cybercrime future perspectives
DESCRIPTION
Presentation by Charl van der Walt, Jaco van Graan and Roelof Temmingh at ISEC in 2000. The presentation begins with a discussion of commercial crime statistics and trends. Security fundamentals such as encryption and the four pillars of information security are discussed. The presentation ends with a series of discussions on the seven steps of the security process.
TRANSCRIPT
Isec Africa 2000: Computer Attacks - Profiling fraud and cyber crime in the future
November 2000
CYBERCRIME
Future Perspectives
charl van der walt
www.sensepost.com
Commercial Crime
• Commercial crime up 3.5% from last year
– R 3.4 billion in the first half of '99 alone
• 84.3% of cases involved fraud
– 25,000 incidents
– R 2.9 billion
• Gauteng ranks first for commercial crime
• www.saps.org.za
SECURITY TRENDS & STATISTICS
Computer Crime
• 61% of the organizations surveyed have
experienced losses due to unauthorized
computer use.
• The average loss resulting from security breaches in all categories was approximately $1,000,000
FBI / CSI Survey, 1999
Crime Costs Money
“Just ask Edgars, the clothing retail group, which lost more than R1m after a
computer programmer brought down more than 600 stores for an entire day.”
Financial Mail - April 2000
Computers & Commercial Crime
KPMG:
‘63% of top-level managers in South Africa rate their company's dependence on IT for the successful running of business as “Extremely High”’
Did they have it coming?
• access control 93%
• biometrics 9%
• encrypted files 61%
• anti-virus software 98%
• reusable passwords 61%
• firewalls 91%
• encrypted log-in/sessions 46%
• physical security 91%
• PCMCIA, smart cards, one-time tokens 39%
• intrusion detection 42%
• digital IDs, certificates 34%
FBI / CSI Survey, 1999
Threat Distribution - USA
• Theft of proprietary info 20%
• Sabotage of data or networks 15%
• Telecom eavesdropping 10%
• System penetration by outsider 24%
• Insider abuse of net access 76%
• Financial fraud 11%
• Denial of service 25%
• Virus contamination 70%
• Unauthorized access to info by insider 43%
• Telecom fraud 13%
• Active wiretapping 2%
• Laptop theft 54%
Threat Distribution - RSA
Some form of breach 89%
Virus incident 87%
Theft of equipment 80%
E-mail intrusion 27%
Loss of company documents 12%
Breach of confidentiality 8%
External systems attack 8%
Internal systems attack 6%
The value of statistics
• What we know:
– There is a threat to our Information Resources
– The threat has direct financial implications
– The threat is growing
– A large part of the threat is internal
– There are a number of distinguishable trends
• What we don’t know:
– How accurate are the statistics?
– Are international statistics relevant in SA?
– Are international solutions relevant in SA?
– What does this all mean to me?
You need to determine your own unique risk profile
Determining your own risk
• What is Risk?
– Valuable resources + exploitable technology
• What is “Secure”?
– When the financial losses incurred are at an acceptable level
• Your “Risk-Profile”:
– The value of your Information
– The degree of technological vulnerability
– A level of loss that is acceptable to you
Unique to your organisation. Today.
Trends in IT security
• There is a continual phase shift in security risks
• And in security solutions
• In the beginning
– Physical Attacks
• Yesterday
– Network Attacks
• Today
– Application Attacks
• The industry is typically technology driven, not problem driven.
Can we afford to follow the ‘solutions’ trend?
Future Threats
• Denial of Service
– Distributed
– Anonymous
– Depends on 3rd parties to solve
– Directly impacts the “e” world
• Trojans & Worms
– Stealthy
– Remote Controlled
– Fetch Model
• Corporate Backdoors
– How will we ever know?
• Semantic Attacks
Determining your own risk
The magnitude of the risk is a product of the value of the
information and the degree to which the vulnerability can be
exploited.
INFORMATION SECURITY FUNDAMENTALS
charl van der walt
Understanding the Internet
• Host
• Network
• LAN
• WAN
• Internet
• Protocol
• IP
• Packet
• Server / Service
• Port
Four Pillars of Information Security
• Access Control
– Control who may and who may not access data
• Confidentiality
– Ensure data is viewed only by intended audience
• Integrity
– Ensure data is not changed by unauthorized parties
• Authenticity
– Ensure that data originated where you think
• #5 - Availability
– Ensure data is there when you need it
Security Control Methods
• Information Security Policy
• Sound system design
• Access Control
– Physical
– Network
– Operating System
– Application
• Encryption
• Audit and Review
More about Encryption
• Encrypt
– Convert information into unreadable format
• Crypto-Text
• Decrypt
– Change data back to normal format
• Clear-Text
• Algorithm
– Steps followed to encrypt or decrypt the information
• Key
– Secret shared between parties
• Key Length
– An indication of how hard the key is to guess
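The vocabulary on this slide, together with the integrity and authenticity pillars from the Four Pillars slide, shown in working code. This is an added example and not code from the presentation: the stream "cipher" is a constructed toy (a SHA-256 keystream XORed into the data) used only to make the terms concrete, the HMAC tag is what supplies integrity and authenticity, and brute_force shows what key length means by searching a deliberately tiny 12-bit key space. The function names, the shared secret and the sample message are assumptions.

```python
import hashlib
import hmac

# Added example, not from the SensePost slides. The "cipher" below is a
# constructed toy (keystream = SHA-256(key || counter), XORed into the data)
# that exists only to illustrate the slide's vocabulary; it is not a reviewed
# algorithm and must not be used to protect real data.

TAG_LEN = 32  # bytes of HMAC-SHA256 appended to every sealed message


def _derive(master_key: bytes, purpose: bytes) -> bytes:
    """Derive separate keys for encryption and for the integrity tag so that
    one shared secret is never used directly for two different jobs."""
    return hashlib.sha256(purpose + master_key).digest()


def _keystream(enc_key: bytes, length: int) -> bytes:
    # Algorithm: the steps that turn the key into a stream of pseudo-random
    # bytes as long as the message.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(master_key: bytes, clear_text: bytes) -> bytes:
    """Encrypt: convert clear-text into crypto-text (confidentiality)."""
    enc_key = _derive(master_key, b"enc")
    return bytes(a ^ b for a, b in zip(clear_text, _keystream(enc_key, len(clear_text))))


def decrypt(master_key: bytes, crypto_text: bytes) -> bytes:
    """Decrypt: change crypto-text back to clear-text (XOR is its own inverse)."""
    return encrypt(master_key, crypto_text)


def seal(master_key: bytes, clear_text: bytes) -> bytes:
    """Confidentiality plus integrity/authenticity: crypto-text followed by an
    HMAC tag that only a holder of the shared secret could have produced."""
    crypto_text = encrypt(master_key, clear_text)
    tag = hmac.new(_derive(master_key, b"mac"), crypto_text, hashlib.sha256).digest()
    return crypto_text + tag


def open_sealed(master_key: bytes, blob: bytes):
    """Return the clear-text, or None if the data was altered (integrity) or
    was not produced by a holder of the key (authenticity)."""
    if len(blob) < TAG_LEN:
        return None
    crypto_text, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_derive(master_key, b"mac"), crypto_text, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return decrypt(master_key, crypto_text)


def brute_force(crypto_text: bytes, key_bits: int, known_prefix: bytes):
    """Key length as 'how hard the key is to guess': try every key of the given
    length until the decryption starts with something recognisable.
    Returns (key_as_int, keys_tried). Only feasible for toy lengths such as
    the 12-bit key used below; 2**key_bits grows far too fast otherwise."""
    key_len = (key_bits + 7) // 8
    for candidate in range(2 ** key_bits):
        key = candidate.to_bytes(key_len, "big")
        if decrypt(key, crypto_text).startswith(known_prefix):
            return candidate, candidate + 1
    return None, 2 ** key_bits


def keys_to_try(key_bits: int) -> int:
    """Size of the key space that must be searched in the worst case."""
    return 2 ** key_bits


if __name__ == "__main__":
    secret = b"shared secret between the two parties"   # constructed
    msg = b"Transfer R 3.4 billion"                      # constructed
    blob = seal(secret, msg)
    print(open_sealed(secret, blob))                      # the original message
    tampered = bytes([blob[0] ^ 0x01]) + blob[1:]
    print(open_sealed(secret, tampered))                  # None: tag check fails
    toy_key = (0x0ABC).to_bytes(2, "big")                 # lives in a 12-bit key space
    found, tried = brute_force(encrypt(toy_key, msg), 12, b"Transfer")
    print(hex(found), tried, keys_to_try(128))
```

seal and open_sealed derive distinct keys for the cipher and the tag from the one shared secret, so an altered or forged crypto-text is rejected before anything is decrypted. keys_to_try(128) next to the 12-bit search makes the key-length point: a search that completes in milliseconds at 12 bits becomes 2^128 trials at a realistic key length.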
Still more about Encryption
• Public Key Cryptography
– A special type of encryption using a key pair
• Private Key
– Kept strictly secret
• Public Key
– Published with a Certificate
• Certificate
– A way of linking your Key to your Identity
• Certificate Authority (CA)
– Responsible for verifying the Certificate
• Public Key Infrastructure (PKI)
– Structures needed to make the process work
Security Technologies
• Firewalls
– Network Level
– Application Level
– Content Level
• Authentication Systems
– Something you know
– Something you have
– Something you are
• Encryption Protocols
– SSH
– SSL
– IPSec
• Intrusion Detection Systems
Security Products
• Firewalls
– Check Point FW-1 (www.checkpoint.com)
– NAI Gauntlet (www.nai.com)
– Linux IPchains (www.linux.org)
• Authentication Systems
– RSA SecurID (www.rsa.com)
– Aladdin eToken (www.aks.com)
• Encryption
– Windows EFS
– Trispen IPGranite (www.trispen.com)
• Intrusion Detection Systems
– AXENT NetProwler (www.axent.com)
– SNORT (www.snort.org)
Content removed
SECURITY DEMO
roelof temmingh
SECURITY DEMONSTRATED
1. A server is connected to the Internet.
2. Passwords are used to restrict access to the MS file service.
3. A firewall is used to restrict server access to the web service port - 80.
4. An IDS system is used to detect and report on attempted attacks on the web server.
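Steps 3 and 4 of the demo as code: a stateless packet filter that admits only the web port to the server, and a small signature-plus-threshold detector run over web-server access-log lines. This is an added example, not part of the ISEC demo or of any product it used; the addresses (taken from the documentation ranges), the log lines, the signatures and the scan threshold are all constructed.

```python
import re
from collections import defaultdict

# Added example. Addresses come from the documentation ranges (RFC 5737);
# log lines, signatures and thresholds are constructed for illustration.

WEB_SERVER = "192.0.2.10"   # stands in for the demo server
ALLOWED_PORTS = {80}        # step 3: only the web service port is reachable


def firewall_allows(packet: dict) -> bool:
    """Step 3 as a single stateless rule: inbound TCP to the server is passed
    only on the web port. The MS file service from step 2 keeps its password,
    but it is no longer reachable from the Internet at all."""
    return (packet["dst"] == WEB_SERVER
            and packet["proto"] == "tcp"
            and packet["dport"] in ALLOWED_PORTS)


# Step 4: a minimal IDS over access-log lines in common log format:
#   client - - [timestamp] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) - - \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})')

SIGNATURES = [
    ("directory traversal", re.compile(r"\.\./|%2e%2e", re.IGNORECASE)),
    ("admin interface probe", re.compile(r"^/(admin|cgi-bin)/", re.IGNORECASE)),
]
SCAN_THRESHOLD = 5  # distinct non-existent pages requested by one source


def parse_line(line: str):
    """Return the fields of one log line, or None if it is not in the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(log_lines):
    """Return (source, alert) pairs: one per signature hit, plus a 'scanning'
    alert for any source that requested SCAN_THRESHOLD or more distinct
    pages that do not exist."""
    alerts = []
    not_found = defaultdict(set)
    for line in log_lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skipped here; report it in a real system
        for name, pattern in SIGNATURES:
            if pattern.search(rec["path"]):
                alerts.append((rec["src"], name))
        if rec["status"] == "404":
            not_found[rec["src"]].add(rec["path"])
    for src, paths in not_found.items():
        if len(paths) >= SCAN_THRESHOLD:
            alerts.append((src, "scanning"))
    return alerts


# Constructed sample: a normal visitor and a second host probing the server.
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Nov/2000:10:00:01 +0200] "GET /index.html HTTP/1.0" 200 1043',
    '203.0.113.5 - - [14/Nov/2000:10:00:02 +0200] "GET /products.html HTTP/1.0" 200 2210',
    '198.51.100.7 - - [14/Nov/2000:10:01:00 +0200] "GET /cgi-bin/test-cgi HTTP/1.0" 404 210',
    '198.51.100.7 - - [14/Nov/2000:10:01:01 +0200] "GET /admin/ HTTP/1.0" 404 210',
    '198.51.100.7 - - [14/Nov/2000:10:01:02 +0200] "GET /backup.zip HTTP/1.0" 404 210',
    '198.51.100.7 - - [14/Nov/2000:10:01:03 +0200] "GET /old/ HTTP/1.0" 404 210',
    '198.51.100.7 - - [14/Nov/2000:10:01:04 +0200] "GET /docs/../../config HTTP/1.0" 404 210',
    'garbage line that the parser must not choke on',
]

SAMPLE_PACKETS = [
    {"dst": WEB_SERVER, "proto": "tcp", "dport": 80},    # web request: allowed
    {"dst": WEB_SERVER, "proto": "tcp", "dport": 139},   # NetBIOS to the file service: dropped
    {"dst": WEB_SERVER, "proto": "udp", "dport": 80},    # wrong protocol: dropped
    {"dst": "192.0.2.99", "proto": "tcp", "dport": 80},  # not the server: dropped
]


if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print("ALLOW" if firewall_allows(p) else "DROP ", p)
    for src, alert in detect(SAMPLE_LOG):
        print(f"ALERT {src}: {alert}")
```

The two pieces are deliberately independent: the filter reduces what is reachable (the file service of step 2 is protected by its password and by being unreachable), while the detector watches the one port that must stay open and reports both known request patterns and the behavioural sign of a host feeling its way around the site.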
THE INFORMATION SECURITY PROCESS
jaco van graan
Proactive or Reactive?
• Proactive
– Locate weaknesses
– Controls in place
– LT cost effective
• Reactive
– No or weak controls
– Try to plug security holes
– Least effective
– Costly
The Process…
1. Threat/Risk Analysis
2. Security Policy Creation
3. Planning
4. Policy Enforcement/Implementation
5. Monitor & Manage
6. Intrusion Detection
7. Security Audit
Threat/Risk Analysis
• Value your assets (information/reputation).
• Determine the acceptable level of loss.
• Some losses will inevitably occur.
– Eliminating ALL losses would be either too costly or impossible.
• The level of acceptable losses needs to be set
– it dictates how much you are willing to spend on security.
• Set a time period for the acceptable losses.
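The risk definition from the "Determining your own risk" slide (risk = value of the information multiplied by the degree to which the vulnerability can be exploited) carried through the threat/risk analysis steps above: value the assets, set an acceptable loss and a time period, and let that figure dictate where security spending goes. This is an added example, not from the presentation; the asset names, values, exploitability figures and the acceptable-loss level are constructed, and the simplification that treating an asset removes its expected loss is the example's own.

```python
from dataclasses import dataclass

# Added example. Asset values (Rand), exploitability figures and the
# acceptable-loss level are constructed; none of them come from the slides.


@dataclass
class Asset:
    name: str
    value: float           # what the information, or the reputation behind it, is worth
    exploitability: float  # 0..1: chance the vulnerability is exploited in one period


def risk(asset: Asset) -> float:
    """The slide's definition: magnitude of risk = value of the information
    multiplied by the degree to which the vulnerability can be exploited.
    With exploitability read as a probability this is an expected loss."""
    return asset.value * asset.exploitability


def risk_profile(assets, acceptable_loss: float, periods: int = 1):
    """Rank assets by expected loss over `periods` and compare the total with
    the loss the organisation has decided it can accept over that time.
    Returns (ranked [(name, expected_loss)], total, within_acceptable_level)."""
    ranked = sorted(((a.name, risk(a) * periods) for a in assets),
                    key=lambda item: item[1], reverse=True)
    total = sum(loss for _, loss in ranked)
    return ranked, total, total <= acceptable_loss


def where_to_spend(assets, acceptable_loss: float, periods: int = 1):
    """Work down the ranked list, treating the biggest risk first, until the
    untreated expected loss fits under the acceptable level. This is how the
    acceptable-loss figure dictates how much has to be spent on security.
    Simplification (constructed): treating an asset removes its expected loss."""
    ranked, total, _ = risk_profile(assets, acceptable_loss, periods)
    to_treat, remaining = [], total
    for name, loss in ranked:
        if remaining <= acceptable_loss:
            break
        to_treat.append(name)
        remaining -= loss
    return to_treat, remaining


# Constructed register. Values are chosen so that every product is exact in
# floating point; the figures themselves are illustrative only.
SAMPLE_ASSETS = [
    Asset("customer database", 4_000_000, 0.125),
    Asset("public web site", 800_000, 0.5),
    Asset("internal memo archive", 240_000, 0.25),
    Asset("marketing brochure", 60_000, 0.75),
]
ACCEPTABLE_LOSS = 150_000  # accepted over the whole time period being analysed


if __name__ == "__main__":
    ranked, total, ok = risk_profile(SAMPLE_ASSETS, ACCEPTABLE_LOSS)
    for name, loss in ranked:
        print(f"{name:24s} expected loss R {loss:>12,.0f}")
    print(f"total R {total:,.0f}; within acceptable level: {ok}")
    treat, left = where_to_spend(SAMPLE_ASSETS, ACCEPTABLE_LOSS)
    print("treat first:", treat, "-> remaining R", f"{left:,.0f}")
    # Lengthening the time period changes what has to be treated.
    print(where_to_spend(SAMPLE_ASSETS, ACCEPTABLE_LOSS, periods=2))
```

Changing the period while holding the acceptable loss fixed is the slide's last step made visible: over one period two assets need treatment, over two periods a third joins the list, because the same appetite now has to cover twice the expected loss.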
Security Policy
• Practical, understandable.
• Control document.
• Communicated.
• Endorsed by management.
• Applies to all users of infrastructure.
• Gives security administrator a mandate.
A security policy helps to define what you consider to be valuable, and it specifies what steps should be taken to safeguard those assets.
Planning
• Enforcement of controls - security policy
• Select products to ensure compliance
• Determine required implementation and
maintenance skills
• Evaluate impact on business
Planning
• Resources
– People
– Time
– $$$
• Evaluate possible security partner
– Experience: references
– Financial backing
– Trust relationship
– Support: training/skills transfer/SLAs
– Product range
Implementation
• Remember your exposure!
• Security partner?
• Schedule change control - security policy
• Inform all users / business partners
• Ensure skill level of implementers
• Roll back plan
Manage & Monitor
• Physical audit of infrastructure
• Responsibility handover
– Security alerts, advisories, bug fixes
– Equipment load
– Configuration changes
• Catch ‘em! (If you can…)
Internal & External Audit
• Collect and evaluate evidence to determine whether a computer system:
– safeguards assets.
– maintains data integrity.
– allows the goals of an organisation to be achieved efficiently and effectively.
• Security policy as control document.
• International standards: SAS 70; BS 7799.
Internal Audit
• Compare to internal audit division.
• Independence, thus not involved in
implementation or operations.
• Report to IT manager.
External Audit - Evaluation
• Organisation
– Independence
– References
– Experience
– Certification
– Cost
– Ethics
– Services offered
– Backing: subsidiary/insurance
External Audit - Evaluation
• Methodology
– Certification/benchmark
– Audit plan
– Execution according to plan
– Report
– Recommendations & resolution
External Audit - Evaluation
• Resources
– Business skills
– Experience: qualification; certifications; bodies
– Individual background
• The brief… How; What; Where?
– Type: logical; physical or social
– Restrictions / conditions
– Internal / external
External Audit - Evaluation
• Toolbox.
– Tool combinations: wider vulnerability exposure.
– Proprietary or off the shelf.
• Confidentiality.
Intrusion Detection
• If all else failed…
• Regular updates.
• Follow up of intrusion attempts.
• Play it again, Sam.
Adjust Security Policy
• Recommendations from internal &
external audits.
• New business requirements.
INFORMATION SECURITY CERTIFICATION
charl van der walt
Definition
The evaluation of the security of a computer system by a recognised third party.
If the system being tested meets all the criteria it receives certification (also called accreditation) which is an indication of the level of security of the system being tested.
Objective
• To enforce structure on your security program
• A means of assessing your own security
• A means of measuring against best-of-breed
• A means of convincing others of your security
Leading Standards
• BS 7799
– British Standards Institute
– Outlines 10 controls that must be addressed
– Uses the c:cure program for accreditation
– www.bsi.org.uk / www.bsi.org.za
– www.c:cure.org
• TCSEC – Trusted Computer System Evaluation Criteria
– “Orange Book”
– Published by the US National Security Agency
– Defines different ‘Levels’ of trust
• Minimal -> Formally Proven
– www.radium.ncsc.mil/tpep
Leading Standards
• ITSEC
– Information Technology Security Evaluation Criteria
– Recognised by most European countries
– Concentrates on product evaluations
– Defines different levels (E0 - E6)
– www.itsec.gov.uk
• CCITSE
– Common Criteria for IT Security Evaluation
– Joint American / European Evaluation Standard
– Successor to TCSEC and ITSEC
– Defines ‘levels’ similar to TCSEC, but more flexible
• Protection Profiles
– http://csrc.nist.gov/cc/
Leading Standards
• ISO / GMITS – Guidelines to the Management of IT Security
– Published by the JTC
• Joint Technical Committee of ISO and IEC
– www.iso.ch
– www.diffuse.org/secure.html
• COBIT
– Control Objectives for Information and Related Technologies
– Information Systems Audit and Control Association
• ISACA
– ‘Business Oriented & Practical’
– www.isaca.org
Leading Standards
• ICSA
– International Computer Security Association
– Commercial Venture represented world-wide
– Product certification and security assurance services
• TrueSecure
– Internet focused
– www.icsa.net
• Ernst & Young SAS70
– Statement of Auditing Standards # 70
– American version of a similar international standard
– Specifically for the outsourced environment
– Business focused
– www.ey.com
Is Certification for you?
• Yes, if:
– You’re a large corporation
– You’re publicly owned
– You offer IT-based services to clients
– You have legal obligations
– You’re comfortable with formal processes
• No, if:
– You have a small, manageable infrastructure
– Your only responsibility is to yourself
– You have an informal culture and strong skills
– You believe certification will make you secure
Choosing the right standard
• Recognition
– Respect in your target market
• Focus
– Support for your own security objectives
• Local Presence
– A program that can be certified in SA
• Total cost
– Good return on investment
• Overhead
– Reasonable implementation time and life-span
• Impact
– A tangible effect on your systems
THE BOTTOM LINE
1. Take security seriously
2. Don’t panic!
3. Value your information
4. Evaluate your risk
5. Be requirement driven, not technology driven
6. Enable your business
jaco van graan