Cybercrime: Swim between the flags and far from your workforce

By Nathan Statz

November/December Edition, 2007: Just like sharks in the ocean, we know cyber criminals are lurking somewhere within the World Wide Web, but we believe we’re completely safe by swimming between the flags.

It will come as no surprise to hear that cybercrime is a danger on the rise. With hacking and phishing toolkits readily available from a simple Google search, it’s no longer enough to hide behind a firewall and think you’re completely safe.

Cybercrime covers crimes where computers are the target or the place where the criminal activity occurred. In a business sense, the real danger of cybercrime comes from intrusions, where malicious users hack into your network and make off with sensitive data ranging from financial information to trade secrets. The comfort of protection is often not enough. According to the Computer Security Institute, one in every three intrusions occurs when a firewall is in place, so while having anti-virus software and a firewall doesn’t hurt, it’s far from absolute immunity.

Even the most advanced firewall and security system on the planet is worth nothing with an uneducated workforce. If malicious users can obtain a password to log in to the system, then the sophistication of the technology is irrelevant.

Nigel Phair from the Australian Federal Police and National Crime Authority has 17 years’ experience with the police, where he’s seen the nasty side of online scams and threats. “As a police officer I’ve carried out multiple search warrants and you’ll lift up the keyboard or mouse pad and there’s the username and password,” he says.

“Other major risks include users who have the same password for their Hotmail, Gmail, Myspace as well as sensitive work networks. People do that just because they’re lazy.”

Much of the problem originates with users handing over information to social networking sites like Myspace and Facebook and instant messaging clients like MSN. It’s not uncommon for users to share the same password across a variety of corporate and consumer networks, meaning their sensitive information is open for the taking on a variety of fronts.

“People are not using their real world sensibilities in the online environment,” says Phair. “The way people operate in the online environment is not the way they operate in the real world.”

I have a firewall so I’m safe, right?

The illusion of safety behind a firewall was put to the test by university lecturer and LogicaCMG security representative Ajoy Ghosh, who began an ambitious project to test the security of hundreds of organisations’ websites sitting behind certified secure gateways, both government and private.

“As a lecturer I get my students to do interesting things; one of those was to get my students to hack into or do a vulnerability assessment on a whole range of websites. We deliberately picked websites behind a certified gateway. You would expect that behind a certified gateway it would be secure,” says Ghosh.

Ghosh was able to get authorisation to attempt the vulnerability test on the organisations involved, who would no doubt be less than impressed should their site be hacked for testing purposes without being asked first. The student team was careful to approach management rather than the actual IT departments wherever possible, as the aim was to test the reactions of normal security levels, not those of a well-prepared department deliberately watching for the attack.

“We ran the exercise each time for 24 hours, after which we decided that if we couldn’t compromise it in 24 hours we would deem it to be a secure website. A compromise was when someone could get root access or we were able to change the content or we were able to take it offline, we checked it after an hour and if it was still offline after an hour then we would put it on our list,” says Ghosh.

Surprisingly, only 21% of the organisations tested were able to hold off the attack for the full 24 hours, with 12% falling in the first hour, 35% in the next three hours and the remaining 31% falling within 20 hours.

“Most of the 12% were actually compromised in the first few minutes, even though they were behind a certified gateway,” says Ghosh.

While it’s no surprise that a website can fall so easily, considering how often it happens in the real world, it is alarming to note just how easily this can occur behind secure government and private gateways and firewalls. Ghosh explains this should be of particular concern to Australians, who are considered a ‘soft’ target compared to the rest of the world.

“For whatever reason, Australian organisations aren’t as concerned or aware that their information could be used for bad things. In countries that are more exposed to it, like London, which has had a number of bombs go off, it’s a little more on their minds,” says Ghosh.

Security Reports

One of the more interesting facts emerging from this year’s security reports is that the nature of the attacker is changing, not just the type of attack. There has been a growing awareness of hackers being motivated by financial gain rather than the traditional fame and revenge motives. Where previously attackers were taking down high-profile targets for freedom-fighting and fame reasons, they are now only going after targets where a profit can be turned.

Symantec Internet Security Threat Report for 2007

The Symantec report focused on the growing commercial motivations of cyber criminals and also revealed an increase in the use of professional attack methods. “In the last several Internet Security Threat Reports, Symantec discussed a significant shift in attackers motivated from fame to fortune,” says Arthur Wong, senior vice president, Symantec Security Response and Managed Services.

The money comes from selling hacking toolkits to amateurs who aspire to cause harm to websites and networks. The toolkits have been exploding in popularity and causing a nuisance for security companies, as they effectively increase the pool of opponents by providing easy-to-use software for malicious purposes. This has led to 47% of all known attacks originating from amateurs using the three major hacking toolkits, a figure which looks set to rise even higher.

According to Paul Crighton, director of Enterprise Sales at Symantec, 9% of all Australians have been victims of identity (ID) theft and a further 17% know someone who has. This is largely brought about by hackers compromising networks and accessing financial and personal information such as credit card details. Considering how detrimental ID theft can be to someone, this is a staggering figure, as it is very close to 1 in 10 Australians becoming victims of ID theft.

Deloitte Global Security Survey for 2007

The 2007 Deloitte Global Security Survey has shown an increase in actual system breaches across the financial services industry. The survey concluded that all people (employees, customers, third parties and business partners) represent a risk to an organisation, with 39% of breaches caused by employee misconduct and errors.

Another interesting revelation to emerge is that the Asia Pacific region falls far below the global average when it comes to having the required skills and competencies to effectively handle security requirements (7% against a global average of 30%). While this focuses mainly on financial service institutions, it does reveal an alarming weakness to cybercrime in our own backyard.

Looking at the actual attack statistics in the Deloitte report, over the last 12 months 79% of organisations surveyed had suffered repeated external breaches. This is a lot higher than the 36% of organisations suffering repeated internal breaches. The difference is the type of user, with external breaches coming from third-party attacks and internal breaches coming from internal user negligence.

“If you look at the 79% the top attacks are from email attacks, viruses, worms and phishing and pharming. The real risk comes from the internal breaches where users would have more authority and access and that is very low, that’s still 36 percent,” says Jean-Marie Abighanem, director of Enterprise Risk Services, Deloitte.

Deloitte phishing and pharming security tips for companies

  1. Identify and classify your assets and the protection required, depending on the type, value and sensitivity of each asset.
  2. Update or develop a security strategy.
  3. Ensure the security strategy is led and embraced by line and functional business leaders.
  4. Always have up-to-date policies, standards, processes and procedures in place.
  5. Perform risk assessments and identify potential risk areas in your systems. Special attention should be given to web applications, phishing, denial of service (DoS) and middleware systems.
  6. Incorporate application security and privacy as part of your software development lifecycle.
  7. Assess and review your current web and email filtering capabilities and their adequacy.
  8. Know at any point in time the changes occurring in your data, and how to return to a coherent state from the audit trail if data is lost or corrupted.
  9. Enforce your logging policy and have enough logging and alert information in place and safely stored.
  10. Implement logging, monitoring and reporting tools that produce real-time and ad hoc correlation, analysis and visualisation of the activities on your network, systems and data.
  11. Implement an identity and access management solution that provides you with a centralised place to manage authentication, authorisation and user provisioning. This makes auditing of user rights and access, and compliance, easier.

Websense Australian Threat Report

The Websense threat report was carried out by independent research company StollzNow and identified that security is poorly understood by employees. Meanwhile, IT staff are focused on external attacks, with little attention being paid to the threat of internal attacks.

Some alarming figures to emerge out of the Websense report include the fact that only 47% of companies have protections in place for securing company information and only 56% are using spyware blockers.

One of the not-so-surprising features to emerge from the report was that 57% of IT managers believe the most frustrating part of their job is managing employee behaviour. This ranked even higher than budgetary concerns and time constraints.

IBM’s Internet Security Systems Report

Produced by IBM’s X-Force research and development division, the report showed a rise in the spread of Trojans, which are seemingly legitimate files that are actually malicious. Trojans became the most voluminous category of malware for 2007, surpassing downloaders, which are low-profile pieces of software that later download and install a more sophisticated malware agent onto infected computers.

“We’ve seen a move towards spam messages having embedded URLs to malicious websites. It was another interesting finding, not surprising because we understand the spam threat has been evolving,” says Vernon Jackson, engineering manager, IBM Internet Security Systems.

According to Jackson, 2008 will bring similar results, as IBM does not expect to see a sharp change in any of the metrics; while it isn’t known what deviations the new year will bring, the expectation is that it will be more of the same.

So what should you do?

While it’s one thing to widen your eyes in surprise at the number of threats that are emerging and how little organisations are doing to combat them, it’s quite another to do something about it.

One of the biggest pitfalls in IT security is the vast range of products available on the market. If you were to indulge in endless levels of paranoia you could spend pools of money on different security software packages. This isn’t to say security software isn’t worthwhile, but rather that you should ensure you’re getting the appropriate software for your business and are implementing it in conjunction with employee training.

Employees need to be educated on the risks associated with spyware, viruses and, most importantly, email attachments and spam links. While it will be a decent upfront cost to put your employees through seminars and education sessions, if it means keyloggers won’t find their way onto your network and record your financial data, then it’s more than worth it.

As for actually selecting the software you need to protect your network: in this day and age that means more than just a firewall, and most security software companies will be able to offer advice, along with a sales pitch on why you should buy everything in their catalogue. Ask these vendors, but also ask your own IT department, and get as many different sources of information as possible on what threats your business is likely to face and the software you need to face them.
