Over the past decade, businesses have had to adapt to an array of technical changes, including an increasingly hostile cyber environment. We saw the early precursors of cybercrime decades ago, when computer use was limited to a relatively small group of specialists and electronics enthusiasts. Innovative programmers, some still in high school, would find ways to display annoying messages on their friends' computers and, from there, spread their programs to other machines via shared floppy disks. This part-practical-joke, part-vandalism form of malware has been overshadowed by the more serious, technically complex, and financially lucrative cybercrime of today.
In this guide, we will examine major types of threats to information security that businesses face today as well as techniques for mitigating those threats. One of the most important tools available to us is SSL technology.
This is actually something of a misnomer. The Secure Sockets Layer (SSL) protocols have largely been replaced by the Transport Layer Security (TLS) protocols, but, by convention, we continue to use the term "SSL."
With SSL technology, we enable secure communication, identity verification, and ultimately trust between businesses. SSL technology does not exist in a vacuum, though. Information security is a multifaceted challenge that requires coordination of a variety of security measures, so this guide will examine the business and technical practices that weaken security as well as best practices for improving information security.
Before delving into the details of today's cybercrime environment, let's dispel any last semblance of malware, hacking, and related activities as simply mischievous pranks or technical vandalism. Those days are gone.
Of course, there are curious, ingenious programmers experimenting with operating systems (OSs), browsers, and application software, trying to break them or use them for unintended purposes. There are also less ingenious, less skilled dabblers, known as "script kiddies," who use tools provided by their more technically advanced colleagues. The former group is not a significant threat as long as their work is not let loose into the wild; the latter are not much of a threat because much of their tool-generated malware is easily detected and contained by today's antivirus systems. More significant threats come from attackers with a different set of motives.
Cybercrime is a blanket term that covers a broad range of crimes and malicious activities that can adversely impact a business's operations and even its long-term viability. Forms of cybercrime include:
Information technology (IT) has radically changed the way criminals can commit crimes, and this exposes businesses to new types of threats. Of course, employees could steal trade secrets in the past by stuffing copies of documents into their briefcases. It is difficult to imagine one man stealing $1 billion worth of secrets using only a copier and a briefcase.
One thing to keep in mind about cybercrime is that the same IT that makes businesses more efficient and able to do more with less also allows cybercriminals to do more with less. IT professionals, fortunately, have the tools and practices to mitigate these risks. The purpose of this guide is to provide some guidance on which tools, such as SSL certificates, and practices, such as identity management, are appropriate for specific circumstances. Another thing to keep in mind about cybercrime is that the patterns of organization that have helped businesses, industries, and even global markets grow and succeed are now used to extend the reach and impact of cybercrime.
Several things that have made modern markets so successful—such as division of labor, specialization, brokers, and exchanges that bring buyers and sellers together—are emerging in the world of cybercrime as well. In 2006, Assistant Director Brian Nagel of the U.S. Secret Service's Office of Investigations observed:
More recently, Kilian Strauss, of the Organisation for Security and Cooperation in Europe (OSCE) observed how difficult it is to keep up with the pace of innovation in cybercrime:
Cybercrime is now functioning like an industry. Like other industries, this one is profit driven, so patterns that work for businesses, such as outsourcing specialized services, forming markets to exchange goods and services, and countering competitive threats, will be found in cybercrime. As a first step to understanding this "industry," we need to understand the specialists that constitute the major actors, such as:
Each of these actors plays a critical role in current‐day cybercrime. Without any one of them, the nature of today's cybercrime would be significantly altered.
Figure 1.1: Cybercrime has evolved to support a complex mix of different skills and services much like legitimate businesses.
Malware developers are the innovators that produce the new tools for the cybercrime industry. These software creators are the source of viruses, worms, Trojan horses, bots, rootkits, and other exploits. Given the financial motivation of cybercriminals, the malware that is in greatest demand is that which can lead to financial gain, including the ability to steal:
There is a specialization of labor in cybercrime, so it is not surprising that malware developers are not necessarily using their own software. That is left to others, such as bot herders and spammers.
A bot, also known as a zombie, is a computer under the control of someone other than its legitimate user. Put a group of bots together and you have a botnet.
Figure 1.2: A botnet is a collection of compromised computers controlled by a bot herder. The most resilient botnets do not depend on a single server for command and control; rather, they use more distributed communication methods and employ recovery techniques so that a bot can work with other bots should the ones it had been working with become unavailable.
Viewed dispassionately, botnets are highly useful distributed systems. They provide on-demand computing and networking services to the people that control them. They can generate phishing lures and send those lures to millions of email recipients, or launch denial of service (DoS) attacks to disrupt business or government operations. The legitimate business world has an analog of botnets in the form of cloud computing.
Cloud services provide (legitimately) on-demand computing resources, storage, and networking for specialized projects or ongoing business operations. Amazon's S3 storage service and EC2 computing service are probably the best known examples of cloud services. The reason botnets are popular in cybercrime is the same reason cloud computing is of growing interest to business: little or no capital investment is required, ongoing operational costs are minimized, and you can scale rapidly to meet peak demand without having to maintain peak capacity during less demanding periods.
The resiliency of botnets became clear recently. In a well-publicized counterattack against spammers in November 2008, the Internet service provider (ISP) that had been hosting command and control servers for the 450,000-bot Srizbi botnet cut off service to the bot herder. For several days, there was guarded hope that this might put a dent in the amount of spam generated, but that hope was short lived. The botnet developers had planned for such a contingency, and the bots were able to re-establish communication with new command and control servers.
Spam is not the only way to make money with botnets; launching DoS attacks is another revenue stream. In one case, a Michigan businessman was sentenced to 30 months in prison for conspiring with a bot herder to disrupt competitors' business by launching DoS attacks against their Web sites and online sales servers. Other businesses using the same ISP that hosted the victim were also adversely affected. These included a major online retailer, banks, and a communications and data services company.
How big is the botnet problem? In 2007, 10% of online computers were infected by malware and by the end of 2008, that number is expected to have grown to 15%, according to researchers at the Georgia Tech Information Security Center.
Although most of us will not have much direct contact with malware developers and bot herders, we are all too familiar with the products of spammers and phishers. If we can say anything positive about these purveyors of unwanted and unsolicited email, it is that they are persistent, they are efficient, and they are effective.
The constant deluge of junk email arriving in our inboxes and content-filtering systems is a testament to spammers' persistence. The problem shows no signs of abating and, given the resiliency of botnets like Srizbi and the expected increase in the size of botnets, it is prudent to assume that spamming and phishing are with us for the long term.
We can deduce the efficiency and effectiveness of spammers from the fact that they choose to continue to operate. The low cost of spamming means that minuscule response rates can still yield a profitable business model. In the case of phishing, we can deduce that the extra time and effort to create smaller, targeted attacks, known as "spear phishing," pay off as well.
Some attacks are launched at a broad pool of potential victims; the attackers are trawling with wide nets to catch as much as possible. Other attacks are more targeted and seek to victimize a single business. Some examples of this include:
Hackers and data thieves can use many different techniques to compromise corporate computers. Vulnerability scanners can probe networks and the devices on them, looking for unpatched software that can be exploited to gain elevated privileges or access to otherwise restricted data. Information sent unencrypted over wireless networks may be picked up by eavesdroppers. Poorly designed Web applications may expose databases to SQL injection attacks that leak private and confidential data. Weak passwords and default passwords can leave servers and network devices vulnerable to dictionary attacks. With so much valuable data within business systems and so many ways to launch targeted attacks, it is not surprising that criminals have seized this opportunity.
Markets depend on buyers and sellers being able to efficiently find each other. Brokers facilitate this process in many markets and cybercrime is once again following tried and true patterns of business. Cybercriminals who have managed to steal valuable data can sell it through collaborative systems such as underground forums.
Figure 1.3: Attackers can exploit multiple types of vulnerabilities on desktops, servers, databases, applications, and networks to steal private and confidential business data.
Some security researchers monitor communication channels as well as other indicators of overall cybercrime activity, and have observed patterns that indicate an upturn in cybercrime activity. For example:
Clearly, cybercriminals are adapting to new opportunities presented by the changing economic landscape. There are likely multiple reasons for the increase, on both the supply and the demand side. The global downturn leaves fewer legitimate opportunities for computer professionals, some of whom may be turning to cybercrime. Victims looking to make up for lost income can be easy prey for phishers and other scammers. Along with the increase in volume of attacks, there is an increase in sophistication of attacks.
From late 2007 to early 2008, a major supermarket chain was subject to a sophisticated data breach that netted more than 4 million credit and debit card numbers for the attackers. Servers in 300 stores of the Hannaford Bros. chain were infected with malware that intercepted credit card data and sent it to servers outside the country. Unlike other well-publicized data breaches, Hannaford Bros. was not storing more data than allowed under industry rules, and the company was in compliance with Payment Card Industry (PCI) standards.
The problem was that data was captured as it was transmitted from the point-of-sale device to the transaction-processing service. This example shows that data breaches can still occur even when a company is in compliance with industry standards. Even when data is transmitted on trusted networks, encrypting it in transit using SSL technologies can mitigate the risk of this type of attack.
Cybercrime is evolving and becoming more dangerous. It is useful to think of cybercrime as an industry, with the same division of labor, service-provider models, and drive for efficiency and revenue growth seen in legitimate businesses. We also need to keep in mind that compliance with regulations is only a minimal set of requirements for securing business information. Malware developers, bot herders, spammers, phishers, and other attackers have demonstrated that they can and will develop new techniques to bypass security countermeasures.
Now that we have highlighted some of the structural characteristics of the cybercrime industry, let's turn our attention to the business targets of its attacks.
Businesses have primarily two assets of value to cybercriminals: information and computing resources. Both are actively sought after in the cybercrime underground economy.
Information is in many ways an ideal target for criminals. It is intangible, so you do not need to be in physical proximity to the information to steal it. There are many ways to hide your identity and eliminate traces of malicious activity. Perhaps best of all, large amounts of valuable information tend to be stored in centralized repositories, such as databases, or transmitted across common paths, such as from a point-of-sale system to a transaction-processing server. In such cases, it takes only marginally more effort to steal thousands or even millions of credit card numbers than it does to steal one or two.
Three types of information of value to cybercriminals are:
Identity information is the key to successfully committing identity theft. The object of identity theft is to commit fraud using the credit profile of the victim. Identity theft victims may find fraudulent bank withdrawals, new accounts opened in their names, and even bankruptcy filed in their names. Specialized forms of identity theft can wreak even more havoc on victims. Medical identity theft, for example, occurs when someone uses another person's identity to obtain medical treatment or medical goods, or to collect payment for them. In addition to the usual credit problems that follow identity theft, these victims may have to correct inaccurate medical records. The ripple effects of identity theft can include complications with taxpayer records that need to be resolved with the Internal Revenue Service (IRS).
Credit card and bank account fraud is big business. One study found that almost one third of all advertisements in a cybercrime forum were for credit card data. In 2008, the FBI and other international law enforcement agencies shut down one forum, known as Dark Market, that had at its peak 2500 registered members. The forum was notorious as a market for credit card data, login credentials, and even some equipment used in financial crimes. Breaking up that one forum resulted in 56 arrests and prevented $70 million in losses due to fraud.
Identity theft and credit card fraud are well‐publicized aspects of cybercrime, so much so, that one might think cybercrime is primarily a problem for banks, retailers, and others with high volumes of consumer financial transactions. That is certainly not the case.
Trade secrets and other intellectual property are not the commodity products of cybercrime the way credit card and bank account data are, but they can still be highly valued targets. Consider some examples of cybercrime involving proprietary information:
Cybercrime provides a means to avoid the high cost of research and development in intellectual-capital-intensive industries. It is not surprising that even within legitimate businesses, there are those who will turn to cybercrime or use IT systems in the course of their intellectual property theft.
When you consider the cost businesses incur to purchase and maintain IT infrastructure, it becomes clear why cybercriminals would have an interest in stealing computing assets.
Just as in legitimate businesses, cybercrime operators need to be able to ensure:
Botnet malware and bot herders are integral parts of acquiring and maintaining a cybercrime infrastructure. As noted earlier, botnets are designed to avoid single points of failure and to gracefully degrade and ultimately recover in response to isolated failures. The more sophisticated botnets also use blended threats to detect bots belonging to competitors' botnets, disable the competing bot software, and add the machine to their own botnet. The benefit of well-designed bot software is a virtually free IT infrastructure; there are none of the typical support costs, including power, hardware maintenance, service support, rent, software licensing, and so on.
As a baseline for the value of botnets, we can look to a legitimate provider of on-demand computing and storage: Amazon. The Amazon Simple Storage Service (S3) and Elastic Compute Cloud (EC2) provide customers with long-term storage and computing services at costs often below what small organizations, such as business IT departments, can achieve on their own. Nonetheless, there are costs.
Businesses are attractive targets for cybercriminals. They have valuable commodity data, such as credit card and bank account information and identity information sufficient to enable identity theft, as well as proprietary information that may be of value to less scrupulous competitors. Businesses also have well-managed computing infrastructures with the computing, storage, and networking services needed in the cybercrime economy. The business consequences of cybercrime include the immediate effects of data breaches and related attacks as well as subtler and sometimes underappreciated impacts on the business.
Headlines about security breaches and data losses at major retailers, banks, and government agencies certainly do get attention, especially when costs are mentioned. The full cost of poor security is not captured even in these attention‐grabbing incidents. They are more like the proverbial tip of the iceberg than a reflection of the full impact of weak security measures. To understand the full extent of cybercrime's adverse impact on business, we should consider the obvious as well as the less obvious consequences.
The cost of poor security is apparent after a security breach. Consider a fictional but representative example. Suppose a disgruntled employee has decided that he has been underpaid and mistreated by his employer. To compensate himself, he decides to capture customer credit card data as it moves across the network. This employee has access to internal systems, so this task is not a problem, especially because this type of data is encrypted only when it is sent outside the trusted network. After the employee collects a sufficient amount of credit card data, he copies the data to his iPod, heads home, and posts an advertisement on a cybercrime forum. If he is successful, he will earn a couple of dollars for each account.
Now it is time to tally up the costs to the business:
These costs could have been avoided with the use of SSL technologies to encrypt communication between servers and endpoint devices.
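The Hannaford breach and the disgruntled-employee scenario above share one weakness: card data crossed an internal network in the clear. The following Go program is an added example, not code from this guide or from any vendor it mentions, showing what "encrypting communication between servers and endpoint devices" buys. It stands up a loopback TLS server that plays the transaction-processing service (the host name `pos.example.test`, the `PAN=...` payload, and the in-memory self-signed certificate are all constructed for the example; a real deployment would use a CA-issued certificate). A wiretap wrapped around the raw TCP socket records what an eavesdropper on the internal network would capture, and two clients are run against the server: one that trusts the server's certificate, which completes the exchange without the card number ever appearing on the wire, and one that does not, which refuses to send anything because the server's identity cannot be verified.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds an in-memory server certificate for host plus a trust
// pool containing it. A production server would use a CA-issued certificate;
// generating one here keeps the example runnable offline.
func selfSignedCert(host string) (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // clients match ServerName against the SAN, not the CN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	parsed, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(parsed)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// wireTap wraps the server's raw TCP connection and records every byte read
// from it, playing the part of a sniffer sitting on the internal network.
type wireTap struct {
	net.Conn
	seen bytes.Buffer
}

func (w *wireTap) Read(p []byte) (int, error) {
	n, err := w.Conn.Read(p)
	w.seen.Write(p[:n])
	return n, err
}

// exchange sends payload over TLS to a loopback server that answers "ACK:"+payload.
// It returns the reply, the bytes the tap captured, and any handshake or I/O error.
func exchange(clientCfg, serverCfg *tls.Config, payload string) (string, []byte, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", nil, err
	}
	defer ln.Close()
	tap := &wireTap{}
	done := make(chan struct{})
	go func() {
		defer close(done)
		raw, err := ln.Accept()
		if err != nil {
			return
		}
		defer raw.Close()
		tap.Conn = raw
		srv := tls.Server(tap, serverCfg)
		buf := make([]byte, 1024)
		n, err := srv.Read(buf) // handshake happens here; fails if the client rejects the cert
		if err != nil {
			return
		}
		srv.Write(append([]byte("ACK:"), buf[:n]...))
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg) // verifies the server identity
	if err != nil {
		<-done
		return "", tap.seen.Bytes(), err
	}
	defer conn.Close()
	buf := make([]byte, 1024)
	var n int
	if _, err = conn.Write([]byte(payload)); err == nil {
		n, err = conn.Read(buf)
	}
	<-done
	return string(buf[:n]), tap.seen.Bytes(), err
}

func main() {
	const host = "pos.example.test" // assumed name of the transaction-processing server
	cert, pool, err := selfSignedCert(host)
	if err != nil {
		panic(err)
	}
	serverCfg := &tls.Config{Certificates: []tls.Certificate{cert}}
	payload := "PAN=4111111111111111;EXP=1230" // constructed sample, not a real card
	// Client that trusts the pinned certificate: the reply arrives and the card number never crosses the wire in clear.
	reply, wire, err := exchange(&tls.Config{RootCAs: pool, ServerName: host}, serverCfg, payload)
	fmt.Printf("trusted client: reply=%q err=%v cleartext on wire=%v\n",
		reply, err, bytes.Contains(wire, []byte("4111111111111111")))
	// Client that trusts only the system roots: the handshake fails before any card data is sent.
	_, _, err = exchange(&tls.Config{ServerName: host}, serverCfg, payload)
	fmt.Println("untrusted client: err =", err)
}
```

The second client is the identity-verification half of the SSL story: the server still offers encryption, but because the client cannot tie the certificate to a trusted authority it aborts rather than hand card data to a machine that may be an impostor. Pointing the trusted client at a different `ServerName` fails the same way, since the name the client expects must match the certificate's subject alternative name.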
Not all costs are as obvious as those related to data breaches and associated regulation violations. The less obvious costs come in the form of reduced effectiveness of business operations, and in particular:
Imagine a strategy session with executives and business managers planning to overhaul a business process with partners. Someone suggests working with suppliers to offer drop shipping from their facilities rather than maintain high levels of inventory within the company's warehouses. The company could work with the suppliers to leverage their shipping and order processing systems and rebrand the supplier's Web site to look like the company's when its customers are checking shipping information. A software development manager makes some suggestions about using Web services, passing customer data to the supplier, and receiving shipping details in return. So far, so good. Then one of the more security‐conscious members of the meeting chimes in with questions such as:
Without proper security measures, such as SSL technologies for encrypting data and verifying digital identities, innovative business processes such as these might be left on the drawing board. Ultimately, if we do not protect information assets, we can expose our businesses, partners, and customers to compromise.
Day-to-day operations can be adversely affected by poor security practices. Ad hoc responses to incidents such as malware infections, and to routine needs such as patching applications, can ultimately cost more than a methodical approach. With proper asset management applications, patch management tools, and an incident response plan, businesses can respond to adverse events more effectively and efficiently.
Overall, the true cost of poor security is reflected in a combination of costs from data breaches and other security incidents and the opportunity cost of not implementing innovative procedures and processes because of fear of potential security problems. It is worth emphasizing that such fear is not unfounded; there may be significant risks to changing workflows and opening systems to work with business partners' applications when proper security measures are not in place. One of the goals of this guide is to provide you with information about techniques such as using SSL for encryption and digital identity verification to help control some of these risks.
Viruses and hacking are no longer just electronic forms of vandalism carried out by programmers demonstrating their technical prowess. Cybercrime has evolved into an industry‐like phenomenon complete with markets, specialization of services, and multiple business models for turning stolen information and computing resources into cash. For businesses to succeed and thrive in such an environment, they must manage security processes and leverage technologies such as SSL for encryption and digital identity verification. The remaining chapters of this shortcut guide will delve into details of how to accomplish this.