1. How have phishing attacks compromised major systems?
Phishing attacks aim to steal information from the user’s computer, usually through email messages that mimic those of a legitimate company but contain fraudulent content and fraudulent links. Once the link is clicked, the user’s personal information is stolen. Installing a particular application or simply opening an email may also cause Trojans or keyloggers to be installed on the computer; these then work in the background to steal the user’s information.
The stolen information is used to launder money, steal identities, and access the user’s bank details (Cawley & Hill, 2010). This can result in the loss of savings, which can in turn lead to increased debt or the repossession of property and vehicles.
For companies, this can mean losses of $2 billion every year from their clients falling victim to phishing attacks (Cawley & Hill, 2010). In particular, banks and card issuers lost $1.2 billion in 2003 (Topkara, Atallah & Nita-Rotaru, n.d.), and additional monetary losses were incurred from about 70,000 calls per hour for twelve hours (Cawley & Hill, 2010) as a result of the attacks.
Most importantly, these attacks make a company lose its customers’ trust. They damage the company’s credibility and reputation, in turn putting its brand equity at risk (Sophos, 2005). Smaller businesses are even more vulnerable to email fraud, especially when the corporate accounts are handled by only one or two employees who have little technical background. Although larger companies are at less risk, it is still recommended that employees be protected from the fraud attempts that arrive in their inboxes through the corporate network.
2. Major corporations, governments, and other organizations are hacked each week, mostly by means of phishing attacks. Describe how users and IT organizations should arm themselves against these attacks.
Companies should design and deploy secure email to prevent the various forms of phishing attacks (Topkara, Atallah & Nita-Rotaru, n.d.); this requires a public key infrastructure (PKI). Spam filters, firewalls, anti-spyware, and anti-virus software must also be installed on every employee’s computer, and the company’s IT team must ensure that all of these defense tools are regularly updated with the latest virus definitions. Operating systems should likewise be kept current with security patches. The company should use a secure connection for its websites. It can also use sender-authentication technologies such as the Sender Policy Framework (SPF), under which the company publishes the list of servers that are allowed to send email on its behalf.
The company should also give its employees and customers guidelines for identifying a probable phishing attack. One is that it is better to reach a site by typing its URL into the browser than by clicking a link, since a link can be deceiving if not read carefully (Sophos, 2005). The user should also confirm that the website is legitimate and secure; indications are that the URL starts with https rather than http and that a lock icon appears on the status bar. Users should guard their passwords and PINs well and refrain from opening or replying to spam emails. Caution should be taken when reading email: if something seems improbable or too good to be true, it most likely is. Users should also regularly check their accounts for suspicious transactions and report them immediately, along with any other suspicious activity such as receiving a fraudulent email.
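The link guideline above can be turned into an automated check. The following is an added example written for this page, not code from any of the cited sources: it scans the HTML body of an email (a constructed sample with reserved example hosts) and flags links that are not https, that point at a bare IP address, or whose visible text names a different host than the href actually targets, which is the deceiving link the text warns about.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress

# Constructed sample email body; hosts use reserved example names and documentation addresses.
SAMPLE_HTML = """
<p>Dear customer, please confirm your account:</p>
<a href="http://203.0.113.7/login">https://www.example-bank.com/login</a><br>
<a href="https://www.example-bank.com.evil.example/verify">www.example-bank.com</a><br>
<a href="https://www.example-bank.com/help">Help center</a>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Return the hostname if the anchor text looks like a URL or domain, else None."""
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname
    return host.lower() if host and "." in host else None


def is_ip_literal(host):
    """True when the link host is a bare IP address rather than a domain name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit_links(html):
    """Return a list of (href, reason) for every link matching a phishing indicator."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = urlparse(href)
        target_host = (target.hostname or "").lower()
        if target.scheme != "https":
            findings.append((href, "not https"))
        if is_ip_literal(target_host):
            findings.append((href, "ip literal host"))
        shown = host_of(text)  # host the user *sees* in the link text
        if shown and shown != target_host:
            findings.append((href, f"text shows {shown} but link goes to {target_host}"))
    return findings


if __name__ == "__main__":
    for href, reason in audit_links(SAMPLE_HTML):
        print(f"{reason}: {href}")
```

The second sample link shows why reading the URL carefully matters: the real host is the last labels before the path, so `www.example-bank.com.evil.example` belongs to `evil.example`, not to the bank, even though the anchor text and the start of the address look right.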
3. What are the social and security issues for individuals and organizations relative to the personal and business use of social media? Facebook, Twitter, LinkedIn, and other Social Media.
One reason the security threat exists with the use of these sites is that the technologies that entice users to participate in social media are the same technologies that make it easier for these sites to be infected by malware, which can log keystrokes to steal credentials or shut down the company’s networks (EMR-ISAC, 2010).
Networking risks include web application attacks, spoofing, social engineering, and spear phishing. These attacks usually succeed because users assume they are in the trusting environment that social networks create.
In addition, the more information a user posts on these sites, the more information becomes available to be compromised by people with malicious intentions. Similarly, providing confidential, sensitive, or private information on these sites results in higher risks for the user or company. Posting audio files, videos, or photos can also result in a user’s breach of privacy or a company’s breach of confidentiality.
4. We're all probably familiar with people who have done things via social media that they regret - but what sort of other threats should be considered in terms of the personal and business use of social media?
These include the risk of identity theft, which can occur if a user’s personal information such as social security number, phone number, and street address is posted on these sites. Some people also like to post information about their whereabouts, which enables criminals such as burglars to determine when no one will be in the house. Such information also allows someone to stalk a person or to harm them for whatever reason.
As for companies, the premature and unauthorized posting of the company’s financial information can hurt its performance on the stock market, if it is a public company. If the company’s finances are not good, this could also signal to customers that the company is in trouble, which would either make the customers panic – as in the case of banks – or take their business elsewhere. Worse, it may be that the company is financially healthy after all and that the posted information was based on initial and unofficial data that do not reflect the company’s final performance, say, at the end of the quarter. In this case, the damage may be difficult to undo.
In addition, if information about the company’s current or new projects is posted online, this can lead to intellectual property theft or give competitors a hint about what the company is working on, which may cost the company its advantage. Likewise, posting about problems in the company may make the public think negatively of it, which in turn may damage the company’s image or reputation.
Cawley, C., & Hill, S. (2010, March 4). The critical effects of phishing scams. Retrieved from http://www.brighthub.com/computing/smb-security/articles/64476.aspx
EMR-ISAC. (2010, March 23). Security and privacy on social networking sites. CIP Bulletin 2-10. Retrieved from http://www.usfa.fema.gov/downloads/pdf/infograms/bulletins/
Sophos. (2005, August). Phishing and the threat to corporate networks [White paper]. Retrieved from http://www.sophos.com/whitepapers/sophos-phishing-wpuk.pdf
Topkara, M., Atallah, M. J., & Nita-Rotaru, C. (n.d.). Mitigating phishing attacks. Retrieved from http://www.cerias.purdue.edu/news_and_events/events/symposium/2005/materials/pdfs/0 7B-778.pdf