The Eighth Annual Conference
Thurs. Break-out Session
Richard Henson – Cybercrime – Latest Developments February 2014
Tally Ho Conference Centre, Birmingham
Hacking, Consumers, and Business in the Hyperconnected World
Richard Henson Worcester Business School
[email protected] http://staffweb.worc.ac.uk/hensonr
February 2015
Where does the Small Business fit in?
Hackers may be after corporate data, but don’t bother with SMEs… right? No, wrong, very wrong…
Hackers use weak security in SMEs to get at large businesses, or government…
And the Consumer
Being driven online for financial transactions
Has to send sensitive data through the Internet… potentially DANGEROUS!
Most self-taught, so many myths and untruths
Cyber security specialists screaming “be careful…” but few listening!
High Level Threat: The Reality
[Diagram: a hacker reaches corporate / UK critical infrastructure via the Internet (800+ million gateways!)]
No Joke! Known to US government for some years… In 2007, hackers exploited vulnerabilities to access/copy technical data of a US govt. fighter jet via networks with supply chain partners. Reported in 2009; prototype Chinese fighter, 2011
In 2009, “Night Dragon” threatened US energy
networks http://www.nextgov.com/nextgov/ng_20090421_4305.php
US government response...
Conclusion (US gov, 2009): “…there needs to be a new-order
requirement on companies doing business with the federal government.”
Public-private initiative: VP of McAfee wrote the strategy: http://www.inboundlogistics.com/cms/article/security-guard-questions-and-answers-with-dennis-omanoff/#sidebar1
If this could happen in the US… UK’s critical infrastructure also potentially under threat… from its business partners!
Information assurance scheme developed locally… IASME meets requirements of Cyber Essentials
New government certification: greater security in govt. supply chain…
Impact of Cyber Essentials on SMEs…? From October 2014: “sensitive” govt. contracts!
SMEs, and being hijacked!
SMEs, and even larger businesses, often don’t even know it’s happening… http://www.deloitte.com/view/en_GB/uk/services/audit/enterprise-risk-services/aaeeeb6f047b3310VgnVCM2000001b56f00aRCRD.htm
Features of this hack: keyloggers… malware via email attachment… others?
Why are businesses caught out…?
Why didn’t they detect the intrusion?
What should they have done to prevent their network being hijacked?
Which UK laws will have been broken?
How could they educate their employees? How could they make sure employees take notice?
The first big corporate hack…
TK Maxx hack started in 2005; still in business today… OK then?
Academic longitudinal study in 2012, from first penetration to final compensation payout
TK Maxx Study
July 2005: First breach, possibly started in Minnesota
September 2005: Second intrusion
September 2005: TJX plans to upgrade their wireless encryption.
October 2005: TJX begins upgrading their wireless encryption software.
November 2005: Fidelity Homestead (Louisiana savings bank) customers started noticing fraudulent transactions from Wal-Mart in Mexico.
January 2006: Fidelity Homestead discovers bogus purchases from various stores in California.
Fall 2006: $8 million worth of merchandise is purchased at various Wal-Mart stores in Florida.
May–December 2006: Third intrusion
September 29, 2006: TJX receives an audit report stating that they are not complying with Visa and MasterCard standards.
November 2006: Wal-Mart discovers $8M in fraudulent purchases.
December 18, 2006: An audit finds abnormalities in TJX card processing.
December 19, 2006: TJX hires IBM and General Dynamics Corp to investigate the problem.
December 22, 2006: TJX notifies the U.S. Secret Service and other law enforcement agencies of the breach.
December 26–27, 2006: TJX begins notifying banks and card issuers, FTC, SEC, etc.
TK Maxx continued
Early December 2006: TJX notifies Canadian authorities.
December 19, 2006 – January 17, 2007: Investigators try to catch the hackers in the act. TJX also is being investigated by the Privacy Commissioner of Canada.
January 17, 2007: TJX makes a public announcement of the breach and begins sending credit card lists to issuers.
January 19, 2007: The first set of class-action lawsuits is filed, followed by a number of lawsuits mostly in the U.S. and Canada.
January 2007: TJX completes the upgrade of their wireless encryption software.
February 21, 2007: TJX files a report that indicates a larger breach than initially thought (started earlier and of a larger scope).
October 24, 2007: The number of compromised cards may be as high as 94 million.
October 29, 2007: Fifth Third Bancorp is fined $880,000 by Visa for its role in the TJX case.
November 30, 2007: TJX settles with Visa. Settlement agreement is $41 million.
March 27, 2008: TJX and FTC settle. No monetary penalty is imposed.
April 2, 2008: TJX settles with Master Charge. Settlement agreement is $24 million.
Could the TK Maxx “triple intrusion” happen to a smaller business?
Conclusions: big company, brand managed, compensated customers and stakeholders promptly
Similarly with SONY hack of gamers’ details in 2010
Also had cyber insurance…
Criminal gangs mostly not caught… even with all those US police resources
What would happen… to a small business?
What about the business website?
Potentially highly vulnerable… shop window to the world can be “rearranged”; protected by a single password
Why would anyone be interested… competitor… ruin your reputation; anonymous etc… may think you are unethical
Other threats: SQL injection (database), cross-site scripting (divert customers)
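The two website threats named above, side by side with the fix a developer would apply, as an added illustration that is not part of the original slides. It uses only Python’s standard sqlite3 and html modules; the customer table, the function names and the inputs are all constructed for this example.

```python
import html
import sqlite3


def build_customer_db():
    """Constructed sample data standing in for the business website's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, name TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, name) VALUES (?, ?)",
        [("alice@example.com", "Alice"), ("bob@example.com", "Bob")],
    )
    return conn


def lookup_name_unsafe(conn, email):
    """SQL injection: the visitor's input is spliced into the query text,
    so a quote character in the input changes what the query means."""
    sql = "SELECT name FROM customers WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_name_safe(conn, email):
    """Hardened: a parameterised query. The input travels as a value,
    never as SQL text, so it can only ever be compared with an email address."""
    rows = conn.execute("SELECT name FROM customers WHERE email = ?", (email,))
    return [row[0] for row in rows]


def greeting_unsafe(display_name):
    """Cross-site scripting: untrusted text is placed straight into HTML,
    so any markup (or script) in it is rendered by the visitor's browser."""
    return "<p>Welcome, " + display_name + "</p>"


def greeting_safe(display_name):
    """Hardened: escape for the HTML context, so '<', '>' and quotes show as text."""
    return "<p>Welcome, " + html.escape(display_name, quote=True) + "</p>"


def demo():
    """Run both lookups and both renderers on the same constructed inputs."""
    conn = build_customer_db()
    # Constructed input: not any customer's address, but the unsafe query
    # treats the quote and the OR clause as SQL syntax, so the WHERE clause
    # becomes true for every row.
    probe = "nobody@example.com' OR '1'='1"
    return {
        "unsafe_rows": lookup_name_unsafe(conn, probe),  # every customer leaks
        "safe_rows": lookup_name_safe(conn, probe),      # no such address: nothing
        "unsafe_html": greeting_unsafe("<b>Bob</b>"),    # tags reach the browser
        "safe_html": greeting_safe("<b>Bob</b>"),        # tags shown as text
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The defensive lesson is the same for both: keep data and code in separate channels (query parameters for SQL, context-aware escaping for HTML) rather than trying to filter “bad” characters out of the input.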
Of Course Not!
Education: home users? small businesses?
New Laws? Robust enforcement of existing laws?
Better technology to defend against hackers? To go after cybercriminals…
Put data into The Cloud?
UK Government Advice
CESG website: list of 10 things for small businesses to do
CPNI website more detailed: guidelines include 20 named technical controls to minimize the chance of a data breach…
Problem: little guidance on physical or behavioural controls
Surveys consistently show 60-80% of breaches caused by people being people (!)
Predictions for 2014 coming true…
ZDNet (IT magazine) analysis: http://www.zdnet.com/cybersecurity-in-2014-a-roundup-of-predictions-7000023729/
7 lists. All included one new threat… security breaches of “Internet of Things”
Previous years’ predictions still growing: malware on mobile phones; breaches through merging of home and work computers
How does all this fit in with police work?
Prevent… advise SMEs on plugging vulnerabilities, raise staff awareness, reveal consequences of a breach
Protect… against criminal gangs, cyber bullies, etc.
Prepare… offer advice to (potential) victims, gather evidence for court
Pursue… catch the cybercriminals
At the “macro” level
Government (OCSIA) vision: “make Britain the safest place in the world to do
online business” potentially very good for UK business…
Bold aim: Make those dodos safe… How can the law & police work help society?
We’ve been there before: analogy
How safe were the roads in the 1920s? over 4000 deaths in 1926
And the 1930s/40s?
approaching 10000 deaths by 1941
And today? 1721 deaths in 2012… How come?
Technology and Society
New Technology opens up opportunities…
Society finds out ways to use that technology SAFELY to improve people’s lives… role for academics? politicians?
What if technology moves too quickly (c.f. motor car?)… society gets left behind
Academics and IT (especially Information Security)
A lot to answer for !?
Dangers started to emerge as soon as PCs became networked (mid-late 1980s)
Too timid? Stereotyped? Decision-makers didn’t understand? Just not listened to…
Relevant Research (not necessarily technical IT…)
Human factors: 60-80% of data breaches… employees (!) Why? What can be done about it?
Economics of Information security
Balancing costs of breaches v costs of “taking the risk”
Knowledge Transfer: feeding research findings to business
Lots of talk… more often with large companies
Not too much effective action?
SMEs don’t engage / not invited to engage; cascade model doesn’t work in a competitive environment
Technology Strategy Board
Set up in 2005: encourage development of new technology, address the knowledge transfer problem
Cyber Security KTN a welcome development
Cyber Security subsumed into IT (!) made advising SMEs on security even more difficult
The Good News
Relevant research areas in information security growing very rapidly…
Government funding for SME cyber security through TSB innovation vouchers
Police are catching cyber criminals
What can (all) SMEs do?
Become aware of the problem
Acknowledge that it relates to them
Demand more support from govt agencies to help deal with it…
What can the “savvy” SME do?
Get strategic support at board level: convincing ROI arguments
Devise a plan
Needs investment… assistance from TSB, affordable guidance from HEIs
What should the plan contain?
Information Security Policy: boorriinngg! maybe that local HEI can help…
Strategy for implementation of policy: that means… telling employees and being transparent
Otherwise this can happen: BBC IT, 2010
Internal and External Some confusion…
Internal Information System (company data)
Rest of the World via the Internet
Protection: good software, well configured
Internal
Employees using organisation’s information systems, wherever they may be…
must understand Information Security policy
must understand consequences of not adhering… may need an investment in education (again, HEI can help!)
External
Other people using organisation’s information systems: Partners… is access appropriate for purpose? Hackers…? All… website
How can you know?
Do we have a problem?
Perceptions “from the inside” quite different from “outside looking in”
Solution: Penetration Testing