Friday, September 9, 2011

Cybercrime claimed 431 million adult victims last year and cost $114 billion

Cybercrime claimed 431 million adult victims last year and cost $114 billion, according to a report published Wednesday.

The Norton Cybercrime Report 2011 said over 74 million people in the United States were cybercrime victims last year, suffering $32 billion in direct financial losses.

Cybercrime cost China around $25 billion, Brazil $15 billion and India $4 billion in the past 12 months, said the report from computer security firm Symantec, maker of the Norton anti-virus software.

According to the report, more than two-thirds of online adults -- 69 percent -- have been victims of cybercrime at some point in their lives, resulting in more than one million cybercrime victims a day.

Cybercrime rates were even higher in China and South Africa. Eighty-five percent of Chinese respondents to the Norton survey and 84 percent of South Africans said they have been victims of cybercrime.

The report found a growing threat from cybercrime on mobile phones.

Ten percent of adults online have experienced cybercrime on their mobile phones and the number of reported new mobile operating system vulnerabilities increased from 115 in 2009 to 163 in 2010.

"There is a serious disconnect in how people view the threat of cybercrime," said Adam Palmer, Norton lead cybersecurity advisor. "Cybercrime is much more prevalent than people realize.

"Over the past 12 months, three times as many adults surveyed have suffered from online crime versus offline crime, yet less than a third of respondents think they are more likely to become a victim of cybercrime than physical world crime in the next year," Palmer said.

For the survey, interviews were conducted with nearly 20,000 people in 24 countries, Symantec said.

Wednesday, July 6, 2011

Spear Phishing

By now most everyone has heard the term “phishing”.

Wikipedia defines phishing as an attempt to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.

Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public.

Phishing is typically carried out by e-mail spoofing or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.

Phishing is an example of social engineering techniques used to deceive users, and exploits the poor usability of current web security technologies.

IDP recently carried out an authorized phishing attack for one of its customers and found that over 50% of the staff gave up their email passwords in an email that, if examined closely, was obviously bogus.

So what is spear phishing?

The difference between phishing and spear phishing is that while the former floods thousands or even millions of inboxes, the latter targets a small group of previously identified people, sometimes only a handful who work at the same company or in the same organization.

With the increased popularity of social networking sites (Facebook, Twitter, etc.), the bad guys are now able to select specific individuals (and businesses) and direct their malicious activity in a very granular fashion, just as you’d spear a fish.

"Today's spear phishing is not only more prevalent but also much more technically proficient," says Dave Jevans, chairman of the Anti-Phishing Working Group (APWG), an industry association dedicated to fighting online identity theft.

"They're not going for a password, anymore, they're getting people to install crimeware on their computers," said Jevans.

Like the more common phishing, spear phishing attacks are launched as emails that try to con the recipient into clicking a link that leads to a malicious Web site. Those sites can take almost infinite forms, from fake account log-in screens to ones that tout a software upgrade to widely-used software, such as Adobe Flash.

Once the malicious link or email is clicked the attacker is able to install a program that infects the computer, giving criminals access to that machine -- and through it, others -- or to confidential information, like account passwords obtained by secretly monitoring the PC's keystrokes.

According to reports by the likes of Bloomberg, the recent IMF spear-phishing attack targeted one of its workers and planted malware on a machine, which was then presumably used to scout the network for data to steal.

But the IMF incident is only the most recent in a series of specialized attacks this year aimed at targets from the Oak Ridge National Laboratory and the French foreign ministry to Google's Gmail.

All have one thing in common: They relied on spear phishing to fool users into installing malware or revealing account information.

So what can you, as an individual, do?

Well, very simply, maintain awareness, think before you click, keep your antivirus and antimalware software up to date and remember that anyone can be an unwitting target.
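"Think before you click" can be turned into a concrete check. The following is an added example, not code from this post or from IDP: it parses a constructed sample message (the addresses, domains and wording are invented for illustration) and flags the two tells described above, a link whose visible text names one domain while its href points to another, and a Reply-To address that does not belong to the sender's domain. The "registrable domain" helper is a deliberate approximation (last two labels) rather than a public-suffix lookup.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for illustration only (not a real phishing email).
SAMPLE_EML = """\
From: "Example Bank Support" <support@examplebank.com>
Reply-To: helpdesk@examplebank-verify.example.net
To: employee@corp.example
Subject: Urgent: verify your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your account will be suspended. Please sign in now:</p>
<a href="http://examplebank-verify.example.net/login">https://www.examplebank.com/login</a>
<p>Or visit <a href="https://www.examplebank.com/help">our help page</a>.</p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Approximation (assumption): the last two DNS labels, e.g. mail.example.com -> example.com."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def domain_of_address(addr):
    """Registrable domain of an e-mail address, or '' if it has no @."""
    _, bare = parseaddr(addr)
    return registrable_domain(bare.rsplit("@", 1)[1]) if "@" in bare else ""


def inspect_message(raw):
    """Return a list of (code, detail) findings for a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = domain_of_address(str(msg["From"] or ""))

    # Tell 1: Reply-To routed to a domain other than the visible sender's.
    reply_dom = domain_of_address(str(msg["Reply-To"] or ""))
    if reply_dom and reply_dom != from_dom:
        findings.append(("reply_to_mismatch", f"From={from_dom} Reply-To={reply_dom}"))

    body = msg.get_body(preferencelist=("html", "plain"))
    collector = _LinkCollector()
    collector.feed(body.get_content() if body is not None else "")

    for href, text in collector.links:
        href_dom = registrable_domain(urlparse(href).hostname or "")
        # Tell 2: the anchor text looks like a URL but names a different domain than the href.
        if "://" in text or text.startswith("www."):
            shown = text if "://" in text else "http://" + text
            shown_dom = registrable_domain(urlparse(shown).hostname or "")
            if shown_dom and shown_dom != href_dom:
                findings.append(("link_text_mismatch", f"shows {shown_dom} but goes to {href_dom}"))
        # Informational: a link that leaves the sender's own domain.
        if href_dom and href_dom != from_dom:
            findings.append(("offdomain_link", href))
    return findings


if __name__ == "__main__":
    for code, detail in inspect_message(SAMPLE_EML):
        print(f"{code}: {detail}")
```

On the sample this reports one Reply-To mismatch, one text/href mismatch and one off-domain link; the genuine help-page link produces nothing. Such a check belongs in a mail gateway or a user-facing "inspect this message" tool, not in a rule that auto-blocks, since legitimate newsletters also link off-domain.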

What about businesses?

Educating staff is first and foremost. Make sure there are policies, processes and procedures in place that everyone follows – but more importantly, that they understand.

From a technical perspective, ensure that your perimeter defenses (stateful firewalls, IDS / IPS, VPNs, blacklists, access control, etc.) are current, properly configured, monitored and regularly tested.

In summary, maintaining a defensive posture is not rocket science. Common sense, diligence and thoughtfulness are 90% of the game.

Friday, July 1, 2011

Defending Against Insider Threats To Reduce Your Risk

Insider threats are often overlooked when it comes to information security, but in fact insider threats account for the large majority of information theft and compromised systems. Who better to leverage their access and knowledge than those who oftentimes hold the keys to the kingdom?

I read a good white paper this morning by CA Technologies (ca.com) entitled Defending Against Insider Threats To Reduce Your Risk. You can read an excerpt here:

http://www.idpnow.net/documents/Defending_Against_Insider_Threats.pdf

The focus of the article is that insider threats are increasing. The 2009 e-Crime Watch surveyed 523 organizations and found that 51% of them had experienced an insider attack, up from only 39% of organizations three years earlier. The real number is probably much higher, since insider attacks often go unreported. The point is that businesses must be vigilant in looking at insider risk the same way they do external risk – perhaps even more.

The white paper goes on to talk about how insider risks manifest themselves and how these attacks are carried out, but the recommendations for reducing these risks are the important takeaway. If businesses would ensure these relatively simple “best practices” are in place, the odds of an insider attack being successful are greatly diminished.

Develop and enforce comprehensive written acceptable use policies. All organizations should have detailed acceptable use policies for all employees and should make employees review and sign the policy annually. This is a basic step but one that organizations often overlook. Having a written security policy will not necessarily prevent insider attacks, but it can still be useful for providing the entire organization with a baseline of what is acceptable usage and the proper methods for handling sensitive data.

  • Ineffective management of privileged users. All IT environments have privileged users (admin, root) that have total access to key systems, applications, and information. This is not only a security risk, but it can also make compliance much more difficult. Sharing administrator passwords is another common problem which could lead to inappropriate access to your systems and information and an inability to identify specifically who performed which action on each system.
  • Inappropriate role and entitlement assignment. The management of user roles and entitlements is one of the biggest challenges that many IT organizations face. Overlapping roles and duplicated or inconsistent entitlements are all common problems that can lead to improper access to, and use of, sensitive information. In addition, the lack of automated de-provisioning can lead to excessive entitlements or orphan accounts, both of which provide openings through which disgruntled insiders can launch an attack.
  • Poor information classification and policy enforcement. Effective protection against improper access or use of information requires strong control over user identities, access, and information use. Most organizations have some controls in these areas, but do not have a unified and robust approach to truly protect their information assets.
  • Weak user authentication. Access to highly sensitive information often only requires simple password authentication, and does not take into account other contextual information (e.g., the user's location) that might raise the risk of breach.
  • Poor overall identity governance. Effective protection against improper access or use of information requires strong control over user identities, access, and information use. Most organizations have some controls in these areas, but do not have a unified and robust approach to truly protect their information assets.
  • Inadequate auditing and analytics. Many companies have no way to continuously audit access to help ensure that only properly authorized individuals are gaining access, and that their use of information complies with established policy. Even if they have auditing tools in place, the sheer volume of log data generated makes it very difficult for organizations to sift through the data and identify breaches or threats.
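Three of the gaps listed above (orphan accounts left by missing de-provisioning, entitlements that exceed a user's role, and shared administrator accounts that make it impossible to say who did what) can be surfaced with a small reconciliation job. The following is an added example, not code from the CA white paper or from IDP: the HR roster, account directory, role-to-group matrix and authentication log lines are all constructed for illustration, and the log format is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample data for illustration (not from any real environment).
HR_ROSTER = {
    "alice": {"status": "active", "role": "dba"},
    "bob": {"status": "active", "role": "developer"},
    "carol": {"status": "terminated", "role": "finance"},
}
ACCOUNTS = {
    "alice": {"groups": {"dba", "backup-operators"}},
    "bob": {"groups": {"developers", "domain-admins"}},
    "carol": {"groups": {"finance"}},
    "svc_legacy": {"groups": {"domain-admins"}},  # nobody in HR owns this account
}
# Assumption: the organization maintains an approved role-to-group matrix.
ROLE_GROUPS = {
    "dba": {"dba", "backup-operators"},
    "developer": {"developers"},
    "finance": {"finance"},
}
# Constructed log lines in an assumed key=value format.
AUTH_LOG = """\
2011-06-30T08:01:12Z user=root src=10.0.0.15 result=success
2011-06-30T08:03:40Z user=root src=10.0.0.42 result=success
2011-06-30T08:05:02Z user=root src=10.0.0.77 result=success
2011-06-30T09:10:00Z user=carol src=10.0.0.90 result=success
2011-06-30T09:12:30Z user=bob src=10.0.0.42 result=failure
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")


def parse_log(text):
    """Parse the assumed key=value log format into a list of dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_orphan_accounts(accounts, roster):
    """Accounts with no active owner in HR: unknown to HR, or owned by a terminated person."""
    return sorted(a for a in accounts if a not in roster or roster[a]["status"] != "active")


def find_excess_entitlements(accounts, roster, role_groups):
    """Groups an active user holds beyond what their HR role permits."""
    excess = {}
    for name, acct in accounts.items():
        person = roster.get(name)
        if not person or person["status"] != "active":
            continue  # orphans are reported separately
        extra = acct["groups"] - role_groups.get(person["role"], set())
        if extra:
            excess[name] = extra
    return excess


def shared_account_sources(events, shared_accounts=("root", "admin"), min_sources=2):
    """Shared privileged accounts logging in successfully from several sources:
    evidence that the password is shared and actions cannot be tied to one person."""
    sources = defaultdict(set)
    for e in events:
        if e["user"] in shared_accounts and e["result"] == "success":
            sources[e["user"]].add(e["src"])
    return {u: len(s) for u, s in sources.items() if len(s) >= min_sources}


def logins_by_orphans(events, orphans):
    """Successful logins by accounts that should already have been de-provisioned."""
    wanted = set(orphans)
    return sorted({e["user"] for e in events if e["user"] in wanted and e["result"] == "success"})


if __name__ == "__main__":
    events = parse_log(AUTH_LOG)
    orphans = find_orphan_accounts(ACCOUNTS, HR_ROSTER)
    print("orphan accounts:", orphans)
    print("excess entitlements:", find_excess_entitlements(ACCOUNTS, HR_ROSTER, ROLE_GROUPS))
    print("shared admin accounts by distinct source count:", shared_account_sources(events))
    print("logins by orphaned accounts:", logins_by_orphans(events, orphans))
```

Run daily against the real HR feed and directory, the orphan and excess-entitlement lists become the de-provisioning and access-review queue, and the shared-account report is the argument for named administrator accounts with privilege escalation that is logged per person.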

Monday, June 27, 2011

Hackers want your passwords

Password exploitation is the hacker’s most common objective when it comes to compromising a system or stealing information. Why then don’t we pay more attention to securing this critical piece of information?

We are forever being told that we should use complex and difficult (to remember) passwords. This is not the best advice, because you can actually make usable, easy to remember and highly secure passwords. In fact, usable passwords are often far better than complex ones.

How to hack a password

The work involved in hacking passwords is very simple. There are five proven ways to do so:

  1. Asking: Amazingly, the most common way to gain access to someone's password is simply to ask for it. As social engineering becomes more pervasive, users are often tricked into providing their passwords by various means, but at the end of the day, the hacker’s modus operandi is simply to ask for it. My experience from social engineering engagements says that as many as 50% of users in a business will willingly give up their password if the request is made in an innocent context. Not only that, but people often tell their passwords to colleagues, friends and family. Having a complex password policy isn't going to change this.
  2. Guessing: This is the second most common method to access a person's account. It turns out that most people choose a password that is easy to remember, and the easiest ones are those that are related to you as a person. Passwords like your last name, your wife's name, the name of your cat, your date of birth, your favorite flower, etc. are all pretty common. This problem can only be solved by choosing a password with no relation to you as a person.
  3. Brute force attack: Very simple to do. A hacker simply attempts to sign in using different passwords one at a time. The plethora of free automated brute force attack tools makes this method as easy for the hacker as sitting back and letting his computer do the work. The only thing that stops a brute force attack is higher complexity and longer passwords (which is why IT staff insist on them).
  4. Common word attacks: A simple form of brute-force attack in which the hacker attempts to sign in using a list of common words. Instead of trying different combinations of letters, the hacker tries different words. Numerous lists of these “common” passwords exist on the Internet for easy download.
  5. Dictionary attacks: Same concept as common word attacks - the only difference is that the hacker now uses the full dictionary of words. Again, there are hundreds of dictionaries available for free download from the Internet. Many of these dictionaries have been specifically constructed for the sole purpose of hacking passwords.

When is a password secure?

The single most important thing you can do when creating a password, aside from not telling it to someone, is to do so knowing how passwords are hacked and to create one that makes the hacking process longer; i.e. days, months or years. Knowing that a hacker will most likely be using an automated tool or script, you want to make the script take longer to run in the hope that the hacker will give up and move on to a more attractive target.

What makes a password secure in practice depends on how many password guesses or sign-in requests can be made each second. The number varies, but most web applications cannot handle more than 100 sign-in requests per second. In other situations, especially if the hacker has gained access to a local network, literally thousands of requests can be generated each second.

There are 94 printable ASCII characters on the keyboard (printable characters represent upper and lower case letters, digits, punctuation marks, and miscellaneous symbols). That means each character in a password can have one of 94 possible values.

So, in an 8-character password, there are 94^8 = 6.09568939 × 10^15 possible combinations.

Regardless of the number and power of the computers used, a password with that many possible combinations will be hard to break.

Making usable and secure passwords

Common guidelines for choosing good passwords are designed to make passwords less easily discovered by intelligent guessing:

  • Password length should be around 12 to 14 characters if permitted, but in no case less than 8 characters.
  • Avoid any password based on repetition, dictionary words, names of any sort, letter or number sequences, usernames, or dates.
  • Include numbers and symbols in passwords.
  • Use capital and lower-case letters.
  • Avoid using the same password for multiple sites or purposes. For example:

Construct a base password from some random pattern known only to you, then prepend the second letter of the website or application name and append its first letter. This way all you have to remember is the 6-character base password – but it becomes unique for each website or application by using a characteristic of that website or application.
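The search-space arithmetic above (94 printable characters, 100 versus thousands of guesses per second) and the guidelines in this list can be combined into one checker. The following is an added example, not code from this post or from IDP: it computes the search space from the character classes a candidate actually uses, converts that into time-to-exhaust at the two request rates named above, and applies the guideline checks (length, dictionary words, repetition, sequences, dates, username). The tiny word list and the test passwords are constructed stand-ins; a real deployment would load one of the large downloadable lists the post mentions.

```python
import re
from datetime import datetime

# Constructed stand-in for a downloadable common-password list (assumption: a real
# check loads a file with many thousands of entries).
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "dragon", "monkey", "football"}

# 26 + 26 + 10 + 32 = 94 printable keyboard characters, as in the post.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}
RATES_PER_SECOND = (100, 10_000)  # typical web app vs. attacker on the local network


def char_classes(pw):
    """Which of the four character classes the password actually draws from."""
    classes = set()
    for c in pw:
        if c.islower():
            classes.add("lower")
        elif c.isupper():
            classes.add("upper")
        elif c.isdigit():
            classes.add("digit")
        elif 33 <= ord(c) <= 126:
            classes.add("symbol")
    return classes


def search_space(pw):
    """Number of candidates an exhaustive search must cover: alphabet size ** length."""
    alphabet = sum(CLASS_SIZES[c] for c in char_classes(pw))
    return alphabet ** len(pw)


def seconds_to_exhaust(space, guesses_per_second):
    return space / guesses_per_second


def human_time(seconds):
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


def has_repetition(pw, run=3):
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def has_sequence(pw, run=4):
    """Runs like 'abcd' or '4321' (consecutive code points, ascending or descending)."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({1}, {-1}):
            return True
    return False


def looks_like_date(pw):
    """A 4-digit year in 1900-2099 or a 6/8-digit run that parses as a calendar date."""
    for run in re.findall(r"\d+", pw):
        if len(run) == 4 and 1900 <= int(run) <= 2099:
            return True
        if len(run) in (6, 8):
            for fmt in ("%m%d%Y", "%d%m%Y", "%Y%m%d", "%m%d%y", "%d%m%y"):
                try:
                    datetime.strptime(run, fmt)
                    return True
                except ValueError:
                    pass
    return False


def evaluate(pw, username="", wordlist=COMMON_WORDS):
    """Apply the post's guidelines and report search space and time-to-exhaust."""
    issues = []
    if len(pw) < 8:
        issues.append("too_short")
    elif len(pw) < 12:
        issues.append("shorter_than_recommended")
    low = pw.lower()
    if any(w in low for w in wordlist if len(w) >= 4):
        issues.append("dictionary_word")
    if has_repetition(pw):
        issues.append("repetition")
    if has_sequence(pw):
        issues.append("sequence")
    if username and username.lower() in low:
        issues.append("contains_username")
    if looks_like_date(pw):
        issues.append("date")
    classes = char_classes(pw)
    if "digit" not in classes:
        issues.append("missing_digit")
    if "symbol" not in classes:
        issues.append("missing_symbol")
    if not {"lower", "upper"} <= classes:
        issues.append("no_mixed_case")
    space = search_space(pw)
    return {
        "issues": issues,
        "search_space": space,
        "time_to_exhaust": {r: human_time(seconds_to_exhaust(space, r)) for r in RATES_PER_SECOND},
    }


if __name__ == "__main__":
    for candidate in ("aaaa1234", "Password1984", "Tr0ub4d&r#Xq19"):  # constructed test values
        print(candidate, evaluate(candidate))
```

The two numbers the checker returns make the post's point concrete: the search space says how long exhaustion takes at a given rate, while the issue list says whether an attacker would ever need to exhaust it, since a dictionary word or a birth year falls to the guessing and common-word attacks long before brute force matters.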

Wednesday, June 22, 2011

Cybercrime is generational

The motivation behind cybercrime is ever evolving and has become generational. That means businesses must remain proactive in knowing their enemy. If you understand the methods and motivation of your enemy, you are more likely to mount a viable defense.

The first generation of cybercriminals (early to late 1990’s) had a common theme: “I did it to prove that I could”. Notoriety and ego were the primary motivators. They also tended to be younger – often students.

First generation cybercriminals focused in being disruptive and making their presence known by causing indiscriminate damage to any vulnerable computer on the Internet. Their first priority was to get noticed.

The second generation of cybercriminals (early 2000s) turned their attention to money, as in “Show me the money!” Now the focus, motivation and priority became profit.

Botnets (large networks of infected computers) became the preferred attack vector allowing cybercriminals to generate millions of spam emails and execute distributed denial of service (DDoS) attacks. Interestingly, these cybercriminals did little to cover their tracks and evade detection.

The third generation of cybercriminals (mid 2000s) was marked by a higher level of sophistication, where the attackers became more organized and discreet.

Hacker groups evolved and began to operate like more traditional organized criminal enterprises. Similar to the previous generation, they had one motive: profit. The technology became secondary. For these criminals, cybercrime was just a means to an end – an easier way to extort and conduct fraud.

This generation looked to target businesses handling large sums of money, particularly in the financial sector.

The fourth generation of cybercriminals (late 2000s to present) is marked by the development and sale of exploit kits and other hacking software. The rise of criminal-to-criminal activity distinguishes the fourth generation of cybercriminals.

As characterized by “organized crime”, cybercrime evolved into a robust and efficient underground, providing the opportunity for cybercriminals to buy and sell goods and services to each other. As vulnerabilities in software and networks were discovered, cybercriminals developed malware to exploit those vulnerabilities – often selling malware to others or taking their “cut” – even going so far as to “license” their malware.

Malware distribution services, such as IFRAMES.BIZ, evolved that were capable of pushing malware out to infect thousands of hosts. The sophistication of the malware enabled cybercriminals to quickly infect large numbers of computers, send spam, host illegitimate sites, steal sensitive information, execute DDoS attacks and conduct many other criminal activities.

The fourth generation of cybercriminals is also characterized by identity theft, and it brought the buying and selling of stolen identity data to a new level.

Social networks for cybercriminals also emerged, with sites providing reputational rankings of buyers, sellers and partners in the cybercrime marketplace.

As the cybercrime economy has matured, it brings cybercriminals the benefits of specialization and distributed risk. Cybercriminals talented in finding new vulnerabilities and writing exploits can specialize in that area and easily support themselves by selling their exploits.

The same dynamic applies to malware authors, distributors, botnet owners and others in the cybercrime supply chain. Because of this specialization, the sophistication of cyber-attacks increased across the board. This specialization and distribution enables cybercriminals to distribute the risk of being caught.

The current generation of cybercriminals continues to leverage the “power” of malware.

Cybercriminals are continuing to refine and fine-tune each element of the cybercrime supply chain. Today’s cybercriminals are more entrepreneurial and business-savvy than past generations. As a result, attacks continue to grow in sophistication and frequency.

Other evolving current generation threats include:

Pay-Per-Install (PPI)

In these schemes, a single PPI site may partner with thousands of “affiliates” who then distribute the malware. The affiliates are paid based on the number of malware installs they can generate – often thousands each month. The exponential factor can result in millions of infected systems every month.

APT: Advanced Persistent Threats

I blogged about APT recently: http://idpnow.blogspot.com/2011/06/apt-advanced-persistent-threat-what-is.html. The term became much more prominent beginning in 2010 as a name or “label” for targeted attacks on specific organizations by determined, well-coordinated cybercriminals.

Productivity In Cyber Crime

Automation is the name of the game. Just like legitimate businesses, cybercriminals look to do more with less. Automation enables cybercriminals to be more productive using malware authoring tools and scripting techniques.

Malware Tech Support

The trend toward licensed malware has commercialized it to the extent that some malware authors even offer technical support, under the guise that what they do is for “research only.”

Unfortunately, the legal consequences for selling malware are fuzzy. It is generally not illegal as long as the malware author does not use the malware himself to compromise another computer. Further, many of these malware authors operate from countries that effectively shield them from civil actions.

What Can Businesses Do?

It goes without saying that the only constant is change. Cybercriminals will continue to change and evolve – both from the motivational aspects as well as from the increasingly sophisticated techniques they use.

Businesses can best defend themselves by:

  • Conducting ongoing, comprehensive information security risk assessments. Risk awareness, risk assessment and risk mitigation should form the basis from which businesses develop their cyber defenses. IDP has experience and proven methodologies to assist businesses with this important first step.
  • Investing in security products that are made based on supporting the risk-based information security policy. Simply throwing hardware and software at the problem is not the answer. Investments in this area need to be strategically and thoughtfully deployed. Security investments need to be based on policy, with organizational (upper management – board level) acceptance.
  • Engaging an in-house or strategic security partner. This is essential to staying ahead of the cybercriminals' curve.
  • Deploying real time monitoring and threat detection / prevention capabilities. This can be accomplished in-house or through a trusted third party who specializes in this area.
  • Establishing a threat intelligence capability to monitor existing trends and emerging threats that could impact your business. Many businesses participate with or establish relationships with peers, industry groups, government agencies and vendors as trusted sources.

Friday, June 17, 2011

Privacy Rights Clearinghouse - See how pervasive cyber attacks really are.

Lately, it seems like every day there is a new disclosure by a well-known company who has had their network compromised – and client data stolen. Just yesterday, the WSJ had an article about ADP being the latest victim. Add their name to Citigroup, Sony, RSA, the CIA and Lockheed Martin and you get the sense that this is just the tip of the iceberg. How many other successful exploits have taken place that were not publicized or occurred below the radar?

I found an interesting site that is worth looking at: Privacy Rights Clearinghouse. Specifically, http://www.privacyrights.org/data-breach/new provides a great menu-based approach to seeing just how many exploits have actually taken place, and you can slice and dice the information in a variety of ways.

Selecting all the boxes resulted in a 531-page report.

As you can see, malicious attacks are pervasive, and their frequency, sophistication and success just keep growing as businesses of all sizes try to defend their digital assets.

It all starts with governance, best practices, awareness and training. If businesses would focus on these areas, fully 80% of what the bad guys are doing could be stopped. The time is now.