| Increase effort |
Increase Risks |
Reduce Rewards |
Reduce Provocation |
Remove Excuses |
1.Harden targetFirewalls [Bee05,Bro07a,Mor04b,New03]Vulnerability patches [Bee05,Mor04b]Encryption [Bro07a]ISP as a first line of defence [Mor04b]IDS [Mor04b]Closed ports [Bee05]Antivirus [Bro07a]Promote security best practice [Mor04b]Safeguards for children [Mor04b]Industry should develop and promote greater use of deterrents [Mor04b]Design and build systems for a hostile Internet, not a trusted one [Mor04b]Government action should be informed by risk analysis [Mor04b]Initiatives need to focus on smaller firms and individuals [Mor04b]Build security requirements into the design of IT systems and outsourcing arrangements [Mor04b]Companies should use a best practice patching and security configuration checking policy [Mor04b]More focus on e-crime prevention rather than response [Mor04b]Design security into operating system languages [New03]Design out security holes in software [New03]Keep computing devices in a physically secure place [New03]Robust packaging for home delivery [New03]Keyless entry and ignition for delivery vehicles [New03]RFID Verification that purchased product meets relevant standard [Whi09]Limit exposure -- Do not accept any messages from unknown parties, do not reciprocate (L:6,7,8) [Rey10]Limit exposure -- If you choose to participate, keep personal information vague (for example, do not give out address or phone number) (L:5) [Rey10]Limit exposure -- do not divulge personal information (L:1,2,3,4,9) [Rey10]Limit exposure -- Never reply to a cyberstalker (L:1,2,3,4) [Rey10]Limit exposure -- Change online identity if necessary (L:3,4) [Rey10]Limit exposure -- Stay out of problem chat rooms (L:9) [Rey10] |
6.Extend guardianshipRFID [Bro07a]Use Fraud Information Gathering System (FIGS) [Bro07a]RFID readers in second-hand shops and routinely used in vet/PDSA clinics? [Whi09]Enhance surveillance by providing more ways to report abuse, and unwanted contacts (R:4,6) [Rey10] |
11.Conceal TargetsMinimize reconnaissance info [Bee05]No port bannering [Bee05]DMZ [Bro07a,Bee05]Make blue tooth non-discoverable [Bro07a]Immediately repair damage to system [New03]Limit publicity about new security [New03]Regulate fraudulent advertising and scam web sites [New03]Adopt filtering software [New03]Advise customers to resist too-good-to-be-true offers [New03]RFID disabled parking badges [Whi09] |
16.Reduce frustrationsGood helpdesk [Bro07a]Speeds crowd movement into sports grounds measured with RFID [Whi09] |
21.Set rulesEducate end-users [Mor04b]Provide a clear code of conduct [Rey10]Acceptable use policy [Bee05]User agreements [Bee05]Clear laws [Bee05]Information security policies [Wil09]Consumers should be more aware of risks [Mor04b]ICT industries could work with regulatory and consumer bodies [Mor04b]Push strongly on BS7799 (ISO17799) programme for government departments [Mor04b]Encourage industry to comply with IT security standard ISO 17799 [Mor04b]Enforce the law in simple area such as data protection [Mor04b]Provide or recommend best practice configuration guides [Mor04b]Industry should increase awareness to home users of threats [Mor04b]Industry to do their part, training employees and create suitable 'usage' policies [Mor04b]Prosecute offenders, enforce harsher penalties [Mor04b]Industry should attempt to understand and comply with relevant guidelines [Mor04b]Regulators (e.g. FSA) should make information security requirements explicit [Mor04b]Take cases involving new technologies to court to establish precedents [Mor04b]Amend Computer Misuse Act [Mor04b]Government should Issue guidance on risks and protection measures [Mor04b]Organisations need an up-to-date security policy [Mor04b]Review legislation so that cybercrimes are recognised and punishable [Mor04b]Theft Act isn't strong enough [Mor04b]UK government needs to provide leadership [Mor04b]Develop security policy and procedures for employees [New03]Adopt secure transaction protocol [New03]International agreements for copyright law, grey market commerce [New03]Promulgate best practice guides [New03]Rights and responsibilities policy for ISP [New03]Require proof of delivery for merchandise [New03]Access by RFID renders physical attempts at entry conspicuous [Whi09] |
2.Control accessAuthentication using passwords, pins [Bee05,Bro07a,New03]Caller ID like technology for Internet [Mor04b]Digital certificates [Bee05]Smartcards [Bro07a]Wireless device Authentication [Mor04b]Differentiated access control [New03]Refuse suspect sellers at auctions [New03]Vet employees [Mor04b,New03]Do not open suspect e-mail or files [New03]Only give credit card information on secure sites [New03]Query requests for personal data [New03]Do not use public access computers (e.g. Internet cafes) for purchase [New03]Be wary of grey market web sites [New03]RFID-bearing card access [Whi09]Restrict access of all accounts to ``friends" only (R:3) [Rey10] |
7.Natural surveillanceReport suspect email and information request to ISP [New03]Tamper-proof network cabling [Bee05]Network monitoring [Bee05,Bro07a]Bluesnarfing warning [Bro07a]Establish community watch on auction sites [New03]Monitor for illegal sales [New03]Provide customer feedback on auction transactions [New03]RFID checks in vet surgeries to identify stolen animals [Whi09] |
12.Remove TargetsInformation & hardware segregation [Bee05]Bluetooth off when not in use [Bro07a]Keep valuable databases offline [New03]No dial-up access to database [New03]Refuse auction of stolen, counterfeit or unethical items [New03]Discourage payment in cash for auction items [New03]Provide third party escrow services and card acceptance for auction customers [New03]RFID allied to direct billing reduces need to carry cash [Whi09] |
17.Avoid disputesModerators in chat rooms [Bro07a]Definitive proof of ownership of goods with RFID [Whi09] |
22.Post instructions`Authorised use only' login banners [Bro07a]Security policy [Bro07a]RFID Tagging Practiced Here signs [Whi09] |
3.Screen exitsIDS [Bee05]Audit trail [Bro07a]Audit trail [Mor04b,New03]Antivirus [Bee05]Lawful interception [Bro07a]Quarantine feature [Mor04b]Analyse use patters to detect deviant use [New03]Check for sniffers and remove [New03]Check for rogue files [New03]Minimise cookies [New03]RFID as merchandise tag [Whi09] |
8.Reduce anonymityRFID [Bro07a]Caller ID [Bro07a]RFID embedded in soccer season tickets [Whi09]Increase effort required to obtain an account (R:1,3) [Rey10]Embed personal identifiers into every sent message (R:1,6,7,8,9) [Rey10] |
13.Identify propertyRFID [Bro07a,New03]Information classification [Bee05]Watermarking [Bee05]IMEI [Bro07a]Digital signature standards [Bro07a]Copyright web pages [New03]prominent display copyright material on software and other elctronic products [New03]General retail goods identification with RFID [Whi09] |
18.Reduce arousalMakes shop theft less attractive if goods believed chipped with RFID [Whi09] |
23.Alert consciencePublic awareness on the consequences of crime [Mor04b]educate: `copying software is stealing' [New03]Multi-level warning banners [Bee05]Codes of ethics [Bee05]Pop ups warning of illegal access attempt [Bro07a]Insert piracy awareness raising notifications [Bro07a]Government should educate citizens on e-crime prevention [Mor04b]Responsible use agreements [New03]Visible RFID tags [Whi09] |
4.Deflect offendersHoneypots/ honeynets [Bee05]Segregation of information [Bee05]Segregation of duties [Wil09]Accept only credit card [New03]Use digital cash and digital certificates [New03]Promote use of smart cards [New03]Auctions: No cash payments [New03]Install biometric authentication [New03]Revocable club RFID-enabled cards [Whi09]Limit exposure -- Spam filters on incoming emails (L:1) [Rey10] |
9.Place ManagersIDS [Bro07a]Resource usage info [Bee05]Include regular employees in security team [New03]Train all employees in correct security procedures [New03]Offer incentives for employee vigilance [New03]Equipment hire company checking on integrity of hired equipment on return with RFID [Whi09] |
14.Disrupt marketsISP should be keen to assist investigations [Mor04b]Penalise customers for breaches of security [New03]Hold auction websites responsible for illegal services [New03]Hold college campuses responsible for hackers [New03]Insist that merchants acknowledge security errors [New03]Remove user rights if rules of use not followed [New03]Sanctions against corporations if appropriate protective and remedial measures are not taken [Mor04b]Pressure/legislation on ISPs to improve services that enable counter-measures to be taken. [Mor04b]IT users need to accept some responsibility for security issues. [Mor04b]Counterfeit goods will not have RFID [Whi09] |
19.Neutralize peer pressureAdvertise that hacking is illegal [Bro07a]Provides excuses not to steal pets tagged with RFID [Whi09] |
24.Assist complianceSecurity education of staff [Wil09]Hacker challenges [Bee05]Employment opportunities for ex-hackers [Bee05]Remove the need for sharing passwords [Bro07a]Provide a central public attack warning notice when incidents are expected [Mor04b]Government to accredit independent advisors for the prevention of computer related incidents [Mor04b]CESG and the Office of the e-Envoy should be funded to distribute free protective software [Mor04b]Global security alerts from credible source. CERT is okay but only addresses technical community [Mor04b]Devise easy backup and restoration for customers' software [New03]Easy access to information about copyright holders [New03]Publish names and links to trusted online merchants [New03]Provide links to organisations that rate online businesses and survey online fraud [New03]Easy remote payment with RFID [Whi09] |
5.Control facilitatorsCaller ID [Bro07a]Make the ISP accountable for the traffic [Mor04b]Masking IP addresses [Bee05]Leased lines [Bee05]No broadcast [Bee05]Blacklists [Bro07a]Unique ID wireless equipment [Mor04b]Remove anonymity [Mor04b]Delete account of ex-employee [Wil09]Check attributes of critical files [New03]Use public key and other digital identification [New03]Governments should allow high level cryptography to be used internationally [New03]Advise customers to keep records of all transactions with online retailers [New03]Smart bullets with RFID [Whi09] |
10.Formal surveillanceAuditing and trail reviews [Bee05]RFID [Bro07a]Early warning systems of viruses and hacking attacks [Mor04b]IDS [Wil09]Anomaly detection [Bee05]Lawful interception [Bro07a]Network monitoring [Mor04b]Appoint CSO [Mor04b]Publicise use of encryption and strong security surveillance [New03]Electronic tracking of delivery vehicles [New03]Maintain hidden presence on news groups and bulletin boards [New03]Fine art tagging in galleries and museums with RFID [Whi09]Monitor public websites, blogs, rooms etc for misuse (R:2,4,5,9) [Rey10] |
15.Deny benefitsEncrypt valuable data [Bee05,Wil09,New03]Automatic data destruction mechanisms [Bee05]Remove defaced web site immediately [Bro07a]Blacklists [Bro07a]Use Fraud Information Gathering System (FIGS) [Bro07a]Antipiracy mechanisms [Mor04b]Business continuity plans [Mor04b]Contingency arrangements in case of a major hi-tech crime [Mor04b]Make software inoperable if user not authenticated [New03]Products only work with corresponding RFID [Whi09] |
20.Discourage imitationPublish failed hacks, keep silent about successful hacks [Bro07a]Prompt software patching [Wil09]Witnessing alarms triggered by RFID deters [Whi09] |
25.Control disinhibitorsCyber-ethics education [Bee05]Campaign against hacker culture [New03]Supervised computer use [Bee05]`Hackers hurt innocent people' [New03]RFID tags in proof of age ID [Whi09]RFID tagging of controlled substances [Whi09] |