Cybersecurity threats: medium-term outlook

Dr Ian Brown

Oxford University University College London

Outline

• Recent DDoS attacks and extent of the threat• Other cybersecurity threats to global financial

services• Impact on global firms, feasible solutions or

precautions• Future outlook for Internet security

Definitions

• Distributed Denial of Service (DDoS)• Botnets• Phishing (spear, rock, pharming)

DDoS threat

• ~5% machines part of BotNets (20m)• Rent your own! 3-7c/machine/week

QuickTime™ and aTIFF (Uncompressed) decompressor

are needed to see this picture.

DDoS extortion

• Market participants - custom virus writers, bot herders, mafias

• Gambling companies have been hardest hit, but other industries also targeted

• No “silver bullet” technology solutions available in medium term

Recent attacks upon Estonia

• Sustained DDoS attacks during April on Estonian govt websites, banks and telecoms

• Russian govt widely blamed, but no evidence

• Govts undoubtedly have such cyberwarfare capability - China

QuickTime™ and aTIFF (Uncompressed) decompressor

are needed to see this picture.

Phishing

• Symantec alone blocking 8m e-mails daily in 2006• Similar criminal ecology to DDoS - custom virus writers, botnet herders, site operators,

spammers, mules

QuickTime™ and aTIFF (Uncompressed) decompressor

are needed to see this picture.

Source: Anti-Phishing Working Group May 2007 report. 96.6% of attacks are on financial services insitutions

Scale of phishing threat

• UK online banking losses £33.5m in 2006

• US losses estimated $2bn• Theft being supplemented

by more sophisticated scams such as pump-and-dump, cut-outs

UK online banking fraud

0

10

20

30

40

2004 2005 2006

£m

Data: House of Lords Personal Internet Security report (2007) p.15

Taking down the phishers?

• Targeted financial services institutions can ask hosts to take down sites

• Some hosts still unresponsive

• Phishers moving to botnet hosts and more sophisticated frauds (escrow, “sales reps”)

QuickTime™ and aTIFF (Uncompressed) decompressor

are needed to see this picture.

Source: R. Clayton & T. Moore (2007)

Redistributing liability

• House of Lords concluded liability must be shifted to some combination of software vendors, ISPs and financial institutions

• Intended to lead to innovations such as RBS off-line consumer card terminal

Conclusions

• DDoS, phishing and other attacks are merging into an Internet criminal economy

• Financial services vulnerable both to direct attack and as guardians of customer assets

• Security opinion leaders moving to liability redistribution as key solution - could be new insurance market and concern for banks