Cybercrime future perspectives

Isec Africa 2000: Computer Attacks - Profiling fraud and cyber crime in the future, November 2000. CYBERCRIME: Future Perspectives. Charl van der Walt, www.sensepost.com

Uploaded by sensepost, posted 15-Jan-2015


DESCRIPTION

Presentation by Charl van der Walt, Jaco van Graan and Roelof Temmingh at ISEC in 2000. The presentation begins with a discussion of commercial crime statistics and trends. Security fundamentals such as encryption and the four pillars of information security are discussed. The presentation ends with a series of discussions on the seven steps of the security process.

TRANSCRIPT

Page 1: Cybercrime future perspectives

Isec Africa 2000: Computer Attacks - Profiling fraud and cyber crime in the future

November 2000

CYBERCRIME: Future Perspectives

Charl van der Walt, www.sensepost.com

Page 2: Cybercrime future perspectives


Commercial Crime

• Commercial crime up 3.5% from last year

– R 3.4 billion in the first half of '99 alone

• 84.3% of cases involved fraud

– 25,000 incidents

– R 2.9 billion

• Gauteng ranks first for commercial crime

• www.saps.org.za

SECURITY TRENDS & STATISTICS

Page 3: Cybercrime future perspectives


Computer Crime

• 61% of the organizations surveyed have experienced losses due to unauthorized computer use.

• The average loss resulting from security breaches in all categories was approximately $1,000,000

FBI / CSI Survey, 1999

Page 4: Cybercrime future perspectives


Crime Costs Money

“Just ask Edgars, the clothing retail group, which lost more than R1m after a computer programmer brought down more than 600 stores for an entire day.”

Financial Mail - April 2000

Page 5: Cybercrime future perspectives


Computers & Commercial Crime

KPMG:

‘63% of top-level managers in South Africa rate their company's dependence on IT for the successful running of business as "Extremely High"’

Page 6: Cybercrime future perspectives


Did they have it coming?

• access control 93%

• biometrics 9%

• encrypted files 61%

• anti-virus software 98%

• reusable passwords 61%

• firewalls 91%

• encrypted log-in/sessions 46%

• physical security 91%

• PCMCIA, smart cards, one-time tokens 39%

• intrusion detection 42%

• digital IDs, certificates 34%

FBI / CSI Survey, 1999

Page 7: Cybercrime future perspectives


Threat Distribution - USA

• Theft of proprietary info 20%

• Sabotage of data or networks 15%

• Telecom eavesdropping 10%

• System penetration by outsider 24%

• Insider abuse of net access 76%

• Financial fraud 11%

• Denial of service 25%

• Virus contamination 70%

• Unauthorized access to info by insider 43%

• Telecom fraud 13%

• Active wiretapping 2%

• Laptop theft 54%

Page 8: Cybercrime future perspectives


Threat Distribution - RSA

• Some form of breach 89%

• Virus incident 87%

• Theft of equipment 80%

• E-mail intrusion 27%

• Loss of company documents 12%

• Breach of confidentiality 8%

• External systems attack 8%

• Internal systems attack 6%

Page 9: Cybercrime future perspectives


The value of statistics

• What we know:

– There is a threat to our Information Resources

– The threat has direct financial implications

– The threat is growing

– A large part of the threat is internal

– There are a number of distinguishable trends

• What we don’t know:

– How accurate are the statistics?

– Are international statistics relevant in SA?

– Are international solutions relevant in SA?

– What does this all mean to me?

You need to determine your own unique risk profile

Page 10: Cybercrime future perspectives


Determining your own risk

• What is Risk?

– Valuable resources + exploitable technology

• What is “Secure”?

– When the financial losses incurred are at an acceptable level

• Your “Risk-Profile”:

– The value of your Information

– The degree of technological vulnerability

– A level of loss that is acceptable to you

Unique to your organisation. Today.

Page 11: Cybercrime future perspectives


Trends in IT security

• There is a continual phase shift in security risks

• And in security solutions

• In the beginning

– Physical Attacks

• Yesterday

– Network Attacks

• Today

– Application Attacks

• The industry is typically technology driven, not problem driven.

Can we afford to follow the ‘solutions’ trend?

Page 12: Cybercrime future perspectives


Future Threats

• Denial of Service

– Distributed

– Anonymous

– Depends on 3rd parties to solve

– Directly impacts the “e” world

• Trojans & Worms

– Stealthy

– Remote Controlled

– Fetch Model

• Corporate Backdoors

– How will we ever know?

• Semantic Attacks

Page 13: Cybercrime future perspectives


Determining your own risk

The magnitude of the risk is a product of the value of the information and the degree to which the vulnerability can be exploited.

Page 14: Cybercrime future perspectives


Understanding the Internet

INFORMATION SECURITY FUNDAMENTALS

Charl van der Walt

• Host

• Network

• LAN

• WAN

• Internet

• Protocol

• IP

• Packet

• Server / Service

• Port

Page 15: Cybercrime future perspectives


Four Pillars of Information Security

• Access Control

– Control who may and who may not access data

• Confidentiality

– Ensure data is viewed only by intended audience

• Integrity

– Ensure data is not changed by unauthorized parties

• Authenticity

– Ensure that data originated where you think

• #5 - Availability

– Ensure data is there when you need it

Page 16: Cybercrime future perspectives


Security Control Methods

• Information Security Policy

• Sound system design

• Access Control

– Physical

– Network

– Operating System

– Application

• Encryption

• Audit and Review

Page 17: Cybercrime future perspectives


More about Encryption

• Encrypt

– Convert information into unreadable format

• Crypto-Text

• Decrypt

– Change data back to normal format

• Clear-Text

• Algorithm

– Steps followed to encrypt or decrypt the information

• Key

– Secret shared between parties

• Key Length

– An indication of how hard the key is to guess

Page 18: Cybercrime future perspectives


Still more about Encryption

• Public Key Cryptography

– A special type of encryption using a key pair

• Private Key

– Kept strictly secret

• Public Key

– Published with a Certificate

• Certificate

– A way of linking your Key to your Identity

• Certificate Authority (CA)

– Responsible for verifying the Certificate

• Public Key Infrastructure (PKI)

– Structures needed to make the process work

Page 19: Cybercrime future perspectives


Security Technologies

• Firewalls

– Network Level

– Application Level

– Content Level

• Authentication Systems

– Something you know

– Something you have

– Something you are

• Encryption Protocols

– SSH

– SSL

– IPSec

• Intrusion Detection Systems

Page 20: Cybercrime future perspectives


Security Products

• Firewalls

– Check Point FW-1 (www.checkpoint.com)

– NAI Gauntlet (www.nai.com)

– Linux IPchains (www.linux.org)

• Authentication Systems

– RSA SecurID (www.rsa.com)

– Aladdin eToken (www.aks.com)

• Encryption

– Windows EFS

– Trispen IPGranite (www.trispen.com)

• Intrusion Detection Systems

– AXENT Netprowler (www.axent.com)

– SNORT (www.snort.org)

Page 21: Cybercrime future perspectives


Content removed

Page 22: Cybercrime future perspectives


SECURITY DEMONSTRATED

SECURITY DEMO

1. A server is connected to the Internet.

2. Passwords are used to restrict access to the MS file service.

Roelof Temmingh

Page 23: Cybercrime future perspectives


SECURITY DEMONSTRATED

3. A firewall is used to restrict server access to the web service port - 80.

Page 24: Cybercrime future perspectives


SECURITY DEMONSTRATED

4. An IDS is used to detect and report on attempted attacks on the web server.
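The four-step demo set-up above (Internet-facing server, password-protected MS file service, firewall admitting only port 80, IDS reporting attempts against the web server), simulated in Python as an added example that is not part of the original slides. The packet records, the traversal markers and the probe threshold are constructed for the example, and the file-service port 139 is the NetBIOS session port the MS file service normally listens on.

```python
"""Simulation of the security demo: a default-deny firewall that admits only TCP/80,
and an IDS that reports signature hits on web requests and port-probing sources.
All traffic below is constructed; addresses are RFC 5737 documentation addresses."""
from collections import defaultdict

WEB_PORT = 80
FILE_SERVICE_PORT = 139   # NetBIOS session port of the MS file service from step 2
# Constructed request signatures the IDS reports on (path traversal, overlong request).
TRAVERSAL_MARKERS = ("../", "..\\", "%2e%2e")
MAX_REQUEST_BYTES = 512


def firewall_allows(packet: dict) -> bool:
    """Step 3: default deny; only inbound TCP to the web service port reaches the server."""
    return packet["proto"] == "tcp" and packet["dport"] == WEB_PORT


def inspect_request(src: str, payload: str):
    """Step 4: signature checks on traffic the firewall let through to the web server."""
    lowered = payload.lower()
    if any(marker in lowered for marker in TRAVERSAL_MARKERS):
        return {"type": "signature", "src": src, "detail": "path traversal in request"}
    if len(payload.encode()) > MAX_REQUEST_BYTES:
        return {"type": "signature", "src": src, "detail": "overlong request"}
    return None


def ids_report(packets, probe_threshold: int = 3) -> dict:
    """Run the firewall policy over the packets and build the IDS report: allowed and
    denied counts, signature alerts on web requests, and a 'probe' alert for every
    source the firewall blocked on at least probe_threshold distinct ports."""
    blocked_ports = defaultdict(set)
    alerts, allowed, denied = [], 0, 0
    for pkt in packets:
        if firewall_allows(pkt):
            allowed += 1
            alert = inspect_request(pkt["src"], pkt.get("payload", ""))
            if alert:
                alerts.append(alert)
        else:
            denied += 1   # the firewall log is the IDS's second input
            blocked_ports[pkt["src"]].add((pkt["proto"], pkt["dport"]))
    for src, ports in sorted(blocked_ports.items()):
        if len(ports) >= probe_threshold:
            alerts.append({"type": "probe", "src": src,
                           "detail": f"blocked on {len(ports)} ports: {sorted(p for _, p in ports)}"})
    return {"allowed": allowed, "denied": denied, "alerts": alerts}


# Constructed traffic sample: one ordinary visitor, one source that sweeps closed
# ports and then sends a traversal request to the one port that is open.
SAMPLE_PACKETS = [
    {"src": "203.0.113.5", "proto": "tcp", "dport": 80, "payload": "GET / HTTP/1.0\r\n"},
    {"src": "203.0.113.5", "proto": "tcp", "dport": 80, "payload": "GET /index.html HTTP/1.0\r\n"},
    {"src": "198.51.100.7", "proto": "tcp", "dport": FILE_SERVICE_PORT},
    {"src": "198.51.100.7", "proto": "tcp", "dport": 23},
    {"src": "198.51.100.7", "proto": "tcp", "dport": 21},
    {"src": "198.51.100.7", "proto": "tcp", "dport": 80, "payload": "GET /../../etc/passwd HTTP/1.0\r\n"},
    {"src": "198.51.100.7", "proto": "udp", "dport": 80},
]

if __name__ == "__main__":
    report = ids_report(SAMPLE_PACKETS)
    print(f"allowed={report['allowed']} denied={report['denied']}")
    for alert in report["alerts"]:
        print(f"[{alert['type']}] {alert['src']}: {alert['detail']}")
```

Note that the firewall alone never sees the traversal request as hostile: it is valid traffic to the allowed port, which is why the demo adds the IDS as step 4.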

Page 25: Cybercrime future perspectives


Proactive or Reactive?

THE INFORMATION SECURITY PROCESS

Jaco van Graan

Proactive:

• Locate weaknesses

• Controls in place

• LT cost effective

Reactive:

• No or weak controls

• Try to plug security holes

• Least effective

• Costly

Page 26: Cybercrime future perspectives


The Process…

1. Threat/Risk Analysis

2. Security Policy Creation

3. Planning

4. Policy Enforcement/Implementation

5. Monitor & Manage

6. Intrusion detection

7. Security Audit

Page 27: Cybercrime future perspectives


Threat/risk Analysis

• Value your assets (information/reputation).

• Determine the acceptable level of loss.

• Some losses will inevitably occur.

– Eliminating ALL losses would be either too costly or impossible.

• The level of acceptable losses needs to be set

– it dictates how much you are willing to spend on security.

• Set a time period for the acceptable losses.
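The risk model from the "Determining your own risk" slides (risk magnitude = value of the information times the degree to which the vulnerability can be exploited) combined with the threat/risk analysis step above (acceptable loss, set for a time period, dictating the security spend), worked through in Python as an added example that is not part of the original slides. The assets and figures are constructed, the per-asset incident rate is an assumed input the slides do not mention, and reading "justified spend" as the amount by which expected loss exceeds the acceptable loss is this example's interpretation of the slide.

```python
"""Risk profile: per-asset risk magnitude (value x exploitability), expected loss over the
period the acceptable-loss figure was set for, and the spend that the gap justifies.
All assets, values and rates below are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: float               # value of the information, same currency as the loss tolerance
    exploitability: float      # 0.0 (not exploitable) .. 1.0 (trivially exploitable)
    incidents_per_year: float  # assumed expected exploitation attempts per year (not on the slides)


def risk_magnitude(asset: Asset) -> float:
    """Slide rule: risk = value of the information x degree to which it can be exploited."""
    if not 0.0 <= asset.exploitability <= 1.0:
        raise ValueError(f"{asset.name}: exploitability must lie within 0..1")
    if asset.value < 0:
        raise ValueError(f"{asset.name}: value must not be negative")
    return asset.value * asset.exploitability


def expected_loss(asset: Asset, period_years: float) -> float:
    """Loss to expect over the period the acceptable loss was set for.
    Assumption: incidents arrive at a steady annual rate, so loss scales with time."""
    return risk_magnitude(asset) * asset.incidents_per_year * period_years


def risk_profile(assets, acceptable_loss: float, period_years: float) -> dict:
    """The organisation's own risk profile: assets ranked by expected loss, the total
    compared with the acceptable loss, and the spend on controls that gap justifies
    (assumed: spend is justified up to expected loss minus acceptable loss)."""
    ranked = sorted(((a, expected_loss(a, period_years)) for a in assets),
                    key=lambda pair: pair[1], reverse=True)
    total = sum(loss for _, loss in ranked)
    return {
        "period_years": period_years,
        "acceptable_loss": acceptable_loss,
        "total_expected_loss": total,
        "within_tolerance": total <= acceptable_loss,
        "justified_spend": max(0.0, total - acceptable_loss),
        "assets": [
            {"name": a.name, "risk_magnitude": risk_magnitude(a), "expected_loss": loss,
             "share": (loss / total) if total else 0.0}
            for a, loss in ranked
        ],
    }


# Constructed sample inventory (figures in rand, made up for the example).
SAMPLE_ASSETS = [
    Asset("customer database", value=2_000_000, exploitability=0.30, incidents_per_year=0.5),
    Asset("public web site", value=50_000, exploitability=0.80, incidents_per_year=2.0),
    Asset("payroll system", value=800_000, exploitability=0.05, incidents_per_year=1.0),
]


def print_report(profile: dict) -> None:
    print(f"Period: {profile['period_years']} year(s); acceptable loss R{profile['acceptable_loss']:,.0f}")
    for row in profile["assets"]:
        print(f"  {row['name']:<18} risk R{row['risk_magnitude']:>10,.0f}  "
              f"expected loss R{row['expected_loss']:>10,.0f}  ({row['share']:.0%})")
    verdict = "within tolerance" if profile["within_tolerance"] else "exceeds tolerance"
    print(f"Total expected loss R{profile['total_expected_loss']:,.0f}: {verdict}; "
          f"spend on controls justified up to R{profile['justified_spend']:,.0f}")


if __name__ == "__main__":
    print_report(risk_profile(SAMPLE_ASSETS, acceptable_loss=100_000, period_years=1.0))
```

Ranking by expected loss rather than by asset value is the point of the exercise: the payroll system is worth far more than the web site, but its low exploitability puts it last.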

Page 28: Cybercrime future perspectives


Security Policy

• Practical, understandable.

• Control document.

• Communicated.

• Endorsed by management.

• Applies to all users of infrastructure.

• Gives security administrator a mandate.

A security policy helps to define what you consider to be valuable, and it specifies what steps should be taken to safeguard those assets.

Page 29: Cybercrime future perspectives


Planning

• Enforcement of controls - security policy

• Select products to ensure compliance

• Determine required implementation and maintenance skills

• Evaluate impact on business

Page 30: Cybercrime future perspectives


Planning

• Resources

– People

– Time

– $$$

• Evaluate possible security partner

– Experience: references

– Financial backing

– Trust relationship

– Support: training/skills transfer/SLAs

– Product range

Page 31: Cybercrime future perspectives


Implementation

• Remember your exposure!

• Security partner?

• Schedule change control - security policy

• Inform all users / business partners

• Ensure skill level of implementers

• Roll-back plan

Page 32: Cybercrime future perspectives


Manage & Monitor

• Physical audit of infrastructure

• Responsibility handover

– Security alerts, advisories, bug fixes

– Equipment load

– Configuration changes

• Catch ‘em! (If you can…)

Page 33: Cybercrime future perspectives


Internal & External Audit

• Collect and evaluate evidence to determine whether a computer system:

– safeguards assets.

– maintains data integrity.

– allows the goals of an organisation to be achieved efficiently and effectively.

• Security policy as control document.

• International standards: SAS 70; BS 7799.

Page 34: Cybercrime future perspectives


Internal Audit

• Compare to internal audit division.

• Independence, thus not involved in implementation or operations.

• Report to IT manager.

Page 35: Cybercrime future perspectives


External Audit - Evaluation

• Organisation

– Independence

– References

– Experience

– Certification

– Cost

– Ethics

– Services offered

– Backing: subsidiary/insurance

Page 36: Cybercrime future perspectives


External Audit - Evaluation

• Methodology

– Certification/benchmark

– Audit plan

– Execution according to plan

– Report

– Recommendations & resolution

Page 37: Cybercrime future perspectives


External Audit - Evaluation

• Resources

– Business skills

– Experience: qualification; certifications; bodies

– Individual background

• The brief… How; What; Where?

– Type: logical; physical or social

– Restrictions / conditions

– Internal / external

Page 38: Cybercrime future perspectives


External Audit - Evaluation

• Toolbox.

– Tool combinations: wider vulnerability exposure.

– Proprietary or off the shelf.

• Confidentiality.

Page 39: Cybercrime future perspectives


Intrusion Detection

• If all else failed…

• Regular updates.

• Follow up of intrusion attempts.

• Play it again, Sam.

Page 40: Cybercrime future perspectives


Adjust Security Policy

• Recommendations from internal & external audits.

• New business requirements.

Page 41: Cybercrime future perspectives


Definition

INFORMATION SECURITY CERTIFICATION

Charl van der Walt

The evaluation of the security of a computer system by a recognised third party.

If the system being tested meets all the criteria it receives certification (also called accreditation) which is an indication of the level of security of the system being tested.

Page 42: Cybercrime future perspectives


Objective

• To enforce structure on your security program

• A means of assessing your own security

• A means of measuring against best-of-breed

• A means of convincing others of your security

Page 43: Cybercrime future perspectives


Leading Standards

• BS 7799

– British Standards Institute

– Outlines 10 controls that must be addressed

– Uses the c:cure program for accreditation

– www.bsi.org.uk / www.bsi.org.za

– www.c:cure.org

• TCSEC – Trusted Computer System Evaluation Criteria

– “Orange Book”

– Published by the US National Security Agency

– Defines different ‘Levels’ of trust

• Minimal -> Formally Proven

– www.radium.ncsc.mil/tpep

Page 44: Cybercrime future perspectives


Leading Standards

• ITSEC – Information Technology Security Evaluation Criteria

– Recognised by most European countries

– Concentrates on product evaluations

– Defines different levels (E0 - E6)

– www.itsec.gov.uk

• CCITSE – Common Criteria for IT Security Evaluation

– Joint American / European Evaluation Standard

– Successor to TCSEC and ITSEC

– Defines ‘levels’ similar to TCSEC, but more flexible

• Protection Profiles

– http://csrc.nist.gov/cc/

Page 45: Cybercrime future perspectives


Leading Standards

• ISO / GMITS – Guidelines to the Management of IT Security

– Published by the JTC

• Joint Technical Committee of ISO and IEC

– www.iso.ch

– www.diffuse.org/secure.html

• COBIT – Control Objectives for Information and Related Technologies

– Information Systems Audit and Control Association

• ISACA

– ‘Business Oriented & Practical’

– www.isaca.org

Page 46: Cybercrime future perspectives


Leading Standards

• ICSA – International Computer Security Association

– Commercial venture represented world-wide

– Product certification and security assurance services

• TrueSecure

– Internet focused

– www.icsa.net

• Ernst & Young SAS70 – Statement of Auditing Standards # 70

– American version of a similar international standard

– Specifically for the outsourced environment

– Business focused

– www.ey.com

Page 47: Cybercrime future perspectives


Is Certification for you?

• Yes, if:

– You’re a large corporation

– You’re publicly owned

– You offer IT-based services to clients

– You have legal obligations

– You’re comfortable with formal processes

• No, if:

– You have a small, manageable infrastructure

– Your only responsibility is to yourself

– You have an informal culture and strong skills

– You believe certification will make you secure

Page 48: Cybercrime future perspectives


Choosing the right standard

• Recognition

– Respect in your target market

• Focus

– Support for your own security objectives

• Local Presence

– A program that can be certified in SA

• Total cost

– Good return on investment

• Overhead

– Reasonable implementation time and life-span

• Impact

– A tangible effect on your systems

Page 49: Cybercrime future perspectives


THE BOTTOM LINE

1. Take security seriously

2. Don’t panic!

3. Value your information

4. Evaluate your risk

5. Be requirement driven, not technology driven

6. Enable your business

Jaco van Graan