This article was submitted for publication in the National Security Review Journal.
THE EVOLVING LANDSCAPE ON INFORMATION SECURITY
By: Wilfred G. Tan , Carlos T. Tengkiat & Simoun S. Ung
31 October 2012
INTRODUCTION
We all have a preconceived notion of information technology security; however, for many organizations its value is subjective because a certain level of risk is accepted. This is not to imply that a particular organization is unaware of the value of security; it may simply be that the organization needs to weigh the allocation of its resources for security against the value of the asset being protected.
A large number of organizations, as evidenced by the strong growth and interest in security standards such as PCI-DSS [1], either depend on or follow guidelines set forth by government institutions and standards bodies. Conventional wisdom dictates that following guidelines is normally a good approach. A security officer, planner or executive, however, should always consider going beyond the existing standard and be reminded that security standards are developed in response to incidents that have already been recorded and are already occurring. Moreover, security standards take time for the standard-setting bodies to create, review, approve and implement. Security is a living practice and needs proper attention, time and consideration.
Laying out and maintaining a comprehensive cyber security plan not only requires expertise, but also involves careful thought, assessment, and constant refinement and adjustment. In addition, legal frameworks differ from country to country; therefore, best practices in one country are not directly portable to another, even within similar industries. Unlike more traditional crimes such as theft and robbery, the specific rules and regulations for cyber-security and cyber-crime related incidents are varied at best.
Computer security related incidents have risen significantly over the past decade [2] and there is every indication that this trend will continue for the foreseeable future. The Global Security Report of Trustwave [3] presents the origin of cyber-attacks: Russia leads the statistics at 29.6% [3]. However, because 32.5% of all attacks are of unknown origin, it is as likely (or equally unlikely) that any one nation is the single source or culprit of all of the incidents. Pinpointing the location in a timely manner is very difficult, if not impossible, given that today's technology allows users to connect to the Internet through anonymous proxies, which further compounds the problem.
This article is written for non-technical executives and policy makers, whose responsibilities require them
to interact with information security professionals, as a primer on the current landscape of information
security as well as its likely evolution. Security professionals and practitioners are already well-versed in
the material contained herein. The paper examines the motivation behind cyber-attacks followed by a
survey of common threats and attack variants. It then presents the popular defensive strategies followed
by a discussion of future challenges and developments.
MOTIVATION
Behind all threats and cyber security breaches are either individuals or organizations. Cyber security
incidents do not occur in a vacuum. Generally, the motive behind a cyber-attack can be classified as
follows: personal reasons, unlawful profiteering, corporate or national interests, and other purposes.
Personal Reasons
Personal reasons for conducting a cyber-attack include peer recognition, revenge, personal gain or
satisfaction, and even curiosity. Some intruders derive a perverse sense of fun from conducting the attack
and revel in the psychic income of being noted for notoriety.
Unlawful Profiteering
Perhaps the most common motivation for conducting a cyber-attack is financial gain. The primary goal of fraud is to gather information that can be used to access the funds of other entities for illicit proceeds. Popular targets include savings accounts and payment card (debit and credit card) data. Organized criminal syndicates are the primary perpetrators of these attacks. Inopportunely, the skills and savoir-faire developed in the process are often adopted for use in cyber-terrorism and other cyber-attacks.
Although there is no data for the Philippines, a study conducted by eWEEK Europe in 2010 [4] on a simulated auction of stolen data determined that the relative value of data is primarily determined by the purchaser. The end goal remains the same: obtain information through illegal and fraudulent means that can be used for financial gain. Information itself has become a commodity; it can be traded, bought and sold.
Corporate or National Interests
The strategic objectives of a corporation or nation-state are sometimes achieved by attacking others using cyber-warfare capabilities. The intent may be to disable a nuclear enrichment program or something more mundane, such as spying on, stealing or subverting a rival's plans and secrets.
In mid-2010, Stuxnet was discovered. The singular target of this worm was to disable and destroy Siemens industrial equipment specifically used to control centrifuges that create nuclear material for a fissionable weapon. According to a study by Symantec in August 2010 [5], 60% of the computers infected by Stuxnet were in Iran, suggesting a highly 'targeted' operation. The worm's sophistication and intelligence suggested nation-state level sponsorship; speculation was rife that United States and Israeli forces were at least partially responsible for the development and deployment of the worm [5].
THREAT EVOLUTION
Approaches to attacks have evolved over time, adapting to developments in technology. Tools for exploiting systems have evolved considerably; likewise, tools for testing and exploiting vulnerabilities are readily available in the market. There are even freely available attack platforms that, ironically, were intended to test the security of a system. Several of the more common threats are outlined below: physical, cyber-stalking, social engineering, phishing, distributed denial of service, network attacks and malware.
Physical
In the 1980s, the common practice was to actually go onto the premises of the target company or to
harvest data from unprotected sources. Criminals would find ways to physically obtain storage media or
hardcopies of data. Dumpster diving, or the sifting through garbage and trash to find bits and pieces of
information, is still practiced today. The careless disposal of seemingly innocuous information such as an
obsolete version of an information security plan, PIN mailers, passwords, social security numbers, et
cetera can facilitate an attack via social engineering or phishing.
Today, practices have improved to include tapping into data cabling that is accessible from unsecured areas and accessing unlocked, reachable computer servers and systems. It is still a common occurrence for unencrypted, sensitive data to be lost or stolen on physical media such as USB flash drives, laptops and cellular phones.
Cyber-Stalking
Cyber-stalkers assault their victims using electronic communication: email, instant messaging (IM) and/or
posts to a website or discussion group. While most cyber-attacks target an organization, cyber-stalking
tends to be of a more personal nature. Cyber-stalkers typically gather personal and private information
about their target then send them harassing or threatening messages.
Trolling is a form of cyber-stalking in which negative posts, comments or other defamatory statements are made that are injurious to the reputation or emotional health of the victims. When committed by more than one individual, trolling is also known as cyber-bullying. Sadly, there have been cases involving teens that resulted in the victims committing suicide.
Social Engineering
A social engineering cyber-attack involves the manipulation of people into performing actions that can compromise security; this requires a solid understanding of human responses and behaviour. Although physical contact is not necessary, some form of trickery is employed to gain the confidence of the target. A social engineering attack occurs in two phases: information gathering, then the pretext stage, in which a believable story is crafted in order to earn legitimacy and gain the trust of the target.
Social engineering is not strenuous on the attacker, so it is normally employed in conjunction with other forms of cyber-attack. The insertion of malware into otherwise hardened, secure systems is a common combination with social engineering. Many enterprise systems are well protected and require significant time and effort to breach. However, if the attackers are able to use social engineering to get physical media such as USB flash drives plugged into the internal network, then all the external defences are immediately bypassed.
Based on a recently conducted social engineering study [6], companies with well-implemented security awareness protocols are more resistant to social engineering tactics. Participants in the oil industry fared better than those in less security-aware industries such as retail. The study's questionnaire was designed to expose the security design and architecture of the respondent's organization:
The study [6] revealed that certain data can be harvested from the internet itself. Researchers were able to use the data culled from the internet in their social engineering tasks to profile a target's internal security implementation. The table below displays the details gathered from the questionnaire above in blue, while the additional information garnered from the internet is shown in red:
Recently, face-to-face social engineering tactics have been increasing; this is disquieting since it may
expose the targeted individual to physical danger.
Phishing
Phishing is an email-based fraud method that uses legitimate-looking email designed to gather personal and financial information from its targets. By crafting emails that blend a false premise with spoofed trustworthy websites, attackers encourage victims to click on links, send information and otherwise respond. The attackers then use social engineering techniques to extract personal and financial information. Since emails generally come from an external source, incorporating dangerous payloads in the message requires negligible effort. There are several types of phishing techniques:
Phishing – Emails are masqueraded so as to obtain usernames and passwords from users via electronic communication.
Spear Phishing – Phishing targeted at specific individuals; personal information on the target is gathered to increase the probability of success.
Clone Phishing – A previously legitimate and delivered email is used as a template and cloned; the cloned email, with links and attachments modified, is resent to the victim. This method exploits the social trust between the parties to the original email.
Whaling – Phishing targeting high-profile victims.
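The spoofing described above leaves traces a mail gateway can check mechanically: a visible link that names a trusted site while its real target points elsewhere, links to bare IP addresses, and a Reply-To domain that differs from the sender's. The following Python script is an added example written for this article and is not code from the authors; the message it inspects is a constructed sample, and the function name phishing_indicators and the indicator labels are this example's own.

```python
"""Flag common phishing indicators in an e-mail message (added example, not from the paper)."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real phishing email): the display name and the
# visible link text claim to be a bank, while the real sender, Reply-To and href
# all point elsewhere. Hostnames use the reserved .test TLD and a documentation IP.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examplebank-verify.test>
Reply-To: recovery@mail-relay.test
To: customer@example.org
Subject: Action required: confirm your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please <a href="http://203.0.113.10/login">sign in at https://www.examplebank.test</a>
to restore access.</p>
<p>Questions? Call our <a href="https://www.examplebank.test/help">help desk</a>.</p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased host of a URL, or None when the string has no host."""
    return urlparse(url).hostname or None


def _domain(addr):
    """Domain part of an address like user@example.test (None if malformed)."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None


def _first_addr(msg, header):
    """addr_spec of the first mailbox in a header, or '' when absent/unparseable."""
    hdr = msg[header]
    addrs = hdr.addresses if hdr is not None else ()
    return addrs[0].addr_spec if addrs else ""


def phishing_indicators(raw_message):
    """Return (indicator, detail) tuples for a raw RFC 5322 message string.

    Checks: Reply-To domain differs from From domain; an href whose host is a
    bare IPv4 literal; anchor text containing a URL whose host differs from the
    href's real host (the 'spoofed trustworthy website' pattern).
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    from_addr = _first_addr(msg, "From")
    reply_to = _first_addr(msg, "Reply-To")
    if reply_to and _domain(reply_to) != _domain(from_addr):
        findings.append(("reply-to-mismatch", f"{from_addr} vs {reply_to}"))

    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = _LinkCollector()
        parser.feed(body.get_content())
        for href, text in parser.links:
            href_host = _host(href)
            if href_host is None:
                continue  # relative or mailto: links are out of scope here
            if href_host.replace(".", "").isdigit():
                findings.append(("ip-literal-link", href))
            # Compare any URL written in the visible text with the real destination.
            for token in text.split():
                text_host = _host(token) if "://" in token else None
                if text_host and text_host != href_host:
                    findings.append(("link-text-mismatch", f"{text_host} -> {href_host}"))
    return findings


if __name__ == "__main__":
    for indicator, detail in phishing_indicators(SAMPLE_EMAIL):
        print(f"{indicator}: {detail}")
```

A real gateway would feed these indicators into a scoring or quarantine policy rather than treating any single one as proof; the point of the example is that the deception the article describes is visible in the message structure, not only to a careful human reader.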
Phishing is not restricted to electronic information nor to electronic communication channels. Some phishing emails contain telephone numbers purporting to be customer service; the unsuspecting victim is lured into calling and unwittingly gives personal information that can later be used by the attacker. One of the best known phishing emails is the "Nigerian scam." Although there are many variations, the content is essentially the same, with the sender pretending to have access to a large amount of funds and requiring the assistance of the victim to gain access to the said funds:
FROM: MR DAN PATRICK. DEMOCRATIC REPUBLIC OF CONGO.