Cybercrime and Converged Threats

Let’s start with a general knowledge question – which of the following statements were encountered in the media in 2009? a) economic downturn, b) global recession and c) diminished gross domestic product (GDP)? Most, if not all, readers will be familiar with all such statements. Of course, the real-time impact of the current downturn is economic shrinkage, manifesting in just above flat-lining growth.

The sociological pain this economic crisis has created has resulted in closure of businesses, loss of employment, income and/or lowered standards of living – very grim times indeed. However in this time of economic austerity, it is not all gloom and doom, as one particular sector is enjoying significant growth, establishing strong lines of continued and increasing revenue and is enjoying what may only be described as exceptional success. This is an industry open to anyone and it is that of ‘crimeercialised’ (as opposed to ‘commercialised’) operations – e.g. fraud and crime.

One example is an Actimize survey conducted in 2009. The survey asked 70 global financial institutions if they believed the threat of employee fraud was a real issue. Their response was that 82% felt it was on the increase, largely driven by the current economic situation.

Further, in April 2010, PwC reported in its annual survey that e-crime had doubled in two years, with an estimated cost to the UK economy in 2009 of £10bn. Inter-organisational security is therefore of paramount importance. However, the challenge is that this may be easier said than achieved as, even today, in most organisations the surfaces of presented risk may reside in uncoordinated areas with little, or no effective communication running between inter-organisational security disciplines.

Let us consider the internal challenges of today’s complex national and multinational operations, earning, spending and moving enormous lines of revenue, traversing multiples of diverse communications channels, systems, applications and even international boarders, all in the name of trade. In most cases, such transactions may only represented by a logical string, made up of a 1 or a 0. Thus, once fraud enters the system, this could multiply into a long-term string of miscreant actions, levering open both known and unknown flaws in the system.

Enhanced Controls

So just where does a business start to enhance its controls and security profile to keep its financial assets safe? What should be encompassed in the security plan? The first and most important fact to accept is, these new threats are no longer working in isolation, but are in most cases presented in a profile of convergence. As an example, history can attest that internal attacks do converge. In turn, these may be aligned to misuse of electronic data processing systems and applications, misdirection of communications, and transfers, which in most cases have the objective of illicitly rerouting funds, goods, or services to some waiting endpoint. Thus, it is important to keep an open mind and consider all threats in their many guises – as well as the possibility of them being converged.

Internal corporate silos should be considered against this backdrop of modern-day converged threats. At this juncture it may be appropriate to punch some holes between those various areas of operational and administrative ownership, examples of which are:

  • Physical security.
  • Human resources.
  • Data protection.
  • Internal audit.
  • Information technology.
  • Telephony.
  • Partners and outsourced areas.
  • The business.

Breaking Down Silos

These various areas of operational and administrative domains each clearly have their part to play in securing the business and extended operational enterprise. There is no doubt that within their own ownership domains and disciplines, they are very effective at delivering their focused services in support of the business mission. However, the problems the silo-effect can present are, lack of communications, lack of a holistic view. Such an approach can also be devoid of ‘joined-up thinking’.

There are many real-life examples in both the private and public sectors, where for example, the physical security division does not freely communicate with the area of IT. This can also occur where IT does not have close operational relationships with human resources (HR), or where the business deal with their own security challenges inter-departmentally.

The following is an example from such an encountered event in the private sector, in ‘Organisation A’. Organisation A followed very strict disciplines where the various areas of Physical, IT and so on, were owned and dealt with by designated managers. One Monday morning, the service desk of facilities and physical security received a call from a senior member of the accounts department, reporting the theft of a 32 GB USB drive, containing business accounting information.

A scripted, process-driven response was followed and the caller was asked for their details, when and where the item was stolen from and to confirm that the incident had been reported to the police, to ascertain if responder had a crime number. At the end of the brief conversation, as it was the facilities department who managed portable media, the user was advised to notify their immediate line manager in order that a new asset could be reissued. This was done and within 24 hours, the newly-supplied, much larger drive was again populated with critical business and accounting information assets and all was well. However, I am sure that the security-savvy among the readers have seen the black holes. What was the value and sensitivity of the information assets? Were they encrypted? Does this incident present any potential to affect reputation?

Just in case you are wondering, the drive contained 15 GB of the most sensitive of accounting information assets and they were not encrypted. Even more worrying, the person who had lost the drive was in fact leaving the organisation at the end of that calendar month.

A Converged Response

It is clear that there is a very real and immediate need for a converged response, encompassing physical/facilities, IT, HR and the concerned business area. Such a path of converged response supports opportunities to leverage and take value-add input from each owner area to protect the business. A further advantage of achieving a holistic view from such a partnership of responders is that everybody learns from the event.

This means accepting that, in the modern operational enterprise, business critical and sensitive information assets are populated across multiples of systems, PCs, workstations and at times, hand held devices, such as PDAs. So it is equally important to assure commensurate and appropriate access controls and tracking are in place. Do you care if Dave or Julie from the accounts or treasury department access, move, rename, or copy sensitive account files? Should you care if such information assets are mailed out of the organisation to a personal Google account? In all of the above, most, if not all, chief financial officers (CFOs) would require clarification that an agreed set of security policies and controls were deployed to serve the business with security.

Most businesses would wish to have secure and appropriate access rights and controls in place and that access to and manipulation of sensitive and critical information assets would be accommodated with high levels of visibility and tracking. Furthermore, most responsible organisations would require deployed technological solutions and associated processes to underpin tracking of actions, leading to accountability and even, where necessary supporting a forensic first responder activity for the purpose of follow-up investigations.

Based on experience, one very useful Black Box solution is LanGuardian. With such an appropriately configured tool deployed, it will sit quietly in the background, logically observing the logical goings on of the network, or more importantly the interaction of its intelligent user community. Such technological security solutions provision the organisation with very powerful capabilities to track, audit and where required, investigate some inferred, or suspect or adverse occurrence. In the case of employees surreptitiously copying data, the software, could compile a complete report of what was done, when and under what user account, complete with an associated time stamp. Clearly, with such powerful security capabilities in place in the business, they are equipped with very quick response capabilities, complete with selective holistic views of culpable user actions and, where required, the basis for forensic investigation capabilities.

It may be reasonably concluded that organised crime, insider threats, linked to the wide diversity of sensitive information assets, can at times come together to present opportunistic converged surfaces of attack. These expose the business, its information and finances to compromise, abuse and/or illicit misdirection.

With a model of converged response capabilities deployed, with security resources, disciplines of a virtual security team, it is possible to increase the intrinsic value of the overall security mission to the complete advantage of the business. Add to these technological capabilities first responder forensics and reporting and while they will not enable 100% security, they will provision the business with a significant increase to the overall security mission to preserve and secure the integrity of the organisation. Furthermore, such an approach will accommodate the business with real-time response and timely security capabilities to enable detection of any adverse matters of security interest before they have a chance to threaten the business. In this age of converged threats, anything less will simply not suffice.

The Control Objectives for Information and Related Technology (COBIT) Security Baseline from ISACA is an information security survival kit offers the following action list specifically for executives:

  1. Establish a security organisation and function that assists management in the development of policies and assists the enterprise in carrying them out.
  2. Assign responsibility, accountability and authority for all security-related functions to appropriate individuals in the organisation.
  3. Establish clear, pragmatic enterprise and technology continuity programmes, which are then continually tested and kept up-to-date.
  4. Conduct information security audits based on a clear processes and accountabilities, with management tracking the closure of recommendations.
  5. Include security in job performance appraisals and apply appropriate rewards and disciplinary measures.
  6. Develop and introduce clear and regular reporting on the organisation’s information security status to the board of directors based on the established policies, guidelines and applicable standards. Report on compliance with these policies, important weaknesses and remedial actions and important security projects.
  7. Ensure effective co-ordination among all of the organisation’s security and risk management functions.

18 views

Related reading