Thursday, August 22, 2019

The Issues Concerning Identity Theft Essay Example for Free

Abstract

“Identity theft has been around since the Internet became more than just the stuff of science fiction. The benefits of being in the Network have been undisputed, but it has its drawbacks, especially recently”. The increasing sophistication of hacking technology and the ever-widening use of web-based communication have made the danger of identity theft loom even larger on the horizon. Recent statistics illustrate just how serious the situation is, with cyber criminals increasingly focusing on small companies and individuals, who are considered soft targets. Countermeasures are fighting a losing battle, and experts state that individual vigilance is the only really effective way of stemming the flood.

Introduction

There was a movie in 1992 starring Robert Redford and Ben Kingsley, called “Sneakers.” They played the parts of college computer geeks who managed to hack into a government computer system as a sort of teenage prank and got caught. Later in the movie, the character of Ben Kingsley becomes a high-powered high-tech executive determined to rule the world with the use of information technology that could hack into any system in the world. At the time of the movie, such scenarios were the stuff of science fiction, but that is precisely the situation today.

The dependence on cyber infrastructure has become so ingrained into everyday life that vulnerability to attacks takes on new dimensions. The consequences of this vulnerability are far-reaching, as information has become the new currency in this fast-paced, Web-based world. But ensuring the security of digital information is fraught with difficulty, as hackers and programmers are coming up with smarter and more destructive ways to wreak havoc with both public and private networks. One type of malware that illustrates the increasing sophistication of malicious code uses a JavaScript tool called NeoSploit.
It can attack a system using seven distinct exploits that can be customized depending on the specific weakness of the system it is currently attacking. It is double obfuscated so that it easily evades most automated detection. It is a “smart” bug and adaptable as well. [33]

The concept of identity theft is not new. Anybody with a computer and access to the Internet has been warned never to reveal personal information to unverified sources and to avoid financial transactions online unless the site is vouched for by a reliable verification site. But identity theft is so much more, and recently there has been a disturbing rise in incidents of identity theft, beginning in 2004. The threat to networks has become more complex, as illustrated by the distributed denial-of-service attacks in 2000 and the 2001 CodeRed worm. [30]

The cost to consumers and businesses of identity theft is significant. According to the Federal Trade Commission, it has been maintained at more than $50 billion in the US alone. [18] Such incidents are not occurring only in the US, however. In South Africa, local and foreign clients of Standard Bank were choused out of thousands of rands by a Trojan installed in public internet cafés, which captured bank information. In France, a 2005 report described how terrorists routinely used stolen identities forged onto false identity documents. [26]

The effect of such security breakdowns on e-commerce is particularly horrendous. Such enterprises rely on the trust and confidence of their clients that their information will be secure during online transactions. It only takes one instance of invasion for clients to shy away from doing further business.

This paper investigates the issues pertaining to the technology behind identity theft, the countermeasures being enacted to prevent it and the current unresolved problems.

Requirement Analysis

To more fully appreciate the problem, a definition of identity theft may be in order.
The term identity theft was first coined as part of the Identity Theft and Assumption Deterrence Act of 1998, better known as the ID Theft Act. It is defined as a criminal act to:

“…knowingly transfer or use, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law.” [1]

Because of the increasing sophistication of ID theft techniques, the US Federal Trade Commission felt it incumbent to provide more specific definitions of what constitutes an “identity” or “identifying information”, to wit:

“(a) The term ‘identity theft’ means a fraud committed or attempted using the identifying information of another person without lawful authority.
(b) The term ‘identifying information’ means any name or number that may be used, alone or in conjunction with any other information, to identify a specific individual, including any
(1) Name, Social Security number, date of birth, official state- or government-issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer identification number.
(2) Unique biometric data, such as fingerprint, voice print, retina or iris image, or other unique physical representation.
(3) Unique electronic identification number, address, or routing code.
(4) Telecommunication identifying information or access device.” [1]

Looking at what comprises identity, it seems highly possible that at some point anyone using the Internet or a private network will disclose one or more of the data above on a daily basis, because it is almost impossible to go through a typical day without at least once using a network application such as an ATM or logging on to an e-mail service.
Go to a hospital or school and it is highly likely that an RFID is required in some form, whether as a school ID or a medical card.

Schools are especially vulnerable to attack because security is not particularly high on the list of priorities for school districts working with a budget. The benefits that accrue from digital technology in the school setting are massive, but there has been no corresponding enthusiasm for establishing even the most basic of security measures. The fact is, cases such as the schools in California and Florida in which students themselves hacked into the unsecured database for a prank or for profit, or the Ohio student who accidentally deleted student records which had not been backed up, are not unusual. Some of the most iconic movies are about tech-savvy students who pull a fast one on uptight school administrators or against terrorists. However, in real life, security breaches of the academic and medical records of students carry consequences just as serious as those for government and corporate information. [43]

It is not surprising that with the rapid digitization of information databases in all sectors, there are more and more incidents reported of some type of invasion. In 200

Techniques used in Identity Theft

Physical methods
- computer and backup theft
- direct access to information
- dumpster diving, or searching trash
- theft of a purse or wallet
- mail theft and interception
- shoulder surfing
- skimming
- dishonest or mistreated employees
- telemarketing and fake telephone calls

Internet-based methods
- hacking and unauthorized access
- phishing, or the use of spam and mirror sites
- pharming, or interception between an IP address and the target server
- redirectors
- advance-fee fraud or 419 fraud
- fake IRS form
- keylogging and password stealing

There has been such emphasis on Internet-related security breaches that the fact escapes most people that identity theft can happen physically as well as over the Ethernet.
According to the Identity Theft Resource Center, there were more than 300 breaches in security in companies involving the loss of data storage tapes that contained the information of more than 20 million people in 2006. However, cyber-crime is much harder to prevent because it can be done off-site and insidiously. It is also harder to detect because often the theft is done in small batches.

Source: http://www.eset.eu/press_release_threats_march

McAfee Avert Labs recently released a report called “Identity Theft” that identified keylogging, malware that keeps track of keystrokes to capture passwords and other sensitive information, as the tool being increasingly used to perpetrate identity theft. The report also tracked the occurrence of phishing attacks, which increased 250% from January 2004 to May 2006. [26]

In March 2007, ESET reported that the top malware threat was the Trojan keylogging malware called Win32/PSW.Agent.NCC, followed by Win32/Netsky.Q or simply Netsky P, which has the power to replicate and to spread itself as an attachment through e-mail. In third place is the Trojan Win32/TrojanDownloader.Agent.AWF, which is used to download malware that creates botnets that in turn create spam and denial-of-service attacks. [4]

Hackers have also developed Internet Relay Chat (IRC) bots, strings of code or independent programs that attach to the IRC channel of a system and appear to be just another user, to be transmitted through IM, mass mailing and peer-to-peer communication. While useful for managing channels, maintaining access lists, and providing access to databases, such bots have become dangerous in the hands of malicious users, who activate them to infect and reside in systems with a view to passing on confidential and sensitive information. A bot is difficult to detect and to clean because it is configured to disable anti-virus software and firewalls. Moreover, bots can edit registry entries to hide their presence.
[44]

Avenues used for Identity Theft

Credit Card Fraud

Individuals find themselves victims of credit card fraud when they transact with smaller online merchants that utilize generic shopping cart software and fail to keep up with the latest software security patches. Web-based vulnerabilities, which provide cyber-criminals the soft patches in which to invade and infiltrate, are found in many different Web-based applications because of the failure to be vigilant. One example is that of Cellhut.com, which uses third-party Website security provider Hackersafe, which is supposed to have passed the FBI/SANS Internet Security Test. But experts are circumspect regarding the effectiveness of these tests, as evidenced by the number of reports of fraud, which is only a part of the number of cases that actually occur. Small online companies are not required to report all incidents, making statistical data difficult to gather. [17]

E-mail as a gateway

In 2003, the number of spam or junk mail messages outstripped the number of legitimate e-mails in corporate America, indicating an unrelenting onslaught on computer defenses. Malicious code such as SoBig, Mimail, and Yaha, which wreaked havoc on personal computers and servers alike, was disseminated through e-mail. As a reaction, companies earmarked 8.2% of corporate budgets for cyber-security, but the economic lure for hackers has made them more inventive and devious as well.

Phishing, the art of deceiving unwary users with cleverly disguised e-mail, has become the fastest-growing non-violent crime against banks. One sneaky example was that of Swen, an e-mail virus that masquerades as a Microsoft security fix, complete to the last detail so that it looks authentic. The unwary user unleashes the virus in the system when the message is opened or previewed. It then breaks down firewalls and antivirus, leaving the system open to infiltration.
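
The kind of disguise described above, mail that borrows a trusted vendor's name and carries an executable, leaves traces in the message headers that a gateway can check. The following is an added example, not part of the original essay and not any product's code; the brand table, the list of risky extensions and both sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption for this example: the brands a gateway protects and the sender
# domains it accepts for each of them.
BRAND_DOMAINS = {"microsoft": {"microsoft.com"}}
RISKY_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat")


def domain_of(header_value):
    """Return the lower-cased domain of the address in a header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def matches_domain(domain, allowed):
    """True if domain equals an allowed domain or is a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def assess(raw_message):
    """Return a list of reasons why a message looks like brand impersonation."""
    msg = message_from_string(raw_message)
    findings = []
    display_name, _ = parseaddr(msg.get("From", ""))
    from_domain = domain_of(msg.get("From"))

    # 1. The display name or subject claims a brand the From domain does not own.
    claimed = (display_name + " " + msg.get("Subject", "")).lower()
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in claimed and not matches_domain(from_domain, allowed):
            findings.append(
                f"claims to be {brand} but sent from {from_domain or 'unknown'}")

    # 2. Replies or bounces are routed to a different domain than the sender's.
    for header in ("Reply-To", "Return-Path"):
        other = domain_of(msg.get(header))
        if other and other != from_domain:
            findings.append(f"{header} domain {other} differs from From domain")

    # 3. An attachment with an executable extension.
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(f"executable attachment {name}")
    return findings


# Constructed sample: a fake "security fix" with an executable attached.
SPOOFED = """\
From: "Microsoft Security" <patch@updates.example>
Reply-To: support@other.example
To: user@corp.example
Subject: Latest security update
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Install the attached fix.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="patch.exe"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Constructed sample: the same brand name, sent from a subdomain it does own.
LEGIT = """\
From: "Microsoft" <news@mail.microsoft.com>
To: user@corp.example
Subject: Monthly product news
Content-Type: text/plain

Hello.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, assess(raw))
```
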

Instant Messaging, Instant Invasion

Instant Messaging or IM has also become popular of late because it is, well, instant. Many companies believe they have increased productivity significantly with the use of Yahoo Messenger, Skype, MSN Messenger and AOL Messenger. However, these may bring more than messages into the picture.

IM allows users not only to exchange messages but to transfer files as well, which may have malware or a virus riding on them. It also provides backdoor access to hackers because IM bypasses firewalls and gateway perimeter scans. The peer-to-peer network is especially open to exploitation because of this bypass, and the worms spread rapidly, in 10 to 20 seconds in some tests. Some antivirus software that works on the desktop level has some success in catching these worms, but only in restricted cases.

Another way for hackers to open a portal is to hijack the connection using a man-in-the-middle attack and impersonate the hijacked user. The hacker is then in a position of trust and may solicit information from the unsuspecting person on the other end. A network sniffer could also steal information from an open portal during an instant messaging session, and a trojan is not even needed. This is especially dangerous in a corporate network. [37]

Voice-over-Internet Protocol (VoIP)

The use of VoIP carries the same potential security risk as most data streams. While it may seem to be much like a telephone service, the architecture for VoIP is not the same as the conventional telephone line, where security is more established and any interception will require a physical presence on the specific telephone wire or PBX. VoIP transmits the voice as a data stream, similar to that of any other web-based application, and is vulnerable to the same kind of invasion or interception. The defense against such invasion is through the same combination of firewalls, antivirus and encryption.
[23]

Because VoIP is comparatively new, it is still in its early stages of development and has not excited the same attention from identity thieves as other forms of data exchange, although there is some spyware that specifically targets VoIP.

Cookies

Cookies are normally written by a website onto the computer’s hard disk to store personal data about the user relevant to the application which stores the text-only code. Flaws in the generation of the cookie identity have been identified by security researcher Michal Zalewski as potentially vulnerable to hacker attack, because the overwrite protection feature can easily be bypassed, allowing malware to remotely plant user information on another person’s computer that can be accessed remotely when the user visits specific websites. [35]

Malware is more than just malicious in that it is motivated by economic gain rather than any kind of grudge or misdirected sense of humor. A more appropriate term for this economically driven malicious software is spyware. Spyware is much more focused and quite destructive because it can reside in a system for weeks or even months before it is discovered. Aside from the fact that it transmits confidential information to its creator, it also slows down computers if enough of it resides in the system, even disabling some applications from working at all. There is loss of productivity as well as information. Sometimes it is simply annoying, popping up as adware or altering the home page to redirect the browser to specific websites. It sometimes masquerades as an end-user license agreement, and most users just click on it as a matter of course, inadvertently allowing the spyware to be embedded in the system. Whichever form it takes, it cuts down on productivity and uses up RAM and CPU resources. [27]

Many IT professionals consider spyware the top security threat, as revealed by a WatchGuard Technologies survey in 2005.
Consequently, anti-spyware software is also on the rise, making it the top security technology for 2005. Since people make money from spyware, it is most likely that hackers will bring it up to the level of a serious enterprise. Particularly vulnerable are banks and financial institutions, such as PayPal, which was targeted by a variation of the Mimail worm. The pathogen redirected the user to a false PayPal verification window which then asked for sensitive financial information. PayPal had hitherto enjoyed a reputation for reliability, so the potential to victimize a large number of people makes the strategy particularly effective. The tendency to use a few core applications is another reason hackers are so effective: they only need to focus on circumventing the security of a few systems to ensure a good haul. [25]

One of these core applications is Microsoft’s Windows. The vulnerabilities of these products are more numerous than ever, mostly because their widespread use has made them the target of concentration for many hackers. And though improvements in the security features of the products have managed to deflect more than 100,000 variants of the malware circulating, it requires more vigilance on the part of the caretaker to keep the system at the leading edge of the available updates and security patches. [36]

There has even been evidence that cyber-criminals have become loosely organized, with expert hackers working together with spammers and fraudsters to extend the sophistication and reach of the attacks on peer-to-peer networks. The focus is now on compromising integrity rather than the random destruction of files and networks. The treasure in this hunt is information, and since there is no immediate, discernible damage, it is only when the credit card bills come in or the security system springs an alarm that the invasion becomes apparent.
In the instances where a pathogen succeeds in infiltrating a good system, it does more damage than its predecessor, and true to the nature of its name, the virus appears never to die completely, but rather to go into stasis, just waiting for the next improved bug to re-activate it in an evolved state, such as the Phatbot in 2004, which exploited known and newly discovered vulnerabilities in multi-frontal attacks. [36]

Profile of a Cyber Criminal [26]

Organized crime groups

The involvement of organized crime groups has served to coalesce otherwise individual hackers. The motive for the involvement is not only profit but also to establish a supply of readily available identities to be used in the course of their criminal activities.

Terrorists

It has been established that terrorists use various identities to avoid detection by government agencies that are on the alert for their appearance under their true identities. They acquire employment and obtain financing for their activities. One instance was reported in Spain, where a terrorist cell made purchases with the use of stolen credit cards and used fake passports and travel documents to open legitimate bank accounts to finance their operations.

Petty criminals

These are the freelancers, out to make easy money and with no other motive but money. [26]

Literature Survey of Solutions

Research grants

In 2002, $877 million in government grants were earmarked to fund the Cyber Security Research and Development Act and H.R. 3400, the Networking and Information Technology Advancement Act, which would beef up the network security of vital infrastructure.

The AT&T Foundation has also made a contribution by providing grants in 2004 to the University of Texas at Dallas and Syracuse University to support cybersecurity research. Similarly, the National Institute of Standards and Technology gave a grant to George Mason University School of Law’s National Center for Technology Law and James Madison University in Harrisonburg, Va.
to collaborate on what is known as the Critical Infrastructure Protection Project. “The project is aimed at providing outreach and education, serve as a pool of knowledge, and development of special programs for small businesses and information sharing”. [41]

However, the grants are part of a reaction to 9/11, which seeks to promote research in counterterrorism and national security. The problem of identity theft is much closer to home, or at least need not be on the scale of national security. Identity theft can occur on as small a scale as a home computer. A report by Internet security solutions provider Preventon has shown that in the UK, approximately 67% of the surveyed consumers manage their own security software, mostly anti-virus, firewalls or anti-spyware software. However, only 22% considered “phishing” a serious threat to their security.

New Products

For financial call centers, a product has been developed by EMC’s Security Division called the RSA® Adaptive Authentication for Phone, which seeks to provide a reliable authentication protocol for telephone banking as required by the Federal Financial Institutions Examination Council’s Authentication in the Internet Banking Environment guidance. It is an offshoot of the RSA Adaptive Authentication for Web in use by 35 of the largest financial institutions and banks in the world. The system makes use of a voice biometric solution based on Vocent technology and Nuance’s voiceprint engine. It is designed to conduct a risk-based assessment by analyzing voiceprint and user behavior based on predetermined parameters during retail and commercial banking transactions. Aside from the technology, users of the product will also have access to the database of the RSA eFraudNetwork community, which has fraudster profiles.
[10]

There has been some opinion that an overlap approach may be more effective, where a combination of firewalls, intruder protection and detection, and vulnerability testing is used in concert instead of in isolation. [25] A piece of software that goes one step further is PCImmunity, which is designed to combine the security features of Norton, McAfee, SpyBot, SpySweeper, Ad-Aware, ZoneAlarm, Avast, and AVG while supplementing them with a restart feature in cases where one or more of the active applications is deactivated by a hacker or virus. One of its maintenance features is the automatic update of this software and the daily scans of anti-spyware software. [14]

Two projects that are geared towards anticipating industrial-grade security measures for VoIP have been initiated by the VoIP Security Alliance, or VOIPSA, which aims to establish a “threat taxonomy” and a list of VoIP security requirements. These protocols will be of particular use for session border controllers, or SBCs, which serve as an intermediary between the unique architecture of VoIP and web-based protocols that would otherwise be incompatible with VoIP.

Figure: VoIP with SBC. Source: http://www.cisco.com/warp/public/cc/general/bulletin/software/general/3001_pp/3001_p24.jpg

Other functions of the SBC are to enable network address translation, VoIP peering and compliance with the Communications Assistance for Law Enforcement Act. Security-wise, the SBC, as the “man-in-the-middle,” is theoretically in a good position as the front-liner against any unauthorized access or interception. SBCs also serve to mask the presence of VoIP systems, softswitches and other devices. However, the integrity of their security features has yet to be rigorously tested. [40]

The JavaScript malware that confounds most automated detection needs special treatment, using decoding tools such as NJS, SpiderMonkey or Rhino, which separate the malware from the browser tool at the command-line level after cleaning up the HTML.
The tool decodes in layers until the malware is completely stripped of its code. The tools are based on JavaScript and designed to be re-entrant. The approach is not guaranteed, however, because such tools have limitations and it is only a matter of time before hackers find a way around it as well. [33]

Another breakthrough that is a double-edged sword is a framework being developed by security expert Roelof Temmingh called Evolution. Though still in its infancy, the framework can be used as both a hacker’s tool and a security application. What it does is to use any identity information to extract other hidden data. For example, it can transform a domain into e-mail addresses and telephone numbers with the use of the Whois domain name lookup service, so hackers need only one type of information to get a whole slew of information. It can also identify targets for client-side attacks and war-dialing ranges. In the interest of security, however, Evolution can be invaluable in various ways. It can be used for footprinting, to identify phishing sites and to identify alliances with weak security postures. In the long run, however, Evolution can be used to illustrate the future capabilities of hackers, and research to pro-actively counteract such developments would be of immense benefit. [33]

The important development from a security standpoint is that many companies are finally coming to terms with the magnitude of the battle before them. At a conference in Phoenix, the focus was on new products that were designed to renew the onslaught on incidents of phishing, adware and spyware spurred on by Web 2.0. Products such as NewsGator Hosted Solution allow companies to put an RSS aggregator on their websites, eliminating the need to get the feed directly from the original content originator. For security compliance, LogLogic produced the appliance-based solution LogLogic 3 r2, which allows tracking of Microsoft Exchange log activity to identify security risks.
[16]

One product with added features was announced recently by Barracuda Networks, which helps identify spam messages even if they are being sent by an apparently innocuous e-mail address. The Spam Firewall e-mail security appliance is now able to analyze sender behavior, facilitating reputation analysis. When a previously normally behaving e-mail address suddenly starts unloading massive amounts of e-mail, it is presumed that it has been infected by a botnet and turned into a spam server. [20]

DIY Security Protocols

With the rise of DIY security came the development of self-help websites that provide security tips and information as well as recommended freeware for download. One such website is the Gibson Research Corp. website (www.grc.com), headed by Steve Gibson. He provides three suggestions:

- Stealth or hide seldom-used ports, of which a typical system has 65,000 for an internet scanner to exploit.
- Disconnect services not in use, which Windows provides and connects by default but which only represent a vulnerability.
- Bind only the modem to TCP/IP. Windows binds all network resources to the Internet by default as well, such as a shared printer, which is unnecessary and potentially dangerous.

Among Gibson’s offerings that have provided some security are the Shields Up! and LeakTest scans, and Gibson’s DCOMbobulator, Shoot the Messenger, Socket-Lock, UnPlug n Pray and Xpdite make security a little tighter. Another website that may bear investigation is The Human Firewall (www.humanfirewall.org), which focuses more on companies. [36]

In IM, the best way to prevent identity and other information theft is to use an IM service that allows encryption. Unnecessary file transfers via IM should also be restricted.

Another suggestion is the use of Really Simple Syndication (RSS) as an alternative to joining an e-mailing list. The RSS feed is secure because there is no need for an e-mail address; it merely gets the desired material from the feed’s server.
It makes the inbox and spam mail easier to manage as well as reducing the risk of spyware infiltration. [31]

To confound IRC bots, McAfee experts suggest the use of IRC servers in constructing an IRC honeypot and a network sniffer. The sniffer identifies the IRC channel used by the malicious bot, the IRC honeypot routes all IRC channels to pass through it, and an outbound query is allowed. A rogue bot will try to home in on the attacker’s IRC server, and the honeypot then issues commands to uninstall the bot. [44]

Enterprise Security Governance

On the executive level, the Carnegie Mellon Software Engineering Institute (SEI) reports in “Governing for Enterprise Security” that the need to address information security as an enterprise-level governance concern is paramount. It identified several characteristics that define a company that employs governance in enterprise security:

- Security is given the same importance as other aspects of business;
- Security is part of the organization’s strategic planning cycle;
- Security is considered an integral part of all enterprise functions;
- Key executives and network staff alike have an appreciation of the responsibilities and issues involved in network security.

Because of the prevalence of confidentiality breaches in the corporate world and the high costs involved in such breaches, an enterprise with a strong, healthy respect and care for the security of the information in its care, but still with the ability to communicate efficiently and effectively with its clients, will come across as a company that can be relied on and trusted. [29]

AT&T’s Research Labs president Hossein Eslambolchi agrees that security cannot be an afterthought, and states that the state of network security is so pathetic that hackers can bring down a whole network with very little effort.
[13]

Government Initiatives

The US government has come to realize the real threat of security and information breaches, especially when they involve government agencies. Several initiatives deal with ensuring vigilance in both public and private enterprises that deal with network security.

The E-Government Act 2002, a privacy assessment mandate that is designed to protect the personal information of citizens who volunteer their data on government sites, is touted as one of the most significant privacy guidelines. The aim of the mandate is to ease the government into e-government, overcome resistance to change and emphasize the need for cyber-security and privacy as well as coordination concerns. [21]

Another government mandate is the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which came into effect in April 2005 and regulates the use of e-mail and other Internet-based communications by health professionals in efforts to secure sensitive medical information. The guidelines are particularly focused on some key points that may arise in clinician-patient communication. The rule of thumb is that e-mail is most probably not secure, and health professionals should not solicit confidential patient information via e-mail, nor should patients supply such information. If it is absolutely imperative, the guidelines require that such e-mail be encoded and encrypted. In cases of sharing benchmarking information and statistical data, it would be advisable to take out pertinent patient information as much as possible. There are 18 HIPAA Patient Identifiers that should be taken out, a list available on the HIPAA website (www.hipaa.org). [3]

With regard to schools, some efforts at the district level are being made to establish some security guidelines to protect the integrity of school records.
The Consortium for School Networking, together with the Mass Networks Education Partnership in Allston, Mass., has produced the Cyber Security for a Digital District program (www.securedistrict.cosn.org), which provides administrators with an outline of what constitutes a secure database. [43] However, cost is still a major consideration for many school districts, one that has no immediate solution unless administrators and school boards alike are convinced of the importance of cyber-security in the schools.

There have been some suggestions that law enforcement agencies take a more offensive stance against cyber criminals and the ISPs that host such activities, but this move is fraught with legal and ethical issues. Cyber crime is difficult to pin down because it is nearly amorphous in character. Unless it is proven without doubt that such a person or ISP is knowingly involved in the commission of cyber crimes such as identity theft, any law enforcement action against what may prove to be an innocent party, who may in turn be a victim, would be ineffective.

A recent development has been an unprecedented move by the US District Court in Alexandria, Va. On behalf of Project Honey Pot of anti-spam company Unspam Technologies, a $1 billion lawsuit was filed against spammers as well as those who harvest e-mail addresses for spammers. The lawsuit is the first and largest of its kind, made possible by the efforts of members of Project Honey Pot, who have been able to gather enough data to prosecute the alleged perpetrators with the use of the honey pot software, which identifies spam mail and the IP addresses of the e-mail harvesters. The gathered data will enable prosecutors to subpoena ISP records for the involved IP addresses and their owners. The results of this litigation could well give cyber criminals at least a pause in their activities.
[28]

Outstanding Issues

One of the main problems with countering unauthorized invasions is the lack of government spending on network security. Moreover, universities are churning out an inadequate supply of graduates with enough knowledge of network security to come up with practical and effective counters to what hackers can devise. According to National Academy of Engineering (NAE) president William Wulf, there are perhaps about 200 serious computer security researchers in the US. Academic research is also notoriously slow in coming out with publications, much too slow to be of practical use given the rapid development of cyber-crime. Much of the brain drain is due to the demand of private enterprises, which pay a lot better than academic research, for talent to staff short-term projects that have nothing to do with security research. Purdue University Professor Eugene Spafford likens the attitude to security issues to the way most people view insurance. Timothy J. Shimeall, a senior technical staff member of the Software Engineering Institute’s Networked Systems Survivability Program, agrees. Not enough attention and resources are devoted to security issues until they become a problem. As for those who are involved in academic research in security, most of the work is theoretical, with little or no practical basis, according to Columbia University computer science professor Salvatore J. Stolfo. [30]

Another issue that has yet to be addressed is the management of the distributed-computing environment, in which the traditional, centralized concept of a security perimeter, known as the Orange Book architecture of the US Department of Defense’s Trusted Computer System Evaluation Criteria, is of little use. What is needed is a long-term, systemic, non-theoretical view of the problem, rather than disaster management and short-term product cycle thinking.
A survey, called the Risk of Sharing, of 300 companies in the US, UK and Australia revealed gaps in the business communications process due mainly to lack of process auditability, inadvertent exposure of confidential data, review cycle inaccuracies and resource loss through dealing with spam, amendments and approvals. [5]

It has also been observed that many companies fail to make full use of the security software they already possess, and the reason for this appears to be data overload. When security software provides audit information on attempted invasions, it spews out a lot of information, much of it extraneous. Systems analysts must figure out which are the significant entries out of thousands, and some companies resort to outsourcing the work. [25]

Conclusion

The story of infected networks and compromised information has become all too familiar, a state of affairs that has begun to make itself felt with a vengeance. Of particular concern is the increasing number of incidents of identity theft. It is of concern to the individuals and corporations that are directly affected by it, but it is also a matter of national security, especially since the onslaught of terrorist attacks on the US. One side of hacker economics is the selling of legitimate identities to identified individuals who are persona non grata in the US. Identity theft should thus be a priority for individuals, business entities and government agencies alike.

Efforts by researchers to come up with defensive foils to stem the malware tide have met with mixed success, as each step toward successfully battling existing threats is countered by newer, more sophisticated and more dangerous threats. The economics behind the hacking industry has become huge as the world becomes more and more enmeshed in the cyber world, and the opportunities for profit are increasing as more and more industries hook up.
However, the benefits of being connected still outweigh the drawbacks, and the key to maintaining equilibrium is vigilance. On the far end of the security spectrum are government agencies that exact compliance with security regulations to deter cyber crime. Businesses follow suit as required because it is also to their benefit to do so, although many small companies resist because they have yet to feel the squeeze of an all-out hack attack. Big enterprises are more in the picture because they are bigger targets, although hackers are migrating more and more to softer targets whose resistance to regulations makes them more vulnerable to attack.

On the other end of the spectrum is the individual user, whether in the office or home setting. It is the responsibility of each user to be aware of the dangers, whether they are hooked up to a local area network with the potential to infect from two to 50 other terminals because of a security suite that lacks maintenance, or are a home user with an address book full of friends and family, which has the potential of spreading malware with the ease of a click of a mouse. The tools to combat malicious cyber crime are available, but users need to be educated about their responsibilities. Users need to be vigilant about their computer use, their e-mails, their IM sessions, even their browsing behavior. As Uncle Ben said to Peter Parker, “with great power comes great responsibility.” Being interconnected has unleashed great power, and the responsibility to harness this power for the common good is very much in the hands of each user.

Acknowledgment

References

“Bill authorizes $877 million for cyber security research.” Communications Today. December 7, 2001. Retrieved April 27, 2007 from http://findarticles.com/p/articles/mi_m0BMD/is_228_7/ai_80639935

“CinTel develops a network security solution that enables content filtering proxy.” EDP Weekly IT Monitor. August 8, 2005.
Retrieved April 27, 2007 from http://findarticles.com/p/articles/mi_m0GZQ/is_30_46/ai_n14939952

“Do your e-mails comply with new security regs? HIPAA regs cover security and confidentiality.” HealthCare Benchmarks and Quality Improvement. May 2005. Retrieved April 26, 2007 from http://findarticles.com/p/articles/mi_m0NUZ/is_5_12/ai_n13759944

“Global threat trends in March 2007.” com. April 3, 2007. Retrieved April 27, 2007 from http://www.eset.eu/press_release_threats_march

“New research uncovers security and audit risks.” International Journal of Micrographics Optical Technology. Retrieved April 27, 2007 from http://findarticles.com/p/articles/mi_qa4077/is_200501/ai_n1363351

“Organisations fear network security threats from Instant Messaging.” Internet Business News. October 3, 2005. Retrieved April 27, 2007 from http://findarticles.com/p/articles/mi_m0BNG/is_2005_Oct_3/ai_n15658965

“Research by prevention reveals UK home PC user are turning to DIY security.” Internet Business News. July 6, 2005. Retrieved April 26, 2007 from http://findarticles.com/p/articles/mi_m0BNG/is_2005_July_6/ai_n14724817

“RSA survey reveals online security concerns.” Internet Business News. August 22, 2005. Retrieved April 27, 2007 from http://findarticles.com/p/articles/mi_m0BNG/is_2005_August_22/ai_n14924483

“Security appliance protects consumer data with encryption.” ThomasNet, Incorporated. February 27, 2007. Retrieved April 27, 2007 from http://findarticles.com/p/articles/mi_m0PIL/is_2007_March_19/ai_n18727208

“Security system strengthens phone authentication processes.” Product News Network. November 13, 2006. Retrieved April 27, 2007 from http://findarticles.com/p/articles/mi_m0PIL/is_2006_Nov_13/ai_n16836088

“Security.” Telecom Asia. August 2003. Retrieved April 26, 2007 from http://findarticles.com/p/articles/mi_m0FGI/is_8_14/ai_108312261

“Security.” Telecom Asia. December 2004.
Retrieved April 27, 2007 from http://findarticles.com/p/articles/mi_m0FGI/is_12_15/ai_n9481318

“Security.” Telecom Asia. June 2005. Retrieved April 27, 2007 from http://findarticles.com/p/articles/mi_m0FGI/is_6_16/ai_n16879846

“Software automates and maintains PC security programs.” Product News Network. September 28, 2005. Retrieved April 27, 2007 from http://findarticles.com/p/articles/mi_m0PIL/is_2005_Sept_28/ai_n15636236

“RSS network optimization, fraud prevention tools take demo stage.” eWEEK.com. February 6, 2006. Retrieved April 27, 2007 from http://www.eweek.com/article2/0,1759,1920117,00.asp?kc=EWNKT0209KTX1K0100440

“ID thieves turn sights on smaller e-businesses: for online shoppers, security seals no guarantee that hackers aren’t watching.” Washingtonpost.com. September 28, 2006. Retrieved April 27, 2007 from http://findarticles.com/p/articles/mi_m0NTQ/is_2006_Sept_28/ai_n16753298

“Can ID theft be solved with more regulation?” eWEEK.com. February 8, 2007. Retrieved April 26, 2007 from http://www.eweek.com/article2/0,1895,2092459,00.asp

Prince. “Report shows spike in online identity theft.” eWEEK.com. January 16, 2007. Retrieved April 27, 2007 from http://www.eweek.com/article2/0,1895,2084453,00.asp

[20] C. Garretson. “Barracuda Networks enhances reputation analysis technology with behavior data.” Network World. April 17, 2007. Retrieved April 27, 2007 from http://www.networkworld.com/news/2007/041707-barracuda-e-mail-security-appliance-profiling.html

Webb. “Government IT Review.” Washingtonpost.com. October 2, 2003. Retrieved April 27, 2007 from http://findarticles.com/p/articles/mi_m0NTQ/is_2003_Oct_2/ai_108454056

Chandler. “Storage services for data security: big business byte for enlightened operators.” Telecommunications Americas. August 2005.
Retrieved April 26, 2007 from http://findarticles.com/p/articles/mi_m0NUH/is_9_39/ai_n15631277

Kuhn, T. Walsh and S. Fries. “Security considerations for Voice over IP systems.” January 2005. National Institute of Standards and Technology, Gaithersburg, MD 20899-8930.

Sweeney. “Focus turns to network security: while many consider the telecoms infrastructure a vulnerable target for terrorists, the more immediate threats are attacks by individual hackers and authors of malicious code, which are presenting new security challenges for service providers.” Telecom Asia. January 2005. Retrieved April 27, 2007 from http://findarticles.com/p/articles/mi_m0FGI/is_1_16/ai_n9772934

Shein. “Spy vs. spy: companies are spending billions on network security, but staying ahead of hackers may be a pipe dream.” CFO: Magazine for Senior Financial Executives. February 2004. Retrieved April 27, 2007 from http://findarticles.com/p/articles/mi_m3870/is_2_20/ai_113051525

Paget. “Identity theft.” McAfee Avert Labs. December 15, 2006. Retrieved April 27, 2007 from www.mcafee.com

McPartlin. “Somebody’s watching you: spyware has come in from the cold to become corporate America’s top security threat.” CFO: Magazine for Senior Financial Executives. Summer 2005. Retrieved April 27, 2007 from http://findarticles.com/p/articles/mi_m3870/is_9_21/ai_n15787661

Vijayan. “E-mail harvesters hit with $1 billion antispam lawsuit.” Computerworld. April 26, 2007. Retrieved April 27, 2007 from http://www.networkworld.com/news/2007/042607-e-mail-harvesters-hit-with-1b.html

Whitley. “Report stresses security governance.” Internal Auditor. October 2005. Retrieved April 27, 2007 from http://findarticles.com/p/articles/mi_m4153/is_5_62/ai_n15763501

[30] L. Paulson. “Wanted: More Network-Security Graduates and Research.” Computer Science at the University of Virginia. February 1, 2002.
Retrieved April 27, 2007 from http://www.cs.virginia.edu/csnews/show.php?artID=79

Seltzer. “Security watch: Windows wireless threat…not.” PC Magazine. January 2006. Retrieved April 26, 2007 from http://findarticles.com/p/articles/mi_zdpcm/is_200601/ai_n16015170

Seltzer. “Security Watch: Windows, Firefox, Winamp, all report flaws.” PC Magazine. February 2006. Retrieved April 26, 2007 from http://findarticles.com/p/articles/mi_zdpcm/is_200602/ai_n16043071

Vaas. “Tools will help personalize ID theft by 2010.” eWEEK.com. April 19, 2007. Retrieved April 27, 2007 from http://www.eweek.com/article2/0,1895,2115879,00.asp

Vaas. “JavaScript attacks get slicker.” eWEEK.com. April 18, 2007. Retrieved April 27, 2007 from http://www.eweek.com/article2/0,1895,2115638,00.asp

Hines. “Cookie holes expose browsers.” eWEEK.com. January 31, 2006. Retrieved April 27, 2007 from http://www.eweek.com/article2/0,1895,1917283,00.asp

Hogan. “Not-so-good fellas: keep the bad guys at bay with these steps to improve your company’s computer security.” Entrepreneur. June 2004. Retrieved April 27, 2007 from http://findarticles.com/p/articles/mi_m0DTI/is_6_32/ai_n6055133

Hindocha. “Instant insecurity: security issues of instant messaging.” Security Focus. January 13, 2003. Retrieved April 27, 2007 from http://www.securityfocus.com/infocus/1657

Roberts. “FBI computer crime survey finds widespread attacks.” eWEEK.com. January 20, 2006. Retrieved April 27, 2007 from http://www.eweek.com/article2/0,1895,1913633,00.asp

Roberts. “IBM predicts 2006 security threat trends.” eWEEK.com. January 23, 2006. Retrieved April 27, 2007 from http://www.eweek.com/article2/0,1895,1913864,00.asp

Poe. “VoIP industry moves to bolster network security: new group to define requirements.” America’s Network. May 2005. Retrieved April 26, 2007 from http://findarticles.com/p/articles/mi_m0DUJ/is_5_109/ai_n15622587

Roach.
â€Å"Cybersecurity research at two schools gets boost from ATT Foundation.† Black Issues in Higher Education. July 1, 2004. Retrieved April 27, 2007 from http://findarticles.com/p/articles/mi_m0DXK/is_10_21/ai_n6145384 Roach. â€Å"Virginia universities team up on nations cyber security; focus on public policy and law gives research effort unique focus.† Black Issues in Higher Education. June 20, 2002. Retrieved April 26, 2007 from http://findarticles.com/p/articles/mi_m0DXK/is_9_19/ai_89077199 Lafee. â€Å"Cyber security at the distriCt level: are you ready to prevent unlawful, unauthorized or simply misguided use of your technology?† School Administrator. April 2005. Retrieved April 27, 2007 from http://findarticles.com/p/articles/mi_m0JSD/is_4_62/ai_n13667747 Thomas and N. Jyoti. â€Å"Defeating IRC bots on the internal network.† McAfee Avert Labs. February 6, 2007. Retrieved April 27, 2007 from www.virusbtn.com
