Cybercrime and siphoned data
Richard Walters, Product Director, Overtis Systems, describes how, by combining endpoint security with CCTV, physical access control systems and RFID, true perimeters can be created that prevent data quite simply walking out of the door and into the cybercrime community
Criminals and foreign governments are now fully exploiting the interconnected online world. Traditional viruses now account for less than five per cent of all malicious software (malware) infections. Trojans and worms, with highly invasive capabilities, are now a global pandemic problem, designed to capture sensitive information from infected systems.
A Whitehall report in January this year stated that "the UK is a high priority espionage target and a number of countries are actively seeking UK information and material to advance their own military, technological, political and economic programmes". The report highlighted foreign intelligence services, with the Russians and Chinese being of greatest concern (in support of this, it is worth noting that over 50 per cent of malware currently originates from China). It pointed out that the number of Russian intelligence officers in London "has not fallen since the Soviet times".
In March this year Canadian researchers at the University of Toronto uncovered a network of more than 1,200 infected machines in over 100 countries, within ministries, embassies, banks and news organisations, controlled from servers based almost exclusively in China. 'GhostNet' was observed stealing documents and watching and listening to users remotely.
The FBI and Metropolitan Police are currently co-operating to find a group of six Ukrainians responsible for building a botnet of more than 1.9 million computers worldwide with the ability to record keystrokes, copy files and take screenshots. Assembled in the space of two or three months, the network is rented out for various activities at up to £130,000 per day. The criminals can remotely execute anything they like on the infected systems.
Cybercrime is now an enormous business and as the criminals increase their knowledge – organically as well as through recruiting experienced technical 'staff' – attacks become more sophisticated and targeted. Attacks against employees of specific companies, or specific senior executive teams, are well documented and increasingly commonplace. The first large scale attack of this type was reported by the National Infrastructure Security Co-ordination Centre (NISCC) in the middle of 2005.
Since then targeted phishing, or spear phishing, has grown exponentially. A highly organised cybercrime group, the Russian Business Network (RBN), based in St Petersburg, was responsible for almost half of the phishing attacks in 2006 and continues to grow internationally through a network of partners and marketing affiliates. RBN provides "bullet proof" hosting services to spammers, child pornography sites, malware, phishing and cybercrime networks. Because it trades exclusively in untraceable electronic transactions, the group is almost impossible to track down.
Criminals are organising themselves rapidly into a 'global malware manufacturing facility' with a distributed production line. Highly targeted malware development can now be outsourced to Russia and then passed on to criminals in other parts of the world for distribution and management. In contrast, China still produces the 'finished product' itself.
In parallel with external attacks the insider threat facing organisations has also increased in the current economic climate as employees are losing their jobs and generally uncertain about their futures. Companies often use more contractors and outsource functions during difficult times in an effort to control or reduce costs; the corresponding insider threat rises as the workforce becomes more transient and is one step removed from corporate controls.
Individuals who have lost their jobs are taking more than memories away from the office: an enormous amount of valuable data is walking out on iPhones, iPods, USB flash drives, laptops, DVDs and CDs. Ex-employees may steal data to gain a competitive advantage in their role with a new company, or simply to cause operational or reputational problems for the organisation they have just left. It doesn't matter which of the two provides the catalyst; the result of either is a major impact on the company.
The second reason the insider threat increases in a downturn is that the international, highly organised criminal community sees it as a clear opportunity. Individuals concerned about their personal finances can be more easily persuaded to deal in information. Whether the threat originates externally or internally, the target – the information asset – is the same. To address both the external and the internal threat, a layered approach is required, at the gateway and at the endpoint.
Multiple anti-virus tools should be used to prevent malware infection, combined with strong device control (to thwart the 10 per cent of malware that propagates on removable media – such as the recent Conficker worm). AV products should not only scan devices, web and email content on the fly, they should also update automatically. Otherwise there is a risk that a gap in policy or process will still result in infection. Technology alone is not enough.
Addressing the insider threat is in some respects more difficult. Controls need to be placed where they are most effective, between the user and the information, and be positioned to monitor exactly how users access, process, store and transmit data. Policies can then be enabled that restrict which applications can run, but also shape the functionality available within applications (restricting the ability to cut and paste information from a key financial spreadsheet into an IM chat session, or web mail message).
The vast majority of data losses are unintentional and most malware infections are down to carelessness. Staff education and awareness training is a vital component of any information security strategy. Users should be warned if a confidential file is attached to an email with external recipients on the distribution list, and educated in the use of encryption to protect data at rest as well as to share information more securely.
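The outbound-email warning described above, as an added illustration that is not code from the article or from Overtis: a check that flags a confidential attachment whenever any To, Cc or Bcc recipient is outside the organisation. The internal domain (example.com), the classification labels and the sample message are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Assumed internal domains; any other recipient domain counts as external.
INTERNAL_DOMAINS = {"example.com"}
# Classification labels (assumed) that should not leave the organisation unnoticed.
CONFIDENTIAL_LABELS = {"confidential", "restricted"}

_ANGLE_ADDR = re.compile(r"<([^>]+)>\s*$")  # address inside 'Name <addr>'


@dataclass
class Attachment:
    name: str
    classification: str   # label applied by the author or document system


@dataclass
class OutboundMail:
    sender: str
    recipients: list      # To, Cc and Bcc combined
    attachments: list


def normalise(addr):
    """Strip a display name ('Alice <alice@x>') and lower-case the address."""
    m = _ANGLE_ADDR.search(addr)
    return (m.group(1) if m else addr).strip().lower()


def is_internal(addr, internal_domains=INTERNAL_DOMAINS):
    """True when the address's domain is an internal domain or a subdomain of one."""
    domain = normalise(addr).rsplit("@", 1)[-1]
    return any(domain == d or domain.endswith("." + d) for d in internal_domains)


def external_recipients(mail, internal_domains=INTERNAL_DOMAINS):
    return [normalise(r) for r in mail.recipients
            if not is_internal(r, internal_domains)]


def check_outbound(mail, internal_domains=INTERNAL_DOMAINS):
    """Return one warning per confidential attachment on a message with external recipients."""
    external = external_recipients(mail, internal_domains)
    if not external:
        return []                      # purely internal mail: nothing to warn about
    return [f"'{att.name}' is classified {att.classification} but the message "
            f"has external recipients: {', '.join(external)}"
            for att in mail.attachments
            if att.classification.lower() in CONFIDENTIAL_LABELS]
```

A mail client plug-in or gateway would call check_outbound before sending and show the returned warnings to the user, which is the education-at-the-point-of-action the article recommends.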
Integrating physical and logical (IT) security systems can prevent data loss over the threshold as well as over the wire. By combining endpoint security with CCTV, physical access control systems and RFID, true perimeters can be created that can prevent data quite simply walking out of the door and into the cybercrime community.
Richard Walters, Product Director, Overtis Systems can be contacted at richard.walters@overtis.com