More accusations of hacking by China




ISSN 1361-3723/13 © 2013 Elsevier Ltd. All rights reserved. This journal and the individual contributions contained in it are protected under copyright by Elsevier Ltd, and the following terms and conditions apply to their use:

Photocopying: Single photocopies of single articles may be made for personal use as allowed by national copyright laws. Permission of the publisher and payment of a fee is required for all other photocopying, including multiple or systematic copying, copying for advertising or promotional purposes, resale, and all forms of document delivery. Special rates are available for educational institutions that wish to make photocopies for non-profit educational classroom use.

Contents

NEWS

More accusations of hacking by China 1

Smaller businesses most at risk 3

FEATURES

A breach too far? 5

There seems to be no end in sight for the endless procession of data breaches. In spite of regulations and fines, the number of breaches continues to rise. The EU is in the process of bringing in a new Europe-wide law concerning the mandatory reporting of breaches. But will this have the desired effect, or might organisations be inclined to look away when breaches occur? Tim Ring finds out.

Cybercrime as a service: a very modern business 9

Cyber-criminals are more organised than ever. Their activities are now run as businesses, with definable supply chains and specialised groups offering services to each other. This has led to a new phenomenon – Crime as a Service. Derek Manky of FortiGuard Labs explains how cybercrime has become big business.

The three pillars of a secure hybrid cloud environment 13

There are few companies that haven’t considered using cloud services, and most have made the move to some degree or other. And in spite of the perception that security worries are keeping many firms from the benefits that the cloud has to offer, this need not be the case. Chris Jenkins of Dimension Data explains the most important considerations when considering cloud services.

Information warfare: a battle waged in public 15

While many think that information warfare is all about cyber-espionage and hacking attacks on critical infrastructure, there are many, rather more nuanced, forms of information warfare with a more political flavour. Danny Bradbury looks at how information can be suppressed or exploited in a variety of technical ways in the battle for public perception.

Defending your business from exploit kits 19

Exploit kits represent the dark but massively profitable side of cyber-security attacks. They are created, sold and rented, individually or in bundles, on the black market. These kits will be increasingly used because of their ease of deployment and the ease and speed with which they deliver infections. But there are ways to protect yourself, explains Florian Malecki of Dell SonicWall.

REGULARS

Editorial 2

News in brief 4

Events 20

Computer Fraud & Security, ISSN 1361-3723, June 2013, www.computerfraudandsecurity.com

Featured in this issue:

A breach too far?

Security breaches are reaching crisis levels – 93% of large UK organisations were breached in the past 12 months and 87% of small businesses. Meanwhile, a tough new EU law will make the reporting of data breaches mandatory and threatens those who fail to report with serious fines. Yet reporting a data breach can cause massive reputational and brand damage. How should you best protect your organisation from data breaches? And how should you react if, or when, you are breached? Tim Ring investigates.

Full story on page 5…

Cybercrime as a service: a very modern business

Cybercrime has continued to evolve and today it exists in a highly organised form. It has itself become big business, and as with all emerging markets, the suppliers and vendors that serve the cybercrime market have expanded their offer to encompass a range of activities.

Cybercrime has evolved into a complex, highly organised hierarchy involving leaders, engineers, infantry, and hired money mules and a worrying new phrase has entered the lexicon of cybercrime – Crime as a Service (CaaS). Derek Manky of FortiGuard Labs examines how the cybercrime world has matured into big business.

Full story on page 9…

The three pillars of a secure hybrid cloud environment

Whatever mix of cloud services an organisation opts into, security can’t be considered as an afterthought. The data businesses possess can be their most valuable asset, so cloud security should be a top priority.

There are three ‘pillars’ businesses need to consider – risk assessment, a cloud supplier capable of offering transparent communication regarding security, and one with a proactive stance to sharing its security implementations and controls, argues Chris Jenkins of Dimension Data.

Full story on page 13…

More accusations of hacking by China

The flood of hacking accusations levelled at China continues unabated. In what may be viewed as a ‘conveniently’ leaked report, Chinese hackers are claimed to have had access to secrets relating to more than 20 US defence programmes. And there are also claims that Chinese cyber-spies helped themselves to the building plans of a new Australian intelligence service headquarters.

At the time of writing, US President Barack Obama was about to have discussions with China’s President Xi Jinping in which the subject of alleged Chinese hacking of US military networks and defence firms was to be high on the agenda.

The Washington Post published parts of a secret report, leaked shortly before President Obama’s meeting, that included a long list of military programmes allegedly compromised by successful Chinese hacking. The National Intelligence Estimate report was prepared by the Defense Science Board and presented to the Pentagon.

Many of the attacks have already been publicly reported, such as the 2007 hack that accessed sensitive information about the F-35 Joint Strike Fighter programme. Other systems allegedly ‘compromised’ include such high-profile programmes as the V-22 Osprey tilt-rotor aircraft, the Patriot Advanced Capability-3 missile programme, and the Littoral Combat Ship. However, some items on the list are very vague or generic, including ‘software code’ and personally identifiable information (PII).

The public version of the report, ‘Resilient Military Systems and the Advanced Cyber Threat’, was published in January 2013 and is available here: www.acq.osd.mil/dsb/reports/ResilientMilitarySystems.CyberThreat.pdf.

According to the Australian Broadcasting Corp (ABC), Chinese hackers have managed to exfiltrate floorplans and other information relating to a new headquarters building for the country’s Security Intelligence Organisation. They did this by gaining access to the network of one of the contractors. This led to speculation that the hackers would be able to glean all kinds of sensitive intelligence, such as the location of server rooms. Australia’s Prime Minister Julia Gillard dismissed the reports as “inaccurate” while declining to provide any more information.

Meanwhile, security firm Mandiant, which has close links to the US defence and intelligence communities, says that the so-called APT1 cyber-espionage unit (or Unit 61398, to give it its official title) is back in business. Mandiant gave details of the Shanghai-based unit – part of the People’s Liberation Army – in a recent report. After publication, activity apparently dropped, but now, Mandiant says, it is up to its old tricks again, operating at about 70% of its previous capacity and in many cases targeting the same organisations as before.

Finally, the 2010 attack on Google, known as Operation Aurora, may have been far more significant than was first admitted. At the time, Google admitted to having some of its source code stolen, but characterised the attack as being mainly targeted at accessing the email accounts of human rights activists.

Now, it seems, even more sensitive information was accessed. This seems to have included information relating to investigations being carried out by the FBI and the US Department of Justice. The data included the email messages of diplomats and people suspected of being spies or terrorists – primarily Chinese nationals. The database that was breached apparently contained years’ worth of surveillance data.

China’s Government has denied all the accusations of hacking and espionage.

Smaller businesses most at risk

Small and Medium-size Businesses (SMBs) in the UK are among the most vulnerable to cybercrime, according to a report by the Federation of Small Businesses, with annual losses in the sector totalling as much as £785m. And highlighting another threat to small firms, Kaspersky believes that nearly two-thirds of SMBs have no idea what business information is being kept on employees’ mobile devices.

An FSB report, ‘Cyber security and fraud: the impact on small businesses’, claims that fraud and online crime has affected 41% of its members in the past year, with an average cost of around £4,000 per company. It says that 20% of its members had suffered from malware, 8% had been the victims of hacking and 5% had problems with other security breaches.

“Cybercrime poses a real and growing threat for small firms and it isn’t something that should be ignored,” said Mike Cherry, national policy chairman of the FSB. “Many businesses will be taking steps to protect themselves but the cost of crime can act as a barrier to growth. For example, many businesses will not embrace new technology as they fear the repercussions and do not believe they will get adequate protection from crime. While we want to see clear action from the Government and the wider public sector, there are clear actions that businesses can take to help themselves.”

That’s something around 20% of the FSB’s members have failed to do, says the report, which also includes 10 tips to help small firms make themselves more secure.

“Cyber-security is a crucial part of the Government’s National Cyber Security Strategy and we need to make sure that all businesses, large and small are engaged in implementing appropriate prevention measures in their business,” said James Brokenshire, MP, Parliamentary Under Secretary for Security, Home Office. “This report will help give a greater understanding of how online security and fraud issues affect small businesses, giving guidance as well as valuable top tips to protect their business.”

Meanwhile, in the midst of the Bring Your Own Device (BYOD) boom, a survey by TNS Infratest for Kaspersky Lab found that only 35% of IT managers in SMBs admitted to having strict enough rules and policies in place to provide an accurate overview of company information contained on personal devices. This, says Kaspersky, is presenting a serious security risk to these companies. Some 525,000 mobile phones were reported stolen in 2011/2012 as part of the Crime Survey for England and Wales, which creates a huge potential for sensitive data to fall into the wrong hands.

“You only need to look at the statistics showing the number of devices lost or stolen each year to see why it is so important for SMBs to have an accurate overview of what company information employees have on personal devices,” said David Emm, senior security researcher, Kaspersky Lab. “Only when clear BYOD rules are in place, can adequate steps be taken to build a robust security solution should a device be lost or stolen.”