Confusion over the scale & nature of cyber crime
16th December 2016
Keith Cottenden, CYFOR’s Forensic Services Director, shares his thoughts on cyber crime, the risks that organisations face and how to protect business interests.
There is widespread confusion over the scale and nature of cyber crime, which is undermining efforts to tackle a menace that may be costing the economy billions of pounds a year.
Businesses have been at fault, with company bosses delegating responsibility to internal IT specialists in a deliberate effort to keep a problem they may not understand at ‘arm’s length’; the issue of cyber-risks needs to be made accessible for those who are neither familiar with technology nor highly IT literate.
Cyber crime is committed by individuals, or groups, whereas cyber warfare is committed by governments. It can damage your business; every organisation has a role to play in creating a global security culture. Everyone in the information chain must assume responsibility and take steps to improve the security of their systems and networks. Cyber crime prevention is mission critical but there is no one-size-fits-all solution. However, it’s not difficult to identify the steps to take to secure your business from cyber threats.
Until a few years ago, malicious programs were just cyber vandalism, an anti-social form of self-expression exploiting computer technology. Few of them were deliberately written to cause harm, although a small number caused damage to data or made the computer unusable (quite often as a side-effect, rather than by design). The bulk of malicious programs in circulation at this stage were viruses and worms. Today, by contrast, the greatest threat comes from cyber crime. The criminal underground has realised that malicious code can be used to make money in our constantly connected world, and they use it to steal confidential data.
A range of security threats
Cyber attacks include viruses, worms, Trojans, hacking, phishing and more. Cyber threats are becoming increasingly sophisticated and their volume is growing exponentially. However, the most prevalent malicious programs today are Trojans. There are many different types of Trojan. Some record which keys you press, some take a picture of your screen when you visit a banking web site, some download additional malicious code, and some provide a remote hacker with access to your computers. Whatever their form, they all have one thing in common: they allow cyber criminals to harvest confidential information to make money.
The range of security threats includes:
• Malicious threats, such as viruses and other malware
• Fraud threats such as phishing emails and spyware
• Unauthorised access from hacking, data leakage, botnets, unsecured wireless, and user name/password insecurity, etc.
• Operational threats, such as distributed denial of service (DDoS) attacks, attacks on VoIP, the failure of cloud computing suppliers to secure your network, or security risks from remote workers.
• Newer threats such as social networking insecurity, web application threats, smartphone insecurity and poor security for converged voice/data applications on the network
Service availability is the name of the game, with an almost universal requirement for a 24 x 7 service to those who should receive it at the time and place of need; are the risks associated with this requirement being adequately managed?
Remember, what is adequate for a charity may not be adequate for a bank and what is adequate for a bank may not be adequate for a nuclear power station!
Are you at risk?
If you answer ‘yes’ to one or more of the questions below you are at risk and need to take steps to review the security of your systems and networks:
– Is any of your important company or personal information (whether yours or that of employees, customers, contractors or partners) stored on a computer?
– Do you or your employees access any important information (including banking, credit card, and supplier or delivery information) across an internal network?
– Do you have a company website?
– Do you or your employees use the Internet at work?
– Do you or your employees use e-mail at work?
– Would your organisation be unable to survive if it lost the use of its computers for several days or longer?
Becoming a victim of cyber crime is not a question of the size of your business. All organisations use similar tools across their IT infrastructures, including operating systems, office products, web browsers, storage for critical data (customers, employees, financial) and the laptops and mobile devices used by employees. All of these are equal targets for cyber criminals.
Hacker intrusion, malware, spyware and spam can lead to lost or stolen data, computer downtime, decreased productivity, lost sales and even loss of reputation. Even those organisations that consider themselves less dependent on computers need to protect their data.
Cyber criminals do not care about the nature or size of your business. They are not concerned who a computer or network belongs to. Cyber criminals want to own any system they can gain access to in order to carry out illegal activity and achieve financial gain at your expense.
What would happen to your organisation if:
– Customer details or credit card data were stolen
– Child porn were to be placed on your web server
– Money was transferred without authorisation from your bank account
– A senior manager’s computer was accessed remotely
– All your computers became unusable
– Information about a new product leaked to a competitor
Threats of cyber crime
Threats to vital information are becoming ever more malicious and complex. While in the past the main problem was hardware downtime, today much more is at stake:
- Loss of intellectual property
- Identity theft
- Liability claims
- Damaged reputation
Unfortunately, ignorance is no excuse for inaction. In today’s networked world, information on an unsecured system can be quickly compromised, or the system itself can be used as a launch pad for attacks on other systems and networks.
Even if you’re not an expert, you still need to take steps to protect your organisation and others.
Your business needs protection that is simple to install and easy to maintain. Your time should be dedicated to the success of your business, not the constant safeguarding of the network.
Maintain system and network security
Even with limited resources and expertise, you can maintain the security of your systems and network. Consider the points below; are you taking these steps?
- Routinely ask key questions before purchasing any new product to determine that your software, hardware, business processes and procedures will work together to keep your business secure. Such questions include:
– What do I really need this product to do?
– How well will it work with what I already have?
– What do I do to achieve its best performance?
- Look for affordable and proven technologies.
- Look for security solutions that are easy to use and quickly deployed.
- Make sure your solution offers comprehensive protection. Threats are becoming more integrated. You should look for solutions that stop multiple attack methods.
- Look for a solution that can provide protection both against internal and external threats across your network.
- Install security software on workstations, laptops and servers.
- Ensure that the security you install includes the following components for comprehensive protection:
– Personal firewall
– Intrusion prevention
– Proactive technologies to defend against new, unknown threats
- If you have the resources and it’s appropriate, consult a local expert on the configuration and deployment of your IT system.
- Make security an important criterion when choosing software or service providers.
- Understand the security functions of the software and hardware you already have.
- Update your security software regularly.
- In addition to relying on real-time protection, scan your system at least once a week.
- Always install security patches for your operating systems and applications.
- If you use Microsoft Office, remember to update this regularly.
- Take steps to physically secure computers, especially laptops and mobile devices.
- Be wary of emails with attached files (Word documents, Excel spreadsheets, EXE files, etc.): don’t open them unless you know who sent them, and only then if you’re expecting them. NEVER open an attachment sent in an unsolicited (spam) email.
- Back up all data regularly; if data on a computer’s hard disk has been damaged or encrypted by a malicious program, a backup will ensure that you don’t lose the data.
- If an employee doesn’t need a software application for legitimate business purposes, don’t permit the installation on their computer.
- Ensure your systems are password protected with strong passwords.
- Educate your employees on information security.
- Inform employees on what information they may and may not give to callers and visitors.
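The attachment rule above (only open attachments from a known sender, and only when expected; treat executables with particular suspicion) can be applied mechanically at the mail gateway before a message reaches a user. The following is an added example, not CYFOR’s code or any product’s: it judges an attachment by its real content (leading bytes, and the macro storage inside an Office zip container) rather than by its file name, then applies the sender/expectation rule. The extension lists, the verdict names and the sample attachments are constructed for the example.

```python
import io
import zipfile

# Constructed policy for this example: extensions typical of executables and
# scripts are blocked outright; everything else is judged by content and context.
BLOCKED_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                      "vbs", "vbe", "hta", "ps1", "jar", "lnk", "msi"}
ALLOWED_EXTENSIONS = {"pdf", "docx", "xlsx", "pptx", "txt", "csv", "jpg", "png"}

# Leading bytes of common executable formats; the file name is not trusted.
EXECUTABLE_MAGIC = {
    b"MZ": "Windows PE executable",
    b"\x7fELF": "ELF executable",
    b"#!": "script with interpreter line",
}


def detect_content_type(data: bytes) -> str:
    """Classify the attachment by its leading bytes rather than its name."""
    for magic, label in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return label
    if data.startswith(b"%PDF"):
        return "PDF document"
    if data.startswith(b"PK\x03\x04"):
        # Office Open XML files are zip containers; a vbaProject.bin entry
        # means the document carries VBA macros.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            return "corrupt zip container"
        if any(n.endswith("vbaproject.bin") for n in names):
            return "Office document with macros"
        if any(n.startswith("word/") for n in names):
            return "Word document"
        if any(n.startswith("xl/") for n in names):
            return "Excel workbook"
        return "zip archive"
    return "unknown"


def screen_attachment(filename: str, data: bytes,
                      sender_known: bool, expected: bool) -> tuple:
    """Return (verdict, reason); verdict is 'block', 'quarantine' or 'allow'."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in BLOCKED_EXTENSIONS:
        return "block", f"executable extension .{ext}"
    kind = detect_content_type(data)
    if kind in EXECUTABLE_MAGIC.values():
        return "block", f"content is a {kind} despite the name {filename!r}"
    if kind == "Office document with macros":
        return "quarantine", "Office document carries VBA macros"
    if ext not in ALLOWED_EXTENSIONS:
        return "quarantine", f"extension .{ext} is not on the allow-list"
    if not (sender_known and expected):
        return "quarantine", "sender unknown or attachment not expected"
    return "allow", f"{kind} from a known sender, expected"


def build_zip(entries: dict) -> bytes:
    """Build a small zip container in memory (used only to construct samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachments (name, bytes, sender known?, expected?); not real mail.
SAMPLE_ATTACHMENTS = [
    ("invoice.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60, True, True),
    ("invoice.pdf", b"MZ\x90\x00" + b"\x00" * 60, True, True),          # disguised executable
    ("quote.xlsx", build_zip({"xl/workbook.xml": "<workbook/>",
                              "xl/vbaProject.bin": b"\x00" * 16}), True, True),
    ("report.docx", build_zip({"word/document.xml": "<document/>"}), True, True),
    ("report.docx", build_zip({"word/document.xml": "<document/>"}), False, True),
]


def screen_samples() -> list:
    """Apply the policy to every sample; returns (name, verdict, reason) triples."""
    return [(name, *screen_attachment(name, data, known, expected))
            for name, data, known, expected in SAMPLE_ATTACHMENTS]


if __name__ == "__main__":
    for name, verdict, reason in screen_samples():
        print(f"{verdict:10} {name:18} {reason}")
```

The point of checking the leading bytes is the second sample: a file named invoice.pdf whose content starts with the Windows executable header is blocked even though its extension is on the allow-list. Macro-bearing Office documents are quarantined rather than blocked, since some businesses legitimately exchange them; a real gateway would also scan the content with anti-malware software, which this example does not do.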
Look closely at your most valuable assets and ensure they are well protected. For one business this may be protecting its customer database, or protecting intellectual property, and for another it might be securing financial information.
Whatever steps you do take, be sure your business is protected.
Dealing with cyber crime within a legal and regulatory framework means that there are six potential end-game scenarios, depending on whether the incident results from an internal or an external attack. These are discipline, resignation, dismissal, civil prosecution, criminal prosecution, or making it go away.
Adopt a Forensic Readiness Plan
If an organisation does not have a forensic readiness plan then it is likely to be unprepared for the consequences of an incident investigation. Law enforcement agencies could conduct a search of premises and seize business critical computer systems which could cause major business continuity issues. Also, an organisation may be prone to significant liabilities if it cannot collect digital evidence to a standard required during civil proceedings and tribunals in response to employee abuse of an organisation’s computer systems.
Potential incident investigations include:
- Threats and extortion
- Accidents and negligence
- Stalking and harassment
- Commercial disputes
- Disagreements, deceptions and malpractice
- Intellectual property rights infringement
- Content abuse
- Invasion of privacy and identity theft
- Employee disciplinary issues
- Employee Internet misuse / abuse
- Employee Email Misuse / abuse
- Employee performance issues
- Electronic bullying / harassment
- Formal Police / legal request for digital evidence
- Social Networking evidence
- Production of audit logs
- Back up data
- Removable media
- Network intrusion / prevention audit records such as cyber-attacks (hacking attempts etc)
- Mobile phone and desk phone investigation
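Several of the investigation types listed above (audit logs, backup data, removable media, network intrusion records) come down to the same practical requirement stated earlier: evidence must be collected to a standard that will hold up in civil proceedings or a tribunal, which means being able to show that what is presented later is exactly what was collected. The following is an added example, not part of the original article and not a CYFOR tool: it records a SHA-256 hash of every collected file in a manifest at collection time, and later reports which files are intact, modified, missing or added. The case identifier, examiner name and sample log lines are constructed.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large disk images or log exports fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def create_manifest(evidence_dir: str, case_id: str, collector: str) -> dict:
    """Record every file under evidence_dir with its size and SHA-256 at collection."""
    items = []
    for root, _, files in os.walk(evidence_dir):
        for name in sorted(files):
            full = os.path.join(root, name)
            rel = os.path.relpath(full, evidence_dir).replace(os.sep, "/")
            items.append({"path": rel, "size": os.path.getsize(full),
                          "sha256": sha256_file(full)})
    items.sort(key=lambda i: i["path"])
    # A digest over the item list lets a reviewer detect edits to the manifest itself.
    listing = "\n".join(f"{i['sha256']}  {i['path']}" for i in items)
    return {"case_id": case_id, "collector": collector,
            "collected_at": datetime.now(timezone.utc).isoformat(),
            "items": items,
            "manifest_digest": hashlib.sha256(listing.encode()).hexdigest()}


def verify_manifest(evidence_dir: str, manifest: dict) -> dict:
    """Compare the current state of evidence_dir against the manifest."""
    expected = {i["path"]: i["sha256"] for i in manifest["items"]}
    result = {"intact": [], "modified": [], "missing": [], "unexpected": []}
    present = set()
    for root, _, files in os.walk(evidence_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, evidence_dir).replace(os.sep, "/")
            present.add(rel)
            if rel not in expected:
                result["unexpected"].append(rel)
            elif sha256_file(full) == expected[rel]:
                result["intact"].append(rel)
            else:
                result["modified"].append(rel)
    result["missing"] = sorted(set(expected) - present)
    for key in ("intact", "modified", "unexpected"):
        result[key].sort()
    return result


def demo() -> dict:
    """Constructed walk-through: collect, then simulate tampering, then verify."""
    # Constructed sample evidence; hosts, users and addresses are not real.
    samples = {
        "logs/auth.log": "Jan 10 09:12:01 fileserver sshd[412]: Accepted password for jsmith\n",
        "logs/proxy.log": "2016-12-01T08:00:00Z 10.0.0.12 GET http://example.invalid/ 200\n",
        "mail/export.eml": "From: hr@example.invalid\nSubject: constructed sample\n",
    }
    with tempfile.TemporaryDirectory() as evidence_dir:
        for rel, text in samples.items():
            full = os.path.join(evidence_dir, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(text)
        manifest = create_manifest(evidence_dir, "CASE-0001", "examiner (constructed)")
        # The JSON form is what would be stored, and ideally signed, alongside the evidence.
        stored = json.dumps(manifest, indent=2)
        # Simulate events after collection: an appended log line, a deleted
        # mailbox export and a stray file that was never collected.
        with open(os.path.join(evidence_dir, "logs", "auth.log"), "a") as fh:
            fh.write("Jan 10 09:15:44 fileserver sshd[412]: session closed\n")
        os.remove(os.path.join(evidence_dir, "mail", "export.eml"))
        with open(os.path.join(evidence_dir, "notes.txt"), "w") as fh:
            fh.write("added after collection\n")
        return verify_manifest(evidence_dir, json.loads(stored))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Hashing at the moment of collection, and keeping the manifest separate from the evidence (ideally signed or held by a second person), is what lets an organisation answer the question a tribunal will ask: has this material changed since it was seized? The example reports the appended auth.log as modified, the deleted export as missing and notes.txt as unexpected.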
Adoption of a forensic readiness policy is a mandatory requirement for Government Departments, and if you work with (or plan to work with) a Government Department then they may require, or expect, an organisation to have a forensic readiness policy. Other business benefits of adopting a forensic readiness policy include:
- Incident investigations will proceed in a more cost effective manner;
- It is a deterrent to computer misuse and re-occurrences of abuse are reduced;
- It assists with security awareness training for employees.
Benefits of a Forensic Readiness Policy
The benefits to the organisation of creating a forensic readiness policy consist of the following:
- Enterprise defence mechanisms are captured
- Acts as a deterrent to insider threats
- In the event of an incident, this would enable minimum disruption and also link in to Business Continuity plans
- Reduced cost and time for internal investigations
- Extends information security to the wider threat from cyber crime
- Demonstrates due diligence and good enterprise governance arrangements
- Compliance with guidelines and other regulatory requirements
- Improves the prospects for successful legal action if required
- Supports employee sanctions based on digital evidence