The document discusses how the Cyber Self Defence Framework (CSDF) can help individuals prioritize cybersecurity efforts using Situational Crime Prevention (SCP) strategies. The CSDF identifies 101 unique safeguards across three priority levels to deter, deflect, and defend against cybercrime. It takes a holistic approach, focusing on practices like using unique passwords, antivirus software, firewalls, and backing up data. The CSDF aims to help overwhelmed users by stating clear actions and benefits. Future versions could tailor recommendations based on user profiles and provide time-bound or budget-bound "recipes" through distribution channels like the police or apps.
Save yourself with the CSDF - ISACA Auckland - 16 June 2021
1. Save Yourself!
How the Cyber Self Defence Framework can help you prioritise and apply
defence in depth efforts using traditional Situational Crime Prevention strategies
9. “cybercrime is safe and profitable, occurs in an environment that is constantly expanding and thrives in vulnerable systems”
• Cybercrime pays and can be easy to commit
• Policing is (mostly) constrained to a pre-internet model
• Risk of detection, arrest, prosecution and jail time is low
• Connectivity is ubiquitous and more time is spent online
10. Stir in ingredients…
• Low interest rates
• Pandemic anxiety
• Isolation and loneliness
• Widespread loss of income
• Digital transformation to WFA
12. Victorians had the highest reported losses - $49m, up 115% YoY
“likely attributable to the long lockdown periods the population experienced in 2020, which created opportunities for scammers as people were forced into unusual economic and social situations that had the potential to increase their susceptibility to scams”
13. The NZ cybercrime response landscape, plotted on two axes: Enforcement vs Education, and Wide focus vs Narrow focus
• NZ Police – Districts: NZ jurisdiction; offshore limitations
• NZ Police – NCCC: specialist cybercrime unit; supports nationwide ops
• NCSC: CNI threats; FVEY partnerships
• CERT NZ: cyber security focus; COVID scams
• Consumer Affairs: Scamwatch owner; protection education
• NetSafe: Scamwatch triage; HDCA education/response
• DIA EMCU: UEMA 2007 - Spam / 7726; txt, email, fax channels
• IDCARE: identity theft and fraud; victim support across A/NZ
• FMA: securities legislation; investment scams
• Commerce Commission: Fair Trading Act
• Citizens Advice: advice and education
• Domain Name Commission: .nz domainspace; registry compliance
• OPC: data breaches (2020 Act)
“the New Zealand landscape for cybercrime is cluttered and fragmented… unclear and overlapping roles… multiple, overlapping information sources and entry points for members of the public”
14. The same landscape as slide 13, annotated with two 2020 reporting totals:
2020: $16.9m, 4,740 reports
2020: $19.23m, 13,926 reports
17. NZ Police Stats (NZCVS, 2019)
• Only 10% of fraud or cybercrime incidents reported to the Police
• The most common type of offence, more common than burglary
• Most commonly recognised by the victim as a crime
• Rated most ‘high seriousness’ (42%) but least reported
• Why such under-reporting? 32% reported to other authorities, 22% because “Police couldn’t have done anything”
19. Bruce Schneier: “Why are we trying to fix the user instead of solving the underlying security problem?”
20. 4 models of crime prevention
Type | Intent | Effectiveness
Law enforcement | Criminal justice system deters and punishes offenders and delivers rehabilitation | Poor
Developmental | Early intervention addresses the causes of criminality in youth | Poor
Social | Strengthening neighbourhoods to build community relationships | Poor
Situational prevention | Reducing the opportunities for crime through 5 mechanisms | Good
26. Situational Crime Prevention is… “a package of measures that:
(1) are directed at highly specific forms of crime
(2) involve the management, design or manipulation of the immediate environment in as systematic and permanent a way as possible
(3) so as to reduce the opportunities for crime and increase the risks as perceived by a wide range of offenders”
36. Internet users:
• Have limited ‘compliance budgets’
• Make time/benefit tradeoffs
• Struggle to understand and apply advice
• Lack ability to judge effectiveness
The CSDF:
• Rates guidance based on cost, effort and effectiveness
• States the action and the benefits
• Helps you navigate a sea of poorly prioritised advice
38. Holistic techniques (security and privacy)
• Identify your digital crown jewels - data and devices
• Use unique complex passwords
• Use trusted anti-virus/anti-malware software
• Use a supported OS on all connected devices
• Use a firewall
• Use secure networks
• Use HTTPS everywhere
• Use secure DNS
• Back up critical data and devices and test restoration
• Do not pay ransoms
• Use privacy and security enhancing browser add-ons
• Review privacy and terms of service statements
• Use services with good privacy protecting defaults
• Use a webcam cover
• Protect personal and financial information
• Use privacy settings on all platforms to limit sharing
• Protect phone numbers
• Avoid oversharing online
• Avoid high risk online activities when impaired
• Keep your clothes on
39. Foundational practices to deter, deflect and defend against cybercrime:
• Set clear online boundaries
• Avoid oversharing online
• Undertake security awareness training
• Communicate how and when to report incidents
• Communicate online policies/rules
• Do not provoke trolls/doxers
• Do not respond to trolls/doxers
• Do not support bullying and doxing behaviours
• Report abuse to service providers
• Report to law enforcement
• Use services with good security practices
• Use services with good privacy protecting defaults
42. Distribution channels?
• Crime prevention guidance with NZ Police
• Neighbourhood Support groups
• Partnership with Personal Cyber cover providers
• SaaS / App-based subscription service:
  - Task based checklists
  - Set your own ‘nudge’ cadence (DuoLingo)
  - Maturity pathway - Gamification
  - Continuous monitoring and improvement
Presenting to ISACA Auckland – Wednesday 16th June 2021
At the end of 2020, The Center for Strategic and International Studies (CSIS) declared cybercrime to be a "$1 trillion dollar drag on the global economy" that can harm public safety, undermine national security, and damage economies.
Incidents of cybercrime have increased by anything from 40% to 400% in the fraught environment of a global pandemic and the true scale of the problem remains unknown in New Zealand with only 10% of fraud or cybercrime incidents reported to Police.
Digital safety and security advice can be confusing or packed full of jargon, leaving the average internet user unsure of how to protect themselves and where best to start.
The Cyber Self Defence Framework (CSDF) proposes a set of situational security measures – tailored to common cyber-enabled crimes including phishing, social engineering, malware and online scams and fraud – that can help you understand real-world threats to your identity, finances, data and devices and assist you in prioritising your security investments.
Attendees at this session can help refine the framework and break the causal chains to prevent cybercrime from occurring.
The CSIS's fourth biannual report estimates the monetary loss from cybercrime at approximately $945 billion, an increase of $345bn in just 2 years.
Jürgen Stock, INTERPOL Secretary General: cybercrime is one of the most prolific forms of international crime, with damages set to cost the global economy USD 10+ trillion annually by 2025.
Lindy Cameron, NCSC UK CEO spoke this week (whilst the G7 event was taking place in the UK) about the real threat to UK individuals, businesses and CNI operators in light of events at Colonial Pipeline and the Irish health system.
- Cybercrime pays and can be easy to commit
- Policing is (mostly) constrained to a pre-internet model of sovereign nation states with jurisdictional boundaries
- The risk of detection, arrest, prosecution and punishment is low
- Connectivity is ubiquitous and more time is spent online
Australians lost over $850 million to scams and made 444,164 scam reports in total to Scamwatch, ReportCyber, other government agencies, banks and payment platforms in 2020. Based on this combined data, the scams causing the most financial harm to Australians in 2020 were:
- $328 million lost to investment scams
- $131 million lost to romance scams
- $128 million lost to business email compromise (payment redirection scams)
“Australians lost over $851 million to scams in 2020, a record amount, as scammers took advantage of the pandemic to con unsuspecting people”- https://www.accc.gov.au/media-release/scammers-capitalise-on-pandemic-as-australians-lose-record-851-million-to-scams
Startling metrics coming out of Oz where 444,000 incident reports from Scamwatch, ReportCyber, other government agencies and 10 banks and financial intermediaries have been aggregated. Great to see this level of cooperation between private and public sector.
KEY FINDINGS:
- “As people spent more time online during the COVID-19 pandemic lockdown, reports and losses for some scams also increased”
- a 75% increase in phishing scams
- “Investment scams accounted for the biggest losses, with $328 million, and made up more than a third of total losses. Romance scams were the next biggest category, costing Australians $131 million, while payment redirection scams resulted in $128 million”
And despite the various reporting points pooling their data, it’s believed these numbers will still not reflect the true picture due to under-reporting.
Neil Hallett from IDCARE indicates that in NZ they have helped 1,000 Kiwis who lost around $10m in total ($10,000 each on average).
This illustration aptly demonstrates the complexity of reporting and responding to cybercrime
8% of Kiwis were victims of cybercrime in 2019, but only 10% of incidents were reported to NZ Police – what is the true picture?
New Zealand Crime and Victims Survey (NZCVS) – September 2019 - https://www.justice.govt.nz/assets/Documents/Publications/NZCVS-Y2-A5-KeyFindings-v2.0-.pdf
Over 320,000 adults (7.9%) experienced 420,000 fraud or cybercrime incidents over the last 12 months. (Fraud and cybercrime offences are grouped.)
The estimated number of fraud and cybercrime offences reported in the NZCVS over the last 12 months is 421,000, which equated to an incidence rate of 11 fraud and cybercrime offences per 100 adults. The estimated total number of adults who experienced one or more fraud and cybercrime offences over the last 12 months is 328,000, which equated to a prevalence rate of 8%.
The groups significantly more likely than the NZ average to experience fraud and cybercrime offences were:
• having low life satisfaction and a low feeling of safety
• experiencing a moderate or high level of psychological distress
• having high household income ($150,001 or more).
The groups significantly less likely to experience fraud and cybercrime offences were:
• older (aged 65 and over)
• Asian (especially Chinese)
• widowed
• retired
• having high life satisfaction and a high feeling of safety
• having household income between $30,001 and $40,000.
In the real world, crime prevention is a key part of tackling social harms
10+ years to stand up CERT, 10 years to sign up to the Budapest Convention, Ministers committing to publishing flow charts – Govt action is not going to save you…
SCP is designed to break the causal chains to prevent crime from occurring
SHIELD is the inspiration…
Deploy an Active Defense with MITRE Shield - https://medium.com/mitre-shield/three-simple-ways-to-deploy-an-active-defense-with-mitre-shield-95ae639a50b5
ADVERSARY ATTRITION - What adversaries do deplete though is time and the resources associated with it and their personnel. Depleting an adversary’s resources, including their time to plan and achieve their objectives, is of critical importance to a defender. Passive Defenses help achieve this.
The Sliding Scale of Cyber Security - Robert M. Lee
The U.S. military has unofficially and commonly used the actions of “deny, disrupt, deceive, degrade, and destroy” to describe a cyber attack.
Rational choice, routine activity and crime pattern theories emphasise that crimes occur in specific situations and result from a nexus of a motivated offender, a suitable target or victim, and the absence of a capable guardian (the focus is on the situation, not on criminals and their motivations).
Visual examples of SCP
In NZ
Links to CPTED and physical security controls
Most obvious example is prevention for burglary
SCP is a framework of 5 mechanisms, each with 5 techniques, designed to modify the environment and deter attackers (Ron Clarke).
My efforts to apply this to cybercrime have identified a control set for the average internet user, informed by best practice at CERT, CIS and others.
CSDF will be the security ‘meal kit’ for the masses
The masses who, post-pandemic, understand layers of protection and the Swiss cheese model.
Situational security measures tailored to common cyber-enabled crimes including phishing, social engineering, malware and online scams and fraud
Help you understand real-world threats to your identity, finances, data and devices and assist you in prioritising your security investments
Intent to address CRAVED items – in SCP world a hot product: Concealable, Removable, Available, Valuable, Enjoyable, and Disposable
For more information see https://www.ubisec.nz/csdf/ - we welcome feedback!