Comment: Managing Cybercrime

Verizon's van der Wel says: "Obtaining evidence of foul play is always tricky – it’s a matter of looking for the right indicators"

New doors are opening every day for cybercriminals seeking to profit from valuable corporate data. Today’s cybercriminals not only steal money and sensitive information, but they also prey on organizations’ peace of mind. However, the security community now has the opportunity to create a unified front in the fight against cybercrime by leveraging their collective knowledge to analyze and collate cybercrime data – and therefore gain a more complete picture of cybercrime than has ever before been possible.

We can’t escape the fact that cybercrime is prevalent, and one of the key drivers is the increased involvement of organized crime syndicates. For example, there has been an increase in phishing scams throughout Southeast Asia where computer users have been fooled into revealing their banking information to bogus tax officials.

Remember Albert Gonzalez? He and his accomplices were involved in the credit card theft and subsequent reselling of more than 130 million card numbers from 2005 through 2007 – one of the largest data breaches ever reported. With web-enabled TV and mobile internet connectivity becoming ingrained in everyday life, the availability of technology-enabled applications to fuel cybercrime looks set to increase exponentially.

Cybercriminals targeting financial organizations is hardly surprising. Stealing money from electronic information systems is basically the modern form of bank robbery. Financial organizations hold large volumes of sensitive customer data for significant periods of time – data that can be exploited by criminals seeking financial gain.

Likewise, industries relying on point-of-sale (PoS) and payment card technology for their daily operations – such as retailers, restaurants and hotels – are often popular targets for credit card crime. They offer criminals an easy way to convert sensitive data into cash. Personal details and financial information are some of the most easily compromised types of data.

In fact, according to the 2010 Verizon Data Breach Investigations Report, personal information and financial data accounted for the top two most compromised data types. The report features aggregated findings from Verizon’s own caseload as well as hundreds of computer crime cases investigated by the US Secret Service, in a first-of-its-kind collaboration. The study series now spans six years, 900-plus breaches and over 900 million compromised records.

While both attackers and defenders are constantly vying for an advantage, there is no doubt that the information security industry has made some encouraging improvements to its defenses. Research helps businesses understand the methods that cybercriminals employ, identify what information they attempt to steal, and how they obtain it.

Threats: Malware

The Verizon DBIR found that external threat actions accounted for 70% of data breaches. Threat actions describe what the cybercriminal has done to contribute to the breach. This includes malware, hacking and socially engineered breaches. In many large-scale data breaches, attackers often access the victim’s network (usually by exploiting a weakness) and install malware on the system to collect the data.

One of the most frequent ways that malware enters a system is through an SQL injection by a remote attacker – one of the most widespread and harmful attack methods out there – or by being installed once the attacker already has access to the system. Either route means trouble, because malware planted by either method is able to evade detection by anti-virus software.

The web is an increasingly popular vector for malware for the simple reason that people everywhere are merging their personal and business lives and interacting through the internet. Over-trusting browsers and users operating with administrative privileges turned ‘on’ only increase the vulnerabilities. At the same time, cybercriminals are becoming more prolific in developing new and innovative methods to capture data.

Obtaining evidence of foul play is always tricky – it’s a matter of looking for the right indicators. Organizations need to pay attention to what goes in and out of their systems. For example, if you don’t have any customers in certain countries, yet are noticing periodic outbursts of traffic sent there from your networks, should you be suspicious? It might be nothing, but it is always worth investigating.

Threats: Hacking

Hacking is the second most popular cybercriminal activity, as it affords the criminal many luxuries – for example (and probably most importantly), it can be accomplished remotely and anonymously. The use of stolen credentials is the number one hacking type. Stolen credentials offer the attacker many advantages, including the ability to be disguised as a legitimate user. Cybercriminals can easily cover any tracks that may be left behind as they disappear with the victim’s sensitive data.

Although the findings of research such as Verizon’s shift and evolve over time, the results are rarely new or unexpected.

What business must remember is that, although today’s cybercriminals are smart and resourceful, the necessary tools and resources are available to fight back. The challenge will always be selecting the right tools for the right job, and making sure those tools are used properly, effectively and for maximum impact.

Top Tips for Securing a Network

Restrict and monitor privileged users: Don’t give users more privileges than they need, and use separation of duties. Make sure employees know policies and expectations, and have appropriate supervision to make sure they adhere to the policies.

Watch for ‘minor’ policy violations: Be wary of and adequately respond to policy violations, however minor they may seem. The presence of illegal content on user systems is a reasonable indicator of a future data breach.

Implement measures to prevent stolen credentials: Consider two-factor authentication where appropriate. If possible, implement time-of-use rules, IP blacklisting and restricting administrative connections.

Monitor and filter network traffic: By monitoring, understanding and controlling outbound traffic, an organization will greatly increase its chances of mitigating malicious activity.

Change the approach to event monitoring and log analysis: Make sure there are enough people, adequate tools and sufficient processes in place to quickly recognize and respond to any anomalies.
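The outbound-traffic check described earlier (periodic bursts of traffic to countries where you have no customers) and the "monitor and filter network traffic" tip above, worked through as an added example that is not part of the original article or of Verizon's tooling. The flow records, hostnames, addresses and the expected-country set are all constructed for illustration; the script groups outbound flows to unexpected countries per host and destination and checks whether they recur at near-constant intervals.

```python
# Added example: flag outbound flows to countries outside the expected set and
# check whether they recur at regular intervals (beacon-like bursts).
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound flow log (not real data): timestamp host dst_ip country bytes_out
FLOWS = """\
2010-06-01T09:00:00 ws-17 203.0.113.10 NL 4200
2010-06-01T09:15:00 ws-17 203.0.113.10 NL 4100
2010-06-01T09:30:00 ws-17 203.0.113.10 NL 4300
2010-06-01T09:45:00 ws-17 203.0.113.10 NL 4250
2010-06-01T09:02:00 ws-03 198.51.100.7 US 900
2010-06-01T11:40:00 ws-03 198.51.100.7 US 1200
2010-06-01T10:10:00 ws-09 192.0.2.55 DE 300
"""

# Assumed: the (hypothetical) business only has customers in these countries.
EXPECTED_COUNTRIES = {"US", "GB"}

def parse_flows(text):
    records = []
    for line in text.splitlines():
        ts, host, dst, country, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), host, dst, country, int(nbytes)))
    return records

def is_periodic(timestamps, min_events=3, max_jitter=0.1):
    """True when gaps between consecutive events are near-constant
    (relative standard deviation of the gaps <= max_jitter)."""
    if len(timestamps) < min_events:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    return mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter

def unexpected_destinations(flows, expected_countries):
    """Group outbound flows to unexpected countries by (host, dst, country)
    and summarise count, volume and whether the timing looks periodic."""
    by_dest = defaultdict(list)
    for ts, host, dst, country, nbytes in flows:
        if country not in expected_countries:
            by_dest[(host, dst, country)].append((ts, nbytes))
    return {key: {"events": len(ev),
                  "bytes_out": sum(b for _, b in ev),
                  "periodic": is_periodic([t for t, _ in ev])}
            for key, ev in by_dest.items()}

if __name__ == "__main__":
    for (host, dst, cc), info in unexpected_destinations(parse_flows(FLOWS), EXPECTED_COUNTRIES).items():
        flag = "BEACON-LIKE" if info["periodic"] else "review"
        print(f"{host} -> {dst} ({cc}): {info['events']} flows, {info['bytes_out']} bytes [{flag}]")
```

A periodic, low-variance stream to an unexpected country is exactly the kind of indicator the article says is worth investigating; a single flow (like the DE entry) is still listed, but not flagged as beacon-like.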

Matthijs van der Wel is the manager of the forensics practice in EMEA for Verizon Business Security Solutions. In this role, he is responsible for incident response and investigation.
