Cyber-crime Prevention

Situational Prevention of Cyber-crime
Pieter Hartel
http://www.popcenter.org/25techniques/
Cyber-crime Science
Increase effort
1. Harden targets
» Firewalls; Steering column locks and immobilizers
2. Access control
» Two factor authentication; Electronic card access
3. Screen exits
» Audit logs; Ticket needed for exit
4. Deflect offenders
» Honey pots; Segregate offenders
5. Control tools & weapons
» Delete account of ex-employee; Smart guns
5. Smart gun
Increase risks
6. Extend guardianship
» RFID tags; Neighbourhood watch
7. Assist natural surveillance
» Show where laptops are; Improve street lighting
8. Reduce anonymity
» Caller ID for Internet; School uniforms
9. Utilise place managers
» IDS; CCTV on buses
10. Strengthen formal surveillance
» Lawful interception; Burglar alarms
9. IDS
Reduce rewards
11. Conceal targets
» Use pseudonyms; Gender-neutral phone directories
12. Remove targets
» Turn off when not in use; Removable car radio
13. Identify property
» Protective chip coatings; Property marking
14. Disrupt markets
» Mining for money mules; Monitor pawn shops
15. Deny benefits
» Blacklist stolen mobiles; Speed humps
13. Protective coatings
Reduce provocation
16. Reduce frustrations and stress
» Good helpdesk; Efficient queues and polite service
17. Avoid disputes
» Chat site moderation; Fixed taxi fares
18. Reduce emotional arousal
» Controls on gaming; Controls on violent pornography
19. Neutralise peer pressure
» Declare hacking illegal; “Idiots drink and drive”
20. Discourage imitation
» Instant clean-up; Censor details of modus operandi
20. Instant clean-up
Remove excuses
21. Set rules
» Ask users to sign security policy; Rental agreements
22. Post instructions
» Warn against unauthorized use; “No parking”
23. Alert conscience
» License expiry notice; Roadside speed display boards
24. Assist compliance
» Free games if license is valid; Public lavatories
25. Control disinhibitors (drugs, alcohol)
» User education; Alcohol-free events
22. Warn against misuse
http://www.homeoffice.gov.uk/
Phishing Case study
Examples of the 25 techniques
• Increase effort
» 1. Target Hardening: Train users to be vigilant
» 2. Control access to facilities: Control inbox & account
• Reduce rewards
» 11. Conceal targets: Conceal the email address
» 14. Disrupt markets: Control mule recruitment
• Remove excuses
» 22. Post Instructions: “No phishing”
1. Target Hardening
• Training: Anti-phishing Phil
• http://cups.cs.cmu.edu/antiphishing_phil/new/
How well does training work?
• 515 volunteers out of 21,351 CMU staff and students
» 172 in the control group, no training
» 172 single training, day 0 training
» 171 double training, day 0 and day 14 training
• 3 legitimate + 7 spearphish emails in 28 days
• No real harvest of ID
[Kum09] P. Kumaraguru, J. Cranshaw, A. Acquisti, L. Cranor, J. Hong, M. Blair, and T. Pham. School of phish: a real-world evaluation of anti-phishing training. In 5th Symp. on Usable Privacy and Security (SOUPS), Article 3, Mountain View, California, Jul 2009. ACM. http://dx.doi.org/10.1145/1572532.1572536
Good but could be better
• On day 0 about 50% of participants fell
» Constant across demographic
» Control group remains constant
» Single training reduces clicks
» Multiple training reduces clicks more
• People click within 8 hours of receiving email
• Room for improvement:
» Participants were self-selected...
» No indication that this reduces crime...
2. Control access to facilities
• The target’s online banking site
» Two factor authentication (TAN via SMS, gadget)
[Wei08] T. Weigold, T. Kramp, R. Hermann, F. Höring, P. Buhler, and M. Baentsch. The Zürich trusted information channel - an efficient defence against man-in-the-middle and malicious software attacks. In P. Lipp, A.-R. Sadeghi, and K.-M. Koch, editors, 1st Int. Conf. on Trusted Computing and Trust in Information Technologies (TRUST), volume 4968 of LNCS, pages 75-91, Villach, Austria, Mar 2008. Springer. http://dx.doi.org/10.1007/978-3-540-68979-9_6
11. Conceal targets
• The victim’s email address
» Use disposable email address – clumsy
• The victim’s credentials
» Fill the database of the phishers with traceable data
[Gaj08] S. Gajek and A.-R. Sadeghi. A forensic framework for tracing phishers. In 3rd IFIP WG 9.2, 9.6/ 11.6, 11.7/FIDIS Int. Summer School on The Future of Identity in the Information Society, volume IFIP Int. Federation for Information Processing 262, pages 23-35, Karlstad, Sweden, Aug 2007. Springer, Boston. http://dx.doi.org/10.1007/978-0387-79026-8_2
22. Post Instructions
• The bank’s website
» Post notice that active anti-phishing measures are being taken... – Do banks do this? Would this work?
Phishers will be prosecuted
Anti-phishing research is risky
• Crawling social network site violates terms of service – use API properly
• Copyright prohibits cloning web sites – work with the target, change the law
• Confusing trademarks damages good name of target – idem
• Phishing is illegal in California – avoid
• Make sure that your research is not in any way linked to commercial activities!
[Sog08] C. Soghoian. Legal risks for phishing researchers. In 3rd annual eCrime Researchers Summit (eCrime), Article 7, Atlanta, Georgia, Oct 2008. IEEE. http://dx.doi.org/10.1109/ECRIME.2008.4696971
Laptop theft Case study
Laptop theft
• 62 simulated offences of which 31 succeeded
Crime scripts
Steps              Succeeded              Failed
Enter building     61                     1 (locked door)
Enter office       47 (1×cleaner)         14
Unlock Kensington  31 (5×bolt cutter)     16
Leave building     62 (1×emergency exit)  0
Results
• Social engineering works
» 30 of 47 attempts with social engineering succeeded
» 1 of 15 attempts without social engineering succeeded
• Managers more likely to prevent attack than the target
• Offender masquerading as ICT staff twice as likely to be successful
Chapter 7 of [Dim12] T. Dimkov, Alignment of Organizational Security Policies -- Theory and Practice. PhD thesis, University of Twente, http://dx.doi.org/10.3990/1.9789036533317
Conclusions
• Crime Science approach:
» Might have avoided experimental flaws
» Might have come up with new ideas
» Would have looked at crime prevention
• How to bridge the gap between crime science and information security?
• An ounce of prevention is worth a pound of cure