INT J COMPUT COMMUN, ISSN 1841-9836

8(1):97-104, February, 2013.

Managing Information Technology Security in the Context of

Cyber Crime Trends
D. Neghina, E. Scarlat

Diana-Elena Neghina
Institute of Doctoral Studies - ASE
11, Tache Ionescu Street, Bucharest, Romania
E-mail: [email protected]

Emil Scarlat
Academy of Economic Studies
Department of Economic Cybernetics
6, Romana Square, Bucharest, Romania
E-mail: [email protected]

Abstract:
Cyber-attacks can significantly hurt an organization’s IT environment, leading to se-
rious operational disruptions, from simply damaging the first layers of IT security up
to identity theft, data leakage and breaking down networks. Moreover, the dangers
through which current cybercrimes practices affect organizations present a tendency
of developing more rapidly that decision makers can assess them and find counter-
measures. Because cyber threats are somewhat new thus a critical source of risks,
within the context of the constantly changing IT environments (e.g. cloud services
integration) organizations may not effectively implement and manage cyber threat
risk assessment processes. This paper highlights the importance of designing effec-
tive security strategies and proactively addressing cybercrime issues as key elements
within the organizational risk management approaches.
Malware rises constantly in impact and complexity and has surpassed the traditional
security model. One of the main ideas of the study is to present the main areas of risks
related to cyber security to which an organization is subject to and provide a baseline
of an analysis model that would adequately evaluate input data, rank priorities and
represent the results and solutions to decrease these risks. The importance of this
study is to increase awareness efforts and to highlight the critical importance of using
the full extent of resources provided. Each member of an organization has a significant
role in decreasing the exposure to the vulnerabilities created by cyber-attacks.
Keywords: Cybercrime, IT security, risk assessment, vulnerability management.

1 Introduction
The dangers through which current cybercrimes practices affect organizations present a ten-
dency of developing more rapidly that decision makers can assess them and find countermea-
sures, exposing entities to significant risks. Vulnerability events are created constantly, through
the exposure over shared environments(such as cloud solutions), permanent transfers of critical
information between an organizations branches, social platforms, electronic banking solutions,
displaying intellectual property, all enabling favorable circumstances for appropriation, distur-
bances and misuse of critical information and data.
The purpose of this paper is to make entities aware of the changes in the last decades of
cyber threats within network environments and how to effectively approach these elements,
timely finding solutions and actions to be taken. One of the main ideas of the study is to present
the principal areas of risk related to cyber security to which an organization is subject to in the
current IT environments and to determine a specific analysis model that would adequately lead

Copyright ⃝
c 2006-2013 by CCC Publications
98 D. Neghina, E. Scarlat

to input data evaluations, rank priorities and represent the results and solutions to mitigate the
identified risks.
On the current market, the tendency of decision makers is still to take unintended or unex-
pected risks by following classical patterns of behavior and standard models of security, applied
additionally in new environments that are continuously changing, often with the consequence of
significantly affecting organizational value.
Our opinion is that the increasing number of attacks and constantly developing threats are
leading to significant gains that are further supporting the constant adaptation of cyber criminals
to the classical implementation and management of security tools. We consider that our paper is
raising an alarm signal on the lack of perception of the fact that traditional models are starting
to be considered as outdated and decision makers must evaluate the need of combining them with
additional elements from the operational areas to obtain a better understanding; the real issue
is the fact that professional cybercrime tools and methods are so advanced that are continuously
increasing the security issue.
Managements ability of forecasting security breaches that are considered critical for the com-
pliance of a company with its strategies is essential in using corporate information as an asset,
as well as a significant competitive advantage. This further sustains the capability of a close
collaboration between IT resources and operational ones. Technical understanding of events and
processes must be combined with the business perception of processes and activities for entities
to adjust more quickly to challenges and take immediate actions to unexpected events.
Even though IT governance and compliance methods, identity management, applications
security and network tools are becoming more and more complex, are processing information
from different areas of an organizational environment, cyber criminals are also aware of the
changes and are also adjusting their techniques, becoming better at hiding their trace, gaining
undetected access and all for extended durations of time; studies present the fact that they are
characterized by stealthy and passive methods for attacking a system (Schudel, Wood) [1].
Entities must better determine the key elements that are making them a target of cyber
criminals and the way they are perceived by external parties regarding critical information of
interest and act on these vulnerabilities first, these being considered as the initial layers of attack.
All security analysis and prevention methods should begin from the idea of unauthorized
access being gained and core business data being misused, thus leading to appropriate security
measures of classification of critical information (high to low risk assessments). As a general
overview of IT reviews, there are not many entities that are implementing levels of security and
classification of data based on values or risk considerations.
As a summary conclusion, the actual warning is the tendency of cybercrime attacks of con-
tinuously becoming more dangerous and complex, evolving into schemes difficult to anticipate.
The attacks are determined to be more destructive, more advanced and more studied (signifi-
cant resources are invested in these activities, new capabilities are researched based on existing
security tools) and have a serious impact over economic and even national security elements.

2 Cyber-Crime Trends Analysis

The current approaches of cyber criminals may be characterized as proactive. Further, at-
tackers actions are dynamic through their frequency and most aggravating, collaborative, in
the sense that services emerge over the Internet with the scope of committing fraud, theft and
exploitation of systems vulnerabilities.
 Managing Information Technology Security in the Context of Cyber Crime Trends 99

2.1 Brief development of cyber crime

As a summary of cyber-attacks tendencies, during the first periods of modern Internet and
IT environments, cyber-attacks were generally performed by employees, within organizational
networks, generally due to different dissatisfaction reasons. This type of threat was favored until
the 1980 and attackers took advantage of privileged and granted access privileges to IT resources;
they altered information mainly for financial advantages or simply sabotaged data for revenge
at employers.
Studies revealed that programmers developed their abilities of writing malicious software,
including self-replicating programs, to interfere with personal computers. During the 1990s,
financial crime over the Internet completed through penetration and subversion of computer
systems increased significantly. By the late 1990s and in the years following 2000, fraud attacks
and identity theft developed. Moreover, organized attacks started to be performed more often
including groups of cyber criminals and increasing the time of acting out without any detection
(Kabay) [3].
Throughout the 2000s, cyber attackers started to externalize services and offer their unautho-
rized activities for more complex crimes. There were identified many denial-of-services attacks
opposing known websites and malware was designed to record logs of keystrokes and then send
this information through secure Internet communication channels to cyber criminals.

2.2 Trends and security challenges

Thus, business data, organizational assets are increasingly threatened and traditional IT
security approaches are offering only the basis of solutions. As a general characteristic, the present
IT environment can be considered as reactive, without any time allocated for risks assessments;
cyber criminals are aware of all these exposures and take advantage of them through the use of
end users (social engineering, theft of credentials), phishing attacks, through all sorts of original
deceptions, penetration and encryption techniques to make their trace inaccessible.
As mentioned previously, security events are continuously increasing, in frequency as well as
in impact. However, in the same time quantitative information related to these events are both
difficult to obtain as well as hard to place into a meaningful framework (Shimeall, Williams) [2].
On a general level, organizations should transition from a mainly security based approach
to a more risk assessment approach, thus addressing vulnerabilities within the risk management
planning and methods. Entities should continuously increase their security awareness procedures,
apply active monitoring procedures and complete periodical trainings for all operational and
technical personnel to achieve an effective cyber security stance.
Operational and information technology solutions are shifting towards collaboration environ-
ments. IT environments sustain shared resources and services, including core business applica-
tions, centralized architecture and infrastructure elements for which entities must put in place
controls to identify and counteract effectively unauthorized actions. Thus there must be put
in place techniques that set the baseline for risk control and business efficiency, outlining the
key issues and introducing risk assessments of specific elements regarding enterprise information
protection and personal privacy.
However, the vast majority of organizations have restricted abilities to identify and take
effective actions against security breaches. Researches show that preventive actions are extremely
hard to implement. Moreover, most of the current analysis tools are based on prior behavior
and activities and may not produce significant models to appropriately identify other attacks or
to be used for efficient preventive actions (Jajodia et al) [4]. Vulnerabilities are thus analyzed
constantly based on prior security events and not on emerging cyber threats, adding value to the
security outline of the organization.
100 D. Neghina, E. Scarlat

However, in practice, defined security assessments performed by organizations are not capable
any more to cope with the continuously evolving threats. These are not focused on collecting
cyber threat data from a variety of business and operational areas and different sources due
to increased time allocation and costs of implied resources. Security methods applied are based
mainly on high level information and tools and technologies implemented are generally configured
based on existing standards, and not customized on the features of the environments that would
have the ability to promptly identify, enclose and restrict, evaluate and restore compromised
characteristics.
With the difficulty of obtaining and updating cyber intelligence information, the implemen-
tation of risk management methodologies should be performed. These must be appropriately
designed and used to effectively challenge or even block access attempts, security breaches or
fraudulent transactions. In the following section we present the approach distinguished through
a set of specific tools and techniques that can be easily customized and applied to specific orga-
nizations profiles, networks, and significantly improve the already implemented security controls
by organizations.

3 Cyber Threats Risk Management Capability

The risks characteristic for an organization and its related industry shape the operational en-
vironment, its readiness and effective response to different interactions with internal and external
environments. The general characteristic of the current organization is its increasing reliance on
technology, information sharing, and connectivity elements. Thus dependence leads to risks at
all levels.
Due to the fact that cyber threats are a relatively new and constant source of risk, continu-
ously changing, entities are not as capable at managing cyber threat risk as they are at managing
any other operational risk related to business activities.

3.1 The fundamentals of a cyber-threat risk assessment process

Unless an organization is considerably developed related to cyber threat risk management
practices, it cannot have the risk assessment infrastructure and governance elements designed to
sustain an adequate security environment. For example, if the basic elements are not defined,
such as specific risk definitions and business impact analysis, risk limits of acceptance or specific
key performance indicators.
If an enterprise cannot sustain at least the above mentioned elements, it is advisable as a
starting point the evaluation of the following set of information security practices that significant
for an appropriate cyber risk assessment process:
1. Existing security controls, implemented by the entity to identify and record known types
of cyber-attacks that are characterized by stealth breaches. Here are included also the security
tools and techniques used to timely identify and contain compromised IT resources;
2. Available methods of recording security breaches information from multiple sources (in-
ternal as well as external). Added to this category are the abilities of the entity to implement
cyber-crimes risk models in order to collect relevant cyber intelligence information and generate
value and actionable data for decision making purposes;
3. Exposure of employees to complex social engineering attacks that allows malware to be
integrated in the administrative consoles or workstations. Here are included the procedures of
detecting advanced, persistent threats within the entitys own business environments in the case
of identity theft or unauthorized use of authentication elements.
 Managing Information Technology Security in the Context of Cyber Crime Trends 101

These are not topics for an elaborate analysis process, but they do represent basic elements
of an effective defense mechanism against current cyber-attacks. By applying a more elaborate
cyber threat risk assessment framework (presented in Figure 1. and further detailed in the
following section) an organization can better protect its operational environments as well as gain
valuable insights on its vulnerabilities and improvement actions to be taken.

Figure 1: Model score after boosting

3.2 Core cyber threats risk management capabilities

Below we present a new approach of cyber threat risks that, if unaddressed, may lead to the
security vulnerabilities exploited firstly by attackers.
1. Monitoring and key performance indicators:
Starting from the basic incident driven communication with management, periodical and
formalized communication with decision makers should be implemented. Evidence should be
kept for ongoing dialogue and critical metrics should be reviewed, analyzed and used to improve
already existing security controls.
Key performance indicators should be designed based on cyber intelligence information that
must be logged for predefined periods of time. These must be standardized within the organi-
zational units and have a clear linkage to business value (generally these should be defined in
quantitative terms).
2. Organizational personnel:
Employees must be aware of cyber threat risk, recognize attacks as a potential risk area and
have basic knowledge of designed security policies, processes, and implemented tools; roles and
responsibilities for risk management should be established that would ensure the integration of
specific risk assessments into larger security decisions and controls affecting an organization.
IT personnel must have specialized knowledge about cyber threat risk; moreover, as a required
competency security feeds from operational units must be centrally coordinated to manage and
102 D. Neghina, E. Scarlat

keep cyber threat risks within defined acceptance levels.

Written and approved IT security policies, training missions, and communications must be
effectively distributed and compliance periodically monitored and reviewed for appropriate en-
forcement; most of employees should have clearly defined responsibilities for cyber risk manage-
ment, appropriate to their roles and responsibilities.
3. Operational processes:
Organizational business units are characterized by fragmented processes, which are not always
communicating between them, certain manual input and execution of operational activities.
Defined processes must align with enterprise-wide risk management framework above mentioned
and must be monitored by IT personnel and executive management at different levels; processes
must reach the level of being consistently integrated, automated, and clearly documented related
to cyber threats risk assessments.
Organizations must formally measure and monitor process effectiveness; automation must
be viewed as an objective; cyber threat risk management may be organized at a higher level as
a self-standing unit and through which all processes are addressed by continuous improvement
efforts; the overall objective is to accomplish structured cyber threat risk management programs
that are integrated with the already existing IT risk management and enterprise risk management
agendas.
4. Security tools and techniques:
Technology already installed for security reasons must be enabled to log security events, to
centralize them and as a basis must send alerts in case of incidents recorded or exceptions;
signature-based controls such as anti-virus and intrusion-detection software must be imple-
mented. For an evolved organizational environment, forensic tools may be used for reacting
to exceptional security events.
Commercially available threat monitoring feeds may be integrated with centralized logging
solutions and monitoring software to generate automated alerts. For more complex risk man-
agement existing security tools may be automatically enabled to perform advanced correlations
related to threat information and to convert obtained data into actionable alerts. These meth-
ods applied may be used to automate not just threat monitoring and alerts, but further security
events identified, such as malware, or complete forensic analysis, as well as more complex threat
assessments.
The presented framework of continuously evolving cyber threat risk management capability
model may sustain an organization in the process of implementing better security techniques to
avoid cyber-attacks of criminals that make it past the already existing access controls mecha-
nisms.
For example, a well-developed cyber threat risk management model will include safety ele-
ments against unauthorized information distribution, as well as protection opposed to unautho-
rized information access. Effective completion of these features lead to the use of technologies
and processes that monitor outbound information traffic for both content and destination in
particular. This can be configured as an alert point if data is being transferred to a location
outside the normal operational environment, where the organization has not been present be-
fore. An accomplished capability will also be able to contain the transfer of information timely,
to isolate the elements involved and assess the suspicious communication networks until their
authentication credentials are clear; in case of unauthorized actions, procedures are in place for
forensic analysis.
Because cyber-attackers are continuously improving their identity theft techniques, an or-
ganization shouldnt assume that each user that authenticates at network level and within the
IT application systems and is performing the required activities with legitimate credentials is in
reality a legitimate user, an employee or an agreed service provider of the entity.
 Managing Information Technology Security in the Context of Cyber Crime Trends 103

A complex cyber threat risk management process will be designed to use at least two ver-
ification methods, depending on the classification of the information being protected. These
activities include the verifications of a persons physical identity through techniques including
biometrics such as laptop fingerprint readers, PIN code token devices that must be carried by
the legitimate users at all times, and finally behavioral programs that track post-login activity
against historical patterns defined for a specific user in order to determine the likelihood of that
person authenticating of being legitimate.

4 Discussions
Any cyber-attack can hurt an organization in any number of ways, ranging from minor
damages to a website informative page to shutting down core networks, committing fraud, and
stealing intellectual property. Thus organizations should implement actionable, risk-based intelli-
gence processes in order to timely identify unauthorized cyber activity. Entities should maximize
the use of existing security solutions, logged information and most important, completing cyber
threat awareness programs among employees. As a summary process, an organization should
effectively identify the cyber-criminal risk, assess and evaluate this risk, integrate it, respond
and take isolation actions to the risk, design, implement and test appropriate security controls,
further monitor events, as well as assure and escalate future cyber-attacks.
As mentioned within prior studies, cyber-crime events will become more precise, more spe-
cialized, and for this reason organizations must integrate a dedicated cyber threat analysis tools
and IT experts. As a general idea, an organization’s security resources will need to focus more
on analyzing available internal and external data sources, customize controls and center less on
managing and maintaining standard security controls.

5 Conclusions
Entities are responsible for implementing and maintaining an integrated approach between
its employees, operational process, and technology resources implemented in order to complete
effective risk management procedures. Resources must be allocated to gather and process cyber
threat analysis information, notifying the results and defining alerts for better security controls
and measures to be taken by the operational units.
Complex cyber risk management processes are repeatable, clearly defined, well-documented,
and aligned with an organizations larger IT risk management. Future work will focus upon cyber
intelligence collection methods and processing algorithms, behavioral trends of cyber attackers,
which could accommodate customized improvements to the risk management activity of an orga-
nization. As the research of cyber security capabilities transforming from raw data to actionable
intelligence will provide valuable cyber threat research. Hence, such an analysis would support
improvements in multiple key threat indicators and metrics related to IT security analysis.

Bibliography
[1] Gregg Schudel, Bradley Wood, Modeling Behavior of the Cyber-Terrorist, in
http : //www.dli.gov.in/data/HACKIN G_IN F ORM AT ION/P RIN T ED20P AP ERS
/M odeling20Behavior20of 20cyber20terrorist.pdf .
[2] Tim Shimeall, Phil Williams, Models of Information Security Trend Analysis, in http :
//www.dli.gov.in/data/HACKIN G_IN F ORM AT ION/P RIN T ED20P AP ERS/
models20f or20inf 20security20T REN D20AN ALY SIS.pdf .
104 D. Neghina, E. Scarlat

[3] M. E. Kabay, MA Brief History of Computer Crime, in

http://www.mekabay.com/overviews/history.pdf.

[4] Sushil Jajodia, Peng Liu, Vipin Swarup, Cliff Wang, Editors, Cyber situational awareness:
Issues and Research, in Springer International Series on ADVANCES IN INFORMATION
SECURITY.

[5] Sumit Ghosh, Elliot Turrini, Editors, Cybercrimes: A Multidisciplinary Analysis, in

Springer-Verlag Berlin Heidelberg, 2010.

[6] Martin C. Libicki, Cyberdeterrance and Cyberwar, Rand Corporation, 2009.

[7] Jean-Marc Seigneur, Adam Slagell, Collaborative Computer Security and Trust Management,
in Information Science Reference (an imprint of IGI Global), 2010.