The Fight Against Cyber Crime: What Can We Do? Abstract Cybercrime is on the rise and every organization must recognize the danger and take necessary steps to help mitigate the threat. While many institutions worry more about hackers than cybercriminals, it is a cybercrime that can cause the most damage. A hacker is more easily detected while a cybercriminal may already be in your network undetected. While a hacker may try to breach a network for the thrill or to annoy, a cybercriminal will breach a network for monetary gain. This paper is intended to point out some of the risks of cybercrime and what a financial institution can do to help mitigate the threat of attack. Keywords: cybercrime, cyber attack, Information Technology Information Sharing, and Analysis Center, IT-ISAC, Financial Services Information Sharing, and Analysis Center, FS-ISAC The Fight Against Cyber Crime: What Can We Do? While many institutions worry more about hackers than cybercriminals, it is cyber criminals that should make us warier.
A hacker is more easily detected while a cybercriminal may already be in your network undetected. While a hacker may try to breach a network for the thrill value or to annoy their victim, a cybercriminal will breach a network for monetary gain. This may include “data acquisition and storage, stealthy access to systems, identity collection and theft, misdirection of communications, keystroke identification, identity authentication, and botnets, among others”. According to a survey conducted in August 2011 by Ponemon Institute, for the 50 participating companies (see chart 1), the average time it takes an organization to resolve a cyber attack is 18 days with an average cost of $23,000 a day. An insider attack can average 45 days to contain. This does not include the value of any data lost, modified, or stolen in the process. This survey also showed the average annualized cost of cybercrime to financial institutions was $14,700,000 for 2011, up from $12,370,000 the previous year (see Chart 2).
Chart 3 summarizes the types of attack methods experienced by the companies that participated in the survey. According to security firm Imperva, “The average large business sees 27 attacks per minute hitting its Website. Attackers can use automation technologies to generate up to seven attacks per second or 25,000 attacks per hour”. To build a sufficient IT security posture, it is important to assume that an unauthorized user can gain access to the network and then structure the network to best protect the most valuable data. The valuable data can then “be tagged and monitored so that the organization knows where it is, where it is going, where it has gone, and on whose authority”. The organization also needs to understand that they need to not only monitor what is coming into their network but also what is leaving their network. This will help “detect activities enabled by techniques and technologies that mimic, exploit, or piggyback on the access of authorized users”.
Using standard firewalls and anti-virus programs alone will not accomplish this. The organization must take a more proactive approach to protect its financial data. Now that we know what we need to do, how do we accomplish this? Some very basic steps include employee screening, employee training to help mitigate against social engineering, disabling account access of terminated employees, ensuring software updates and patches are properly implemented and ensuring firewalls are properly configured. More advanced steps include, but are not limited to, setting up a demilitarized zone to help block the network from outside access, installing a honeynet system to look like an authentic part of the network to entice and trap intrusion attempts for further analysis, installing hard drive encryption and remote data wipe capability on all laptops and other mobile devices, and requiring smart card and pin number authentication (or some other form of multifactor authentication) to access sensitive data.
The Ponemon survey revealed companies utilizing security information and event management (SIEM) solutions such as these average 24 percent less expense in dealing with cybercrime attacks (see chart 5). This reduction in cost is because companies that use SIEM solutions are better able to detect and contain, and therefore recover, from such attacks. Another important step for a financial institute to take is to become a member of the FS-ISAC (Financial Services Information Sharing and Analysis Center). The FS-ISAC was founded in 1999 and led the way for the IT-ISAC (Information Technology Information Sharing and Analysis Center) which was founded in 2001. The purpose of these groups is for organizations to have the opportunity to share the security attacks and vulnerabilities they have experienced with other organizations in their field of industry. Given the sophistication, complexity, and evolution of cybercrime technologies and techniques, no sizable organization can plan and implement the necessary response alone. CIOs, CSOs, CROs, and cybersecurity professionals should share information, techniques, and technologies in their battle against cybercrime. The importance of FS-ISAC was proven in 2000 when member companies where saved from a major denial-of-service attack that many other companies experienced. As shown in chart 4, a denial-of-service attack can be costly. A more recent example of FS-ISAC at work is the August 23, 2011 report of the Help Net Security (International) Ramnit worm which uses Zeus Trojan tactics for banking fraud.
As the FS-ISAC points out, “When attacks occur, early warning and expert advice can mean the difference between business continuity and widespread business catastrophe”. Knowing and having the chance to combat against these attacks can save institute millions. In conclusion, financial institutions must stay vigilant to current and new cyber threats. 3 gives a breakdown of cyber threats and controls that can help reduce the impact of these threats become reality. It is important for an organization to enroll in its respective ISAC and to share in the lessons learned from previous attacks. While it would be almost impossible to learn about and prevent every type of attack, staying vigilant will help reduce the likelihood and impact.
Deloitte Development LLC. (2010).
Cyber Crime: A Clear and Present Danger. Retrieved December 23, 2011, from the World Wide Web: http://eclearning.excelsior.edu/webct/RelativeResourceManager/Template/pdf/M7_Deloitte_CyberCrime. pdf FS-ISAC. (2011).
Current Banking and Finance Report, Retrieved 24 December 2011, from the World Wide Web: http://www. fsisac.com/ Hurley, E. (2001, January 29).
IT-ISAC: A Matter of Trust. Retrieved 24 December 2011, from the World Wide Web: http://searchsecurity. techtarget.com/news/517824/IT-ISAC-A matter-of-trust Ponemon Institute LLC. (2011, August).
Second Annual Cost of Cyber Crime Study. Retrieved December 24, 2011, from the World Wide Web: http://www.arcsight.com/collateral/whitepapers/2011_Cost_of_Cyber_Crime_Study_August. pdf Rashid, F. (2011, July 25).
Cyber-Criminals Use Botnets, Automation to Launch Multiple Blended Attacks. Retrieved December 24, 2011, from the World Wide Web: http://www. week. com/c/a/Security/CyberCriminals-Use-Botnets-Automation-to-Launch-Multiple-Blended-Attacks-656032/Chart 1.Sample of Participating Companies by Industry (Ponemon, 2011).
Average annualized cost by industry sector ($1M). The industry was not represented in the FY2010 benchmark sample. Chart 2. Average annualized cost by industry sector. Types of Attack Methods Experienced Chart 3. Types of Attack Methods Experienced.
Average annualized cybercrime cost weighted by attack frequency. The FY 2010 benchmark sample did not contain a DoS attack.
Average annualized cybercrime cost. Comparison of SIEM and non-SIEM sub-sample of the average cost of cybercrime.
Comparison cost of SIEM and non-SIEM companies (Ponemon, 2011).
Percentage cost for recovery, detection & containment (Ponemon, 2011).
Financial Impact Regulatory ComplianceIndustry Reputation 4CriticalIncrease in costs greater than $1MFines in excess of $1MSignificant sustained negative media exposure.
Significant loss of business due to blemishes on public image. 3MajorIncrease in costs $100K to $1MFines between $100K and $1MNegative media exposure. Loss of business due to blemishes on public image. 2ModerateIncrease in costs less than $100KFines under $100KSome negative media exposure. Slight loss of business due to blemishes on public image.