Deter, detect and defeat

By Sarosh Bana

Armed with this mission, cybercrime intelligence across the world is evolving ever newer tools to thwart the changing threat landscape of internet fraud and crime

Web threats and frauds continue to increase in number and sophistication as the profitability of cybercrime transforms the nature of the game, with a fraud discovered just weeks ago likely to have compromised $3.75 billion worth of transactions across 30 Brazilian banks.

The Washington-based Center for Strategic and International Studies (CSIS), in fact, sees cybercrime as a “growth industry” where the returns are great and risks, low.

The 2013 Fraud Report of RSA, the security division of EMC Corporation, estimates global losses from phishing attacks alone last year at US$5.9 billion, a jump over US$1.5 billion in 2012. Phishing perpetrators send out emails that appear official and direct the recipients to legitimate-looking websites for the purposes of information or identity theft.

The shift towards software-defined networks, cloud infrastructures and smartphones replete with apps has added complexity, posing challenges to companies like RSA and EMC in devising products that shield official and personal data and information from cyber threats. The worldwide smartphone market alone reached a new milestone in 2013 with one billion units shipped in a single year, up 38 per cent from the 725 million units shipped in 2012. Both EMC Corporation and RSA are headquartered in Massachusetts and have offices across the world, including in Australia.

In its June 2014 report, Net Losses: Estimating the Global Cost of Cybercrime, CSIS estimates cybercrime to cost the global economy more than US$400 billion annually. “A conservative estimate would be US$375 billion in losses, while the maximum could be as much as US$575 billion,” it notes. “Even the smallest of these figures is more than the national income of most countries and governments and companies underestimate how much risk they face from cybercrime and how quickly this risk can grow.” The report avers that the most important cost of cybercrime is from its damage to company performance and to national economies, as it damages trade, competitiveness, innovation, and global economic growth.

Art Coviello, Executive Vice President of EMC and Executive Chairman of RSA, regrets that the international community has yet to establish acceptable norms of behaviour or rules of engagement for an interdependent digital world. In his inaugural address at the 22-23 July RSA Conference Asia Pacific Japan (APJ) in Singapore, the widely acknowledged sage of cyber security named information sharing as another area that needed cooperation. “Almost without government help, industries and verticals are sharing information about the latest attack methodologies, malware, and compromised IP addresses,” he pointed out. “The problem is that there are no set standards that allow us to organise the data in a consistent and coherent manner that make it actionable while eliminating redundancies.”

Coviello also indicated that US-China relations were getting marred with both countries engaging in digital activities the other found offensive. Beijing complained about the digital intelligence gathering by the US’s National Security Agency, while Washington took umbrage at Chinese cyber-espionage for economic gain. He added that the nascent bilateral work on cyber crime prevention ground to a halt after the US Justice Department indicted five Chinese military officers in May for this type of activity. He added that even the long-standing relationships between the US and European countries had been strained by a growing cloud of distrust about each other’s digital agenda and activities.

“Let’s begin to create the rules of engagement, the rules of the road for the digital highway,” Coviello suggested. “Let’s all come to the table and intentionally draw up the new norms of behaviour.” He hailed the recommendations enshrined in the US State Department’s draft report on a Framework for International Cyber Stability as a step in the right direction.

There were over 3,200 registrations from countries across the Asia Pacific for this second annual edition in Singapore of the RSA Conference APJ. The event had 65 sessions spanning Cloud and Data Security, Cybercrime and Law Enforcement, Mobile Security, Security Infrastructure, and Threats and Risk Management, and featured more than 70 exhibitors and sponsors. Singaporean start-up Digify was adjudged the winner of the Most Innovative Company contest for 2014, among finalists that included AirSig, Capy Inc., and Stratokey Pty Ltd.

Lucas Zaichkowsky, Enterprise Defence Architect of California-based AccessData that makes the world’s most advanced and intuitive incident resolution solutions, says small retail and hospitality businesses have their own share of risk in securing their systems and terminals that process customers’ payment card transactions. These retailers retain ‘point of sale’ (POS) providers to maintain their systems, but these dealers themselves are not security savvy, normally providing technical support in the form of elementary remote access tools and port-forwarding. A remote access tool is software for remotely accessing or controlling a computer. It can be used legitimately by system administrators, but also maliciously as it can perform key logging, screen and camera capture, file access, code execution, registry management and password sniffing. Port forwarding is the technique of translating the address or port number of a packet to a new destination.

Jason Rader, Director of Cyber Threat Intelligence at RSA, says cyber defenders may at times be guided by their clients on whether they wish to block the fraudsters right away to curb further damage or to continue monitoring their activity with a view to eventually tracking them down. RSA’s chief security strategist finds conventional authentication unable to support the universal shift to mobile devices. “Even the most basic authentication methods like username and password fail to meet user requirements for convenience,” he explains. “Mobile is forcing user authentication to finally move into the Jetson-era when new unified authentication solutions will be developed in the next one to three years to support a range of methods that are built into smart devices, leveraging behaviour and biometrics.”

Not only is malware getting more sophisticated, even simple malware can cause unspeakable damage, says Rader. For instance, the Zbot or Zeus trojan horse computer malware that attacks Windows operating systems is not just being used for classic financial malware attacks, but also in fraud schemes such as referral abuse and search engine optimisation (SEO) poisoning. SEO poisoning is an attack method in which cybercriminals use search engine optimisation tactics to push malicious websites they have created to the top of search results. Rader hence deems advanced threat intelligence vital for improving defences.

Vic Mankotia, Singapore-based vice president for Solution Sales, Asia Pacific and Japan (APJ), at mainframe software firm CA Technologies, based in Long Island, New York, says the starting premise is that as we live in a hyper-connected world, any mobile system is hostile unless secured. At the same time, developments would be throttled if security overwhelmed innovation. “Security needs to evolve round enablements, as it would thwart development if it preceded it,” he explains. “It is crucial to have data sovereignty built into a system, as technology has to be relevant in an application economy.”

CSG Invotas Global President Michael Henderson says his company was born in February out of its parent CSG International’s desire to fill a gap in how enterprises address security. “For 30 years, CSG has delivered solutions that accurately manage high volumes of complex network-based operations, from call centre to retail, to devices and the web,” he mentions. “But it recognised that enterprises typically focus their network and data security efforts around identifying attacks and threats versus dynamically addressing the threats at machine speed and the result has been CSG Invotas.”

“Security analysts’ success hinges on their ability to rapidly investigate events, weed out false positives from real incidents, and enrich data from multiple feeds to deliver contextual and actionable information,” notes CSG Invotas Principal Security Architect Bernie Thomas. “Their efforts are hindered by manual and repetitive tasks, requiring them to log in to a multitude of disparate solutions.” He says his company helps save precious time and resources in an attack by unifying incident-related data and security technologies under a single management platform.

According to CSG Invotas Global Business Operations Chief Colin Troha, security orchestration minimises the time required to contain and mitigate security incidents as it blocks threats and attacks holistically, rather than solely through one-off sequential processes. “The ability to respond in minutes or seconds effectively stops the intruder in his tracks, limiting the damage and risk to the organisation,” he explains. In this regard, the company launched the Invotas Security Orchestrator for the first time in Asia at the RSA Conference. CSG Invotas Regional Sales Director (APAC Region) Kenedi Celik mentions that the platform delivers optimised response capability for large global organisations with security operation centres to unify security tools and information feeds, orchestrate defensive action, and automate repetitive tasks.

Akamai-IDG Connect’s research white paper titled Under Siege from Web Threats: APAC [Asia Pacific] Countries respond in Patchwork and Tardy Fashion finds the APAC region beset by security threats and taking diverse routes in response. “Web applications appear to be the main target of attacks,” it says. “Denial of service, cross-site scripting, compromised authorisation process and domain name system (DNS) attacks formed the vast bulk of problems and these are forms of attack that can effectively take a domain offline or see the victim’s brand defaced.”

The online research reports 45 per cent of the respondents experiencing a DNS Compromised or Amplified attack in the past year and 28 per cent, Distributed Denial of Service (DDoS) attacks. The study polled decision-makers and executives at mid-sized and larger organisations (250-plus staff) in Australia, Hong Kong, India, Japan, the Philippines, Singapore, South Korea, Taiwan and Thailand.

Recalling the cyber attack a year ago on The New York Times (NYT), the report points out it was in part due to a DNS compromise in Australia. “Such attacks are difficult to defend against because, although they target a particular domain, the actual hack is carried out against the DNS server over which most organisations have little control,” it explains. The website of NYT, one of the world’s largest newspapers, and the image service of Twitter, a popular social networking website, were taken offline in August 2013 by hacking group Syrian Electronic Army (SEA) that supports Syria’s embattled President, Bashar al-Assad.

SEA used phishing tactics to acquire log-in details to enter the IT system of Australia’s Melbourne IT, which handles hosting for NYT and Twitter, among others. It then proceeded to change the DNS records of several domain names, one of which was …. DNS is a virtual phone book that leads to the website required to be visited. SEA was able to reroute traffic to … to its own address, taking the media company offline. The damage had been done by the time Melbourne IT could address the breach by changing DNS records back and locking them, while altering the affected reseller credentials to deny SEA further access.
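The remediation described above, reverting the records and locking them, is also what a defender can monitor for continuously. As an added illustration that is not part of the article, the following Python compares the records several resolvers return for a domain against a known-good baseline, flags resolvers that disagree with each other (a change still propagating), and checks that the registrar lock statuses (the EPP codes clientUpdateProhibited, clientTransferProhibited and clientDeleteProhibited) are set. The domain, nameservers, addresses and resolver names are constructed placeholders.

```python
"""Detect DNS delegation drift against a known-good baseline (added example, not from the article)."""

# Constructed baseline for a hypothetical domain: placeholder names and documentation-range
# addresses, not values from the article.
BASELINE = {
    "NS": {"ns1.host.invalid", "ns2.host.invalid"},
    "A": {"198.51.100.10", "198.51.100.11"},
}

# EPP status codes a registrar sets so that a stolen reseller or registrar login alone
# cannot silently update, transfer or delete the delegation ("registrar lock").
REQUIRED_LOCKS = {"clientUpdateProhibited", "clientTransferProhibited", "clientDeleteProhibited"}


def audit_domain(observed, baseline=BASELINE, statuses=()):
    """observed: {resolver_name: {"NS": set, "A": set}} as seen from several vantage points.
    statuses: the EPP status codes currently reported for the domain.
    Returns a list of human-readable findings; an empty list means nothing drifted."""
    findings = []
    for resolver, records in sorted(observed.items()):
        for rtype, expected in baseline.items():
            seen = records.get(rtype, set())
            unexpected = sorted(seen - expected)
            missing = sorted(expected - seen)
            if unexpected or missing:
                findings.append(f"{resolver}: {rtype} drift, unexpected={unexpected}, missing={missing}")
    # Resolvers that disagree with each other indicate a change still propagating,
    # which is the window in which a hijack is cheapest to catch and revert.
    for rtype in baseline:
        views = {frozenset(r.get(rtype, set())) for r in observed.values()}
        if len(views) > 1:
            findings.append(f"resolvers disagree on {rtype} ({len(views)} distinct answers)")
    missing_locks = sorted(REQUIRED_LOCKS - set(statuses))
    if missing_locks:
        findings.append(f"registrar lock incomplete, missing {missing_locks}")
    return findings


# Constructed observation: one resolver still returns the baseline, the other already
# serves a changed delegation pointing at a different address.
SAMPLE_OBSERVED = {
    "resolver-a": {"NS": {"ns1.host.invalid", "ns2.host.invalid"}, "A": {"198.51.100.10", "198.51.100.11"}},
    "resolver-b": {"NS": {"ns1.elsewhere.invalid"}, "A": {"203.0.113.5"}},
}

if __name__ == "__main__":
    for line in audit_domain(SAMPLE_OBSERVED, statuses=["clientTransferProhibited"]):
        print(line)
```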

Stressing that cyber security is one of the Australian government’s highest national security priorities, Dr. Carolyn Patteson, Executive Manager at CERT Australia, says the 2013 Cyber Crime and Security Survey by the national computer emergency response team (CERT) reveals that cyber attacks are mainly motivated by a competitor seeking commercial advantage. “This aligns with the cyber threat of most concern to businesses, which is theft or breach of confidential information or intellectual property,” she notes.

CERT Australia, which comes under the purview of the Australian Attorney-General’s Department, helps protect Australian businesses from cyber attacks and provides assistance on request. It received responses from 135 partner businesses for its latest survey, which reports that Australian enterprises have overall good cyber security measures in place, including policies and standards, as well as a range of technologies and mitigation strategies. The survey finds, however, that only 27 per cent of those surveyed increased expenditure on IT security in 2013, a decrease of 25 per cent from 2012, while 16 per cent have no staff dedicated to IT security.

Manatosh Das, Senior Analyst Serving Security & Risk Professionals in Asia-Pacific at Forrester Research, says that in the last few years the threat landscape has not evolved, but rapidly mutated. “The security gap between new attack methods and traditional controls continues to grow in favour of the attackers,” he remarks. “Hackers today are highly organised well-funded crime syndicates, or in some cases, state-sponsored agents.” Forrester sees few fundamental changes occurring, with attacks overall becoming more targeted, sophisticated and resourceful.

Uri Fleyder, security researcher managing RSA’s Cybercrime Research Lab, points out that in early July, his team, through a coordinated investigation spanning three continents, uncovered a massive malware-based fraud ring that had targeted 30 Brazilian banks over the last two years. The ring had infiltrated the Boleto, the second most popular payment method in Brazil after credit cards. RSA Research discovered that the Boleto malware or ‘Bolware’ may have compromised almost 500,000 transactions. While no evidence could be gleaned on whether the fraudsters were successful in collecting on all of these compromised transactions, the evidence did establish their value, estimated at US$3.75 billion. “Often, a breach may not be discerned for months and may take even longer to resolve,” he says.

Fleyder says that while this fraud is an apt instance of cybercrime that seeks personal gain, the internet is also targeted through hacktivism, which largely peddles a cause to gain it publicity, and through nation-state attacks, which are most sophisticated and complex, as also most costly in the harm they cause. A long-time hacktivist has been the international computer hacker network, Anonymous, that attacked many government and corporate websites in Brazil during the recent FIFA World Cup there to make a stand against corruption and the high costs (of US$11 billion) of holding this football championship. It had also sought to disrupt the World Cup advertising spend of companies to the Brazilian television network Globo.

Dr. Hugh Thompson, Chief Security Strategist at Blue Coat, too notes that it is no longer just cybercriminals that have been behind the massive number of attacks over the past few years, but hacktivists and nation-state attackers as well. “It used to be that security was seen as black or white, either you’re breached or you’re not, you’re secure or you’re not,” he remarks. “But now we’re starting to see security for what it is, a constant continuum between those things.”

“The persistent change in the threat landscape is what gives cyber defenders the passion to do what we do every day,” says RSA’s Jason Rader. “Nobody can ever call our jobs dull or boring, but at the same time, it demonstrates how difficult it is to truly predict and prepare for ‘what’s next’.”