The Eighth Annual Conference Thurs. Break-out Session Richard Henson – Cybercrime – Latest Developments February 2014 Tally Ho Conference Centre, Birmingham

Hacking, Consumers, and Business in the Hyperconnected World

Richard Henson Worcester Business School

[email protected] http://staffweb.worc.ac.uk/hensonr

February 2015

The Hyperconnected World

networks, social media, Skype, VOIP, Cloud, BYOD, Internet of Things…

Where does the Small Business fit in?

Hackers may be after corporate data, but don’t bother with SMEs… right? No, wrong, very wrong…

Hackers use weak security in SMEs to get at large businesses, or government…

And the Consumer

Being driven online for financial transactions

Has to send sensitive data through the Internet… potentially DANGEROUS!

Most self-taught: many myths and untruths. Cyber security specialists screaming “be careful…” but few listening!

High Level Threat: The Reality

(diagram: hacker; Internet… (800+ million Gateways!); Corporate/UK critical infrastructure)

No Joke! Known to US government for some years… In 2007, hackers exploited vulnerabilities to access/copy technical data of a US govt. fighter jet via networks with supply chain partners. Reported in 2009; prototype Chinese fighter, 2011.

In 2009, “Night Dragon” threatened US energy networks: http://www.nextgov.com/nextgov/ng_20090421_4305.php

US government response...

Conclusion (US gov, 2009): “…there needs to be a new-order requirement on companies doing business with the federal government.”

Public-private initiative: VP of McAfee wrote the strategy: http://www.inboundlogistics.com/cms/article/security-guard-questions-and-answers-with-dennis-omanoff/#sidebar1

If this could happen in the US… UK’s critical infrastructure also potentially under threat… from its business partners!

Information assurance scheme developed locally… IASME meets requirements of Cyber Essentials

New government certification: greater security in govt. supply chain…

Impact of Cyber Essentials on SMEs…? From October 2014: “sensitive” govt. contracts!

SMEs, and being hijacked!

SMEs, and even larger businesses, often don’t even know it’s happening… http://www.deloitte.com/view/en_GB/uk/services/audit/enterprise-risk-services/aaeeeb6f047b3310VgnVCM2000001b56f00aRCRD.htm

Features of this hack: keyloggers… malware via email attachment… others?

Why are businesses caught out…?

Why didn’t they detect the intrusion?

What should they have done to prevent their network being hijacked?

Which UK laws will have been broken?

How could they educate their employees?

How could they make sure employees take notice?

The first big corporate hack…

TKMax hack started in 2005; still in business today… OK then?

Academic longitudinal study in 2012, from first penetration to final compensation payout

TKMax Study

July 2005: First breach, possibly started in Minnesota
September 2005: Second intrusion
September 2005: TJX plans to upgrade their wireless encryption.
October 2005: TJX begins upgrading their wireless encryption software.
November 2005: Fidelity Homestead (Louisiana savings bank) customers started noticing fraudulent transactions from Wal-Mart in Mexico.
January 2006: Fidelity Homestead discovers bogus purchases from various stores in California.
Fall 2006: $8 million worth of merchandise is purchased at various Wal-Mart stores in Florida.
May–December 2006: Third intrusion
September 29, 2006: TJX receives an audit report stating that they are not complying with Visa and MasterCard standards.
November 2006: Wal-Mart discovers $8M in fraudulent purchases.
December 18, 2006: An audit finds abnormalities in TJX card processing.
December 19, 2006: TJX hires IBM and General Dynamics Corp to investigate the problem.
December 22, 2006: TJX notifies the U.S. Secret Service and other law enforcement agencies of the breach.
December 26–27, 2006: TJX begins notifying banks and card issuers, FTC, SEC, etc.

TKMax continued

Early December 2006: TJX notifies Canadian authorities.
December 19, 2006 – January 17, 2007: Investigators try to catch the hackers in the act. TJX also is being investigated by the Privacy Commissioner of Canada.
January 17, 2007: TJX makes a public announcement of the breach and begins sending credit card lists to issuers.
January 19, 2007: The first set of class-action lawsuits is filed, followed by a number of lawsuits mostly in the U.S. and Canada.
January 2007: TJX completes the upgrade of their wireless encryption software.
February 21, 2007: TJX files a report that indicates a larger breach than initially thought (started earlier and of a larger scope).
October 24, 2007: The number of compromised cards may be as high as 94 million.
October 29, 2007: Fifth Third Bancorp is fined $880,000 by Visa for its role in the TJX case.
November 30, 2007: TJX settles with Visa. Settlement agreement is $41 million.
March 27, 2008: TJX and FTC settle. No monetary penalty is imposed.
April 2, 2008: TJX settles with Master Charge. Settlement agreement is $24 million.

Could TKMax “triple intrusion” happen to a smaller business?

Conclusions: big company, brand managed, compensated customers and stakeholders promptly; similarly with SONY hack of gamers’ details in 2010

also had cyber insurance…

Criminal gangs mostly not caught… even with all those US police resources

What would happen… to a small business?

What about the business website?

Potentially highly vulnerable… shop window to the world can be “rearranged”; protected by a single password

Why would anyone be interested… competitor… ruin your reputation; anonymous etc… may think you are unethical

Other threats: SQL injection (database), cross-site scripting (divert customers)

Could small, online businesses become dodos?

Of Course Not!

Education: home users? small businesses?

New Laws? Robust enforcement of existing laws? Better technology to defend against hackers? To go after cybercriminals…

Put data into The Cloud?

UK Government Advice

CESG website: list of 10 things for small businesses to do

CPNI website more detailed: guidelines include 20 named technical controls to minimize the chance of a data breach…

Problem: little guidance on physical or behavioural controls; surveys consistently show 60-80% of breaches caused by people being people (!)

Predictions for 2014 coming true…

ZDNet (IT magazine) analysis: http://www.zdnet.com/cybersecurity-in-2014-a-roundup-of-predictions-7000023729/

7 lists. All included one new threat… security breaches of “Internet of Things”

Previous years’ predictions still growing: malware on mobile phones; breaches through merging of home and work computers

How does all this fit in with police work?

Prevent… advise SMEs on plugging vulnerabilities, raise staff awareness, reveal consequences of a breach

Protect… against criminal gangs, cyber bullies, etc.

Prepare… offer advice to (potential) victims, gather evidence for court

Pursue… catch the cybercriminals

At the “macro” level

Government (OCSIA) vision: “make Britain the safest place in the world to do online business”; potentially very good for UK business…

Bold aim: Make those dodos safe… How can the law & police work help society?

We’ve been there before: analogy

How safe were the roads in the 1920s? Over 4000 deaths in 1926

And the 1930s/40s? Approaching 10000 deaths by 1941

And today? 1721 deaths in 2012… How come?

Questions?

Technology and Society

New Technology opens up opportunities…

Society finds out ways to use that technology SAFELY to improve people’s lives… role for academics? politicians?

What if technology moves too quickly (c.f. motor car?)… society gets left behind

Academics and IT (especially Information Security)

A lot to answer for !?

Dangers started to emerge as soon as PCs became networked (mid-late 1980s)

Too timid? Stereotyped? Decision-makers didn’t understand? Just not listened to…

Relevant Research (not necessarily technical IT…)

Human factors: 60-80% of data breaches… employees (!) Why? What can be done about it?

Economics of Information security

Balancing costs of breaches v costs of “taking the risk”

Knowledge Transfer: feeding research findings to business

Lots of talk… more often with large companies

Not too much effective action?

SMEs don’t engage / not invited to engage; cascade model doesn’t work in a competitive environment

Technology Strategy Board

Set up in 2005: encourage development of new technology; address the knowledge transfer problem. Cyber Security KTN a welcome development

Cyber Security subsumed into IT (!) made advising SMEs on security even more difficult

The Good News

Relevant research areas in information security growing very rapidly…

Government funding for SME cyber security through TSB innovation vouchers

Police are catching cyber criminals

What can (all) SMEs do?

Become aware of the problem

Acknowledge that it relates to them

Demand more support from govt agencies to help deal with it…

Questions?

What can the “savvy” SME do?

Get strategic support at board level: convincing ROI arguments

Devise a plan: needs investment… assistance from TSB; affordable guidance from HEIs

What should the plan contain?

Information Security Policy: boorriinngg! Maybe that local HEI can help…

Strategy for implementation of policy: that means… telling employees and being transparent. Otherwise this can happen: BBC IT, 2010

Internal and External: some confusion…

Internal Information System (company data)

Rest of the World via the Internet

Protection: good software, well configured

Internal

Employees using organisation’s information systems, wherever they may be…

must understand Information Security policy

must understand consequences of not adhering… may need an investment in education (again, HEI can help!)

External

Other people using organisation’s information systems: Partners… is access appropriate for purpose? Hackers…? All… website

How can you know?

Questions?