Businesses are struggling to stay healthy and operational under the shadow of financial pressures. Yet, whilst dealing with this, it would seem that at every opportunity, there may be someone, somewhere ready to take advantage of a vulnerability, poor system configuration, or a badly coded application to gain some position of leverage, or financial compensation for their criminal efforts. During this economic downturn, those involved in the imaginative world of cyber crime, hacktivism, cyber extortion, and those annoying drive‑by‑hackers are all, or would seem to be, doing very nicely.
There has been recent debate about the levels of cyber-risk faced by users, business, governments, and the Interconnected Global Village and a modicum of time invested in research will soon reveal the levels of real‑time risk faced by society today. The simple fact of the matter is, if you or your business uses the Internet you are potentially exposed to cyber exploitation. A small research project running under the academic banner of Nottingham Trent Computing and Informatics Department is measuring the scale of cyber attackers, and incidents on a day-by-day basis. To date there have been some interesting revelations for instance, whilst the US were suffering the after effects of Hurricane Sandy, it was noted that the levels of attack on the eastern seaboard dramatically increased over the same period. These attacks were possibly driven by those who have their own government, hacktivists, ideological, and politically motivated axe to grind, thus taking advantage of the weakened state of their victims.
Active attack groups
There are a number of active groups who may launch an attack, ranging from those focused on specific individuals; companies; or even governments. Individuals may be targeted by those with an interest in deviance and personal exploitation, seeking to locate targets for purpose of grooming, abuse, be that on, or off-line (e.g. Paedophiles). We must then consider persons, or groups who utilise cyber space to drive political, antisocial activities, who we may refer to as hacktivists, and the associated ideological factions. And then that brings us to the world of serious and organised cyber criminals, seeking to make a quick profit by exploitation of selected targets. And let us not overlook those cyber warfariens, acting as mercenaries, or state sponsored groups – all of which pose varying levels of risk, to all levels of society.
Consider the classifications of cyber threats, and what they have in common with their predecessors from the eons prior to our reliance on computers. It was just a matter of them morphing conventional crime to fit the logical landscape, representing increased opportunities to reach a wide target audience. For example, take the good old extortion rackets, leveraging some opportunity to target subjects for financial exploitation to pay up, or suffer a consequence. Well consider how this has changed from the blue collar hands-on approach, to that of the much more respectable cyber extortion. Say finding a supposed vulnerability, and demanding payment, or else! Or just threatening the target with a Denial of Service Attack, unless that is, they pay up!
This is a problem that is more common than realised – it is just that those within their various sectors, be that online gambling, or financial houses don’t report these events – in some cases, they simply blunder along under the watchful eye of their wanting, and at times, junior CISO.
An underpinning fact of the criminal groups is their increasing level of sophistication utilising crime ware, hacking tools, and logical opportunities (e.g. Advanced, Threats, and Advanced Evasion Techniques) which are available at a click of a mouse. Like any businesses, there is no doubt that having the right tools to do the job will increase the rate of success. To accomplish this, well‑engineered applications may be sourced such as CotS (Crimeware-off-the-Shelf), or CaaS (Crimeware-as-a-Service) ready-made, ready to go, or even bespoke metered applications.
Again, this is nothing new, as from way back in heyday of Computer Viruses, such utilities were then readily available in the form of virus creation kits, with which the average fledgling hacker could create his/her own vector of infection, to set loose on the unsuspecting public. However what has changed with the advance of time is that such malicious products are now more sophisticated, and commercially oriented in the criminal sense, and no longer seek to simply announce their logical presence, but are honed with covert operations as a clear objective.
And then we may look at Anonymous, a group motivated by political, or radical opinions, or what may be described as an anarchistic conscience, with the clear objective of expressing protest through electronic means, seeking to disrupt, embarrass, or to exemplify a target.
The concern here is what may spark the attention of an attack of hacktivism, focusing on any given individual, site, brand, or community. It is here of course where some may wish to challenge the ethics of any miscreant social conscience, on a collision course with a particular target be that international government, through to any commercials interest – all potentially sitting ducks. For instance, after the arrest of 6 prime LulzSec members, Anonymous declared that, by association, the security firm Imperva were on their hit list, and stated that, notwithstanding key members of LulzSec had been removed, “You haven’t stopped us. You have merely disrupted the active faction.” Here, in the case of Imperva, Anonymous also clarified that the firm were considered a nuisance to them, and had earned a place for future attention.
To balance an objective view of Anonymous, and other like-minded groups, one should also consider potentials anarchistic sentiment, driven within such adversarial communities, who feel they must redress the balance with cyber-protest, against what are considered wrongs to society. And, not wishing to raise any political debate, but one may appreciate that, out of the financial collapse, corrupt and fraudulent public servants, outrageous actions of media moguls, and modern day social impact across the entire global population, some individuals have been radicalised to protest in frustration. Thus one should recognise that ideological forms of protects can be very dangerous.
And when we look back to 2007, with the advent of Titan Rain, we may recall cyber attacks aimed at UK, US, and German Governments. There have also been a number of attacks against the 13 root servers, upon which the very backbone of the Internet relies, and in more recent times. On top of this logical adversity, if we are to believe reports, there are millions of compromised home, and business computers recruited into Botnets, with the personal financial impact of cyber crime resulting in a potential illicit revenue being generated from say, a compromised banking transaction, there is real cause for concern.
Other major contributors to the world of cyber insecurity is that of the Botnet manifesting in adverse impacts on a system near you, and probably right now – unaware users at both work, and at home may be infiltrated with malicious logic in the form of Phishing, or Scams, which could result in identity theft, or the exploitation of local system resources for whatever intended purpose manifesting from the attackers imagination. Imagine if such exploitation was to employ your personal or company Internet connection to download pirate, or bootleg software, films, or music – under some new Act’s, the individual, or company are potentially culpable of an offence.
For many years, Cyber War has also been discounted as a matter of fiction which would be better associated with the writings of HG Wells. However, as of 2012, this opinion is no longer valid, and it is recognised that the prospect of computers being used as a weapon is a reality. In fact, utilisation of computers in such an aggressive guise may only be limited by the imagination of the attacker. It could be that cyber attacks could be a selective strike to impact a particular target, infrastructure; or the attack may represent a precursor which would be launched alongside a Kinetic capability against targets like SCADA (Supervisory Control, and Data Acquisition). SCADA is used to control nearly every utility network from energy to transport. As an example of what an attack against a SCADA system could impose, just look up at the light in your office, or the computer on your desk, both of which are enjoying the life-blood of electrical current to keep them operating the delivery of such power could be stopped by interfering with a SCADA component.
But just how exposed and vulnerable are the systems we use each day to run our businesses? Given reported cyber attacks, and levels at which successful infiltrations occur, one could argue that exposure already exists which should not be considered acceptable. It may also be concluded with speculation, that it could be the case that criminal entities may just be waiting for the next opportunity to exploit, maybe using the platform of Virtualisation, Cloud, or BYOD – who can say?
Professor John Walker is chair, London chapter, of the ISACA Security Advisory Group. ISACA is an independent, not‑for‑profit association which engages in the development, adoption and use of globally accepted, industry‑leading knowledge and practices for information systems. Previously known as the Information Systems Audit and Control Association, ISACA now goes by its acronym only, to reflect the broad range of IT governance professionals it serves. Visit www.isaca.org for further information