Introduction
The internet era has brought with it numerous benefits, and risks as well. One of the risks associated with the use of the internet is attack through cyberspace. Cyber attacks render the United States and other nations vulnerable to attacks on their government operations, financial institutions, military operations, and intelligence gathering functions. Each form of cyber threat endeavors to achieve specific goals. If we are to protect our networks and systems from such threat actors as hacktivists and cybercriminals, we must first try to understand the nature of such attacks (Libicki, 2009). This report is divided into two parts. Part one is dedicated to researching and analyzing such types of cyber attacks as fraud, destructive attacks, intellectual property theft, and denial of service. In each of these cases, an attempt will be made to provide a documented example, along with the motivation behind the attack. The ensuing damage shall also be described, and the existing vulnerabilities examined. Further, the report shall explore the factors behind the successful exploitation of these vulnerabilities. Any prosecutions or prevention techniques put in place will be discussed. The impact of the attack shall also be examined. Part two of the report is a brief description of the Common Vulnerabilities and Exposures database.
Issues Analysis
Fraud
The pyramid scheme advertised by Fortuna Alliance on the internet is an example of a fraud attack in cyberspace. The firm tried to entice customers by promoting its services as a personal marketing expert. Fortuna Alliance claimed that paying $ 250 a month would result in a monthly income of $ 2,250 (Aguilar, 1996). The marketing ad that appeared on the internet claimed that after the initial investment of $ 250, you did not have to make any further payments, as these would be deducted from the “profits” earned. The firm claimed that the high profits were due to the fact that it had implemented a mathematical formula known as the “Fibonacci series”. The firm had managed to recruit some 15,622 investors. The one-time contributions varied between $ 250 and $ 1,750 and in total, the unfortunate investors contributed $ 6 million. Fortuna Alliance claimed to offer different forms of membership to its customers. In addition, the firm was also involved in the sale of some 250,000 profit-sharing certificates, each of which retailed at $ 100. The firm claimed that the certificate would give customers a return of 20% during the first year. Meanwhile, the FTC was suspicious of the activities carried out by Fortuna Alliance, and in May 1996 it began investigating the firm on grounds that it was inducing unsuspecting customers to enter into the scheme in the hope of making huge incomes that would never materialize. Consequently, five officers of the firm were sued by the FTC for operating a classic pyramid scheme, which is illegal. Fortuna Alliance was accused by the FTC of transferring funds allegedly belonging to its customers and stashing them in an account in Antigua, West Indies. The money was thought to be approximately 3.55 million. The US government acted quickly and had the bank account that Fortuna Alliance held in Antigua, West Indies frozen.
Finally, Fortuna Alliance agreed to settle in February, meaning that it was to pay its customers approximately $ 5.5 million in redress.
Destructive Attack
A destructive attack refers to malicious damage to the database, website, or system of an organization. Normally, the culprit will have gained unauthorized access to the system in question with a view to undertaking his/her malicious actions.
The case of Adrian Lamo vs. The New York Times is a classic example of a destructive attack in cyberspace. Lamo acknowledged that in February 2002, he gained unauthorized access to the New York Times database. Over 3,000 individuals who had contributed to the Op-Ed page of the paper had their personal information saved in this database, and Lamo had access to it. In addition, he also confessed that he had proceeded to create a user account with the LexisNexis online information service using the Times account (Find Law, 2003). He then proceeded to make over 3,000 searches using this account over a period of more than 3 months. Using the paper’s LexisNexis account, Lamo conducted research, had access to, and changed confidential databases. He claimed that his motivation for hacking into the New York Times database was to experience the hack value. This is an idea held by hackers that something is interesting and, as such, is worth doing. After pleading guilty to the charges leveled against him, Lamo faced a fine of $ 250,000 for the crimes he had committed. In addition, he could also have ended up in prison for a maximum of 5 years. However, the court ordered him to pay restitution amounting to $ 64,900 in addition to the two years’ probation that he was sentenced to.
Intellectual Property
A perfect example of intellectual property theft was the case involving a former General Motors engineer. Shanshan Du was employed by General Motors in 2000 as a hybrid vehicle specialist. Unknown to her employers, she was secretly collecting computer files and design documents on how to manufacture hybrid cars. In 2005, Du left General Motors and started Millennium Technology International Company with her husband, Yu Qin. They then tried to sell the information that Du had collected secretly while at General Motors to foreign countries (Micrimdefense, 2011). The motivation behind Du’s decision to steal the intellectual property of her employer could be attributed to greed and unfulfilled ambitions that she never realised while at General Motors. Information from the Federal Bureau of Investigation claims that the intellectual property that Du had stolen from General Motors never reached China. In 2006, the FBI began to investigate the two on grounds of intellectual property theft. This prompted Du and Qin to begin destroying the secret documents that they had amassed to ensure that they would not be held accountable in case they were caught. The strategy backfired, and the FBI pressed charges against the two on grounds of destruction of evidence. Criminal charges were also pressed against the couple. A flash drive that contained the stolen documents was finally seized from Qin by law enforcement officials and consequently, the two were arrested. Later, e-mail correspondence believed to have been between Chinese auto makers and the two suspects was discovered by detectives. The e-mail correspondence indicated how the two suspects had tried to sell the stolen documents. Armed with this vital information, the police had enough grounds to arrest Du and Qin.
Companies such as General Motors can efficiently and effectively prevent intellectual property loss by leveraging a strong collection of information security controls (SETEC Investigations, n. d.), including but not limited to ensuring that electronic evidence is properly preserved.
Denial of Service
On February 7, 2000, Yahoo! experienced a three-hour outage caused by a malicious attack whose sole purpose was to intentionally disable the service. This was a denial of service attack that clearly overwhelmed the routers of Global Center, the company contracted by Yahoo! to host its website (Grice, 2000). In the few months leading up to the attack, the FBI and the National Institute of Standards and Technology had issued warnings about possible denial of service attacks. In late December 1999, the FBI stated that it had discovered tools necessary for initiating such attacks. They had been secretly installed on various computer systems across the Net, and the owners had neither given permission for such installations nor had any knowledge of their existence.
To help companies such as Yahoo! prevent future episodes of denial of service, Cretzman and Weeks (2012) have recommended a number of practices that such companies can adopt. First, such companies need to maintain an audit trail that shows what was changed and the reason behind such changes. Emergency Operating Procedures should also be created. In addition, companies should create awareness among their employees of old configurations, as well as their functions. More importantly, companies should try to anticipate denial of service attacks by imagining what hackers would do to gain unauthorized access to their websites.
The Common Vulnerabilities and Exposures (CVE) database
This is a free dictionary that contains well-known information security exposures and vulnerabilities for use by the public. The database has common identifiers that enable the exchange of data between various security products. In addition, the CVE database gives a baseline index point that has proved useful in assessing the coverage of different services and tools (CVE, 2012). Moreover, the website has explored the widespread use of CVE in such areas as vulnerability management, vulnerability alerting, intrusion detection, US-CERT Bulletins, patch management, the National Vulnerability Database, and SANS Top Cyber Security Risks (CVE, 2012). The database has also defined CVE Identifiers. These are the common and unique identifiers for information security vulnerabilities known to the public. The procedure for creating a CVE Identifier has also been explored. Web sites, alerts/advisories, services, and databases that utilize CVE Identifiers for CVE-compatibility are listed (CVE, 2012). Also, the database has listed organizations that are working to ensure their products and services are compatible with the CVE program.
What I have learnt about the assignment
Writing this assignment has enabled me to gain an in-depth analysis of the various forms of cyber attacks encountered by businesses every day. I have come to appreciate the fact that cyber attacks are significant issues of national concern to a country because they tend to impact greatly on not just the economy of the country in question, but also on the political and military realms of the country. For example, in case hackers are able to hack into the websites of either the FBI or the CIA, then the security measures of our country would be compromised to a great extent. Moreover, writing the assignment has enabled me to come to terms with the fact that money is not the only motivation behind the actions of individuals who hack into the websites and databases of organizations. Many of them do it in order to gain the hack value, that is, the excitement of having undertaken such an illegal activity. Furthermore, I am now acquainted with some of the remedial actions that organizations and individuals can adopt in order to keep cyber attacks at bay.
Conclusion
Protection of the information medium (cyberspace) is now regarded as an issue of national interest owing to its significance to military power and the economy (Libicki, 2009). Different cyber attackers are driven by different motivations, including the need to steal information, disrupt operations, or make money. It is important to know the motivation behind each cyber attack in order to design the most appropriate strategy to counter it. Due to the proliferation of cyber attacks in recent years, policymakers and strategists are slowly coming to terms with the darker side of cyberspace (Arquilla & Ronfeldt, 2001). However, if these policymakers and strategists are to succeed in the war against cyber crime, they must try to forge closer cooperation with nonstate actors and nongovernmental organizations as well.
Reference List
Aguilar, R. (1996). Pyramid cases at peak of online fraud. Web.
Arquilla, J., & Ronfeldt, D. F. (2001). Networks and netwars: the future of terror, crime, and militancy. Santa Monica, California: Rand Corporation.
Cretzman, M., & Weeks, T. (2012). Best Practices for Preventing DoS/Denial of Service Attacks. Web.
CVE. (2012). Common Vulnerabilities and Exposures. Web.
Find Law. (2003). United States v. Adrian Lamo. Web.
Grice, C. (2000). How a basic attack crippled Yahoo. Web.
Libicki, M. (2009). Cyberdeterrence and Cyberwar. Santa Monica, California: Rand Corporation.
Micrimdefense. (2011). Former GM Engineer Arrested For Intellectual Property Theft. Web.
SETEC Investigations (n. d.). Investigating Intellectual Property Theft. Web.