Scribd Logo
Fazer o upload

Bem-vindo(a) ao Scribd!

  • Cybercrime: Threats and Solutions

    Enviado por

    Ark Group
    100 visualizações10 páginas
    IN MARCH 2013 cyber criminals launched an attack on a little known non-profit organisation called Spamhaus which is an organisation that contributes to the fight against internet spam. The attack was then extended to include a service provider and the organisation’s network provider. The attack, described as the largest of its type ever seen, caused serious operational problems at the London Internet Exchange and affected quality of services across several parts of western Europe. This report arrives at some very important conclusions about the nature of the threat and the requirements on organisations in terms of a response. These can be summarised as: * An army of one has the power to cripple key systems and infrastructure: The proliferation of easy-to-use attack tools means that the asymmetric nature of the cyber menace is more pronounced than ever before; * Raising awareness amongst non-technical users and leaders should be job one: Users and their leaders are sometimes unaware of the perils and, without better user awareness, attackers will always have a hefty set of loopholes to exploit; * It is not all about China: Doubts are starting to emerge in some quarters about the veracity of reports blaming China for the preponderance of reported cyber-attacks and intrusions; * Dependency is the biggest area of vulnerability: Because business, governments, and citizens have such a great dependency on cyber and communications technologies, and because those technologies have converged on the internet, they now represent a single point of failure for the globalised system of trade and finance; * Forget hacking, poor user habits, purpose-made exploit kits and Cloud risks are far more substantial threats to our cyber security: Anonymity online, the ease with which social engineering attacks can be executed, and the virtualisation of key data and systems in the Cloud all mean that traditional hacking attacks on corporate servers are likely to become less frequent and significant than attacks on virtualised platforms, as well as on employees operating in the social spaces; * Governance of information is the top priority for boards: In the information age, data assumes primacy as a business asset. Accordingly, those responsible for the well-being, compliance, and security of the business are now recognising that information security is a top priority; and * Network providers must take responsibility for network security: Recent attacks have demonstrated that once malicious data have arrived at the targeted server it may be too late to block the attack – the network’s capacity to function has already been affected. Therefore it is the network provider itself that must detect and block potential attacks.

    Título original

    Cybercrime: Threats and Solutions

    Direitos autorais

    © Attribution Non-Commercial (BY-NC)

    Formatos disponíveis

    PDF, TXT ou leia online no Scribd

    Você considera este documento útil?

    Este conteúdo é inapropriado?

    Denunciar este documento
    IN MARCH 2013 cyber criminals launched an attack on a little known non-profit organisation called Spamhaus which is an organisation that contributes to the fight against internet spam. The attack was then extended to include a service provider and the organisation’s network provider. The attack, described as the largest of its type ever seen, caused serious operational problems at the London Internet Exchange and affected quality of services across several parts of western Europe. This report arrives at some very important conclusions about the nature of the threat and the requirements on organisations in terms of a response. These can be summarised as: * An army of one has the power to cripple key systems and infrastructure: The proliferation of easy-to-use attack tools means that the asymmetric nature of the cyber menace is more pronounced than ever before; * Raising awareness amongst non-technical users and leaders should be job one: Users and their leaders are sometimes unaware of the perils and, without better user awareness, attackers will always have a hefty set of loopholes to exploit; * It is not all about China: Doubts are starting to emerge in some quarters about the veracity of reports blaming China for the preponderance of reported cyber-attacks and intrusions; * Dependency is the biggest area of vulnerability: Because business, governments, and citizens have such a great dependency on cyber and communications technologies, and because those technologies have converged on the internet, they now represent a single point of failure for the globalised system of trade and finance; * Forget hacking, poor user habits, purpose-made exploit kits and Cloud risks are far more substantial threats to our cyber security: Anonymity online, the ease with which social engineering attacks can be executed, and the virtualisation of key data and systems in the Cloud all mean that traditional hacking attacks on corporate servers are likely to become less frequent and significant than attacks on virtualised platforms, as well as on employees operating in the social spaces; * Governance of information is the top priority for boards: In the information age, data assumes primacy as a business asset. Accordingly, those responsible for the well-being, compliance, and security of the business are now recognising that information security is a top priority; and * Network providers must take responsibility for network security: Recent attacks have demonstrated that once malicious data have arrived at the targeted server it may be too late to block the attack – the network’s capacity to function has already been affected. Therefore it is the network provider itself that must detect and block potential attacks.

    Direitos autorais:

    Attribution Non-Commercial (BY-NC)
    Baixe no formato PDF, TXT ou leia online no Scribd
    Sinalizar o conteúdo como inadequado
    100 visualizações10 páginas

    Cybercrime: Threats and Solutions

    Enviado por

    Ark Group
    IN MARCH 2013 cyber criminals launched an attack on a little known non-profit organisation called Spamhaus which is an organisation that contributes to the fight against internet spam. The attack was then extended to include a service provider and the organisation’s network provider. The attack, described as the largest of its type ever seen, caused serious operational problems at the London Internet Exchange and affected quality of services across several parts of western Europe. This report arrives at some very important conclusions about the nature of the threat and the requirements on organisations in terms of a response. These can be summarised as: * An army of one has the power to cripple key systems and infrastructure: The proliferation of easy-to-use attack tools means that the asymmetric nature of the cyber menace is more pronounced than ever before; * Raising awareness amongst non-technical users and leaders should be job one: Users and their leaders are sometimes unaware of the perils and, without better user awareness, attackers will always have a hefty set of loopholes to exploit; * It is not all about China: Doubts are starting to emerge in some quarters about the veracity of reports blaming China for the preponderance of reported cyber-attacks and intrusions; * Dependency is the biggest area of vulnerability: Because business, governments, and citizens have such a great dependency on cyber and communications technologies, and because those technologies have converged on the internet, they now represent a single point of failure for the globalised system of trade and finance; * Forget hacking, poor user habits, purpose-made exploit kits and Cloud risks are far more substantial threats to our cyber security: Anonymity online, the ease with which social engineering attacks can be executed, and the virtualisation of key data and systems in the Cloud all mean that traditional hacking attacks on corporate servers are likely to become less frequent and significant than attacks on virtualised platforms, as well as on employees operating in the social spaces; * Governance of information is the top priority for boards: In the information age, data assumes primacy as a business asset. Accordingly, those responsible for the well-being, compliance, and security of the business are now recognising that information security is a top priority; and * Network providers must take responsibility for network security: Recent attacks have demonstrated that once malicious data have arrived at the targeted server it may be too late to block the attack – the network’s capacity to function has already been affected. Therefore it is the network provider itself that must detect and block potential attacks.

    Direitos autorais:

    Attribution Non-Commercial (BY-NC)
    Baixe no formato PDF, TXT ou leia online no Scribd
    Sinalizar o conteúdo como inadequado
    de 10

    Cybercrime: Threats and Solutions

    MARK JOHNSON

    PUBLISHED BY

    IN ASSOCIATION WITH

    Cybercrime: Threats and Solutions


    is published by Ark Group

    UK/EUROPE/ASIA OFFICE
    Ark Conferences Ltd
    6-14 Underwood Street
    London N1 7JQ
    United Kingdom
    Tel +44 (0)207 566 5792
    Fax +44 (0)20 7324 2373
    publishing@ark-group.com

    NORTH AMERICA OFFICE


    Ark Group Inc
    4408 N. Rockwood Drive
    Suite 150
    Peoria IL 61614
    United States
    Tel +1 309 495 2853
    Fax +1 309 495 2858
    publishingna@ark-group.com

    AUSTRALIA/NZ OFFICE
    Ark Group Australia Pty Ltd
    Main Level
    83 Walker Street
    North Sydney NSW 2060
    Australia
    Tel +61 1300 550 662
    Fax +61 1300 550 663
    aga@arkgroupasia.com

    Online bookshop
    www.ark-group.com/bookshop

    UK/Europe/Asia enquiries
    Hannah Fiddes
    hannah.fiddes@wilmington.co.uk

    ISBN: 978-1-78358-069-9 (hard copy)


    978-1-78358-070-5 (PDF)

    Commissioning Editor
    Helen Roche
    hroche@ark-group.com

    US enquiries
    Daniel Smallwood
    dsmallwood@ark-group.com

    Copyright

    Reports Publisher International


    Fiona Tucker
    ftucker@ark-group.com

    Australia/NZ enquiries
    Steve Oesterreich
    aga@arkgroupasia.com

    The copyright of all material appearing within


    this publication is reserved by the authors and
    Ark Conferences 2013. It may not be reproduced,
    duplicated or copied by any means without the
    prior written consent of the publisher.

    ARK2431

    Cybercrime: Threats and Solutions


    MARK JOHNSON

    PUBLISHED BY

    IN ASSOCIATION WITH

    Contents
    Contents ............................................................................................................................III
    Executive summary ............................................................................................................VII
    About the author................................................................................................................XI
    Part One: The cyber threat landscape in 2013
    Chapter 1: Cyber criminals Profiles, motives, and techniques ........................................... 3
    An interview with (ISC)2.......................................................................................................... 3
    The Blackhole exploit kit ........................................................................................................ 6
    Other exploit kits and CaaS attack tools ................................................................................. 9
    Increasingly varied threats...................................................................................................... 9
    A Cyber Pearl Harbor .......................................................................................................... 10
    From one-to-one towards many-to-many .......................................................................... 11
    The cybercrime perfect storm scenario ................................................................................ 13
    Threat actors The cast of cybercrime characters .................................................................. 13
    Conclusion ......................................................................................................................... 16
    Chapter 2: Why cyber attacks occur ................................................................................. 19
    Strategy versus operations ................................................................................................... 19
    Horizontal versus vertical sectors .......................................................................................... 20
    Access versus exploit ........................................................................................................... 21
    Why are organisations vulnerable?....................................................................................... 23
    Awareness need not have a technical focus .......................................................................... 24
    Cyber challenges facing the world in 2013 ........................................................................... 25
    Conclusion ......................................................................................................................... 35
    Chapter 3: The impact and cost of cybercrime .................................................................. 37
    Financial ............................................................................................................................ 38
    Brand, reputation, and customer confidence ......................................................................... 39
    Fake online profiles ............................................................................................................. 40
    Personal and social effects ................................................................................................... 41
    Tracking and privacy ........................................................................................................... 41
    A risk-based approach to planning ....................................................................................... 43
    Conclusion ......................................................................................................................... 43

    III

    Contents

    Part Two: Cyber attack techniques


    Chapter 4: From an army of one to the botnet ................................................................. 47
    The typical stages of a cyber attack ...................................................................................... 47
    Attack objectives ................................................................................................................. 48
    Common tools and techniques ............................................................................................ 48
    Organised crime................................................................................................................. 49
    A growing threat ................................................................................................................. 53
    Chapter 5: E-crime .......................................................................................................... 55
    Social engineering .............................................................................................................. 55
    Phishing ............................................................................................................................. 56
    Pharming ........................................................................................................................... 57
    Data theft ........................................................................................................................... 57
    Online fraud ...................................................................................................................... 57
    Conclusion ......................................................................................................................... 57
    Chapter 6: Employees and risk ......................................................................................... 59
    Hostile online investigations and social media....................................................................... 59
    Unauthorised Cloud deployments......................................................................................... 60
    USB sticks and other media ................................................................................................. 60
    Conclusion ......................................................................................................................... 62
    Part Three: The road ahead
    Chapter 7: Governance.................................................................................................... 65
    The evolution of cyber security and the regulatory framework ................................................. 65
    Winning the argument ......................................................................................................... 68
    Governance, risk, and compliance ....................................................................................... 68
    Auditing vs penetration testing ............................................................................................. 69
    A high level governance action plan for cyber security ........................................................... 71
    Chapter 8: Assessing risks ................................................................................................ 73
    Information technology and data asset inventories ................................................................. 73
    Threat assessments.............................................................................................................. 76
    Vulnerability assessments ..................................................................................................... 78
    ICT risk registers ................................................................................................................. 79
    Risk velocity ........................................................................................................................ 80
    Risk tolerance and the
    goldilocks zone ................................................................................................................. 80
    Cyber crisis response........................................................................................................... 80
    Conclusion ......................................................................................................................... 84

    IV

    Cybercrime: Threats and Solutions

    Chapter 9: Devising or updating controls ......................................................................... 85


    Data classification and segmentation.................................................................................... 86
    Encryption .......................................................................................................................... 87
    Authentication .................................................................................................................... 88
    Network flooding attacks ..................................................................................................... 90
    Anti-malware solutions ........................................................................................................ 90
    Mobile device security ......................................................................................................... 91
    Cloud security .................................................................................................................... 92
    Mobile payments security..................................................................................................... 95
    Machine-to-machine auditing .............................................................................................. 97
    Citizen developers............................................................................................................... 98
    ISO 27001 compliance....................................................................................................... 98
    Conclusion ......................................................................................................................... 99

    Executive summary
    IN MARCH 2013 cyber criminals launched
    an attack on a little known non-profit
    organisation called Spamhaus which is an
    organisation that contributes to the fight
    against internet spam. The attack was then
    extended to include a service provider
    and the organisations network provider.
    The attack, described as the largest of its
    type ever seen, caused serious operational
    problems at the London Internet Exchange
    and affected quality of services across
    several parts of western Europe. Some
    informed commentators suggested that
    it highlighted important vulnerabilities in
    internet infrastructure.
    Cybercrime, in its various guises, costs
    the global economy untold sums of money
    and much social and personal harm. In
    February 2011 the UK Cabinet Office
    sponsored a report by Detica, titled The
    Cost of Cybercrime,1 that put the financial
    cost to the UK economy at 27 billion per
    annum, even without factoring in issues
    such as child exploitation. Although widely
    challenged by many experts, the Cabinet
    Office figure is useful for the insight it
    provides into the seriousness with which the
    UK Government views the problem.
    A more refined assessment was
    produced by a mixed group of experts
    in 2012.2 This broke the costs down into
    three separate categories: the direct cost
    of cybercrime; the social and other indirect
    costs; and finally, the cost of cyber security
    defences or responses to cybercrime. The
    authors found that the direct losses resulting

    from cybercrime and, significantly, criminal


    gains from cybercrime, are far outweighed
    by the other costs. One important conclusion
    emerging was that expenditures on technical
    defences greatly exceed recorded losses.
    In late 2012 the respected European
    Network and Information Security Agency
    (ENISA) issued its own updated assessment
    of the threat landscape.3 In this report,
    ENISA stated that of 16 top cyber threats
    monitored by the Agency, 11 are increasing,
    four are stable, and only one is decreasing.
    Cybercrime, the assessment confirmed, is on
    the rise.
    It is difficult to assess the full implications
    of these observations. Are the defences
    working well and reducing the amounts lost?
    Or are organisations over-reacting to hype
    by throwing money at the problem? What
    role does awareness play in either the level
    of exposure to risk or in the decisions being
    made about the acquisition of solutions?
    A widespread lack of awareness is a major
    obstacle to progress; it increases operational
    risks, skews decision making, and allows
    hype to dictate the direction of travel.
    This report arrives at some very important
    conclusions about the nature of the threat
    and the requirements on organisations
    in terms of a response. These can be
    summarised as:
    An army of one has the power
    to cripple key systems and
    infrastructure: The proliferation of
    easy-to-use attack tools means that the

    VII

    Executive summary

    asymmetric nature of the cyber menace


    is more pronounced than ever before;
    Raising awareness amongst
    non-technical users and leaders
    should be job one: Users and their
    leaders are sometimes unaware of the
    perils and, without better user awareness,
    attackers will always have a hefty set
    of loopholes to exploit;
    It is not all about China: Doubts are
    starting to emerge in some quarters
    about the veracity of reports blaming
    China for the preponderance of reported
    cyber-attacks and intrusions;
    Dependency is the biggest area
    of vulnerability: Because business,
    governments, and citizens have such
    a great dependency on cyber and
    communications technologies, and
    because those technologies have
    converged on the internet, they now
    represent a single point of failure for the
    globalised system of trade and finance;
    Forget hacking, poor user habits,
    purpose-made exploit kits and Cloud
    risks are far more substantial threats
    to our cyber security: Anonymity
    online, the ease with which social
    engineering attacks can be executed,
    and the virtualisation of key data and
    systems in the Cloud all mean that
    traditional hacking attacks on corporate
    servers are likely to become less frequent
    and significant than attacks on virtualised
    platforms, as well as on employees
    operating in the social spaces;
    Governance of information is the
    top priority for boards: In the
    information age, data assumes primacy
    as a business asset. Accordingly,
    those responsible for the well-being,
    compliance, and security of the business
    are now recognising that information
    security is a top priority; and

    VIII

    Network providers must take


    responsibility for network security:
    Recent attacks have demonstrated that
    once malicious data have arrived
    at the targeted server it may be too
    late to block the attack the networks
    capacity to function has already been
    affected. Therefore it is the network
    provider itself that must detect and
    block potential attacks.
    The previously mentioned lack of
    awareness surrounding cyber security
    may seem surprising given the plethora
    of cybercrime and security reports available
    from solutions vendors and government
    agencies alike. However, very few of
    the reports published are intended for
    non-technical audiences and, in the main,
    reports on cybercrime assume a certain
    level of knowledge on the part of the
    reader. Perhaps as a consequence, they
    provide little in the way of explanations of
    basic cyber security principles or simple
    depictions of attack techniques.
    There is increasing concern that
    the cyber message is not getting across
    to those who really need to hear it; to
    the decision makers and senior executives
    in non-technical fields who are unlikely
    to take the time necessary to understand
    the issues presented, or to appreciate the
    impact these threats may have on their
    operations, revenues, and reputations.
    At the end of the day, cyber security and
    IT professionals are to the enterprise as
    mechanics are to motor vehicles. They
    understand and can often mend problems,
    but what they cannot do is to ensure
    that everyone else drives carefully and
    responsibly. This report is produced with
    the non-technical reader in mind and is
    aimed at decision makers and mid-level
    managers from all organisations.

    Cybercrime: Threats and Solutions

    References
    1. See: https://www.gov.uk/government/uploads/
    system/uploads/attachment_data/file/60942/
    THE-COST-OF-CYBER-CRIME-SUMMARYFINAL.pdf.
    2. Anderson, R. et al. Measuring the
    Cost of Cybercrime, 2012. See:
    http://weis2012.econinfosec.org/papers/
    Anderson_WEIS2012.pdf.
    3. ENISA Threat Landscape, Responding to
    the Evolving Threat Environment, 2012.
    See: www.enisa.europa.eu/activities/riskmanagement/evolving-threat-environment/
    ENISA_Threat_Landscape/at_download/
    fullReport.

    IX

    About the author


    MARK JOHNSON is a prominent writer, speaker, and thinker on current and emerging high
    technology risks and the author of two books on the subject. Immensely proud of his complete lack
    of technical education, Mark specialises in painstakingly deciphering the computer talk emanating
    from conventional subject matter experts and formulating common-sense explanations, conclusions,
    and recommendations for the layperson.
    Mark is chairman of The Risk Management Group (TRMG) which provides consultancy and
    training in several areas of high technology risk. Areas covered include cybercrime and security,
    mobile payments risk and fraud, and cyber crisis response, as well as telecoms revenue assurance.
    TRMG is also very active on the conference circuit and it supplies a number of free educational
    resources on various aspects of risk via its website at www.trmg.biz. With its long list of blue chip
    references, TRMG was recently selected by the Association of Chief Police Officers (ACPO) Data
    Communications Group (DCG) Futures Group to prepare illustrated guidance for the UK Police
    on emerging mobile payments technology risks and investigations.

    XI

    Você também pode gostar