting vulnerabilities in a system. Infected systems can be used in different ways to create profit for criminals. Criminals may use extortion, fraud and spam to make a profit. In the case of ransomware, access to the victim’s system is denied once it is infected. The victim has to pay a ransom to the criminal before access to the system is restored (O'Gorman & McDonald 2012). Extortion may be implemented through a Denial-of-Service (DoS) attack or by the theft of sensitive information from a company and threatening to sell or reveal that information to the public or competitors. Fraud involves the use of phishing attacks to steal information about individuals using an infected system: for example, the use of keyboard loggers to steal credit card details, passwords and other sensitive information (Provos, McNamee, Mavrommatis, Wang & Modadugu 2007).

Social engineering tactics are used to lure unsuspecting users to a website that infects the system with the use of ‘drive-by-download’ malware (2008). Drive-by-download infections occur when a user visits a website that subsequently redirects the user to another web page; this second web page then programmatically attempts to exploit the user’s web browser (Constantin 2014).

Browser hijacking can be used to force users to visit websites that make use of pay-per-click advertising (Polychronakis, Mavrommatis & Provos 2008). Spam is used to send e-mail that advertises products or services to as many users as possible (Stone-Gross, Holz, Stringhini & Vigna 2011). Malware can harvest e-mail addresses from infected systems or create an open relay e-mail service that will send e-mail from the infected system (Joe 2004). This is supported by Stewart (2006) who reported that online crime, for example phishing, spam and extortion, has a link to malware.

Miliefsky (2011) predicted an increase in unknown vulnerabilities from 2011. These unknown vulnerabilities are classified as zero-day vulnerabilities because the security community is not aware of the threat. This forecast was proved correct by the discovery of several new zero-day vulnerabilities since 2011. The security company Secunia compiled a report in 2015 which highlights the increase in new zero-day vulnerabilities (Secunia 2015). They reported that 25 new zero-day vulnerabilities were discovered in 2014 compared to the 14 zero-day vulnerabilities discovered in 2013. The following is not an exhaustive list but does indicate an increase in zero-day vulnerabilities:

Gregory and Glance (2013) conducted a review of information security trends from 2012 to 2013. One trend identified was the increase of malware targeting the Apple platform.

In April 2014, the Heartbleed vulnerability was discovered in the OpenSSL cryptography library (Zhang, Choffnes, Levin, Dumitras, Mislove, Schulman & Wilson 2014).

On 24 September 2014, Shellshock was discovered, subsequently allowing attackers to gain access to computer systems (Graham-Cumming 2014).

Padding Oracle On Downgraded Legacy Encryption (POODLE) was also disclosed in September 2014, allowing attackers to view encrypted messages (Zorz 2014b).

In October 2014, another zero-day vulnerability was disclosed which allowed attackers to embed malware into Microsoft PowerPoint files (Zorz 2014a).

Computer threats can be neutralised with the implementation of mitigation techniques. The deployment of software tools such as a firewall and an anti-virus (AV) suite onto computer systems protects against threats. An AV suite protects the computer system against infections by known computer viruses. However, the presence of an AV suite on a computer does not guarantee protection against unknown viruses, which are continually under development. This implies that a new variant of a virus may not be correctly detected by the AV suite. Another problem is that users are required to update the AV suite’s virus database regularly, which is impeded by two factors: firstly, they need to remember to update the database, and secondly, the database is usually a large download.

A feasible countermeasure is the promotion of information security awareness amongst users. Goodman, Kirk and Kirk (2007) noted that uninformed users could perform actions that might unintentionally infect systems with malware, which in turn provides cybercriminals with resources to fund their underground economy. Many attacks require the user to perform an action that allows malicious software to exploit vulnerabilities within a computer system. However, if the user had prior knowledge about the possible exploitation techniques, he could have employed mitigation techniques learned during an information security awareness program.

Consider the case of a user who opens an email from an unknown sender with an attachment. Cybercriminals could embed malware into attachments and then use email to deliver the malware to a wide variety of unsuspecting users. Such tactics decrease suspicion on the part of the user receiving the email with the malware (Razzaq, Hur, Ahmad & Masood 2013). The probability of exploitation is high if the user is not aware of this fact and mitigation is left to the AV to provide protection. In the case of the user having attended an information security awareness program that described these exploitation tactics, as well as a mitigation technique, the user could have deleted the email received from this unknown source and thus prevented a possible exploitation without relying on the AV to provide protection.

Also consider the case of users at companies being protected by measures implemented by their organisations. These measures could vary from anti-virus software running on the computers, to the use of intrusion detection systems and firewalls, to users attending computer and information security awareness programs. Even users with little computer and information security knowledge are, to a certain degree, protected by measures implemented by their organisations. This means that the computer and information security awareness level of the user could determine whether they will be lured into a phishing attack by a well-conceived social engineering attack or have their system infected with malware. Access to the Internet is usually carried out through the use of web browsers (Theobald & Dunsmore 2000). Users would, for example, use a web browser like Google Chrome, Microsoft Internet Explorer or Mozilla Firefox to access research papers, read news articles, do online shopping, use internet banking, and socialise through social networking. Polychronakis et al. (2008); Cavalca and Goldoni (2008); and Provos et al. (2007) have conducted research on web-based malware which indicates that the web browser is the primary vector of system infection. The report by Secunia (2015) disclosed a 42% increase in vulnerabilities identified across the major web browsers from 2013 to 2014.

Information security could be used to prevent or at least minimise data loss, maintain productivity, guard against cyberterrorism, outwit identity theft and prevent adverse legal consequences (Ciampa 2004).

The following list describes some cybercrimes that occurred between 2011 and 2014. This is not an exhaustive list and merely demonstrates the importance of security pertaining to information technology:

Cramer (2011) reported on a scam which targeted home users. The attackers used telephones to call victims at home. They impersonated computer security engineers from well-known computer companies, for example Microsoft, as part of their technique to build trust with the victims. Next the attackers would inform the victims about risks from one or another computer security threat and offer a free service to mitigate the threat. The attackers convinced the victims of a possible infection that required them to perform remedial actions to fix the problem. These included downloading and installing software from the attacker’s website or providing remote access to the victim’s computer system. This resulted in unauthorised access to the victim’s computer, which allowed the attackers to install additional malware for nefarious purposes like logging credit card details and authentication information and accessing personal information.

An amount of R42m was stolen from the Postbank in South Africa (Swart & Afrika 2012). Prior to this digital heist, the cybercriminals created bank accounts. The criminals waited until the offices of the company closed for the New Year and then used a compromised employee’s computer to access the servers and deposit money into their bank accounts. The heist started on the 1st of January 2012 and stopped on the 3rd of January 2012 when the offices opened for business. The legitimate account holders could not do anything to prevent this from happening; the focus is on the employee whose computer was used to access the server. In a banking environment, all computers require a username and password to access the computer. The employee could have used a weak password, shared the password with a colleague or written the password on paper. All these dangerous practices could be addressed by information security awareness programs that educate users on good password practices.

The Eurograbber campaign made use of the malware called Zeus to steal an estimated €36 million from over 30,000 customers across Europe in 2012 (Rashid 2012). Infected users had been lured to visit malicious websites. The malware could steal authentication credentials, which included usernames and passwords, and also intercepted banking sessions. The Eurograbber campaign also targeted mobile devices, including Android, BlackBerry, Symbian and ‘jailbroken’ iPhone systems.

In 2013 a series of attacks was launched against diplomatic, governmental and scientific research organisations in different countries. The main objective of these attacks was to harvest intelligence from compromised organisations. The attackers used email as the delivery mechanism to infect the victims’ computer systems (Kaspersky Lab 2014).

In 2014, hackers allegedly illegally accessed Apple services, which included iCloud, resulting in stealing and distributing nude photos of actresses. A flawed security design was bypassed by the attackers to gain access to the victims’ accounts. The attackers used a brute force password attack, resulting in access to the accounts (Stanford & Robertson 2014).

Knowledge of the different vectors that can be used to target assets is required. Vectors can be described as the options available to an attacker which could be used to target victims. For example, an attacker could target a laptop through the network, through malicious software or physically. Awareness of these attack vectors could assist in mitigating the potential threats (Beaver 2007). These vectors include but are not limited to:

Non-technical attacks – These attacks target the human element using manipulation techniques to lure the person to perform detrimental actions, like providing passwords to attackers or opening a file containing malware and thus infecting the computer system.

Network infrastructure attacks – The majority of devices like computers are connected to wired and/or wireless networks. Users are required to access networking services, for example email, to conduct their daily tasks. Attackers target networks in an attempt to disrupt network connectivity, as in the case where services are disrupted through a denial of service attack (Schuba, Krsul, Kuhn, Spafford, Sundaram & Zamboni 1997).

Operating system attacks – Computer devices require an operating system to provide the user with the capability to perform several tasks, which include writing a document, watching a movie, or accessing the Internet. Due to the complexity of operating systems, many vulnerabilities exist which attackers attempt to exploit. Vendors issue patches to fix the vulnerabilities, but many users omit to apply the patches, leaving the operating system vulnerable to attack.

Application and other specialised attacks – Attackers know that the latest operating system updates will prevent several exploitation possibilities. However, other opportunities still exist. As with operating systems, applications also have vulnerabilities which can be exploited. Examples of exploitable applications include but are not limited to web browsers (e.g., Mozilla Firefox), word processors (e.g., Microsoft Word) and multi-platform software (e.g., Java and Adobe Flash).

Security vendors have developed tools to address the different attack vectors, subsequently creating a market for information technology security mitigation controls. The following section describes the main security controls implemented by the majority of computer end users, which include novice and advanced users.