This deliverable has been assessed by the E-CRIME Security Committee as suitable for public dissemination




FP7-SEC-2013.2.5-2
Grant Agreement Number 607775
Collaborative Project

E-CRIME
The economic impacts of cybercrime

D3.1 Anti-Cybercrime technologies and best practices assessment and monitoring

Deliverable submitted in January in fulfilment of the requirements of the FP7 project, E-CRIME The economic impacts of cybercrime

This project has received funding from the European Union's Seventh Framework Programme for research, technological development and demonstration under grant agreement no. 607775.

E-CRIME Coordinator:
Trilateral Research & Consulting (TRI)
Crown House, 72 Hammersmith Road, London 14 8 TH
T: +44 207 559 3550
www.ecrimeproject.eu

Project Acronym: E-CRIME
Project full title: The economic impacts of cybercrime
Website: www.ecrime-project.eu
Grant Agreement #: 607775
Funding Scheme: FP7-SEC-2013-1
Deliverable number: D3.1
Title: Anti-Cybercrime Technologies and Best Practices assessment and monitoring
Due date: 31/01/15
Actual submission date: 31/01/15
Lead contractor: Warwick
Contact: Bil Hallaq
Authors: Collaborative work between assigned partners of WP3
Reviewers: WWU, GCSEC
Dissemination Level: Public

Version control: Word document

Version  Action                                          Name       Date      Title
0.21     To be Reviewed                                  BH         25/01/15  3.1
0.22     Internal Review                                 MC         27/01/15  3.1
0.23     Internal Sectional Review                       JN         27/01/15  3.1
0.24     Internal Review                                 PW, BH     27/01/15  3.1
0.25     Internal Review                                 PW         27/01/15  3.1
0.26a    Merge changes and share with partner reviewer   BH         28/01/15  3.1
0.27     Reviewing Partners                              AC/MC/TN   29/01/15  3.1
0.29     Consolidated Comments and reviews               BH         30/01/15  3.1
0.31     Internal Review                                 ML/MC      30/01/15  Final

Contents

1. Abstract ... 7
2. Executive Summary ... 7
3. Introduction ... 7
3.1 Context ... 9
3.2 Objectives ... 9
3.3 Methodology ... 10
4. Applying existing cyber security classifications as criteria ... 10
4.1 Introduction ... 10
4.2 Security control ... 11
4.3 Classification of security controls ... 11
4.3.1 Theoretical approach ... 11
4.3.2 Practical approach ... 13
4.4 Assessment of security controls ... 13
4.5 Review & considerations ... 13
5. Criteria for assessing anti-cybercrime technologies and best practices ... 15
5.1 Criteria ... 15
5.1.1 Criteria effectiveness by type of cybercrime ... 15
5.1.2 Relevance and effectiveness of criteria to industry use ... 15
5.1.3 Use in the stages of the cybercrime ... 15
5.1.4 Maturity ... 16
5.1.5 Costs ... 16
5.1.6 Usability ... 16
5.1.7 Impact on business processes ... 16
5.1.8 Accuracy and resilience ... 17
5.1.9 Impact on privacy and societal rights ... 17
5.1.10 Ability to work within the law ... 17
5.1.11 Level of diffusion/adoption ... 17
5.2 Should criteria be industry specific? ... 17
6. Anti-cybercrime technologies ... 20
6.1 Technological ... 21
6.1.1 Authentication ... 21
6.1.1.1 Multi-factor authentication ... 21
6.1.1.2 Smart cards ... 23
6.1.1.3 Secure federated identity management and relative protocols ... 24
6.1.2 Access Control ... 26
6.1.2.1 Policy modelling and enforcement (XACML) ... 26
6.1.2.3 Semantic web for access control ... 27
6.1.3 Cryptography ... 29
6.1.3.1 TLS/SSL for web server authentication and encryption ... 29
6.1.3.2 Signed and/or encrypted mail ... 30
6.1.3.4 Trusted platform modules ... 32
6.3.4 Homomorphic cryptography ... 33
6.3.5 Quantum Key Distribution ... 35
6.4 Other techniques ... 37
6.4.1 Intrusion detection & prevention systems and security information & event management ... 37
6.4.2 Semantic networks ... 39
6.4.3 Secure platform for mobile applications ... 40
7. Best practices evaluation criteria ... 42
7.1 Cyber security exercises ... 42
7.2 Information security awareness training ... 44
7.3 Sector-agnostic information security standards ... 45
7.4 Sector-specific information security standards ... 46
7.5 Enterprise risk management frameworks ... 48
7.5.1 International information security best-practices ... 48
7.6 Secure information sharing and analysis centres ... 50
7.7 Application security & vulnerability testing ... 52
8. Pathways of cybercrime ... 54
8.1 Data theft crime scenario ... 55
8.2 Cyber espionage scenario ... 57
8.3 Phishing attack scenario ... 58
8.4 Ransomware attack scenario ... 60
9. Conclusion & future work ... 61
8. Bibliography ... 62
APPENDIX A Risk components ... 66
APPENDIX B ISO 27001 security controls ... 67
APPENDIX C NIST security controls ... 69
APPENDIX D NIST assessment procedure ... 72
APPENDIX E Security Industry Actors ... 74
APPENDIX F ISO - NIST Controls ... 75

1. Abstract

Current techniques for mitigating, preventing and recovering from cybercrime rely heavily on the use of technologies and best practices. First, this report proposes a set of criteria to assess such anti-cybercrime technologies and industry best practices; the criteria are flexible enough to be adopted by the various non-ICT sector types and by organisations of all sizes. These assessment approaches can also be adapted by industry and by category of crime. Finally, this document also presents the findings of a second task: a desktop analysis of 20 representative examples of existing anti-cybercrime technologies and best practices. Using a mix of case studies and cyber range replication in a controlled environment, a selection of criminal journeys from WP2 (D2.3) have been explored in order to derive evaluation insights on the selected anti-cybercrime technologies and best practices. The resulting findings are compared against the assessment criteria and presented in this report.

2. Executive Summary

The vast majority of society and industry is now dependent on digital communications and networked devices for tasks ranging from simple instant messaging to complex financial transactions and mission-critical activities such as national critical infrastructure controls. Our reliance on the internet and the growth of the Internet of Things (IoT) have increased our dependence on the cyber domain in a plethora of routine daily activities. This interconnectivity is a critical component for driving collaboration, productivity and innovation in industry. This positive growth has also given criminals the ability to develop new channels and take advantage of more covert platforms for their malicious activities. Criminals are finding new ways of creating technologies and taking advantage of vulnerabilities within the sometimes poorly woven cyber fabric that we are connected to.
News reports on data thefts, hacktivism, denial of service attacks and fraud perpetrated via cyber methods appear in the press daily. In order to combat these attacks, organisations often rely on anti-cybercrime technologies, risk management programmes and a range of best practice guidelines. However, within these there is no one-size-fits-all solution. Furthermore, defining a set of criteria by which the usefulness and efficacy of such programmes can be judged is often elusive. Within this report, we initially suggest a robust set of criteria for evaluating anti-cybercrime technologies and best practices; this set of criteria is then assessed and deployed against a selection of 20 representative examples of such anti-cybercrime technologies and best practices. This report represents an early milestone within the E-CRIME project and is a component of identifying and developing concrete measures to manage and deter cybercrime, one of the overall objectives of this project.

3. Introduction

This work carries on from the previous findings of Work Package 2 of this project, where a general taxonomy of cybercrime was provided along with a framework and categorisation of cybercrime in non-ICT sectors, which we then used to develop perpetrator and victim journeys. As a reminder, the various types of cybercrime as defined in the DoW and further developed in Deliverable 1.2 were defined as:

Traditional crimes: Those that are now cyber because they are also conducted online and make use of cyberspace as providing more opportunities for crime.

Hybrid cybercrimes: Those which are traditional crimes whose effectiveness, nature and modus operandi have significantly changed as a result of new opportunities provided by the Internet.

True cybercrimes: Those consisting of opportunities created purely by the Internet and carried out only within cyberspace.

Cyber platform crimes: Such as the provision of botnets, which facilitate other crimes rather than being used to extract money from victims directly.

Based on this initial definition and the initial general, cross-sector criminal journeys identified in D2.3 as key concerns for stakeholders, key examples of cybercrime related to several non-ICT industry sectors are presented in the table below.

Traditional Crimes (now cybercrimes) | Hybrid Cybercrimes | True Cybercrimes  | Platform Cybercrimes
Traditional fraud                    | ID theft           | Click Fraud       | Botnets
Piracy                               | Pornography        | Denial of service | Hire a hacker
Espionage                            | Dating Scams       | Phishing          | Illegal shops [1]

Table 1: Non-ICT Industry related cybercrime

In the fight against these defined cybercrimes, the identification of the main classes of vulnerabilities and of the most effective technologies and best practices to avoid or mitigate the associated risk is crucial. To help address this, we have defined a set of evaluation criteria for analysing different aspects of these cybercrime examples, which can aid non-ICT organisations in measuring and selecting the most effective anti-cybercrime technologies and best practices for their requirements.
These proposed evaluation criteria assess, amongst other things, the maturity, effectiveness and applicability of the technologies and best practices, taking into account social aspects and regulatory differences among the EU Member States. The evaluation criteria also consider possible differences among sectors. For an industry organisation, it is important to understand how a specific technology can actually mitigate the risk associated with possible cyber-attacks. The same set of evaluation criteria is applied not only to anti-cybercrime technologies but also to best practices. 20 representative examples of technologies and best practices have been identified for the testing. Due to the rapid growth of technological solutions, considering only mature technologies may be limiting; therefore our research on technologies against cybercrime tries to look ahead towards the more immediate horizon, considering emerging and promising solutions. Best practice examples represent different families of approaches. Common security standards and guidelines are considered, both the sector-agnostic (i.e. the ISO 27000 series) and the more technical ones that are usually sector-specific (such as some NIST special publications). Standards and guidelines do not completely cover the relevant best practices. For this reason, the utilisation of controlled cyber synthetic environments and consideration of growing information sharing initiatives (often sector specific, like FS-ISAC) were included. Such activities and initiatives provide insights and foster collaboration, crucial components in the fight against cybercrime.

[1] These would include shops which may also sell counterfeit copies of products, illegitimately represent themselves as associated with an actual organisation, or maliciously clone that organisation's presence online.

3.1 Context

This work is the output of Task 3.1 in Work Package 3, which focuses on providing criteria to assess anti-cybercrime technologies and industry best practices. It builds on the journey mapping from WP2, Tasks 2.1 and 2.2, and also provides a review of existing classification approaches and/or controls used in the cyber security sector. These controls are compared and contrasted against typical existing security controls such as those laid out in the ISO 27000 series and those from the National Institute of Standards and Technology (NIST). An inventory of 20 representative examples of existing anti-cybercrime technologies and best practices is researched through collecting and studying technology reports and roadmaps in the field of cybercrime. Each of these technologies and best practices is evaluated according to the criteria defined. In addition, a selected number of cybercrime journeys have been mapped, based on the current output from WP2.
These are presented as case studies for the selected technologies and best practices via a mix of desktop analysis and physical mapping across a cyber-synthetic environment (cyber range). [2] Further work will continue in this area as additional journeys are provided. This work will be added as a further Appendix to this report and made available ahead of WP7, which identifies gaps and solutions for cybercrime, and WP8, which enhances sector-specific countermeasures, as both are dependent upon the output of this work. Ongoing monitoring of anti-cybercrime technologies and best practices will be reviewed during the lifetime of this project.

3.2 Objectives

The objective of this work is both to define the criteria for the assessment of existing cybercrime practices and anti-cybercrime technologies and best practices, and to assess the selected anti-cybercrime technologies and best practices via case studies. It assesses the effectiveness of these countermeasures for preventing, deterring and managing cybercrime and includes the ongoing monitoring of these countermeasures through the lifespan of the project, with a specific focus on non-ICT sectors.

[2] A cyber range is a realistic environment that is used for cyber warfare training, cyber resiliency testing and cyber technology development. Historically these had a military focus, to test and run simulations on cyber assets as well as to train personnel. More recently, they have seen greater use across industry and critical infrastructure.

3.3 Methodology

In defining the criteria for assessing anti-cybercrime technologies and best practices, desktop analysis was carried out and direct contact was made with stakeholders and contacts from law enforcement and industry. From this a proposed set of criteria was established and then contrasted against existing security controls such as those from the ISO 27000 series and NIST. The proposed criteria were documented and then validated at the E-CRIME Workshop in Rome, 19th-20th January 2015.

The anti-cybercrime technologies were selected after an extensive desktop analysis. While it was impossible to cover all the possibilities, these examples provide a well-rounded view of the technologies that are effectively used today, while also considering those which represent realistic possibilities of important breakthroughs in the near future. Some examples, like smart cards and TLS/SSL, are very mature and widely used technologies for protecting confidential data and providing a secure authentication method. Others, such as the semantic web, are mature technologies that have been applied within the cyber security domain only recently. Further examples, such as quantum key cryptography and homomorphic encryption, are very promising techniques that might be ground-breaking solutions once they obtain greater maturity and adoption, yet are already important to analyse and consider.

Similarly, the best practice examples have been selected to give a good perspective of how procedures, guidelines, exercises and information sharing can be as effective as technologies against cybercrime. Each example works to summarise a family of best practices rather than a specific one. These were both validated at the E-CRIME Workshop in Rome, 19th-20th January 2015. Selected criminal journeys from D2.3 were then physically replicated in a highly controlled environment (the cyber range).
Through a mix of desktop analysis and testing on the cyber range, the proposed criteria were then assessed against the representative examples to evaluate the performance of the examples. The scale used for rating has been qualitatively constructed from insights coming from the desktop analysis and the results of the testing on the cyber range.

4. Applying existing cyber security classifications as criteria

4.1 Introduction

This section provides a review of classifications currently used in the cyber security sector. These are proposed to aid in developing the project's own criteria to assess anti-cybercrime technologies and best practices. This section ties the notion of anti-cybercrime technologies and best practices to the notion of security controls that is widely used in information security standards. [3]

A security control, in a simplified way, can be explained as any measure that helps to protect an entity from unwanted incidents. It can be a technical measure, e.g. a firewall that helps to protect a network from cyber-attacks; a physical measure, e.g. the restriction of physical access to an entity's premises or network; or an administrative control, e.g. courses to educate personnel not to open email attachments with potentially malicious files. The essence of anti-cybercrime technologies and best practices can be seen as a series of security controls.

[3] ISO, NIST, COBIT, ETSI, ENISA

4.2 Security control

Most IT security standards rely on the notion of security control. Common definitions, which are used in different security standards, are provided below:

o (ISO 27000) Control: measure that is modifying risk. Note 1 to entry: Controls include any process, policy, device, practice, or other actions which modify risk. Within this, the prime 27000 series standard that covers information security risk management is ISO 27005, which can be defined as [sic] "providing guidelines for information security risk management (ISRM) in an organization, specifically supporting the requirements of an information security management system defined by ISO 27001." (ISO.ORG 2014)

o (ISACA, COBIT) Control: the means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be of an administrative, technical, management, or legal nature. Scope Note: Also used as a synonym for safeguard or countermeasure. (ISACA 2014)

o (NIST) Security Control: a safeguard or countermeasure prescribed for an information system or an organization designed to protect the confidentiality, integrity, and availability of its information and to meet a set of defined security requirements. (NIST 2013 - SP800-53r4)

Security controls are usually based on the notion of risk. [4] Risk is one of the key elements of information security and in particular of security controls. Specifically, ISO/IEC 27005 is the name of the prime 27000 series standard covering information security risk management.

4.3 Classification of security controls

Before the criteria to assess security controls are defined, this section gives a brief overview of the different classifications of security controls. Although the project does not yet touch upon classification of anti-cybercrime technologies and best practices (i.e. security controls), a short insight will surely be useful.

4.3.1 Theoretical approach

Security controls can be classified in many different ways. One approach is rather theoretical (taxonomical), and it can usually be found in the information security literature (Harris, Shon 2013). The categorization in this case has a tree-like structure that aims to look at security controls from different perspectives, to aid in explaining the nature of security controls. The excerpt below provides an example of such an approach.

[4] But not in NIST's definition.

Figure 1: Categorization of Security Controls [5]

In this taxonomy, security controls are divided into three types: Preventive, Detective and Corrective. The NIST security standard distinguishes between five functions: Identify, Protect, Detect, Respond and Recover. The ISHandbook (Sewell, 2009) defines three commonly accepted forms of controls:

a) Administrative: "These are the laws, regulations, policies, practices and guidelines that govern the overall requirements and controls for an Information Security or other operational risk program. For example, a law or regulation may require merchants and financial institutions to protect and implement controls for customer account data to prevent identity theft. The business, in order to comply with the law or regulation, may adopt policies and procedures laying out the internal requirements for protecting this data. These requirements are a form of control." (Sewell, 2009)

b) Logical: "These are the virtual, application and technical controls (systems and software), such as firewalls, anti-virus software, encryption and maker/checker application routines." (Sewell, 2009)

c) Physical: "Whereas a firewall provides a 'logical' key to obtain access to a network, a 'physical' key to a door can be used to gain access to an office space or storage room. Other examples of physical controls are video surveillance systems, gates and barricades, the use of guards or other personnel to govern access to an office, and remote backup facilities." (Sewell, 2009)

Sewell states that all three forms are critical to the creation of an effective control environment. "However, these elements do not provide clear guidance on measuring the degree to which the controls mitigate the risk. Instead, [sic] the risk model presented here utilizes an alternative set of elements that provide better means of assessing the level of mitigation: a) Preventive, b) Detective and c) Corrective."

[5] As referred to in the ISHandbook, Sewell, 2009

Sewell goes on to state that, as well as classifying the type of control, this simple risk model also has a series of classifications on the value of that control. These are listed below: a) Effective, b) Efficient, c) Complexity, d) Access and e) Privilege. [6]

4.3.2 Practical approach

Information security standards [7], on the other hand, usually use another approach to classify security controls. It is a more practical and goal-driven approach. ISO and NIST standards, for example, have very broad lists of security controls, which are divided into categories. The objective of such divisions is to cover all possible aspects of information security from the perspective of different entities. Examples of ISO's and NIST's groups are stated below.

4.4 Assessment of security controls

Instead of having universal criteria for assessing security controls, NIST has specific assessment criteria for every group. [8] NIST's assessment has such characteristics as:

a) assessment method (examine, interview and test);
b) assessment expectations (low, moderate and high);
c) assessment procedure (consisting of objectives, methods and objects).

An example illustrating the assessment procedure for the subgroup Malicious Code Protection (group System and Information Integrity) is given in Appendix C. At a high level, ISO's recommendations on the assessment of security controls are that "the level of risk depends on the adequacy and effectiveness of existing controls. Questions which need to be addressed include: What are the existing controls for a particular risk? Are those controls capable of adequately treating the risk so that it is controlled to a level that is tolerable? In practice, are the controls operating in the manner intended and can they be demonstrated to be effective when required?"
(ISO, 2013) Within these guidelines it is also noted that in the majority of instances "a high level of accuracy is not warranted". [9] (ISO27001, 2013)

[6] As defined under control types, control effectiveness and control limitations, ishandbook.bswell.com
[7] NIST, ISO.
[8] NIST 2008 - SP800-53A (Guide for Assessing the Security Controls).
[9] ISO27001, 2013 Information security management systems Requirements

4.5 Review & considerations

As was described above, two approaches to classification can, for convenience, be distinguished: theoretical and practical. To determine which better fits E-CRIME's needs and specifically Deliverable 3.1, the categorisation of the type of industry actor should also be considered. As established by a consortium partner [10], there are three types of industry actors with different capabilities and incentives:

1. Security providers: actors who in principle are in a position to decide (explicitly or implicitly) about the security properties in ICT infrastructures. Typical examples: ICT industry, standard setters, infrastructure providers.

2. Security consumers: actors who depend on the security properties available in products and services offered on the marketplace. Typical examples: non-ICT companies, public institutions, individuals.

3. Security industry: specialises in selling security products and services to security providers (e.g. code review, hardening, security libraries) and to security consumers (off-the-shelf security tools, diagnostics and filters).

While such a categorisation is not codified yet, it is used within some academic circles to describe the security ecosystem. The term "security provider" might be confusing, as these are in fact all ICT providers. However, it should be stressed that ICT providers are the ones that can and need to provide security in their products. The distinction between these actors is important, because each actor applies substantially different defensive technologies and best practices, due to their varying capabilities and incentives based on their role in the value network (see Appendix E). If the intended users were mainly information security specialists, then a more practical approach might be preferable (similar to NIST's security standard, where specific assessment criteria are used for the narrowly predefined groups of security controls). Such an example is presented in the table below.

Function (NIST) [11]      identify, protect, detect, respond, recover
Effectiveness (ISO)       -
Adequateness (ISO)        -
Information (Figure 2)    confidentiality, integrity, availability
Nature (generally used)   physical controls, procedural controls, technical controls, legal and regulatory or compliance controls
Limitations (Figure 2)    complexity, access, privilege

Table 2: Security Controls

[10] Prof. Dr Rainer Böhme (see Appendix E), WWU.
[11] Type on Figure 2.

However, it should also be considered that the results of this assessment will be disseminated to and used by the project stakeholders and/or those who are mentioned in the dissemination strategy: decision-makers in the EU and other categories of key stakeholders and citizens. [12] Therefore it is not limited to just one type of industry actor or simply to information security specialists. With these points considered, the next section proposes a set of criteria for assessing anti-cybercrime technologies and best practices that are flexible and could be applied by various industry actors (as defined in this section), organisational sizes and industry verticals.

[12] E-CRIME Work Package 9

5. Criteria for assessing anti-cybercrime technologies and best practices

5.1 Criteria

5.1.1 Criteria effectiveness by type of cybercrime

a) Do they prevent a crime?
b) Do they identify a crime?
c) Do they limit the potential damage of a crime?
d) Do they successfully identify the criminal(s) (attribution)?

5.1.2 Relevance and effectiveness of criteria to industry use

Best practice guidelines and regulatory requirements are often industry specific, and it is within these specific contexts that their relevance and efficacy are understood and appreciated. While cybercrimes may vary by industry, in some cases there is an overlap between industry sectors. This should be considered when measuring the relevance and efficacy of any anti-cybercrime technologies.

5.1.3 Use in the stages of the cybercrime

a) Pre-Crime/Preventative: Technologies and best practices that work to identify cybercrime before it occurs or while it is in the early planning stages.

b) During crime: technologies and best practices which provide detection of cybercrime, with possible mitigation and/or real-time attribution.
c) Post crime: technologies and best practices which provide the ability to successfully triage, investigate and attribute cybercrimes after they have occurred or when they are suspected (post incident). These should also include a recovery aspect (allowing the attacked systems to be restored to their original state, prior to the criminal incident). We also include in this category all the technologies and best practices that aim to increase resilience to cybercrimes.

5.1.4 Maturity

This is based directly on how long the technologies and best practices have been established and how widely they are accepted across industry or within specific industry sectors. New technologies or best practice guidelines should not be dismissed but included and balanced against more mature guidelines and technologies. The method by which weight or ranking of maturity is allocated should be considered in the context of the industry in which it is being used. For example, in industries where innovation is lacking, less mature technologies may need to be considered even if they are not presently widely adopted. Additional consideration should be given to newer technologies which may be widely adopted but have limited maturity.

5.1.5 Costs

The cost to acquire or implement the technology or best practice is a key factor. Some consideration should be given to cost effectiveness for the industry sector they relate to, as some industry sectors may have more complex business and regulatory requirements than others. Equally important are ongoing and subsequent operating costs, such as maintenance, upgrades, training and residual license fees. Within the validation workshop [13], stakeholders commented that the link between this criterion and those in 2.1.1 should be considered in tandem when possible and useful.

5.1.6 Usability

The level of difficulty for users and/or administrators within the industry to operate or adopt specific technologies and best practices should be taken into account before such technologies and/or practices are ultimately taken up. This ensures that users and/or administrators do not end up looking for shortcuts or ways to bypass key features or controls, thereby invalidating their efficacy.

5.1.7 Impact on business processes

It is imperative to ensure that the technology or best practice adopted, which may be effective in addressing certain issues, does not have a negative impact significant enough to directly or indirectly disrupt business processes. It is also important to ensure that they do not have a negative impact on innovation and/or generative processes within an organisation.

[13] E-Crime Workshop, January 19-20th, Rome, Italy.

5.1.8 Accuracy and resilience

There are established and specific guidelines and/or frameworks which provide methodologies with which to test specific technologies, to ensure resilience and accuracy. In the field of digital forensics one such example is the National Institute of Standards and Technology Computer Forensic Tool Testing (CFTT) methodology. This guideline provides assurance that the tools that have been tested are both accurate and resilient. By way of a different example, the accuracy of identifying attacks is a key component of an Intrusion Prevention System, and its ability to maintain fidelity during an attack is a critical part of ensuring resilience.

5.1.9 Impact on privacy and societal rights

Assessments should be made to ensure that any technologies or best practices take into account privacy and key, agreed societal rights.

5.1.10 Ability to work within the law

Anti-cybercrime technologies and best practices need to work within the laws of a given country and ideally they need to be usable across all EU Member States without the need for modification. However, tools and best practice guidelines which are specific to certain jurisdictions should not be ruled out, as they may provide best value for crimes focused within those jurisdictions.

5.1.11 Level of diffusion/adoption

This point was specifically brought up by various stakeholders and consortium partners at the validation workshop. It was agreed that this was a critical point to include in such a set of criteria, as it is often the case that while some technologies or guidelines might meet many of the other proposed criteria, they are not widely adopted for various reasons. Reasons include a lack of awareness (amongst the relevant personnel in non-ICT organisations) of the availability of such guidelines and technologies. This is different from maturity, as not all mature technologies or best practices are widely adopted. In such cases it would be beneficial to identify and understand why such solutions are not being adopted or used.

5.2 Should criteria be industry specific?

A report released in July 2014 titled "Critical Infrastructure: Security Preparedness and Maturity", by the Ponemon Institute (sponsored by UNISYS), outlines in section 6b what respondents believe are the least effective security technologies in addressing cybersecurity threats (Ponemon, 2014). These (in order) are:

1. Web application firewalls (WAF)
2. Data Loss Prevention systems (DLP)
3. Automated code review or debugger
4. Virtual private network (VPN)
5. Encryption of data in motion

This report documents what a specific (critical infrastructure) industry feels is important and not important. The views change by industry: for example, an online retailer would consider a WAF a key and highly effective part of their security infrastructure, while an email or remote file storage service provider would consider the encryption of data in motion a key and highly useful part of their anti-crime arsenal. Exploring this further, we can determine that cybercrimes vary by industry. Some examples of recent high-profile cybercrimes are:

Retail:
- Target Retail (2013): "the thieves had installed data-stealing code on to card-swipe machines at tills in all 1,797 Target stores." (RetailFraud, 2013)
- TJMaxx Retail (2007): "...the company later learned that thieves had used the store's wireless networks to access systems at its Massachusetts headquarters that were used to store data related to payment card, check and return transactions at stores across the country." (infosecmaestros.com, 2014)

Finance:
- Heartland Payment Systems (2009): "...disclosed that thieves had broken into its internal card processing network, and installed malicious software that allowed them to steal track data on more than 130 million cards." (krebsonsecurity.com, 2013)
- Japanese PostBank (2014): "...hackers target banking credentials by dropping malware when users visit popular Japanese porn-sites." (Symantec, 2014)

Media and entertainment:
- SkyTV (2014): "...criminals sell hacked SKY boxes [sic] (which work around the encryption) at a fraction of the cost of a normal Sky subscription." (BBC, 2014)
- Game of Thrones (2012): "Game of Thrones is the top TV show on the internet piracy chart: Torrentfreak." (BBC, 2012)

Education:
- University of Iowa (2014): records of current and former students were exposed due to a server breach; however, the University stated that the primary purpose of the attackers was to use the server to mine bitcoins.

These examples highlight the variance in types of crimes in different industries. The attack vector used to commit a cybercrime against a retailer's Electronic Point of Sale (EPOS) system by placing malware is different from reverse engineering Sky TV's proprietary encryption in order to get a free or cheap service, while the issue of hijacking banking details via drive-by malware has its own attack footprint. Further supporting this point are examples of cybercrimes against supervisory control and data acquisition (SCADA) systems, where unique technologies are used to prevent and mitigate attacks and have been launched specifically for these environments (automationworld.com, 2014). Also to be considered is the recently reported example of Chinese barcode readers being shipped with spyware (Scharr, 2014). Additionally, there is the issue of cyber security vulnerabilities in embedded healthcare appliances, which could potentially require different or specially created anti-crime technologies (FDA.GOV, 2013).

These examples serve as a reminder that anti-cybercrime technologies are not just limited to solutions which can protect an enterprise's Internet-facing servers, and they build a strong case for such technologies being industry specific. To determine this further, using a similar validation approach contrasting against traditional security controls, a review of the ISO standards is undertaken, starting with a set of industry-independent technologies and best practices and then selecting those which are industry specific. In the family of ISO standards, for example, ISO/IEC 27002 is sector independent and sets up a general approach. Other ISO standards are sector specific:

- Telecommunications: ISO/IEC 27011, Information technology - Security techniques - Information security management guidelines for telecommunications organizations based on ISO/IEC 27002;
- Financial services: Payment Card Industry Data Security Standard (PCI DSS); ISO/IEC TR 27015, Information security management guidelines for financial services;
- Health: ISO 27799, Information security management in health using ISO/IEC 27002;
- Energy utility: ISO/IEC 27019 (in preparation), Information security management guidelines based on ISO/IEC 27002 for process control systems specific to the energy utility industry.

Therefore it can be concluded that the criteria to assess them should be based on the attack vector as well as the industry, yet with the understanding that some industries may not need a fully separate assessment, as very similar technologies will be deployed elsewhere (e.g. retail and hospitality). Consolidating these, the consensus was that while some of the criteria will be general, many may be sector specific.
Therefore the recommendation is to start with a sector-specific approach, in order to identify accurately, and to allow better insight into, the cultural or environmental differences which are important. In any areas where overlaps have been identified, only one set of criteria is required.

Criteria for Assessing Anti-Cybercrime Technologies and Best Practices
- Effectiveness for traditional crimes (which are now cyber)
- Effectiveness for hybrid cybercrimes
- Effectiveness for true cybercrimes
- Use in the relevant stage of the cyber-crime
- Maturity
- Accuracy and resilience
- Diffusion/adoption
- Relevance and effectiveness to the industry
- Impact on privacy and societal rights
- Ability to work within local laws (by EU member country)
- Ability to be utilised across all EU member states without the need for modification
- Usability
- Costs (initial and ongoing)
- Impact on business

Table 2: Validated Criteria

These were presented and validated at the E-Crime Workshop, January 19th-20th, 2015.

6. Anti-cybercrime technologies

The identification of existing anti-cybercrime technologies and industry best practices has been undertaken by collecting and studying technology reports and roadmaps in the field of cybercrime. This desktop analysis provides an inventory of 20 representative examples of existing technologies and related best practices which can be used against cybercrime. A description is provided, together with a short explanation of how the technologies or the best practices can mitigate the security issue related to cybercrime. Moreover, each technology and best practice is evaluated according to the criteria validated in the previous section of this report and summarised below.

For clarity, three specific criteria are currently under study: cost, usability and impact. The research revealed that in these three areas there is a common theme, and that often these criteria become subjective depending upon the industry and the organisation's risk appetite. To determine their value, deeper analysis from the organisation would be required. In fact, the choice of a countermeasure depends strongly on the level of risk a company wants to accept and how much they are willing or able to invest in it. The deployment of an Intrusion Detection System, for example, could be cost effective and considered a key objective at board level by an organisation with a resilient and extensive IT network.
However, the same might not always be the case for organisations with an extensive level of complexity within their IT model, or even for organisations of significant magnitude but less related to information technology, in which the cost of the countermeasure could be much higher than the likelihood and impact of an attack on the IT infrastructure. Furthermore, the solutions proposed by vendors are usually built on modules, and this creates other issues related to cost. Affordability can vary significantly by industry and even between organisations within the same industry sector. These also directly link to the impact on business. It is an established fact that risk appetite and level of affordability vary across industries and organisation sizes. There is no one size fits all for these; as already clarified, factors such as topologies and enterprise structure can affect how the business perceives and evaluates cost, usability and business impact. Therefore, while these three criteria are highly relevant, they should be evaluated for a segment and/or an individual organisation on a segment-by-segment or case-by-case basis. This is reflected in the comments within the findings of the following section.

Certain technologies such as firewalls, anti-virus technologies and back-up solutions were deliberately left out of the 20 representative examples, as it was agreed that awareness and implementation of these is generally widespread. Within Section 6, Cybercrime pathways, some of them have been cited, confirming that they are still useful examples of technological countermeasures. Regardless of how widely established these technologies are, it does not mean that such solutions are always configured accurately, patched regularly and monitored effectively, hence the need for incorporating best practices. Highly specific guidelines such as the Payment Card Industry Data Security Standard (PCI-DSS) or similar industry-specific guidelines were not included, in order to reflect those which could be useful across a wide range of organisations.

6.1 Technological

6.1.1 Authentication

6.1.1.1 Multi-factor authentication

Description

Authentication factors are usually classified as:

1. knowledge factor: something that the user knows, e.g. a secure password
2. possession factor: something that the user has, e.g. a token or a properly configured mobile device
3. inherence factor: something that the user is, e.g. a biometric characteristic such as a fingerprint or eye iris

Multi-factor authentication is an approach requiring two or more factors belonging to different classes. For example, a service can require a user to authenticate using both a password and a fingerprint. Of course, the probability that an attacker is able to provide both authentication factors is lower than that of providing only one, thus this approach reduces the likelihood of false authentication. On the other hand, this approach relies on the user's ability to provide both, and it is generally less usable. As a consequence, users tend to avoid this kind of authentication for services that they perceive do not require a high level of security.
Relevance to anti-cybercrime

Multi-factor authentication combats online identity theft and fraud by adding an extra layer of verification when accessing online services and accounts. Attacks such as phishing or spyware may successfully steal the first factor; however, without the second factor the cyber-criminal cannot gain access to the account or service.

Evaluation criteria

Criterion                                                                            | Evaluation
-------------------------------------------------------------------------------------|-----------
Effectiveness for traditional crimes (which are now cyber)                           | medium-high
Effectiveness for hybrid cybercrimes                                                 | medium-high
Effectiveness for true cybercrimes                                                   | medium-high
Use in the relevant stage of cyber-crime                                             | Preventive
Maturity                                                                             | High
Diffusion/adoption                                                                   | Medium; the use of digital identities will increase year by year following the market digitalisation that will require strong authentication solutions to protect digital identities [14]
Accuracy and resilience                                                              | High
Relevance and effectiveness to the industry                                          | High (very sector-agnostic concept)
Impact on privacy and societal rights                                                | Low
Ability to work within local laws (by EU member country)                             | Very high
Ability to be utilised across all EU member states without the need for modification | Very high
Usability                                                                            | -
Costs (initial and ongoing)                                                          | -
Impact on business                                                                   | -

Sector-specific remarks

Multi-factor authentication is sector-agnostic. However, it cannot be used in all contexts where authentication is necessary. This can depend on the nature of the installation: for example, systems of persistent authentication (combining standard RFID technologies with CCTV running face recognition, for instance), which may equate to two-factor authentication. These are and/or will be increasingly introduced into high-value targets within our considered industries (i.e. airports, government buildings, financial trading floors, power stations, critical infrastructure, etc.). This will not be usable in all industrial installations but may be used in those determined to be the most critical by end-users on a sector-by-sector risk analysis.

[14] http://www.libertyglobal.com/pdf/public-policy/the-value-of-our-digital-identity.pdf
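The two-factor check described in 6.1.1.1, as an added Python example (not code from this deliverable or the E-CRIME project): a server verifies a knowledge factor (a salted password hash) and a possession factor (a time-based one-time code per RFC 6238, of the kind a properly configured mobile device or token generates). The account, password and seed are constructed sample data (the seed is the RFC 6238 test-vector key, so the codes can be checked against the RFC), and the `login` function and its result strings are assumptions of this example. It shows the point made under Relevance: a password captured by phishing or spyware is not sufficient on its own, a one-time code observed earlier is useless outside its time window, and a code that has already been accepted is refused a second time.

```python
"""Two-factor login check: knowledge factor (password) plus possession factor (TOTP).

Added illustration for section 6.1.1.1 of this deliverable; not the project's
own code. All account data below is constructed sample data.
"""
import base64
import hashlib
import hmac
import os
import struct

PBKDF2_ROUNDS = 100_000

# RFC 6238 test-vector seed ("12345678901234567890" in base32), used here as the
# constructed seed of a sample account so the codes can be checked against the RFC.
RFC_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


# --- knowledge factor: the server stores only a salted PBKDF2 hash of the password ---

def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def check_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)      # constant-time comparison


# --- possession factor: RFC 6238 TOTP computed from a seed held by the user's device ---

def totp(seed_b32, now, step=30, digits=6):
    """Time-based one-time code: HOTP (RFC 4226) over the current 30-second step."""
    key = base64.b32decode(seed_b32, casefold=True)
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                              # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def check_totp(seed_b32, code, now, step=30, drift=1):
    """Return the time step whose code matched, or None.

    Tolerates +/- `drift` steps of clock skew between device and server.
    """
    if not code.isdigit():
        return None
    for k in range(-drift, drift + 1):
        t = now + k * step
        if hmac.compare_digest(totp(seed_b32, t, step), code):
            return t // step
    return None


# --- the login decision ---

def make_account(username, password, seed_b32):
    """Constructed server-side account record (no plaintext password is kept)."""
    salt, digest = hash_password(password)
    return {"user": username, "salt": salt, "digest": digest,
            "seed": seed_b32, "last_step": -1}


def login(account, password, code, now):
    """Both factors must verify; a one-time code is also refused if already used."""
    if not check_password(password, account["salt"], account["digest"]):
        return "denied: password"
    matched = check_totp(account["seed"], code, now)
    if matched is None:
        return "denied: second factor"
    if matched <= account["last_step"]:                 # replay inside the drift window
        return "denied: code already used"
    account["last_step"] = matched
    return "granted"


if __name__ == "__main__":
    acct = make_account("alice", "correct horse battery staple", RFC_SEED)
    # a phished password alone is not enough, and an accepted code cannot be reused
    print(login(acct, "correct horse battery staple", "000000", now=59))   # denied: second factor
    print(login(acct, "correct horse battery staple", "287082", now=59))   # granted
    print(login(acct, "correct horse battery staple", "287082", now=70))   # denied: code already used
```

The `last_step` record is what makes the second factor genuinely one-time: without it, a code captured by malware on the device could be replayed for up to a minute within the drift window. The same structure applies to a hardware token or a biometric as the second factor; only `check_totp` changes.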

6.1.1.2 Smart cards

Description

Smart cards are pocket-sized cards with an embedded microchip that can store large amounts of data, encrypt data and communicate with other devices. In particular, they can store secret keys and present various tamper-proof characteristics. The computational capabilities of smart cards allow them to perform computations using the secret keys without the need to extract them, thereby enabling cryptographic mechanisms suitable for different security services, such as data origin authentication and confidentiality, to be used.

Relevance to anti-cybercrime

Smart cards combat cybercrime in a number of ways, including:
- automatically encrypting the data transferred in an online transaction to prevent tampering;
- providing extra sources of verification, such as encrypted card identifiers and unique PINs, to increase the difficulty of committing identity theft and fraud;
- providing a possession-factor token for secure authentication;
- providing a sophisticated but simple-to-use device able to keep the digital signature keys and the related required cryptographic algorithm;
- providing a platform that can be customised to provide secure services for different sectors, electronic payments and mobile communication being the best known examples.

Evaluation criteria

Criterion                                                                            | Evaluation
-------------------------------------------------------------------------------------|-----------
Effectiveness for traditional crimes (which are now cyber)                           | medium-high
Effectiveness for hybrid cybercrimes                                                 | medium-high
Effectiveness for true cybercrimes                                                   | medium-high
Use in the relevant stage of the cyber-crime                                         | Preventive
Maturity                                                                             | High
Diffusion/adoption                                                                   | High in some sectors (electronic payment, mobile communications). NFC and contactless technologies contribute to the adoption of smart cards in different contexts, e.g. as access tokens to office buildings or even hotel rooms or houses.
Accuracy and resilience                                                              | High
Relevance and effectiveness to the industry                                          | High
Impact on privacy and societal rights                                                | Very low
Ability to work within local laws (by EU member country)                             | Very high
Ability to be utilised across all EU member states without the need for modification | Very high [15]
Usability                                                                            | -
Costs (initial and ongoing)                                                          | -
Impact on business                                                                   | -

Sector-specific comments

The banking sector has been using smart cards for several years. Credit cards and ATMs are now based around smart cards and provide a good payment platform, supported by detailed standards adopted by all the major e-payment companies. Telco operators have been using smart cards in order to authenticate users and encrypt their voice traffic since the adoption of GSM. The flexibility of smart cards, their tamper-proof characteristics and their ease of use make smart cards suitable for a plethora of uses across different sectors.

6.1.1.3 Secure federated identity management and related protocols

Description

Most web applications and services require a user authentication phase in order to identify the user and then provide services according to his/her access rights. This requires a system able to manage the identity of the users and the related information. Originally each service provider used to have its own identity management system, but recently large corporations such as Facebook and Google have provided identity management as a service for other service providers. Federated identity management systems are currently based on standard protocols such as SAML and OAuth. These protocols provide a way to delegate the authentication of the user to the third party, which returns the requested information about the user.

Relevance to anti-cybercrime

Standard technologies for identity management enable service providers to avoid handling customer data. This means that they are less attractive targets for attack. The adoption of a proper identity management system increases the security level of authentication because the available solutions are well studied and mature.
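The delegated authentication exchange described in 6.1.1.3, as an added Python example (not code from this deliverable, and not a SAML or OAuth library): the identity provider alone holds user credentials and, after checking the password, issues a signed assertion, here a compact JSON Web Token signed with HMAC-SHA256, the token format that OpenID Connect uses on top of OAuth 2.0 (a SAML assertion carries the equivalent issuer, subject, audience and validity claims as signed XML). The service provider stores no passwords, only the verification key of the issuer it trusts, and accepts an assertion only after checking signature, issuer, audience and validity period. Issuer names, keys, the user and the clock value are constructed; a real deployment signs with an asymmetric key so that the service provider holds only the identity provider's public key, whereas a shared HMAC key is used here to stay within the standard library.

```python
"""Federated login with a signed identity assertion: IdP issues, SP verifies.

Added illustration for section 6.1.1.3; not the deliverable's code and not a
SAML or OAuth library. The assertion is a compact JSON Web Token signed with
HMAC-SHA256. Issuer names, keys, user and clock values are constructed.
"""
import base64
import hashlib
import hmac
import json
import os

PBKDF2_ROUNDS = 100_000


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact(obj):
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


class IdentityProvider:
    """The only party holding user credentials; signs assertions about who logged in."""

    def __init__(self, issuer, signing_key):
        self.issuer = issuer
        self.key = signing_key      # assumption: HMAC key; real IdPs sign with a private key
        self._users = {}            # username -> (salt, PBKDF2 digest)

    def register(self, username, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._users[username] = (salt, digest)

    def authenticate(self, username, password, audience, now, ttl=300):
        """Check the password; on success return an assertion addressed to `audience`."""
        record = self._users.get(username)
        if record is None:
            return None
        salt, digest = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(candidate, digest):
            return None
        claims = {"iss": self.issuer, "sub": username, "aud": audience,
                  "iat": now, "exp": now + ttl}
        signing_input = _compact({"alg": "HS256", "typ": "JWT"}) + "." + _compact(claims)
        signature = hmac.new(self.key, signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + _b64url(signature)


class ServiceProvider:
    """Stores no passwords, only the verification keys of the issuers it trusts."""

    def __init__(self, audience, trusted_issuers):
        self.audience = audience
        self.trusted = trusted_issuers      # issuer -> verification key

    def accept(self, token, now):
        """Return the verified claims, or None if the assertion must be rejected."""
        try:
            h, c, s = token.split(".")
            header = json.loads(_b64url_decode(h))
            claims = json.loads(_b64url_decode(c))
            signature = _b64url_decode(s)
        except ValueError:                      # wrong shape, bad base64 or bad JSON
            return None
        if not isinstance(header, dict) or not isinstance(claims, dict):
            return None
        if header.get("alg") != "HS256":        # the token must not choose the algorithm
            return None
        key = self.trusted.get(claims.get("iss"))
        if key is None:                         # unknown issuer
            return None
        expected = hmac.new(key, (h + "." + c).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return None                         # forged or tampered
        if claims.get("aud") != self.audience:
            return None                         # issued for another service
        if not (claims.get("iat", now + 1) <= now < claims.get("exp", 0)):
            return None                         # outside validity period
        return claims


def demo():
    """Run the exchange on constructed data and return the outcome of each check."""
    key = b"constructed-idp-signing-key"
    idp = IdentityProvider("https://idp.example", key)
    idp.register("alice", "correct horse battery staple")
    shop = ServiceProvider("https://shop.example", {"https://idp.example": key})
    bank = ServiceProvider("https://bank.example", {"https://idp.example": key})
    now = 1_700_000_000                                 # fixed clock for a reproducible run
    token = idp.authenticate("alice", "correct horse battery staple", "https://shop.example", now)
    h, c, s = token.split(".")
    altered = json.loads(_b64url_decode(c))
    altered["sub"] = "someone-else"                     # changed claims under the old signature
    tampered = h + "." + _compact(altered) + "." + s
    return {
        "wrong_password": idp.authenticate("alice", "nope", "https://shop.example", now),
        "valid": shop.accept(token, now + 10),
        "expired": shop.accept(token, now + 600),
        "wrong_audience": bank.accept(token, now + 10),
        "tampered": shop.accept(tampered, now + 10),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(check, "->", "accepted" if result else "rejected")
```

The audience check is the part most often left out in practice: an assertion issued to one service provider must not be usable at another, otherwise any relying party in the federation could impersonate the user elsewhere. Fixing the expected algorithm on the verifier side, rather than reading it from the token, is the corresponding safeguard for the signature check.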
Moreover, if the identity provider is a well-trusted entity, like national public administrations and governments, a service provider that delegates user authentication to such an identity provider receives reliable information about users.

[15] Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market (eIDAS Regulation) provides a regulatory environment to enable secure and seamless electronic interactions. This regulation will allow European citizens to be identified in each country through the national digital identity they have (one solution is the smart card).

Evaluation criteria

Criterion                                                  | Evaluation
-----------------------------------------------------------|-----------
Effectiveness for traditional crimes (which are now cyber) | High
Effectiveness for hybrid cybercrimes                       | High
Effectiveness for true cybercrimes                         | High
Use in the relevant stage of the cyber-crime               | Preventive
Maturity                                                   | medium-high
Diffusion/adoption                                         | It depends on the sector. Web services are increasingly adopting third-party identity management (typically Google and Facebook account authentication). A federated multi-national identity management system, providing strong authentication of strong identities for tax/legal/administrative services for citizens, is not yet available.
Accuracy and resilience                                    | medium-high
Relevance and effectiveness to the industry                | High
Impact on privacy and societal rights                      | Potential to be high. An assessment should be done case by case. Privacy is a relevant issue.
Ability to work within local laws (by EU member country)   | National and international regulations are still limited in their scope and reach across industry and borders. Federated digital identity management is the subject of different e-government and public services initiatives. Belgium and Estonia seem the most advanced EU member states on this subject. EU projects like STORK [16] and similar initiatives provide research and development effort in order to reach agreed and secure technologies and platforms.

[16] http://www.cspforum.eu/uploads/csp2014presentations/track_1/2014_05_21_stork_eidas_economics_athens.pdf