The Fight against Cybercrime

by Matthijs van der Wel | ASM | Nov-Dec 2010

New doors are opening every day for cybercriminals seeking to profit from valuable corporate data. However, as Matthijs van der Wel writes, the security community now has the opportunity to create a unified front in the fight against cybercrime.

This can be done by leveraging collective knowledge to analyse and collate cybercrime data – and therefore gain a more complete picture of cybercrime than has ever before been possible.

We can’t escape the fact that cybercrime is prevalent, and one of its key drivers is the increasing involvement of organised crime. For example, there has been a rise in phishing scams throughout southeast Asia in which computer users have been fooled into revealing their banking information to bogus tax officials.

With web-enabled TV and mobile internet connectivity becoming ingrained in everyday life, the availability of technology-enabled applications to fuel cybercrime looks set to increase exponentially.
That cybercriminals target financial organisations is hardly surprising: stealing money from electronic information systems is simply the modern form of bank robbery. Financial organisations hold large volumes of sensitive customer data for significant periods of time, data which can be exploited by criminals seeking financial gain.

Likewise, industries relying on Point of Sale (PoS) and payment card technology for their daily operations – such as retailers, restaurants and hotels – are often popular targets for credit card crime. They offer criminals an easy way to convert sensitive data into cash. Personal details and financial information are some of the most easily compromised types of data.

In fact, according to the 2010 Verizon Data Breach Investigations Report, personal information and financial data were the two most frequently compromised data types.

While both attackers and defenders are constantly vying for advantage, there is no doubt that the information security industry has made some encouraging improvements to its defences. Research helps businesses understand the methods that cybercriminals employ and identify what information they attempt to steal and how they obtain it.

Malware

The Verizon DBIR found that external threat actions accounted for 70 per cent of data breaches. Threat actions describe what the cybercriminal has done to contribute to the breach; this includes malware, hacking and social breaches. In many large-scale breaches, attackers often access the victim’s network (usually by exploiting a weakness) and install malware on the system to collect the data.

One of the most frequent ways for malware to enter a system is through SQL injection by a remote attacker – one of the most widespread and harmful attack methods in use – or by being installed once the attacker already has access to the system. Either route means trouble, as malware delivered both ways is able to evade detection by anti-virus software.

The web is an increasingly popular vector for malware for the simple reason that people everywhere are merging their personal and business lives and interacting through the internet. Over-trusting browsers and users operating with administrative privileges turned ‘on’ only increase the exposure. At the same time, cybercriminals are getting more proficient and prolific in developing new and innovative methods to capture data.

Obtaining evidence of foul play is always tricky – it’s a matter of looking for the right indicators. Organisations need to pay attention to what goes in and out of their systems. For example, if you don’t have any customers in certain countries yet are noticing periodic outbursts of traffic sent there from your networks, should you be suspicious? It might be nothing, but it is always worth investigating.

Hacking

Hacking is the second most popular cybercriminal activity as it affords the criminal many luxuries – for example (and probably most importantly), it can be accomplished remotely and anonymously. The use of stolen credentials is the number one hacking type. Stolen credentials offer the attacker many advantages, including the ability to be disguised as a legitimate user. Cybercriminals can easily cover any tracks that may be left behind as they disappear with the victim’s sensitive data.

Although the findings of research such as Verizon’s shift and evolve over time, the results are rarely new or unexpected. What businesses must remember is that, while today’s cybercriminals are smart and resourceful, the tools and resources needed to fight back are available. The challenge will always be selecting the right tools for the right job and making sure those tools are used properly, effectively and for maximum impact.


Top tips for securing a network

Restrict and monitor privileged users

  • Don’t give users more privileges than they need, and use separation of duties. Make sure employees know the policies and expectations, and have appropriate supervision in place to make sure they adhere to them.

Watch for ‘minor’ policy violations

  • Be wary of, and respond adequately to, policy violations, however minor they may seem. The presence of illegal content on user systems is a reasonable indicator of a future data breach.

Implement measures to prevent stolen credentials

  • Consider two-factor authentication where appropriate. If possible, implement time-of-use rules, IP blacklisting and restrictions on administrative connections.

Monitor and filter network traffic

  • By monitoring, understanding and controlling outbound traffic, an organisation will greatly increase its chances of mitigating malicious activity.

Change the approach to event monitoring and log analysis

  • Make sure there are enough people, adequate tools and sufficient processes in place to recognise and respond to any anomalies quickly.
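As an added example (not code from the original article or from Verizon), the outbound-traffic check described earlier, periodic bursts of traffic to countries where the organisation has no customers, written in Python and run over a handful of constructed flow-log lines. The log format, host names, addresses, the "ZZ" country code and the expected-country set are all assumptions; the point is the shape of the check, not the particular values.

```python
"""Flag outbound traffic to unexpected countries and note whether it recurs on a schedule."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample outbound flow records (not real traffic). Fields, assumed:
# timestamp, source host, destination IP, destination country, bytes sent.
SAMPLE_FLOWS = """\
2010-11-02T01:00:12 ws-014 203.0.113.7 AU 4120
2010-11-02T01:00:15 ws-014 198.51.100.9 ZZ 524288
2010-11-02T02:00:09 ws-014 198.51.100.9 ZZ 531200
2010-11-02T02:30:40 ws-022 203.0.113.20 NZ 8200
2010-11-02T03:00:11 ws-014 198.51.100.9 ZZ 519300
2010-11-02T03:10:00 srv-db 192.0.2.44 AU 128000
2010-11-02T04:00:13 ws-014 198.51.100.9 ZZ 540000
2010-11-02T05:22:03 ws-031 192.0.2.77 US 2048
"""

# Assumption for the example: the business only has customers in these countries.
EXPECTED_COUNTRIES = {"AU", "NZ"}


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts, skipping blank or malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, country, nbytes = parts
        flows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "src": src,
            "dst": dst,
            "country": country,
            "bytes": int(nbytes),
        })
    return flows


def summarise_unexpected(flows, expected_countries, min_events=3, jitter=0.2):
    """Group flows to countries outside the expected set by (source, destination).

    A group is marked periodic when it has at least min_events events and every
    inter-arrival time lies within +/- jitter of the group's median interval,
    which is what a scheduled exfiltration beacon tends to look like.
    """
    groups = defaultdict(list)
    for flow in flows:
        if flow["country"] not in expected_countries:
            groups[(flow["src"], flow["dst"], flow["country"])].append(flow)

    findings = []
    for (src, dst, country), events in groups.items():
        events.sort(key=lambda f: f["ts"])
        intervals = [(b["ts"] - a["ts"]).total_seconds()
                     for a, b in zip(events, events[1:])]
        median = None
        periodic = False
        if len(events) >= min_events:
            median = statistics.median(intervals)
            periodic = all(abs(i - median) <= jitter * median for i in intervals)
        findings.append({
            "src": src,
            "dst": dst,
            "country": country,
            "events": len(events),
            "bytes": sum(f["bytes"] for f in events),
            "median_interval_s": median,
            "periodic": periodic,
        })
    # Periodic groups first, then the largest senders.
    return sorted(findings, key=lambda f: (-int(f["periodic"]), -f["bytes"]))


if __name__ == "__main__":
    for finding in summarise_unexpected(parse_flows(SAMPLE_FLOWS), EXPECTED_COUNTRIES):
        print(finding)
```

Run as-is, the script reports two destinations outside the expected set: the hourly, half-megabyte transfers from one workstation to a single address, marked periodic, and a one-off 2 KB connection that is unexpected but not recurring. The first is the kind of result the article says is worth investigating even if it turns out to be benign; the second is the noise that a threshold on event count keeps out of the queue.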

This article first appeared in Australian Security Magazine (ASM), November-December 2010 edition, under the title "Managing cybercrime", p.11.

About the author: Matthijs van der Wel is the manager of the forensics practice in EMEA for Verizon Business Security Solutions, responsible for incident response and investigation, including stolen information, hacked servers and applications, anonymous email threats and fraud.

Article Added: 09/01/2011