Computer Fraud & Security, ISSN 1361-3723, May 2012
www.computerfraudandsecurity.com
Featured in this issue:
The state of anti-fraud and AML measures in the banking industry
Financial institutions are under increasing regulatory and compliance pressures. Banks lose billions of dollars each year because of fraudulent transactions, and society in general has a vested interest in preventing money laundering and terrorist financing.

Anti-Money Laundering (AML) surveillance systems and the sharing of information between financial institutions could help, but data protection laws have made it difficult. Mike Betron of Infoglide Software explains how technology can help with data sharing while keeping organisations compliant with a wide range of laws. Full story on page 5…
Inserting malware at the source
Inserting malware in the supply chain is an excellent way to spread it around. After all, distribution is guaranteed if malware is bundled directly into a product. It will reach the computers of a very high percentage of purchasing customers, giving the malware vendor the chance to overcome any defences.

In addition to the deliberate or accidental compromise of legitimate systems, customers must also cope with the danger of counterfeit systems that can show up both at the consumer and the enterprise level. Danny Bradbury examines the problem of malware in the supply chain and what’s being done to combat it. Full story on page 7…
The impact of mandatory data infringement reporting
After a year-long consultation, the EU Data Protection Directive is likely to come into force early in 2013. Every organisation will become responsible for reporting all data leaks and losses to the ICO within 24 hours. The new penalties for failing to do so are potentially very damaging.

Preparing workforces to meet this legal obligation and other mandatory requirements – such as appointing a ‘whistle blower’ – should begin at once. Anthony Pearlgood of PHS Datashred assesses the likely impact of the legislation, what to do about it and where you can find help. Full story on page 11…
Security breaches cost UK firms billions
We are witnessing historically high levels of security breaches and cybercrime in the UK, according to PwC’s latest report, ‘Information Security Breaches Survey’. The cost to business and the country runs into billions of pounds a year.
Continued on page 3…
Contents

NEWS

Security breaches cost UK firms billions (page 1)

Google wifi snooping not entirely accidental (page 3)

CERT warns of gas pipeline phishing (page 3)

FEATURES

The state of anti-fraud and AML measures in the banking industry (page 5)
Financial institutions are under increasing regulatory and compliance pressures and lose billions of dollars each year due to fraudulent transactions. Anti-Money Laundering (AML) systems and the sharing of information could help, but data protection laws have made it difficult, explains Mike Betron of Infoglide Software.

Inserting malware at the source (page 7)
Inserting malware in the supply chain is an excellent way to spread it around. It will reach the computers of a very high percentage of purchasing customers, giving the malware vendor the chance to overcome any defences. Danny Bradbury examines the problem of malware in the supply chain and what’s being done to combat it.

The impact of mandatory data infringement reporting (page 11)
After a year-long consultation, the EU Data Protection Directive is likely to come into force early in 2013. Every organisation will become responsible for reporting all data leaks and losses to the ICO within 24 hours. Anthony Pearlgood of PHS Datashred assesses the likely impact of the legislation, what to do about it and where you can find help.

Interview: Tatu Ylönen, SSH Communications Security (page 13)
Since its creation in 1995, SSH has found its way into numerous software products and untold thousands of scripts and is among the favourite tools of system administrators wanting to log on securely to remote systems. Yet that same ubiquity is causing a serious issue that is leading not just to a management nightmare but also to potential security vulnerabilities – the very problem it was intended to solve.

The case for strong identities (page 16)
The 2011 PwC report into global economic crime states that fraud is on the rise, with 34% of organisations surveyed reporting that they had suffered at the hands of fraudsters. According to CIFAS, the UK’s fraud prevention service, 46% of these were cases of identity fraud. John Lord of GB Group looks at how strong identities can help.

Passwords are not enough (page 18)
A simple username and password is no longer enough to keep your most private and personal information safe online. There have been dozens of recent headlines with examples of failed passwords: a new method of security needs to be discovered and used, says Tim Matthews of Symantec.

REGULARS

Editorial (page 2)

News in brief (page 4)

Calendar (page 20)
ISSN 1361-3723/12 © 2012 Elsevier Ltd. All rights reserved.
NEWS (continued from front page)

In the past two years, the number of serious hacking attacks on large organisations has doubled, the report claims. Yet firms are struggling to come to terms with both the problems and how to address them. PwC says that the cost of response and remediation far outweighs the cost of putting in place preventative measures. But organisations are not spending in the right places and are failing to address all three elements of the issue – people, process and technology.

Most large organisations (93%) had some kind of security breach in the past year, and each saw around 54 significant attacks by outsiders, with about 15% of those attacks successfully penetrating their defences. Nearly half (45%) of these firms breached data protection regulations, but only 18% had contingency plans in place for such breaches. Among large firms, the most serious breaches cost the organisations up to £250,000 each.

Small firms weren’t as hard hit, although that may be because they present less attractive targets. Just over three-quarters of them had security breaches in the past year and around 15% were hit by Denial of Service (DoS) attacks. A fifth lost confidential information, with 80% of those losses being classified by PwC as ‘serious’. The average cost of the more serious breaches was up to £30,000.

Training and staff awareness continue to present problems, says PwC. Nearly half of large firms carried out additional security training after being hit – presumably in recognition of earlier shortcomings. More than half of small firms (54%) have no training schemes for staff security awareness. On average, firms of all sizes spend only 8% of their IT budget on security, and in a fifth of large organisations it’s less than 1%, although half of larger organisations say they’re going to increase their security spend next year.
There’s very little attempt to assess the value of what they do spend: some 80% of larger firms don’t try to measure return on investment of security expenditure and 58% of small firms don’t even bother with finding out the effectiveness of the systems.
Some of the problems may stem from a lack of control. Of larger firms, nearly three quarters have outsourced business processes to Internet-based services. With smaller businesses, social networking plays a very large part in their operations, with more than half dependent on such sites, although only 8% actually monitor what staff put on services such as Facebook or Twitter.

And then there’s the inevitable Bring Your Own Device (BYOD) dimension. Three quarters of large firms now allow staff to use their own smartphones and tablets. Only 39% ensure that company information on these devices is encrypted.

The report is available at http://pwc.to/201205breaches.
Google wifi snooping not entirely accidental
It has emerged that the collection of private data from wifi Access Points (APs) by Google Street View cars may not have been quite as accidental as the firm first claimed.

Google – like other firms such as Apple and Microsoft – collects data on wifi APs as a way of improving geolocation services. The position of known APs is used for triangulation to complement GPS data, or where GPS is unavailable. However, the Street View cars also snatched fragments of any unencrypted data they could find as they moved past the APs. This data most likely included emails, web session data and potentially any usernames and passwords not protected by SSL.

Google claimed this was accidental – that an engineer left some test code in the software and acted in an unauthorised manner. The company was later forced to delete the data and apologise for the error. However, an FCC report into the incident revealed that Google staff knew for years that such data was being collected. The coder responsible – identified only as ‘Engineer Doe’ in the report – told colleagues, including one superior, in 2007 and 2008 what was happening and that sensitive data was involved. He also suggested that the project should be reviewed for potential privacy issues and made clear in his project proposal what was being done. Google managers said they never read it.

The New York Times named the engineer as Marius Milner, author of the popular NetStumbler wifi discovery program used by many people for wardriving. For a while, the Google wifi logging software was known as Gstumbler. According to the FCC, Engineer Doe refused to assist with its investigation, taking the Fifth Amendment against self-incrimination. The FCC concluded that Google had not broken any rules, but had obstructed its investigation by failing to respond to requests for information, including identifying the employees involved. It ordered a $25,000 fine.
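The technical point behind this story is that mapping access points for geolocation needs nothing beyond 802.11 management frames (a beacon carries the BSSID and SSID), whereas the data that got Google into trouble lives in data frames. The script below is an added illustration written for this page, not Google’s code (which was never published) and not part of the original article. It parses constructed, non-QoS 802.11 frames and runs two collectors over the same capture: one that keeps only beacon-derived AP records and discards every other frame unread, and one that also keeps the bodies of unprotected data frames. The MAC addresses, the SSID ‘homenet’ and the HTTP fragment are made-up sample data.

```python
"""Added example: AP-mapping scanner versus payload snooper on 802.11 frames."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Frame Control byte 0: bits 0-1 version, 2-3 type, 4-7 subtype.
FT_MANAGEMENT, FT_CONTROL, FT_DATA = 0, 1, 2
ST_BEACON = 8
# Frame Control byte 1 flag bits.
FLAG_TO_DS, FLAG_FROM_DS, FLAG_PROTECTED = 0x01, 0x02, 0x40
IE_SSID = 0          # information element tag for the SSID
HDR_LEN = 24         # non-QoS 802.11 header: FC(2) Dur(2) A1 A2 A3 (6 each) Seq(2)
LLC_SNAP_LEN = 8     # AA AA 03 00 00 00 + 2-byte ethertype before an IP payload


@dataclass
class Frame:
    ftype: int
    subtype: int
    protected: bool
    bssid: Optional[str]
    body: bytes


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(raw: bytes) -> Frame:
    """Decode the header of a non-QoS 802.11 frame (assumption: no HT/QoS field)."""
    if len(raw) < HDR_LEN:
        raise ValueError("truncated 802.11 header")
    fc0, fc1 = raw[0], raw[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    a1, a2, a3 = raw[4:10], raw[10:16], raw[16:22]
    to_ds, from_ds = bool(fc1 & FLAG_TO_DS), bool(fc1 & FLAG_FROM_DS)
    # Which address field holds the BSSID depends on the To/From DS bits.
    if not to_ds and not from_ds:
        bssid = a3            # management frames, ad hoc data
    elif from_ds and not to_ds:
        bssid = a2            # AP -> station
    elif to_ds and not from_ds:
        bssid = a1            # station -> AP
    else:
        bssid = None          # 4-address WDS frame, no single BSSID
    return Frame(ftype, subtype, bool(fc1 & FLAG_PROTECTED),
                 _mac(bssid) if bssid else None, raw[HDR_LEN:])


def beacon_ssid(body: bytes) -> Optional[str]:
    """Walk the tagged information elements after the beacon's fixed fields."""
    pos = 12  # timestamp(8) + beacon interval(2) + capability(2)
    while pos + 2 <= len(body):
        tag, length = body[pos], body[pos + 1]
        value = body[pos + 2: pos + 2 + length]
        if tag == IE_SSID:
            return value.decode("utf-8", "replace")
        pos += 2 + length
    return None


def geolocation_survey(frames: List[bytes]) -> Tuple[Dict[str, Optional[str]], int]:
    """What an AP-mapping scanner needs: BSSID -> SSID, taken from beacons only.
    Every non-beacon frame is counted and dropped; its body is never inspected."""
    aps: Dict[str, Optional[str]] = {}
    dropped = 0
    for raw in frames:
        f = parse_frame(raw)
        if f.ftype == FT_MANAGEMENT and f.subtype == ST_BEACON and f.bssid:
            aps[f.bssid] = beacon_ssid(f.body)
        else:
            dropped += 1
    return aps, dropped


def payload_snooper(frames: List[bytes]) -> List[Tuple[Optional[str], bytes]]:
    """The same loop without the type filter: keeps every unencrypted data body.
    This is the behaviour the story describes, shown so the difference is visible."""
    captured = []
    for raw in frames:
        f = parse_frame(raw)
        if f.ftype == FT_DATA and not f.protected:
            captured.append((f.bssid, f.body[LLC_SNAP_LEN:]))
    return captured


# --- constructed sample capture (made-up addresses and payloads) ---
def _frame(fc0: int, fc1: int, a1: bytes, a2: bytes, a3: bytes, body: bytes) -> bytes:
    return bytes([fc0, fc1, 0, 0]) + a1 + a2 + a3 + b"\x00\x00" + body


AP = bytes.fromhex("021122334455")
CLIENT = bytes.fromhex("0266778899aa")
REMOTE = bytes.fromhex("0a0b0c0d0e0f")
BCAST = b"\xff" * 6
SNAP = bytes.fromhex("aaaa030000000800")
SAMPLE_FRAMES = [
    # beacon: type 0 / subtype 8, fixed fields then SSID element
    _frame(0x80, 0x00, BCAST, AP, AP,
           bytes(8) + b"\x64\x00" + b"\x11\x04" + bytes([IE_SSID, 7]) + b"homenet"),
    # unprotected data frame from the AP (From DS) carrying a cleartext HTTP line
    _frame(0x08, 0x02, CLIENT, AP, REMOTE, SNAP + b"GET /login?user=alice HTTP/1.0"),
    # protected (WPA/WEP) data frame: flag 0x40 set, body is ciphertext
    _frame(0x08, 0x42, CLIENT, AP, REMOTE, bytes.fromhex("0102030405060708deadbeef")),
]

if __name__ == "__main__":
    print("survey:", geolocation_survey(SAMPLE_FRAMES))
    print("snooper:", payload_snooper(SAMPLE_FRAMES))
```

Run against the sample capture, the survey yields one AP record and reports two frames dropped unread, while the snooper returns the cleartext login request and nothing from the protected frame. Real QoS data frames carry a 26-byte header and HT frames longer still, so a production parser would read the subtype and order bits before fixing the header length.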
CERT warns of gas pipeline phishing
The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) in the US has warned firms in the gas pipeline business about a concerted spear-phishing campaign that appears to be targeted at them.

Spear-phishing can be an early stage in so-called Advanced Persistent Threats (APTs). While this is often an indication of criminal activity, such campaigns are sometimes part of state-sponsored cyber-espionage or cyber-attack activities targeted at critical national infrastructure. The spear-phishing appears to have started in December 2011 and is coming from a single source. According to ICS-CERT, the phishing emails are tightly targeted on specific people and have been well-crafted to appear as though they come from trusted people within the same organisation.

The Christian Science Monitor, which broke the story, said that sources in the Department of Homeland Security (DHS) had issued three confidential amber alerts – the second-highest level – to organisations in the industry. It’s also claimed that the DHS asked the firms not to stop the malicious activity on their networks – presumably for forensic reasons.
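The campaign’s defining trait, as reported, is mail crafted to look as though it comes from colleagues inside the target organisation. ICS-CERT published no header samples, so the check below is an added example written for this page, not an indicator from the advisory. It runs a few header-level tests over constructed messages: a sender domain that is a look-alike of the organisation’s own, a display name that matches a known employee but an address that does not, and Return-Path or Reply-To domains that differ from the From domain. The domain ‘gaspipeline.example’, the employee directory and the three messages are all made up.

```python
"""Added example: header checks for mail impersonating internal colleagues."""
import email
from email.utils import parseaddr
from typing import Dict, List

INTERNAL_DOMAIN = "gaspipeline.example"   # assumed organisation domain

# Characters attackers commonly swap for visually similar ones (a crude skeleton,
# not a full Unicode confusables table).
_CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e", "|": "l"})


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _skeleton(domain: str) -> str:
    """Reduce a domain to a comparison form: fold confusables, drop dots/hyphens."""
    return (domain.lower().translate(_CONFUSABLES)
            .replace("rn", "m").replace("vv", "w")
            .replace("-", "").replace(".", ""))


def assess(raw_message: str, directory: Dict[str, str],
           internal_domain: str = INTERNAL_DOMAIN) -> List[str]:
    """Return a list of finding tags for one RFC 822 message (empty = nothing odd)."""
    msg = email.message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)
    findings: List[str] = []

    # 1. Sender domain is not ours but collapses to the same skeleton as ours.
    if from_dom != internal_domain and _skeleton(from_dom) == _skeleton(internal_domain):
        findings.append("lookalike-domain")

    # 2. Display name belongs to a known employee, address is not that employee's.
    expected = directory.get(display_name.strip().lower())
    if expected and expected.lower() != from_addr.lower():
        findings.append("known-name-unexpected-address")

    # 3. Envelope sender (Return-Path) comes from a different domain than From.
    _, rp_addr = parseaddr(msg.get("Return-Path", ""))
    if rp_addr and _domain(rp_addr) != from_dom:
        findings.append("return-path-mismatch")

    # 4. Replies are steered to a different domain than the apparent sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append("reply-to-mismatch")

    return findings


# --- constructed sample data (made-up names, addresses and messages) ---
DIRECTORY = {"jane doe": "jane.doe@gaspipeline.example"}

LEGITIMATE = """From: Jane Doe <jane.doe@gaspipeline.example>
To: ops@gaspipeline.example
Return-Path: <jane.doe@gaspipeline.example>
Subject: Updated maintenance window

Details attached.
"""

LOOKALIKE = """From: "Jane Doe" <jane.doe@gaspipe1ine.example>
To: ops@gaspipeline.example
Reply-To: <jane.doe@webmail-free.example>
Return-Path: <bounce@webmail-free.example>
Subject: Updated maintenance window (please review)

Please open the attached schedule.
"""

FREEMAIL = """From: "Jane Doe" <jd.pipeline@freemail.example>
To: ops@gaspipeline.example
Return-Path: <jd.pipeline@freemail.example>
Subject: Quick favour

Can you run the attached on the engineering workstation?
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGITIMATE), ("lookalike", LOOKALIKE), ("freemail", FREEMAIL)):
        print(label, assess(raw, DIRECTORY))
```

These are cheap gateway checks and nothing more: a message relayed through a compromised internal mailbox passes all four, which is why the DHS request to leave the activity running for forensic collection, rather than relying on filtering, is the more telling detail in the story.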