Situational Prevention of Cyber-crime Pieter Hartel
Page 1: Situational Prevention of Cyber-crime Pieter Hartel.

Situational Prevention of Cyber-crime

Pieter Hartel

Page 2

http://www.popcenter.org/25techniques/

Page 3

Increase effort

1. Harden targets» Firewalls; Steering column locks and immobilizers

2. Access control» Two factor authentication; Electronic card access

3. Screen exits» Audit logs; Ticket needed for exit

4. Deflect offenders» Honey pots; Segregate offenders

5. Control tools & weapons» Delete account of ex-employee; Smart guns

Page 4

5. Smart gun

Page 5

Increase risks

6. Extend guardianship» RFID tags; Neighbourhood watch

7. Assist natural surveillance» Show where laptops are; Improve street lighting

8. Reduce anonymity» Caller ID for Internet; School uniforms

9. Utilise place managers» IDS; CCTV on buses

10. Strengthen formal surveillance» Lawful interception; Burglar alarms

Page 6

9. IDS

Page 7

Reduce rewards

11. Conceal targets» Use pseudonyms; Gender-neutral phone directories

12. Remove targets» Turn off when not in use; Removable car radio

13. Identify property» Protective chip coatings; Property marking

14. Disrupt markets» Mining for money mules; Monitor pawn shops

15. Deny benefits» Blacklist stolen mobiles; Speed humps

Page 8

13. Protective coatings

Page 9

Reduce provocation

16. Reduce frustrations and stress» Good helpdesk; Efficient queues and polite service

17. Avoid disputes» Chat site moderation; Fixed taxi fares

18. Reduce emotional arousal» Controls on gaming; Controls on violent pornography

19. Neutralise peer pressure» Declare hacking illegal; “Idiots drink and drive”

20. Discourage imitation» Instant clean-up; Censor details of modus operandi

Page 10

20. Instant clean-up

Page 11

Remove excuses

21. Set rules» Ask users to sign security policy; Rental agreements

22. Post instructions» Warn against unauthorized use; “No parking”

23. Alert conscience» License expiry notice; Roadside speed display boards

24. Assist compliance» Free games if license is valid; Public lavatories

25. Control disinhibitors (drugs, alcohol)» User education; Alcohol-free events

Page 12

22. Warn against misuse

http://www.homeoffice.gov.uk/

Page 13

Phishing Case study

Page 14

Examples of the 25 techniques

Increase effort
» 1. Target hardening: Train users to be vigilant
» 2. Control access to facilities: Control inbox & account

Reduce rewards
» 11. Conceal targets: Conceal the email address
» 14. Disrupt markets: Control mule recruitment

Remove excuses
» 22. Post instructions: “No phishing”

Page 15

1. Target Hardening

Training: Anti-phishing Phil http://cups.cs.cmu.edu/antiphishing_phil/new/

Page 16

How well does training work?

515 volunteers out of 21,351 CMU staff and students
» 172 in the control group, no training
» 172 single training, day 0 training
» 171 double training, day 0 and day 14 training

3 legitimate + 7 spear-phishing emails over 28 days; no credentials were actually harvested

[Kum09] P. Kumaraguru, J. Cranshaw, A. Acquisti, L. Cranor, J. Hong, M. Blair, and T. Pham. School of phish: a real-world evaluation of anti-phishing training. In 5th Symp. on Usable Privacy and Security (SOUPS), Article 3, Mountain View, California, Jul 2009. ACM. http://dx.doi.org/10.1145/1572532.1572536

Page 17

Good but could be better

On day 0 about 50% of participants fell for the phish
» Constant across demographics
» Control group remains constant
» Single training reduces clicks
» Multiple training reduces clicks more

People click within 8 hours of receiving the email

Room for improvement:
» Participants were self-selected...
» No indication that this reduces crime...

Page 18

2. Control access to facilities

The target’s online banking site
» Two factor authentication (TAN via SMS, gadget)

[Wei08] T. Weigold, T. Kramp, R. Hermann, F. Höring, P. Buhler, and M. Baentsch. The Zürich trusted information channel - an efficient defence against man-in-the-Middle and malicious software attacks. In P. Lipp, A.-R. Sadeghi, and K.-M. Koch, editors, 1st Int. Conf. on Trusted Computing and Trust in Information Technologies (TRUST), volume 4968 of LNCS, pages 75-91, Villach, Austria, Mar 2008. Springer. http://dx.doi.org/10.1007/978-3-540-68979-9_6

Page 19

11. Conceal targets

The victim’s email address
» Use a disposable email address – Clumsy

The victim’s credentials
» Fill the database of the phishers with traceable data

[Gaj08] S. Gajek and A.-R. Sadeghi. A forensic framework for tracing phishers. In 3rd IFIP WG 9.2, 9.6/ 11.6, 11.7/FIDIS Int. Summer School on The Future of Identity in the Information Society, volume IFIP Int. Federation for Information Processing 262, pages 23-35, Karlstad, Sweden, Aug 2007. Springer, Boston. http://dx.doi.org/10.1007/978-0-387-79026-8_2
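The "traceable data" idea above can be made concrete with decoy credentials that the bank seeds into a phishing site and later recognises when a phisher replays them at the real login page. This is an added illustration, not code from the slides or from the [Gaj08] framework; the HMAC-tagged decoy scheme, the `HoneytokenRegistry` class and the login attempts are my own constructed example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


class HoneytokenRegistry:
    """Bank-side registry of decoy credentials seeded into phishing sites.
    A decoy username is unique and bound to one campaign; its password is an
    HMAC tag under a bank-only key, so a replayed pair is recognisable."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._issued: Dict[str, str] = {}  # decoy username -> campaign id

    def _tag(self, username: str, campaign: str) -> str:
        msg = f"{campaign}|{username}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:16]

    def issue(self, campaign: str) -> Tuple[str, str]:
        """Mint a fresh decoy username/password pair for one phishing site."""
        username = f"decoy-{secrets.token_hex(4)}"
        self._issued[username] = campaign
        return username, self._tag(username, campaign)

    def match(self, username: str, password: str) -> Optional[str]:
        """Return the campaign a submitted credential was seeded into, or None."""
        campaign = self._issued.get(username)
        if campaign is None or not hmac.compare_digest(self._tag(username, campaign), password):
            return None
        return campaign


def triage_logins(registry: HoneytokenRegistry, attempts):
    """Check (username, password, source) login attempts at the real site;
    return (source, campaign) for each one that replays a decoy credential."""
    hits = []
    for username, password, source in attempts:
        campaign = registry.match(username, password)
        if campaign is not None:
            hits.append((source, campaign))
    return hits


if __name__ == "__main__":
    registry = HoneytokenRegistry(b"example-key-not-for-production")
    decoy_user, decoy_pw = registry.issue("phish-site-A")  # handed to phishing site A
    attempts = [  # constructed login attempts as seen by the bank
        ("alice", "hunter2", "192.0.2.10"),
        (decoy_user, decoy_pw, "203.0.113.5"),  # phisher cashing out
    ]
    print(triage_logins(registry, attempts))  # [('203.0.113.5', 'phish-site-A')]
```

A hit ties the source of the login attempt to the phishing site the decoy was submitted to, which is the forensic link the slide is after.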

Page 20

22. Post Instructions

The bank’s website
» Post a notice that active anti-phishing measures are being taken... – Do banks do this? Would this work?

Phishers will be prosecuted

Page 21

?

Page 22

Anti-phishing research is risky

Crawling a social network site violates its terms of service – use the API properly

Copyright prohibits cloning web sites – work with the target, change the law

Confusing trademarks damages the good name of the target – idem

Phishing is illegal in California – avoid

Make sure that your research is not in any way linked to commercial activities!

[Sog08] C. Soghoian. Legal risks for phishing researchers. In 3rd annual eCrime Researchers Summit (eCrime), Article 7, Atlanta, Georgia, Oct 2008. IEEE. http://dx.doi.org/10.1109/ECRIME.2008.4696971

Page 23

Laptop theft Case study

Page 24

Laptop theft

62 simulated offences of which 31 succeeded

Page 25

Crime scripts

Steps               Succeeded                 Failed
Enter building      61                        1 (locked door)
Enter office        47 (1×cleaner)            14
Unlock Kensington   31 (5×bolt cutter)        16
Leave building      62 (1×emergency exit)     0

Page 26

Results

Social engineering works
» 30 of 47 attempts with social engineering succeeded
» 1 of 15 attempts without social engineering succeeded

Managers more likely to prevent attack than the target

Offender masquerading as ICT staff twice as likely to be successful


Chapter 7 of [Dim12] T. Dimkov, Alignment of Organizational Security Policies -- Theory and Practice. PhD thesis, University of Twente, http://dx.doi.org/10.3990/1.9789036533317

Page 27

Conclusions

Crime Science approach:
» Might have avoided experimental flaws
» Might have come up with new ideas
» Would have looked at crime prevention

How to bridge the gap between crime science and information security?

An ounce of prevention is worth a pound of cure