Atinen, Kobe Bryant C.
jadedvillager-blog · 7 years ago
ASSUMING THE POSITION OF A REPRESENTATIVE OF THE BUSINESS SOFTWARE ALLIANCE
As a representative of the Business Software Alliance, I would say that software piracy is bad. Piracy is not a victimless crime, as some people may believe. Due to software piracy, companies are losing billions of dollars and over a hundred thousand jobs have been lost. The attraction of piracy lies in the ease with which illegal copies of software can be distributed without monetary consequence. However, every person who produces illegal copies is contributing to the monetary loss of companies and the people working for those companies. People who write software should have the right to profit from it, just like people who write books. Copying software deprives the rightful owners of the software of hard-earned wages. The claim that pirates have the right to make illegal copies of software because the software is buggy, too expensive, or not frequently used is also flawed. Aside from the practical policies and procedures a company can put into place, company insurance policies are typically evaluated for potential coverage. Many companies are now securing cyber liability policies in addition to traditional commercial general liability policies (CGL policies) in order to provide additional security. While most CGL policies do not cover third-party liability, cyber liability policies routinely cover third-party liability for stolen credit card numbers, social security numbers and other private data, the forensic costs to investigate a data breach, and the notification expenses resulting from a company having to inform all involved parties of a breach. While having a cyber liability policy in place is paramount to a company’s longevity and sustainability, having the right policy in place is even more important as insurers are challenging company cyber liability claims as being non-covered losses. Someone might think a certain item is too expensive and not worth the money, but this doesn’t give them the right to steal it.
In short, piracy is a crime and software developers, distributors, and end users are all affected by piracy.
SECURITY MEASURES
1. An online company that accepts credit card details wants to secure its customers’ details, and safeguard against damage.
A company of this kind is very prone to computer crime such as theft of goods, information or money, and unauthorized access (hacking). The threats may be internal or external and may arise in the course of procedural work. Among internal threats, many are disgruntled employees who use their privileged access to damage their employers. Others are infiltrators who work for outside intelligence or hope to sell information on the black market. Malicious insiders with full access are hard to stop. The main objective for cyber-criminals is to attain the credentials of an employee or admin, and then move through the network with complete access to everything. This is where employee training on cyber security becomes extremely valuable. Among external threats, let’s start by taking a look at malicious programs which are designed to spy on users’ actions (e.g. to record all keys pressed by the user) or to search for certain data in user files or the system registry. The data collected by such malicious programs is eventually sent to the author or user of the malicious program, who can then, of course, do what he/she wants with the information and make the company collapse on its own. The security measures fitted to these threats are audit control software, biometrics and access control software for the internal threat, and a highly accurate anti-virus and a solid firewall for the external threat.
2. A communications company employing a lot of young, technically able people, wants to ensure its online facilities are not being abused.
In this type of facility, the type of cyberthreat that may occur is unauthorized access to, or modification of, the computer system. The internal threat that may occur in this facility is that some employees or staff appear to behave correctly but are in fact spying for another company or facility, or are trying to sabotage their own facility for their own interest. Two-factor authentication is an important security standard when it comes to account protection. It employs an additional physical device, such as a security token or a mobile device, to confirm the identity of the person behind the screen. This authentication method provides a very reliable login procedure as long as the secondary device doesn’t get lost or stolen. As an added benefit, it also allows you to clearly distinguish among users of shared accounts, making access control easier.
3. A high-security establishment needs to ensure that only authorized users can access certain parts of the system.
In fact, this is the most complicated situation and must be highly guarded by the cyber security team. Only a few crimes may be committed; one example is hacking, or unauthorized access to the computer system. The threats in this kind of situation may be both internal and external. An internal example is employees trying to sabotage their own company, or a hacker disguised as an employee of that company. As for external threats, there are many possible attacks on the company: for example, sending a virus that may disrupt the system while it is being protected, while others try to crack the system and manipulate it. A much better approach is to form your data security strategy by prioritizing measures based on how much they will affect your bottom line. In order to do this, your best tool is a thorough risk assessment. Data backup is another fairly basic security measure that has gained increased relevance in recent years. With the advent of ransomware – malicious software designed to encrypt all your data and block access to it until you pay a hefty sum for a decryption key – having a full current backup of all your data can be a lifesaver.
4. A private consultant has a contract with a research organization working on highly sensitive issues. He needs to be sure his communications are secure, and some of the documents he sends might be used as legal proof of his recommendations.
In this kind of case, there must be trusted employees and capable people who can protect the system from being abused. It’s hard to believe, but the key to protecting your data lies with your employees just as much as with your defenses. Even if you have the best cyber security policies and procedures in place, your employees will ignore them in the name of convenience and productivity. Strict rule enforcement may make the situation better, but it doesn’t guarantee results and may even stress out your employees, costing you additional money. The best way to deal with negligence and security mistakes by your employees is to educate them on why security matters, raise awareness about cyber threats your company faces and how they affect the bottom line. Make sure your employees know why certain measures are in place and why they’re important. Recruit them as part of your defenses, and you will see that the instances of negligence and mistakes will become less frequent. It’s much better to get your employees the proper training than to deal with a data breach caused by accidental actions.
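The two-factor check described under scenario 2, including its point about telling apart the users of a shared account, can be shown with time-based one-time passwords (RFC 6238). This is an added example, not part of the original post; the `SharedAccountVerifier` class, the user names and Bob's secret are constructed for illustration (Alice's secret is the RFC 6238 test key).

```python
import hashlib
import hmac
import struct
from typing import Dict, Optional

STEP = 30  # seconds per time step (RFC 6238 default)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP using HMAC-SHA1 and RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class SharedAccountVerifier:
    """Second-factor check for one shared account (hypothetical helper).

    Each person enrols their own device secret, so a valid code also says
    which person logged in. A lost or stolen device is handled by revoke().
    """

    def __init__(self, enrolled: Dict[str, bytes], window: int = 1):
        self.enrolled = dict(enrolled)
        self.window = window                  # tolerated clock drift, in steps
        self.last_step: Dict[str, int] = {}   # highest step already used

    def identify(self, code: str, unix_time: int) -> Optional[str]:
        """Return the person whose device produced `code`, else None."""
        now_step = unix_time // STEP
        first = max(0, now_step - self.window)
        for person, secret in self.enrolled.items():
            for step in range(first, now_step + self.window + 1):
                expected = totp(secret, step * STEP)
                fresh = step > self.last_step.get(person, -1)
                # Constant-time comparison; each code is accepted only once.
                if hmac.compare_digest(expected.encode(), code.encode()) and fresh:
                    self.last_step[person] = step
                    return person
        return None

    def revoke(self, person: str) -> None:
        """Remove a lost or stolen device so its codes stop working."""
        self.enrolled.pop(person, None)
        self.last_step.pop(person, None)


if __name__ == "__main__":
    verifier = SharedAccountVerifier({
        "alice": b"12345678901234567890",   # RFC 6238 test key
        "bob": b"constructed-bob-secret",   # constructed sample value
    })
    print(verifier.identify("287082", 59))  # alice
    print(verifier.identify("287082", 59))  # None (replayed code)
```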
Security Technologies
Biometrics
Biometrics is the measurement and statistical analysis of people's unique physical and behavioral characteristics. The technology is mainly used for identification and access control, or for identifying individuals who are under surveillance. The basic premise of biometric authentication is that every person can be accurately identified by his or her intrinsic physical or behavioral traits.
Authentication by biometric verification is becoming increasingly common in corporate and public security systems, consumer electronics, and point-of-sale applications. In addition to security, the driving force behind biometric verification has been convenience, as there are no passwords to remember or security tokens to carry. Some biometric methods, such as measuring a person's gait, can operate with no direct contact with the person being authenticated. Biometric data may be held in a centralized database, although modern biometric implementations often depend instead on gathering biometric data locally and then cryptographically hashing it, so that authentication or identification can be accomplished without direct access to the biometric data itself.
Biometric identifiers depend on the uniqueness of the factor being considered. For example, fingerprints are generally considered to be highly unique to each person. Fingerprint recognition, especially as implemented in Apple's Touch ID for the iPhone, is the first widely used mass market application of a biometric authentication factor. The greatest privacy issue of using biometrics is that physical attributes like fingerprints and retinal blood vessel patterns are generally static and cannot be modified. This is in distinction to nonbiometric factors like passwords (something you know) and tokens (something you have), which can be replaced if they are breached or otherwise compromised. People whose biometric data has been compromised include over 20 million individuals whose fingerprints were compromised in the 2014 U.S. Office of Personnel Management data breach. The increasing ubiquity of high-quality cameras, microphones and fingerprint readers in many of today's mobile devices means biometrics will continue to become a more common method for authenticating users, particularly as Fast ID Online (FIDO) has specified new standards for authentication with biometrics that support two-factor authentication with biometric factors.
While high-quality cameras and other sensors help enable the use of biometrics, they can also enable attackers. Because people do not shield their faces, ears, hands, voice or gait, attacks are possible simply by capturing biometric data from people without their consent or knowledge.
Encryption
In computing, encryption is the method by which plaintext or any other type of data is converted from a readable form to an encoded version that can only be decoded by another entity if they have access to a decryption key. Encryption is one of the most important methods for providing data security, especially for end-to-end protection of data transmitted across networks.
Encryption is widely used on the internet to protect user information being sent between a browser and a server, including passwords, payment information and other personal information that should be considered private. Organizations and individuals also commonly use encryption to protect sensitive data stored on computers, servers and mobile devices like phones or tablets.
Unencrypted data, often referred to as plaintext, is encrypted using an encryption algorithm and an encryption key. This process generates ciphertext that can only be viewed in its original form if decrypted with the correct key. Decryption is simply the inverse of encryption, following the same steps but reversing the order in which the keys are applied.
Traditional public key cryptography depends on the properties of large prime numbers and the computational difficulty of factoring the product of such primes. Elliptic curve cryptography (ECC) enables another kind of public key cryptography that depends on the properties of the elliptic curve equation; the resulting cryptographic algorithms can be faster and more efficient and can produce comparable levels of security with shorter cryptographic keys. As a result, ECC algorithms are often implemented in internet of things devices and other products with limited computing resources.
Encryption is used to protect data stored on a system (encryption in place or encryption at rest); many internet protocols define mechanisms for encrypting data moving from one system to another (data in transit). Some applications tout the use of end-to-end encryption (E2EE) to guarantee data being sent between two parties cannot be viewed by an attacker that intercepts the communication channel. Use of an encrypted communication circuit, as provided by Transport Layer Security (TLS) between web client and web server software, is not always enough to ensure E2EE; typically, the actual content being transmitted is encrypted by client software before being passed to a web client, and decrypted only by the recipient.
Encryption was almost exclusively used only by governments and large enterprises until the late 1970s when the Diffie-Hellman key exchange and RSA algorithms were first published -- and the first personal computers were introduced. By the mid-1990s, both public key and private key encryption were being routinely deployed in web browsers and servers to protect sensitive data. Encryption is now an important part of many products and services, used in the commercial and consumer realms to protect data both while it is in transit and while it is stored, such as on a hard drive, smartphone or flash drive (data at rest).
Encryption is usually a two-way function, meaning the same algorithm can be used to encrypt plaintext and to decrypt ciphertext. A cryptographic hash function can be viewed as a type of one-way function for encryption, meaning the function output cannot easily be reversed to recover the original input. Hash functions are commonly used in many aspects of security to generate digital signatures and data integrity checks. They take an electronic file, message or block of data and generate a short digital fingerprint of the content called a message digest or hash value.
For any cipher, the most basic method of attack is brute force; trying each key until the right one is found. The length of the key determines the number of possible keys, hence the feasibility of this type of attack. Encryption strength is directly tied to key size, but as the key size increases so, too, do the resources required to perform the computation. Alternative methods of breaking a cipher include side-channel attacks, which don't attack the actual cipher but the physical side effects of its implementation. An error in system design or execution can allow such attacks to succeed. Attackers may also attempt to break a targeted cipher through cryptanalysis, the process of attempting to find a weakness in the cipher that can be exploited with a complexity less than a brute-force attack. The challenge of successfully attacking a cipher is easier if the cipher itself is already flawed. For example, there have been suspicions that interference from the National Security Agency weakened the Data Encryption Standard algorithm, and following revelations from former NSA analyst and contractor Edward Snowden, many believe the NSA has attempted to subvert other cryptography standards and weaken encryption products. More recently, law enforcement agencies such as the FBI have criticized technology companies that offer end-to-end encryption, arguing that such encryption prevents law enforcement from accessing data and communications even with a warrant. The FBI has referred to this issue as "Going Dark," while the U.S. Department of Justice has proclaimed the need for "responsible encryption" that can be unlocked by technology companies under a court order.
Access Control Software
Access control is a security technique that regulates who or what can view or use resources in a computing environment. It is a fundamental concept in security that minimizes risk to the business or organization.
To secure a facility, organizations use electronic access control systems that rely on user credentials, access card readers, auditing and reports to track employee access to restricted business locations and proprietary areas, such as data centers. Some of these systems incorporate access control panels to restrict entry to rooms and buildings as well as alarms and lockdown capabilities to prevent unauthorized access or operations. Access control systems perform identification, authentication and authorization of users and entities by evaluating required login credentials that can include passwords, personal identification numbers (PINs), biometric scans, security tokens or other authentication factors. Multifactor authentication, which requires two or more authentication factors, is often an important part of layered defense to protect access control systems. These security controls work by identifying an individual or entity, verifying that the person or application is who or what it claims to be, and authorizing the access level and set of actions associated with the username or IP address. Directory services and protocols, including the Lightweight Directory Access Protocol (LDAP) and the Security Assertion Markup Language (SAML), provide access controls for authenticating and authorizing users and entities and enabling them to connect to computer resources, such as distributed applications and web servers. Organizations use different access control models depending on their compliance requirements and the security levels of information technology they are trying to protect.
The goal of access control is to minimize the risk of unauthorized access to physical and logical systems. Access control is a fundamental component of security compliance programs that ensures security technology and access control policies are in place to protect confidential information, such as customer data. Most organizations have infrastructure and procedures that limit access to networks, computer systems, applications, files and sensitive data, such as personally identifiable information and intellectual property. Access control systems are complex and can be challenging to manage in dynamic IT environments that involve on-premises systems and cloud services. After some high-profile breaches, technology vendors have shifted away from single sign-on systems to unified access management, which offers access controls for on-premises and cloud environments.
Access control is a process that is integrated into an organization's IT environment. It can involve identity and access management systems. These systems provide access control software, a user database, and management tools for access control policies, auditing and enforcement.
When a user is added to an access management system, system administrators use an automated provisioning system to set up permissions based on access control frameworks, job responsibilities and workflows. The best practice of "least privilege" restricts access to only resources that an employee requires to perform their immediate job functions. A common security issue is failure to revoke credentials and access to systems and data when an individual moves into a different job internally or leaves the company.
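The revocation gap described above can be checked by reconciling the HR roster against what each account actually holds. The following is an added example, not from the original post; the role baseline, account names and entitlement strings are constructed sample data, and `review_access` and `revocation_plan` are hypothetical helper names.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set

# Entitlements each job role needs (constructed sample policy).
ROLE_BASELINE: Dict[str, Set[str]] = {
    "billing-clerk": {"invoices:read", "invoices:write"},
    "support-agent": {"tickets:read", "tickets:write", "customers:read"},
    "dba": {"db:admin", "backups:read"},
}

# HR roster: account -> current role, or None once the person has left.
ROSTER: Dict[str, Optional[str]] = {
    "alice": "support-agent",   # moved internally from the dba role
    "bob": None,                # left the company
    "carol": "billing-clerk",
}

# What each account holds in the access management system (constructed).
GRANTS: Dict[str, Set[str]] = {
    "alice": {"tickets:read", "tickets:write", "customers:read", "db:admin"},
    "bob": {"invoices:read", "invoices:write"},
    "carol": {"invoices:read", "invoices:write"},
    "svc-legacy": {"backups:read"},   # no HR record at all
}


@dataclass(frozen=True)
class Finding:
    account: str
    kind: str                 # "leaver", "orphaned" or "excess"
    revoke: FrozenSet[str]    # entitlements that should be removed


def review_access(roster: Dict[str, Optional[str]],
                  grants: Dict[str, Set[str]]) -> List[Finding]:
    """Flag access that least privilege says should no longer exist."""
    findings: List[Finding] = []
    for account in sorted(grants):
        held = grants[account]
        if not held:
            continue
        if account not in roster:
            # Nobody owns this account: everything it holds is suspect.
            findings.append(Finding(account, "orphaned", frozenset(held)))
        elif roster[account] is None:
            # Leaver whose credentials were never revoked.
            findings.append(Finding(account, "leaver", frozenset(held)))
        else:
            # Mover: keep only what the current role's baseline allows.
            excess = held - ROLE_BASELINE.get(roster[account], set())
            if excess:
                findings.append(Finding(account, "excess", frozenset(excess)))
    return findings


def revocation_plan(findings: List[Finding]) -> Dict[str, List[str]]:
    """Turn findings into an account -> sorted entitlements-to-revoke map."""
    return {f.account: sorted(f.revoke) for f in findings}


if __name__ == "__main__":
    for finding in review_access(ROSTER, GRANTS):
        print(finding.kind, finding.account, sorted(finding.revoke))
```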
Firewall
A firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules. Firewalls have been a first line of defense in network security for over 25 years. They establish a barrier between secured and controlled internal networks that can be trusted and untrusted outside networks, such as the Internet. A firewall can be hardware, software, or both.
In the early days of the internet, when AT&T's Steven M. Bellovin first used the firewall metaphor, network traffic primarily flowed north-south. This simply means that most of the traffic in a data center flowed from client-to-server and server-to-client. In the past few years, however, virtualization and trends such as converged infrastructure have created more east-west traffic, which means that sometimes the largest volume of traffic in a data center is moving from server-to-server. To deal with this change, some enterprise organizations have migrated from the traditional three-layer data center architectures to various forms of leaf-spine architectures.
References:
https://searchsecurity.techtarget.com/definition/biometrics
https://searchsecurity.techtarget.com/definition/encryption
https://searchsecurity.techtarget.com/definition/access-control
https://www.cisco.com/c/en/us/products/security/firewalls/what-is-a-firewall.html
https://searchsecurity.techtarget.com/definition/firewall
RAPHAEL GRAY
Raphael Gray, 19, from Clynderwen, near Narberth in west Wales, faced 10 charges under the Computer Misuse Act (Section 2) of downloading unauthorised information. A teenage computer hacker arrested during an FBI investigation has admitted gaining unlawful access to company websites and to dishonestly obtaining services from the internet. Gray was able to break into the secure systems using an £800 computer he bought in his home town Clynderwen, Pembrokeshire, Wales. After publishing the credit card info on his webpages, Gray posted on the page that law enforcers would never find him "because they never catch anyone. The police can't hack their way out of a paper bag." He was dubbed the Bill Gates hacker when he sent Viagra tablets to Gates' address and then published what he said was the billionaire's own number. He was tracked down by ex-hacker Chris Davis, who was insulted by Gray's "arrogance". It took Davis under a day to find Gray, and he then forwarded what he found to the FBI. "The FBI was actually quite easy to deal with, although technically, they didn't really understand what it was I was explaining to them. The local police were also very polite, but they didn't understand it," said Davis. Gray was arrested when FBI agents and officers from the local Dyfed Powys Police turned up at the door of his home, which he shared with his mother and two sisters, in March 1999.
Neil Barrett, Ph.D., is a security professional who helps companies better understand their systems’ weaknesses. He spends a good part of his day cracking into computer systems, sneaking into offices, breaking open encrypted files, and cracking computer passwords. A former hacker who worked as a security specialist for Bull Information Systems, Barrett has published a book called Digital Crime: Policing the Cybernation. Barrett says that he started hacking when he was a mathematics student; he maintains that he hacked as a benign intellectual exercise resulting from frustration with his university’s limited communication links with the rest of the computing world. By age 36, Barrett was one of Britain’s leading computer crime experts, and he has been contracted by such organizations as the police, customs, banks, the Inland Revenue, telecommunications and utilities companies, the military defense, Internet Service Providers, and the National Criminal Intelligence Service. In fact, Dr. Barrett was a witness for the prosecution at the criminal trial of Raphael Gray, a Welsh teenager who worked from his bedroom on a personal computer (PC) to crack e-commerce sites to obtain the credit card particulars of more than 20,000 Internet purchasers. Gray, in fact, obtained the credit card particulars of Microsoft founder Bill Gates, and he consequently had a batch of Viagra sent to Gates’ California home. In the end, Gray did not go to jail but was issued a three-year “rehabilitation sentence” for his cybercrime. With his many cyber forensic skills, it is little wonder that Barrett once was offered a large sum to steal a file containing a list of high-income customers from a bank. The good news is that he declined the offer. During his investigative work of cybercriminals, Barrett uses a number of tools. The system audit log, for one, keeps an electronic record of the system’s operations and is a crucial record for cyber sleuths such as Barrett.
The DIBS® disk imaging system allows Barrett to make perfect hard-disk copies without affecting the contents. Other tools he uses can detect Internet traffic and collect packets of data for analysis. Profiling tools tell Barrett whether any traffic looks as though it may be coming from a cracker, or if someone is trying to edit an audit trail.
Raphael Gray did not go to jail but was issued a three-year “rehabilitation sentence” for his cybercrime. The case has been adjourned for pre-sentence reports.
People with only a casual concern for Internet privacy need not achieve total anonymity. Internet users may achieve an adequate level of privacy through controlled disclosure of personal information.