Cybercrime: Threats and Solutions

MARK JOHNSON

PUBLISHED BY

IN ASSOCIATION WITH

Cybercrime: Threats and Solutions is published by Ark Group

UK/EUROPE/ASIA OFFICE
Ark Conferences Ltd
6-14 Underwood Street
London N1 7JQ
United Kingdom
Tel +44 (0)207 566 5792
Fax +44 (0)20 7324 2373
publishing@ark-group.com

NORTH AMERICA OFFICE
Ark Group Inc
4408 N. Rockwood Drive
Suite 150
Peoria IL 61614
United States
Tel +1 309 495 2853
Fax +1 309 495 2858
publishingna@ark-group.com

AUSTRALIA/NZ OFFICE
Ark Group Australia Pty Ltd
Main Level
83 Walker Street
North Sydney NSW 2060
Australia
Tel +61 1300 550 662
Fax +61 1300 550 663
aga@arkgroupasia.com

Online bookshop
www.ark-group.com/bookshop

UK/Europe/Asia enquiries
Hannah Fiddes
hannah.fiddes@wilmington.co.uk

ISBN: 978-1-78358-069-9 (hard copy)
ISBN: 978-1-78358-070-5 (PDF)

Commissioning Editor
Helen Roche
hroche@ark-group.com

Reports Publisher International
Fiona Tucker
ftucker@ark-group.com

US enquiries
Daniel Smallwood
dsmallwood@ark-group.com

Australia/NZ enquiries
Steve Oesterreich
aga@arkgroupasia.com

Copyright
The copyright of all material appearing within this publication is reserved by the authors and Ark Conferences 2013. It may not be reproduced, duplicated or copied by any means without the prior written consent of the publisher.

ARK2431

Contents

Contents ..... III
Executive summary ..... VII
About the author ..... XI

Part One: The cyber threat landscape in 2013

Chapter 1: Cyber criminals – Profiles, motives, and techniques ..... 3
  An interview with (ISC)2 ..... 3
  The Blackhole exploit kit ..... 6
  Other exploit kits and CaaS attack tools ..... 9
  Increasingly varied threats ..... 9
  A Cyber Pearl Harbor ..... 10
  From one-to-one towards many-to-many ..... 11
  The cybercrime perfect storm scenario ..... 13
  Threat actors – The cast of cybercrime characters ..... 13
  Conclusion ..... 16

Chapter 2: Why cyber attacks occur ..... 19
  Strategy versus operations ..... 19
  Horizontal versus vertical sectors ..... 20
  Access versus exploit ..... 21
  Why are organisations vulnerable? ..... 23
  Awareness need not have a technical focus ..... 24
  Cyber challenges facing the world in 2013 ..... 25
  Conclusion ..... 35

Chapter 3: The impact and cost of cybercrime ..... 37
  Financial ..... 38
  Brand, reputation, and customer confidence ..... 39
  Fake online profiles ..... 40
  Personal and social effects ..... 41
  Tracking and privacy ..... 41
  A risk-based approach to planning ..... 43
  Conclusion ..... 43

Part Two: Cyber attack techniques

Chapter 4: From an army of one to the botnet ..... 47
  The typical stages of a cyber attack ..... 47
  Attack objectives ..... 48
  Common tools and techniques ..... 48
  Organised crime ..... 49
  A growing threat ..... 53

Chapter 5: E-crime ..... 55
  Social engineering ..... 55
  Phishing ..... 56
  Pharming ..... 57
  Data theft ..... 57
  Online fraud ..... 57
  Conclusion ..... 57

Chapter 6: Employees and risk ..... 59
  Hostile online investigations and social media ..... 59
  Unauthorised Cloud deployments ..... 60
  USB sticks and other media ..... 60
  Conclusion ..... 62

Part Three: The road ahead

Chapter 7: Governance ..... 65
  The evolution of cyber security and the regulatory framework ..... 65
  Winning the argument ..... 68
  Governance, risk, and compliance ..... 68
  Auditing vs penetration testing ..... 69
  A high level governance action plan for cyber security ..... 71

Chapter 8: Assessing risks ..... 73
  Information technology and data asset inventories ..... 73
  Threat assessments ..... 76
  Vulnerability assessments ..... 78
  ICT risk registers ..... 79
  Risk velocity ..... 80
  Risk tolerance and the goldilocks zone ..... 80
  Cyber crisis response ..... 80
  Conclusion ..... 84

Chapter 9: Devising or updating controls ..... 85
  Data classification and segmentation ..... 86
  Encryption ..... 87
  Authentication ..... 88
  Network flooding attacks ..... 90
  Anti-malware solutions ..... 90
  Mobile device security ..... 91
  Cloud security ..... 92
  Mobile payments security ..... 95
  Machine-to-machine auditing ..... 97
  Citizen developers ..... 98
  ISO 27001 compliance ..... 98
  Conclusion ..... 99

Executive summary

IN MARCH 2013 cyber criminals launched an attack on a little-known non-profit organisation called Spamhaus, which contributes to the fight against internet spam. The attack was then extended to include a service provider and the organisation's network provider. The attack, described as the largest of its type ever seen, caused serious operational problems at the London Internet Exchange and affected quality of service across several parts of western Europe. Some informed commentators suggested that it highlighted important vulnerabilities in internet infrastructure.

Cybercrime, in its various guises, costs the global economy untold sums of money and much social and personal harm. In February 2011 the UK Cabinet Office sponsored a report by Detica, titled The Cost of Cybercrime,[1] that put the financial cost to the UK economy at £27 billion per annum, even without factoring in issues such as child exploitation. Although widely challenged by many experts, the Cabinet Office figure is useful for the insight it provides into the seriousness with which the UK Government views the problem.

A more refined assessment was produced by a mixed group of experts in 2012.[2] This broke the costs down into three separate categories: the direct cost of cybercrime; the social and other indirect costs; and finally, the cost of cyber security defences or responses to cybercrime. The authors found that the direct losses resulting from cybercrime and, significantly, criminal gains from cybercrime, are far outweighed by the other costs. One important conclusion emerging was that expenditure on technical defences greatly exceeds recorded losses.

In late 2012 the respected European Network and Information Security Agency (ENISA) issued its own updated assessment of the threat landscape.[3] In this report, ENISA stated that of 16 top cyber threats monitored by the Agency, 11 are increasing, four are stable, and only one is decreasing. Cybercrime, the assessment confirmed, is on the rise.

It is difficult to assess the full implications of these observations. Are the defences working well and reducing the amounts lost? Or are organisations over-reacting to hype by throwing money at the problem? What role does awareness play in either the level of exposure to risk or in the decisions being made about the acquisition of solutions? A widespread lack of awareness is a major obstacle to progress; it increases operational risks, skews decision making, and allows hype to dictate the direction of travel.

This report arrives at some very important conclusions about the nature of the threat and the requirements on organisations in terms of a response. These can be summarised as:
- An army of one has the power to cripple key systems and infrastructure: The proliferation of easy-to-use attack tools means that the asymmetric nature of the cyber menace is more pronounced than ever before;
- Raising awareness amongst non-technical users and leaders should be job one: Users and their leaders are sometimes unaware of the perils and, without better user awareness, attackers will always have a hefty set of loopholes to exploit;
- It is not all about China: Doubts are starting to emerge in some quarters about the veracity of reports blaming China for the preponderance of reported cyber-attacks and intrusions;
- Dependency is the biggest area of vulnerability: Because business, governments, and citizens have such a great dependency on cyber and communications technologies, and because those technologies have converged on the internet, they now represent a single point of failure for the globalised system of trade and finance;
- Forget hacking; poor user habits, purpose-made exploit kits and Cloud risks are far more substantial threats to our cyber security: Anonymity online, the ease with which social engineering attacks can be executed, and the virtualisation of key data and systems in the Cloud all mean that traditional hacking attacks on corporate servers are likely to become less frequent and significant than attacks on virtualised platforms, as well as on employees operating in the social spaces;
- Governance of information is the top priority for boards: In the information age, data assumes primacy as a business asset. Accordingly, those responsible for the well-being, compliance, and security of the business are now recognising that information security is a top priority; and
- Network providers must take responsibility for network security: Recent attacks have demonstrated that once malicious data have arrived at the targeted server it may be too late to block the attack: the network's capacity to function has already been affected. Therefore it is the network provider itself that must detect and block potential attacks.
The previously mentioned lack of awareness surrounding cyber security may seem surprising given the plethora of cybercrime and security reports available from solutions vendors and government agencies alike. However, very few of the reports published are intended for non-technical audiences and, in the main, reports on cybercrime assume a certain level of knowledge on the part of the reader. Perhaps as a consequence, they provide little in the way of explanations of basic cyber security principles or simple depictions of attack techniques.

There is increasing concern that the cyber message is not getting across to those who really need to hear it: to the decision makers and senior executives in non-technical fields who are unlikely to take the time necessary to understand the issues presented, or to appreciate the impact these threats may have on their operations, revenues, and reputations. At the end of the day, cyber security and IT professionals are to the enterprise as mechanics are to motor vehicles. They understand and can often mend problems, but what they cannot do is ensure that everyone else drives carefully and responsibly. This report is produced with the non-technical reader in mind and is aimed at decision makers and mid-level managers from all organisations.

References
1. The Cost of Cyber Crime (Detica, for the UK Cabinet Office), 2011. See: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/60942/THE-COST-OF-CYBER-CRIME-SUMMARYFINAL.pdf
2. Anderson, R. et al. Measuring the Cost of Cybercrime, 2012. See: http://weis2012.econinfosec.org/papers/Anderson_WEIS2012.pdf
3. ENISA Threat Landscape: Responding to the Evolving Threat Environment, 2012. See: www.enisa.europa.eu/activities/riskmanagement/evolving-threat-environment/ENISA_Threat_Landscape/at_download/fullReport

About the author

MARK JOHNSON is a prominent writer, speaker, and thinker on current and emerging high
technology risks and the author of two books on the subject. Immensely proud of his complete lack
of technical education, Mark specialises in painstakingly deciphering the computer talk emanating
from conventional subject matter experts and formulating common-sense explanations, conclusions,
and recommendations for the layperson.
Mark is chairman of The Risk Management Group (TRMG) which provides consultancy and
training in several areas of high technology risk. Areas covered include cybercrime and security,
mobile payments risk and fraud, and cyber crisis response, as well as telecoms revenue assurance.
TRMG is also very active on the conference circuit and it supplies a number of free educational
resources on various aspects of risk via its website at www.trmg.biz. With its long list of blue chip
references, TRMG was recently selected by the Association of Chief Police Officers (ACPO) Data
Communications Group (DCG) Futures Group to prepare illustrated guidance for the UK Police
on emerging mobile payments technology risks and investigations.