In relation to crime, a computer (including some of its parts) can in general, and for ease of discussion, be used in two ways:
- As a means to perpetrate a crime that has nothing to do with the inherent characteristics of IT or a computer. Killing a family member by hitting them over the head with a laptop constitutes murder with a blunt instrument, not cybercrime; strangling someone with a mouse cable is also not punishable under a cybercrime statute.
- As a means to disrupt IT services by writing or using programs that probe network ports, search for vulnerabilities, or overload a network with well-formed or malformed packets; by sniffing passwords or eavesdropping on network traffic; by spying on other people’s e-mail, etc. Such acts constitute cybercrime.
Please note that phishing (as a very common act) fits the first rather than the second definition, as the phishing method used is seen as an instrument of fraud, rather than being the ultimate goal of the attacker.
Cybercrime attack methods come in many shapes and sizes: some die out very quickly; others remain usable for years and require technical and organisational measures to keep them from succeeding; still others that were thought to have died out reappear in organisations that have not applied the lessons learned.
To avoid victimisation, an individual (yes, most so-called “zombie” PCs are not found in companies but in private households) needs to have:
- virus protection for files, e-mail and web-traffic with a product that updates itself regularly and on-demand
- a spam filter
- a personal firewall product
- some awareness of what trust means in regard to the Internet without drifting into paranoia.
The definition of “individual” used above also includes private laptops of managers and board members who may use these occasionally in the workplace.
From an organisational perspective, to avoid victimisation a company should have in place:
- Processes to operate and manage IT systems with security elements to safeguard confidentiality, integrity and availability. ITIL has proven itself in regard to operations and operational management.
- Established security goals and a process to manage information security risks and the company’s risk profile; ISO27001 has proven its worth in this regard.
- An information security department at a suitable organisational level and with direct access to senior executive management.
- A governance framework to let the above interact with compliance and governance matters.
- Technologies, such as firewalls, intrusion protection and detection, centralised logging and maybe even continuous auditing, if the risk profile requires it.
- An incident management process that allows early detection and speedy reaction to incidents that occur.
The author welcomes comments, opinions or challenges to the views expressed. Please send these to firstname.lastname@example.org