Counting the critical cost
New technology means criminals have a new battleground on which to fight. And as Leigh Funston reports, the finance "arm" of critical infrastructure protection has become a key target for criminals.
By any standards, it is a frightening security problem facing those managers responsible for protecting the nation's critical infrastructure.
Cyber crime. Its rapid growth in recent years has highlighted security gaps in the finance sector. And given the fundamental importance of an effective finance system to the country's well-being, authorities are entitled to be concerned.
According to a 2007 data security summary compiled by F-Secure, the level of malicious software code, or malware, that was detected around the world last year doubled to half a million.
A spokesperson for F-Secure, an IT security company based in Helsinki, said the figure indicated that network criminals were "producing new malware variants in bulk."
The rise in cyber crime comes at a time when financial institutions and many business corporations are seeking to reduce costs and improve bottom-line performance by increasing their customers' use of online services. Millions of Australians now use online banking services.
Those people engaged in cyber crime are generally young and are part of an international network.
Stole $20 million from banks
A New Zealand-based teenager was arrested in December last year for online identity fraud after his global cyber crime network stole $20m from US banks.
The New Zealander's criminal organisation used malicious software code to gain control of more than one million computers. He was arrested after a joint operation involving the US Federal Bureau of Investigation and the New Zealand Police.
FBI Director, Robert Mueller III, said the campaign by police and security organisations around the world to fight cyber crime was an "enormous challenge."
He said the FBI would "continue to be aggressive in finding those responsible for attempting to exploit unknowing Internet users."
The arrest of the New Zealander came just a few months after authorities charged John Schiefer, 26, of Los Angeles, with felony counts for cyber crime offences relating to:
- accessing protected computers to conduct fraud
- disclosing illegally intercepted electronic communications
- bank fraud
- wire fraud.
Schiefer and his associates used malware code to infect and gain control of around a quarter of a million computers. Authorities describe computers infected with this code as "botnets".
First time in US
A spokesperson for the FBI said the Schiefer case was the "first time in the US that someone has been charged under the federal wiretap statute for conduct related to botnets."
Schiefer admitted guilt to the offences, which carry a statutory maximum sentence of 60 years in prison and a US$1.75m fine.
The malware used by Schiefer allowed him to spy on the online commercial transactions of the users of the infected computers without their knowledge. In this way, Schiefer and other cyber criminals using sophisticated malware are able to access online bank accounts without the permission of the account holders.
Schiefer's transition from IT security expert to cyber crime king poses a serious dilemma for in-house security managers around the world. How do in-house security managers pick the good contractors from the bad?
The IT Compliance Institute described the Schiefer case as "white hat hacker turns to black hat botmaster."
Organisations need to boost their resources to fight cyber crime, but the Schiefer case shows the utmost scrutiny needs to be applied when employing IT security contractors and monitoring their performance.
From the point of view of the IT security contractors, the arrest of Schiefer will put extra pressure on them to prove their bona fides when seeking to win contract work.
Survey of online account holders
A survey by RSA of 1700 online account holders from eight countries including Australia revealed that 66 per cent of them believe that financial institutions should require "stronger authentication for online banking".
The results of the survey, which were made public in 2007, also showed that 82 per cent of account holders "would like their banks to monitor online banking sessions and telephone banking sessions for signs of irregular activity or behaviour".
It is clear that for financial institutions, security has emerged as an increasingly important competitive tool in the battle to attract new online account holders.
When it comes to protecting the finance element of Australia's critical infrastructure, security professionals in and outside of government need to work closely together, share information and ensure the necessary resources are in place to win the war against cyber crime.
About the author: Leigh Funston is a former Editor of Australian Security Magazine.

