The Cancer Running Through IT Cybercrime and Information Security

Transcription

1 WHITE PAPER The Cancer Running Through IT Prepared by: Richard Brown, Senior Service Management Consultant Steve Ingall, Head of Consultancy 60 Lombard Street London EC3V 9EA T: +44 (0) E: icore 2014 P a g e 1

2 WARNING icore believe that Cybercrime is such a serious threat to your businesses that we are giving you the main links here: For details on cybercrime on the UK Government website click here. For details on cybercrime on the New Scotland Yard click here. For details on cybercrime on the FBI website click here. 1 Executive Summary Information Security is becoming rapidly more important, with ever increasing incidents of data theft or other cybercrime and associated costs of recovery. Government and Businesses are expending more resource on training, live exercises, specialist staff, accreditations and improved systems to detect and prevent intrusions and recover after an incident. The Finance sector are amongst those taking cybercrime very seriously with the Bank of England running two live exercises (2011 and 2013) in the last 3 years with participating organisations representing a broad range of financial firms, infrastructure providers and financial authorities. The Bank of England has in February 2014 published the results of their second cybercrime exercise, Waking Shark II, with recommendations for further action which include the need for better coordination of communication between organisations affected by cybercrime, the requirement for organisations to report major incidents to relevant regulatory bodies as soon as possible, and the need to report cybercrimes that constitute criminal offences to the appropriate authorities including law enforcement. UK Government has committed 650 million to the National Cyber Security Programme (NCSP) to improve the nation's cyber capabilities in order to help protect the UK's national security, its citizens and growing economy in cyber space. As the Government strives to reduce overall expenditure, it is of note that this significant resource is being directed against online threats. 2 Background Cybercrime is defined by the Cabinet Office as the illegal activities undertaken by criminals for financial gain by exploiting vulnerabilities in the use of the internet, and icore 2014 P a g e 2

3 other electronic systems to illicitly access or attack information and services used by citizens, business and the Government. Threats to cyber security manifest themselves in the following ways: Theft of intellectual property (IP) Industrial espionage Access to government and defence related information Disruption to government and industry service Exploitation of information security weaknesses, by targeting partners, subsidiaries and supply chains at home and abroad. The Cabinet Office estimated in 2011 that the annual cost of Cybercrime in the UK was 27BN and growing. The biggest losers by sector are: Financial Services Software and Computer Services Electronic and Electrical Equipment Pharmaceuticals and Biotech Mining, Aerospace, Chemicals, and Charities 3 Real Examples of Cyber Threats The following are some of the real examples of cybercrime from the last few years, some of which had significant economic impact on the victims: Stuxnet Worm (July 2010). This was used to target industrial control systems, and seemed to be directed at Iran and its nuclear programme. It allowed hackers to manipulate real world equipment without operators knowing. The worm targeted Siemens systems used in the energy sector to control nuclear and gas infrastructure and also manufacturing and automotive industries. The complexity and access to systems involved indicated a highly organised and well-funded project. Operation Aurora (December 2009). Google detected a highly sophisticated and targeted attack on its corporate infrastructure originating from China. The attack was found to have installed malware via on computers in another 30 companies and Government Agencies. Large scale fraud (2009/10). An Essex based gang, linked to Eastern Europe was prosecuted for an online fraud making 2m a month by stealing log in details from 600 UK bank accounts and tricking users into providing additional information. The Police e- crime unit working with the banking sector detected the fraud which targeted weak security on individuals computers using Zeus Trojan malware. Malware targeting SMEs (September 2013). icore 2014 P a g e 3

4 The National Cyber Crime Unit (NCCU) warned of a mass borne malware campaign. The s appear to be from financial institutions but carry a malicious attachment that can install Cryptolocker malware, which is a type of ransomware. It was estimated that 250,000 PCs were affected. The malware was designed to encrypt files on the infected computer and any network it is attached to and then demand payment of around 500 to unlock the files. Snowden (2013). Edward Snowden worked for the National Security Agency (NSA) in the US, and disclosed a huge number of top secret NSA documents to several media outlets including the Guardian newspaper in the UK. The leaked documents revealed operational details of global surveillance apparatus run by the NSA and other commercial and international partners. Snowden was charged with Espionage and theft of government property. Whatever the rights and wrongs of what he did, the fact remains that his actions revealed a serious failure by the NSA to adequately control and protect their data. Barclays Bank computer theft (Sept 2013). A gang stole 1.3m from Barclays Bank after taking control of a computer. This was done simply by a gang member pretending to be an IT engineer, gaining access to a high street branch and deploying a KVM switch attached to a 3G router, which then subsequently gained access to the branch server. Funds were transfer to accounts owned by the gang. A similar attack was planned on a branch of Santander but was foiled. The gang members were arrested. Marriott Hotel Data Breach (Feb 2014). Fraud involving several hundreds of credit cards was linked to a number of Marriott Hotels in the US. The same article in Information Week also referred to the theft of 40 million credit and debit card details from a company called Target also in the US. The latest updates on Cybercrime from the BBC click here. 4 Types of Cyber Crime and the effect on Business There are several distinct flavours of cybercrime that can affect business: Theft from Business. Cyber criminals steal revenue online directly from businesses, which involves fraudulently obtaining access and looting company accounts and monetary reserves. In some cases this activity is assisted by an insider. Extortion. Cyber criminals hold a company to ransom by a deliberate denial of service (DOS) attack or by manipulating company website links, which can lead to extensive brand damage (for example redirecting links to a pornography website). Customer data loss. Theft of sensitive customer data (such as customer financial, medical or criminal record details) with the purpose of selling the icore 2014 P a g e 4

5 data on to other criminal networks or using it themselves. Industrial Espionage. This takes many forms such as a rival organisation illegally accessing confidential information to gain competitive advantage, or to gain insider information at an early stage of an M&A deal. IP Theft. Criminals sponsored by rival organisations or nation states, steal ideas, designs, product specifications, trade secrets process information or methodologies which can erode competitive advantage. These types of crime can cause damage or cost to business in terms of: Loss of competitive advantage Loss of business Reputational damage Preventative and remedial action Regulatory fines Reduced confidence All these will lead to a loss of Revenue, Share Price and Profitability, with severe knock on effects to the national economy such as loss of taxation, increased law enforcement costs, loss of exports, increased unemployment, damage to pension values, decrease in investment and lost opportunity costs. 5 How to Increase Cyber Security There is certainly no simple cure to prevent cybercrime however the following areas, summarised in the diagram below, should be considered. These comprise of: 5.1 Information Risk Management Organisations should apply the same rigour to assessing the risks to its information assets as it would to legal, regulatory, financial or operational risk. This should be done by embedding an information risk management process across the organisation, which is supported by the Board and senior managers. Employees, contractors and suppliers must be aware of the organisations information risk management policies and procedures. 5.2 Secure Configuration Simply put, ensuring that any unnecessary ICT functionality is disabled or removed, and that all devices are patched against known vulnerabilities, and that a continuous process for ensuring Secure Configuration is maintained is established. 5.3 Network Security Develop policy and procedures to protect corporate networks by applying the necessary security controls in order to minimise the risk of connecting to untrusted networks such as the Internet. 5.4 Managing User Privileges Actively manage the access privileges that users have. All users should only be provided with the access they need to do their jobs, and this must be regularly icore 2014 P a g e 5

6 reviewed. Snowden apparently started with a low level admin access, which enabled him to fabricate digital certificates to access information areas that he should not have had privileges to. He also coerced colleagues into handing over their usernames and passwords. All employees, and contractors and suppliers must be clearly aware of the organisation policy on usernames and passwords and the need to keep them confidential. 5.5 User Education and Awareness It is critical that all staff are aware of their personal security responsibilities and the requirement to comply with corporate security policies. This can be achieved by the delivery of a security training and awareness programme that increases the levels of security awareness and knowledge across the organisation, as well as fostering a security conscious culture. 5.6 Security Incident Management Organisations should invest in establishing effective incident management policies and processes and this will help improve the resilience, support business continuity, improve customer and stakeholder confidence and reduce the financial impact of any security incident. 5.7 Malware Prevention icore 2014 P a g e 6

7 Any information exchange carries a degree of risk as it could expose the organisation to malicious code and content (malware) which could seriously damage the confidentiality, integrity and availability of the organisation's information and Information and Communications Technologies (ICT) on which it is hosted. The risk must be reduced by implementing security controls to manage the risks to all business activities. 5.8 Monitoring Monitoring ICT activity allows businesses to detect attacks and react to them appropriately whilst providing a basis upon which lessons can be learned to improve the overall security of the business. In addition, monitoring the use of ICT systems allows the business to ensure that systems are being used appropriately in accordance with organisational policies. Monitoring is often a key capability needed to comply with security, legal and regulatory requirements. 5.9 Removable Media Controls Failure to control or manage the use of removable media can lead to material financial loss, the theft of information, the introduction of malware and the erosion of business reputation. It is good practice to carry out a risk benefit analysis of the use of removable media and apply appropriate and proportionate security controls, in the context of their business and risk appetite Home and Mobile Working Mobile working offers great business benefit but exposes the organisation to risks that are challenging to manage. Mobile working extends the corporate security boundary to the user's location. Organisations should establish risk-based policies and procedures that cover all types of mobile devices and flexible working to effectively manage the risks. Organisations should also plan for an increase in the number of security incidents and have a strategy in place to manage the loss or compromise of personal and commercially sensitive information and any legal, regulatory or reputational impact that may result. 6 CONCLUSIONS AND RECOMMENDATIONS Cyberspace has revolutionised how many of us live and work. The internet, with its more than 2 billion users, is powering economic growth, increasing collaboration and innovation, and creating jobs. Protecting key information assets is of critical importance to the sustainability and competitiveness of businesses today. Companies need to be on the front foot in terms of their cyber preparedness. Cyber security is all too often thought of as an IT issue, rather than the strategic risk management issue it actually is. Companies benefit from managing risks across their organisations; drawing effectively on senior management support, risk management policies and processes, a risk aware culture and the assessment of risks against objectives. There are many benefits to adopting a risk management approach to cyber security, including: icore 2014 P a g e 7

8 Strategic Benefits Corporate decision making is improved through the high visibility of risk exposure, both for individual activities and major projects, across the whole of the organisation. Financial Benefits Providing financial benefit to the organisation through the reduction of losses and improved value for money potential. Operational Benefits Organisations are prepared for most eventualities, being assured of adequate contingency plans. If you are uncertain about your company's ability to manage its information risks, there are some practical steps that can be taken through Corporate Governance mechanisms: Confirm that you have identified your key information assets and the impact on your business if they were to be compromised; Confirm that you have clearly identified the key threats to your information assets and set an appetite for the associated risks; Confirm that you are appropriately managing the cyber risks to your information and have the necessary security policies in place. Companies may not have all the expertise needed to implement these steps and assure themselves that the measures they have in place meet the threats; in the first instance audit partners should be able to provide assistance. For information risk management expertise, organisations should seek advice from appropriate organisations who have attained industry recognised qualifications. To find out how icore can highlight your exposure to Cybercrime you can contact us on +44 (0) and icore 2014 P a g e 8