FEATURE
Boosting your spam arsenal
Ronan Kavanagh, SpamTitan
Phishing attacks remain a clear and present threat to businesses. There is no evidence that network security measures are reducing the number of phishing campaigns. In fact, the arrival of social networking in the workplace has presented scammers with an even bigger pond to phish in. Clear policies, together with improved user education and awareness supported by robust preventative tools, are the best way to beat phishing in all its forms. The best phishing protection tools use a multi-layered approach, and malware detection mechanisms need to be enhanced regularly to keep pace with the ever-changing threat climate. For example, a recent malware attack changed the DNS settings of infected computers so that their queries were routed to rogue DNS servers. This lets criminals infect computers, point them at servers under their control, redirect their traffic to websites the user never intended to visit, and reap a financial windfall from that redirected traffic.
February 2012
Comprehensive protection
A phishing protection scan engine should contain a comprehensive set of phishing signatures, support for Spam URL Realtime Blocklists (SURBLs) and heuristic rule tests. Enhanced, more generic detection of phishing emails can be enabled by searching for URLs in email messages, which helps to detect and protect against zero-day phishing emails. DNS allows you either to convert a hostname to an IP address or, alternatively, to convert an IP address to a name (reverse lookup). Some anti-phishing features, such as RBL and SURBL tests, depend on DNS availability in order to categorise messages correctly.
With the use of Twitter and Facebook expanding, and the number of people using these sites within the workplace also growing, these platforms have to contend with an ever-larger number of malware incidents. These events are varied and include click-jacking, phishing, trojans and hacks that allow cyber-criminals to use Twitter and Facebook to launch assaults across the web. A well-known example is the Cross-Site Scripting (XSS) virus that attacked Twitter in 2009. Trending topics such as the Thanksgiving holiday or the recent death of Gadhafi are nirvana for spammers. Such events generate enormous levels of online interest worldwide, providing scammers with plenty of potential new victims. By piggybacking on news headlines, they can increase the volume of traffic to their websites. Grabbing headlines from CNN, Sky, BBC and other major news channels, the scammers randomise spam in a bid to increase traffic to their websites and therefore get a higher percentage of people purchasing their products. To date it is estimated that over $40bn has been lost to 419 scams alone, which explains why these scam emails continue to exist and grow in frequency and ferocity.
Computer Fraud & Security
Business problems
Left unchecked, spam can create huge problems for businesses. User mailboxes may be overrun, leading to lost productivity. Unchecked spam can also contain viruses capable of infecting the entire network. Gateway solutions are designed to catch the spam before it ever reaches users: some anti-spam systems, for example, use multiple anti-virus engines, such as Kaspersky and ClamAV, to scan messages for malicious code before they enter the network.
“Grabbing headlines from CNN, Sky, BBC and other major news channels, the scammers randomise spam in a bid to increase traffic to their websites”
A gateway solution needs to take a multi-layered approach to eliminating spam. This cocktail approach to determining whether a message is spam ensures a minimum of false positives – i.e. clean mail misclassified as spam. Each message is assigned a spam score, calculated by combining the scores from each layer of tests applied to the message. The following tests are typically performed on each message:
• Harvesting/dictionary attack protection
• Collaborative spam fingerprint checks
• RBL tests
• SURBL tests
• Bayesian analysis
• Rule-based spam scoring
• Whitelist/blacklist filters.
Further measures, such as the whitelisting of individual email addresses or entire domains, mean that you can be confident that messages from important colleagues, clients or partners will not be inadvertently caught in the filters. Adding a large number of domains or whitelist entries in bulk can be cumbersome for some users, so many gateway solutions offer an API to make the task much simpler.
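The layered scoring described above, and the URL-extraction and DNS-dependence points from the previous section, as an added example that is not SpamTitan's code: each test contributes to one score, the DNS-backed RBL and SURBL layers are skipped when DNS is unavailable (so the same message can fall under the threshold), and a whitelisted sender bypasses scoring. The list contents, weights, threshold and sample message are constructed.

```python
"""Toy multi-layer gateway scorer (added example, not SpamTitan's code).
DNS-backed layers (RBL, SURBL) are skipped when DNS is unavailable and a
whitelisted sender bypasses scoring. All lists and messages are constructed."""
import re
from email import message_from_string

RBL_LISTED_IPS = {"203.0.113.7"}                 # constructed: relays seen spamming
SURBL_LISTED_DOMAINS = {"cheap-pharma.example"}  # constructed: domains in spam URLs
WHITELIST = {"partner.example"}                  # constructed: trusted sender domains
THRESHOLD = 5.0
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)
SPAM_MSG = """From: deals@cheap-pharma.example
To: a@corp.example, b@corp.example, c@corp.example
Subject: Special offer

Buy viagra at http://cheap-pharma.example/buy today
"""

def sender_domain(msg):
    return msg.get("From", "").rsplit("@", 1)[-1].strip("> ").lower()

def url_domains(body):  # URL extraction lets SURBL catch zero-day phish
    return {d.lower() for d in URL_RE.findall(body)}

def score_message(raw, relay_ip, dns_available=True):
    """Return (score, hits); a score of THRESHOLD or more means spam."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    if sender_domain(msg) in WHITELIST:
        return 0.0, {"WHITELIST": 0.0}          # whitelist overrides every layer
    hits = {}
    if dns_available:                           # RBL and SURBL both need DNS
        if relay_ip in RBL_LISTED_IPS:
            hits["RBL"] = 3.0
        if url_domains(body) & SURBL_LISTED_DOMAINS:
            hits["SURBL"] = 3.0
    else:
        hits["DNS_UNAVAILABLE"] = 0.0           # recorded so admins can see the gap
    rcpts = [r.strip() for r in msg.get("To", "").split(",") if r.strip()]
    if len(rcpts) >= 3 and len({r.split("@")[-1] for r in rcpts}) == 1:
        hits["DICT_ATTACK"] = 2.0               # many recipients at one domain
    if re.search(r"\b(viagra|free money)\b", body, re.I):
        hits["RULE_DRUG_OR_MONEY"] = 2.5        # constructed rule-based test
    return sum(hits.values()), hits

def is_spam(raw, relay_ip, dns_available=True):
    return score_message(raw, relay_ip, dns_available)[0] >= THRESHOLD
```

With DNS up the sample scores 10.5; with DNS down the two list-based layers contribute nothing and it scores 4.5, below the threshold.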
“SPF can only stop spammers from forging the ‘From’ field in the email and it does not stop spammers from sending emails from a domain of which it is a member”
Sender identification
Sender Policy Framework (SPF) technology is often touted as an important anti-spam technology. But to dispel any misconceptions about the use of SPF, it is important to define the technology and its key purpose. It is an anti-forgery approach in which the Internet domain of an email sender can be authenticated, thereby discouraging spam mailers who routinely disguise the origin of their email, a practice known as email spoofing. A recent survey by SpamTitan revealed that some 43% of small and medium-size businesses (SMBs) were under the misconception that SPF is a method that can be used to stop spam from being sent using unauthorised domain names. Approximately 52% of organisations surveyed were not aware that SPF can only stop spammers from forging the ‘From’ field in the email and that it does not stop spammers from sending emails from a domain of which they are a member. While SPF is effective in stopping email spammers from forging email headers, SMBs should absolutely not consider using SPF as an anti-spam solution. SPF is not a standalone anti-spam technology, and treating it as such leaves organisations extremely vulnerable to email security threats such as viruses, trojans, phishing and malware, in addition to spam. With spam and viruses growing exponentially as high-risk threats to businesses, leaving an organisation exposed to these nefarious threats is highly reckless.
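To make concrete what SPF does and does not do, an added example (not SpamTitan's implementation) that evaluates a domain's SPF record against the connecting relay's IP: a forged corp.example fails, while a spammer's own domain with a valid record passes and still has to go through the spam layers. SPF_RECORDS, the domains and the addresses are constructed stand-ins for DNS TXT lookups, and the a, mx, include and redirect terms of RFC 7208 are omitted.

```python
"""Minimal SPF evaluator (added example, not SpamTitan's implementation).
SPF_RECORDS is a constructed stand-in for DNS TXT lookups; only ip4/ip6
mechanisms and 'all' are handled, the rest of RFC 7208 is omitted."""
import ipaddress

SPF_RECORDS = {                                           # constructed records
    "corp.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "spammer.example": "v=spf1 ip4:203.0.113.0/24 -all",  # spammer's own domain
    "softfail.example": "v=spf1 ip4:198.51.100.10 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, client_ip):
    """Evaluate the envelope sender's domain against the connecting IP.

    Returns pass/fail/softfail/neutral/none. A pass only says the relay is
    authorised to send for that domain; it says nothing about the content."""
    record = SPF_RECORDS.get(domain)
    if record is None or record.split()[0] != "v=spf1":
        return "none"                                     # no SPF published
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"                                   # default qualifier
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"                                      # nothing matched (RFC 7208 default)

def gateway_verdict(domain, client_ip):
    """How a gateway might use the result: only a fail is a forgery signal;
    everything else, including pass, is handed on to the spam-scoring layers."""
    return "reject" if check_spf(domain, client_ip) == "fail" else "score"
```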
Virtual models
Virtualisation is now firmly embedded in the enterprise mainstream, and cloud computing is quickly catching up. By moving away from the ‘one application per server’ deployment model to a cloud computing model, enterprises have been able to reap a broad set of benefits, including cost reductions, improved availability and increased agility. However, many SMBs continue to view virtualisation as an enterprise-only technology that would not be viable in their smaller organisations – and that is a misconception.
“SMBs are now able to benefit from enterprise-class IT at a fraction of the normal cost.”
Cloud computing allows the maximum use of resources and helps an organisation maintain its competitive edge. Many email security solutions are available for deployment using virtualisation, which means that SMBs are now able to benefit from enterprise-class IT at a fraction of the normal cost. Every organisation will weigh up the pros and cons of which assets to move into the cloud on a case-by-case basis. Most will likely benefit from an increase in security after making the transition, since a third-party provider is likely to have far superior security resources to those available in-house to SMBs. For services such as email hygiene, which already have a credible track record as cloud services, SMBs can use private cloud services to evaluate the return on investment from cloud while waiting for external offerings to mature. Over time, private and public cloud resources are expected to merge as hybrid services. SMBs may well find themselves relying on private cloud services for many years, perhaps decades, as public cloud offerings mature.
About the author
Ronan Kavanagh is CEO of SpamTitan, a division of Copperfasten Technologies, and is responsible for global sales and marketing for the SpamTitan suite of products. Educated at NUI Galway, Ireland, he joined Copperfasten Technologies in June 2004, prior to which he had held posts at Eurokom, an Internet security services provider, and WorldofFruit.com, an Internet portal for the global fruit industry.
The inside threat to public organisations
Marc Lee, Courion Corporation
Recent high-profile security breaches within public organisations have highlighted the need to create effective preventive measures against security threats. Schools, hospitals and government organisations are frequent targets for data theft. The NHS data breaches, as well as the recent data theft cases in UK schools, clearly demonstrate that minor incidents such as losing a work laptop or failing to protect an office password could cost organisations millions of pounds in lost data as well as in long-term damage to their reputations.
Outside hackers have a hammerlock on the collective imagination when it comes to data theft. But, in reality, internal users – people with legitimate access to the corporate network – are often the greater danger. Contractors, vendors, and current and former employees can do as much damage as an outside hacker while often leaving a much less visible trail. Public institutions expose themselves to risk by: not reviewing and certifying who should have access to what information; not properly changing or disabling access when necessary; and not controlling segregation of duties violations.
It’s natural for public organisations to want to open themselves up for easy navigation, but they must still consider the potential security risks. By offering web-based self-service access to users, for example, and managing overhead costs by using the web to streamline interaction with vendors, contractors and outside service providers, organisations are acting as responsible public service entities. But as they pursue such initiatives, they must take reasonable steps to safeguard sensitive information entrusted to them or risk losing public confidence.
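The three exposures listed above (access never certified, access not disabled when someone leaves, and segregation-of-duties conflicts) as automated checks over an entitlement export, so an administrator can see which control is failing and for whom. This is an added example, not Courion's product; the accounts, entitlements, review dates and conflict rules are constructed.

```python
"""Access-review checks for the three exposures named above (added example,
not Courion's product). The entitlement export below is constructed."""
from datetime import date

USERS = {                                           # account -> HR status
    "jsmith": {"status": "active", "type": "employee"},
    "rlee": {"status": "terminated", "type": "contractor"},
    "apatel": {"status": "active", "type": "vendor"},
}
ENTITLEMENTS = {                                    # account -> granted rights
    "jsmith": {"payroll.create_vendor", "payroll.approve_payment"},
    "rlee": {"records.read_patient"},
    "apatel": {"records.read_patient"},
}
LAST_CERTIFIED = {                                  # account -> last manager review
    "jsmith": date(2011, 3, 1), "rlee": date(2011, 9, 1), "apatel": None,
}
SOD_RULES = [("payroll.create_vendor", "payroll.approve_payment")]  # conflicting pairs
CERT_MAX_AGE_DAYS = 180                             # constructed policy: recertify twice a year

def orphaned_access(users=USERS, ents=ENTITLEMENTS):
    """Accounts that still hold rights although the person is no longer active."""
    return sorted(a for a, u in users.items() if u["status"] != "active" and ents.get(a))

def sod_violations(ents=ENTITLEMENTS, rules=SOD_RULES):
    """(account, rule) pairs where one person holds both sides of a conflict."""
    return sorted((a, r) for a, e in ents.items() for r in rules if set(r) <= e)

def stale_certifications(today_iso, cert=LAST_CERTIFIED, max_age=CERT_MAX_AGE_DAYS):
    """Accounts never certified, or certified longer ago than policy allows."""
    today = date.fromisoformat(today_iso)
    return sorted(a for a, d in cert.items() if d is None or (today - d).days > max_age)

def review(today_iso):
    """One access-review run; each list is empty when that control is satisfied."""
    return {"orphaned": orphaned_access(), "sod": sod_violations(),
            "uncertified": stale_certifications(today_iso)}
```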
“It’s natural for public organisations to want to open themselves up for easy navigation, but they must still consider the potential security risks”
Defining risks
“User access intelligence can then help determine associations and patterns that might violate compliance guidelines and company policies, or indicate hidden risks”
To meet the highest standards of data protection, public organisations need to define and assess internal risks and enact strict control of access to sensitive information. ‘Internal’ in this context doesn’t just mean people who work in public buildings. Internal refers to anyone who has legitimate access to public information systems, as opposed to hacking their way in forcibly. Addressing the data security risks of internal users requires three complementary initiatives. The first is creating data security policies based on industry best practices that meet the policy and regulatory requirements of the organisation. The second is implementing the technology systems to ease the enforcement of these policies. The third is instilling the importance of these security measures and actions into the organisational structure and culture.
Together, policies and technology systems yield a stream of user access data that security administrators can analyse to identify, quantify and manage risks to vital information such as intellectual property, medical records