Cybercrime needs to be fought through industry partnership

by Mark Goudie | ASM May-June 2010

As the IT security sector gathered for the AusCERT 2010 conference in May 2010, Mark Goudie called for cooperation to defeat a common enemy: the cybercriminal.

The rise of the global extended enterprise and the proliferation of data availability have diminished the traditional boundaries that once contained information. Giving employees, customers, suppliers and partners access to the same single global network has optimised productivity and performance, but has also opened new doors to cybercriminals seeking to profit from valuable corporate data.
However, the security community now has the opportunity to create a unified front in the fight against the cybercriminal by leveraging their collective knowledge to analyse and collate cybercrime data – and thereby gain a more complete picture of cybercriminality than has ever before been possible.

Research findings

According to the 2009 Verizon Business Data Breach Investigations Report, corporations fell victim to some of the largest cybercrimes ever. This second annual study – based on data analysed from Verizon Business’ actual caseload comprising 285 million compromised records from 90 confirmed breaches – revealed that more electronic records were breached in the previous year than the previous four years combined, fuelled by a targeting of the financial services industry and a strong involvement of organised crime. The financial services sector accounted for 93 per cent of all compromised records and a staggering 90 per cent of these records were breached by groups engaged in organised crime.

These key findings both support the previous report’s conclusions and provide new insights. In the 2009 report, as in 2008, most data breaches investigated were caused by external sources (74 per cent), while 32 per cent were linked to business partners. Insiders were identified as the cause of only 20 per cent of breaches, a finding that may be contrary to certain widely held beliefs.

The majority of breaches resulted from a combination of events rather than a single action, and 64 per cent of breaches were attributed to hackers using a combination of different methods to attack an organisation. However, there was again a common denominator – in most successful breaches, the attacker exploited a mistake made by the victim. This initial mistake enabled the attacker to hack into the network and install malware on a system to collect data.

Knowledge is power

One of the most critical and persistent challenges plaguing efforts to combat cybercrime and manage information risk is a lack of relevant data. Many organisations and individuals do not have data of sufficient quality or quantity on actual data breaches and cybercrime activity to enable them to consistently make informed decisions or take justified action to protect information assets. What is more, because there is no common standard for the collection and analysis of security-incident data, incident data cannot be aggregated across different organisations – making it difficult for businesses or government agencies to quickly identify major trends in security breaches so they can take collective action.

There is also a common misunderstanding regarding what actual data is required in order to enable effective measurement. Despite many initiatives to amass and share security-incident data, there has been limited success – not least because of the lack of a commonly accepted taxonomy. Data-sharing efforts are too often paralysed because they are based upon incompatible or inadequate systems of classification.

Collective response

A common incident-sharing framework – including an agreed set of measurements – could provide a structure for describing, analysing and investigating security incidents, and give businesses and governments the ability to compare and contrast their security data with available research from other industry organisations.

This sharing of structured results and data would assist individual companies and the security community as a whole to gain a better understanding of how security breaches occur and what can be done to better manage risk. An open-source security-incident sharing program could provide a universal foundation for data collection and analysis. This could help organisations to work together in the ongoing fight against cybercrime.

Organisations could improve their ability to make sound security decisions by using first-hand information taken from an organisation’s actual investigations to elicit insight into security attacks.

The development of a standard framework for the collection and analysis of breach data is a first step in a community solution to a wider community problem. The ultimate goal is for customers, partners, and indeed anyone responsible for incident response, to be able to create data sets that can be used and compared with each other as a result of their ‘common language’. This gives the security community real knowledge of its adversaries’ identities, what they want and how they are getting the information they crave.

It is only by working together that the security community can work to eliminate both equivocation and uncertainty, and help defend today’s global enterprise from the threat of cybercrime.

Tips on securing your enterprise

  • Change default credentials often: change user names and passwords on a regular basis and make sure third-party vendors do as well.
  • Avoid shared credentials: passwords should be unique and should not be shared among users or used on different systems.
  • Review user accounts: use a formal process to confirm that active accounts are valid, necessary, properly configured and have appropriate privileges.
  • Employ application testing and code review: web application testing has never been more important.
  • Patch comprehensively: patch completely and diligently. There’s no need to rush.
  • Ensure human resources departments use effective termination procedures: formal, comprehensive employee-termination procedures should be in place for disabling user accounts and removal of all access permissions.
  • Enable application logs and monitor: standard log-review policy should be in place. Organisations need to review data beyond network, operating system and firewall logs to include remote access services, web apps, and databases, among other critical applications.
  • Define ‘suspicious’ and ‘anomalous’: know what data is stored and where. Be prepared to defend these critical assets.

About the author: Mark Goudie is the Managing Principal, Asia-Pacific - Investigative Response for Verizon Business.

Article Added: 27/06/2010