IT Crimes & Cyberattacks and The Legislation Relevant To Information Technology
CYBERATTACKS AND THE LEGISLATION RELEVANT TO INFORMATION TECHNOLOGY
1. Malware Attack
This is one of the most common types of cyberattacks. “Malware” refers to malicious software, including viruses, worms, spyware, ransomware, adware, and trojans.
A trojan disguises itself as legitimate software. Ransomware blocks access to the network's key components, whereas spyware is software that steals your confidential data without your knowledge. Adware is software that displays advertising content such as banners on a user's screen.
Malware breaches a network through a vulnerability: when the user clicks a dangerous link or downloads an email attachment, or when an infected pen drive is used.
10 TYPES OF CYBER ATTACKS YOU SHOULD BE AWARE OF IN 2023
2. Phishing Attack
Phishing attacks are one of the most prominent and widespread types of cyberattacks. It is a type of social engineering attack wherein an attacker impersonates a trusted contact and sends the victim fake emails.
Unaware of this, the victim opens the email and clicks on the malicious link or opens the email's attachment. By doing so, attackers gain access to confidential information and account credentials. They can also install malware through a phishing attack.
3. Password Attack
It is a form of attack wherein a hacker cracks your password with various programs and password cracking tools like Aircrack, Cain & Abel, John the Ripper, Hashcat, etc. There are different types of password attacks, such as brute force attacks, dictionary attacks, and keylogger attacks.
Listed below are a few ways to prevent password attacks:
• Use strong alphanumeric passwords with special characters.
• Abstain from using the same password for multiple websites or accounts.
• Update your passwords; this will limit your exposure to a password attack.
• Do not have any password hints in the open.
4. Man-in-the-Middle Attack
A Man-in-the-Middle Attack (MITM) is also known as an eavesdropping attack. In this attack, an attacker inserts themselves into a two-party communication, i.e., the attacker hijacks the session between a client and host. By doing so, hackers steal and manipulate data.
As seen in the diagram, the direct client-server communication has been cut off, and instead, the communication line goes through the hacker.
MITM attacks can be prevented by following the below-mentioned steps:
• Be mindful of the security of the website you are using. Use encryption on your devices.
• Refrain from using public Wi-Fi networks.
6. Denial-of-Service Attack
A Denial-of-Service Attack is a significant threat to companies. Here, attackers target systems, servers, or networks and flood them with traffic to exhaust their resources and bandwidth.
When this happens, handling the incoming requests becomes overwhelming for the servers, and the websites they host either shut down or slow down. This leaves legitimate service requests unattended.
It is known as a DDoS (Distributed Denial-of-Service) attack when attackers use multiple compromised systems to launch the attack.
7. Insider Threat
As the name suggests, an insider threat does not involve a third party but an insider. In such a case, it could be an individual from within the organization who knows everything about the organization. Insider threats have the potential to cause tremendous damage.
Insider threats are rampant in small businesses, as the staff there hold access to multiple accounts with data. Reasons for this form of attack are many: greed, malice, or even carelessness. Insider threats are hard to predict and hence tricky to defend against.
8. Cryptojacking
The term cryptojacking is closely related to cryptocurrency. Cryptojacking takes place when attackers use someone else’s computer for mining cryptocurrency.
Access is gained by infecting a website or manipulating the victim into clicking a malicious link. Attackers also use online ads carrying JavaScript code for this. Victims are unaware of it, as the crypto mining code runs in the background; a slowdown in execution is the only sign they might notice.
9. Zero-Day Exploit
A Zero-Day Exploit happens after the announcement of a network vulnerability for which, in most cases, there is no solution yet. The vendor announces the vulnerability so that users are aware of it; however, this news also reaches the attackers.
Depending on the vulnerability, the vendor or the developer could take any amount of time to fix the issue. Meanwhile, the attackers target the disclosed vulnerability, making sure to exploit it before a patch or solution is implemented.
Let's now see how we can prevent the watering hole attack:
• Update your software to reduce the risk of an attacker exploiting vulnerabilities. Make sure to check for security patches regularly.
• Use your network security tools to spot watering hole attacks. Intrusion prevention systems (IPS) work well when it comes to detecting such suspicious activities.
• To prevent a watering hole attack, it is advised to conceal your online activities. For this, use a VPN and also make use of your browser’s private browsing feature. A VPN delivers a secure connection to another network over the Internet. It acts as a shield for your browsing activity. NordVPN is a good example of a VPN.
HOW TO PREVENT CYBER ATTACKS?
Although we had a look at several ways to prevent the different types of cyberattacks we
discussed, let's summarize and look at a few personal tips which you can adopt to avoid a
cyberattack on the whole.
• Change your passwords regularly and use strong alphanumeric passwords which are difficult to crack. Refrain from using passwords so complicated that you would tend to forget them. Do not use the same password twice.
• Update both your operating system and applications regularly. This is a primary prevention method for any cyber attack, as it removes vulnerabilities that hackers tend to exploit. Use trusted and legitimate antivirus protection software.
• Use a firewall and other network security tools such as intrusion prevention systems, access control, application security, etc.
• Avoid opening emails from unknown senders. Scrutinize the emails you receive for loopholes and significant errors.
• Make use of a VPN. This encrypts the traffic between the VPN server and your device.
• Regularly back up your data. According to many security professionals, it is ideal to have three copies of your data on two different media types and another copy in an off-site location (cloud storage). Hence, even in the course of a cyber attack, you can erase your system’s data and restore it from a recently performed backup.
• Employees should be aware of cybersecurity principles. They must know the various types of cyberattacks and ways to tackle them.
CYBERCRIMES IN THE PHILIPPINES AND ASIA PACIFIC
Kroll, an independent provider of global risk and financial advisory solutions, today announced its report State of Incident Response: Asia Pacific. The report finds that businesses in Asia Pacific and the Philippines are feeling the impact of cyberattacks, but many are yet to build appropriate response plans or have regular access to relevant cyber expertise. One of the notable findings is that 3 out of 4 businesses in the Philippines have experienced a cyberattack, much higher than the APAC average of 59%.
The report was commissioned by Kroll and conducted by Opinium. It surveyed 700 decision-makers (IT, risk, security and legal professionals) evenly split across the following Asia Pacific markets: Hong Kong, Singapore, Malaysia, Philippines, Australia, Indonesia and Japan.
HISTORY AND WHY THE ACT WAS CREATED
The legislation sought to both improve the reliability of public companies' financial reporting and restore investor confidence in the wake of high-profile cases of corporate crime.
The act was named for its sponsors: U.S. Sen. Paul Sarbanes (D-Md.) and U.S. Rep. Michael Oxley (R-Ohio). Former U.S. President George W. Bush, who signed the act into law on July 30, 2002, called the act "the most far-reaching reforms of American business practices since the time of Franklin Delano Roosevelt."
Federal lawmakers enacted the Sarbanes-Oxley Act in large part due to corporate scandals at the start of the 21st century. One such scandal involved energy firm Enron Corp. Enron was considered one of the largest, most successful and innovative companies in the United States.
• Around 2000, Enron unraveled in less than two years as both the company's fraudulent
practices and its executives' criminal activities came to light.
• Similarly, the telecommunications giant WorldCom became embroiled in scandal as its own
fraudulent accounting practices made the news. After filing for bankruptcy in 2002, the
company was hit with a $750 million SEC fine. Its chief executive officer (CEO) was
sentenced to 25 years in prison, and the chief financial officer (CFO) received a five-year
jail sentence as a result of criminal charges in the case.
• The financial scandal at Tyco International also preceded the Act. In this case, the
company's former CEO and CFO were convicted of stealing hundreds of millions of dollars
from the company, falsifying business records and violating other business laws. The Act
enhanced accounting compliance regulations to keep such a scandal from occurring again.
KEY PROVISIONS AND REQUIREMENTS
There are 11 titles to SOX, each of which contains sections detailing requirements and responsibilities as well as possible penalties for non-compliance.
• Title I: Public Company Accounting Oversight Board (PCAOB)
• Title II: Auditor Independence
• Title III: Corporate Responsibility
• Title IV: Enhanced Financial Disclosures
• Title V: Analyst Conflicts of Interest
• Title VI: Commission Resources and Authority
• Title VII: Studies and Reports
• Title VIII: Corporate and Criminal Fraud Accountability
• Title IX: White Collar Crime Penalty Enhancement
• Title X: Corporate Tax Returns
• Title XI: Corporate Fraud Accountability
Two sections of particular note are Section 302 and Section 404.
• Section 302 pertains to "Corporate Responsibility for Financial Reports." It established, in
part, that CEOs and CFOs must review all financial reports and that the reports are "fairly
presented" and don't contain misrepresentations. This section also established that CEOs
and CFOs are responsible for internal accounting controls. The Act requires year-end
financial disclosure reports and that all financial reports come with an Internal Controls
Report. Financial disclosures must contain reporting of material changes in financial
condition.
• Section 404 deals with "Management Assessment of Internal Controls" and requires
companies to publish details about their internal accounting controls and their procedures
for financial reporting as part of their annual financial reports. Section 404 requires
corporate executives to personally certify the accuracy of their company's financial
statements and makes them individually liable if the SEC finds violations.
The Whistleblower Protection Act under the Sarbanes-Oxley Act mandates protection for
whistleblowers, stating that employees and contractors who report fraud and/or testify about
fraud to the Department of Labor are protected against retaliation, including dismissal and
discrimination.
Other key provisions and requirements under the Act include:
• mandated disclosure in periodic reports of off-balance-sheet transactions and relationships that could impact financial status;
• near-ubiquitous prohibition of personal loans from a corporation to executives;
• establishment of fines and terms of imprisonment for tampering with or destroying documents in the event of investigations or court action; and
• requirements for attorneys who represent public companies before the SEC to report securities violations to the CEO.
AUDITING UNDER THE SARBANES-OXLEY ACT
The Sarbanes-Oxley Act also created new requirements for corporate auditing practices.
Among its many requirements, the Act requires public corporations to hire independent
auditors to review their accounting practices and defines the rules of engagement for
corporate audit committees and external auditors.
It also created rules for separation of duties by detailing a number of non-audit services that
a company's auditor cannot perform during audits. These rules are designed to further guard
against fraudulent financial practices and conflicts of interest.
Furthermore, the Act led to the creation of the Public Company Accounting Oversight Board
(PCAOB), which sets standards and rules for audit reports. Under the Act, all accounting firms
that audit public companies are required to register with the PCAOB. The PCAOB investigates
and enforces compliance at the registered accounting firms.
PENALTIES FOR NONCOMPLIANCE WITH SOX
Noncompliance penalties vary according to the section violated and are at their greatest when information has been deliberately falsified, altered, or destroyed. They range from the loss of exchange listing and loss of directors and officers (D&O) liability insurance to multimillion dollar fines and prison sentences for company officers.
If a CEO or CFO knowingly certifies a periodic report that does not satisfy the requirements of
the Act, he or she is subject to fines of up to $1 million and imprisonment for up to 10 years.
If he or she falsifies the certification willfully, the fine may be up to $5,000,000 and
imprisonment up to 20 years.
CRITICISM OF THE SARBANES-OXLEY ACT
The Act had critics from the start, including many executives who felt they were unfairly
burdened by new regulations due to the dishonest and negligent acts of a few others. In
2008, Newt Gingrich blamed the financial crisis on the Act, citing it as the reason for a low
number of initial public offerings, and asked Congress to repeal the Act.
Critics also charged that the Act was a politically motivated reaction to a few, albeit high-profile, corporate financial scandals and that the law would hinder competition and business growth.
Corporate leaders also voiced concerns that meeting the regulations laid out in the Sarbanes-Oxley Act would take too much executive time and that compliance costs would amount to an exorbitant amount of money. Many complained about Section 404 in particular and said it was overly burdensome.
BENEFITS OF THE SARBANES-OXLEY ACT
On the other hand, some business leaders acknowledged the need for improvements and felt
the Act could spur better financial practices that would benefit companies and their
stakeholders.
Indeed, even some of those skeptical of the Act when it was first passed later acknowledged
its benefits as the law was fully implemented in subsequent years.
Specifically, proponents of the law acknowledged that the Act helped businesses improve
their financial management by strengthening controls, standardizing processes, improving
documentation and creating stronger board oversight.
Studies also have found that the Act increased investor confidence.
UPDATES SINCE ITS INCEPTION
Despite early and ongoing criticism, the Sarbanes-Oxley Act remains in place, essentially
unchanged from when it was first enacted in 2002, with studies showing that the law
improves financial reporting.
However, many business leaders continue to believe that the resources required to meet the
law's mandates are burdensome, noting that research has found that smaller companies are
disproportionately burdened by the Act.
Although proponents and critics continue to assess the overall impact of the law, it is seen as the most significant piece of securities legislation since the Securities Exchange Act of 1934.
ISO 27001
ISO/IEC 27001:2013 (ISO 27001) is an international standard that helps organizations manage the security of their information assets. It provides a management framework for implementing an ISMS (information security management system) to ensure the confidentiality, integrity, and availability of all corporate data (such as financial information, intellectual property, employee details or information managed by third parties).
The ISO 27001 framework was published in 2013 by the ISO (International Organization for Standardization) and IEC (International Electrotechnical Commission) and belongs to the ISO 27000 family of standards. It is the only internationally recognized certifiable information security standard.
ISO 27001 is supported by its code of practice for information security management, ISO/IEC 27002:2013, which explains how to implement information security controls for managing information security risks.
WHAT IS ISO 27001 CERTIFICATION?
ISO 27001 certification demonstrates that your organization has invested in the people,
processes, and technology (e.g., tools and systems) to protect your organization’s data and
provides an independent, expert assessment of whether your data is sufficiently protected.
Certification is achieved through an accredited certification body. It provides evidence to your
consumers, investors, and other interested parties that you are managing information
security according to international best practices.
ISO 27001 compliance is becoming increasingly important as regulatory requirements (such
as the GDPR, HIPAA, and CCPA) pressure organizations to protect their consumer and
personal data.
Certification can be obtained once a certification body has conducted an external audit.
Auditors will review the organization’s practices, policies, and procedures to assess whether
the ISMS meets the requirements of the Standard.
Certification usually lasts for three years, but organizations have to conduct routine internal
audits as a continual improvement process.
Once certified, a certification body will usually conduct an annual assessment to monitor
compliance.
WHAT IS AN ISMS (INFORMATION SECURITY MANAGEMENT SYSTEM)?
ISO 27001 consists of 114 controls (included in Annex A and expanded on in ISO 27002) that provide a framework for identifying, treating, and managing information security risks.
A summary of the ISO/IEC 27001:2013 controls
In addition to the controls, ISO 27001 comprises ten management system clauses that guide an ISMS's implementation, management and continual improvement.
1, 2, and 3: Scope, normative references, and terms and definitions
4: Context of the organization
5: Leadership
6: Planning
7: Support
8: Operation
9: Performance evaluation
10: Improvement
ISO 27001 CONSULTING SERVICES
In addition to training, software and compliance tools, IT Governance provides specialist ISO
27001 consulting services to support compliance with the Standard. This includes an ISO
27001 gap analysis and resource determination, scoping, risk assessments, strategy, and
more.
SARBANES–OXLEY AND ISO 27001
ISO/IEC 27001 is the ideal solution for businesses that need to ensure that they comply with
Sarbanes–Oxley IT control requirements. The rapidly changing world of corporate governance
makes it essential for listed companies to implement effective IT governance structures.
Organizations with multiple compliance requirements (such as SOX, HIPAA, the PCI DSS, and
the GLBA) often seek registration to ISO 27001, since this international standard can
centralize and simplify disjointed compliance efforts.
RULES OF CONDUCT FOR AUDITORS
Integrity
Auditors:
• Shall perform their work with honesty, diligence, and responsibility.
• Shall observe the law and make disclosures expected by the law and the profession.
• Shall not knowingly be a party to any illegal activity, or engage in acts that are
discreditable to the profession of internal auditing or to the organization.
• Shall respect and contribute to the legitimate and ethical objectives of the organization.
Objectivity
Auditors:
• Shall not participate in any activity or relationship that may impair or be presumed to
impair their unbiased assessment. This participation includes those activities or
relationships that may be in conflict with the interests of the organization.
• Shall not accept anything that may impair or be presumed to impair their professional
judgment.
• Shall disclose all material facts known to them that, if not disclosed, may distort the
reporting of activities under review.
Confidentiality
Auditors:
• Shall be prudent in the use and protection of information acquired in the course of their
duties.
• Shall not use information for any personal gain or in any manner that would be contrary to
the law or detrimental to the legitimate and ethical objectives of the organization.
Competency
Auditors:
• Shall engage only in those services for which they have the necessary knowledge, skills,
and experience.
• Shall perform internal audit services in accordance with the International Standards for
the Professional Practice of Internal Auditing (Standards).
• Shall continually improve their proficiency and the effectiveness and quality of their
services.
WHAT IS AN ETHICAL ISSUE/DILEMMA
An ethical issue is a circumstance in which a moral conflict arises in the workplace; thus, it is
a situation in which a moral standard is being challenged.
Ethical issues in the workplace occur when a moral dilemma emerges and must be resolved
within a corporation. Many areas of a company's general operating standards can be affected
by ethical issues. Although each ethical dilemma is unique, there are a few commonalities.
In every ethical dilemma, right and wrong choices exist. When faced with an ethical issue, one must choose between doing the right thing and doing the wrong thing. There may be no right or wrong answer when faced with a common challenge or issue. A person may suffer harm as a result of a wrong decision in an ethical quandary. The harm may be limited to physical discomfort, but it might also include emotional distress. Ethical dilemmas also frequently involve legal issues. Ethical behavior is an important component of obeying the law.
A high ethical standard might lead to increased costs for a corporation. This is because
ethically sourced products tend to be more expensive. As a result, the corporation may fear a
loss in market share and profit margins due to the policy. Individuals and businesses can
both suffer from unethical conduct. Moreover, behavior that harms an organization's
reputation, morale, or production can lead to significant fines and financial losses.
Business ethics raise the bar for acceptable conduct above and beyond what the government
may mandate. Companies use business ethics to maintain the trust of key stakeholders and
the integrity of their employees. This leads to better decision-making and higher morale in the
workplace.
FIVE MOST IMPORTANT ETHICAL ISSUES IN TECHNOLOGY
4. Use of AI
Artificial intelligence certainly offers great business potential. But, at what point do AI
systems cross an ethical line into dangerous territory?
• Facial recognition: Use of software to find individuals can quickly become a less-than-ethical
problem. According to the NY Times, there are various concerns about facial recognition,
such as misuse, racial bias and restriction of personal freedoms. The ability to track
movements and activity quickly morphs into a lack of privacy. Facial recognition also isn’t
foolproof and can create bias in certain situations.
• Replacement of jobs: While this is anticipated to a certain degree, AI is meant to increase
automation of low-level tasks in many situations so that human resources can be used on
more strategic initiatives and complicated job duties. The large-scale elimination of jobs has
many workers concerned about job security, but AI is more likely to lead to job creation.
• Health tracking: The pandemic brought contact tracing into the mainstream. Is it ethical to
track the health status of people and how will that impact the limitations we place on
them?
• Bias in AI technology: Technology is built by programmers and inherits the bias of its
creators because humans inherently have bias. “Technology is inherently flawed. Does it
even matter who developed the algorithms? AI systems learn to make decisions based on
training and coding data, which can be tainted by human bias or reflect historical or social
inequities,” according to Forbes. Leading AI developer Google has even experienced an
issue where AI software believes male nurses and female historians do not exist.
5. Autonomous Technology
• Self-driving cars, robotic weapons and drones for service are no longer a thing of the future; they are a thing of the present, and they come with ethical dilemmas. Robotic machines in place of human soldiers are a very real possibility, along with self-driving cars and package delivery via unmanned drone.
• Autonomous technology packs a punch when it comes to business potential, but there is
significant concern that comes with allowing programmed technology to operate seemingly
without needed oversight. It’s a frequently mentioned ethical concern that we trust our
technology too much without fully understanding it.
6 QUESTIONS TO ASK YOURSELF WHEN CONFRONTED WITH ETHICAL ISSUES
Unlike business ethics, ethical technology is about ensuring that a moral relationship exists between technology and users.
It is the policy of the State to protect the fundamental human right of privacy, of
communication while ensuring free flow of information to promote innovation and growth. The
State recognizes the vital role of information and communications technology in nation-
building and its inherent obligation to ensure that personal information in information and
communications systems in the government and in the private sector are secured and
protected.