
BITS Malware Risk and Mitigation Report, June 2011
BITS, a division of The Financial Services Roundtable, 1001 Pennsylvania Avenue NW, Suite 500 South, Washington, DC 20004, 202-289-4322
© BITS/The Financial Services Roundtable 2011. All Rights Reserved.

In any dynamic marketplace, the prices commanded by a commodity fluctuate with supply and demand. In a technology marketplace, prices also fluctuate with the utility of the commodity as the technology landscape changes. The prices commanded by the stolen commodities listed in Table 2 motivated the creation of secondary malware markets that produce software tools making malware increasingly effective at enabling information theft. People generally use software to automate tasks that are both tedious and resource intensive, and malware perpetrators are no exception. Automating malware delivery and data harvesting reduces operating costs and allows perpetrators to obscure their activities. Malware delivery and operations systems have become increasingly modular, and these modules have themselves become commodities. Prices obtained for modular information theft enablers are listed in Table 3. They were observed in the same timeframe as the prices commanded for stolen information in Table 2. Information on financial accounts evidently sells for multiples of the cost of the tools that enable the theft.

[Table 3: prices for modular information theft enablers; table body not reproduced in this extraction]

When such malware support systems are discovered, the software is referred to as crimeware [12]. Continuing the Zeus example from Section 2, the Zeus toolkit is a good example of crimeware. Zeus malware was introduced in 2006, and its crimeware followed in 2007. The Zeus crimeware takes advantage of the malware's modular design, so attackers can configure and deploy new functionality very quickly. A graphical interface lets an attacker select the capabilities to be incorporated in a "release" and set a personal encryption key for harvested data. Over 5,000 releases of Zeus have been built using the crimeware [13]. Although several Zeus users have been identified and charged with cybercrimes, the Zeus crimeware authors remain at large.

3.1 The Malware Industry

Malware development and distribution is highly organized and controlled by criminal groups that have formalized and implemented business models to automate cybercrime. Just as the software industry has spawned a business model for reselling, installing, and maintaining legitimate code, the malware industry has spawned distribution and support networks that assist criminals in using malware successfully. Developers of crimeware profit from the sale or lease of the malware to third parties, who then use it to perpetrate identity theft and account fraud. Figure 4 illustrates the interaction between the components of a typical crimeware business model. Individual groups of criminals coordinate their efforts, and the product is Crimeware as a Service (CAAS).

Figure 4: Malware Industry Process

The process depicted in Figure 4 begins with criminals systematically seeking software vulnerabilities. It starts with "zero-day" vulnerabilities, which are the most valuable to malware creators because no patch exists and potential victims are unsuspecting. These vulnerabilities are sold to criminals who engineer malware to exploit them and aggregate multiple exploits into kits whose components can be installed systematically, as in the iFrame example in Section 2.3. Because many vulnerabilities persist in unpatched systems long after they have been announced, exploit kits may combine zero-day and older attacks. The kits are configured to send harvested data to private hosting services, and this configuration may be customized for a given buyer. Crimeware market makers contact potential customers via email and chat, agree on prices, and sell not just software but crimeware services. They engage malware delivery services to operate the malware on behalf of buyers, who pay the market makers through anonymous e-commerce payment systems.

Crimeware operation is blatantly illegal, yet the overall business model minimizes each participant's individual risk of criminal prosecution. Each malware profit center has a level of exposure corresponding only to its role in the overall marketplace. For example, the study of vulnerabilities is common in academic circles. Academics write papers on engineering and reverse engineering exploits, and this is not considered criminal activity. The relative prosecution risk to profit ratio for each activity in Figure 4 is estimated in Figure 5.

Figure 5: Relative Risk to Profit for Participation in Crimeware Activity

3.2 Malware Supply Chain

Malware development earns money only while the malware is new, but it carries very low risk. Over the lifecycle of a malware specimen, defenders develop protections that mitigate its risk, so to remain competitive and profitable new malware must be released frequently. Security analysts are seeing dramatic increases in the number of malware specimens created and distributed. One report claims that a full third of all viruses in existence were created in 2010 [14]. The profit incentive driving these activities creates a persistent risk for financial institutions.





The supply chain in the malware industry encompasses more than just software. It is an elaborate collection of organizations, people, technologies, processes, services, and products. Financial services such as money orders, virtual credit cards, and online money transfer services provide anonymity between buyers and sellers. However, not all of the players in this black market are criminals. The marketing of malware, crimeware, and associated services and products can be found on both black market forums and legitimate sales channels. Crimeware operators use legitimate online payment services to process purchases, and the payment details captured there are then used to facilitate fraudulent transactions. They also use legitimate Internet Service Providers (ISPs) to host databases of stolen data. Hence, another way to view the malware industry depicted in Figure 4 is to follow the money. Figure 6 demonstrates the interaction between legal and illegal transaction flows in the malware market.

[Figure 6: legal and illegal transaction flows in the malware market; figure not reproduced in this extraction]

In Figure 6, solid lines show legal financial flows and dotted lines show illegal financial flows. The lines are numbered by the types of transactions they include, which are described as follows [4]:

1: Extortion payments, click fraud, compensated costs of ID theft and phishing
2: Uncompensated costs of ID theft and phishing, click-through, stock price pump-and-dump schemes, email scams, and other forms of consumer fraud
3, 4, 5, 6: Hardware purchases by criminals, corporate and individual users
7, 8, 9, 10: Security service purchases by hardware manufacturers, corporate and individual users, ISPs
11, 12, 13: ISP services purchased by corporate and individual users, criminals
14: Payments to compensate consumers for damages from ID theft

The inclusion of legitimate business interests in the ecosystem of malware-enabled cybercrime sometimes makes crimeware and malware operators difficult to distinguish from Internet entrepreneurs.

3.3 Beyond Crime

In addition to its use for criminal purposes, malware also enables other malicious actors that pose risks to the financial services sector. The term Advanced Persistent Threat (APT) is now increasingly used to describe a category of malicious activity facing a growing number of government institutions and commercial organizations. As described in a recent Financial Services Information Sharing and Analysis Center (FS-ISAC) report, "APT refers to an advanced, clandestine means to gain continuous, persistent intelligence on an individual, company or foreign nation state government or military [15]." The report traces a history of APT attacks back to 1986.

Key risks posed by APT actors generally include efforts to access and exfiltrate sensitive and/or classified data. The information may relate to technology and operations, intellectual property, proprietary business processes, business strategy, and/or personal data pertaining to executives. APT activities include network mapping and software modification to gain and maintain remote access to a variety of systems within the target domain. Such sustained access, combined with knowledge of networks and business processes, allows perpetrators to lay the groundwork for future disruptive activities. Increasingly, APT discussions also include tools specifically designed to achieve disruptive effects, such as Stuxnet, malware designed to sabotage the industrial control systems used in Iran's nuclear program [16]. The possibility of future attacks focused on data corruption has also been identified. Key characteristics of APT activities include, but are not limited to:

- threat actors with clearly identified long-term objectives guiding their attacks
- structured, sustained intrusive activities to deploy, support and maintain exfiltration operations
- the ability to conduct intelligence on individuals, organizations and processes that will prove to be valuable targets
- use of sophisticated software tools and techniques to conduct activities
- flexible and adaptable operations to avoid detection.

Public recognition of these activities has risen dramatically. Numerous reports describe ongoing activities against governments and defense industries worldwide, specific activities focused on the US energy industry, and the highly publicized attacks against Google as part of Operation Aurora [17-19]. With regard to financial services, limited open source information exists about specific activities, but the financial services sector is often identified in discussions and doctrinal writings about cyber warfare between nations [20].

The conduct of APT activities relies fundamentally on malware to establish access, to maintain footholds within organizations, and to exfiltrate sensitive data and/or disrupt IT systems or networks. Directed spearphishing has been a principal approach in many of the operations against governments and the defense industry. The payloads of spearphishing attacks often include a range of malware targeted at the most common applications for enterprise users, particularly Microsoft Office and Adobe products. Often this malware uses well known code exploiting well known vulnerabilities, but APT activities also employ new and custom code that signature-based enterprise intrusion detection and anti-virus systems do not detect. APT actors are generally highly aware of the state of enterprise information security practice. They employ code and techniques not only to avoid detection but also, frequently, to disable anti-virus, intrusion detection systems, and other security software on exploited computers, and even across broader portions of the enterprise. More significantly, APT actors may hold a portfolio of capabilities that lets them continue operating even after they are discovered. Malware more specific to APT activity often includes redundant and diverse tools for exfiltrating user credentials and sensitive data.
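Two of the behaviours described above leave traces in endpoint process telemetry: a spearphishing document opened in Office or Adobe Reader that spawns a shell or script interpreter, and a follow-on command that stops or disables security software. The detection logic below is an example added to this page, not code from the BITS report or FS-ISAC. It runs over a handful of process-creation events constructed inline in a Sysmon Event ID 1 style; the field names, hostnames, paths and command lines are assumptions made for the example, and the service list is illustrative rather than exhaustive.

```python
"""Detection of (1) a document handler spawning an interpreter and (2) a
command tampering with security services, over constructed telemetry.
Example code added to this page; not from the BITS report."""
import re
from dataclasses import dataclass

# Applications that open spearphishing attachments. A shell or script
# interpreter started directly by one of these is a strong maldoc signal.
DOCUMENT_HANDLERS = {"winword.exe", "excel.exe", "powerpnt.exe",
                     "outlook.exe", "acrord32.exe", "acrobat.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "msiexec.exe"}

# Windows security services an intruder typically stops: Defender (WinDefend),
# Windows Firewall (MpsSvc), Security Center (wscsvc), Defender for Endpoint
# sensor (Sense). Illustrative list; third-party AV services would be added.
SECURITY_SERVICES = {"windefend", "mpssvc", "wscsvc", "sense"}

# "net stop X", "sc stop X", "sc delete X", "sc config X start= disabled"
_SERVICE_TAMPER = re.compile(
    r'\b(?:net1?\s+stop|sc(?:\.exe)?\s+(?:stop|delete|config))\s+"?([\w.-]+)', re.I)
# PowerShell switching off Defender features, e.g. -DisableRealtimeMonitoring
_DEFENDER_TAMPER = re.compile(r"Set-MpPreference\s+-Disable\w+", re.I)


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    pid: int
    detail: str


def _basename(path: str) -> str:
    """Lower-case file name of a Windows path, tolerating forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events) -> list:
    """Return one Alert per event that matches either rule, in event order."""
    alerts = []
    for ev in events:
        parent = _basename(ev["parent_image"])
        image = _basename(ev["image"])
        cmd = ev["cmdline"]
        if parent in DOCUMENT_HANDLERS and image in INTERPRETERS:
            alerts.append(Alert("document_spawns_interpreter", ev["host"],
                                ev["pid"], f"{parent} -> {image}: {cmd}"))
        m = _SERVICE_TAMPER.search(cmd)
        if (m and m.group(1).lower() in SECURITY_SERVICES) or _DEFENDER_TAMPER.search(cmd):
            alerts.append(Alert("security_service_tampered", ev["host"], ev["pid"], cmd))
    return alerts


def hosts_with_both(alerts) -> set:
    """Hosts where a document spawned an interpreter AND security software was
    tampered with: the sequence the report attributes to APT operators."""
    by_host = {}
    for a in alerts:
        by_host.setdefault(a.host, set()).add(a.rule)
    wanted = {"document_spawns_interpreter", "security_service_tampered"}
    return {h for h, rules in by_host.items() if wanted <= rules}


# Constructed sample telemetry (not real data); assumed Sysmon-like fields.
SAMPLE_EVENTS = [
    {"host": "ws-017", "pid": 4120, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\jdoe\Downloads\Q2_invoice.docx"'},
    {"host": "ws-017", "pid": 4188, "parent_image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c powershell -nop -w hidden -enc SQBFAFgAIAAuAC4A"},
    {"host": "ws-017", "pid": 4201, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\net.exe",
     "cmdline": r"net stop WinDefend"},
    {"host": "ws-022", "pid": 3310, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe Get-Process"},
    {"host": "ws-031", "pid": 5002, "parent_image": r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Public\update.dll,Start"},
    {"host": "ws-031", "pid": 5010, "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"{a.host} pid={a.pid} {a.rule}: {a.detail}")
    print("hosts with both behaviours:", sorted(hosts_with_both(found)))
```

On the constructed sample, the benign Word launch and the analyst's interactive PowerShell produce nothing, while the Word-to-cmd chain, the Reader-to-rundll32 chain and both service-tampering commands each raise an alert; the host-level correlation then flags ws-017 and ws-031 as showing the full sequence. The parent/child rule is deliberately simple and will need tuning for environments where Office legitimately launches helper scripts.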

FIs must be cognizant of the growing risk posed by malware specifically designed to disrupt operations, particularly the operation of industrial control systems (ICS). The emergence in 2010 of the Stuxnet worm, targeted at Siemens ICS, provides concrete evidence that attacks through cyberspace can have devastating effects on physical resources such as data center environmental and power systems, electric grids, gas pipelines, water delivery systems, and manufacturing equipment [16]. While the original purpose of this malware appears to have been the Siemens ICS used in Iran's nuclear program, key features of the worm pose much larger concerns that should inform the financial services sector. Another actor could well capture the code and repurpose it, for example to disrupt power grids. As a Department of Homeland Security official testified before a Senate committee, "What makes Stuxnet unique is that it uses a variety of previously seen individual cyber attack techniques, tactics, and procedures, automates them, and hides its presence so that the operator and the system have no reason to suspect that any malicious activity is occurring. The concern for the future of Stuxnet is that the underlying code could be adapted to target a broader range of control systems in any number of critical infrastructure sectors [21]." More generally, the financial services sector could be targeted by disruptive ICS malware designed to exploit vulnerabilities in the ICS applications used in this sector, specifically the heating, ventilating, air-conditioning (HVAC) and power supply equipment used to monitor and control data centers.

The FS-ISAC has conducted a more detailed analysis of APT threats, risks and mitigations available to FS-ISAC members.

4. Malware in Financial Services

Malware is used by malicious parties, both inside and external to the organization, with different motivations. Examples of such motivations include financial gain, competitive advantage or, potentially, revenge for some perceived slight or adverse event. For example, according to the United States Computer Emergency Readiness Team (US-CERT), malware in the form of logic bombs has been planted by disaffected insiders to delete massive amounts of data. In one such case, the malware "was designed to disrupt business operations [22]." In another case, a disgruntled systems administrator employed by a financial services firm caused more than $3 million in damage to the company's computer network and was convicted of securities fraud for his failed plan to drive down the company's stock price upon activation of the logic bomb [23]. Cyber espionage, the theft of information to gain a competitive advantage, could be aimed at stealing information about a new technology product, uncovering strategic plans about a potential acquisition, or obtaining confidential data regarding litigation. A House Conference Report accompanying the US Consolidated Appropriations Act of 2010 accurately observed that "Cyber-based attacks and intrusions upon U.S. computer networks... result in substantial loss of critical intelligence by U.S. government, academia, military, industry, financial and other domains [24]."

It is evident from past and ongoing cybercrime investigations that the financial industry hosts a good deal of malware. The US Secret Service (USSS), which has investigated financial crimes since its origin in the Department of the Treasury, has for the past two years shared its cybercrime case reports with Verizon's incident response team so they could be included in a collaborative effort to establish cybercrime metrics [25, 26]. The resulting report contains details of confirmed security breaches at firms that are either Verizon clients or within the investigative jurisdiction of the Secret Service (141 Verizon cases and 257 USSS cases in 2009; 94 Verizon cases and 661 USSS cases in 2010).

Financial services firms were the primary targets in 33% of 2009 cases and 22% of 2010 cases, making them the most targeted sector in 2009; in 2010 they were surpassed by hospitality and retail.
