Internet Security and Risks

| ACE |
Date of Presentation: 24 October 2012
Internet Security and Risks
Executive Summary
Introduction to modern issues related to the internet
Risks to Consumers and management of such risks
Risks to Businesses and management of such risks
1.0 Introduction
Contributors:
Isaiah Chia
ZICHIA1@e.ntu.edu.sg
Ow-Yang Zhi Yan
Z090086@e.ntu.edu.sg
Cyberspace – the internet and other computer-based networks – is becoming one of the most
important infrastructures that characterize many modern societies. Among the network of
cyberspace are systems that control and manage infrastructures such as energy delivery, emergency
services, banking and finance, military systems and many other applications. Regions’ economic and
social stability may also depend on these networks.
Dependencies on networks for communication and business operations continue to grow along with
the growth of cyberspace. Today, the Internet in particular, which has grown without any planning
or central organization, is a vast network of networks. Destructive acts using computer networks
have cost billions of dollars and continue to threaten the resources of network-connected critical
infrastructure.
In this research paper, we intend to first identify the various threats to individuals and businesses
alike linked to increasing proliferation of internet usage, possible impact and finally propose
alternatives to mitigate these risks.
2.0 Consumers’ Risk
The number of internet users has been increasing across time as the global economy is increasingly
reliant on the internet to communicate and relay information across distances. We often sign up for
online services with our email addresses without much thought, proceeding to key in our desired
username and password methodically, only to be greeted by a welcome message upon the
successful creation of the account. The sign up process has become an expected routine for new
users for most online services that we often overlook the possible risks that are associated with it. In
spite of the numerous phishing advisories that suggest that we ascertain if the information is
transmitted over a hypertext transfer protocol secure (https) connection, the use of https merely
prevents a third party from intercepting the transmitted information. As important as a secure
connection may be, it overlooks the password storage policies of the website you are creating an
account on, which is an additional risk factor most users fail to recognize.
NTU – RISK MANAGEMENT SOCIETY – RESEARCH DEPARTMENT Page 1 of 4

| ACE |
Websites employ an array of methods to store your account password in their database to facilitate
your log in to the website. The straight-forward method would be to store passwords in an
unencrypted plaintext format in the database, and this puts your associated email account at a risk if
you were to use the same password for both log ins. Should the database of the website be
compromised due to a security vulnerability, the attacker will be able to access your email account
with the password you signed up with on the website, compromising all other accounts which are
tagged to the same email address, as a “forget-password attack” could be employed to reset your
password for your other accounts having access to your email account. As such, since most websites
do not reveal the method of storing the passwords in the database, it is prudent to use a different
password for your email account and accounts for your other web services. This will protect your
email account should the website ever be compromised.
As a recommendation, we highly recommend users to not only change their password periodically,
but to have a combination of passwords to be used for different services. Email passwords and web
services passwords should ideally be different, and login passwords into your computer should be
different from email accounts and other web services. This will impede the ease at which all your
accounts will be compromised simultaneously should any one of your password be leaked in the
occurrence of an unfortunate event.
3.0 Business Security Risks
Businesses are also not spared from internet risks. A key trend coloring the world of business is how
computers have transformed into critical business systems. Information gathering was indeed made
easier with availability of information in the internet. Many solutions can be sourced with a click of
the mouse. Over the past few years, there were many instances of high-profile data breach cases
involving businesses. Many have the perception that only large corporations are targeted by hackers
and information thieves. However, the reality is that hackers are increasingly targeting small
businesses because of the assumption that many among the latter do not have advanced know-how
or resources to protect their data against sophisticated internet attacks. In this paper, we will discuss
3 possible threats businesses may face on the internet.
3.1 Malicious Codes
Malicious codes are encoded in any part of a software system or script that is intended to cause
undesired effects, security breaches or damage to a system. Malicious code describes a broad
category of system security terms that includes attack scripts, viruses, worms, Trojan horses,
backdoors, and malicious active content, and they tend to exploit internet-based services such as
email. These threats have to be highlighted as we use these technologies for day-to-day operations.
The threats of these malicious codes can be colossal; imagine the scenario, for example, if
companies the size of Microsoft had to turn off their email systems to survive a malicious code
attack.
Fortunately, it is possible to reduce the impact and mitigate the risk of malicious code by using tried
and tested business practices. They are:
• Educate users about the computer virus threat
NTU – RISK MANAGEMENT SOCIETY – RESEARCH DEPARTMENT Page 2 of 4

| ACE |
• Install reputable anti-virus software on workstations, servers and internet gateways
• Train users on how to use their anti-virus software properly
• Train system administrators to manage anti-virus software
• Making sure the anti-virus policy is up to date
3.2 Spear Phishing
Spear phishing is a type of phishing attack that focuses its attention on a single user or department
within an organization, and where the attacker impersonates someone within the organization in a
position of trust and requesting information such as login IDs and passwords. Another type of attack
involves asking users to click on a link, which deploys spyware that can steal data. Once hackers get
this data, they can gain entry into secured networks.
According to Cisco, spear phishing requires more work from cybercriminal – forging corporate logos,
snaring employees address etc. But their targets are more likely to trust and fall victim to the
fraudulent emails, and payoffs are bigger when scams succeed. Figure 1 below quantifies the likely
payoff for a normal phishing attack vis-à-vis that of a targeted spear phishing attack.
3.3 Unsecured Wireless Internet Networks
Figure 1: Payoff comparison
Businesses are quickly adopting and implementing wireless Internet networks. While having wireless
networks provide businesses an opportunity to streamline their network using minimal physical
infrastructure, there are security risks that businesses need to address. Hackers and fraudsters can
gain entry to businesses’ computers through an open wireless Internet network, and as a result,
NTU – RISK MANAGEMENT SOCIETY – RESEARCH DEPARTMENT Page 3 of 4

| ACE |
breach data security. This risk is amplified by the fact that many small businesses may not use strong
wireless security to protect their systems.
Knowing the risks and possible implications associated to it, businesses can mitigate these
unnecessary security risks via two methods.
Firstly, the default password should be changed. Most network devices, including wireless access
points, are pre-configured with default administrator passwords to simplify setup. These default
passwords are easily found online, so they provide little protection. Changing default passwords
makes it harder for attackers to take control of the device.
Secondly, businesses should encrypt the wireless network. WEP (Wired Equivalent Privacy) and WPA
(Wi-Fi Protected Access) both encrypt information on wireless devices. However, WEP has a number
of security issues that make it less effective than WPA, so it will be advisable to use gears that
support encryption via WPA. Encrypting the data would prevent anyone who might be able to
monitor your network wireless traffic from viewing your data.
References
Cisco (June 2011) Email attack: Now it’s personal. Retrieved from:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps10128/ps10339/ps10354/targeted_attacks.pdf
Disclaimer
The information set forth herein has been obtained or derived from sources generally available to the public and believed
by the author(s) to be reliable, but the author(s) does not make any representation or warranty, express or implied, as to
its accuracy or completeness. The information is not intended to be used as the basis of any investment decisions by any
person or entity. This information does not constitute investment advice, nor is it an offer or a solicitation of an offer to
buy or sell any security. This report should not be considered to be a recommendation by any individual affiliated with NTU
RMS Research Department.
NTU – RISK MANAGEMENT SOCIETY – RESEARCH DEPARTMENT Page 4 of 4