EDPACS: The EDP Audit, Control, and Security Newsletter. ISSN 0736-6981 (Print), 1936-1009 (Online). Journal homepage: http://www.tandfonline.com/loi/uedp20. Vol. 52, No. 5.

MITIGATING CYBERCRIME THROUGH MEANINGFUL MEASUREMENT METHODOLOGIES

Davey Winder and Ian Trump

To cite this article: Davey Winder & Ian Trump (2015) Mitigating Cybercrime Through Meaningful Measurement Methodologies, EDPACS, 52:5, 1-8, DOI: 10.1080/07366981.2015.1113058. To link to this article: http://dx.doi.org/10.1080/07366981.2015.1113058. Published online: 21 Dec 2015.

Abstract. Fear, Uncertainty and Doubt (FUD) has become a staple in the cyber-attack measurement and reporting diet. Be it sensationalist and hyperbole-filled language, or the lack of any meaningful and consistent measurement methodology, the end result is the same: zero clarity concerning an already complex subject matter that serves to continue rather than counter the cyber-crime threat. The public discussion (via media reports) and business insight (through myriad methodologies of mis-measurement) need to be better framed if we are to truly confront the growing problem of cyber-crime. Who the criminals were is of less import than how they got in; compromise indicators are more valuable to other businesses than the financial cost to that particular victim. The measurement metric dial has moved too far towards attribution and needs to be reset to prevention and a business-based analysis of risk once more.
The data upon which threat intelligence and attack surface trend analysis resources are based must become more granular if it is to be more relevant across all business sectors. If we continue to go down the road of never disclosing or identifying the security components that failed or the components that were not in place when a breach happened, we will never make any progress against an elusive enemy. Frederick the Great of Prussia said it best when he declared, "he who defends everything, defends nothing". We need data on how to defend and this is only derived from an open sharing of relevant and accurate attack information without fear of punitive litigation.

In this issue: Mitigating Cybercrime Through Meaningful Measurement Methodologies; Reducing Identity Theft Using One-Time Passwords and SMS. Editor: Dan Swanson. Editor Emeritus: Belden Menkus, CISA.

Fear, Uncertainty, and Doubt, or FUD as it is better known, has sadly become something of a staple in the cyberattack measurement and reporting diet. Be it sensationalist and hyperbole-filled language or the lack of any meaningful and consistent measurement methodology, the end result is the same: a lack of clarity concerning an already complex subject that serves to continue rather than counter the cybercrime threat. Both the public discussion, via media reports, and the business insight through myriad methodologies of measurement, need to be better framed if we as an industry are to truly confront the growing and increasingly expensive problem of cybercrime.

Clearly defining cybercrime has to be a prerequisite to meaningful measurement; you cannot count something if you are not sure what it is you are counting to begin with.
This is the approach taken by both the United Kingdom's Home Office and the Office for National Statistics, which would appear to look for a separation of cyber-enabled crime and cyber-dependent crime in order to facilitate accurate reporting of cybercrime per se. While there are reasons for taking this approach in order to produce statistical reports, mainly to do with separating traditional crime from the "new" cybercrimes, ultimately it's neither accurate nor helpful when it comes to understanding the true scale of the problem or how to tackle it.

Why so? Well, cyber-dependent crimes are defined as those that exist because of the technology concerned, while cyber-enabled ones are existing offenses that can be assisted by it. Hacking, malware, and Distributed Denial of Service (DDoS) attacks would all fall into the cyber-dependent group under this definition, whereas sexual offenses and fraud would be seen as cyber-enabled because the offenses pre-date the technology being used to commit them. Yet these examples themselves throw up an obvious problem: what about those crimes that are neither clearly one nor the other, but rather both?

WHY THE "COST PER RECORD" METRIC IS DOOMED TO FAIL

"... the real eye-opening numbers are around data breach costs to an affected enterprise or SMB, the first time Verizon has ventured into putting a solid number on the cost of a breach. 'People have for years tried to get us to talk about the impact of breaches, but we just haven't had the data,' said Jay Jacobs, a Verizon data scientist and one of the report [Verizon Data Breach Investigations Report 2015] co-authors. Jacobs said one partner, Net Diligence, contributed cyberliability insurance claim data from its partner network of cyber insurance carriers. 'This is what people are claiming they lost; it's a very objective data set to work with.'

"The data set of 191 claims with loss of payment card information, customer personal information and medical records was the basis for a fresh look at data breach cost impact. The result was a string of new conclusions that cast doubt onto older models that derive a cost-per-record by dividing the sum of loss estimates by the total number of records lost.

"The annual Ponemon Institute Cost of a Data Breach study, for example, puts that number at $201 per lost record in 2014. Applying that same formula to Verizon's numbers of $400 million in estimated losses divided by 700 million compromised records puts the cost-per-record at 58 cents."[1]

EDPACS (Print ISSN 0736-6981/Online ISSN 1936-1009) is published monthly by Taylor & Francis Group, LLC. If you have information of interest to EDPACS, contact Dan Swanson (dswanson_2008@yahoo.ca). © 2015 LogicNow Ltd. All rights reserved.

DEFINING CYBERCRIME

Blackmail is an "old" offense, yet DDoS attacks (the majority of which clearly have blackmail at their core) are seen as new crimes? Similarly, when does fraudulent intent jump the boundary from old to new? Attempts to over-define cybercrime actually make matters worse, not better, by introducing confusion rather than producing clarity. If you think about it, cybercriminals are doing nothing more than emulating their crime forefathers who would threaten a "physical" business with extortion or theft, fraud, or vandalism. The evolutionary move has taken these criminal acts and digitized them, enabling the criminal to conduct an electronic attack across the Internet, often originating from countries with a questionable rule of law, shall we say, which serves to inflict the same levels of damage or monetary gain as the local organized crime gangs of old. The truth is that the Internet quite simply provides criminals with an almost unlimited reach when it comes to the victimization of target businesses and organizations.
Extortion has evolved to include the holding of data (as evidenced by attacks such as CryptoLocker malware) or an entire online operation (as evidenced by a DDoS attack) to ransom. Theft is no longer a physical smash and grab of physical goods, but extends to the intellectual property of a business, along with any kind of account information that can lead the criminal to further potential monetary gain. Fraud is fraud, however it is conducted, and in cyber terms that can mean man-in-the-middle attacks and social engineering to facilitate bank, point of sale, or ecommerce fraud. And finally, vandalism may be tied into politics through DDoS attacks against Internet connectivity or defacement of Web-based property itself.

COMPARING ORANGES WITH APPLES

Start compartmentalizing cybercrime from the measurement perspective, and very quickly the difficulties of comparing oranges with apples become apparent. Indeed, attempting such a comparative exercise is fraught with peril and serves to highlight where we, as an industry, are getting our metrics wrong. The accepted cost per record metric when dealing with a breach, for example, is far too broad a sweeping brush to be of any real-world use. Look at how this works in practice: a breach occurs and the number of records at risk of access from the compromised database is then multiplied by a "cost per record" factor taken from a source such as, for example, the Verizon Data Breach Report, which is used to produce the estimated overall loss to the business figure. Immediately it is clear that this measurement of cost to the business of the breach is dependent on which source was chosen to provide the multiplier. What is less immediately obvious is that the real cost to the business is also dependent on far too many external factors, which are often unknown until much further down the post-attack timeline.
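The dependence on the chosen multiplier, and the weakness of the ratio-of-sums model quoted in the box above, can be shown with a few lines of code. This is an added example, not part of the article: the six claims are constructed to give a heavy-tailed loss distribution and stand in for no published data set, while the two multipliers are the ones the article quotes ($201 per record from Ponemon, 58 cents from the Verizon DBIR).

```python
"""Why one 'cost per record' multiplier cannot describe breach losses.

Added example, not from the EDPACS article. SAMPLE_CLAIMS is CONSTRUCTED
to show a heavy-tailed loss distribution and stands in for no published
data set (not NetDiligence, Verizon or Ponemon figures). The two
multipliers are the ones the article quotes: $201 per record (Ponemon,
2014) and $0.58 per record (Verizon DBIR, 2015).
"""
from statistics import median

# (records_lost, loss_usd). Five ordinary breaches plus one mega-breach
# whose record count swamps everything else.
SAMPLE_CLAIMS = [
    (1_200, 180_000),
    (4_500, 310_000),
    (9_800, 520_000),
    (25_000, 900_000),
    (60_000, 1_400_000),
    (150_000_000, 60_000_000),
]

PUBLISHED_MULTIPLIERS = {"ponemon_2014": 201.0, "verizon_dbir_2015": 0.58}


def ratio_of_sums(claims):
    """The 'older model' quoted above: total losses / total records.

    Whichever claim has the most records decides the answer almost alone."""
    total_loss = sum(loss for _, loss in claims)
    total_records = sum(records for records, _ in claims)
    return total_loss / total_records


def per_claim_costs(claims):
    """Cost per record of each claim on its own."""
    return [loss / records for records, loss in claims]


def summarise(claims):
    """Three equally 'correct' cost-per-record figures for one data set."""
    costs = per_claim_costs(claims)
    return {
        "ratio_of_sums": ratio_of_sums(claims),
        "mean_of_ratios": sum(costs) / len(costs),
        "median_of_ratios": median(costs),
    }


def estimated_loss(records_at_risk, multiplier):
    """The breach-day headline estimate: records at risk x multiplier."""
    return records_at_risk * multiplier


def multiplier_spread(records_at_risk, multipliers=PUBLISHED_MULTIPLIERS):
    """Loss estimates for one breach under each published multiplier, and
    the factor between the largest and the smallest of them."""
    estimates = {name: estimated_loss(records_at_risk, m)
                 for name, m in multipliers.items()}
    return estimates, max(estimates.values()) / min(estimates.values())


if __name__ == "__main__":
    for name, value in summarise(SAMPLE_CLAIMS).items():
        print(f"{name:>17}: ${value:,.2f} per record")
    estimates, spread = multiplier_spread(50_000)
    for name, value in estimates.items():
        print(f"{name:>17}: ${value:,.0f} for a 50,000-record breach")
    print(f"spread between sources: {spread:.0f}x")
    # The article's own figures: $400M over 700M records is well under a dollar.
    print(f"DBIR 2015 ratio of sums: ${ratio_of_sums([(700_000_000, 400_000_000)]):.2f}")
```

Run it and three defensible "cost per record" figures come out of the same six claims: a ratio of sums under half a dollar, driven almost entirely by the one mega-breach; a mean of per-claim ratios around $55; and a median in the mid-forties. Choose a different source for the multiplier and the headline loss estimate for the same 50,000-record breach moves by a factor of roughly 350. None of the three numbers is wrong; the problem is that a single multiplier carries none of the information that actually determines the loss.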
Those factors include the cost of forensically investigating the breach, restoring business operations, repairing reputational damage, and paying the costs associated with potential subsequent lawsuits. By way of example, look at the case of the RSA attack,[2] where SecurID token seed data was most likely stolen by Chinese nation-state hackers; how can you possibly hope to accurately determine the per record cost? A single stolen record that leads to the looting of the Predator Drone Program, Reaper Drone Program, and F-35 Lightning Program, including the intellectual property (IP) design blueprints, and in turn sees a Chinese prototype rolled out 18 months later changes everything.

WHAT WAS THAT COST PER RECORD AGAIN?

At best, any cost per record estimate is going to be so broad as to be pointless; at worst it is going to be misleading and could impact on the business recovery operation. To put it mildly, deriving a meaningful generic cost per record is all but impossible as the type of record, data breach scenario, and litigation potential vary so considerably. Start trying to compare this to a DDoS attack, where the metric is most commonly that of the amount of traffic per second used to perpetrate the attack, and we enter an entirely new level of statistical obfuscation. How can you determine an economic baseline value from a DDoS attack? Connectivity costs may well be a constant, but the value and protection of the business Internet connection may vary substantially dependent on how much the connection under attack is relied on to provide core business services. In both these cases, where the metrics commonly used and commonly reported on are open to media-influenced fluctuation (headlines attract readers, sensational headlines attract sensational numbers of readers), the temptation to over-egg the impact measurement pudding can be all too great.
When you consider that the recipe for that pudding more often than not comes from the security industry itself, with vendors looking to provide enough sensationalism within their press releases covering a breaking story to hopefully win a mention in whatever coverage may be on offer, the role of clarity and consistency in the use of terminology comes to the fore.

UNDERSTANDING THE REAL IMPACT OF CYBERCRIME

Of organizations, 72% suffered some form of cyberattack in the past 12 months; 31% of organizations confirmed data was compromised; 11% of UK organizations do not prioritize cybersecurity; 61% of UK organizations do not rank cybersecurity in their top three priorities. (The State of Cybersecurity 2015 Report by Tenable Network Security, via smileonfridays.com press release.)

SENSATIONALIZED STORIES SELL SOLUTIONS

Even allowing for the fact that the media is, perhaps understandably, going to be drawn toward choosing the highest cost per record base it can find, or the biggest DDoS traffic rate, we still have to ask if these would be the correct metrics were restraint shown and acceptable averages agreed on. In other words, is there enough clarity and consistency in the use of terminology by both the security industry and the media when discussing cyberattacks? The answer is quite patently no; in fact, just the opposite. About the only consistency is the endless parade of security researchers proclaiming how the attack in question is the biggest, longest, most costly or most advanced. Let's look at some examples, starting with reports about the work of the Equation Group from earlier in the year.
Kaspersky Labs used language such as "the God of cyberespionage" and "an astonishing technical accomplishment", not to mention that "Death Star of the Malware Galaxy" line from the title itself.[3] While researchers have undoubtedly done good in uncovering the activity of this almost certainly state-sponsored (National Security Agency [NSA], it would appear) group, the report does itself and the security industry no favors by being vague with statements such as "busy infecting thousands, or perhaps even tens of thousands" that serve only to sensationalize the story. A story, and a sensationalist angle, that was quickly picked up within the specialist security news analysis sector and the wider online media alike. FierceGovernmentIT quoted a Kaspersky spokesperson calling the group "the most advanced threat actor we have ever seen,"[4] while The Observer talks about the "brilliant encryption techniques" used,[5] and the International Business Times focuses on "the sophisticated methods used throughout their operations."[6]

The hyperbolic language spreads throughout the media, courtesy of one headline-grabbing article from a respected security source. Yet this group was involved in a cyber-intelligence operation, not a cybercrime attack per se, and you would expect a degree of sophistication from state-sponsored actors targeting hostile nation states and terrorist organizations. The impact of such language, however, is to give the impression that cybercrime has evolved to the same level of sophistication and advanced methodology, and this is something that business needs to fear and, of course, budget more to defend against.

There was yet more sensationalist language used when reporting the Carbanak malware that was estimated to have cost banks (mostly located in Russia) anything up to a billion dollars in financial losses.
Kaspersky called this "The Great Bank Robbery" and talked of it as being "an unprecedented cyber robbery" marking "the beginning of a new stage in the evolution of cybercriminal activity",[7] while Computer Business Review spoke of it being "the greatest series of cybercrimes committed in history".[8]

LACK OF CLARITY IS HURTING THE INDUSTRY

Again, there is no real clarity here when you consider that the loss was actually between a quarter of a million and a billion dollars, a wide estimate courtesy of the unwillingness of the banks to reveal exactly how much they lost and a certain degree of actually not knowing how much, as the malware mimicked legitimate banking operations. To assume that this would once again up the stakes when it comes to necessary security defenses is a little premature. For a start, as with the Equation Group, the targets were very specific, and if your organization falls outside of these cross hairs then there's no point spending more to defend against an attack that is not going to happen. And, even if an attack did happen, the actual methodology to get the malware inside the organization was far from new and far from sophisticated. Look behind the headlines and you will find, where reporters bothered to cover the actual process of the attack, that the malware came in a targeted e-mail with an infected .cpl (Control Panel item) or Word document attachment, something that a combination of trained staff, patched machines, and a policy that enforced such attachments to be dropped would have mitigated without much effort or cost.

Reports such as that which appeared on the U.S. News site with the headline "U.S. Nukes Face Up to 10 Million Cyber Attacks Daily" are another prime example of how sensationalist reporting can skew the reality of the threat.[9] For a start, are those 10 million daily "attacks" actually attacks at all?
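Before following the U.S. News numbers further, the Carbanak delivery vector described above (a .cpl or Word attachment in a targeted e-mail) is worth pinning down, because it is exactly the kind of thing the attachment-dropping policy the authors mention can enforce mechanically. The following is an added example, not code from the article or from any vendor it cites: it parses a message with Python's standard email module, classifies each attachment by content first and extension second, and reports what a gateway would drop. The sample message, the extension lists and the example domains are constructed for the example.

```python
"""Refuse the attachment types the Carbanak phishing e-mails carried.

Added example, not code from the article or from any vendor it cites.
It parses an RFC 822 message with Python's standard library, walks the
MIME attachments and returns the ones a gateway policy of the kind the
article describes ("such attachments to be dropped") would reject. The
sample message, the extension lists and the example domains are
CONSTRUCTED for this example.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Extensions with no business arriving by e-mail (.cpl is a Control Panel
# item, which is simply a PE DLL that Windows runs on open).
BLOCKED_EXTENSIONS = {".cpl", ".exe", ".scr", ".pif", ".com", ".bat",
                      ".js", ".vbs", ".hta"}
OOXML_EXTENSIONS = {".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm"}
LEGACY_OFFICE_EXTENSIONS = {".doc", ".xls", ".ppt"}
PE_MAGIC = b"MZ"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2 compound file


def classify_attachment(filename, payload):
    """Return the reason to drop this attachment, or None if it may pass.

    Content is checked before the extension so that an executable renamed
    to 'invoice.pdf' is still caught."""
    ext = PurePosixPath(filename or "").suffix.lower()
    if payload[:2] == PE_MAGIC:
        return f"PE executable content (extension {ext or 'none'})"
    if ext in BLOCKED_EXTENSIONS:
        return f"blocked extension {ext}"
    if ext in OOXML_EXTENSIONS and _ooxml_has_vba(payload):
        return f"Office document with VBA project {ext}"
    if ext in LEGACY_OFFICE_EXTENSIONS and payload[:8] == OLE_MAGIC:
        # Macros in the binary formats need a full OLE parser to rule out.
        return f"legacy binary Office document {ext}"
    return None


def _ooxml_has_vba(payload):
    """OOXML is a zip; VBA lives in a part named vbaProject.bin."""
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def scan_message(raw):
    """Parse raw message bytes; return [(filename, reason)] for dropped parts."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    dropped = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reason = classify_attachment(name, part.get_payload(decode=True) or b"")
        if reason:
            dropped.append((name, reason))
    return dropped


def build_ooxml(with_macros):
    """CONSTRUCTED minimal OOXML-shaped zip (real files have many more parts)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()


def build_sample_message():
    """CONSTRUCTED lure: a fake .cpl, the same bytes renamed .pdf, a clean .txt.

    The 'executable' is a 64-byte DOS header stub, not a runnable file."""
    fake_pe = PE_MAGIC + b"\x00" * 62
    msg = EmailMessage()
    msg["From"] = "accounts@example.test"
    msg["To"] = "clerk@example.test"
    msg["Subject"] = "Updated payment instructions"
    msg.set_content("Please see the attached instructions.")
    msg.add_attachment(fake_pe, maintype="application", subtype="octet-stream",
                       filename="instructions.cpl")
    msg.add_attachment(fake_pe, maintype="application", subtype="pdf",
                       filename="invoice.pdf")
    msg.add_attachment("nothing to see here\n", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in scan_message(build_sample_message()):
        print(f"DROP {name}: {reason}")
```

The content check runs before the extension check so that a PE file renamed to .pdf is caught as well as the honestly named .cpl. Legacy binary Office files are dropped outright because macros in OLE2 documents cannot be ruled out without a full parser, while OOXML files are only dropped when they actually carry a vbaProject.bin part. The header-only fake PE and the two-part zip are there so the example runs offline without any real malware.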
The sub-head hints at the truth when it talks about "millions of hacking attempts daily", and within a few column inches we discover that "Of the (10 million) security significant events, less than one hundredth of a percent can be categorized as successful attacks against Nuclear Security Enterprise computing infrastructure," which drops it to about 1,000 a day, and we are still no closer to knowing how "successful" is defined in this example. It's highly unlikely that such a secure defense system would be successfully hacked 1,000 times a day.

And this is the point: when reporting and discussing the scale and impact of cybercrime it is imperative that we move away from sensationalizing one part of the story or consequence of the breach, that which will create the biggest search engine feeding frenzy. Who the criminals were is of less importance than how they got in; compromise indicators are more valuable to other businesses than the financial cost to that particular victim (especially when, as we have already said, financial loss varies so considerably from business to business and attack scenario to attack scenario).

Moving the Measurement Needle Back from Attribution to Prevention

The measurement metric dial has, ultimately, moved too far toward attribution and needs to be reset to prevention and a business-based analysis of risk once more. That business-based analysis itself needs to be more realistic, so there also has to be a move away from the kind of threat intelligence reporting that is almost exclusively dominated by data derived from the large enterprise sector and consequently of little relevance to the Small and Medium Business (SMB) market. The data on which threat intelligence and attack surface trend analysis resources are based must become more granular if it is to become more relevant across all business sectors.
That data granularity can be driven by disclosure is something that has always been a hot corporate potato. However, slowly but surely, both the security industry and business itself are coming around to the need for responsible disclosure as part of an informed and effective threat mitigation landscape. The days of companies keeping quiet for fear of reputational damage must come to an end, just as reckless whistle-blowing and sensational breach reporting has to stop. The keyword is responsible, and that responsibility has to come from all sides. One solution would be the introduction of a standards-based scorecard for responsible data breach disclosure, and the likes of the NIST Computer Security Resource Center (CSRC),[10] SANS Institute,[11] and Australian Signals Directorate (ASD)[12] would seem ideally placed to take the lead. Such a scorecard would be useful to identify those controls that have either mitigated, failed, or simply had no impact as far as breach prevention was concerned.

The Importance of Intelligence Sharing

Of malicious files, 99.3% used a Command & Control Uniform Resource Locator (URL) that had been previously used by one or more other malware samples (2014). Of malware authors, 98.2% used Command & Control URLs found in five other types of malware.[13] Of observed attacks, 75% spread from one victim to another within 24 hours. Of observed attacks, 40% hit a second organization within the hour.[14]

SCORECARD SYSTEMS WILL HELP DEFEND AGAINST ATTACK

As there is just too much variability in determining both "worth" and "impact" of a breach across industry verticals using a numerical estimate, the scorecard system would surely be a more constructive way forward.
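What such a scorecard might look like as data, and the benchmark it would enable once several organizations in one vertical had filed one, is sketched in the following added example. It is not part of the article and not an artefact of NIST, SANS or ASD; the control names, the four disclosures and the indicator values are constructed, and in practice the control identifiers would be the IDs of whichever published control framework the scorecard is templated on.

```python
"""A minimal disclosure scorecard and the benchmark it enables.

Added example, not part of the article and not a NIST, SANS or ASD
artefact. Each disclosure records, per control, whether that control
mitigated the attack, failed, was absent, or had no bearing, plus the
compromise indicators other defenders can act on. Control names and the
four sample disclosures are CONSTRUCTED; a real scorecard would use the
control IDs of a published framework.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from enum import Enum


class Outcome(Enum):
    MITIGATED = "mitigated"        # in place, stopped or limited the attack
    FAILED = "failed"              # in place, but bypassed
    ABSENT = "absent"              # not deployed
    NOT_RELEVANT = "not_relevant"  # no bearing on this attack path


@dataclass
class Scorecard:
    disclosure_id: str
    vertical: str
    entry_vector: str             # how they got in, not who they were
    controls: dict                # control_id -> Outcome
    indicators: set = field(default_factory=set)  # C2 hosts, sender domains, hashes


def validate(card):
    """Structural checks: say how they got in, and rate at least one control."""
    problems = []
    if not card.entry_vector.strip():
        problems.append("entry_vector is empty")
    if not card.controls:
        problems.append("no control outcomes")
    for cid, outcome in card.controls.items():
        if not isinstance(outcome, Outcome):
            problems.append(f"{cid}: outcome must be an Outcome, got {outcome!r}")
    return problems


def benchmark(cards, vertical=None):
    """Per control, how often it failed or was absent across disclosures.

    Returns [(control_id, failed_or_absent_rate, n)] with the controls most
    often missing or beaten first: the prioritised defence list for the
    next organisation in that vertical."""
    counts = defaultdict(Counter)
    for card in cards:
        if vertical and card.vertical != vertical:
            continue
        for cid, outcome in card.controls.items():
            counts[cid][outcome] += 1
    rows = []
    for cid, c in counts.items():
        n = sum(c.values())
        bad = c[Outcome.FAILED] + c[Outcome.ABSENT]
        rows.append((cid, bad / n, n))
    return sorted(rows, key=lambda r: (-r[1], -r[2], r[0]))


def shared_indicators(cards):
    """Indicators reported by more than one disclosure: block these first."""
    seen = Counter()
    for card in cards:
        seen.update(card.indicators)
    return {ioc for ioc, n in seen.items() if n > 1}


# CONSTRUCTED disclosures: two retailers and two banks.
SAMPLE_CARDS = [
    Scorecard("d-001", "retail", "phishing attachment",
              {"attachment_filtering": Outcome.ABSENT, "patching": Outcome.FAILED,
               "staff_training": Outcome.FAILED, "network_segmentation": Outcome.MITIGATED},
              {"c2.example.test/gate.php"}),
    Scorecard("d-002", "retail", "phishing attachment",
              {"attachment_filtering": Outcome.ABSENT, "patching": Outcome.MITIGATED,
               "staff_training": Outcome.FAILED, "network_segmentation": Outcome.ABSENT},
              {"c2.example.test/gate.php", "invoice-update.example.test"}),
    Scorecard("d-003", "banking", "credential reuse",
              {"mfa": Outcome.ABSENT, "patching": Outcome.NOT_RELEVANT,
               "network_segmentation": Outcome.MITIGATED},
              {"invoice-update.example.test"}),
    Scorecard("d-004", "banking", "phishing attachment",
              {"attachment_filtering": Outcome.FAILED, "mfa": Outcome.MITIGATED,
               "staff_training": Outcome.FAILED}),
]

if __name__ == "__main__":
    for card in SAMPLE_CARDS:
        assert not validate(card)
    for cid, rate, n in benchmark(SAMPLE_CARDS, vertical="retail"):
        print(f"retail  {cid:<22} failed or absent in {rate:.0%} of {n}")
    print("shared indicators:", sorted(shared_indicators(SAMPLE_CARDS)))
```

Note what the record deliberately omits: there is no attribution field and no loss figure. The benchmark ranks controls by how often they were absent or beaten in disclosures from the same vertical, which is the prioritised defence list the next organisation in that vertical needs, and the shared-indicator check surfaces the C2 hosts and sender domains seen in more than one incident, the reuse the Websense figures above describe.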
This standards templating in a disclosure scorecard format would show which security controls were taken advantage of during a breach, and other organizations in similar verticals could then make progress in defending against attack. Seen within a regulatory carrot approach, rather than the litigation stick option, this could come complete with a tradeoff of the threat intelligence made available to other businesses being balanced against a subsequent litigation cap upon the disclosed information. Benchmarking the adoption of specific controls identified in a framework would collectively help other organizations defend against similar attacks. Without resorting to accusations of negligence unless the breach was devastatingly egregious, sharing mitigation successes and failures is better for the collective good.

If we continue to go down the road of never disclosing or identifying the security components that failed or the components that were not in place when a breach happens, we will never make any progress against an elusive enemy. Frederick the Great of Prussia said it best when he declared "he who defends everything, defends nothing." We need data on how to defend and this is only derived from an open sharing of relevant and accurate attack information without fear of punitive litigation.

Notes

1. https://threatpost.com/verizon-dbir-challenges-data-breach-cost-estimates/112229
2. http://www.darkreading.com/attacks-breaches/china-hacked-rsa-us-official-says/d/d-id/1137409?
3. https://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/
4. http://www.fiercegovernmentit.com/story/kaspersky-uncovers-death-star-malware-galaxyexpertssuspect-nsa-link/2015-02-19
5. http://observer.com/2015/02/equation-group/
6. http://www.ibtimes.co.uk/equation-group-meetnsa-gods-cyber-espionage-1488327
7. http://www.kaspersky.com/about/news/virus/2015/Carbanak-cybergang-steals-1-bn-USD-from-100-financial-institutions-worldwide
8. http://www.cbronline.com/news/cybersecurity/data/carbanak-hackpoints-to-future-of-safe-computing-4512976
9. http://www.usnews.com/news/articles/2012/03/20/us-nukesface-up-to-10-million-cyber-attacks-daily
10. http://csrc.nist.gov/
11. https://www.sans.org/critical-security-controls/
12. http://www.asd.gov.au/infosec/
13. Websense Security Labs 2015 Threat Report, https://community.websense.com/blogs/websense-news-releases/archive/2015/04/08/websense-2015-threat-report-cybercrime-gets-easier-attribution-gets-harder-quality-over-quantity-and-old-becomes-the-new.aspx
14. Verizon 2015 Data Breach Investigations Report, http://www.verizonenterprise.com/DBIR/2015/

Davey Winder has been writing about IT security for more than two decades, and is a three-time winner of the BT Information Security Journalist of the Year title. An ex-hacker turned security consultant and journalist, Davey was given the prestigious "Enigma" award for his "lifetime contribution" to information security journalism in 2011. An Editorial Fellow at Dennis Publishing, Davey is Contributing Editor at PC Pro, IT Pro, and Cloud Pro.

Ian Trump, CD, CPM, BA, is an ITIL certified Information Technology (IT) consultant with 20 years' experience in IT security. From 1989 to 1992, Ian served with the Canadian Forces (CF), Military Intelligence Branch; in 2002, he joined the CF MP Reserves and retired as a Public Affairs Officer in 2013. His previous contract was managing IT projects for the Canadian Museum of Human Rights. Currently, Ian is the Security Lead at LogicNow working across all lines of business to define, create, and execute security solutions to promote a safe, secure Internet for businesses worldwide.