From Awareness to Zoning
The A to Z of Cybercrime & Security
A quick introduction to some key concepts
By Mark Johnson
Produced by The Risk Management Group, 2012
Introduction
This is the fourth in our popular series of free A to Z Guides on fraud, risk and security.
This Guide tackles the combined topics of cybercrime and security, both of which are important issues in today’s cyber-dependent world.
Other Guides in the series address safe social media practices, online safety for children and financial crime awareness.
All of our Guides can be downloaded for free, without a need to register, at http://www.trmg.biz. Any of our Guides can also be freely shared or hosted on your own website. Even those with only a passing interest should find them useful, although they will not prepare anyone to sit an exam and they don’t purport to provide exhaustive coverage of these very broad topics.
What we do envision is that the Guides will highlight some key points and support discussions or further reading, while also illustrating the exciting breadth and depth of the eCrime and Cyber Security domain.
We hope that you find this latest A to Z Guide useful and that it will inspire you to find out more about this fascinating subject.
A is for… Attackers
There are many different kinds of cyber attacker and they have various motives:
• Hackers want to break into systems, possibly to steal or expose secret data.
• Hacktivists launch attacks for political or other ideological reasons.
• Malware creators are often motivated by criminal greed.
• Spammers may seek to sell products or services.
• Spies want to gather competitor or state secrets.
• Cyber warriors attack or survey the information assets of other States.
The categories overlap: a single criminal campaign may use hacking, malware and spam together, so threat modelling should start from what an attacker wants rather than from the label.
Copyright TRMG, 2013
B is for… Botnet
A ‘Botnet’ is a network of infected computers controlled by a single person or criminal group. Botnets are often used to send out SPAM or to launch large scale attacks against other systems.
Botnets are set up by infecting large numbers of computers with ‘malware’. This Botnet malware then gives the Botnet ‘herder’ or controller remote control over the network of infected machines, usually through a command-and-control channel that the infected machines contact on their own.
Users can continue to use their machines without ever knowing that the infection has taken place.
Thousands, or even millions, of computers can be involved.
The largest Botnet infection to date is believed to have been the ‘Conficker’ Botnet. This Botnet is reported to have infected more than 12 million computers worldwide, including many used by various government, police and military networks, although the ‘Mariposa’ Botnet is not far behind.
C is for… Cybercrime
A crime deserves to be described as a ‘Cybercrime’ if the primary mechanism by which the crime was committed involved the use of the Internet, and:
• The primary target of the attack was data, code or other digital material stored on an Internet connected device, or;
• The primary motive of the attack was to disrupt remote systems or services, or the Internet itself.
Cybercrime is therefore distinct from eCrime in which technology & data are tools but not the goal or target.
D is for… Denial of service
A Distributed Denial of Service (DDoS) attack involves a network of computers, typically infected by malware and controlled by one person or group, attacking a target network or device.
The machines are used to flood a target system with messages or connection requests until it can no longer serve legitimate users. Because the traffic arrives from thousands of sources at once, blocking individual addresses achieves little; the defence has to look at aggregate rates and at spare capacity, which is why such attacks are hard to stop. A recent example involved a massive series of attacks directed at the financial services industry in late 2012. At the time, the US Secretary of Defense alluded to a potential ‘Cyber Pearl Harbor’, suggesting that this kind of attack could cause the financial system to fail.
During the 2012 attacks, tens of thousands of people downloaded a free attack tool called the Low Orbit Ion Cannon (LOIC).
Supported by YouTube training videos, otherwise non-technical people with a grudge against the banks were able to participate in this cyber attack.
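The difference between a single noisy client and a distributed flood, as an added worked example (not code from the original Guide): a sliding-window counter is run over a constructed request log, once per source address and once for the whole server. The thresholds, window length and the addresses (from the RFC 5737 documentation ranges) are assumptions chosen for the illustration.

```python
"""Rate-based flood detection over a constructed request log.

Added example, not from the original Guide. Events are synthetic
(timestamp in seconds, source IP). Two checks are shown:
  * per-source: one client sending faster than PER_SOURCE_LIMIT per WINDOW
  * aggregate:  total rate across all clients, which is what a distributed
    flood looks like when every bot stays under the per-source limit.
"""
from collections import defaultdict, deque

PER_SOURCE_LIMIT = 20   # requests per window from one IP (assumed threshold)
AGGREGATE_LIMIT = 200   # requests per window from everyone (assumed threshold)
WINDOW = 10.0           # seconds


def sliding_window_flood_check(events, per_source_limit=PER_SOURCE_LIMIT,
                               aggregate_limit=AGGREGATE_LIMIT, window=WINDOW):
    """Return (flagged_sources, aggregate_alarm).

    events: iterable of (t_seconds, src_ip), sorted by time.
    A source is flagged the first time it has more than per_source_limit
    events inside any window-long interval; aggregate_alarm is True if the
    total across all sources exceeds aggregate_limit inside one window.
    """
    per_source = defaultdict(deque)   # ip -> timestamps inside the window
    everyone = deque()                # all timestamps inside the window
    flagged = set()
    aggregate_alarm = False
    for t, ip in events:
        q = per_source[ip]
        q.append(t)
        while q and t - q[0] > window:     # drop events older than the window
            q.popleft()
        if len(q) > per_source_limit:
            flagged.add(ip)
        everyone.append(t)
        while everyone and t - everyone[0] > window:
            everyone.popleft()
        if len(everyone) > aggregate_limit:
            aggregate_alarm = True
    return flagged, aggregate_alarm


def single_source_flood():
    """Constructed: one client (10.0.0.9) sending 50 requests in one second."""
    return [(float(i) / 50, "10.0.0.9") for i in range(50)]


def distributed_flood(bots=100, per_bot=15):
    """Constructed: 100 bots each sending 15 requests in 10 s. Every bot stays
    under the per-source limit, yet 1500 requests hit the server in the window."""
    events = []
    for b in range(bots):
        ip = "192.0.2.%d" % (b + 1)        # RFC 5737 documentation range
        for i in range(per_bot):
            events.append((i * (WINDOW / per_bot), ip))
    events.sort()
    return events


if __name__ == "__main__":
    print("single source:", sliding_window_flood_check(single_source_flood()))
    print("distributed:  ", sliding_window_flood_check(distributed_flood()))
```

The per-source check catches the lone attacker and misses the botnet entirely; only the aggregate counter sees the distributed flood, and at that point the only options are rate limiting everyone, adding capacity or upstream filtering.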
E is for… Exfiltration
Some advanced cybercrime infections use what is known as the ‘Dropper, Reporter, Wiper’ model:
• The malware is dropped onto the target machine.
• The malware reports what it finds back to its controller and may steal data and send that back as well.
• Finally, the malware wipes itself from the infected system and hides its tracks.
The process by which data is sent back to the attacker is known as ‘Exfiltration’. It may be done directly or by sending the data first to a ‘staging’ server for temporary storage. Exfiltration is normally disguised as ordinary outbound traffic, such as web requests or DNS queries, so unusual volumes or destinations in outbound logs are often the only visible sign of it.
F is for… Firewall
A Firewall is an application or device designed to prevent unauthorised access to a network or system.
Firewalls do this by applying rules and other analysis to network traffic in an attempt to detect and block suspicious access attempts.
Firewalls are active parts of the network that inspect incoming data packets and attempt to filter out those that have suspicious characteristics before they can enter the secure part of the network or device.
Firewalls can serve both as gateways and as filters; they allow some traffic to pass through and they filter out other traffic. Rules are normally evaluated in order and the first match wins, so the order of the rules matters as much as their content, and a sound ruleset ends with a rule that denies everything not explicitly allowed.
Firewalls normally sit on the boundary between the trusted network or system and the external or un-trusted network. Systems that must be reachable from outside, such as public web or mail servers, are usually placed in a separate, more tightly restricted segment between the two; it is this segment, not the firewall itself, that is commonly referred to as the Demilitarized Zone or ‘DMZ’.
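First-match rule evaluation with a default deny, as an added illustration (not the Guide's own code, and not the syntax of any real firewall product): the rule tuple format, the DMZ web server address and the constructed ruleset are assumptions; the addresses come from the RFC 5737 documentation ranges. The `misordered_rules` variant shows what goes wrong when a broad allow is placed above a narrower restriction.

```python
"""Ordered, first-match packet filter with default deny.

Added example, not from the original Guide. A rule is
(action, src_network, dst_network, protocol, dst_port) where '*' means any.
Rules are evaluated top to bottom and the first match decides; if nothing
matches the packet is denied. A packet is (src_ip, dst_ip, proto, dst_port).
"""
import ipaddress

DENY, ALLOW = "DENY", "ALLOW"


def _match(field, value):
    return field == "*" or field == value


def _in_net(net, ip):
    return net == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)


def evaluate(rules, packet, default=DENY):
    """Return the action of the first matching rule, else `default`."""
    src, dst, proto, port = packet
    for action, src_net, dst_net, r_proto, r_port in rules:
        if (_in_net(src_net, src) and _in_net(dst_net, dst)
                and _match(r_proto, proto) and _match(r_port, port)):
            return action
    return default


# Constructed ruleset: a public web server 203.0.113.10 in the DMZ, SSH
# management from the internal 10.0.0.0/8 LAN only, everything else dropped.
RULES = [
    (DENY,  "0.0.0.0/8",   "*",               "*",   "*"),   # spoofed/bogon source
    (ALLOW, "*",           "203.0.113.10/32", "tcp", 443),   # HTTPS to DMZ web
    (ALLOW, "10.0.0.0/8",  "203.0.113.10/32", "tcp", 22),    # SSH from the LAN only
    (DENY,  "*",           "*",               "*",   "*"),   # explicit default deny
]


def misordered_rules():
    """The same policy with a broad allow inserted at the top. Because the
    first match wins, the LAN-only SSH restriction below is never reached."""
    return [(ALLOW, "*", "203.0.113.10/32", "tcp", "*")] + RULES


if __name__ == "__main__":
    internet, lan, web = "198.51.100.7", "10.1.2.3", "203.0.113.10"
    print("HTTPS from Internet:", evaluate(RULES, (internet, web, "tcp", 443)))
    print("SSH from Internet:  ", evaluate(RULES, (internet, web, "tcp", 22)))
    print("SSH from LAN:       ", evaluate(RULES, (lan, web, "tcp", 22)))
    print("SSH, misordered:    ", evaluate(misordered_rules(), (internet, web, "tcp", 22)))
```

Reading the ruleset top to bottom is exactly what a reviewer does during a firewall audit; the misordered version is the classic finding, where a convenience rule added later silently widens access.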
G is for… Governance
'Governance' refers to the requirement for consistency, clearly defined ownership and accountability. Governance failures are often the first red flag that a regulator will look for when investigating a data breach.
The ‘organisation’ of information security describes the roles and responsibilities of all staff who engage in information & communications security at an operational level. Many organisations already have a Chief Information Security Officer or CISO.
However, the authority and reporting line of a CISO can vary between firms and regions, and a CISO who reports into the function being secured will struggle to challenge it.
H is for… Hacking
A ‘Hacker’ is:
• A person with expert skills
• Who accesses computer systems
• Without authorisation
• By circumventing or cracking security
LinkedIn recently suffered a hacking attack that is thought to have exposed 6.5 million password hashes, many of which were cracked within days because they had been stored as unsalted SHA-1.
Hacking attacks are criminal access techniques; the manner in which that access is then exploited, for example via lateral movement to other systems or data theft, can vary widely.
Hackers are human and they live, breathe and think just like you do. While you are dealing with an attack, there is every chance that the hacker is watching you operate, responding to your moves, wiping the evidence and exfiltrating data in parallel.
I is for… Injection
Code ‘injection’ refers to efforts to exploit security weaknesses in systems by injecting commands that bypass controls and cause a computer system to act in a way that was not intended.
Expert hackers can change the way systems work and even extract secret data by injecting such commands remotely, for example via an insecure web page. The commonest form is SQL injection, where text typed into a web form is pasted straight into a database query, so that quotes and comment characters in the input change the meaning of the query itself.
When security controls are weak, such commands can extract user name and password tables or other confidential information. In some cases even major corporations leave themselves vulnerable to such attacks. The standard defence is to pass user input to the database as bound parameters rather than by string concatenation, so that it is always treated as data and never as part of the command.
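The vulnerable pattern beside its fix, as an added example (not code from the Guide): a login check against an in-memory SQLite table, written once by string concatenation and once with bound parameters, plus a UNION-based extraction through the same hole. The table, the accounts and the payload strings are constructed for the demonstration; passwords are stored in clear only to keep the example short (a real system stores salted hashes, as the LinkedIn entry above shows).

```python
"""SQL injection: string-built query versus parameterised query.

Added example, not from the original Guide. Uses an in-memory SQLite
database with a constructed users table; the login check is the classic
web-form pattern.
"""
import sqlite3


def make_db():
    """Constructed sample data. Clear-text passwords are for brevity only."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "correct horse", "admin"),
        ("bob", "hunter2", "user"),
    ])
    return con


def login_vulnerable(con, username, password):
    """Concatenates user input straight into SQL, so whatever the attacker
    types becomes part of the statement."""
    sql = ("SELECT username, role FROM users WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    return con.execute(sql).fetchall()


def login_safe(con, username, password):
    """Bound parameters: the driver sends the values separately from the
    statement, so quotes and comment markers are just data."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return con.execute(sql, (username, password)).fetchall()


def dump_vulnerable(con, username):
    """UNION-based extraction through the same hole: the attacker appends a
    second SELECT and reads other columns back through the application."""
    sql = "SELECT username, role FROM users WHERE username = '%s'" % username
    return con.execute(sql).fetchall()


if __name__ == "__main__":
    con = make_db()
    # '--' starts an SQL comment, so the password check is thrown away
    print(login_vulnerable(con, "alice' --", "wrong"))
    # the same input against the parameterised query matches nobody
    print(login_safe(con, "alice' --", "wrong"))
    # tautology: every row matches
    print(login_vulnerable(con, "' OR '1'='1", "' OR '1'='1"))
    # pull the password column out through a field meant for a name
    print(dump_vulnerable(con, "x' UNION SELECT username, password FROM users --"))
```

The safe version changes nothing about the query's logic; it only changes how the values travel to the database, which is why parameterisation is the default fix and input filtering is not.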
J is for… Java
Java, named for the coffee drunk by the development team, is an underlying web technology that allows you to play online games, chat with people around the world, calculate your mortgage interest, and view images in 3D.
It's also integral to the intranet applications and other e-business solutions that are one foundation of corporate computing.
However, as with many new software products, the latest version of Java (Version 7) reportedly shipped with a number of security flaws.
These flaws allegedly expose anyone using Java to malware infections from malicious websites, because the Java browser plug-in will run code from any web page the user visits.
Some security experts have been advising users to revert to Version 6 of Java, but the company has been issuing fixes and patches and maintains that its software is safe to use. Reverting to an older version swaps one set of known flaws for another; the safer course is to keep Java patched and to disable the browser plug-in wherever it is not actually needed.
K is for… Keys
Encryption is the act of encoding information so that it cannot be read except by the intended recipients.
The science of encryption is known as Cryptography. It involves a combination of mathematics, computer science and electronics, and is widely used by governments, the military and private companies.
In ‘secret key’ or symmetric encryption (sometimes loosely called ‘private key’ encryption, although that term properly refers to one half of a public/private key pair), the message or data is first encrypted using a secret encryption ‘key’ and an encryption algorithm.
The receiving party then decrypts it using the same secret key and algorithm. The message can now be read. The security of the scheme rests on keeping the key secret and on the soundness of the algorithm, which is normally public; an encrypted message should also carry an authentication tag, otherwise an attacker who cannot read it can still alter it undetected.
Hello! + Secret Key + Encryption = Ciphertext (coded message); Ciphertext + Secret Key + Decryption = Hello!
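The round trip in the diagram, as an added example (not code from the Guide): the same secret key encrypts and decrypts, a wrong key or a modified ciphertext is rejected, and the ciphertext bears no resemblance to “Hello!”. AES is not in the Python standard library, so the keystream here is produced by HMAC-SHA256 run in counter mode over a nonce, which is the same idea as a counter-mode stream cipher, and the ciphertext is authenticated with a second HMAC (encrypt-then-MAC). This is a teaching construction built on standard-library primitives; the key-derivation labels, nonce size and tag size are assumptions, and a real system should use a vetted authenticated cipher such as AES-GCM or ChaCha20-Poly1305 from a maintained library.

```python
"""Secret-key (symmetric) encryption with only the Python standard library.

Added example, not from the original Guide and not a production cipher.
Keystream: HMAC-SHA256(enc_key, nonce || counter) in counter mode.
Integrity:  HMAC-SHA256(mac_key, nonce || ciphertext), checked before decrypting.
"""
import hashlib
import hmac
import os
import struct

KEY_LEN = 32     # master key bytes (assumed size)
NONCE_LEN = 16   # per-message nonce bytes (assumed size)
TAG_LEN = 32     # SHA-256 output


def _derive_subkeys(key):
    """Separate encryption and MAC keys from one master key (labels assumed)."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key, nonce, length):
    """Counter mode: PRF(nonce || 0), PRF(nonce || 1), ... truncated to length."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext, nonce=None):
    """Return nonce || ciphertext || tag. The nonce must never repeat for a key."""
    if nonce is None:
        nonce = os.urandom(NONCE_LEN)
    enc_key, mac_key = _derive_subkeys(key)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Verify the tag first (constant-time compare), then decrypt.
    Raises ValueError on a wrong key or a modified message."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _derive_subkeys(key)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    ks = _keystream(enc_key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def roundtrip_demo(message=b"Hello!"):
    """Fresh random key and nonce; returns what the recipient reads."""
    key = os.urandom(KEY_LEN)
    return decrypt(key, encrypt(key, message))


if __name__ == "__main__":
    key = os.urandom(KEY_LEN)
    blob = encrypt(key, b"Hello!")
    print("ciphertext:", blob[NONCE_LEN:-TAG_LEN].hex())
    print("decrypted: ", decrypt(key, blob))
```

The tag check runs before any decryption so that a tampered message is rejected outright; skipping that step is what makes unauthenticated encryption fragile even when the cipher itself is sound.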
L is for… Logging
Collecting & logging information on information security rule sets and events is an important cyber security control.
Examples of possible source systems or data include:
• Logons to workstations and servers
• Firewall logs
• Intrusion Detection Systems (IDS)
• Domain Name System servers (DNS)
• Dynamic Host Configuration Protocol servers (DHCP)
• Virtual Private Network servers (VPN)
The integration of important log files into a centralised logging utility might be considered. Centralisation also lets the separate sources be correlated: a DHCP lease ties an address to a machine at a given time, a logon event ties the machine to a user, and the firewall and IDS records show what that address did, which is rarely possible when each log sits on its own system with its own clock.
This supports both the detection and investigation of incidents.
Robust logging is a critical component of a good information security operation. Logs should be written to a system the attacker cannot reach from a compromised host, and the clocks of all sources kept synchronised, otherwise the attacker can wipe the trail and the timeline cannot be reconstructed.
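Correlation across centralised sources, as an added example (not code from the Guide): starting from one IDS alert that names an internal address, the code finds which machine held that address at the time (from DHCP), who was logged on to it (from logon events) and what the firewall saw from it during that lease. The log lines are constructed in a simplified syslog-like layout, not the output of any real product, and the hostnames, users and addresses are invented; the second DHCP lease is there to show why the timestamp matters.

```python
"""Correlating centralised logs: DHCP + logons + firewall + IDS.

Added example, not from the original Guide. Log lines are constructed
in a simplified format; the point is the pivot from an alert to a host,
a user and related traffic, bounded by the DHCP lease that was current.
"""
import re
from datetime import datetime

LOGS = """\
2012-11-05T13:55:02 dhcp lease 10.0.5.23 assigned to 00:1a:2b:3c:4d:5e hostname LAPTOP-17
2012-11-05T13:55:40 auth logon user=jsmith host=LAPTOP-17 result=success
2012-11-05T13:58:11 fw ALLOW tcp 10.0.5.23:51234 -> 198.51.100.200:443
2012-11-05T14:02:09 ids ALERT src=10.0.5.23 dst=198.51.100.200 sig=known-c2-beacon
2012-11-05T14:02:10 fw ALLOW tcp 10.0.5.23:51240 -> 198.51.100.200:443
2012-11-05T14:30:00 dhcp lease 10.0.5.23 assigned to 00:aa:bb:cc:dd:ee hostname DESKTOP-03
2012-11-05T14:31:15 auth logon user=mjones host=DESKTOP-03 result=success
2012-11-05T14:40:00 fw DENY tcp 10.0.5.23:51300 -> 198.51.100.200:443
"""

PATTERNS = {
    "dhcp": re.compile(r"^(\S+) dhcp lease (\S+) assigned to (\S+) hostname (\S+)$"),
    "auth": re.compile(r"^(\S+) auth logon user=(\S+) host=(\S+) result=(\S+)$"),
    "fw":   re.compile(r"^(\S+) fw (ALLOW|DENY) (\S+) (\S+):(\d+) -> (\S+):(\d+)$"),
    "ids":  re.compile(r"^(\S+) ids ALERT src=(\S+) dst=(\S+) sig=(\S+)$"),
}


def parse(text):
    """Normalise raw lines into dicts with a parsed timestamp and a 'kind'."""
    events = []
    for line in text.splitlines():
        for kind, pat in PATTERNS.items():
            m = pat.match(line)
            if not m:
                continue
            f = m.groups()
            ev = {"ts": datetime.fromisoformat(f[0]), "kind": kind}
            if kind == "dhcp":
                ev.update(ip=f[1], mac=f[2], host=f[3])
            elif kind == "auth":
                ev.update(user=f[1], host=f[2], result=f[3])
            elif kind == "fw":
                ev.update(action=f[1], proto=f[2], src=f[3], dst=f[5], dport=int(f[6]))
            else:
                ev.update(src=f[1], dst=f[2], sig=f[3])
            events.append(ev)
            break
    return sorted(events, key=lambda e: e["ts"])


def lease_window(events, ip, when):
    """(host, start, end) of the DHCP lease covering `when`; end is None if
    the lease was still current at the end of the log. Addresses move
    between machines, so the answer depends on the time asked about."""
    leases = [e for e in events if e["kind"] == "dhcp" and e["ip"] == ip]
    for i, e in enumerate(leases):
        end = leases[i + 1]["ts"] if i + 1 < len(leases) else None
        if e["ts"] <= when and (end is None or when < end):
            return e["host"], e["ts"], end
    return None, None, None


def user_on_host(events, host, when):
    """Most recent successful logon to `host` at or before `when`."""
    user = None
    for e in events:
        if (e["kind"] == "auth" and e["host"] == host
                and e["result"] == "success" and e["ts"] <= when):
            user = e["user"]
    return user


def investigate(events, alert):
    """Pivot from one IDS alert to host, user and firewall hits in the lease."""
    host, start, end = lease_window(events, alert["src"], alert["ts"])
    if host is None:
        return {"host": None, "user": None, "firewall_hits": 0, "sig": alert["sig"]}
    user = user_on_host(events, host, alert["ts"])
    hits = [e for e in events if e["kind"] == "fw" and e["src"] == alert["src"]
            and e["dst"] == alert["dst"] and start <= e["ts"]
            and (end is None or e["ts"] < end)]
    return {"host": host, "user": user, "firewall_hits": len(hits), "sig": alert["sig"]}


def run(text=LOGS):
    events = parse(text)
    return [investigate(events, e) for e in events if e["kind"] == "ids"]


def who_had(ip, when_iso, text=LOGS):
    """Hostname holding `ip` at ISO time `when_iso`, or None."""
    return lease_window(parse(text), ip, datetime.fromisoformat(when_iso))[0]


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

The 14:40 firewall deny is deliberately excluded from the finding: by then the address belonged to a different machine, and counting it would point the investigation at the wrong user.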
M is for… Malware
‘Malware’ is malicious software that can deliver a payload or disrupt & damage systems.
McAfee reported in Q3 2012 that online financial fraud attacks have spread worldwide, that malware which extorts money from its victims (ransomware) became one of the fastest growing areas of cybercrime and that the number of malware specimens in its 'zoo' has now topped 100 million.
Malware comes in many shapes and sizes but the most important categories are:
• Viruses
• Worms
• Trojans
• Rootkits
• Spyware
The categories describe how the code spreads or hides rather than what it does: a single sample may be a worm by propagation, a rootkit by concealment and spyware by payload.
N is for… Networks
Keeping external parties and malware off the network and connected devices using firewalls, intrusion detection, anti-virus Apps and other tools is only half the struggle.
The other half involves dealing with those issues that manifest themselves within the network itself, as summarised in this list:
• Mobile device risks
• Wireless network access
• Bring your own device (BYOD) risks
• Child and family users
• Borrowed access and shared passwords
• Weak passwords
• Email address as username
• Printing (memory & printouts)
• USB drives and devices
• CD & DVD writers
• Physical intruders
• Human memory
O is for… Outsourcing
‘The Cloud’ is a marketing term for the provision of infrastructure, virtualised services and computing resources over the Internet. It encompasses platforms, provided remotely online, that can be scaled upwards or downwards but with no requirement for ownership.
Co-located or Cloud-based systems and data are exposed to many of the same security threats as their in-house equivalents, but when you offshore your information assets you don’t offshore your accountability. Key risks include:
• Malware & Denial of Service attacks
• Malicious joint tenants, who share the same physical hardware and hypervisor as your systems
Before moving data to a provider, establish in the contract where it will be stored, who at the provider can access it, how it is encrypted and how you would get it back or have it destroyed.
P is for… Persistence
Advanced Persistent Threats (APTs) are prolonged, targeted intrusion campaigns, usually carried out with custom malware, that primarily aim at business, industrial and political targets.
APTs require a high degree of stealth, may involve several threat actors and can operate over a prolonged duration.
APT malware is commonly deployed to:
• Infect digital systems
• Hide from detection systems
• Navigate networks
• Capture and exfiltrate key data
• Set up covert remote control
• Wipe or re-install itself
• Execute other payloads
Recent examples of APTs, about which a wealth of information can be found online, include Flame, Stuxnet and Shamoon, all of which primarily attacked targets in Iran or the Middle East.
Q is for… Quantification
The United Kingdom Threat Assessment produced by the Serious Organised Crime Agency (SOCA) includes cybercrime & related activities as key threats.
Meanwhile, in 2011 the UK Cabinet Office estimated the annual cost of cybercrime to the UK economy at £27 billion.
However, researchers reporting in a study titled Measuring the Cost of Cybercrime made distinctions between true cybercrimes & other crimes conducted online. They concluded that the measurable loss is lower & that spending on cyber security greatly exceeds the actual losses. Whatever the truth might be, quantification is clearly challenging.
R is for… Rootkits
Rootkits are a type of malware designed to operate at the lowest level of the operating system (OS), or beneath it in the boot process or firmware, thus avoiding detection and providing system administrator-level access to the attacker.
In most cases, the installation of a Rootkit requires root-level access.
This can be gained when working on the machine (e.g. as a contractor), by cracking password protection, by socially engineering the passwords from the authorised administrators, as well as via online malware attacks that exploit a privilege escalation flaw. Poor staff practices, such as sharing passwords, can also contribute to such infections.
The purpose of a Rootkit can be to execute several types of malware attack; most commonly it is used to keep other malware hidden and running.
The key point is that Rootkits are very difficult to detect from within the running system, because they subvert the very OS functions a scanner relies on; detection is more reliable from a trusted boot medium or from the network, and removal might require a complete re-install of the operating system itself.
S is for… Spyware
Spyware is a form of malware designed to sit secretly on an infected machine and capture information about the users' activities without their knowledge. This can include passwords and Internet usage habits, plus personal or financial data.
Spyware is often installed on computers via hidden downloads when a user browses to a malicious site, or as Trojan malware concealed within another application.
Spyware often comes bundled with other software that users download deliberately. This is called a ‘Trojan’ attack.
Well designed Spyware has little impact on system performance or user processes and often goes undetected. Because it has to send what it captures somewhere, its outbound connections are frequently the most reliable sign of its presence.
T is for… Toolkits
Finding security holes is a difficult task for most attackers but many web attack toolkits have been designed to make it easier for them.
These kits can be obtained online and are often well supported by their creators who will even engage in online social spaces to provide advice on usage and troubleshooting.
Most attack toolkits are clearly built with the non-technical user in mind and as a result they feature simple interfaces with no deep technical skill being needed to launch many of the attacks. This is an example of what is sometimes called the ‘Script Kiddie’ model.
Past examples of toolkits include:
• Neosploit
• MPack
• Icepack
• Adpack
The Blackhole Exploit Kit was reportedly the most prevalent toolkit at the time of writing. Such kits work mainly by serving exploits for known, already-patched browser and plug-in flaws, so keeping browsers and plug-ins such as Java up to date removes most of what they can do.
U is for… Unprotected
Anti-virus (AV) software is used to prevent, detect and remove malware of all descriptions.
Regularly updated AV software is generally considered essential, although it should be treated as one layer among several: it relies largely on signatures of known malware and will miss new or targeted samples, so patching, least privilege and sensible user behaviour matter just as much.
As mobility becomes the norm, anti-virus software on mobile devices is increasingly important, yet very few mobile device owners have such software installed.
Some AV applications degrade device performance and users often opt to turn off or replace AV products in an attempt to optimise their systems. Less aware users uninstall AV and never reinstall, leaving themselves very exposed to malware.
V is for… Virtual wizards
Virtual Wizards specialise in the use of virtual currencies and other assets as a mechanism for transferring the proceeds of crime on behalf of third parties. This virtual money laundering might be carried out via web-based unregulated money services such as WebMoney Transfer and Bitcoin, or by using the ‘currencies’ created by online gaming firms such as World of Warcraft, Second Life or Eve Online.
‘Mules’ and ‘cashiers’ are individuals who are persuaded or tricked into taking part in a chain of criminal financial transactions, sometimes innocently, by receiving and then forwarding funds in exchange for a commission. This is done in order to keep the criminals’ transaction levels below those that trigger alarms in the financial services sector.
By spreading the flow of transactions across a number of mule or hacked accounts, online criminals can transfer and launder funds.
W is for… Warfare
The complexity of cyberspace isn't stopping some countries from preparing to fight their wars there. All of the major powers are investing in the development of cyber warfare & espionage capabilities.
The US has published its strategy for operating in cyberspace:
• Treat cyberspace as an operational domain.
• Employ new defense operating concepts to protect networks and systems.
• Partner with government agencies and the private sector.
• Build robust relationships with allies and international partners.
• Leverage the nation's cyber workforce & technological innovation.
X is for… compleXity
Three parameters determine average levels of user cyber security awareness and understanding:
• The number of users, which rises as the cost of device ownership falls.
• The overall level of risk, which is a function of the number of devices in use and the number of discrete vulnerabilities that exist.
• The mean level of user education, which declines as the user population increases.
Just as the mean educational level of the user base is declining, the complexity of the CyberComms ecosystem is rapidly increasing with mobility & new services. This increasing complexity is a function of the density of interconnections and the speed of change and development, both of which are overwhelming. We must assume that, given this complexity, a large segment of the global user base will never be made security aware, and design systems so that the safe behaviour is the default rather than something the user has to know about.
Y is for… You
The main defence against cyber attack is not technology. The main defence is you, the user!
Cyber technology is our most essential economic and social tool. As we all share the same dependency on a single global network and technology set, cyber security awareness must be understood by every citizen worldwide.
Z is for… Zero Day Risk
Older malware programs infected huge numbers of machines but this made them easier to detect. Modern malware Apps are designed to infect a smaller number of machines before they evolve into a new form, making detection harder.
This period during which a malware App’s existence is unknown is called the ‘Zero Day’ or ‘Oh-day’ period. Strictly, ‘zero-day’ describes a vulnerability or exploit for which the vendor has had zero days to produce a fix; the term is used more loosely here for malware that no signature yet detects, and the two often go together.
Some of the core measurements for describing a viral infection are the rate or speed at which:
• External computers are connected to the network in question.
• Infected computers recover due to the anti-viral capabilities of the network.
• One infected computer is removed from the network.
• When having a connection to one infected computer, one additional susceptible computer can become infected.
• The virus mutates to another form, creating new Zero Day risks.
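How those five rates interact, as an added worked example (not from the Guide, which lists the rates but gives no model): a simple susceptible / infected / recovered model in discrete time steps, where recovery stands for hosts cleaned once a signature exists, removal for hosts taken off the network, arrivals for new hosts joining, and mutation for a new variant that drops previously protected hosts back into the susceptible pool. The compartmental scheme, the step size and every parameter value are assumptions chosen to illustrate the three regimes; nothing here is calibrated to a real outbreak.

```python
"""Toy outbreak model driven by the five rates listed above.

Added illustration, not from the original Guide. Compartments are counts
of hosts: S (susceptible), I (infected), R (cleaned and protected by a
signature). Time advances in discrete steps; all parameters are assumed.
"""


def simulate(steps, beta, gamma, delta, arrivals, mutation, n=10000.0, i0=10.0):
    """Advance the model `steps` times and return a list of (S, I, R) counts.

    beta     : infection rate per contact between a susceptible and an infected host
    gamma    : recovery rate (hosts cleaned once a signature exists; they join R)
    delta    : removal rate (infected hosts taken off the network altogether)
    arrivals : new susceptible hosts connected to the network per step
    mutation : fraction of R that drops back to S each step because a new
               variant evades the signatures that protected them (new zero-day)
    """
    s, i, r = n - i0, i0, 0.0
    history = [(s, i, r)]
    for _ in range(steps):
        total = s + i + r
        new_infections = beta * s * i / total   # contact-driven spread
        recovered = gamma * i
        removed = delta * i
        relapsed = mutation * r
        s = s - new_infections + relapsed + arrivals
        i = i + new_infections - recovered - removed
        r = r + recovered - relapsed
        history.append((s, i, r))
    return history


def infected_fraction(state):
    s, i, r = state
    return i / (s + i + r)


def peak_infected_fraction(history):
    return max(infected_fraction(x) for x in history)


def final_infected_fraction(history):
    return infected_fraction(history[-1])


def signature_ready():
    """Signatures exist from the start: gamma + delta exceed beta, so the
    outbreak never takes off."""
    return simulate(200, beta=0.2, gamma=0.3, delta=0.05, arrivals=0.0, mutation=0.0)


def zero_day_burst():
    """Fast spread while signatures lag: one large wave that burns itself out
    once most hosts have been cleaned or removed."""
    return simulate(600, beta=0.4, gamma=0.1, delta=0.025, arrivals=0.0, mutation=0.0)


def zero_day_with_mutation():
    """As above, but the malware keeps mutating: cleaned hosts become
    susceptible again and the infection settles at a persistent level."""
    return simulate(600, beta=0.4, gamma=0.1, delta=0.025, arrivals=0.0, mutation=0.05)


if __name__ == "__main__":
    for name, run in [("signature ready", signature_ready),
                      ("zero-day burst", zero_day_burst),
                      ("zero-day + mutation", zero_day_with_mutation)]:
        h = run()
        print("%-20s peak %.3f  final %.6f" % (name, peak_infected_fraction(h),
                                                final_infected_fraction(h)))
```

The third run is the point of the section: with the same spread and clean-up rates, a steady trickle of new variants is enough to keep the infection alive indefinitely, so detection effort has to be continuous rather than a one-off response to each outbreak.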
A to Z Guides
To find more free A to Z Guides by The Risk Management Group, please visit us online at http://www.trmg.biz
At the time of writing, the following additional A to Z Guides were available:
• The A to Z of Safe Social Media
• The A to Z of Safe Children Online
• The A to Z of Financial Crime
You can contact TRMG via Email at [email protected]
About the author
Mark Johnson is a prominent thinker and speaker on emerging communications security, online and social media risks. He is the author of Demystifying Communications Risk (ISBN 978-1-4094-2941-8), published by Gower Publishing, as well as numerous industry guides and papers.
Mark is currently working on his second book, Cybercrime, Security and Digital Intelligence, which will also be published by Gower. This second book is expected to be available from summer 2013.
About this work
This work has been published online by The Risk Management Group (TRMG)
Compass House, Vision Park
Chivers Way, Histon
Cambridge CB24 9AD
United Kingdom
www.trmg.biz
All rights reserved. This Guideline is provided free of charge subject to the condition that it may be reproduced and distributed freely and without restriction but that it may not be resold or used for any commercial purpose without the written agreement of the publishers.
All images are either the work of the author or have been used under licence from iStockphoto.
Disclaimer
In creating this Guideline every effort has been made to offer the most current, correct, and clearly expressed information possible. Nevertheless, inadvertent errors in information may occur. In particular, the authors and the Publisher all disclaim any responsibility for any errors contained within the Guideline or in any related communications, web pages or other printed or online resources. The information and data included in the Guideline have been gathered from a variety of sources and are subject to change without notice. The authors make no warranties or representations whatsoever regarding the quality, content, completeness, suitability, adequacy, sequence, accuracy, or timeliness of such information and data.