FEATURE
Living with cybercrime
EJ Hilbert, Kroll Advisory Solutions

Cybercrime is one of the most talked about issues facing the world today. The new appointee for the role of Director of the US FBI has stated that cybercrime will be the primary focus of the agency upon his confirmation. The political arena is dominated by discussions of the ‘credibility of cyber-threats’ and of the need for companies to undergo a ‘cyber health check-up’ to determine how well they can withstand the coming cyber-storm. The threat has moved from introverts in their parents’ basements defacing websites to a full underground economy in which all data is for sale and the players range from ‘newbie’ hackers to ‘elite’ cyber-warriors doing the bidding of their home nation-state. This is no longer a threat, it is an everyday reality, and as such a problem that must be addressed. As with any problem, to address it you must first understand it. The media uses the term ‘cybercrime’ to describe any cyber-based attack. As a result, it can be difficult to keep sight of the real issues and to understand how best to protect ourselves and our companies.
Four categories
Cybercrime as we refer to it today can be broken into four categories: cybercrime, cyber-espionage, cyber-warfare and cyber-activism. In essence, cybercrime is the use of a computer or computer network to conduct a criminal act motivated by some form of profit, usually monetary, or some other gain. This includes identity theft, fraud, stalking, online extortion, spamming and phishing. Today, a high proportion of the crime committed in the ‘real world’ is also committed online, and just as real-world fraudsters change their methods, so do cyber-criminals. The attack vectors range from compromising passwords via social engineering to sending phishing emails. Phishing emails are messages sent to unsuspecting individuals containing links that lead to fake login pages or, when clicked, install software designed to steal information such as usernames, passwords, and bank account and social media account details. A more sophisticated form of phishing is spear-phishing: messages tailored to a specific person or group of people to increase the likelihood that the email will be opened and its links clicked. Fraudsters may even offer links to ‘free’ movie downloads or hand out free USB thumb drives in the real world as a way of gaining access to the recipient’s accounts.
November 2013
“Cybercrime happens multiple times a day around the world and will continue to occur at this rate due to the profits that can be made and the relative ease with which these crimes can be carried out”

The intent of cyber-criminals is usually to gain access to the victim’s accounts to facilitate their fraud schemes. A common scheme is to gain access to a user’s webmail account, such as Gmail or Outlook, and use it to send the user’s contacts emails asking them to click on advertising links. The hacker exploits the recipients’ familiarity with the sender’s address and hopes for a click, because the advertisers pay for every person who clicks on the ads. The hacker also sets up filters on the account so that any email in which a contact complains or tries to warn the user about the spam is deleted immediately. The real owner usually never realises the account has been compromised. A variation of this scheme is often used against lawyers and wealth managers, with a twist: rather than sending spam, the hacker impersonates the lawyer or wealth manager and authorises fraudulent transactions on behalf of their clients, simply by having access to the mail account and filtering which messages the account owner gets to see. Cybercrime, as defined above, happens multiple times a day around the world and will continue to occur at this rate because of the profits to be made and the relative ease with which these crimes can be carried out. The perpetrators can be absolutely anyone, from individuals to highly organised crime groups.
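The filters described above, which delete warnings from contacts or hide the messages a lawyer or wealth manager would otherwise see, leave a trace in the mailbox’s own rule list, and reviewing that list is the check a practitioner would want after any suspected account takeover. The following is an added example, not code from the article or from Kroll: it audits a provider-neutral list of mailbox rules (a constructed representation with conditions and actions; the Gmail or Exchange export that would feed it is assumed to have happened already) for three patterns, namely hiding actions combined with warning vocabulary, catch-all hiding rules, and, going one step beyond the article, silent forwarding to an address outside the owner’s domain. The keyword list and folder names are assumptions to be tuned per victim.

```python
"""Audit a mailbox's filter rules for the hide-the-warnings tradecraft described above.

Added example, not code from the article. The rule records are a constructed,
provider-neutral representation: a name, a dict of conditions (field -> text
that must appear) and a dict of actions. Building these records from a real
provider's rule export (Gmail filters, Exchange inbox rules) is assumed.
"""
from dataclasses import dataclass, field

# Vocabulary a victim's contacts are likely to use when they notice spam or a
# fraudulent payment request coming from the account (assumed keyword list).
WARNING_WORDS = (
    "hacked", "spam", "virus", "suspicious", "phish", "compromise",
    "did you send", "wire", "transfer", "payment", "invoice", "bank",
)

# Folders attackers use to make mail vanish without visibly deleting it (assumed).
HIDING_FOLDERS = {"trash", "junk", "archive", "rss feeds", "deleted items"}


@dataclass
class MailRule:
    name: str
    conditions: dict = field(default_factory=dict)  # e.g. {"subject": "hacked"}
    actions: dict = field(default_factory=dict)     # e.g. {"delete": True}


def hiding_actions(rule):
    """Actions that keep a message out of the owner's sight."""
    found = []
    if rule.actions.get("delete"):
        found.append("delete")
    if rule.actions.get("mark_read"):
        found.append("mark_read")
    folder = str(rule.actions.get("move_to", "")).lower()
    if folder in HIDING_FOLDERS:
        found.append("move_to:" + folder)
    return found


def warning_words_in(rule):
    """Warning vocabulary that appears in any of the rule's text conditions."""
    text = " ".join(str(v) for v in rule.conditions.values()).lower()
    return [w for w in WARNING_WORDS if w in text]


def external_forward(rule, owner_domain):
    """Forwarding target outside the owner's own domain, if any."""
    target = rule.actions.get("forward_to", "")
    if target and not target.lower().endswith("@" + owner_domain.lower()):
        return target
    return None


def audit_rules(rules, owner_domain):
    """Return {rule name: [reasons]} for every rule that matches attacker tradecraft."""
    findings = {}
    for rule in rules:
        reasons = []
        hides = hiding_actions(rule)
        words = warning_words_in(rule)
        if hides and words:
            reasons.append("hides (%s) messages mentioning %s" % (", ".join(hides), words))
        if hides and not rule.conditions:
            reasons.append("hides every incoming message (no conditions)")
        target = external_forward(rule, owner_domain)
        if target:
            reasons.append("silently forwards to external address " + target)
        if reasons:
            findings[rule.name] = reasons
    return findings


# Constructed sample: one benign rule and three that match the scheme in the article.
SAMPLE_RULES = [
    MailRule("newsletters", {"from": "news@example-news.test"}, {"move_to": "Newsletters"}),
    MailRule("cleanup", {"subject": "hacked OR spam OR virus"}, {"delete": True, "mark_read": True}),
    MailRule("client mail", {"subject": "wire transfer"}, {"mark_read": True, "move_to": "RSS Feeds"}),
    MailRule("backup", {}, {"forward_to": "archive.mailbox@mail-relay.test"}),
]

if __name__ == "__main__":
    for name, reasons in audit_rules(SAMPLE_RULES, "lawfirm.test").items():
        print(name, "->", "; ".join(reasons))
```

Run against the constructed sample it flags `cleanup`, `client mail` and `backup` and leaves the newsletter rule alone. The rule names are deliberately innocuous because that is how they appear in practice; the audit keys on what a rule does, not what it is called.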
Information theft
In contrast, cyber-espionage is motivated by the theft of information, and though in the case of industrial espionage the motivation may also be money, the focus of the attack is usually different. Cyber-espionage is long term. Those behind it work slowly and methodically to gain access to a system or network, building multiple ways in and out and siphoning off small amounts of data at a time. The intention is to avoid detection until so many backdoors have been built that, once one is found, the victim shuts down that primary door and gains a false sense of security while the hackers simply enter by other routes. These hackers are patient and will often work for months, if not years, to gain complete access to a system, taking the data they need either by exfiltrating it (downloading the files) or by simply viewing the files online and taking screen captures, which circumvents controls that watch for file downloads.
Network Security
Cyber-espionage is often perpetrated by major hacking groups, rival economic competitors and nation-states, and the sophistication and resources of those behind the attacks make them incredibly difficult to detect and stop.
“No company is immune to cyber-espionage attacks. Most companies hold information that is valuable in some way to others and thus information that needs to be protected”

The vector of cyber-espionage is not as straightforward as many believe. Why launch a cyber-attack, which means overcoming and infiltrating usually robust security measures, when a much easier target is the company’s employees? A company whose employees use their computers at home on personal networks is far easier to infiltrate that way than by cracking the corporate firewall. Bring Your Own Device (BYOD) policies often don’t take into account the ever-changing methods of attack, and many companies have incident response plans based on straightforward attack avenues, never fully addressing or preparing, through training or incident management, for the risk that comes through their own employees. As recent reports from security experts, including Kroll’s own reports, have shown, no company is immune to cyber-espionage attacks. Most companies hold information that is valuable in some way to others, and thus information that needs to be protected.
Cyber-weapons
Cyber-warfare is yet another type of cyber-attack with specific intentions: it is intended to disable or destroy systems. A cyber-based weapon is designed to be deployed into a hostile system and destroy various aspects of that system. A well-publicised example is the Stuxnet worm used against the Iranian nuclear complex. It was intended to drive the uranium enrichment centrifuges outside their safe operating speeds and so damage them, disrupting the enrichment process. Stuxnet was reported at the time to have set the Iranian nuclear programme back by as much as 10 years, though published estimates vary. Cyber-warfare can be carried out for many reasons and is not used only by governments. It can be used by technically savvy groups looking to make a mark on the world stage who have no use for the data in the systems they destroy. We also see these tactics used by rival companies and by disgruntled employees who want to destroy the companies they work for by way of a logic bomb (code planted to delete or corrupt corporate databases when a trigger condition is met). What makes cyber-warfare very different from other methods of warfare (apart from being conducted over the Internet) is that a cyber-weapon, once used, can be recovered and redeployed by the target against the attacker. After Stuxnet inflicted damage on its target, forensic analysts were able to recover the worm’s code from infected systems. The target, in this case Iran, and its allies now have a copy of the code which they could modify and deploy against others. Before any cyber-weapon is deployed against another entity, the attacking entity will usually ensure that it has a defence against such an attack. As with all cyber-based attacks, it is not a matter of if but when the attack will occur.
Activist causes
The newest category of cybercrime is cyber-activism: an individual or group uses the web to publicise a cause. Social media outlets such as Twitter, Facebook, LinkedIn and Reddit used to be the primary places where consumers complained about companies, laws, rules and so on. For the new generation of tech-savvy users that is not enough; they are taking their protests to the companies themselves. Denial of Service (DoS) attacks, which flood servers with requests until they fail and the company is knocked offline, and website defacements are the online counterparts of real-world civil protests such as sit-ins or graffiti on corporate billboards. Others take it further still and use their skills to extract data about the company’s key executives, including internal emails, policies under debate and details of their homes and families. The activists then post the data online in an attempt to embarrass the executives and the company. Such tactics can have damaging long-term effects on the company and its brand, as the embarrassing data, real or made up, can remain on the Internet indefinitely and be re-posted by the company’s opponents any number of times.
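The flood of requests that a DoS attack sends is visible in ordinary web server access logs long before the servers fail, and counting requests per source over a sliding time window is the simplest check that catches it. The following is an added example, not code from the article or from Kroll: it parses Apache/nginx ‘combined’ format log lines (the sample lines are constructed), keeps a per-client sliding window, and reports every source whose request count inside the window exceeds a threshold. The window length and threshold are assumptions to be tuned per site.

```python
"""Flag request floods of the kind described above in web server access logs.

Added example, not code from the article. Works on Apache/nginx 'combined'
format lines; the sample lines below are constructed. Window and threshold
values are assumptions to tune for the site in question.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Leading fields of the combined log format: client, ident, user, [timestamp], "request", status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (client ip, timestamp, status) or None for lines that are not log records."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), int(m.group("status"))


def find_floods(lines, window_seconds=10, max_requests=5):
    """Return {ip: peak request count inside any window} for sources over the limit.

    Lines are expected in log (chronological) order. Each client keeps a deque of
    recent timestamps; timestamps older than the window are dropped before counting.
    """
    recent = defaultdict(deque)
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:          # skip rotated-log headers, truncated lines, etc.
            continue
        ip, ts, _status = parsed
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) > max_requests:
            peaks[ip] = max(peaks.get(ip, 0), len(window))
    return peaks


def _line(ip, ts, path, ua):
    """Build one constructed combined-format line."""
    return '%s - - [%s +0000] "GET %s HTTP/1.1" 200 512 "-" "%s"' % (ip, ts, path, ua)


# Constructed sample: one normal visitor, one client firing eight requests in four seconds,
# and a line that is not a log record at all.
SAMPLE_LOG = (
    [_line("198.51.100.2", "10/Nov/2013:14:02:01", "/", "Mozilla/5.0")]
    + [_line("203.0.113.7", "10/Nov/2013:14:02:%02d" % (3 + i // 2), "/", "python-requests/2.0")
       for i in range(8)]
    + ["not a log line", _line("198.51.100.2", "10/Nov/2013:14:02:30", "/about", "Mozilla/5.0")]
)

if __name__ == "__main__":
    for ip, peak in find_floods(SAMPLE_LOG).items():
        print("%s: %d requests inside a 10 s window" % (ip, peak))
```

On the constructed sample only `203.0.113.7` is reported, with a peak of eight requests in the window. A per-source count like this catches the single-origin flood the article describes; a distributed attack from many addresses, each staying under the threshold, needs the same counting applied to the aggregate request rate or to a shared fingerprint such as the user agent.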
Range of protocols
Each of these categories within the overarching term cybercrime is very real and requires different security controls to address it, ranging from firewalls to access control models and employee training.
“If your company is online, it has probably already been compromised. The only question is to what level”

However, many companies see security as a cost: something that must be addressed but that adds no value to the business. As a result, securing the systems is delegated down the chain to an individual or group who are typically already over-worked keeping the IT systems running, who have very limited knowledge of the methods of cybercrime and little expertise in protecting their IT systems. Often the answer is perceived to be ‘build a bigger wall’, without realising that the attackers are already inside and can walk through the gates as they please. Cyber-security is an investment with very real and measurable returns. Security has gone from ‘what have you done for me lately’ to ‘what have we avoided because of you’. This is why governments are seeking to mandate levels of security for all companies. Physical and logical security should be fully integrated into every company, along with business continuity and disaster recovery plans. The new reality is that if your company is online, it has probably already been compromised. The only question is to what level. Was the compromise minimised by the systems in place, or is your system ‘owned’ by a hostile third party? Just as the cyber-threats evolve, so must the way in which we address them. Though the world likes to refer to this threat as ‘cyber’, evoking images of a supercomputer operating without humans and running The Matrix, the fact is that all of these threats involve a human element in both attack and defence. By understanding the threat, by educating others about its true nature and by effectively planning for and properly handling the impending attack, the impact of cybercrime can be mitigated.
About the author
Ernest ‘EJ’ Hilbert is a managing director for Kroll Advisory Solutions (www.krolladvisory.com), where he leads a team of cyber professionals dedicated to addressing clients’ cyber-security and investigative needs. Hilbert is considered an authority on all aspects of cybercrime, with a focus on identity thieves, fraudsters, international hacking groups and threats to US critical infrastructure. He spent eight years as a Special Agent for the FBI and led one of the largest cybercrime investigations, addressing the computer intrusion, theft of data and extortion of over 600 financial institutions. He also served as an online undercover agent, using social media sites, chat rooms and forums to identify hackers and gain intelligence about attacks against US corporations, the government and individuals. Hilbert has worked in co-ordination with multiple government agencies, including the DIA and CIA, on counter-intelligence investigations.

Colin Tankard, Digital Pathways: confusion in the cloud
Steve Mansfield-Devine, editor, Network Security

We’ve been talking about cloud security for so long that you’d think it would have been fixed by now. A great deal of work has been done, not least through the auspices of organisations such as the Cloud Security Alliance (CSA).[1] And yet many firms remain nervous about venturing into the cloud, fearing a lack of control. And there are many loud voices both for and against cloud computing, from a security perspective. There seems to be little consensus about whether it’s safe. We spoke to Colin Tankard of Digital Pathways, a firm that offers secure managed services, about this apparent confusion.
Somewhere else
Network Security (NS): No two people seem to share the same opinion about whether it’s safe to use the cloud, or even if the cloud can be secured. What’s your impression of where we stand?
Colin Tankard (CT): “You’re right, it is very confusing. I think it comes down to what people define as being secure, in some ways. I think first and foremost the way you have to think of the cloud is, the data is away from you, it’s somewhere else. So the first thing that I think people need to think about is, who else could view that data? And generally it’s the people that you’re storing the data with. Thereafter, cloud security starts to come down to how you access the information, and a lot of companies are just using the same old weak passwords, or weak ways of accessing the data, and I see that as a big failing. Then finally, what people aren’t doing is really monitoring what’s going on with their data. They’re not gathering their logs, or even putting logs in place, to see who, or what applications, have been accessing their data.
“If that were down on the ground, in their own servers, they would have those things in place. They would have log management. They would be looking at who’s accessing the data, its uptime, its availability, all those good things. They would have strong authentication to it, and then they would be protecting it, so that only certain people in the organisation can view that information. It seems to me that, as soon as we start talking about cloud, a lot of those basic rules disappear, and they are all available for people that want to use the cloud. They just need to do a little bit more research, or get their thought processes around [the fact] that the data is still able to be secured, and put the appropriate measures in place.”
Reinventing the wheel
NS: There was an article in Computer Fraud & Security recently that suggested one shouldn’t think of the cloud, or cloud security, as a totally separate issue from the rest of the security that you do, and that there are processes and policies that you’ve spent money and effort developing that you could actually carry over.[2] Two of the things you said there fit with that idea, but in contradictory ways. You mentioned using the same old