Cybercrime one of 5 top organized crime threats to Europe according to EUROPOL

Europol has recently released its 2017 report on organized (SOCTA) crime in the EU. In this report they identify 5 key threats to Europe from organized crime groups. In addition to cybercrime itself, the report pulls forward illicit drugs crimes, migrant smuggling, organized property crime and labor market crime. Cybercriminal activities are often integral to or supporting also the other key operations of organized crime groups.

090515_1236_Managinginf1.jpg
Organized crime groups are highly adaptable, and cybercrime is not an enabler of much of their more traditional criminal businesses. Threat intelligence becomes a key part of any defense strategy when the adversary is a powerful and diverse organization. 

Key tools of organized crime groups are

  • Corruption
  • Counterintelligence against law enforcement
  • Money laundering
  • Document fraud
  • Online trade
  • Technology
  • Violence and extortion

They carry out crimes through currency counterfeiting, various cybercrimes including child exploitation, payment fraud, data trade and malware campaigns. Also sports corruption is a major area for organized criminals, drawing profits from the gambling markets.

Document fraud is increasing and is a significant threat to Europe. It is an enabler of types of criminal activities, including terorrism. These documents are increasingly traded online.

Document fraud is one of the key drivers of identity theft. Document fraud can be necessary to facilitate other criminal activities, and cyberattacks may be used to steal credentials used to obtain documents.

Trade in illicit goods is increasing, and a lot of this trade is conducted on darknet sites. Key products are drugs, illegal firearms and malware. Other Crime-as-a-service segments are also of interest, like botnets for hire, ransomeware-as-a service, exploit coding. Europol sees Crime-as-a-Service as a growing threat to society, according to the SOCTA 2017 report. In particular the growth in ransomeware (#fiction #usecase) targeting not only individuals but also public and private organizations is worrying.

Geopolitical events are driving changes in organized crime in Europe. Conflicts close to European borders are influencing crime through migration, need for illicit goods, as well as European targets being picked by non-European fighters performing terrorist acts in Europe. Cybercrime is one source of funding for such terror groups, in addition to cybercrime being an enabler of the organized crime groups that support the needs of terrorism through illicit firearms trade, trade in drugs and narcotics and human trafficking.

Pulling EUROPOL’s intelligence into your cybersecurity threat context

What does this mean for European businesses? Depending on your exposure, technology base and value chain, this may affect the threat landscape for your organization.

  • Increasing the direct threat level, e.g. ransomeware and payment frauds
  • Supply chain effects, including money laundering schemes
  • Threats to your intellectual property
  • Corruption affecting your markets, including partners, owners, suppliers and customers
  • Potential investments from money laundering schemes into your infrastructure

If growth in the activities of organized crime groups affects your threat landscape, it may also mean that you need to rethink your cybersecurity defense priorities. Is availability still the main threat, or are confidentiality issues coming to the forefront?

 

Is complexity better than length when it comes to passwords?

Most organizations have password policies that require users to change their passwords every XX days, and that they use a minimum (or sometimes fixed!) length, and a combination of capital and small letters, numbers and special symbols. But what exactly makes a password “strong” or difficult to guess?

Entropy can be used to measure the complexity of an information string – or the number of possible combinations within the given “rule” for constructing a string if you want. To calculate the information entropy of your password, use this formule:

ENTROPY = LOG (Characters in set you make password from) / LOG (2) x (Length of password)

So, comparing a password using only lower case letters, and one with a combination of upper case and lower case, we get that the entropy in the first case is 37, and in the latter case it is 45. This means the latter case is harder to crack using brute-force attacks – but how much so? (Higher entropy is better). Open security research has made a calculator for brute force time that we can use to estimate that. The estimate is based on benchmarks for common cracking tools on a regular consumer grade PC. Assuming a SHA-encrypted salted password we get about 7 hours to crack the first but 2000 hours to crack the latter – entropy is obviously a big deal. As we see form the formula above, increasing the character set length is one way to increase entropy, the other one is increasing the length of the password itself. Note that in terms of cracking – using some symbols or characters not normally found in words is necessary to avoid dictionary based attacks – these brute force times are “worst-case times” seen from the attacker perspective – the time it takes to exhaust the entire character space.

What is better – more characters or longer passwords?

Turning to some basic maths, we can use the formula for entropy to look at the effects of increasing character set size versus password length. The entropy is proportional to the logarithm of the character set size – that means entropy growth rate with character set size c is 1/c. When c is large, the derivative approaches zero; increasing the set size is efficient for small set sizes but the value of doing so becomes smaller as the set size grows larger.

charset_entropy
The effect of increasing character set size on entropy is best when the charset is still small. 

The effect of increasing password length however, is linear, and remains the same for a given charset size for each length of the password. What does this mean in practice?

  • Add complextiy up to a certain level – that also takes away dictionary attacks as an efficient way to brute-force the password
  • Increase length after that instead of including more complexity

Using the brute force time calculator, we estimate the following exhaustion times:

  • Lower case letters, 8-character password: 7 hours to crack
  • Lower case and upper case letters, 8-character password: 2000 hours to crack
  • Lower case letters, 16-character password: 189 million years to crack
  • Lower and upper case letters, 16-character password: 12 trillion years to crack

Logical conclusion: use passphrases with some added complexity. This makes a brute-force attack on your password extremely difficult.

Top of the iceberg: politicians’ private email accounts and shadow IT

In CISO circles the term “shadow IT” is commonly used for when employees use private accounts, devices and networks to conduct work outside of the company’s IT policies. People often do this because they feel they don’t have the freedom to get the job done within the rules.

071615_1406_Treatyourpe1.jpg
If you deny your people a well-stacked toolbox, they will bring their own. That may not be the best solution for your security. 

This is not only for low-level clerks and helpdesk ninjas: top level managers are known to do this a lot, including politicians. Hillary Clinton probably lost the presidential election at least partially due to her poor security awareness. Now VP Mike Pence has also been outed as “private email wielding pubic servant” – and he was hacked too. Why do people do this?

Reasons why people do their business in the IT shadows

I’ll nominate 3 main reasons why people tend to use private and unauthorized tools and services in companies and public service. Then let’s look at what we can do about it, because this is a serious expansion of the organization’s attack surface! And we don’t want that, do we?

I believe (based on experience) the 3 main reasons are:

  1. The tools they are provided with are hard to use, impractical or not available
  2. They do not understand the security implications and have not internalized what secure behaviors really are
  3. The always-on culture is making the distinction between “work” and “personal” foggy; people don’t see that risks they are willing to take in their personal lives are also affecting their organizations that typically will have a completely different risk context

How to avoid the shadow IT rabbit hole of vulnerabilities

First of all, don’t treat your employees and co-workers are idiots. IT security is very often about locking everything down and hardening machines and services. If you go too far in this direction you make it very hard for people to do their jobs, and you can end of driving them into the far riskier practices of inventing their own workarounds using unauthorized solutions – like private email accounts. Make sure controls are balanced, and don’t forget that security is there to protect productivity – not as the key product of most organizations. Therefore, your risk governance must ensure:

  • Select risk-based controls – don’t lock everything down by default
  • Provide your employees with the solutions they need to do their jobs
  • Remember that no matter how much you harden your servers, the human factor still remains.

Second, make people your most important security assets. Build a security aware culture. This has to be done by training, by leadership and by grassroots engagement in your organization.

Third, and for now last, disconnect. Allow people to disconnect. Encourage it. Introduce separations between the private and what is work or for your organization. This is important because the threat contexts of the private sphere and the organizational sphere are in most cases very different. This is also the most difficult part of the management equation: allowing flexible work but ensuring there is a divide between “work” and “life”. This is what work-life balance means for security; it allows people to maintain different contexts for different parts of their lives.

 

Hijacking existing email threads: taking phishing to a new level

Phishing e-mails is the most common way for a hacker to breach the initial attack surface. Filters and blacklisting technologies have been less than effective in stopping such threats, and it is up to the cybersecurity training and awareness of the user to ensure safe choices are made. Now phishermen have new ideas about making their bait more trustworthy; hijacking existing mail threads, piggybacking on existing interpersonal trust. A received an e-mail sent me from a contact who told me he realized he’d fallen for a scam the second he submitted his username and password to the phoney login site he was led to. Here’s (a somewhat edited) excerpt of the e-mail thread leading him into the phisherman’s trap.

From: Jim Salesman
To: Danny Customer

Subject: Re: confirm order details

Dear Danny,

thank you for your purchase. Please download and check these documents.

clickphish

With best regards,
Jim


From: Danny Customer
To: Jim Salesman

Subject: Re: confirm order deetails

Dear Danny,

I agree to the conditions as you have suggested. Make sure the part serial numbers are indicated correctly on the labels.

With best regards,
Danny

——- (after multiple e-mails back and forth)

Where does the link lead to?

The link does not lead to a Google page, despite claiming to be a Google Docs file. Also the lack of Google branding in the download section could be an indicator. The URL is “ehbd-dot-ml/hbdesigns/gibberish/” and is rendered over http – no security. It displays a selection of “login credentials” to choose from.

phishinglogin

OK, so here are several well-known brand names.

So, who owns the domain ehbd-ml? A whois search shows the domain is registered to Mali Divi. B.V. in the Netherlands.This firm has been active since 2012 and owns a number of free domains. It has a VAT number and one employee, according to this site: https://www.opencompanies.nl/elektrotechniek-mali-dili-bv-amsterdam-56155794.

Why submitting your info is dangerous

My friend realized the mistake the moment he hit “submit”. He then called his company’s IT department, and was told to change his passwords and run a virus scan. That was the right thing to do. But why is this dangerous?

Giving hackers access to your e-mail makes it easy for them to:

  • your e-mails and attachments
  • they can impersonate you by sending e-mails as you
  • they can hijack other accounts where your email is used to reset your password

Lessons learned

Phishing scammers are skilled at exploiting established trust between you and your contacts. Always be suspicous about links in e-mails, even from people you know. Before clicking, always check:

  • Does the URL look reasonable?
  • Does the branding (logos etc.) look right for the contents?
  • Is the site it leads to secured when you would expect it to be? All major service providers will only serve https – not http
  • Is the domain name strange? The .ml top domain is the national domain for Mali in Africa. Google Docs does not use that as the default login site domain.

 

 

Cybersecurity for boards – the short story

A few days ago I wrote a post on the lack of cybersecurity skills in corporate boards, and how to fix that. This became one of the most popular posts on the blog. That’s why I created this short summary video – that you can easily share with your top management and board members.

The take-aways are:

  • Build an information security management system with the most important policies, guidelines, procedures, change mangement and monitoring processes in place
  • Select reporting metrics that make sense in terms of the company strategy. Relate impact to financial, customer, organnization and learning, and internal process perspectives.
  • Use compliance to drive board focus: regulatory compliance is already central in goverannce work.
  • Focus on people when communicating – build a positive security culture by combining bottom-up and top-down approaches.

Thanks to Kenneth Holley and eForensics Magazine for sharing the board post! Great accounts to follow on Twitter!

IEC 61511 Security – getting the right detail level

When performing the risk and vulnerability assessment required by the new IEC 61511 standard, make sure the level of detail is just right for your application. Normally the system integrator is operating at the architectural level, meaning signal validation in software components should probably already have been dealt with. On the other hand, upgrading and maintaining the system during the entire lifecycle has to be looked into. Just enough detail can be hard to aim for but digging too deep is costly, and being too shallow doesn’t help your decision making. Therefore, planning the security assessment depth level already from the beginning should be a priority!

Starting with the context – having the end in mind

The purpose of including cybersecurity requirements in a safety instrumented system design is to make sure the reliability of the system is not threatened by security incidents. That reliability requires each safety instrumented function (SIF) to perform its intended task at the right moment; we are concerned with the availability and the integrity of the system.

 

072115_1313_Uncertainty1.png
The probability of failure on demand for a safety critical function usually depends on random error distributions and testing regimes. How can hacker threats be included in the thinking around reliability engineering? The goal is to remain confident in the reliability calculations, so that quantitative risk calculations are still meaningful.

 

In order to understand the threats to your system you need to start with the company and its place in the world, and in the supply chain. What does the company do? Consider an oil producer active in a global upstream market – producing offshore, onshore, as well as from unconventional sources such as tar-sands, arctic fields and shale oil. The company is also investing heavily in Iraq, including areas recently captured from ISIS. Furthermore, on the owner side of this company you find a Russian oligarch, who is known to be close to the Kremlin, as a majority stock holder. The firm is listed on the Hong Kong stock Market. Its key suppliers are Chinese engineering firms and steel producers, and its top customers are also Chinese government-backed companies. How does all of this affect the threat landscape as it applies to this firm?

The firm is interfering with causes that may trigger the interest of hacktivists:

  • Unconventional oil production
  • Arctic oil production

It also operates in an area that can make them a target for terrorist groups, in one of the most politically unstable regions in the world, where the world’s largest military powers also have to some degree opposing interests. This could potentially draw the interest of both terrorist groups and of nation state hackers. It is also worth noting that the company is on good terms with both the Russian and Chinese governments, two countries often accused of using state sponsored hackers to target companies in the west. The largest nation state threat to this oil company may thus be from western countries, including the one headed by Donald Trump. He has been quite silent on cybersecurity after taking office but issued statements during his campaign in 2016 hinting at more aggressive build-ups of offensive capacities. So, the company itself should at least expect the interest of script kiddies, hacktivists, cybercriminals, terrorists, nation states and insiders. These groups have quite varying capacities and the SIS is typically hard to get at due to multiple firewalls and network segregations. Our main focus should thus be of hacktivists, terrorists and nation states – with cybercriminals and insiders acting as proxies (knowingly or not).

The end in mind: keeping safety-critical systems reliable also under attack, or at least make it an insignificant contribution to unreliability.

Granularity of security assessment

Our goal of this discussion was to find the right depth level for risk and vulnerability assessments under IEC 61511. If we start with the threat actors and their capabilities, we observe some interesting issues:

  • Nation states: capable of injecting unknown features into firmware and application software at the production stage, including human infiltration of engineering teams. This can also be “features” sanctioned by the producer in some countries. Actual operations can include cyberphysical incursions with real asset destruction.
  • Terrorists: infiltration of vendors less likely. Typical capabilities are ATP’s using phishing to break the attack surface, and availability attacks through DDoS provided the SIS can be reached. Physical attack is also highly likely.
  • Cybercriminals: similar to terrorists, but may also have more advanced capabilities. Can also act out of own interest, e.g. through extortion schemes.
  • Hacktivists: unlikely to threaten firmware and software integrity. Not likely to desire asset damage as that can easily lead to pollution, which is in conflict with their likely motivations. DDoS attacks can be expected, SIS usually not exposed.

Some of these actors have serious capabilities, and it is possible that they will be used if the political climate warrants this. As we are most likely relying on procured systems form established vendors, using limited variability languages for the SIS, we have little influence over the low-level software engineering. Configurations, choice of blocks and any inclusion of custom-designed software blocks is another story. Regarding our assessment we should thus, at least, include the following aspects:

  • Procurement – setting security requirements and general information security requirements, and managing the follow-up process and cross-organizational competence management.
  • Software components – criticality assessment. Extra testing requirements to vendors. Risk assessment including configuration items.
  • Architectural security – network segregation, attack surface exposure, monitoring, security technologies, responsible organizations and network operations
  • Hardware – tampering risk, exposure to physical attacks, ports and access points, network access points including wireless (VSAT, microwave, GSM, WiFi)
  • Organizational security risks: project organization, operations organization. Review of roles and responsibilities, criticality of key personnel, workload aspects, contractual interfaces, third-party personnel.

Summary

This post does not give a general procedure for depth of analysis decisions but it does outline important factors. Always start with the context to judge both impact and expected actions from threat actors. Use this to determine capabilities of the main threat actors. This will help you decide the granularity level of your assessment. The things that are outside of your control should also not be neglected by considered an uncertainty point that may influence the necessary security controls you need to put in place.

 

granularity
A sketch of key factors to include when deciding on the granularity for a cybersecurity risk assessment under IEC 61511

 

 

 

Free infosec crashcourse for insiders

Safecontrols is now giving away free stuff – like an 88-page slide deck covering the basics of cybersecurity from networking to attack surfaces, from risk assessments to incident response and secure development. All you have to do to get your hands on this resource is to sign up as a Safecontrols Insider.

summary_crash
Get a crash course slide deck that covers the basics of cybersecurity – you get 88 pages of best practice and background knowledge for free. 

More great stuff will be shared in the future, so don’t miss out!

Sign up now, and share this blog post with your friends and colleagues.