Cisco's Annual Security Report Spotlights Human Factor in Cybercrime



If any aspect of enterprise security seems immune to convergence, cybercrime is probably it. After all, isn't defending against cybercrime the exclusive job of information security professionals? What's physical security got to do with phishing, malware, viruses, Trojans, spam, worms and the like? 

From our view at Security Squared, the answer is: Quite a lot. Why? Because physical security professionals understand criminals and how they think in a way many IT security professionals are not trained to do. And judging from Cisco Systems' 2009 Annual Security Report, released this morning, dealing effectively with cybercrime requires enterprise management and employees to understand that there are adversaries out there who want to do bad things to them, for political and/or personal gain.


The report includes the "Cisco Cybercrime Showcase," which names the worm "Koobface" as the "Most Notable Criminal Innovation." Koobface has infestedcisco security report cover.jpg Facebook and Twitter, infecting nearly 3 million computers, according to the report. The infection essentially spreads by human contact. That is, to launch Koobface, human criminals use basic con artist techniques: They pretend to be someone they aren't.

Cisco itself was attacked this way, as detailed in the report announcement webcast today. Someone posted to Cisco's LinkedIn group, pretending to be a new employee, replete with work and personal history and photo, and requested connections from "fellow employees."

As real Cisco employees connected to their apparent colleague, they began to receive email from the faux employee recommending a YouTube video. Visiting the supposed video prompted users to upgrade their Flash software, but clicking to do so loaded the Koobface worm onto their computing devices.

Once loaded, Koobface generates more email from the user's legitimate social network accounts so that the user's circle of connections also is prompted to click on links that further propagate the worm. The user doesn't realize the email is being generated; the recipients trust it because it's from someone they know.

A similar scam involves Facebook users being tricked into handing over their social network login credentials. The criminals then use these to log in to the account and send legitimate-appearing messages that range from recommending infected or scam websites to asking recipients to wire money to their "friend in need."

The Money Trail

In the report's Cybercrime Return on Investment Matrix, Cisco suggests criminals will continue to follow the money by following the people to their most popular websites, which increasingly are the social networking sites like Facebook. Banking fraud, like the Zeus Trojan, which hijacks online banking sessions, is another "rising star," the company's term for attacks growing in popularity.

Then there are the "cash cows," the proven schemes that still net big profits, such as scareware ("Your machine is infected! Click here to clean it!"), spyware click frauds, "advanced fee" frauds ("I am the former president of K----. If you would but send me $$$, I can then forward you millions of dollars being held in my bank account"); and pharma spam, the selling of questionable weight loss and other health aids.

Cisco also expects "smishing" attacks to grow in 2010, where criminals "phish" via short messaging services (SMS). As smartphones and netbooks become ubiquitous, they too are likely targets. VoIP network hacking is on the rise, according to the report, leading to "vishing" (voice scam plus phishing). One example is a criminal calling a cell phone number and threatening harm to the owner's family unless the victim sends money.

Some criminal organizations are even making money by selling software kits for building malware and other exploits. Other criminals specialize and collaborate, each managing a different part of the scheme and making the whole difficult to trace. "The complexity of the end-to-end scam is really high," said Scott Olechowski, security researcher, Cisco Systems, in a pre-release briefing with Security Squared.

A New ARMS Race

How successful are these attacks? One measure is Cisco's new Global Adversary Resource Market Share (ARMS) Race Index, designed to give a snapshot of how much of the world's computing resources are controlled by cybercriminals. Cisco plans to track this metric over time: today, the Index is at 7.2, meaning "Enterprise networks are experiencing persistent infections. Consumer systems are infected at levels capable of producing consistent and alarming levels of service abuse."

At the highest ARMS level, 9.5 or above, no computer or network connection could be considered trustworthy, with more computing resources under "rogue control" than are held by legitimate users.

Another measure is financial. A single criminal individual has made as much as $5 million per year with a scareware scam, Cisco senior security researcher Henry Stern said in the pre-release briefing.

How does an enterprise combat these kinds of attacks? Cisco made it clear that simply forbidding access to social networking sites is not the answer: in fact, the company uses YouTube, Facebook and Twitter for business. Many CISOs we've spoken with say the same: People will use the technology that makes them productive, regardless of whether it's permitted.

Cisco also points out that today's security technology can't always recognize or thwart these cyberattacks because they trick legitimate users into questionable activities instead of directly assaulting network perimeter protection schemes. Further, the digital protection that does exist can't do its work if users don't stay current on the latest versions of software on all their devices--or if they engage in password sharing, use weak passwords, etc.

Championing technology that helps verify identities and their locations, such as two-factor authentication and physical identity management, could also address some cybercrime. Yet some exploits, like Zeus, even get around one-time-only passwords because they hijack a real, verified banking session in midstream with a "screen injection." 

Getting to Know the Bad Guys

Education and awareness, then, are critical defenses. Cybersecurity policies should help employees understand the variety of risks now current as well as the general nature of many of today's popular criminal cyberschemes. When possible, the policies should spell out employees' responsibilities for protecting their computing devices in the enterprise, at home and on the road. For instance, just because an airport or coffee shop offers a WiFi network does not mean that network is secure.

Part of the awareness also is understanding cybercriminals are not cute or clever: they are raking in millions of dollars by stealing from ordinary people and businesses. More and more, these criminals are successful because they convince a victim to part with personally identifiable information, from bank account data to social security numbers to credit card data--or even "just" social networking passwords.

In big cities, we know to keep our wallets out of sight, not to venture into lonely alleys and to be wary of any stranger asking for money. Users need those same survival skills to navigate cyberspace without harm to themselves or the enterprise. Who better to help educate enterprise management and users about cybercriminal risk than physical security professionals? Many of these experts have law enforcement backgrounds and understand how con artists work, regardless of whether they're on a street corner or lurking on LinkedIn.

Developing cybersecurity policies and explaining them to users offer a tremendous opportunity for physical and IT security specialists to partner, sharing information and knowledge with each other and users to create a barrier to cybercrime that technology can't match.
