White Paper
Cybercrime and Information Security
The Cancer Running Through IT
Cybercrime and Information Security
Prepared by:
Richard Brown, Senior Service Management Consultant
Steve Ingall, Head of Consultancy
60 Lombard Street London
EC3V 9EA
T: +44 (0)207 464 8883
WARNING
iCore believe that Cybercrime is such a serious threat to your businesses that we are giving you the main links here:
For details on cybercrime on the UK Government website click here.
For details on cybercrime on the New Scotland Yard click here.
For details on cybercrime on the FBI website click here.
1 Executive Summary
Information Security is becoming rapidly more important, with ever increasing incidents of data theft or other cybercrime and associated costs of recovery. Government and Businesses are expending more resource on training, live exercises, specialist staff, accreditations and improved systems to detect and prevent intrusions and recover after an incident.
The Finance sector are amongst those taking cybercrime very seriously with the Bank of England running two live exercises (2011 and 2013) in the last 3 years with participating organisations representing a broad range of financial firms, infrastructure providers and financial authorities.
In February 2014 the Bank of England published the results of its second cybercrime exercise, Waking Shark II, with recommendations for further action. These include the need for better coordination of communication between organisations affected by cybercrime, the requirement for organisations to report major incidents to relevant regulatory bodies as soon as possible, and the need to report cybercrimes that constitute criminal offences to the appropriate authorities including law enforcement.
UK Government has committed £650 million to the National Cyber Security Programme (NCSP) to improve the nation's cyber capabilities in order to help protect the UK's national security, its citizens and growing economy in cyber space. As the Government strives to reduce overall expenditure, it is of note that this significant resource is being directed against online threats.
2 Background
Cybercrime is defined by the Cabinet Office as “the illegal activities undertaken by criminals for financial gain by exploiting vulnerabilities in the use of the internet”, and other electronic systems to illicitly access or attack information and services used by citizens, business and the Government. Threats to cyber security manifest themselves in the following ways:
• Theft of intellectual property (IP)
• Industrial espionage
• Access to government and defence related information
• Disruption to government and industry service
• Exploitation of information security weaknesses, by targeting partners, subsidiaries and supply chains at home and abroad.
The Cabinet Office estimated in 2011 that the annual cost of Cybercrime in the UK was £27BN and growing. The biggest losers by sector are:
• Financial Services
• Software and Computer Services
• Electronic and Electrical Equipment
• Pharmaceuticals and Biotech
• Mining, Aerospace, Chemicals, and Charities
3 Real Examples of Cyber Threats
The following are some of the real examples of cybercrime from the last few years, some of which had significant economic impact on the victims:
• Stuxnet Worm (July 2010).
This was used to target industrial control systems, and seemed to be directed at Iran and its nuclear programme. It allowed hackers to manipulate real world equipment without operators knowing. The worm targeted Siemens systems used in the energy sector to control nuclear and gas infrastructure and also manufacturing and automotive industries. The complexity and access to systems involved indicated a highly organised and well-funded project.
• Operation Aurora (December 2009).
Google detected a highly sophisticated and targeted attack on its corporate infrastructure originating from China. The attack was found to have installed malware via email on computers in another 30 companies and Government Agencies.
• Large scale fraud (2009/10).
An Essex-based gang, linked to Eastern Europe, was prosecuted for an online fraud making £2m a month by stealing login details from 600 UK bank accounts and tricking users into providing additional information. The Police e-crime unit working with the banking sector detected the fraud, which targeted weak security on individuals’ computers using Zeus Trojan malware.
The National Cyber Crime Unit (NCCU) warned of a mass email borne malware campaign. The emails appear to be from financial institutions but carry a malicious attachment that can install Cryptolocker malware, which is a type of ransomware. It was estimated that 250,000 PCs were affected. The malware was designed to encrypt files on the infected computer and any network it is attached to and then demand payment of around £500 to unlock the files.
• Snowden (2013).
Edward Snowden worked for the National Security Agency (NSA) in the US, and disclosed a huge number of top secret NSA documents to several media outlets including the Guardian newspaper in the UK. The leaked documents revealed operational details of global surveillance apparatus run by the NSA and other commercial and international partners. Snowden was charged with Espionage and theft of government property. Whatever the rights and wrongs of what he did, the fact remains that his actions revealed a serious failure by the NSA to adequately control and protect their data.
• Barclays Bank computer theft (Sept 2013).
A gang stole 1.3m from Barclays Bank after taking control of a computer. This was done simply by a gang member pretending to be an IT engineer, gaining access to a high street branch and deploying a KVM switch attached to a 3G router, which then subsequently gained access to the branch server. Funds were transferred to accounts owned by the gang. A similar attack was planned on a branch of Santander but was foiled. The gang members were arrested.
• Marriott Hotel Data Breach (Feb 2014).
Fraud involving several hundreds of credit cards was linked to a number of Marriott Hotels in the US. The same article in Information Week also referred to the theft of 40 million credit and debit card details from a company called Target also in the US.
The latest updates on Cybercrime from the BBC click here.
4 Types of Cyber Crime and the effect on Business
There are several distinct flavours of cybercrime that can affect business:
• Theft from Business. Cyber criminals steal revenue online directly from businesses, which involves fraudulently obtaining access and looting company accounts and monetary reserves. In some cases this activity is assisted by an “insider”.
• Extortion. Cyber criminals hold a company to ransom by a deliberate denial of service (DoS) attack or by manipulating company website links, which can lead to extensive brand damage (for example redirecting links to a pornography website).
• Customer data loss. Theft of sensitive customer data (such as customer financial, medical or criminal record details) with the purpose of selling the data on to other criminal networks or using it themselves.
• Industrial Espionage. This takes many forms such as a rival organisation illegally accessing confidential information to gain competitive advantage, or to gain insider information at an early stage of an M&A deal.
• IP Theft. Criminals sponsored by rival organisations or nation states steal ideas, designs, product specifications, trade secrets, process information or methodologies, which can erode competitive advantage.
These types of crime can cause damage or cost to business in terms of:
• Loss of competitive advantage
• Loss of business
• Reputational damage
• Preventative and remedial action
• Regulatory fines
• Reduced confidence
All these will lead to a loss of Revenue, Share Price and Profitability, with severe knock on effects to the national economy such as loss of taxation, increased law enforcement costs, loss of exports, increased unemployment, damage to pension values, decrease in investment and lost opportunity costs.
5 How to Increase Cyber Security
There is certainly no simple cure to prevent cybercrime; however, the following areas, summarised in the diagram below, should be considered. These comprise:
5.1 Information Risk Management
Organisations should apply the same rigour to assessing the risks to their information assets as they would to legal, regulatory, financial or operational risk. This should be done by embedding an information risk management process across the organisation, which is supported by the Board and senior managers. Employees, contractors and suppliers must be aware of the organisation's information risk management policies and procedures.
5.2 Secure Configuration
Simply put, ensure that any unnecessary ICT functionality is disabled or removed, that all devices are patched against known vulnerabilities, and that a continuous process for maintaining Secure Configuration is established.
5.3 Network Security
Develop policy and procedures to protect corporate networks by applying the necessary security controls in order to minimise the risk of connecting to untrusted networks such as the Internet.
5.4 Managing User Privileges
Actively manage the access privileges that users have. All users should only be provided with the access they need to do their jobs, and this must be regularly reviewed. Snowden apparently started with low-level admin access, which enabled him to fabricate digital certificates to access information areas that he should not have had privileges to. He also coerced colleagues into handing over their usernames and passwords. All employees, contractors and suppliers must be clearly aware of the organisation's policy on usernames and passwords and the need to keep them confidential.
5.5 User Education and Awareness
It is critical that all staff are aware of their personal security responsibilities and the requirement to comply with corporate security policies. This can be achieved by the delivery of a security training and awareness programme that increases the levels of security awareness and knowledge across the organisation, as well as fostering a security conscious culture.
5.6 Security Incident Management
Organisations should invest in establishing effective incident management policies and processes, as this will help improve resilience, support business continuity, improve customer and stakeholder confidence and reduce the financial impact of any security incident.
Any information exchange carries a degree of risk as it could expose the organisation to malicious code and content (malware) which could seriously damage the confidentiality, integrity and availability of the organisation's information and Information and Communications Technologies (ICT) on which it is hosted. The risk must be reduced by implementing security controls to manage the risks to all business activities.
5.8 Monitoring
Monitoring ICT activity allows businesses to detect attacks and react to them appropriately whilst providing a basis upon which lessons can be learned to improve the overall security of the business. In addition, monitoring the use of ICT systems allows the business to ensure that systems are being used appropriately in accordance with organisational policies. Monitoring is often a key capability needed to comply with security, legal and regulatory requirements.
5.9 Removable Media Controls
Failure to control or manage the use of removable media can lead to material financial loss, the theft of information, the introduction of malware and the erosion of business reputation. It is good practice to carry out a risk benefit analysis of the use of removable media and apply appropriate and proportionate security controls, in the context of their business and risk appetite.
5.10 Home and Mobile Working
Mobile working offers great business benefit but exposes the organisation to risks that are challenging to manage. Mobile working extends the corporate security boundary to the user's location. Organisations should establish risk-based policies and procedures that cover all types of mobile devices and flexible working to effectively manage the risks. Organisations should also plan for an increase in the number of security incidents and have a strategy in place to manage the loss or compromise of personal and commercially sensitive information and any legal, regulatory or reputational impact that may result.
6 CONCLUSIONS AND RECOMMENDATIONS
Cyberspace has revolutionised how many of us live and work. The internet, with its more than 2 billion users, is powering economic growth, increasing collaboration and innovation, and creating jobs.
Protecting key information assets is of critical importance to the sustainability and competitiveness of businesses today. Companies need to be on the front foot in terms of their cyber preparedness. Cyber security is all too often thought of as an IT issue, rather than the strategic risk management issue it actually is.
Companies benefit from managing risks across their organisations; drawing effectively on senior management support, risk management policies and processes, a risk aware culture and the assessment of risks against objectives.
There are many benefits to adopting a risk management approach to cyber security, including:
Strategic Benefits
Corporate decision making is improved through the high visibility of risk exposure, both for individual activities and major projects, across the whole of the organisation.
Financial Benefits
Providing financial benefit to the organisation through the reduction of losses and improved “value for money” potential.
Operational Benefits
Organisations are prepared for most eventualities, being assured of adequate contingency plans.
If you are uncertain about your company's ability to manage its information risks, there are some practical steps that can be taken through Corporate Governance mechanisms:
• Confirm that you have identified your key information assets and the impact on your business if they were to be compromised;
• Confirm that you have clearly identified the key threats to your information assets and set an appetite for the associated risks;
• Confirm that you are appropriately managing the cyber risks to your information and have the necessary security policies in place.
Companies may not have all the expertise needed to implement these steps and assure themselves that the measures they have in place meet the threats; in the first instance audit partners should be able to provide assistance. For information risk management expertise, organisations should seek advice from appropriate organisations who have attained industry recognised qualifications.
To find out how iCore can highlight your exposure to Cybercrime you can contact us on