Situational Prevention of Cyber-crime
Pieter Hartel
Cyber-crime Science
Increase effort (each entry: cyber-crime example; traditional crime example)
1. Harden targets » Firewalls; Steering column locks and immobilizers
2. Access control » Two-factor authentication; Electronic card access
3. Screen exits » Audit logs; Ticket needed for exit
4. Deflect offenders » Honey pots; Segregate offenders
5. Control tools & weapons » Delete accounts of ex-employees; Smart guns
5. Smart gun
Increase risks
6. Extend guardianship » RFID tags; Neighbourhood watch
7. Assist natural surveillance » Show where laptops are; Improve street lighting
8. Reduce anonymity » Caller ID for the Internet; School uniforms
9. Utilise place managers » IDS; CCTV on buses
10. Strengthen formal surveillance » Lawful interception; Burglar alarms
9. IDS
Reduce rewards
11. Conceal targets » Use pseudonyms; Gender-neutral phone directories
12. Remove targets » Turn off when not in use; Removable car radio
13. Identify property » Protective chip coatings; Property marking
14. Disrupt markets » Mining for money mules; Monitor pawn shops
15. Deny benefits » Blacklist stolen mobiles; Speed humps
13. Protective coatings
Reduce provocation
16. Reduce frustrations and stress » Good helpdesk; Efficient queues and polite service
17. Avoid disputes » Chat site moderation; Fixed taxi fares
18. Reduce emotional arousal » Controls on gaming; Controls on violent pornography
19. Neutralise peer pressure » Declare hacking illegal; "Idiots drink and drive"
20. Discourage imitation » Instant clean-up; Censor details of modus operandi
20. Instant clean-up
Remove excuses
21. Set rules » Ask users to sign a security policy; Rental agreements
22. Post instructions » Warn against unauthorized use; "No parking"
23. Alert conscience » License expiry notice; Roadside speed display boards
24. Assist compliance » Free games if the license is valid; Public lavatories
25. Control disinhibitors (drugs, alcohol) » User education; Alcohol-free events
22. Warn against misuse
http://www.homeoffice.gov.uk/
Phishing case study
Examples of the 25 techniques
Increase effort
» 1. Target hardening: Train users to be vigilant
» 2. Control access to facilities: Control inbox and account
Reduce rewards
» 11. Conceal targets: Conceal the email address
» 14. Disrupt markets: Control mule recruitment
Remove excuses
» 22. Post instructions: "No phishing"
1. Target hardening
Training: Anti-phishing Phil http://cups.cs.cmu.edu/antiphishing_phil/new/
How well does training work?
515 volunteers out of 21,351 CMU staff and students
» 172 in the control group, no training
» 172 single training, on day 0
» 171 double training, on day 0 and day 14
3 legitimate + 7 spear-phishing emails over 28 days; no real harvesting of credentials
[Kum09] P. Kumaraguru, J. Cranshaw, A. Acquisti, L. Cranor, J. Hong, M. Blair, and T. Pham. School of phish: a real-world evaluation of anti-phishing training. In 5th Symp. on Usable Privacy and Security (SOUPS), Article 3, Mountain View, California, Jul 2009. ACM. http://dx.doi.org/10.1145/1572532.1572536
Good but could be better
On day 0 about 50% of participants fell for the phish
» Constant across demographics
» Control group remains constant
» Single training reduces clicks
» Multiple training reduces clicks more
People click within 8 hours of receiving the email
Room for improvement:
» Participants were self-selected...
» No indication that this reduces crime...
2. Control access to facilities
The target's online banking site
» Two-factor authentication (TAN via SMS, or a dedicated gadget)
[Wei08] T. Weigold, T. Kramp, R. Hermann, F. Höring, P. Buhler, and M. Baentsch. The Zürich trusted information channel: an efficient defence against man-in-the-middle and malicious software attacks. In P. Lipp, A.-R. Sadeghi, and K.-M. Koch, editors, 1st Int. Conf. on Trusted Computing and Trust in Information Technologies (TRUST), volume 4968 of LNCS, pages 75-91, Villach, Austria, Mar 2008. Springer. http://dx.doi.org/10.1007/978-3-540-68979-9_6
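As an added illustration (not from the slides and not the protocol of [Wei08]), the Python sketch below contrasts the two second factors named above: a session-bound SMS TAN, which a man-in-the-browser can replay against a transfer it has rewritten, and a gadget-style code computed over the transfer details the user confirms on the device's own display. The Bank class, the gadget API, the shared gadget secret and the account identifiers are assumptions constructed for this example.

```python
"""Added example, not from the slides or [Wei08]: session-bound SMS TAN versus a
code bound to the transfer details (the principle behind a confirmation gadget).
The Bank class, the shared gadget secret and all account names are constructed
for this illustration."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Transfer:
    recipient: str      # destination account identifier
    amount_cents: int


def transfer_code(secret: bytes, counter: int, t: Transfer) -> str:
    """8-digit code over (counter, recipient, amount) using HMAC-SHA256.
    Both the gadget and the bank compute this from the same shared secret."""
    msg = f"{counter}|{t.recipient}|{t.amount_cents}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


class Bank:
    """Hypothetical back end offering both verification styles."""

    def __init__(self, gadget_secret: bytes) -> None:
        self.gadget_secret = gadget_secret
        self.counter = 0                    # gadget and bank keep it in step
        self.sms_tan: Optional[str] = None  # outstanding one-time TAN

    # Style A: the bank texts a random code and later checks only that the
    # submitted code equals it. Nothing ties the code to a particular transfer.
    def send_sms_tan(self) -> str:
        self.sms_tan = f"{secrets.randbelow(10**6):06d}"
        return self.sms_tan

    def submit_with_sms_tan(self, t: Transfer, tan: str) -> bool:
        ok = self.sms_tan is not None and hmac.compare_digest(tan, self.sms_tan)
        self.sms_tan = None                 # one-time use
        return ok

    # Style B: the bank recomputes the code over the transfer it actually
    # received; a transfer altered after the user confirmed it will not verify.
    def submit_with_gadget_code(self, t: Transfer, code: str) -> bool:
        self.counter += 1
        expected = transfer_code(self.gadget_secret, self.counter, t)
        return hmac.compare_digest(code, expected)


def gadget_confirm(secret: bytes, counter: int, t: Transfer) -> str:
    """The trusted device shows recipient and amount on its own screen; once
    the user confirms, it computes the code over exactly those details."""
    return transfer_code(secret, counter, t)


def man_in_the_browser(t: Transfer) -> Transfer:
    """Malware silently rewrites the transfer after the user typed it."""
    return Transfer(recipient="ATTACKER-ACCT", amount_cents=900_000)


INTENDED = Transfer("ALICE-ACCT", 10_000)   # what the user meant to send


def attack_on_sms_tan() -> bool:
    """True if the rewritten transfer is accepted (the attack succeeds)."""
    bank = Bank(gadget_secret=secrets.token_bytes(32))
    tan = bank.send_sms_tan()                # user copies the code from the SMS
    tampered = man_in_the_browser(INTENDED)  # malware swaps recipient and amount
    return bank.submit_with_sms_tan(tampered, tan)   # ...and reuses the TAN


def attack_on_gadget_code() -> bool:
    """True if the rewritten transfer is accepted (it should not be)."""
    secret = secrets.token_bytes(32)
    bank = Bank(gadget_secret=secret)
    code = gadget_confirm(secret, bank.counter + 1, INTENDED)  # user saw ALICE, 100.00
    tampered = man_in_the_browser(INTENDED)
    return bank.submit_with_gadget_code(tampered, code)


def honest_gadget_code() -> bool:
    """True when an unmodified transfer verifies, as it must."""
    secret = secrets.token_bytes(32)
    bank = Bank(gadget_secret=secret)
    code = gadget_confirm(secret, bank.counter + 1, INTENDED)
    return bank.submit_with_gadget_code(INTENDED, code)


if __name__ == "__main__":
    print("SMS TAN, tampered transfer accepted:", attack_on_sms_tan())          # True
    print("Gadget code, tampered transfer accepted:", attack_on_gadget_code())  # False
    print("Gadget code, honest transfer accepted:", honest_gadget_code())       # True
```

The point the sketch makes is that the second factor only helps against man-in-the-middle and malicious software when the code is bound to what the bank is asked to execute and the user confirms those details on a display the malware cannot control; a code that merely proves possession of the phone is replayed as easily as a password.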
11. Conceal targets
The victim's email address
» Use a disposable email address – clumsy
The victim's credentials
» Fill the phishers' database with traceable data
[Gaj08] S. Gajek and A.-R. Sadeghi. A forensic framework for tracing phishers. In 3rd IFIP WG 9.2, 9.6/11.6, 11.7/FIDIS Int. Summer School on The Future of Identity in the Information Society, IFIP International Federation for Information Processing, volume 262, pages 23-35, Karlstad, Sweden, Aug 2007. Springer, Boston. http://dx.doi.org/10.1007/978-0-387-79026-8_2
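An added example of what "traceable data" can look like in practice (this is an illustration written for this page, not the framework of [Gaj08]): the bank feeds each phishing site a decoy username/password pair whose password carries a keyed tag, so that when the phisher, or whoever buys the harvested list, later tries the credentials, the login server recognises the decoy without a database scan and recovers which phishing site received it. The Tracer class, the tag construction and the phishing URLs are assumptions constructed for the example.

```python
"""Added example, not from the slides or [Gaj08]: a decoy credential that is
recognisable and traceable when a phisher (or a buyer of the harvested data)
later tries to use it. The tag construction, the Tracer class and the phishing
URLs are constructed for this illustration."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

TAG_LEN = 8  # hex characters of the HMAC tag appended to a decoy password


class Tracer:
    """Issues decoy credentials per phishing site and recognises them at login."""

    def __init__(self, key: bytes) -> None:
        self.key = key                       # secret known only to the bank
        self.issued: Dict[str, str] = {}     # decoy username -> phishing URL

    def _tag(self, username: str) -> str:
        # Keyed tag: a phisher cannot mint usernames that look like decoys.
        return hmac.new(self.key, username.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]

    def make_credential(self, phishing_url: str) -> Tuple[str, str]:
        """A fresh username/password pair to submit to one phishing site."""
        username = "user" + secrets.token_hex(4)
        password = secrets.token_urlsafe(6) + self._tag(username)
        self.issued[username] = phishing_url
        return username, password

    def classify_login(self, username: str, password: str) -> Optional[str]:
        """Return the phishing site a decoy was fed to, or None for a real user.
        The stateless tag check comes first, so a front end needs no decoy list."""
        if len(password) < TAG_LEN:
            return None
        if not hmac.compare_digest(password[-TAG_LEN:], self._tag(username)):
            return None
        return self.issued.get(username, "decoy (site unknown)")


def run_scenario() -> Dict[str, Optional[str]]:
    """Seed two phishing sites with decoys, then classify later login attempts."""
    tracer = Tracer(key=secrets.token_bytes(32))
    site_a = "http://phish-a.invalid/login"    # constructed URLs (.invalid TLD)
    site_b = "http://phish-b.invalid/secure"
    user_a, pw_a = tracer.make_credential(site_a)
    user_b, pw_b = tracer.make_credential(site_b)

    return {
        "real user": tracer.classify_login("alice", "correct horse battery"),
        "decoy from a": tracer.classify_login(user_a, pw_a),
        "decoy from b": tracer.classify_login(user_b, pw_b),
        "guessed decoy": tracer.classify_login(user_a, "x" * TAG_LEN),  # wrong tag
    }


if __name__ == "__main__":
    for attempt, origin in run_scenario().items():
        print(f"{attempt:14s} -> {origin}")
```

When a decoy is used, the bank logs the source address and time together with the phishing site that received it; that pairing is the forensic trail the slide refers to. The appended hex tag is a trade-off: it lets any front end recognise a decoy without a lookup, but visibly structured passwords can tip off a careful phisher, and matching the username alone against the issued table avoids that at the cost of a lookup.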
22. Post instructions
The bank's website
» Post a notice that active anti-phishing measures are being taken... – Do banks do this? Would this work?
» "Phishers will be prosecuted"
Anti-phishing research is risky
» Crawling a social network site violates its terms of service – use the API properly
» Copyright prohibits cloning web sites – work with the target, change the law
» Confusing trademarks damages the good name of the target – idem
» Phishing is illegal in California – avoid
Make sure that your research is not in any way linked to commercial activities!
[Sog08] C. Soghoian. Legal risks for phishing researchers. In 3rd annual eCrime Researchers Summit (eCrime), Article 7, Atlanta, Georgia, Oct 2008. IEEE. http://dx.doi.org/10.1109/ECRIME.2008.4696971
Laptop theft case study
Laptop theft
62 simulated offences of which 31 succeeded
Crime scripts
Step                    Succeeded                     Failed
Enter building          61                            1 (locked door)
Enter office            47 (1× cleaner)               14
Unlock Kensington lock  31 (5× bolt cutter)           16
Leave building          62 (1× emergency exit)        0
Results
Social engineering works
» 30 of 47 attempts with social engineering succeeded
» 1 of 15 attempts without social engineering succeeded
Managers were more likely to prevent the attack than the target
An offender masquerading as ICT staff was twice as likely to be successful
Chapter 7 of [Dim12] T. Dimkov. Alignment of Organizational Security Policies: Theory and Practice. PhD thesis, University of Twente, 2012. http://dx.doi.org/10.3990/1.9789036533317
Conclusions
Crime science approach:
» Might have avoided experimental flaws
» Might have come up with new ideas
» Would have looked at crime prevention
How to bridge the gap between crime science and information security?
An ounce of prevention is worth a pound of cure