
Part 6 - Conclusion (RAJESH TANDUKAR)

Introduction to Hacking:

This paper explores the fast-growing Cyberworld and
its components. It starts with definitions of who a hacker is and what a
cybercrime is. Types and offenses of cybercrime are addressed as well. The paper
concentrates on the possibilities to protect ourselves from cybercrime, and to
guard the Cyberworld from us. Therefore, it emphasizes the importance of users’
education, starting from an early age, the creation and enforcement of policies,
and awareness training. The paper presents laws applicable to computer-related
crime, highlights the U.S. Department of Homeland Security’s involvement,
and investigates why businesses do not report hackers’ attacks and
why it is important.

Every year, privacy and ethical behavior play a more
important role in our lives than the year before. Being ethical is a new
requirement on the job market in any field, but it is especially important in
security-related areas. The rapid conversion of more business data
into electronic format creates constant pressure on the businesses involved
because of their liabilities in data protection. Electronic data security is a
relatively new area of growth, which requires everybody’s input to make it work.
Information technology professionals enhance their skills to use computer
mechanisms to secure data transactions and restrict unauthorized data
access, while achieving the fastest possible data retrieval. Unfortunately, some
skilled professionals use their abilities to harm society by
finding vulnerabilities in companies’ systems and attacking them,
creating and distributing virus-containing code, and finding ways to avoid
paying for desired services. These are not just wrong and unethical but
also criminal activities, which are prosecuted in accordance with U.S. laws.

Sukhai, N.B., 2004, October. Hacking and
cybercrime. In Proceedings of the 1st annual conference on Information
security curriculum development (pp. 128-132). ACM.

Typologies of Hacking:

There are hundreds and hundreds of definitions of
“hackers” on the Web. Combining them all, we get a computer enthusiast
who enjoys learning programming languages and computer systems and can often be
considered an expert on the subject, one who has mastered the art and science of making
computers and software do much more than the original designers intended.
“Hackers are computer professionals, with skills… Hackers built the Internet.
Hackers made the Unix operating system what it is today. Hackers run Usenet.
Hackers make the World Wide Web work. If you are part of this culture, if you
have contributed to it and other people in it know who you are and call you a
hacker, you’re a hacker” (Raymond E., 2001).

A hacker is a very talented programmer, respected by
his peers. A true hacker can find plenty of useful projects to work on;
breaking things is more a characteristic of children of any age. The basic
difference is this: hackers build things; crackers break them. According to
Raymond, real hackers consider crackers lazy, irresponsible, and not very
bright and want nothing to do with them. Unfortunately, many journalists and
writers have been fooled into using the word “hacker” to describe “crackers”,
which obviously upsets real hackers (Raymond E., 2001). Sadly, we have to
join the majority and use the term “hacker” in this paper to refer to
individuals who cause so much harm in society.

Laws related to Hacking in Australia:

Major Incidents of Hacking observed in Australia:

Motives for Hacking:

Hackers break the law for a number of reasons,
listed here in order from less harmful to more serious (if we can even classify
them this way). Hackers do it:

· Because they know how and can, either by being smart and figuring out how to, or by getting the instructions and tools from hacker friends

· Because they like the challenge of breaking into something so secure

· Because they get a thrill from doing illegal activities and hoping not to get caught

· Because they seek publicity

· Because they want to take revenge

· Because they are getting paid (though most hackers are passionate about breaking into the system and do it for free)

Consequences

Assessing the consequences of an industrial cyber attack is not simply a
case of assigning a financial value to an incident. Although there are obvious
direct impacts which may be easily quantifiable financially (e.g. loss of
production or damage to plant), other consequences may be less obvious. For
most companies, the impact on reputation is probably far more significant than merely
the cost of a production outage. The impacts of health, safety or environmental
incidents could be highly detrimental to a company’s brand image. Even impacts
such as minor regulatory contraventions may in turn affect a company’s
reputation, and threaten their license to operate. (E Byres, J Lowe, 2004)

 

Therefore, hacking, being a cyber crime, has
both short-term and long-term impacts on its victims, which include (Choo,
K.K.R., 2011):

Short-term impacts

· Adverse effects on individual users by hampering their ability to receive information and conduct transactions.

· Obstruction of the day-to-day activities of businesses and government.

Long-term impacts

· Breaches of national security (e.g. leakage of confidential government information)

· Loss of public faith in the government

· Shutdown of businesses and industries

Final words

The above analysis indicates that there is a clear shift in the source
of cyber attacks on industrial control systems because of the mushrooming threats.
Threats originating from outside an organization are likely to have very
different attack characteristics to internal threats. Thus, companies may need
to reassess their security risk model and its assumptions.

In addition, the variation in the infiltration paths indicates a wide
variety of vulnerabilities available to the attacker. Considering the
difficulty of closing off all of these avenues, it would be wise to assume
there will be boundary breaches and harden the equipment and systems on the
plant floor to withstand possible attack. In effect, companies need to deploy a
“defense in depth” strategy, where there are multiple layers of protection,
down to and including the control device.

Achieving a defense in depth solution for industrial systems will
require at least four steps. On the system design side, it is recommended that
more internal zone defenses and more intrusion detection be deployed. Companies
may also need to re-evaluate boundary security in terms of all possible
intrusion points and not just focus on the obvious connections such as the
business-process link. A single firewall between the business network and control
system network is likely to miss many intrusions and will offer little security
once the attacker is inside the control system network.

From the control system manufacturers’ side, SCADA and automation
devices need to undergo security robustness design and testing prior to
deployment in the field. SCADA & control protocols should also be improved to
include security features. Currently most devices appear to be highly
vulnerable to even minor attacks and have no authentication/authorization mechanisms
to prevent rogue control.

Failure to adapt to the changing threats and vulnerabilities will leave
the controls world exposed to increasing cyber incidents. The result could
easily be loss of reputation, environmental impacts, production and financial
loss and even human injury.

(Acsc.gov.au., 2018). 

 

Recommendation

The likely impact of being unable to view or control
the process or system is an increased reliance on emergency and safety systems.
Traditionally these systems have been totally independent of the main control system
and generally considered ‘bullet proof’. However, mirroring the trend in the
design of the main control systems, these emergency systems are also becoming
based on standard IT technologies (such as TCP/IP). They are increasingly being
connected to or combined with the main control system, increasing the
potential risk of common mode failure of both the main control system and the
safety systems. Consequently, in the future, the systemic risks zone defense
and more intrusion detection to be deployed. Companies may also need to
re-evaluate boundary security in terms of all possible intrusion points and not
just focus on the obvious connections such as the business-process link. A
single firewall between the business network and control system network is
likely to miss many intrusions and will offer little security once the attacker
is inside the control system network.

From the control system manufacturers’ side, SCADA
and automation devices need to undergo security robustness design and testing
prior to deployment in the field. SCADA & control protocols should also be
improved to include security features. Currently most devices appear to be
highly vulnerable to even minor attacks and have no
authentication/authorization mechanisms to prevent rogue control. Key security
controls should be applied to both the customer’s and provider’s networks –
with tailored security controls in place.

Failure to adapt to the changing threats and
vulnerabilities will leave the controls world exposed to increasing cyber incidents.
The result could easily be loss of reputation, environmental impacts,
production and financial loss and even human injury.

 

Byres, E. and Lowe, J., 2004, October. The
myths and facts behind cyber security risks for industrial control systems.
In Proceedings of the VDE Kongress (Vol. 116, pp. 213-218).

The participants found that no single solution could
solve any of the issues raised in the scenarios. All plausible solutions required
multiple actors: government, the private sector, and consumers. Often, as
anticipated in Australia’s Cyber Security Strategy, these actors would need to
coordinate their efforts.

However, the exercise revealed areas in which
collaboration between sectors occurs solely through informal relationships rather
than being mandated through official duties and authorities, clearly defined
roles and responsibilities, or formally agreed-upon processes and procedures
for handling crisis events.

This introductory exercise provided an opportunity
for stakeholders from varying industries and government disciplines to begin
identifying challenges to the status quo and propose solutions. Future
exercises could develop ideas about how to implement the proposed solutions or
how to avoid unintended consequences. The types of consequences that could
be explored in future events include the solutions’
impact on Australian industries, innovation, trade (imports and exports), procedures
for criminal investigations and prosecutions (domestically and across
international borders), and Australia’s ability to keep multiple options open
when responding to national security events.

One key lesson was that finding satisfactory
resolution to the scenarios in the exercise is difficult after a crisis has occurred.
Proactive measures need to be implemented in advance to avoid attacks or dampen
their effects, and such responses require establishing mechanisms to prevent or
mitigate a crisis, communication and relationships across sectors that can be
leveraged during a crisis, and contingency plans when attacks happen despite
all efforts to prevent them. Australia’s Cyber Security Strategy acknowledges
that more effort is needed in this area. Exercise participants often suggested
creating cyber security standards, such as product safety standards, minimum security
requirements for product importers, and mechanisms to measure, modify, and
enforce standards. This topic was discussed more frequently than many other
solutions and could serve as an initial area for the government to pursue
changes.

Pursuit of this topic could have the secondary
impact of facilitating stronger relationships and lines of communication between
government and industry, establishing new government authorities for cyber
security, and laying the foundations for future policy advances in law
enforcement, diplomacy, and national security.

Discussions about cyber security standards and
enforcement included three goals that should be explored collectively to
develop cohesive solutions. First, exercise participants believed that
standards would need to be more stringent for medical devices, vehicles, and
other product groups that could jeopardise public safety. Thresholds could be
lower for pedometers, household appliances, and other products that could be hacked
but pose a lower risk to user health and safety. Second, future exercises could
consider how policy development, including the Australian Government’s next
Cyber Security Strategy, should challenge assumptions about government roles,
responsibilities, and authorities and incentivise a broader range of government
and non-governmental stakeholders to participate in building and implementing
cyber security solutions. (Igor Mikolic-Torreira, Don Snyder, Michelle Price,
David Shlapak, Sina Beaghley, Megan Bishop, Sarah Harting, Jenny Oberholtzer,
Stacie Pettyjohn, Cortney Weinbaum, and Emma Westerman, 2016)

References

https://nsc.crawford.anu.edu.au/sites/default/files/publication/nsc_crawford_anu_edu_au/2017-08/issues_and_options_paper-3_2_0.pdf
Accessed 13 Jan. 2018.

 

The Internet is not only a tool to use for work, study
or pleasure but a very important part of our life in general. It gives that
magic feeling of accomplishing things while being invisible, but this invisibility may
lead to actions we normally wouldn’t do in person or in public – actions that
might be wrong. The relatively new terms “cybercitizenship”, “cyber
ethics”, and “netiquette” refer to responsible cyber social
behavior, to what people do online when no one else is looking. Reasonably, we
need to educate all Internet users on the rules and consequences of being online in
order not to be victims of our own ignorance. One of the young explorers did
not intend to do any damage and did not realize he was doing anything unethical
or illegal, but he was caught. Asked at a Congressional subcommittee hearing at
what point he questioned the ethics of his actions, he answered, “Once the
FBI knocked on the door.” (Harvey B., 2004).