The Cancer Running Through IT Cybercrime and Information Security

Academic year: 2021

White Paper

Cybercrime and Information Security

The Cancer Running Through IT

Cybercrime and Information Security

Prepared by:

Richard Brown, Senior Service Management Consultant

Steve Ingall, Head of Consultancy

60 Lombard Street London

EC3V 9EA

T: +44 (0)207 464 8883

WARNING

iCore believe that Cybercrime is such a serious threat to your businesses that we are giving you the main links here:

For details on cybercrime on the UK Government website click here.

For details on cybercrime on the New Scotland Yard click here.

For details on cybercrime on the FBI website click here.

1 Executive Summary

Information Security is becoming rapidly more important, with ever increasing incidents of data theft or other cybercrime and associated costs of recovery. Government and Businesses are expending more resource on training, live exercises, specialist staff, accreditations and improved systems to detect and prevent intrusions and recover after an incident.

The Finance sector is amongst those taking cybercrime very seriously, with the Bank of England running two live exercises (2011 and 2013) in the last 3 years with participating organisations representing a broad range of financial firms, infrastructure providers and financial authorities.

The Bank of England has in February 2014 published the results of their second cybercrime exercise, Waking Shark II, with recommendations for further action which include the need for better coordination of communication between organisations affected by cybercrime, the requirement for organisations to report major incidents to relevant regulatory bodies as soon as possible, and the need to report cybercrimes that constitute criminal offences to the appropriate authorities including law enforcement.

UK Government has committed £650 million to the National Cyber Security Programme (NCSP) to improve the nation's cyber capabilities in order to help protect the UK's national security, its citizens and growing economy in cyber space. As the Government strives to reduce overall expenditure, it is of note that this significant resource is being directed against online threats.

2 Background

Cybercrime is defined by the Cabinet Office as “the illegal activities undertaken by criminals for financial gain by exploiting vulnerabilities in the use of the internet”, and other electronic systems to illicitly access or attack information and services used by citizens, business and the Government. Threats to cyber security manifest themselves in the following ways:

• Theft of intellectual property (IP)

• Industrial espionage

• Access to government and defence related information

• Disruption to government and industry service

• Exploitation of information security weaknesses, by targeting partners, subsidiaries and supply chains at home and abroad.

The Cabinet Office estimated in 2011 that the annual cost of Cybercrime in the UK was £27BN and growing. The biggest losers by sector are:

• Financial Services

• Software and Computer Services

• Electronic and Electrical Equipment

• Pharmaceuticals and Biotech

• Mining, Aerospace, Chemicals, and Charities

3 Real Examples of Cyber Threats

The following are some of the real examples of cybercrime from the last few years, some of which had significant economic impact on the victims:

Stuxnet Worm (July 2010).

This was used to target industrial control systems, and seemed to be directed at Iran and its nuclear programme. It allowed hackers to manipulate real world equipment without operators knowing. The worm targeted Siemens systems used in the energy sector to control nuclear and gas infrastructure and also manufacturing and automotive industries. The complexity and access to systems involved indicated a highly organised and well-funded project.

Operation Aurora (December 2009).

Google detected a highly sophisticated and targeted attack on its corporate infrastructure originating from China. The attack was found to have installed malware via email on computers in another 30 companies and Government Agencies.

Large scale fraud (2009/10).

An Essex-based gang, linked to Eastern Europe, was prosecuted for an online fraud making £2m a month by stealing log in details from 600 UK bank accounts and tricking users into providing additional information. The Police e-crime unit working with the banking sector detected the fraud, which targeted weak security on individuals’ computers using Zeus Trojan malware.

The National Cyber Crime Unit (NCCU) warned of a mass email borne malware campaign. The emails appear to be from financial institutions but carry a malicious attachment that can install Cryptolocker malware, which is a type of ransomware. It was estimated that 250,000 PCs were affected. The malware was designed to encrypt files on the infected computer and any network it is attached to and then demand payment of around £500 to unlock the files.

Snowden (2013).

Edward Snowden worked for the National Security Agency (NSA) in the US, and disclosed a huge number of top secret NSA documents to several media outlets including the Guardian newspaper in the UK. The leaked documents revealed operational details of global surveillance apparatus run by the NSA and other commercial and international partners. Snowden was charged with Espionage and theft of government property. Whatever the rights and wrongs of what he did, the fact remains that his actions revealed a serious failure by the NSA to adequately control and protect their data.

Barclays Bank computer theft (Sept 2013).

A gang stole 1.3m from Barclays Bank after taking control of a computer. This was done simply by a gang member pretending to be an IT engineer, gaining access to a high street branch and deploying a KVM switch attached to a 3G router, which then subsequently gained access to the branch server. Funds were transferred to accounts owned by the gang. A similar attack was planned on a branch of Santander but was foiled. The gang members were arrested.

Marriott Hotel Data Breach (Feb 2014).

Fraud involving several hundreds of credit cards was linked to a number of Marriott Hotels in the US. The same article in Information Week also referred to the theft of 40 million credit and debit card details from a company called Target also in the US.

The latest updates on Cybercrime from the BBC click here.

4 Types of Cyber Crime and the effect on Business

There are several distinct flavours of cybercrime that can affect business:

Theft from Business. Cyber criminals steal revenue online directly from businesses, which involves fraudulently obtaining access and looting company accounts and monetary reserves. In some cases this activity is assisted by an “insider”.

Extortion. Cyber criminals hold a company to ransom by a deliberate denial of service (DOS) attack or by manipulating company website links, which can lead to extensive brand damage (for example redirecting links to a pornography website).

Customer data loss. Theft of sensitive customer data (such as customer financial, medical or criminal record details) with the purpose of selling the data on to other criminal networks or using it themselves.

Industrial Espionage. This takes many forms such as a rival organisation illegally accessing confidential information to gain competitive advantage, or to gain insider information at an early stage of an M&A deal.

IP Theft. Criminals sponsored by rival organisations or nation states steal ideas, designs, product specifications, trade secrets, process information or methodologies, which can erode competitive advantage.

These types of crime can cause damage or cost to business in terms of:

• Loss of competitive advantage

• Loss of business

• Reputational damage

• Preventative and remedial action

• Regulatory fines

• Reduced confidence

All these will lead to a loss of Revenue, Share Price and Profitability, with severe knock on effects to the national economy such as loss of taxation, increased law enforcement costs, loss of exports, increased unemployment, damage to pension values, decrease in investment and lost opportunity costs.

5 How to Increase Cyber Security

There is certainly no simple cure to prevent cybercrime; however, the following areas, summarised in the diagram below, should be considered. These comprise:

5.1 Information Risk Management

Organisations should apply the same rigour to assessing the risks to their information assets as they would to legal, regulatory, financial or operational risk. This should be done by embedding an information risk management process across the organisation, which is supported by the Board and senior managers. Employees, contractors and suppliers must be aware of the organisation's information risk management policies and procedures.

5.2 Secure Configuration

Simply put, ensure that any unnecessary ICT functionality is disabled or removed, that all devices are patched against known vulnerabilities, and that a continuous process for maintaining Secure Configuration is established.

5.3 Network Security

Develop policy and procedures to protect corporate networks by applying the necessary security controls in order to minimise the risk of connecting to untrusted networks such as the Internet.

5.4 Managing User Privileges

Actively manage the access privileges that users have. All users should only be provided with the access they need to do their jobs, and this must be regularly reviewed. Snowden apparently started with low-level admin access, which enabled him to fabricate digital certificates to access information areas that he should not have had privileges to. He also coerced colleagues into handing over their usernames and passwords. All employees, contractors and suppliers must be clearly aware of the organisation's policy on usernames and passwords and the need to keep them confidential.

5.5 User Education and Awareness

It is critical that all staff are aware of their personal security responsibilities and the requirement to comply with corporate security policies. This can be achieved by the delivery of a security training and awareness programme that increases the levels of security awareness and knowledge across the organisation, as well as fostering a security conscious culture.

5.6 Security Incident Management

Organisations should invest in establishing effective incident management policies and processes; this will help improve resilience, support business continuity, improve customer and stakeholder confidence and reduce the financial impact of any security incident.

Any information exchange carries a degree of risk as it could expose the organisation to malicious code and content (malware) which could seriously damage the confidentiality, integrity and availability of the organisation's information and Information and Communications Technologies (ICT) on which it is hosted. The risk must be reduced by implementing security controls to manage the risks to all business activities.

5.8 Monitoring

Monitoring ICT activity allows businesses to detect attacks and react to them appropriately whilst providing a basis upon which lessons can be learned to improve the overall security of the business. In addition, monitoring the use of ICT systems allows the business to ensure that systems are being used appropriately in accordance with organisational policies. Monitoring is often a key capability needed to comply with security, legal and regulatory requirements.

5.9 Removable Media Controls

Failure to control or manage the use of removable media can lead to material financial loss, the theft of information, the introduction of malware and the erosion of business reputation. It is good practice to carry out a risk benefit analysis of the use of removable media and apply appropriate and proportionate security controls, in the context of their business and risk appetite.

5.10 Home and Mobile Working

Mobile working offers great business benefit but exposes the organisation to risks that are challenging to manage. Mobile working extends the corporate security boundary to the user's location. Organisations should establish risk-based policies and procedures that cover all types of mobile devices and flexible working to effectively manage the risks. Organisations should also plan for an increase in the number of security incidents and have a strategy in place to manage the loss or compromise of personal and commercially sensitive information and any legal, regulatory or reputational impact that may result.

6 CONCLUSIONS AND RECOMMENDATIONS

Cyberspace has revolutionised how many of us live and work. The internet, with its more than 2 billion users, is powering economic growth, increasing collaboration and innovation, and creating jobs.

Protecting key information assets is of critical importance to the sustainability and competitiveness of businesses today. Companies need to be on the front foot in terms of their cyber preparedness. Cyber security is all too often thought of as an IT issue, rather than the strategic risk management issue it actually is.

Companies benefit from managing risks across their organisations; drawing effectively on senior management support, risk management policies and processes, a risk aware culture and the assessment of risks against objectives.

There are many benefits to adopting a risk management approach to cyber security, including:

Strategic Benefits

Corporate decision making is improved through the high visibility of risk exposure, both for individual activities and major projects, across the whole of the organisation.

Financial Benefits

Providing financial benefit to the organisation through the reduction of losses and improved “value for money” potential.

Operational Benefits

Organisations are prepared for most eventualities, being assured of adequate contingency plans.

If you are uncertain about your company's ability to manage its information risks, there are some practical steps that can be taken through Corporate Governance mechanisms:

• Confirm that you have identified your key information assets and the impact on your business if they were to be compromised;

• Confirm that you have clearly identified the key threats to your information assets and set an appetite for the associated risks;

• Confirm that you are appropriately managing the cyber risks to your information and have the necessary security policies in place.

Companies may not have all the expertise needed to implement these steps and assure themselves that the measures they have in place meet the threats; in the first instance audit partners should be able to provide assistance. For information risk management expertise, organisations should seek advice from appropriate organisations who have attained industry recognised qualifications.

To find out how iCore can highlight your exposure to Cybercrime you can contact us on
