Cyber Crime: Prevention, Protection and Punishment

Peter Sommer
London School of Economics, Open University
peter@pmsommer.com
p.m.sommer@lse.ac.uk

© Peter Sommer, 2011

We used to call it “Computer Crime”

1973: journalist’s book on “Computer Crime”

• 1973: A “mutual fund” linked to insurance which became a Ponzi scheme
• Computer created fake “lives” to sell on to insurance companies to raise cash
• “Data diddling”
• Dirks v SEC

• 1978: $10.2m from Security Pacific bank
• Computer contractor who learnt wire transfer codes
• Converted money into 8.6 kg diamonds

War Games: 1983 movie
Pre-Internet, Pre-Broadband

Viruses, Malware
• 1960s-70s: Christmas Tree: IBM 360/370
• 1985?? : IBM PCs: Brain, Vienna, Cascade - Boot Sector
• 1988: Jerusalem
• 1989: Datacrime etc reformats hard disks
• 1990: Chameleon
• 1992: Polymorphic virus epidemic, Virus Creation Laboratory
• 1995: Macro viruses (Microsoft Word)
• 1996: Windows-specific viruses

Internet Worm 1988: Robert Morris

Hacktivism: 1989
Attacked VAX VMS computers over DECNet

1995: Black Baron circulates “SMEG”

DataStream Cowboy: the Rome Labs hack, 1994

Distributed Denial of Service Attacks

• August 1999: Trinoo
• February 2000: Yahoo, Amazon, Buy.com, CNN, Ebay, E*Trade, ZDNet

Cyber Crime: Main Features

• Social Engineering
• Malware
• Exploitation of poor management / access control / authorisations
• Insider Threat
• Data Diddling / Program manipulation
• Exploitation of poorly designed software
• Hardware Hacking

Internet Growth Statistics

• World Population: 7 bn; Internet Users: 2.1 bn
• Growth 2000-2011: 480% (2,500% in Africa, 700% in Asia, 1,990% in Middle East)
• Facebook Penetration: 10.3% (US: 48%)
• (InternetWorldStats)

UK Growth Statistics

• 77% of UK homes have at least one PC; many have several, including older PCs; 93% are connected via broadband
• 97% of all businesses have broadband Internet connections; 70% have a website
• Cost of data media halves every 18 months
• 130 cellphones per 100 of population, 27% are smart phones (for early teens, nearly 50%)

File-Sharing

• 1984: Fidonet
• 1999: Napster
• 2000: Gnutella, Freenet, Morpheus
• 2001: Kazaa
• 2002: eMule, SuperNova

Has legitimate uses in file distribution but mostly used in piracy

Social Networking

• A research resource
• Social engineering
• Compromised “apps”

Batch Operations

Diagram: Offline Input; Instructions awaiting processing; Processing; Output

Interactive Computing: Central Unit + Dumb Terminals

All processing takes place in the mainframe, but each user interacts in real-time

Traditional Computer Security: Security by Ring-Fence

Physical Barriers - Computer Room
Logical Barriers - Access Control
Personnel Controls

The PC: Desk-top Computing

Computing Power & Data on the Desk
Democratising Computing… the beginning of the end of “DP departmental power”
Originally: stand-alone

Client / Server

Data is held centrally; PCs interrogate using local programs
Some of these links may be by remote dial-up

Open Systems - Hybrids

Corporate resources are held in a cluster of mainframes / minis
Most workers have PCs on a LAN
LAN server may contain local office-based information and applications
Corporate data is accessed as needed and transparently
Information from one office may be available across the corporate WAN

Internet Connections ...

Diagram: EDI Banking Service / Credit Verification; Associate Business; Internet!; E-mail hub

Users expect to be able to access corporate resources from anywhere via a web-type interface, on any device, including phone & tablet

E-commerce

• General public induced to enter corporate computer systems to make purchases
  Need to facilitate their needs while protecting the “shop”

The Cloud

ICT Trends

Since 1995:
• Corporate computing has become more complex and embedded into organisations:
  Provides more information about the business, customers, etc
  Uses Web and Internet for a very wide variety of customer/client interactions – many of these are heavily automated
  Makes much greater use of Just-In-Time operations
  Much use of semi self-organising systems
  Gives staff much more computing power on the desk and while mobile

Software Complexity

• Source Lines of Code
  1993: Windows NT 3.1 = 4.5m SLOC
  1995: Windows NT 3.5 = 7.5m SLOC
  2001: Windows XP = 40m SLOC
  Vista, Windows 7 = ???
• More difficult to test / more prone to flaws

Outsourcing

• Advantages
  Businesses do not need to keep a permanent cadre of IT specialists
  Opportunities for balance sheet, taxation etc
• Disadvantages
  Loss of control of essential functions
  Contract may not cover all eventualities, particularly emergencies
  Lock-in dependence on supplier
• Cloud computing is an extreme form of outsourcing in which you are also dependent on permanent availability of communications facilities

Multipliers

• Growing population of computer users
• More complex systems
• Wider cheaper Internet access
• More “social” links
• Easier dissemination of exploits
• Easier for computer criminals to meet

Measures

• Most crimes are variations on what has happened before
  Basic technical and management responses take care of most threats
  Iain Lobban, GCHQ: 80% of protection is simple hygiene

Traditional Protective Measures: Technical

• Risk Analysis
• Access Control / Identity Management
• Anti-Malware Detection
• Firewalls
• Intrusion Detection Systems
• Anomalous Activity Detection Systems

Traditional Protective Measures: System Design Measures

• Threat / Risk Analysis
• Security by Design
• System Specification includes “outcomes you don’t want”

Traditional Protective Measures: Managerial

• Risk Analysis
• Employee education: counter social engineering
• Employee vetting
• Employee monitoring

Management Measures

• Who takes responsibility?
  It is not good enough to employ some “specialist techies” and give them budget
• Frequent threat landscape surveys
  Changes to the organisation
  Changes to relationships with outsiders
  Changes to ICT infrastructure
  Changes to the external threat landscape

Management Measures

• Arrangements for Incident Management
  To whom should suspicions be reported?
  A capacity for initial investigation
• Forensic Readiness
  Know how to identify potential evidence
  Know how to safely preserve it
  Know how safely to carry out an initial investigation
  Understand legal constraints and issues

Evidence is needed by law enforcement, for insurance claims, for civil litigation and e-disclosure

New 3rd edition soon! www.iaac.org.uk

Management Measures

• Recovery Plan
  Restoring ICT operations
  Asset recovery
  Re-issue of credentials to use system
  Public Relations etc

Management Measures

• In the longer term:
  As security becomes more complex
  We may need to slow the rate of innovation in order properly to test systems
  We may need to end up with simpler, but safer and more reliable and stable systems
