Running head: THE FIGHT AGAINST CYBER CRIME The Fight Against Cyber Crime: What Can We Do? Abstract Cyber crime is on the rise and every organization must recognize the danger and take necessary steps to help mitigate the threat. While many institutions worry more about hackers than cyber criminals, it is cyber crime that can cause the most damage. A hacker is more easily detected while a cyber criminal may already be in your network undetected. While a hacker may try to breach a network for the thrill or to annoy, a cyber criminal will breach a network for monetary gain.
This paper is intended to point out some of the risks of cyber crime and what a financial institute can do to help mitigate the threat of attack. Keywords: cyber crime, cyber attack, Information Technology Information Sharing and Analysis Center, IT-ISAC, Financial Services Information Sharing and Analysis Center, FS-ISAC The Fight Against Cyber Crime: What Can We Do? While many institutions worry more about hackers than cyber criminals, it is cyber criminals that should make us more wary.
A hacker is more easily detected while a cyber criminal may already be in your network undetected. While a hacker may try to breach a network for the thrill value or to annoy their victim, a cyber criminal will breach a network for monetary gain. This may include “data acquisition and storage, stealthy access to systems, identity collection and theft, misdirection of communications, keystroke identification, identity authentication, and botnets, among others” (Deloitte, 2010).
According to a survey conducted in August 2011 by Ponemon Institute, for the 50 participating companies (see chart 1), the average time it takes an organization to resolve a cyber attack is 18 days with an average cost of $23,000 a day. An insider attack can average 45 days to contain. This does not include the value of any data lost, modified, or stolen in the process. This survey also showed the average annualized cost of cyber crime to financial institutions was $14,700,000 for 2011, up from $12,370,000 the previous year (see Chart 2).
Chart 3 summarizes the types of attack methods experienced by the companies that participated in the survey (Ponemon, 2011). According to security firm Imperva, “The average large business sees 27 attacks per minute hitting its Website. Attackers can use automation technologies to generate up to seven attacks per second, or 25,000 attacks per hour” (Rashid, 2011). To build a sufficient IT security posture, it is important to assume that an unauthorized user can gain access to the network, and then structure the network to best protect the most valuable data.
The valuable data can then “be tagged and monitored so that the organization knows where it is, where it is going, where it has gone, and on whose authority” (Deloitte, 2010). The organization also needs to understand that they need to not only monitor what is coming into their network but also what is leaving their network. This will help “detect activities enabled by techniques and technologies that mimic, exploit, or piggyback on the access of authorized users” (Deloitte, 2010).
Using standard firewalls and anti-virus programs alone will not accomplish this. The organization must take a more proactive approach to protect its financial data. Now that we know what we need to do, how do we accomplish this? Some very basic steps include employee screening, employee training to help mitigate against social engineering, disabling account access of terminated employees, ensuring software updates and patches are properly implemented, and ensuring firewalls are properly configured.
More advanced steps include, but are not limited to, setting up a demilitarized zone to help block the network from outside access, installing a honeynet system to look like an authentic part of the network to entice and trap intrusion attempts for further analysis, installing hard drive encryption and remote data wipe capability on all laptops and other mobile devices, and requiring smart card and pin number authentication (or some other form of multifactor authentication) to access sensitive data.
The Ponemon survey revealed companies utilizing security information and event management (SIEM) solutions such as these average 24 percent less expense in dealing with cyber crime attacks (see chart 5). This reduction in cost is because companies that use SIEM solutions are better able to detect and contain, and therefore recover, from such attacks (see chart 6). Another important step for a financial institute to take is to become a member of the FS-ISAC (Financial Services Information Sharing and Analysis Center).
The FS-ISAC was founded in 1999 and led the way for the IT-ISAC (Information Technology Information Sharing and Analysis Center) which was founded in 2001. The purpose of these groups is for organizations to have the opportunity to share the security attacks and vulnerabilities they have experienced with other organizations in their field of industry. Given the sophistication, complexity, and evolution of cyber crime technologies and techniques, no sizable organization can plan and implement the necessary response alone. CIOs, CSOs, CROs, and cyber security rofessionals should share information, techniques, and technologies in their battle against cyber crime. (Deloitte, 2010) The importance of FS-ISAC was proven in 2000 when member companies where saved from a major denial-of-service attack that many other companies experienced (Hurley, 2001). As shown in chart 4, a denial-of-service attack can be costly. A more recent example of FS-ISAC at work is the August 23, 2011 report of the Help Net Security (International) Ramnit worm which uses Zeus Trojan tactics for banking fraud.
As the FS-ISAC points out, “When attacks occur, early warning and expert advice can mean the difference between business continuity and widespread business catastrophe” (FS-ISAC, 2011). Knowing and having the chance to combat against these attacks can save an institute millions. In conclusion, financial institutions must stay vigilant to current and new cyber threats. Table 1 through 3 gives a breakdown of cyber threats and controls that can help reduce the impact if these threats become reality. It is important for an organization to enroll in its respective ISAC and to share in the lessons learned from previous attacks.
While it would be almost impossible to learn about and prevent every type of attack, staying vigilant will help reduce the likelihood and the impact. References Deloitte Development LLC. (2010). Cyber Crime: A Clear and Present Danger. Retrieved December 23, 2011, from the World Wide Web: http://eclearning. excelsior. edu/webct/RelativeResourceManager/Template/pdf/M7_Deloitte_CyberCrime. pdf FS-ISAC. (2011). Current Banking and Finance Report, Retrieved 24 December, 2011, from the World Wide Web: http://www. fsisac. com/ Hurley, E. (2001, January 29).
IT-ISAC: A Matter of Trust. Retrieved 24 December, 2011, from the World Wide Web: http://searchsecurity. techtarget. com/news/517824/IT-ISAC-A matter-of-trust Ponemon Institute LLC. (2011, August). Second Annual Cost of Cyber Crime Study. Retrieved December 24, 2011, from the World Wide Web: http://www. arcsight. com/collateral/whitepapers/2011_Cost_of_Cyber_Crime_Study_August. pdf Rashid, F. (2011, July 25). Cyber-Criminals Use Botnets, Automation to Launch Multiple Blended Attacks. Retrieved December 24, 2011, from the World Wide Web: http://www. week. com/c/a/Security/CyberCriminals-Use-Botnets-Automation-to-Launch-Multiple-Blended-Attacks-656032/ Chart 1. Sample of Participating Companies by Industry (Ponemon, 2011) Average annualized cost by industry sector ($1M) *Industry was not represented in the FY2010 benchmark sample. Chart 2. Average annualized cost by industry sector (Ponemon, 2011) Types of Attack Methods Experienced Chart 3. Types of Attack Methods Experienced (Ponemon, 2011)
Average annualized cyber crime cost weighted by attack frequency *The FY 2010 benchmark sample did not contain a DoS attack. Chart 4. Average annualized cyber crime cost (Ponemon, 2011) Comparison of SIEM and non-SIEM sub-sample of average cost of cyber crime Chart 5. Comparison cost of SIEM and non-SIEM companies (Ponemon, 2011) Chart 6 Percentage cost for recovery, detection & containment (Ponemon, 2011) categoryFinancial Impact Regulatory ComplianceIndustry Reputation 4CriticalIncrease in costs greater than $1MFines in excess of $1MSignificant, sustained negative media exposure.
Significant loss of business due to blemish on public image. 3MajorIncrease in costs $100K to $1MFines between $100K and $1MNegative media exposure. Loss of business due to blemish on public image. 2ModerateIncrease in costs less than $100KFines under $100KSome negative media exposure. Slight loss of business due to blemish on public image. 1MinorNo significant cost increase expectedNo fines expectedNo media exposure or loss of business expected. Table 1. Impact 4Imminent 3Highly Likely 2Possible 1Unlikely Table 2. Probability PxI (before controls / after controls)
Financial Impact Regulatory Compliance Industry Reputation Controls Denial of service1x3=3 / 1x2=21x3=3 / 1x1=11x4=4 / 1x2=2Implement router filters, install patches to guard against SYC flooding, disable unused services Web-based attack2x3=6 / 2x2=42x3=6 / 2x2=42x4=8 / 2x2=4Restrict website access to only what customer needs, disable account log-in after 3 failed log-in attempts, require multifactor authentication to access sensitive data Malicious code2x4=8 / 2x2=42x4=8 / 2x2=42x4=8 / 2x2=4Software updates and patches, anti-virus and anti-spam software pdates, firewall configuration, employee training Malicious insider1x4=4 / 1x2=21x4=4 / 1x2=21x4=4 / 1x2=2Employee screening, disable account access for terminated employees, require multifactor authentication for access to data servers, least privilege, separation of duty Phishing & social engineering 2x3=6 / 1x3=32x3=6 / 1x3=32x3=6 / 1x3=3Employee training, least privilege, separation of duty Stolen devices2x4=8 / 2x1=22x4=8 / 2x1=22x4=8 / 2x1=2Hard drive encryption, remote data wipe capability Botnets 3x3=9 / 3x1=33x3=9 / 3x1=33x3=9 / 3x1=3Software updates and patches, anti-virus and anti-spam software updates, firewall configuration, employee training Malware3x3=9 / 3x1=33x3=9 / 3x1=33x3=9 / 3x1=3Software updates and patches, anti-virus and anti-spam software updates, firewall configuration, employee training Viruses, worms, trojans4x3=12 / 4x1=44x3=12 / 4x1=44x3=12 / 4x1=4Software updates and patches, anti-virus and anti-spam software updates, firewall configuration, employee training Table 3. Risk Analysis