Special Report: Cybercrime Down Under
By Philip Luces, ZDNet Australia
May 11, 2001
URL: http://www.zdnet.com.au/news/security/soa/Special-Report-Cybercrime-Down-Under/0,130061744,120221108,00.htm
What types of cybercrime occur in Australia and what are the authorities doing to combat the problem? To what extent is this new form of crime impacting on our lives and our livelihood? How exposed is your business to the threat of cybercrime and what can you do to minimise the risks? Learn more in the first part of our Cybercrime Down Under special report:

Cyberlaw: Handcuffed by definitions
Cybercrime Prevention: Who's doing what?
Cyberstalking: Is someone watching you?
E-crime: Breaching the corporate network
Security: Is your business on top of things?
Outsourcing: The answer to your security issues?
Risk Analysis: First step to protection
CPOs and CSOs: Solutions or just titles?

Read the second part in this series to learn more about hackers and their role in cybercrime and the enterprise.

Cyberlaw: Handcuffed by definitions

The issue of online or computer-related criminal activity in Australia is fraught with uncertainty, particularly since authorities such as the Federal Police are unsure of the actual extent of the problem. A report submitted last year by the Australian Federal Police (AFP), entitled "The Virtual Horizon: Meeting The Law Enforcement Challenges-Developing an Australasian law enforcement strategy for dealing with electronic crime", stated that although there was a greater degree of co-ordination between national authorities, the level of the problem in Australia is not fully understood. In an article based on the report, which appeared in the AFP's journal Platypus last December, Steve Jiggins, the AFP's director of media and public relations, highlighted the difficulty of measuring the problem. "Electronic crime varies in its manifestations, so it is difficult to discuss in terms of aggregate incidence and impact," he writes. "As a result, definitive information on the present extent and impact of electronic crime in Australia, New Zealand and overseas is not available."
But it is often the victims of these crimes who are reluctant to report them to the authorities. "A significant amount of this crime is simply not reported," explained Jiggins. "This is in part... to avoid any potentially adverse impact on consumer confidence, or perhaps because of a lack of confidence in the capacity of law enforcement to deal with such issues in a timely way."

According to the report, only two major Australian studies had been done to establish the extent of the problem--one in 1997 conducted by the Office of Strategic Crime Assessments (OSCA) and the Victoria Police, and one in 1999 by the Victoria Police and Deloitte Touche Tohmatsu. The 1997 study concluded that 37 percent of businesses had been subjected to some form of electronic attack or unauthorised computer access. Of those attacked, 90 percent experienced a breach from within the organisation and 60 percent experienced an external breach. The 1999 study offered similar results but also found that 42 percent of the organisations that were attacked did not report the breach, and that one third of the companies that experienced a breach refused to put a dollar value on the damage or loss incurred.

Another complicating factor is that cybercrime, or rather computer-related crime, covers so much ground that it cannot necessarily be handled under one banner. The AFP's report lists several categories of electronic crime: theft of telecommunications services (much like the phone phreakers of old), communications in furtherance of criminal conspiracies, piracy, dissemination of offensive material (which often relates to offences such as cyberstalking), electronic money laundering and tax evasion, electronic vandalism and terrorism, sales and investment fraud, illegal interception of telecommunications, and electronic funds transfer fraud.
Nevertheless, one of the important points in the report is that the majority of electronic crime revolves around traditional forms of criminal offence. The report explains, "While some behaviour is new, such as hacking and denial of service attacks, the majority of offending involving the use of technology is traditional crimes where the computer is an instrument/tool or a target."

Cybercrime Prevention: Who's doing what?

The breadth of offences encompassed by the term "cybercrime" or "e-crime" complicates attempts to police it. No single authority has overall responsibility for the issue, and some state police departments have developed their own strategies for particular elements of cybercrime. The Victoria Police, for example, has had a Computer Crime Investigation Squad (CCIS) in place since 1993, tasked with aiding the discovery and handling of technology-related offences. It liaises with Internet Service Providers (ISPs) and is primarily responsible for developing computer crime investigation and computer evidence handling procedures, as well as Internet investigation practices. A special section of the NSW Police, the Child Protection Enforcement Agency, has established the Child Exploitation Internet Unit to help crack down on Net-related offences against children, including paedophilia and child pornography. It takes a more proactive approach, analysing Web sites and newsgroups that could lead to possible offenders. All state police departments have units that handle several types of fraud, including technology-related fraud. South Australia's Serious Fraud Investigation Branch handles that state's cybercrime offences with a white-collar aspect, including fraud and false pretences, theft, breach of trust and secret commissions.
The widely varying types of cybercrime tend to be reflections or instantiations of "real" world crimes. A particularly disturbing variant is the offence generally referred to as cyberstalking.

Cyberstalking: Is someone watching you?

A brief report issued by the Australian Institute of Criminology (AIC) in September last year examined the complex issues surrounding this new form of stalking. The report--compiled by Dr Emma Ogilve, a post-doctoral fellow of the Criminology Research Council--identifies three major forms of cyberstalking: email stalking, Internet stalking and computer stalking.

Email stalking is similar in many respects to traditional forms of stalking, according to Ogilve. "In many ways, stalking via email represents the closest replication of traditional stalking patterns," writes Ogilve. "Given that the most common forms of stalking behaviour are telephoning and sending mail, the adoption of email by stalkers is not surprising." Email combines the immediacy of a telephone call with the separation entailed in a letter, explains Ogilve, and is often used to threaten or traumatise a person. It is this type of cyberstalking that tends to get prosecuted. The first cyberstalking case to be prosecuted in Queensland involved a woman who received email correspondence that "began amicably, but then became more threatening once she sought to end the communication". Eventually the offender sent death threats and also threatened to have her videotaped while being pack-raped and to post the resulting images to the Internet. Ogilve believes that, while some may think email communications are "less invasive" than telephone calls, "email harassment constitutes an uninvited and arguably threatening incursion into private space".

Internet stalking is a much broader method and generally moves from the private sphere into the public realm.
Offenders might take on the identity of the person they are stalking in chat rooms, or publish the victim's personal details on a Web site. Ogilve explains that this form of cyberstalking is the one most likely to spill over into the real world. One example occurred in the US, where a young man maintained a Web site dedicated to a female high school classmate whom he believed had humiliated him. After two years of discovering and posting intimate details of the woman--including her social security number, license plate number and place of employment--he outlined his plans to murder her. Less than an hour after his final Web site update, the offender drove to the woman's workplace and shot her as she got into her car. In a similar case in Australia, an older male stalked a young boy, following him with a camera. He posted updates of the boy's activities on his personal Web site, where he also described his own paedophilia and detailed how dangerous he would be to anyone who threatened him. Fortunately, the offender was charged with stalking before he could act on his desires.

The final form of cyberstalking, computer stalking, requires a reasonably high level of technical knowledge and is not as common--or as distancing--as the other forms. Essentially, the offender gains control of the victim's computer via the Internet, using various software tools and scripts. It is not a common form of stalking; in fact, there appears to be only one recorded instance of this type of offence. Ogilve writes: "A woman received a message stating 'I'm going to get you', the interloper then opened the woman's CD-ROM drive in order to prove he had control of her computer."
While Ogilve accepts that these offences impinge on personal freedom in "cyberspace", she also notes that the most effective means of control is prevention, either through personal protection or technological solutions such as filtering. "Personal information should not be recorded on the Internet and people should hesitate before filling in electronic forms which request names, age, addresses, together with likes and dislikes," says Ogilve. "Similarly, people can be proactive before signing on to an ISP by researching beforehand whether there are specific policies prohibiting harassment, abusive behaviours and cyberstalking."

E-crime: Breaching the corporate network

Although it is easy to blame hackers for breaches of business technology security, it is often the victim that should wear much of the blame. There is no simple answer to avoiding hacks and potential security problems, but a reasoned and well-thought-out policy can save money and time in the long run. Perhaps one of the greatest risks to your data and your network is what your own staff may tell someone else. Infamous hacker Kevin Mitnick, released from a US federal prison in January 2000 after nearly five years in custody for a criminal career that spanned some 15 years, was renowned around the world for his "uncanny" ability to hack multiple systems. He was able to gain access to FBI and US Department of Motor Vehicles (DMV) networks, as well as numerous mobile phone networks. However, his main asset in breaking into these systems was not his ability as a programmer, but his ability to manipulate people, otherwise known as "social engineering". He could imitate a lineman's jargon, impersonate a superior, sift through trash, con unsuspecting employees out of their field manuals, and exploit his knowledge of a phone company's organisational chart. No denial of service attacks.
No sophisticated programming techniques (although he was able to socially engineer tools away from those who had already done that work); he simply used his basic technical knowledge and attacked what can be the most vulnerable part of a network--the human factor. But are Australian businesses vulnerable to such attacks? Admittedly, most of Mitnick's attacks occurred around five years ago. Surely things have changed since then and Australian companies are now a savvy bunch. Or are they?

Security: Is your business on top of things?

First and foremost, protecting your company's data is not a simple issue and should not be brushed aside by merely throwing money at it and hoping it will go away. There are certain priorities that need to be addressed. Natasha David, senior software analyst for IDC Australia, told ZDNet Australia, "Corporate data has become more valuable in the information and Internet age, and businesses need to make the mental shift between protecting physical assets to protecting their intellectual capital and investment." Similarly, James LaLonde, vice president in charge of the Asia-Pacific region for Brocade Communications Systems, recently stated during a visit to Australia that data has become more valuable than the technology in which it is contained.

IDC's David also believes that another major security issue for online Australian and international businesses is the privacy of their clients. This has been exacerbated by the bad press surrounding dot-com failures that pursue "names for sale" liquidations. "Companies need to realise that having an enforceable privacy policy is one of the key things that consumers of e-commerce sites look for before transacting online," she says. But it seems that it is the human factor that has one of the most profound effects on the security of businesses in Australia.
David says that security has never just been a technical issue, since there is always a human element to consider. "Often the human response to emails is the primary reason companies are still vulnerable to virus attacks--for example in the recent cases of the 'Naked Wife' and 'Anna Kournikova' viruses," explains David. Although antivirus tools are being deployed at the server level to stop these attacks before they reach clients, IDC believes that such attacks will become more targeted at exploiting the human factor. "Another issue to consider is that technology can not compensate for cavalier attitudes," says David. "By this I mean employees who leave their desks without logging off their stations or critical applications (including email)... It is no use having a state-of-the-art security software solution when the company does not augment that solution with an enforceable security policy."

Outsourcing: The answer to your security issues?

Echoing David, Tim Smith, chief technology officer for security at Australian ASP and network integrator Com Tech Solutions, says that the primary security issue has not really changed much in the last six years. "Systems [are] being implemented with default settings, unpatched or [have] ancillary services running that are not required (and open to abuse)," says Smith. "Default settings and unpatched systems cover a multitude of exposures, from site defacement all the way through to backend compromise including the acquisition of private data such as customer databases and credit card numbers." The other major exposure to cybercrime in Australia is the extent to which companies are lax about maintaining vigilance over their security solutions once they are in place. "Security is a moving target and keeping up-to-date is a full-time job," explains Smith.
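Smith's list above (default settings, unpatched software, ancillary services nobody asked for) is the kind of exposure a host baseline check catches. The script below is an added example, not code from Com Tech or from the article: it parses the output of `ss -H -tlnp` on a Linux host, compares every listening TCP service against an allowlist of what that host role should run, and reports everything else. The `ss` output and the baseline here are constructed for the example; on a real host you would feed it the output of `subprocess.run(["ss", "-H", "-tlnp"], capture_output=True, text=True).stdout` and your own baseline.

```python
"""Audit a host's listening TCP services against an expected baseline.

Added example (not from the article or Com Tech).  Parses `ss -H -tlnp`
output as produced by iproute2 on Linux; the sample below is constructed.
"""
import re
from dataclasses import dataclass

# Constructed sample of `ss -H -tlnp` output: state, recv-q, send-q,
# local address:port, peer address:port, owning process.
SAMPLE_SS_OUTPUT = """\
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=812,fd=3))
LISTEN 0      511          0.0.0.0:80        0.0.0.0:*    users:(("nginx",pid=1201,fd=6))
LISTEN 0      128        127.0.0.1:3306      0.0.0.0:*    users:(("mysqld",pid=1340,fd=21))
LISTEN 0      50           0.0.0.0:21        0.0.0.0:*    users:(("vsftpd",pid=1402,fd=3))
LISTEN 0      128          0.0.0.0:5900      0.0.0.0:*    users:(("Xvnc",pid=1555,fd=9))
LISTEN 0      128             [::]:22           [::]:*    users:(("sshd",pid=812,fd=4))
"""

# Assumed baseline for a web host: process name -> ports it may listen on.
BASELINE = {
    "sshd": {22},
    "nginx": {80, 443},
    "mysqld": {3306},
}

_LISTEN_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+users:\(\("(?P<proc>[^"]+)"'
)


@dataclass(frozen=True)
class Listener:
    proc: str
    addr: str
    port: int


def parse_ss(output):
    """Return a Listener for every LISTEN line; other lines are ignored."""
    listeners = []
    for line in output.splitlines():
        m = _LISTEN_RE.match(line.strip())
        if not m:
            continue
        # rpartition handles both "0.0.0.0:22" and "[::]:22".
        addr, _, port = m.group("local").rpartition(":")
        listeners.append(Listener(m.group("proc"), addr, int(port)))
    return listeners


def audit(listeners, baseline):
    """Return (proc, port, reason) for each listener the baseline does not cover.

    An unknown process is an 'unexpected service'; a known process on a
    port it is not meant to use is an 'unexpected port'.  Loopback-only
    listeners are still reported, because a rogue local-only service is
    still an ancillary service the host does not need.  IPv4 and IPv6
    sockets of the same service count once.
    """
    findings = []
    seen = set()
    for lst in listeners:
        key = (lst.proc, lst.port)
        if key in seen:
            continue
        seen.add(key)
        if lst.proc not in baseline:
            findings.append((lst.proc, lst.port, "unexpected service"))
        elif lst.port not in baseline[lst.proc]:
            findings.append((lst.proc, lst.port, "unexpected port"))
    return findings


if __name__ == "__main__":
    for proc, port, reason in audit(parse_ss(SAMPLE_SS_OUTPUT), BASELINE):
        print(f"{reason}: {proc} on port {port}")
```

On the constructed sample this reports the FTP and VNC daemons, which is exactly the category Smith describes: services the host was never meant to expose, left running on their defaults. The check is only as good as the baseline, so the baseline belongs in version control alongside the build that produces the host.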
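David's point above about the human response to email is why the server-level filtering she mentions matters: a user cannot double-click what the gateway has already quarantined. The code below is an added example, not from IDC or the article, of an attachment-name rule of the kind a mail gateway applies. It blocks extensions Windows executes on open and flags the double-extension disguise the Anna Kournikova worm used (a `.vbs` named to look like a `.jpg`). The extension lists are an assumed policy, and the attachment names are constructed test inputs.

```python
"""Attachment-name screening of the kind a mail gateway applies.

Added example (not from IDC or the article).  Blocks extensions Windows
executes on open and the double-extension disguise ("photo.jpg.vbs") the
Anna Kournikova worm used.  The extension lists are an assumed policy and
the sample names are constructed.
"""
import os

# Assumed block list: extensions Windows will execute when double-clicked.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".com", ".bat", ".cmd", ".pif", ".scr",
    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta",
}

# Harmless-looking extensions commonly placed in front of the real one.
DECOY_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".txt", ".doc", ".pdf", ".mp3"}

# Constructed sample attachment names, including padded and trailing-dot tricks.
SAMPLE_ATTACHMENTS = [
    "quarterly-report.doc",
    "AnnaKournikova.jpg.vbs",
    "photo.JPG",
    "setup.EXE",
    "invoice.pdf                                    .scr",
    "notes.txt.",
]


def attachment_verdict(filename):
    """Return (blocked, reason) for one attachment name.

    Comparison is case-insensitive, and trailing dots and spaces are
    stripped first because Windows ignores them when it decides how to
    open a file, so "evil.exe." still runs as an executable.
    """
    name = filename.strip().rstrip(". ")
    base, ext = os.path.splitext(name)
    ext = ext.lower()
    if ext not in EXECUTABLE_EXTENSIONS:
        return False, "allowed"
    # Padding spaces between the decoy and the real extension push the real
    # one out of view in many clients; strip them before reading the decoy.
    _, decoy = os.path.splitext(base.rstrip())
    decoy = decoy.lower()
    if decoy in DECOY_EXTENSIONS:
        return True, f"double extension {decoy}{ext}"
    return True, f"executable extension {ext}"


def screen(attachments):
    """Return the attachment names that should be quarantined."""
    return [name for name in attachments if attachment_verdict(name)[0]]


if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        blocked, reason = attachment_verdict(name)
        print(f"{'BLOCK' if blocked else 'pass '}  {name!r}: {reason}")
```

A name-based rule is a cheap first filter, not a substitute for content scanning: an attacker who renames the payload to a permitted extension and talks the user into renaming it back defeats it, which is David's human factor again. The block list also has to track whatever the clients will actually execute, so it is policy to review, not a one-off setting.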
Smith cites the human factor as a particularly vulnerable area for most Australian businesses, mainly because of the complete lack of staff training in that area. "With the exception of those specially trained on counter-social engineering techniques (such as the military), almost all organisations are susceptible to social engineering," said Smith. "Most organisations do not address this issue at all... The only way to defend against it is [through] a security awareness program." The problem arises not because staff are complacent as such, but because they wish to help someone in need. "The problem is, people generally want to help--if someone appearing to have forgotten their key or password is roaming the office (or phones in), the immediate reaction is to try and help," says Smith. "[It is] very difficult to address this with technology."

Leigh Purdie, co-director of the InterSect Alliance, an information technology security consultancy, also believes that this type of attack can often be the most effective. "One of the oldest and more successful mechanisms to gain access to an organisation's information resources is the 'social engineering' attack," says Purdie. "It basically involves hitting the organisation in a perceived 'soft spot'--employees who may not have an awareness of the security implications of their actions." The lack of perspicacity of some corporate employees plays right into the hands of prospective infiltrators. "We've known of situations where external attackers ring a random number inside an organisation, claim to be a network administrator doing network testing from the IT cell, and ask the user to log off their system and log back on again--all the while reading out what they are typing," explains Purdie.
One solution Com Tech's Smith recommends is for Australian businesses to hand their security to someone who can dedicate specific resources to it and is specially trained in the area. "If an organisation does not have the necessary skill sets to keep systems secure as well as operational then they should look at outsourcing their security to a third party dedicated to managing security for them... Managed security companies are more process [rather than technology] driven and generally more aware of social engineering techniques."

Risk Analysis: First step to protection

Both Smith and David agree that the first step for Australian organisations looking to implement an effective security solution and protect themselves from cybercrime is a comprehensive risk analysis. "Businesses should first and foremost design an enforceable security policy," says IDC's David. "This should be based on risk management principles. While the business can not totally eliminate all risk from breaches in security, it can mitigate areas where it will have most damage to corporate reputation, assets and revenues." Smith stated, "Security needs to be taken seriously and have buy-in from the executive level down. A Risk Assessment [should be done] to determine the likelihood of compromise and the associated risk (and cost) to the business." According to Smith, this risk assessment report is important in helping management determine the potential exposure of the business and justify the expense required to address those problems. Part of the problem in the past has been the lack of a risk analysis before going live with a particular technology, an issue that Smith believes has been downplayed by companies and IT consultancies in Australia. "The tendency in the past has been to throw a technology at the security problem without even defining what that problem is," said Smith.
One aspect IDC's David believes is underestimated in the Australian market is that most organisations only implement a security solution after their systems have already been compromised. "There is a dangerous complacence when it comes to online security in Australia," she warns. InterSect Alliance's Purdie suggests that one of the major difficulties with implementing a proper security policy in Australian businesses is the choice of inappropriate technical solutions. "[The biggest problem is] without question, understanding how to map organisational objectives to security counter measures, and how to effectively apply and manage such countermeasures," says Purdie. "Often, the reason that an ineffective security solution may be chosen is that communication was poor, and an adequate understanding of the organisational priorities was not achieved in the risk analysis process."

CPOs and CSOs: Solutions or just titles?

One possible improvement for Australian businesses tackling the cybercrime issue is to adopt a trend that is taking off in the US. Chief Privacy Officers and Chief Security Officers are becoming more prevalent in large US companies to help combat breaches of company assets. These officers are responsible for all aspects of security, not just IT-based counter-intrusion. Australian organisations, however, seem slow to adopt the idea. "The trend of a dedicated CxO has not followed in other arenas that are equally important to businesses, such as the Chief Knowledge Officer, the Chief Technology Officer and the Chief Morale Officer," says David. "I would not expect this trend to be any different when it comes to privacy and security, as it has already been shown that Australian businesses are on the whole complacent about security at the moment." Com Tech's Smith believes that Australian businesses are getting there, but it is taking time.
"In most cases, security is the responsibility of the CIO [Chief Information Officer]," Smith explains. "That said, some corporate and financial institutions have Risk Management departments and security managers that feed the relevant information to the CIO." Overall, however, both Smith and David agree that the key lies in conducting a proper risk analysis and then implementing a solution that reflects its results. More importantly, once a technical and staff security solution is in place it should be updated and maintained on a regular basis, ideally by a dedicated security officer or as an addition to an existing officer's duties. "Security is a process, not a solution," says Smith. "Implementation and maintenance is a continual process--ensure that the organisation is aware of the continual issues they face and employ (or outsource) the relevant expertise at the outset."

InterSect Alliance's Purdie also agrees with conducting a risk analysis and suggests that companies should take the organisation's risk profile into consideration when training employees and IT staff. Purdie notes that most employee training on security issues takes place in-house; given the diversity of many organisations' systems and network architectures, this is essential. "In situations that we've been called on to offer such training, we try to spend time with some key players in the organisation to get a good understanding of their business objectives, and how those objectives are reflected in their security risk profile," says Purdie. "Although there are some general security concepts that are common between many organisations, we generally find that the differences outweigh the commonalities."
However, Purdie also notes a major security issue with former employees who have technical knowledge of an organisation's infrastructure and may have left under difficult circumstances. "The risk posed by disgruntled, technically literate employees is, unfortunately, often significant," explains Purdie. "When such a person is released from employment, it often promotes an interest in IT security as managers consider the potential repercussions." These risks can be counteracted so long as security remains a pervasive part of the organisation's operations, says Purdie. "The challenge for an IT security team is to make sure that thinking about IT security issues doesn't occur in such exceptional circumstances but is an everyday part of business."
Copyright © 2009 CBS Interactive, a CBS Company. All Rights Reserved.