IT Security and Cybercrime - How theory transforms into best practice? Arthur Keleti.

Date post: 24-Dec-2015

Transcript
Page 1: IT Security and Cybercrime - How theory transforms into best practice? Arthur Keleti.

IT Security and Cybercrime - How theory transforms into best practice? Arthur Keleti

Page 2

KFKI Rendszerintegrációs Zrt., 2009, Keleti Arthur 2

Agenda

Threats (Cybercrime)
• What is cybercrime from the practical point of view?
• What are the main risk factors, threats?
• Trends and problems in the EU

Solutions (IT Security)
• How does regulation materialize in the real world?
• Size, role, place of the IT Security organization locally
• Who are the role players of IT Security and where are the frontlines?
• What is the classic security procedure?
• Minimizing or eliminating risk in real life? IT Security solutions
• IT Security spending
• Future trends

Page 3

THREATS AND CYBERCRIME

Page 4

What could that be?

Land object
Width: ~6 m
Height: ~7 m
Age: 2000 years
Length: 6.400 km

The Great Wall of China

Page 5

Many changes, development on the wall
• A thousand years of building
• Watchtowers at 400 m distance
• 14 gates
• Continuous guard shifts on the full length

Page 6

The 1st gate: Shanhaiguan Gateway

Page 7

The 1st gate: Shanhaiguan Gateway

Page 8

Weak point: the human
General Wu Sangui, the most trusted, most faithful strategist, guarded the 1st gate.
There was a rebel among the inhabitants. Wu's "service" maid was kidnapped.
Wu, thinking he would get his lady back, willingly opened the gate for two thousand hundred Manchurian horsemen.
That put an end to the rule of the Ming dynasty.

Page 9

What is cybercrime from the practical point of view?

• It is “complicated” > simply 'crime' with some sort of 'computer' or 'cyber' aspect

• The Council of Europe's Cybercrime Treaty uses the term 'cybercrime' to refer to offenses ranging from criminal activity against data to content and copyright infringement [Krone, 2005]

• [Zeviar-Geese, 1997-98] suggests that the definition includes activities such as fraud, unauthorized access, child pornography, and cyberstalking

• The United Nations Manual on the Prevention and Control of Computer Related Crime includes fraud, forgery, and unauthorized access [United Nations, 1995] in its cybercrime definition

• Symantec says: any crime that is committed using a computer or network, or hardware device

Source: Symantec

Page 10

What is cybercrime from the practical point of view?

Type I cybercrime has the following characteristics:

• It is generally a single event from the perspective of the victim. For example, the victim unknowingly downloads a Trojan horse which installs a keystroke logger on his or her machine.

• It is often facilitated by crimeware programs such as keystroke loggers, viruses, rootkits or Trojan horses.

• Software flaws or vulnerabilities often provide the foothold for the attacker.

• Examples of this type of cybercrime include but are not limited to phishing, theft or manipulation of data or services via hacking or viruses, identity theft, and bank or e-commerce fraud.

Source: Symantec

Page 11

What is cybercrime from the practical point of view?

Type II cybercrime has the following characteristics:

• At the other end of the spectrum, it includes, but is not limited to, activities such as cyberstalking and harassment, child predation, extortion, blackmail, stock market manipulation, complex corporate espionage, and planning or carrying out terrorist activities

• It is generally an on-going series of events, involving repeated interactions with the target. For example, the target is contacted in a chat room by someone who, over time, attempts to establish a relationship. Eventually, the criminal exploits the relationship.

• It is generally facilitated by programs that do not fit under the classification of crimeware. For example, conversations may take place using IM (instant messaging) clients.

Source: Symantec

Page 12

Barclays chairman’s identity stolen

Marcus Agius, chairman of the board at Barclays Bank, was a victim of identity theft and fraud of 10.000 GBP. The amount was withdrawn from his account using a credit card trick.

The thief collected personal data of Agius and used them to deceive a help desk operator into sending him a new credit card as if he were Mr Agius himself. The card was sent to him. The thief took the card to a high street branch of Barclays and withdrew the amount.

"It was down to human error. Procedures were not followed fully and we have learned from it," Barclaycard told the BBC.

…Experts have already warned that 2008 will be a bumper year for identity fraudsters.

http://www.pcw.co.uk/vnunet/news/2207085/barclays-chairman-identity
By Iain Thomson, vnunet.com, 11 Jan 2008

Page 13

How do hackers work? Real-life example of hacking into the FBI's National Crime Information Center in 6 hours, Chris Goggans, pen tester
Source: http://www.infosecnews.org/hypermail/0805/14877.html, May 27, 2008

1. Goggans (PatchAdvisor Inc.), during a routine network scan, discovered a series of unpatched vulnerabilities in the civilian government agency's Web server.

2. He used a hole in the Web server to pull down usernames and passwords that were reused on a host of enterprise systems.

3. In those systems, he found further account details that allowed him to get Windows domain administrator privileges -- a classic escalation-of-privileges attack.

4. Using this privileged access, he was able to gain full control of almost all Windows-based systems in the enterprise, including workstations used by the on-site police force.

5. He noticed that several police workstations had a second networking card installed that used the SNA protocol to directly talk to an IBM mainframe.

6. By covertly installing remote control software on those workstations, he found programs on their desktops that automatically connected the workstations to the FBI's NCIC database.

7. "That software, coupled with a keystroke capture program, would allow an attacker to grab the credentials needed to log into the FBI's National Crime Information Center database," Goggans says.

Page 14

Cybercrime – two things to know, No. 1: Hackers, Agencies

• Don't care about regulations
• Don't know borders or continents
• Are awake when we are asleep
• Know a lot more about IT than a regular IT employee
• Tend to erase their tracks
• Target more and more precisely
• Capable of unleashing attack/intelligence powers that could be beyond our resource capacity to block

Page 15

Cybercrime – two things to know, No. 2: Employees

• Know more about our organization than anybody else
• Are part of critical business procedures
• Are difficult to manage 100% properly from the HR point of view
• Differ widely in IT knowledge and in level of education
• Tend to be negligent towards regulations and controls affecting their freedom
• Are more naive than suspicious

Page 16

Summary Threat Timeline 2008

Page 17

Current Threats 2008

Page 18

Trends and threats in the EU

• Data theft represents the primary information security threat – more significant than either viruses or hacker infiltration

• Of all possible results of compromised information security, the threat of leakage of confidential information is keeping more members of the IT department (93%) awake at night than any other

• Europe’s primary data leakage channels are identified as portable storage devices, e-mail, and Internet-based channels such as web-mail and forums

• Only 11% of those surveyed were confident their company’s information security had not been breached over the last year

• The lack of industry standards is highlighted as the primary obstacle (42%) to wider implementation of anti-leakage technologies

Source: InfoWatch Internal IT Threats in Europe 2006

Page 19

Trends and threats in the EU (top threats)

Source: InfoWatch Internal IT Threats in Europe 2006

Page 20

Trends and threats in the EU (internal vs. external)

Source: InfoWatch Internal IT Threats in Europe 2006

Page 21

Trends and threats in the EU (internal threats)

Source: InfoWatch Internal IT Threats in Europe 2006

Page 22

Trends and threats in the EU (primary information leakage concerns)

Source: InfoWatch Internal IT Threats in Europe 2006

Page 23

SOLUTIONS (IT SECURITY)

Page 24

How does regulation materialize in the real world?

Page 25

Page 26

[Organization chart: alternative placements of the IT Security function (Security I. to Security V.) relative to Management (CEO), IT, Financial, Risk Assessment, Physical security and a Global IT Security function; each placement has its own Report ("Riport") and Budget lines.]

Size, role, place of the IT Security organization locally

Page 27

Changing of roles

[Chart: responsibility, cost and position of the IT Security function plotted against its size (headcount: 0.5, 1, 1-2, 2, 2-3, 4, 5-7, 8-9), with outsourcing possibilities marked per size. Responsibilities shown: outer, seasonal control; development and control of the criteria system; making of internal documentation; ongoing control of operation; regular check of system logs; operation of certain systems related to IT Security, i.e. IDAM; operation of certain IT Security systems, i.e. firewalls; handling of incidents, prevention, development; full IT Security system operation. Positions shown: lone ranger; part of operation; separate division / shared budget; separate division.]

Size, role, place of the IT Security organization locally

Page 28

Who are the role players of IT Security and where are the frontlines?

Role player: the role player's duty and motivation regarding the system, the function, the procedures and the users

IT operation (i.e. CIO): the system is working well, is efficient; the function is available, could be used; procedures are in operation, are fast, are reported; users are kings.

Developer (i.e. CDO): the system must change, improves; the function is to be made, is comfortable; procedures are part of the application; users are to be happy, limits reached.

IT Security (i.e. CSO): the system is secure, will NOT change; the function is controlled, is monitored; procedures are controlled, are monitored; users: faults blocked, are restrained.

Company and organizational motifs, its will and strategy

Page 29

What is the classic security procedure? Where are the possibilities of outsourcing?

[Flow diagram. Inputs: Regulations (i.e. PSZÁF, laws, company policies) and Risk assessment.]

Assessment: Methods i.e. CobIT; Tools i.e. Carisma
Actions:
  Docs: Policies, BCP, DRP, Operation documentation…
  Technology: Firewall, IPS, PKI, Antivirus, Log analysis
  Procedures
Monitoring
Control
Report
Feedback

Potential of outsourcing is marked on each step ("Outsource").

Page 30

What are the typical IT Security technology areas? IT Security solutions, and what are they good for?

Risk assessment and vulnerability management: to know where the problems are
Ethical hacking and social engineering: to find problems from outside
Audit of security configuration on servers and clients: to know if they are secure
Antivirus (client, server, gateway, content filter) – appliance and software solutions: to shield against viruses and other malware
Firewall systems (two defense lines, different technology): to block attacks
Intrusion Prevention System (IPS) – host and gateway side: to detect exploit attempts
End-point security solutions: to prevent theft of data
Digital signature and PKI (Public Key Infrastructure): to provide non-repudiation
Policy enforcement: to keep those rules on track
Data Leak Protection solution (i.e. hard drive encryption or USB port protection): to protect the data in motion, at rest, in use
Log analyzing and incident handling (SIEM) solution: to find out what's happening
Identity and Access, Rights management solutions (IDAM): to regulate access, rights

Page 31

Gartner says: Markets Converging: Endpoint Security, IAM and SWG

Endpoint Security, Endpoint Protection Platform: Antivirus, Personal Firewalls, Host Intrusion Prevention, Data Loss Prevention, Disk and Data Encryption, NAC

Identity Access Management, IAM Suites: Directory, User Provisioning, Workflow, Identity Auditing/Reporting, Web Access Management

Internet Gateway Security, Secure Web Gateway Suite: URL Filtering, Malicious Code Filtering, Web Application-Level Control

Page 32

Data Leakage Problem – Outer, frame-layer

Laws, Standards, Audits, Internal regulations, Financial possibilities

The most important:
• 1992. LXIII. act on protecting personal data and publicly available information, simply speaking the DATA PROTECTION act, and its extension, the 2003. XLVIII. act as a modification of the 1992. LXIII. act
• ISO/IEC 17799:2000, BS 7799-1:1999 and BS 7799-2:1999, MSZ ISO/IEC 17799:2006, MSZE 17799-2:2004, Cobit

Page 33

Data Leakage Problem – Abstraction layer

Data routes, Processes, Users, people, Roles, duties, Administrators

Data…
• how much value do they represent for the company? Is their protection efficient?
• who would get access to them and what could be done to them?
• are there properly developed rules and processes to handle them?
• classification? Where do they materialize, where and for how long do we store them?
• access? Information should be available to those who need it for completing their tasks.
• Not to store them unnecessarily, but to have them promptly available when needed.

Page 34

Data Leakage Problem – Technology layer

Page 35

Data Leakage Problem – the three layers together

Outer, frame-layer: Laws, Standards, Audits, Internal regulations, Financial possibilities
Abstraction layer: Data routes, Processes, Users, people, Roles, duties, Administrators
Technology layer: Servers, Laptops, Mobile equipment, Configuration, Application, Databases

Page 36

Benefits and results – Outer, frame-layer and Abstraction layer

Developing a control environment for handling of data:
• Preparation of data mapping, i.e. data – data owner, financial factors of risks, i.e. frequency of access, required availability
• IT Security classification of data
• Developing a policy environment, i.e. roles, duties, responsibilities
• Regulation of Data Classification Procedures, i.e. handling of classified data: creation, handling, access, deletion, modification, archiving
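As an added illustration of the data-mapping and classification procedure listed above (example code written for this page, not from the presentation or from any vendor it names): each data set is recorded with its owner, financial risk factor, access frequency and required availability; a classification level is derived from those factors; and the controls actually in place are compared with the controls that level demands. The level names, thresholds, control names and the sample inventory are hypothetical.

```python
"""Data mapping and classification check (added example, hypothetical names)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Handling controls required per classification level. Level and control
# names are hypothetical; they cover the creation/handling/access/deletion/
# archiving procedures the slide lists.
CONTROLS = {
    "public":       {"access": "none",          "at_rest": "plain",     "deletion": "simple"},
    "internal":     {"access": "authenticated", "at_rest": "plain",     "deletion": "simple"},
    "confidential": {"access": "role-based",    "at_rest": "encrypted", "deletion": "secure-wipe"},
    "restricted":   {"access": "named-users",   "at_rest": "encrypted", "deletion": "secure-wipe"},
}

# Ordering of control strength, so that a weaker control than required is a gap.
STRENGTH = {
    "access":   {"none": 0, "authenticated": 1, "role-based": 2, "named-users": 3},
    "at_rest":  {"plain": 0, "encrypted": 1},
    "deletion": {"simple": 0, "secure-wipe": 1},
}


@dataclass
class DataAsset:
    """One row of the data map: the risk factors the slide names."""
    name: str
    owner: Optional[str]            # data owner; None means the mapping is incomplete
    financial_impact: int           # estimated loss on leakage, in money units
    access_per_day: int             # frequency of access
    required_availability: float    # e.g. 0.999
    personal_data: bool = False     # personal data falls under the data protection act


def classify(asset: DataAsset) -> str:
    """Derive the classification level from the mapped risk factors (hypothetical thresholds)."""
    if asset.personal_data or asset.financial_impact >= 1_000_000:
        return "restricted"
    if asset.financial_impact >= 100_000:
        return "confidential"
    if asset.financial_impact > 0:
        return "internal"
    return "public"


def availability_tier(asset: DataAsset) -> str:
    """Where the data should live, from access frequency and required availability."""
    if asset.required_availability >= 0.999 or asset.access_per_day >= 100:
        return "hot"        # redundant, monitored storage
    if asset.access_per_day == 0:
        return "archive"    # not in use: archive or delete rather than keep online
    return "warm"


def required_controls(asset: DataAsset) -> Dict[str, str]:
    controls = dict(CONTROLS[classify(asset)])
    controls["storage"] = availability_tier(asset)
    return controls


def mapping_gaps(asset: DataAsset, current: Dict[str, str]) -> List[str]:
    """Compare the controls actually in place with those the classification demands."""
    gaps = []
    if not asset.owner:
        gaps.append("no data owner assigned")
    wanted = required_controls(asset)
    for key, order in STRENGTH.items():
        have = current.get(key, min(order, key=order.get))   # missing control = weakest
        if order[have] < order[wanted[key]]:
            gaps.append(f"{key}: {have}, required {wanted[key]}")
    have_storage = current.get("storage", "warm")
    if wanted["storage"] == "hot" and have_storage != "hot":
        gaps.append(f"storage: {have_storage}, required hot")
    elif wanted["storage"] == "archive" and have_storage == "hot":
        gaps.append("storage: hot, but data is not in use (archive or delete)")
    return gaps


def review_inventory(inventory: List[DataAsset], controls: Dict[str, Dict[str, str]]):
    """Classification and open gaps for every asset in the data map."""
    return {a.name: {"classification": classify(a),
                     "gaps": mapping_gaps(a, controls.get(a.name, {}))}
            for a in inventory}


# Constructed sample data map and the controls currently in place (hypothetical).
INVENTORY = [
    DataAsset("payroll-db", "hr-lead", financial_impact=500_000, access_per_day=40,
              required_availability=0.99, personal_data=True),
    DataAsset("price-list", None, financial_impact=20_000, access_per_day=300,
              required_availability=0.999),
    DataAsset("old-marketing-drafts", "marketing", financial_impact=0, access_per_day=0,
              required_availability=0.9),
]
CURRENT_CONTROLS = {
    "payroll-db":           {"access": "role-based",    "at_rest": "plain", "deletion": "secure-wipe", "storage": "hot"},
    "price-list":           {"access": "authenticated", "at_rest": "plain", "deletion": "simple",      "storage": "warm"},
    "old-marketing-drafts": {"access": "none",          "at_rest": "plain", "deletion": "simple",      "storage": "hot"},
}

if __name__ == "__main__":
    for name, result in review_inventory(INVENTORY, CURRENT_CONTROLS).items():
        print(name, result["classification"], result["gaps"])
```

The review reports, per asset, the derived level and every control that is weaker than the level requires, plus the two procedural findings the slide stresses: a data set without an owner, and data kept online although nobody uses it.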

Page 37

Benefits and results – Technology layer

1. Encryption of mobile equipment and personal computers. For protecting certain areas: the well known PGP, Utimaco; or full disk encryption: Pointsec (Checkpoint), McAfee, Utimaco etc.

2. It is important to follow the data in motion in order to block data leakage. Mobile tools (i.e. USB): Pointsec (Checkpoint), McAfee, Utimaco, Microsoft etc. Complex national developments: e.g. EagleEyeOS, ISeeSec for Hungary.

3. Content Monitoring and Filtering: Websense and Surfcontrol. Data Loss Prevention solutions: McAfee Data Loss Prevention.

4. Continuously monitoring the logs of applications. SIEM category: Symantec, Attachmate (NetIQ), EMC (RSA enVision), Cisco (Mars).
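As an added illustration of points 2 and 4 above (example code written for this page, not from the presentation or from any SIEM product it names): a small correlation engine that reads constructed syslog-style lines and raises an alert when a large copy to removable media follows a USB attach by a user outside an allowlist (data on the move), or when a successful login follows a burst of failed logins from the same source (continuous log monitoring). The log format, field names, thresholds and the allowlist are assumptions.

```python
"""Two SIEM-style correlation rules over constructed log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <host> <program>: <message>" (assumed format).
LOG_LINES = """\
2009-03-10T09:00:01 ws-17 kernel: usb-storage: device attached serial=CONSTRUCTED01 user=alice
2009-03-10T09:00:45 ws-17 fileaudit: copy user=alice dest=/media/usb0 bytes=734003200
2009-03-10T09:05:10 srv-01 sshd: Failed password for bob from 10.0.0.5
2009-03-10T09:05:12 srv-01 sshd: Failed password for bob from 10.0.0.5
2009-03-10T09:05:15 srv-01 sshd: Failed password for bob from 10.0.0.5
2009-03-10T09:05:20 srv-01 sshd: Accepted password for bob from 10.0.0.5
2009-03-10T09:30:00 ws-22 kernel: usb-storage: device attached serial=CONSTRUCTED02 user=it-backup
2009-03-10T09:31:00 ws-22 fileaudit: copy user=it-backup dest=/media/usb0 bytes=2147483648
2009-03-10T10:00:00 srv-02 sshd: Failed password for carol from 10.0.0.9
2009-03-10T10:30:00 srv-02 sshd: Accepted password for carol from 10.0.0.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")
FAIL_RE = re.compile(r"Failed password for (\S+) from (\S+)")
OK_RE = re.compile(r"Accepted password for (\S+) from (\S+)")

# Rule parameters (hypothetical values).
MEDIA_ALLOWLIST = {"it-backup"}           # accounts permitted to write to removable media
COPY_THRESHOLD = 100 * 1024 * 1024        # bytes copied before it counts as bulk
MEDIA_WINDOW = timedelta(minutes=10)      # attach-to-copy correlation window
FAIL_THRESHOLD = 3                        # failed logins before a success is suspicious
AUTH_WINDOW = timedelta(minutes=5)


def parse(lines: str):
    """Turn raw lines into event dicts; key=value pairs in the message become fields."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # unparseable line: skipped, a real SIEM would count it
        ev = {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
              "prog": m["prog"], "msg": m["msg"]}
        ev.update(KV_RE.findall(m["msg"]))
        events.append(ev)
    return events


def removable_media_alerts(events):
    """Bulk copy to removable media shortly after a USB attach by a non-allowlisted user."""
    alerts, attached = [], {}             # attached: (host, user) -> attach time
    for ev in events:
        if "usb-storage: device attached" in ev["msg"]:
            attached[(ev["host"], ev["user"])] = ev["ts"]
        elif ev["prog"] == "fileaudit" and ev.get("dest", "").startswith("/media/"):
            t0 = attached.get((ev["host"], ev["user"]))
            if t0 is None or ev["ts"] - t0 > MEDIA_WINDOW:
                continue
            if int(ev["bytes"]) < COPY_THRESHOLD or ev["user"] in MEDIA_ALLOWLIST:
                continue
            alerts.append({"rule": "removable-media-copy", "ts": ev["ts"], "host": ev["host"],
                           "user": ev["user"], "bytes": int(ev["bytes"])})
    return alerts


def brute_force_alerts(events):
    """Successful login preceded by FAIL_THRESHOLD failures from the same source."""
    alerts, failures = [], defaultdict(list)   # (host, user, src) -> failure timestamps
    for ev in events:
        if ev["prog"] != "sshd":
            continue
        m = FAIL_RE.search(ev["msg"])
        if m:
            failures[(ev["host"], m.group(1), m.group(2))].append(ev["ts"])
            continue
        m = OK_RE.search(ev["msg"])
        if m:
            key = (ev["host"], m.group(1), m.group(2))
            recent = [t for t in failures.get(key, []) if ev["ts"] - t <= AUTH_WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                alerts.append({"rule": "brute-force-success", "ts": ev["ts"], "host": ev["host"],
                               "user": m.group(1), "src": m.group(2), "failures": len(recent)})
            failures.pop(key, None)      # a success closes the failure series
    return alerts


def run_rules(lines: str):
    events = parse(lines)
    return sorted(removable_media_alerts(events) + brute_force_alerts(events), key=lambda a: a["ts"])


if __name__ == "__main__":
    for alert in run_rules(LOG_LINES):
        print(alert)
```

Run against the constructed log, the engine raises exactly two alerts: alice's 700 MB copy to a just-attached USB device, and bob's login that succeeded after three failures within the window. The backup account's copy is suppressed by the allowlist and carol's single failure never reaches the threshold, which is the kind of tuning that keeps a log-monitoring team from drowning in noise.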

Page 38

Benefits and results – Technology layer

Source: Gartner Hype Cycle for Data and Application Security, 2007

Page 39

Roles and how they affect each other? Europe, Hungary 2008

[Diagram of role players and the influences between them: Distributor, System integrator, Consultant, Vendor and Client; Laws, rules etc.; Control: PSZÁF, ÁSZ, other control authorities i.e. NHH; Strategy, shareholder; Technological and worldwide trends; Real risks; Sector specific standards i.e. ISO, Cobit, BASEL II. Sectors: Financial, Telco, Governmental, Industry.]

Page 40

Budget? Just how much should we spend on IT Security?

• It depends on the role
• If one operates IT Security, he needs shifts, professional knowledge, certification (vendor + CISA, CISSP): manageable and measurable security. That is definitely not cheap.
• If one "just" analyses logs and monitors the IT Security components operated by someone else, he needs the eye of a professional and some technology to get the most out of logs and available resources; that's not cheap either, but requires fewer people.
• What market research says: a middle-size company should spend at least 15-20% of their IT budget on IT security. That's a lot. Today, most of those companies are not spending that much here in Hungary.

Page 41

EMEA IT Security Services Market Overview (according to Gartner 01.2008)

• The 2008 IT security services market is expected to increase about 9% compared with 2007.

• Spending on IT security services will reach $8.7 billion by 2010.

• IT management services will be the fastest-growing sector, while the more-sizable consulting services segment is expected to grow at a much lower rate.

Page 42

Forecast: IT Security Services, EMEA, 2004-2010 (according to Gartner)

[Bar chart: years 2004 to 2010 on one axis, Millions of Dollars (0 to 4,000) on the other; series: IT Management; Development and Integration; Consulting; Software Support; Hardware Maintenance and Support.]

Page 43

Questions?

Thank you for staying with us!

[email protected]@yahoo.com

Page 44

Course questions

1. What is the most significant, top threat for EU IT Security? (one answer applies)

• A. Data theft
• B. Virus attacks
• C. Spam attacks
• D. Malware problems

Page 45

Course questions

2. What source were most of the attacks coming from at a typical organization in the EU in 2006? (one answer applies)

• A. Internal attacks (80%)
• B. Internal attacks (55%)
• C. External attacks (55%)
• D. External attacks (75%)

Page 46

Course questions

3. What would you think the best place is for the IT Security division in the organizational chart? (one answer applies)

• A. Under IT operation, CIO
• B. Under CEO, management
• C. Under Financial department
• D. Under Physical Security division

