Mitigating Computer Fraud in the Online Environment


**EL7007-8**
**Ethical and Legal Issues in an Online Course** || **5 Mitigating Computer Fraud**

**Hi Stephen,**
**Outstanding work! Extremely well thought out and presented. Impressive APA formatting. I made a few comments below that I want you to take into account in future papers. Again, outstanding work! You definitely deserve 10 points.**

=Mitigating Computer Fraud in the Online Environment =
Losses resulting from crime on the Internet are reaching staggering levels for individuals as well as institutions and organizations of all sorts (Internet Crime Complaint Center, 2009; Mensch & Wilkie, 2011). Types of cyber crimes vary widely, and many will be discussed below. The need to educate and inform students, faculty, and staff of the variety of threats, and of ways to mitigate them and protect individuals and organizations in an online environment, is almost an ethical imperative. Individuals who lack the basic knowledge and skills to protect themselves and the organizations they attend or work for cost themselves and those organizations billions of dollars each year, and the cost is going up (Custer, 2010; Internet Crime Complaint Center, 2009). Couple this lack of knowledge with the general lack of information security and education by a majority of business and educational institutions for responding to and recovering from potential man-made disasters, and it is increasingly likely that cyber crime costs and damages will continue to skyrocket (Guy & Lownes-Jackson, 2011; Khansa & Liginlal, 2009). In 2011, the financial cost of cyber crime was estimated at 114 billion dollars (Ivan, Milodin, & Sbora, 2012). Because of the increased risk of harm to educational institutions from cyber crime, several schools have been tasked with creating programs for educating students in Information Security Management (Kuzma, Kenney, & Philippe, 2009). In line with the need for education, the following cyber threats and responses to them are discussed. [Very comprehensive introduction!]

Threats in an Online Environment
Many of the threats that follow originate from spam, the sending of unsolicited e-mails to unsuspecting victims (Burgunder, 2011). Spam negatively impacts computer systems through its sheer volume, with 80% or more of e-mail traffic reported to be spam (Burgunder, 2011). Spam provides the means of exploiting several types of threats; these include human-based threats and application-based threats. According to two international studies, “enterprises do not put adequate weight on IT security and information security” (Labodi & Michelberger, 2010, p. 207).

Human-based Threats
**Viruses, worms, malware, bots, zombies, and spyware.** Viruses, worms, malware, bots, zombies, and spyware are all computer programs that are used to glean, destroy, or corrupt data (Burgunder, 2011; Ivan et al., 2012). These are human-based threats because systems are infected as a result of something that a user does. A virus is a computer program that usually infects systems through a spam e-mail or the clicking of an advertisement on a web page, and then copies itself repeatedly (Burgunder, 2011). Trojan horses are a nonreplicating form of virus that appears beneficial but is designed to destroy or corrupt (Burgunder, 2011). Worms are like viruses but do not require attachment to a resource to be transported from system to system (Burgunder, 2011). Bots, zombies, and spyware can serve positive or nefarious purposes, and are used to glean information regarding the use of a computer or system. Several federal laws make it a crime to intentionally “cause damage to any computer system” (Burgunder, 2011, p. 447). Spyware is used to enable identity theft by passing personal identifying information to cybercriminals (Burgunder, 2011).
**Phishing and password sniffing.** Phishing is used to gather personal data from victims by posing as a legitimate business. Phishing is usually initiated by an official-looking e-mail that leads the victim to a website that looks like the legitimate business but is used to gather personal information (Burgunder, 2011; Custer, 2010). Phishing is now “the most common and best known method of cheating by electronic means” (Ivan et al., 2012, p. 61). Password sniffing is the use of software programs that either attempt to guess a password or use a database of hashed passwords to get into a database or network. Once an administrator password is compromised, it is likely that other accounts can be compromised and the breach expanded (Custer, 2010). [Most definitely!]
**Human error or culpability.** Too often portable data with personally identifiable information is stored on media that was not designed for security, is easily stolen, and is not considered in an information security plan (Custer, 2010). The largest percentage of thefts of private data is of inappropriately stored backup tapes, laptops, or external hard drives (Custer, 2010). Current laws require organizations to notify affected people of a possible breach of their information. It is estimated that the cost of “the average breach of educational records will range from $210,000 to as high as $4 million from breach notification costs alone” (Custer, 2010, p. 28).
Another area of cybercrime involving human error is scams. In 2011 there were four crime types that involved more than 20,000 reported complaints (Internet Crime Complaint Center, 2011). These major cyber crimes were: (a) FBI-related scams, in which a criminal poses as the FBI to defraud victims, (b) identity theft, in which a criminal uses the victim's personal identifying information to commit a crime, (c) advanced fee fraud, in which a criminal convinces the victim to pay a fee to receive something of value without ever sending anything, and (d) non-delivery of merchandise, in which the victim pays for an item that they never receive (Internet Crime Complaint Center, 2011; Ivan et al., 2012). [Excellent inclusion]
Data breaches increasingly occur because of disgruntled or disaffected employees (Custer, 2010). Currently, the primary threat to information’s integrity, availability, and confidentiality in an organization is “negligent handling or purposeful damage at the hands of internal employees” (Labodi & Michelberger, 2010, p. 208). Few medium or small organizations pay much attention to the damage that willful or inadequately trained employees can cause.

Application-based Threats
When security is breached from outside, most of the time this is because of configuration errors or vulnerabilities related to applications installed on computers and networks (Custer, 2010). The Open Web Application Security Project (OWASP) lists 162 vulnerabilities a typical software application may have that may be exploited by criminals. Two of the most often exploited application vulnerabilities are cross-site scripting and injection flaws (Custer, 2010), which will be discussed next.
**Cross-site scripting.** Cross-site scripting inserts additional code in an HTTP response message that gets executed if the vulnerability is not checked for and prevented. The execution of this code could include forwarding of the session cookie to another user who can then use that cookie to do harm (Custer, 2010). According to recent analysis, poorly written and poorly secured web pages allow as much as 40% of data breaches through cross-site scripting (Custer, 2010).
**SQL injection attacks.** The Structured Query Language (SQL) is a database language that allows for the manipulation, retrieval, and control of data and objects on a relational database management system. A SQL injection vulnerability results from web pages constructing SQL statements from client information gathered from a web page. The vulnerability occurs when no attempt is made to validate the client information before executing it against the database. For a knowledgeable user it is possible to enter information in such a way as to supplant the original purpose of the SQL and execute code for alternate purposes (Custer, 2010). Between 10% and 20% of data breaches occur because of web pages that dynamically create statements against the database without validating the statements prior to execution (Custer, 2010).

Threat Responses in an Online Environment
“The need to plan, develop, and implement IT security awareness training is crucial to ensure the security of student, faculty, and institutional data and information” (Mensch & Wilkie, 2011, p. 92).* Major security components in today’s systems are intrusion detection systems and spam filters (Ivan et al., 2012). These components can detect unauthorized access and filter electronic messages that are considered high risk. While some data breaches occur because of system intrusion and exceptional technical skills of criminals, most occur because of the human factor and are “based more on ingenuity and creativity in terms of deception” (Ivan et al., 2012, p. 65). “Policy, education and training, awareness and technology are required to assure information security for both individuals and organizations” (Mensch & Wilkie, 2011, p. 96).*

Responding to Human-based Threats
**Viruses, worms, malware, bots, zombies and spyware.** There are several actions that can be taken to eliminate or minimize the threats posed by these computer programs. Installing virus detection software, keeping it up to date, and ensuring that it runs on a regular basis is the primary defense against these programs. Installing a browser add-in that checks web site ratings before allowing navigation to a site also informs users when they may be making an unsafe or questionable Internet choice. Browser pop-up blockers lower the incidence of successful attacks of this type (Mensch & Wilkie, 2011). Finally, a security information awareness program can instruct students, faculty, and staff regarding the seriousness of the threat and the possible consequences of their actions.
**Phishing and password sniffing.** Phishing is so common and successful due to the naiveté of users. The only way to militate against the success of a phishing strategy is through adequate training and education (Ivan et al., 2012). To eliminate or mitigate password sniffing it is essential to train all users on all systems to use only hardened passwords. A hardened password is considered to be a password with at least eight characters in which at least one is a number, one is a special character, and one is a different case from the rest of the password, and which is changed at least every 90 days (Custer, 2010). It is also important that each user utilize a different hardened password for each system, and that these passwords not be written down in a way that they can be found. An even better solution for sensitive data is two-factor authentication that asks for “something you know (a password) and something you have (such as a random number generated by a pocket-sized hardware token)” (Custer, 2010, p. 35).
**Human error or culpability.** Custer (2010) suggested that IT professionals consider how they would transport and carry over $200,000, and use similar caution and common sense in their handling of private data and the media it is stored on. He also suggested that any portable media should use whole disk encryption, so that if it is stolen or misplaced the data is rendered unreadable. Another technique for reducing human error is to educate users of technology about the most prevalent scams so they are less likely to be duped (Ivan et al., 2012). The Internet Crime Complaint Center (2011) publishes a number of tips for conducting any business online. A program to increase and maintain information security awareness among students, faculty, and staff has a much lower cost when compared to the potential costs of a security breach, but does require consistency in implementation (Labodi & Michelberger, 2010).
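The hardened-password rule and the two-factor check described above, as an added Python example that is not part of the original paper. The hardware token is modelled as an HMAC-based one-time code (RFC 4226, time-stepped as in RFC 6238), which is an assumption since the paper names no token algorithm; the function names, the account layout, and the reading of "a different case" as mixed upper and lower case are also assumptions.

```python
import hashlib
import hmac
import os
import struct
from datetime import date

def password_violations(password, last_changed, today, max_age_days=90):
    """Return the hardened-password rules (as stated in the paper) that are broken."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(not c.isalnum() for c in password):  # anything that is not a letter or digit
        problems.append("no special character")
    # Assumption: "a different case" is read as both upper and lower case present.
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        problems.append("not mixed case")
    if (today - last_changed).days > max_age_days:
        problems.append(f"older than {max_age_days} days")
    return problems

def hotp(secret, counter, digits=6):
    """One-time code from a shared secret and a counter (RFC 4226 truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret, unix_time, step=30, digits=6):
    """Time-based variant: the counter is the number of elapsed 30-second steps."""
    return hotp(secret, int(unix_time) // step, digits)

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def enroll(password, token_secret, today):
    """Create an account record; refuse passwords that are not hardened."""
    problems = password_violations(password, today, today)
    if problems:
        raise ValueError("password rejected: " + ", ".join(problems))
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": _pw_hash(password, salt),
            "token_secret": token_secret, "changed": today}

def verify_login(account, password, token_code, unix_time, window=1):
    """Both factors must pass: something you know AND something you have."""
    knows = hmac.compare_digest(_pw_hash(password, account["salt"]), account["pw_hash"])
    step_now = int(unix_time) // 30
    # Accept the current step and one step either side to tolerate clock drift.
    valid_codes = [hotp(account["token_secret"], step_now + d)
                   for d in range(-window, window + 1) if step_now + d >= 0]
    has = any(hmac.compare_digest(code, token_code) for code in valid_codes)
    return knows and has

if __name__ == "__main__":
    secret = b"12345678901234567890"  # constructed sample secret (the RFC 4226 test key)
    acct = enroll("Tr1cky!pass", secret, date(2024, 1, 1))
    print(verify_login(acct, "Tr1cky!pass", totp(secret, 59), 59))  # both factors correct
    print(verify_login(acct, "Tr1cky!pass", "254676", 59))          # stale token code
    print(password_violations("password", date(2024, 1, 1), date(2024, 6, 1)))
```

A stolen password alone fails `verify_login`, which is the property the quoted two-factor recommendation relies on.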

Responding to Application-based Threats
The FBI indicated “that 99 percent of security intrusions are from known vulnerabilities or configurations” (Custer, 2010, p. 36). Because most intrusions come from known issues, services have been created that will allow organizations to check their systems against these issues. To respond to the majority of security intrusions it is essential to run these vulnerability checks and then fix any threats that are found (Custer, 2010). Implementation of this suggestion would have most likely ensured that the denial of service attack that prompted this plan would not have occurred (Ivan et al., 2012). “The best way to defend against SQL injection routines are [sic] based on strong input validation” (Ivan et al., 2012, p. 67). Several products exist that can be added to browsers to check the security ratings of web sites. Through the use of these products, cross-site scripting can be minimized.
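The SQL injection flaw described under Application-based Threats and the input-validation response quoted above, side by side, as an added Python example that is not part of the original paper. The table, the `S` plus four digits ID format, and all function names are constructed for illustration; the hardened lookup also binds the value as a query parameter, which goes beyond the validation the paper quotes.

```python
import re
import sqlite3

def make_db():
    """Constructed sample data: a small student table in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (id TEXT PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO students VALUES (?, ?)", [
        ("S1001", "Alice Example"),
        ("S1002", "Bob Example"),
        ("S1003", "Carol Example"),
    ])
    return conn

def lookup_vulnerable(conn, student_id):
    # Flawed on purpose: the client value is pasted into the statement text,
    # so quote characters in it change the structure of the SQL itself.
    sql = "SELECT id, name FROM students WHERE id = '" + student_id + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, student_id):
    # The value travels separately from the statement and is only ever
    # compared as data, whatever characters it contains.
    sql = "SELECT id, name FROM students WHERE id = ?"
    return conn.execute(sql, (student_id,)).fetchall()

STUDENT_ID = re.compile(r"S\d{4}")  # allow-list: the only accepted shape of an ID

def lookup_hardened(conn, student_id):
    # Strong input validation first (reject anything that is not a well-formed
    # ID), then a bound parameter as a second layer.
    if not isinstance(student_id, str) or not STUDENT_ID.fullmatch(student_id):
        raise ValueError("invalid student id")
    return lookup_parameterized(conn, student_id)

def demo():
    """Run one constructed malformed input through all three lookups."""
    conn = make_db()
    crafted = "S1001' OR '1'='1"  # constructed input containing quote characters
    try:
        hardened = lookup_hardened(conn, crafted)
    except ValueError:
        hardened = "rejected"
    return {
        "vulnerable": lookup_vulnerable(conn, crafted),        # every row comes back
        "parameterized": lookup_parameterized(conn, crafted),  # no such ID, no rows
        "hardened": hardened,                                  # refused before any query
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```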
=Conclusion =
Information technology security cannot be an afterthought. The protection of student, faculty, and staff personal information is essential to individual privacy, but also to the reputation and finances of the organization. Threats to IT security come from the human factor and from vulnerabilities inherent in the use of multiple software applications. The educational institution’s IT staff are responsible for preventing the incidence of data breaches and creating appropriate plans to mitigate the effects of a breach if one occurs. Information Security plans identify the security actions that must be taken by an organization and should be both high level and strategic as well as detailed and operational. A major component in any information security plan, however, must be the training and education of the people who have access to data. [Well done, Stephen!]

[K1] I always recommend to learners NOT to start a sentence with a direct citation.
[K2] I recommend that you refrain from back to back direct citations.
[K3] Outstanding APA formatting going on here. Just one small mistake below.


=References* =
 * Burgunder, L. B. (2011). //Legal aspects of managing technology// (5th ed.). Mason, OH: South-Western Cengage Learning.
 * Custer, W. L. (2010). Information security issues in higher education and institutional research. //New Directions for Institutional Research, 146//, 23-49. doi:10.1002/ir.341
 * Guy, R., & Lownes-Jackson, M. (2011). Business continuity strategies: An assessment of planning, preparedness, response and recovery activities for emergency disasters. //Review of Management Innovation & Creativity, 4//(9), 55-69. Retrieved from http://www.intellectbase.org/articles.php?journal=RMIC&volume=4&issue=9
 * Internet Crime Complaint Center. (2011). //Internet Crime Report//. Washington, DC: National White Collar Crime Center and the Federal Bureau of Investigation. Retrieved from http://www.ic3.gov/media/annualreport/2011_ic3report.pdf
 * Ivan, I., Milodin, D., & Sbora, C. (2012). Non security – Premise of cybercrime. //Theoretical and Applied Economics, 19//(4), 59-78. Retrieved from http://www.ectap.ro/
 * Khansa, L., & Liginlal, D. (2009). Quantifying the benefits of investing in information security. //Communications of the ACM, 52//(11), 113-117. doi:10.1145/1592761.1592789
 * Kuzma, J. M., Kenney, S., & Philippe, T. (2010). Creating an information technology security program for educators. //International Journal of Business Research, 10//(1), 172-180. Retrieved from http://www.iabe.org/domains/iabe/journal.aspx?journalid=12
 * Labodi, C., & Michelberger, P. (2010). Necessity or challenge – information security for small and medium enterprises. //Annals of the University of Petrosani Economics, 10//(3), 207-216. Retrieved from http://www.upet.ro/anale/economie/pdf/20100322.pdf
 * Mensch, S., & Wilkie, L. (2011). Information security activities of college students: An exploratory study. //Academy of Information and Management Sciences Journal, 14//(2), 91-116. Retrieved from http://www.alliedacademies.org/Publications/Papers/AIMSJ_Vol_14_No_2_2011%20p%2091-116.pdf