cybercrime

ICM: Effective Fraud Prevention & Detection Strategies, August 2000

Charl van der Walt, Jaco van Graan, Roelof Temmingh

Upload: sensepost

Post on 02-Nov-2014


DESCRIPTION

Presentation by Charl van der Walt, Jaco van Graan and Roelof Temmingh at ICM in 2000. The presentation begins by giving an overview of what hackers are, what they do and what drives them. Security fundamentals such as encryption and the four pillars of information security are discussed. The presentation ends with discussions on the security process and security certification.

TRANSCRIPT

Page 1

CYBERCRIME

ICM: Effective Fraud Prevention & Detection Strategies

August 2000

charl van der walt

jaco van graan

roelof temmingh

Page 2

AGENDA

1. INFORMATION SECURITY AWARENESS - Jaco van Graan

2. PROFILING THE ENEMY - Roelof Temmingh

3. SECURITY TRENDS AND STATISTICS - Charl van der Walt

4. INFORMATION SECURITY FUNDAMENTALS - Charl van der Walt

5. SECURITY DEMONSTRATED - SensePost Information Security

6. THE INFORMATION SECURITY PROCESS - Jaco van Graan

7. INFORMATION SECURITY CERTIFICATION - Charl van der Walt

8. THE BOTTOM LINE - Jaco van Graan

Page 3

INTRODUCTION

• About the speakers

– jaco van graan

– charl van der walt

– roelof temmingh

• Objective

• Approach

• References:

– http://wips.sensepost.com/misc/cybercrime.zip

– http://www.sensepost.com

– [email protected]

– [email protected]

– [email protected]

Page 4

INFORMATION SECURITY AWARENESS - jaco van graan

AGENDA

1. The Age of the Net

2. Threats and Risks in IT

3. Examples

4. What's this hacking stuff?

5. What do hackers do?

6. But why hack?

7. Why they do it

8. Security Breaches in the past 12 months

Page 5

Age of the Net...

• Global village

• Information overload

• Evernet

• E-Commerce

• Removing the middleman

• Information replaces inventory

Page 6

Threats and Risks in IT

• Lack of security in IT

• Networks transfer data without security

• System administrators are trusted (completely)

• Theft

• People

– Untrusted, Outsourcing

• Internet designed with open architecture

• Hacking

Page 7

What's this hacking stuff?

• "Hacker"

– clever programmer

– Enjoys learning details of a programming language or system

– Enjoys actually doing the programming rather than just theorizing about it

– Capable of appreciating someone else's hacking

– Picks up programming quickly

– Expert at a particular programming language or system, as in "UNIX hacker"

Page 8

What hackers do:

• Steal

– information - to use and to sell

– money from accounts

– goods through e-buying

– resources - time and equipment

• Talk

• Leave backdoors open

• Launch new attacks

Page 9

But why hack?

• Fun

– technical challenges

– curiosity

– harmless pranks

– thrills

• Emotional

– pride

– hate

– revenge

– psychological

Page 10

How do they do it?

• Social engineering

• Networking

• Resources from the web...

Page 11

Security breaches past 12 months

[Bar chart: percentage of respondents reporting each breach type in the past 12 months, two series: South Africa and Europe. Categories: Virus, Theft, Mail intrusion, External attacks, Internal attacks. Values extracted from the chart, in order: 87%, 80%, 27%, 8%, 26% (first series) and 73%, 1%, 18%, 22%, 14% (second series). The first series agrees with the South African figures on page 17 for virus (87%), theft (80%) and e-mail intrusion (27%); the remaining pairings cannot be recovered from the extraction.]

Page 12

SECURITY TRENDS & STATISTICS - charl van der walt

1. Statistics on Commercial Crime

2. Statistics on Computer Crime

3. Computers and Commercial Crime

4. The value of Trends and Statistics

5. Trends in Computer Security

6. Determining your own Risk Profile...

Page 13

Statistics on Commercial Crime

• Commercial crime up 3.5% from last year

– R 3.4 billion in the first half of '99 alone

• 84.3% of cases involved fraud

– 25,000 incidents

– R 2.9 billion

• Gauteng ranks first for commercial crime

• Source: www.saps.org.za

Page 14

Statistics on Computer Crime

• 61% of the organizations surveyed have experienced losses due to unauthorized computer use.

• The average loss from theft of proprietary information is over $1.2M.

• The average loss from data or network sabotage is over $1.1M.

• 50% of all organizations surveyed reported insider abuse of net access.

Source: FBI / CSI Survey, 1999

Page 15

Statistics on Computer Crime

"Just ask Edgars, the clothing retail group, which lost more than R1m after a computer programmer brought down more than 600 stores for an entire day."

Financial Mail - April 2000

Page 16

Threat Distribution - International

Theft of proprietary info 20%

Sabotage of data or networks 15%

Telecom eavesdropping 10%

System penetration by outsider 24%

Insider abuse of net access 76%

Financial fraud 11%

Denial of service 25%

Virus contamination 70%

Unauthorized access to info by insider 43%

Telecom fraud 13%

Active wiretapping 2%

Laptop theft 54%

Page 17

Threat Distribution - RSA

Some form of breach 89%

Virus incident 87%

Theft of equipment 80%

E-mail intrusion 27%

Loss of company documents 12%

Breach of confidentiality 8%

External systems attack 8%

Internal systems attack 6%

Page 18

Computers & Commercial Crime

KPMG: "63% of top-level managers in South Africa rate their company's dependence on IT for the successful running of business as 'Extremely High'"

Business today simply doesn't run without IT.

Neither does fraud or other commercial crime.

Page 19

The value of statistics

• Local and International statistics differ

– "Internal": 76% vs 6%

– "External": 24% vs 8%

• Statistical methodologies differ

• Many incidents are never discovered

• Most are never reported

• Statistics probably won't tell you much, except to:

– Create an awareness

– Stimulate technology

– Indicate trends

Page 20

Trends in IT security

The industry is typically technology driven:

• Host Security

• Firewalls

• Virus scanners

• Proxies

• VPN

• Content Scanners

• Intrusion Detection

• Hacker-in-a-Box

• File Security

Page 21

Determining your own risk

The magnitude of the risk is a product of the value of the information and the degree to which the vulnerability can be exploited.

Page 22

PROFILING THE ENEMY - roelof temmingh

1. Media and "hackers" - utter confusion

2. The intellectual and emotional makeup of a good "hacker"

3. Types of "hackers"

4. What motivates "hackers"?

5. The real threat - should we be worried about "hackers"?

Page 23

INFORMATION SECURITY FUNDAMENTALS - charl van der walt

1. Understanding the Internet

2. The four Pillars

3. Control Methods

4. More about Encryption

5. Security Technologies

6. Security Products

7. Case Study

Page 24

Understanding the Internet

• Host

• Network

• LAN

• WAN

• Internet

• Protocol

• IP

• Packet

• Server / Service

• Port

Page 25

Four Pillars of Information Security

• Access Control

– Control who may and who may not access data

• Confidentiality

– Ensure data is viewed only by the intended audience

• Integrity

– Ensure data is not changed by unauthorized parties

• Authenticity

– Ensure that data originated where you think it did

• #5 - Availability

– Ensure data is there when you need it

Page 26

Security Control Methods

• Information Security Policy

• Sound system design

• Access Control

– Physical

– Network

– Operating System

– Application

• Encryption

• Audit and Review

Page 27

More about Encryption

• Encrypt

– Convert information into an unreadable format

• Crypto-Text (ciphertext)

– The unreadable output of encryption

• Decrypt

– Change data back to its normal format

• Clear-Text (plaintext)

– The readable original

• Algorithm

– Steps followed to encrypt or decrypt the information

• Key

– Secret shared between the parties (in symmetric encryption)

• Key Length

– An indication of how hard the key is to guess: with a sound algorithm, every extra bit doubles the number of keys an attacker has to try

Page 28

Still more about Encryption

• Public Key Cryptography

– A special type of encryption using a key pair

• Private Key

– Kept strictly secret

• Public Key

– Published with a Certificate

• Certificate

– A way of linking your Key to your Identity

• Certificate Authority (CA)

– Responsible for verifying the identity behind a Certificate and signing it, so that others can trust the link between key and identity

• Public Key Infrastructure (PKI)

– Structures needed to make the process work
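As an added illustration of the integrity and authenticity pillars and of the key-length bullet on the previous slide (example code written for this page, not from the SensePost deck), the Python below uses the standard library's hmac module. The shared key, the message and the deliberately short 16-bit key are constructed values. A plain hash only catches accidental corruption, because anyone can recompute it after changing the message; a keyed MAC binds the message to whoever holds the key; and the exhaustive search over a 2-byte key shows why key length is a measure of how hard the key is to guess.

```python
"""Integrity vs. authenticity with an HMAC, and why key length matters.

Added example for this page; keys and message are constructed, not real.
"""
import hashlib
import hmac
import itertools
from typing import Dict, Optional, Tuple

# Constructed 128-bit shared secret and a message whose integrity matters.
SHARED_KEY = bytes.fromhex("6f2c9e1b4a7d3c8e5f0a1b2c3d4e5f60")
MESSAGE = b"transfer 1000 from 12345 to 67890"


def unkeyed_digest(message: bytes) -> str:
    """A plain hash: detects accidental corruption only, since anyone can recompute it."""
    return hashlib.sha256(message).hexdigest()


def make_tag(key: bytes, message: bytes) -> str:
    """HMAC-SHA256 over the message; only holders of `key` can produce a valid tag."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, message: bytes, tag: str) -> bool:
    """Constant-time comparison, so the check itself does not leak the tag byte by byte."""
    return hmac.compare_digest(make_tag(key, message), tag)


def attacker_forges_unkeyed(message: bytes) -> Tuple[bytes, str]:
    """An attacker who alters the message simply recomputes the unkeyed hash."""
    forged = message.replace(b"67890", b"99999")
    return forged, unkeyed_digest(forged)


def brute_force_key(message: bytes, tag: str, key_len: int) -> Optional[bytes]:
    """Exhaust the 2**(8*key_len) possible keys. Feasible for 2 bytes, hopeless for 16."""
    for candidate in itertools.product(range(256), repeat=key_len):
        key = bytes(candidate)
        if hmac.compare_digest(make_tag(key, message), tag):
            return key
    return None


def demo() -> Dict[str, object]:
    results: Dict[str, object] = {}

    # Integrity: a tampered message fails verification against the original tag.
    tag = make_tag(SHARED_KEY, MESSAGE)
    tampered = MESSAGE.replace(b"1000", b"9000")
    results["tamper_detected"] = not verify_tag(SHARED_KEY, tampered, tag)

    # Authenticity: an unkeyed hash proves nothing about origin, because the
    # attacker recomputes it over the forged message and it "verifies".
    forged, forged_digest = attacker_forges_unkeyed(MESSAGE)
    results["unkeyed_forgery_accepted"] = unkeyed_digest(forged) == forged_digest

    # ...whereas without the shared key the attacker cannot mint a valid HMAC.
    results["keyed_forgery_rejected"] = not verify_tag(
        SHARED_KEY, forged, make_tag(b"guess", forged)
    )

    # Key length: a 16-bit key falls to exhaustive search almost instantly.
    short_key = b"\x13\x37"
    short_tag = make_tag(short_key, MESSAGE)
    results["short_key_recovered"] = brute_force_key(MESSAGE, short_tag, key_len=2) == short_key
    results["search_space_bits_128"] = 8 * len(SHARED_KEY)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With the 128-bit key the same search would need 2^128 trials, which is the substance of the key-length bullet. This is symmetric (shared-key) authenticity; the public-key and certificate material on the slide is what lets two parties who have never exchanged a secret obtain the same assurance.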

Page 29

Security Technologies

• Firewalls

– Network Level

– Application Level

– Content Level

• Authentication Systems

– Something you know

– Something you have

– Something you are

• Encryption Protocols

– SSH

– SSL

– IPSec

• Intrusion Detection Systems

Page 30

Security Products

• Firewalls

– Check Point FW-1 (www.checkpoint.com)

– NAI Gauntlet (www.nai.com)

– Linux IPchains (www.linux.org)

• Authentication Systems

– RSA SecurID (www.rsa.com)

– Aladdin eToken (www.aks.com)

• Encryption

– Windows EFS

– Trispen IPGranite (www.trispen.com)

• Intrusion Detection Systems

– AXENT NetProwler (www.axent.com)

– Snort (www.snort.org)

Page 31

Case Study - www.bluebean.com

• Use a firewall

– Restrict access to ports 80 and 443 only

Page 32

Case Study - www.bluebean.com

• Use a secure web server

– Netscape Enterprise 3/6

Page 33

Case Study - www.bluebean.com

• Use SSL to encrypt the connection

Page 34

Case Study - www.bluebean.com

• Use SSL for authentication

Page 35

Case Study - www.bluebean.com

• Data Confidentiality

– No credit card numbers to foreign sites

Page 36

Case Study - www.bluebean.com

• Use two-factor authentication

– The BlueBean credit card

Page 37

Case Study - www.bluebean.com

• Account Lockout

Page 38

Case Study - www.bluebean.com

• Potential Weaknesses

– Credit card number can be guessed

– User PC could be attacked

– User could be tricked

– Cycle through the card numbers with a fixed PIN, rather than through the PINs for one card, so that per-account lockout never triggers?
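The last weakness deserves a concrete demonstration. The Python below is an added example (not the BlueBean implementation, whose details the deck does not give) built on constructed synthetic card identifiers and PINs. It models a login service with the per-account lockout from the previous slide, then runs both attacks: a vertical attack (many PINs against one card), which the lockout stops after three failures, and a horizontal attack (one PIN against every card), which per-account lockout never sees because each account fails only once. The per-source failure counter is a hypothetical hardening added here, not a control the deck describes.

```python
"""Why per-account lockout does not stop a card-number-cycling attack.

Added example for this page; accounts, PINs and addresses are constructed.
"""
from collections import defaultdict
from typing import Dict, List, Set

# Constructed data: 200 synthetic cards with derived 4-digit PINs. Because 7919
# is coprime to 10000, every account gets a distinct PIN.
ACCOUNTS: Dict[str, str] = {
    f"card-{i:04d}": f"{(i * 7919) % 10000:04d}" for i in range(1, 201)
}
LOCKOUT_THRESHOLD = 3       # failures on one account before it locks (the slide's control)
PER_SOURCE_THRESHOLD = 10   # failures from one source before it is blocked (hypothetical control)
ATTACKER = "198.51.100.7"   # constructed source address


class LoginService:
    """Two-factor check: something you have (card number) plus something you know (PIN)."""

    def __init__(self, per_source_limit: bool) -> None:
        self.per_source_limit = per_source_limit
        self.account_failures: Dict[str, int] = defaultdict(int)
        self.source_failures: Dict[str, int] = defaultdict(int)
        self.locked_accounts: Set[str] = set()
        self.blocked_sources: Set[str] = set()

    def login(self, source: str, card: str, pin: str) -> str:
        if self.per_source_limit and source in self.blocked_sources:
            return "SOURCE_BLOCKED"
        if card in self.locked_accounts:
            return "ACCOUNT_LOCKED"
        if ACCOUNTS.get(card) == pin:
            self.account_failures[card] = 0
            return "OK"
        # Count the failure against the account (original control)...
        self.account_failures[card] += 1
        if self.account_failures[card] >= LOCKOUT_THRESHOLD:
            self.locked_accounts.add(card)
        # ...and against the source (added control).
        self.source_failures[source] += 1
        if self.per_source_limit and self.source_failures[source] >= PER_SOURCE_THRESHOLD:
            self.blocked_sources.add(source)
        return "FAIL"


def run_vertical(per_source_limit: bool = False) -> Dict[str, object]:
    """One card, all 10,000 PINs: the attack that account lockout is designed to stop."""
    svc = LoginService(per_source_limit)
    outcomes: List[str] = [svc.login(ATTACKER, "card-0001", f"{p:04d}") for p in range(10000)]
    return {
        "hits": outcomes.count("OK"),
        "pins_actually_checked": outcomes.count("FAIL") + outcomes.count("OK"),
        "account_locked": "card-0001" in svc.locked_accounts,
    }


def run_horizontal(per_source_limit: bool) -> Dict[str, object]:
    """One PIN, all cards: every account sees a single failure, so lockout never fires."""
    svc = LoginService(per_source_limit)
    guessed_pin = ACCOUNTS["card-0042"]  # stands in for a PIN the attacker bets is common
    outcomes = [svc.login(ATTACKER, card, guessed_pin) for card in ACCOUNTS]
    return {
        "hits": outcomes.count("OK"),
        "accounts_locked": len(svc.locked_accounts),
        "source_blocked": ATTACKER in svc.blocked_sources,
    }


if __name__ == "__main__":
    print("vertical, lockout only:       ", run_vertical())
    print("horizontal, lockout only:     ", run_horizontal(per_source_limit=False))
    print("horizontal, plus source limit:", run_horizontal(per_source_limit=True))
```

The vertical attack evaluates only three PINs before the account locks; the horizontal attack evaluates all 200 cards, locks nothing and recovers a working card/PIN pair. Per-source throttling stops this single-source run, but it is itself defeated by spreading attempts across many source addresses, so a global alarm on the overall failure rate, and on the share of failures that land on distinct accounts, belongs alongside it.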

Page 39

SECURITY DEMONSTRATED - jaco van graan

1. Connecting to the firewall

2. Using passwords to restrict access to data

3. Using a firewall to protect our servers

4. Using IDS to warn us of attacks

Page 40

SECURITY DEMO - roelof temmingh

1. A server is connected to the Internet.

2. Passwords are used to restrict access to the MS file service.

Page 41

SECURITY DEMO

3. A firewall is used to restrict server access to the web service port, 80.

Page 42

SECURITY DEMO

4. An IDS is used to detect and report on attempted attacks on the web server.
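To show what "detect and report on attempted attacks on the web server" means in practice, here is an added Python example (not the IDS used in the demo, which the deck does not identify) that runs two detections over constructed Common Log Format lines: a signature match for directory-traversal sequences in the request path, and a threshold rule that fires when one source address collects five or more 404 responses within 60 seconds, the footprint of someone probing for content behind a firewall that only lets port 80 through. The addresses, paths, window and threshold are all made up for the example.

```python
"""Signature and threshold detection over web-server access log lines.

Added example for this page; the log lines and addresses are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample traffic in Common Log Format (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.9 - - [12/Aug/2000:10:01:02 +0200] "GET /index.html HTTP/1.0" 200 1024
203.0.113.9 - - [12/Aug/2000:10:01:05 +0200] "GET /images/logo.gif HTTP/1.0" 200 512
203.0.113.9 - - [12/Aug/2000:10:01:09 +0200] "GET /pricing.htm HTTP/1.0" 404 210
198.51.100.7 - - [12/Aug/2000:10:02:00 +0200] "GET /../../etc/passwd HTTP/1.0" 404 210
198.51.100.7 - - [12/Aug/2000:10:02:01 +0200] "GET /admin/ HTTP/1.0" 404 210
198.51.100.7 - - [12/Aug/2000:10:02:02 +0200] "GET /backup/ HTTP/1.0" 404 210
198.51.100.7 - - [12/Aug/2000:10:02:03 +0200] "GET /test/ HTTP/1.0" 404 210
198.51.100.7 - - [12/Aug/2000:10:02:04 +0200] "GET /old/ HTTP/1.0" 404 210
192.0.2.33 - - [12/Aug/2000:10:05:00 +0200] "GET /a.html HTTP/1.0" 404 210
192.0.2.33 - - [12/Aug/2000:10:09:00 +0200] "GET /b.html HTTP/1.0" 404 210
192.0.2.33 - - [12/Aug/2000:10:13:00 +0200] "GET /c.html HTTP/1.0" 404 210
192.0.2.33 - - [12/Aug/2000:10:17:00 +0200] "GET /d.html HTTP/1.0" 404 210
192.0.2.33 - - [12/Aug/2000:10:21:00 +0200] "GET /e.html HTTP/1.0" 404 210
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Signature rules: patterns in the request path that a legitimate client never sends.
SIGNATURES = {
    "path-traversal": re.compile(r"(\.\./|\.\.%2f|%2e%2e%2f)", re.IGNORECASE),
    "null-byte": re.compile(r"%00"),
}

# Threshold rule: this many 404s from one source inside the window looks like a probe.
SCAN_WINDOW = timedelta(seconds=60)
SCAN_THRESHOLD = 5


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one CLF line; return None for lines that do not fit the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec: Dict[str, object] = dict(m.groupdict())
    rec["ts"] = datetime.strptime(str(rec["ts"]), "%d/%b/%Y:%H:%M:%S %z")
    return rec


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Return one alert per signature hit and at most one scan alert per source."""
    alerts: List[Dict[str, str]] = []
    not_found: Dict[str, List[datetime]] = defaultdict(list)

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = str(rec["path"])
        for rule, pattern in SIGNATURES.items():
            if pattern.search(path):
                alerts.append({"rule": rule, "src": str(rec["ip"]), "evidence": path})
        if rec["status"] == "404":
            not_found[str(rec["ip"])].append(rec["ts"])  # type: ignore[arg-type]

    # Sliding window over each source's 404 timestamps.
    for ip, times in not_found.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > SCAN_WINDOW:
                start += 1
            if end - start + 1 >= SCAN_THRESHOLD:
                alerts.append({
                    "rule": "scan",
                    "src": ip,
                    "evidence": f"{end - start + 1} x 404 within {int(SCAN_WINDOW.total_seconds())}s",
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The slow prober at 192.0.2.33 never trips the threshold because its five misses are spread over sixteen minutes, which is the usual trade-off: a tighter window cuts false alarms from users mistyping URLs but lets a patient scanner through, so a second, longer window with a higher count is the normal complement.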

Page 43

THE INFORMATION SECURITY PROCESS - jaco van graan

1. Proactive or Reactive?

2. The Process

3. Threat / Risk Analysis

4. Security Policy

5. Planning

6. Implementation

7. Manage & Monitor

8. Internal & External Audit

9. Intrusion Detection

10. Adjust Security Policy

Page 44

Proactive or Reactive?

Proactive:

• Locate weaknesses

• Controls in place

• Long-term cost effective

Reactive:

• No or weak controls

• Try to plug security holes

• Least effective

• Costly

Page 45

The Process...

1. Threat/Risk Analysis

2. Security Policy Creation

3. Planning

4. Policy Enforcement/Implementation

5. Monitor & Manage

6. Intrusion Detection

7. Security Audit

Page 46

Threat/Risk Analysis

• Value your assets (information/reputation).

• Determine the acceptable level of loss.

• Some losses will inevitably occur.

– Eliminating ALL losses would be either too costly or impossible.

• The level of acceptable losses needs to be set

– it dictates how much you are willing to spend on security.

• Set a time period for the acceptable losses.

Page 47

Security Policy

• Practical, understandable.

• Control document.

• Communicated.

• Endorsed by management.

• Applies to all users of the infrastructure.

• Gives the security administrator a mandate.

A security policy helps to define what you consider to be valuable, and it specifies what steps should be taken to safeguard those assets.

Page 48

Planning

• Enforcement of controls - security policy

• Select products to ensure compliance

• Determine required implementation and maintenance skills

• Evaluate impact on business

Page 49

Planning

• Resources

– People

– Time

– $$$

• Evaluate possible security partner

– Experience: references

– Financial backing

– Trust relationship

– Support: training/skills transfer/SLAs

– Product range

Page 50

Implementation

• Remember your exposure!

• Security partner?

• Schedule change control - security policy

• Inform all users / business partners

• Ensure skill level of implementers

• Roll back plan

Page 51

Manage & Monitor

• Physical audit of infrastructure

• Responsibility handover

– Security alerts, advisories, bug fixes

– Equipment load

– Configuration changes

• Catch 'em! (If you can...)

Page 52

Internal & External Audit

• Collect and evaluate evidence to determine whether a computer system:

– safeguards assets.

– maintains data integrity.

– allows the goals of an organisation to be achieved efficiently and effectively.

• Security policy as control document.

• International standards: SAS 70; BS 7799.

Page 53

Internal Audit

• Compare to internal audit division.

• Independence, thus not involved in implementation or operations.

• Report to IT manager.

Page 54

External Audit - Evaluation

• Organisation

– Independence

– References

– Experience

– Certification

– Cost

– Ethics

– Services offered

– Backing: subsidiary/insurance

Page 55

External Audit - Evaluation

• Methodology

– Certification/benchmark

– Audit plan

– Execution according to plan

– Report

– Recommendations & resolution

Page 56

External Audit - Evaluation

• Resources

– Business skills

– Experience: qualifications; certifications; professional bodies

– Individual background

• The brief... How; What; Where?

– Type: logical, physical or social

– Restrictions / conditions

– Internal / external

Page 57

External Audit - Evaluation

• Toolbox

– Tool combinations: wider vulnerability coverage

– Proprietary or off the shelf

• Confidentiality.

Page 58

Intrusion Detection

• If all else failed...

• Regular updates.

• Follow up of intrusion attempts.

• Play it again, Sam.

Page 59

Adjust Security Policy

• Recommendations from internal & external audits.

• New business requirements.

Page 60

INFORMATION SECURITY CERTIFICATION - charl van der walt

1. Definition

2. The purpose of Certification

3. Leading standards today

4. Is Certification for you?

5. Choosing the right standard

Page 61

Definition

The evaluation of the security of a computer system by a recognised third party.

If the system being tested meets all the criteria it receives certification (also called accreditation), which is an indication of the level of security of the system being tested.

Page 62

Objective

• To enforce structure on your security program

• A means of assessing your own security

• A means of measuring against best-of-breed

• A means of convincing others of your security

Page 63

Leading Standards

• BS 7799

– British Standards Institute

– Outlines 10 controls that must be addressed

– Uses the c:cure program for accreditation

– www.bsi.org.uk / www.bsi.org.za

– www.c:cure.org

• TCSEC - Trusted Computer System Evaluation Criteria

– "Orange Book"

– Published by the US Department of Defense through the National Computer Security Center, part of the National Security Agency

– Defines different 'Levels' of trust

• Minimal -> Formally Proven

– www.radium.ncsc.mil/tpep

Page 64

Leading Standards

• ITSEC - Information Technology Security Evaluation Criteria

– Recognised by most European countries

– Concentrates on product evaluations

– Defines different levels (E0 - E6)

– www.itsec.gov.uk

• CCITSE - Common Criteria for IT Security Evaluation

– Joint American / European Evaluation Standard

– Successor to TCSEC and ITSEC

– Defines 'levels' similar to TCSEC, but more flexible

• Protection Profiles

– http://csrc.nist.gov/cc/

Page 65

Leading Standards

• ISO / GMITS - Guidelines to the Management of IT Security

– Published by the JTC

• Joint Technical Committee of ISO and IEC

– www.iso.ch

– www.diffuse.org/secure.html

• COBIT - Control Objectives for Information and Related Technologies

– Information Systems Audit and Control Association (ISACA)

– 'Business Oriented & Practical'

– www.isaca.org

Page 66

Leading Standards

• ICSA - International Computer Security Association

– Commercial venture represented world-wide

– Product certification and security assurance services (TruSecure)

– Internet focused

– www.icsa.net

• Ernst & Young SAS 70 - Statement of Auditing Standards # 70

– American version of a similar international standard

– Specifically for the outsourced environment

– Business focused

– www.ey.com

Page 67

Is Certification for you?

• Yes, if:

– You're a large corporation

– You're publicly owned

– You offer IT-based services to clients

– You have legal obligations

– You're comfortable with formal processes

• No, if:

– You have a small, manageable infrastructure

– Your only responsibility is to yourself

– You have an informal culture and strong skills

– You believe certification will make you secure

Page 68

Choosing the right standard

• Recognition

– Respect in your target market

• Focus

– Support for your own security objectives

• Local Presence

– A program that can be certified in SA

• Total cost

– Good return on investment

• Overhead

– Reasonable implementation time and life-span

• Impact

– A tangible effect on your systems

Page 69

THE BOTTOM LINE - jaco van graan

1. Take security seriously

2. Don't panic!

3. Value your information

4. Evaluate your risk

5. Be requirement driven, not technology driven

6. Enable your business