Criminal Threats to Business on the Internet

A White Paper

June 23, 1997
Revised: February 1, 1999


Prepared by:

Kent Anderson
Global Technology Research, Inc.
Portland, OR USA

[1] (503) 203-8295 (Voicemail & Fax)
kea@aracnet.com


Business in the Information Age


Information has been an essential criterion to business success in the global marketplace and most organizations understand the need to protect their information assets from damage and disclosure, whether accidental or malicious. However, a new business revolution is taking place: Electronic commerce. This new method of transacting business goes beyond simple information processing to re-define the relationship between a company and its customers, partners, suppliers, vendors, and competitors.

The foundation of this new environment is technology. Several attributes of this technology have profound implications on electronic commerce, driving the re-definition of business. These attributes include global connection and access, technological complexity and change, time to market, and legal and regulatory requirements. These same attributes play an important role as enablers of threats to the business’ information infrastructure.

Global Connection and Access

When businesses first automated their operations, information was stored and processed in large mainframe systems, physically isolated and controlled. Today, information may reside throughout a network of large servers and many smaller desktop clients. These local networks are increasingly connected to networks outside the individual business organization, primarily through the Internet. These connections are indiscriminate; they cross international borders and connect businesses, homes, schools, and government.

It is estimated that these connections are increasing 10 percent every month. With the implementation and modernization of telecommunication systems in developing countries, this trend will continue for the near future.

With this explosion in network connections comes access. Just as any telephone in the world can access another, any computer system can potentially connect and share information with other networked computer systems. It is important to note that there is no underlying access control within networks like the Internet. Each individual computer system must authenticate and authorize access.

Technological Complexity and Change

The old mainframe computers previously used for business operations were relatively simple. A system administrator could understand and control every aspect of the computer system. The administrator understood the operating system controlling the computer, the number of users was limited, and the applications were easy to manage. Any deviation or abnormal event was simple to detect and correct.

In today’s computer networks, the layers of system, network, and application software are often too complex for a single individual to understand completely. The distinction between individual computer systems is becoming fuzzy as more applications are distributed across multiple systems (leading to the phrase: The network is the system). The number of potential users and applications is no longer static and usually not centrally controlled.

In addition, technology is changing beyond the ability of most individual system administrators to keep up. Whole new technologies appear and become widespread within just a few years, such as the World Wide Web and network-transportable code like Java™ and ActiveX™.

Time to Market

The fast change and introduction of new technologies creates significant time to market pressures within the computer industry. With the increased release of new versions of software and hardware platforms, development cycles are now measured in months. This urgency requires developers to focus on essential functionality and limit testing. Unfortunately, security is too often an afterthought.

With the introduction of electronic commerce, these pressures affect the development of the applications businesses use to compete in global networks.

Legal and Regulatory Requirements

As stated earlier, today’s networks cross national and legal boundaries. In a global economy, businesses must be able to communicate and function on an international scale. However, most legal and regulatory institutions are nationally based. Even within individual countries, legislative, regulatory, and standards bodies are ill equipped to absorb the vast implications of technical changes. They deliberate in a thoughtful (and slow) manner before providing suitable guidance and direction. This can lead to confusion and potential hazards in transacting business on global networks.

For example, activity that is a disruptive threat to a business in one country may not be illegal in another. Conversely, the protections (such as encryption) implemented may be legal in one country and prohibited or strongly regulated in others.

Within this environment, businesses are venturing into global electronic commerce. The opportunities are limitless but threats are also increasing. It is imperative that organizations understand these threats, adapt prudent controls, and manage risks. Security should not be a limiting factor. When properly designed and implemented it acts as an enabler of new opportunities.

This paper will address information security in global networks and look at the current threats facing businesses connected to the Internet.


Components of Information Security


Information security has several components and attributes that must be considered when analyzing potential risk. Broadly, these fall into three categories: availability, confidentiality, and integrity. Threats in any of these categories can seriously disrupt business. The importance each plays in business operations (and therefore the level of potential disruption) varies from industry to industry and business to business. Most businesses can tolerate at least short disruptions in availability. Likewise, many businesses have large quantities of information that, if released to the public or competitors, would have little or no business impact. Because of these variations, it is important for each business to evaluate their particular requirements and plan accordingly. This is the first step in identifying potential threats and what protections should be implemented to mitigate and control risk.

Availability

In electronic commerce, the availability of information, system resources, applications and network bandwidth will play a critical role. Whether a business is providing order fulfillment or electronic fund transfers over the network, customers expect to have quick access and response. This is potentially a major competitive advantage: A business can operate 24 hours a day, providing services and information to customers at their convenience. In fact, convenience becomes a commodity.

When considering criminal threats to today’s information systems, denial of service attacks are the simplest to carry out. By simply flooding a system with inquiries or e-mail, applications can be overloaded and become unresponsive to legitimate service requests. A recent example of this was the attack on the Web server of Microsoft Corporation, making the site unavailable for two days. Microsoft’s web site is an important part of its business. It serves 1 million individual visits to their home page alone and up to 80 million hits a day across the whole site.

Confidentiality

This is the most familiar aspect of information security and is well understood based on governmental requirements for safeguarding classified information. Unfortunately, most businesses do not have the need to manage information at the same level as government agencies. In fact, most of the information a business works with on a daily basis has little value and requires little protection. However, almost every business does have information that, if released or stolen, could have significant impact on stock price, revenues, or competitive advantage. In addition, a company may be liable for the inadvertent release of personal information.

It is critical that a business identify the types of information that are critical to its operation, understand the potential threats and implement appropriate safeguards.

While strong security solutions are available to protect the confidentiality of information, there are significant governmental and international barriers and confusion concerning their implementation. Even when these are not a significant factor, the implementation of cryptographically strong solutions can require a very high investment in resources and information management. Because of these issues, it is imperative that a business understands the threats to the confidentiality of valuable information and evaluates all methods of mitigating risk.

Integrity

The accuracy and reliability of information, systems, and networks are critical to many business applications. Current models of commerce are based on trust between a business, its customers, vendors, and suppliers using established business codes and practices.

In an electronic, networked environment, both the business and customer must trust the infrastructure supporting the electronic interchange of information and services. Unfortunately, today’s networks were not designed with this level of trust in mind. Again, businesses must understand the threats to the integrity of information and resources in order to develop methods of minimizing risk.


The Nature of Threats to Information Systems


There are many types of threats facing information systems. Accidents, software errors, hardware failures, or environmental influences such as fire may affect a business’ operation. Each of these threats requires proper planning and control. Malicious threats also cover a wide range of activity, from robbery and physical theft to destruction of property. This paper will focus on malicious and deliberate electronic threats and in particular, criminal threats motivated by fraud.

The perpetrator of criminal threats may be an insider or external to the organization. The activity may be from an individual, a loosely knit group, organized criminal elements, corporations, or governments. While the motive behind criminal threats is important in evaluating risk, any attack against the information infrastructure of a business can cause severe disruption and may result in loss of funds, productivity, market share, or reputation.

A fundamental question for security experts and law enforcement: What is the current level of criminal threat to information systems and what are the likely trends in the near future? The answers are not simple for several reasons:

Criminal activity against information systems is growing. This increase is due in part to:

Almost every type of crime in the physical world has or probably soon will have an online, computer-based counterpart. In fact, networks become another tool to further criminal goals.

With this said, there are several fundamental criteria for most profit motivated criminals to use information systems:

Is the expense of using information systems lower than traditional, physical means?

Most profit based criminal activity involves some measure of a cost-benefit analysis: Criminals tend to use the easiest, fastest, and cheapest means to their end to maximize their potential return.

Does using information systems reduce the risk of being identified?

Information systems provide a low level of authentication and therefore a higher degree of anonymity. This lessens the chance of arrest or, in some cases, even detecting that a crime has occurred.

Today, criminal activity against information systems can be categorized as follows:

Low-Level Intruders

This group makes up a subset of the stereotypical "hacker". These individuals may evolve from online trespass and vandalism to more criminal activity such as theft of information, extortion, and credit card fraud. In addition, this group is a pool of potential resources for more traditional criminal elements to exploit either directly or indirectly. For example:

In 1995, a loosely knit group of low-level "hackers" was arrested for using computer systems to steal credit card numbers. These numbers were sold to European-based organized crime groups for telecommunication fraud.

In 1996, low-level intruders accessed $1.9 million in the Czech Republic. The funds were recovered.

The potential impact on business of this amateur group should not be underestimated. A recent survey of 136 "operational hackers" revealed "half [of the intruders] did commit some form of sabotage once they were in. More than a third accessed confidential information and passed it on".

For-Profit Fraud

The online activity of this group is highly variable and may include scams, extortion, deceptive advertising, theft, securities fraud or illegal fund transfers. Many of these cases are classified as computer assisted crimes. In other words, information systems are used as a tool, not a target. For example:

Document fraud was involved in a multimillion dollar case last year in which desktop publishing software and equipment were used to create false payroll checks and steal from a pair of California banks.

Incidents of extortion by individuals who attacked computer systems occurred as early as 1987 (a U.S. computer vendor) and 1990 (London financial institutions). In these and other cases, intruders requested payments to reveal the weaknesses they discovered in the victim’s network.

Organized Crime

Many elements of organized crime are recognizing that they need to understand and use information systems to maintain their traditional level of influence and revenue. The motivation for organized crime to become involved in high technology information systems goes beyond simple fraud and extortion to include surveillance of law enforcement, money laundering, and secure and anonymous communication.

A new aspect of this activity is the emergence of eastern European and Russian organized crime groups. The economic situation of many high tech labs in these regions has provided a rich pool of resources that are being exploited for many different types of criminal activity. Specific areas of concern are the reverse engineering of hardware, software, and access control devices and high-tech methods of disrupting information systems. The Moscow Times reported:

"Many specialists became jobless over the last few years, and criminal groupings took advantage of this. A criminal group, which specialized in hacking bank networks, was arrested last year. Its ringleaders were ordinary criminals with several convictions, but computer specialists were on their payroll. The gang had worked out a special program for each electronic theft. In this way, they misappropriated several billion rubles. The gang had planned to steal another 40 Billion Rubles in Moscow and St. Petersburg, but was prevented."

This trend should not be underestimated. During testimony before the U.S. House of Representatives’ Committee on International Relations hearings on Global Organized Crime, Jim Moody, the Deputy Assistant Director of the FBI, stated:

"Organized crime groups have moved into the banking industry at an unprecedented rate."

"With Russian organized crime’s infiltration of Russian banking systems comes their easy access to the international banking community."

"According to the Russian Ministry of the Interior, some 700 banking institutions and 2000 companies have been implicated in organized criminal activity."

Yuri Skuratov, the Prosecutor General in Moscow stated in a speech before the 1996 Collegium on Corruption Issues:

"Law enforcement bodies are finding more and more perpetrators of corruption-related crimes among employees of Russia’s Central Bank and its territorial management."

Moreover, Russian hackers made almost 500 attempts to access computer networks of the Central Bank of Russia from 1994 through 1996 and stole 250 billion rubles ($4.7M) in 1995.

Another area of concern is the increased use of information systems by organized drug cartels. In a recent speech, the Deputy Director of Intelligence for the CIA, John Gannon, noted this trend:

"…traffickers are also using more sophisticated computer and encryption technology to protect and enhance their operations."

Fringe Groups: Political, Religious, and Anarchists

Although this group rarely has fraudulent motives, there has been an increased use of information systems by some groups to further their agendas. Most of the attacks in this arena have involved either the theft of information or denial of service attacks. A recent example was the attempt by the German Chaos Computer Club to disrupt the French telecommunications and Internet infrastructures to protest French Nuclear Testing. To quote the CCC:

"Make their ears ring, their fax machines burn out, their telephone systems collapse and their Internet lines glow."

Industrial Espionage and Sabotage

Because few companies report cases of industrial espionage, accurate statistics are difficult to produce. However, several reputable surveys have produced some insight into the potential size of the problem:

The Computer Security Institute in conjunction with the FBI produces "Computer Crime and Security Survey". The 1996 results stated:

"Over 50% of respondents said that the information sought in probes would be of use to U.S.-owned corporate competitors."

The 1997 report went on to conclude:

"Over 50% also consider U.S.-owned corporate competitors a likely source [of industrial espionage]. Over 50% of respondents also cited that information sought in recent attacks would be of use to U.S.-owned corporate competitors. And reflecting the increased competition in the global marketplace, 26% cited foreign competitors as a likely source of attack and 22% also cited foreign governments as a likely source of attack."

"Trends in Intellectual Property Loss" a study from the American Society for Industrial Security (ASIS) stated:

"Potential losses from intellectual property theft for U.S.-based companies are estimated to be $24 billion annually. The ASIS study also ranked hacking second only to pre-text phone calls (i.e., social engineering) as a means of acquisition."

International Espionage & Information Warfare

Two aspects of international espionage may be of concern to businesses: First, several well documented cases have come to light of national intelligence agencies gathering economic information to assist their nation’s businesses in competitive situations. Some of the methods for gathering this information have extended into attempts to access information and communication systems. The U.S. National Counterintelligence Center, an interagency organization staffed from the FBI, CIA, NSA, DIA, and the Departments of Defense and State recently stated:

"Because they are so easily accessed and intercepted, corporate telecommunications - particularly international telecommunications - provide a highly vulnerable and lucrative source for anyone interested in obtaining trade secrets or competitive information. Because of the increased usage of these links for bulk computer data transmission and electronic mail, intelligence collectors find telecommunications intercepts cost-effective. For example, foreign intelligence collectors intercept facsimile transmissions through government-owned telephone companies, and the stakes are large - approximately half of all overseas telecommunications are facsimile transmissions. Innovative "hackers" connected to computers containing competitive information evade the controls and access companies' information. In addition, many American companies have begun using electronic data interchange, a system of transferring corporate bidding, invoice, and pricing data electronically overseas. Many foreign government and corporate intelligence collectors find this information invaluable."

Second, there are several indicators that governments and other entities are studying the potential use of information systems offensively to disrupt whole information infrastructures. While this problem is beyond the scope of any individual organization, solutions will require a cooperative effort by government and the private sector.

Terrorism

Several indicators have been discovered that traditional terrorist organizations are viewing information systems as both potential tools and targets. In particular, the ability to gather targeting information from credit records, financial institutions and healthcare providers appears to be an increasing threat recently demonstrated by the IRA.


Evolution of Criminal Activity Against Information Systems


The movement of traditional criminal activity into online networks is evolutionary in nature and follows a predictable pattern: general use of information systems, misuse, and offensive use. The table below summarizes the different categories of criminal elements and examples of the type of activities seen in each evolutionary stage.

Category                     | Use of IS                         | Misuse of IS                                        | Offensive Use
-----------------------------|-----------------------------------|-----------------------------------------------------|------------------------------------------
Low-level                    | communications                    | illegal entry, theft of telecommunication resources | revenge, vandalism
Fraudulent                   | communications and bookkeeping    | theft, monitor law enforcement                      | extortion
Organized Crime              | communications and bookkeeping    | theft, monitor law enforcement                      | extortion
Fringe Groups: Political,    | press, communications, propaganda | theft                                               | sabotage, disruption, information warfare
  Religious and Anarchists   |                                   |                                                     |
Industrial Espionage         | business                          | theft                                               | sabotage
International Espionage      | data collection & analysis        | espionage                                           | information warfare
Terrorism                    | communications                    | theft, targeting, intelligence gathering            | information warfare, sabotage

Analysis of current activity has shown an interesting trend: Almost every individual or group involved in online criminal activity appears to "re-invent the wheel" by repeating the same evolutionary steps. This is due in part to the economics of knowledge in the information underground. Information on methods can be considered a currency. Generally, the more effective a particular method or technique is, the greater its value. Sharing reduces this value by increasing the likelihood that the method or technique will be detected and counter-measures established. Because of this, sharing of effective methods is minimized and usually based on self-interest or profit.


Current State of Criminal Activity


In many aspects, criminal activity against information systems is in its infancy. Many of the intrusions seen today depend on the skills and methods developed by low-level intruders and lack technical and operational sophistication. Particularly in the arenas of organized crime, espionage and terrorism, many attempts seem to be "testing the waters" to evaluate the potential for exploitation.

A common factor in almost all activity detected and analyzed to date is the lack of technical sophistication. Even so, many incidents were detected by accident rather than by any warning from proper security procedures.

Although the learning curve is steep, it would be unwise to assume future attacks will remain at an amateur level.


Next Steps


Businesses today have a tremendous opportunity to use information technologies to their competitive advantage. Securing information and communication systems will be a necessary enabler to move forward into these new markets.

However, no security measure will guarantee a risk free environment in which to operate. In fact, many businesses will need to provide easier access by customers to portions of their information systems, thereby increasing potential exposure.

Proper controls require planning and careful implementation and are not simply the installation of a "security tool". Careful monitoring and management are required to forestall potential breaches.

It is critical that these controls deter real problems. Threats change as fast as both technology and business. Therefore, it is vital that threat assessments be used to analyze, understand and monitor these changes and to develop a clear understanding of risk.