Irish Cybercrime Conference Targets Top Threats
Cybersecurity Experts See Inaction, Urge Enterprise Security Education
Organizations in Ireland - as in the rest of the world - continue to get pummeled by online attacks. But despite near-constant warnings from law enforcement agencies and the information security community, too many organizations still aren't taking proper steps to respond, experts said at the Nov. 19 Irish Cyber Crime Conference in Dublin (see Cybercrime Experts Hit Dublin).
The view from Ireland is that online attacks are continuing to surge. The Irish Reporting and Information Security Service - Ireland's computer emergency response team - has recorded 26,137 incidents against Irish businesses since November 2014, said Brian Honan, who heads IRISS. That's a massive increase from the 6,534 incidents the CERT saw in the 12 months prior to November 2014. Part of the problem is that, despite repeated warnings, organizations are still failing to tackle basic security hygiene, such as improving passwords, installing patches, eliminating application vulnerabilities, updating their antivirus software and monitoring networks, said Honan, who's also a cybersecurity adviser to the association of European police agencies known as Europol. He adds that those are the exact same threats he's been warning about since at least 2012.
Part of the impetus for the conference, which is run by IRISS and drew 300 attendees, is to try to disseminate that security message to businesses across Ireland, Honan said. Throughout the day, 12 different speakers touched on a number of related issues, including how to craft effective security-awareness and risk-management programs, as well as the need for CEOs to do something about this problem. Meanwhile, a capture-the-flag exercise was designed not just to allow ethical hackers to display their skills, but also to show Irish businesses how easily their own networks could be compromised, Honan said.
The consequences for organizations that have poor information security practices in place are by now well-known (see FFIEC Issues Extortion Attack Alert). Of the incidents logged by IRISS, 45 percent involved criminals exploiting organizations' sites to host malware or redirect visitors to infected sites, 26 percent involved organizations' sites being used as launch pads for distributed denial-of-service attacks, 11 percent were incoming DDoS attacks, and another 11 percent were infections related to botnet command-and-control servers. Overall, IRISS believes that 74 percent of all incidents in the past year related to organized crime, while 26 percent were everything else - hacktivism, politically motivated attacks or espionage.
Top 4 Cybercrime Concerns
Speaking at the conference, Inspector Michael Gubbins from the Computer Crime Investigations Unit of An Garda Siochana - the Irish police - said they see four dominant types of cybercrime activity targeting businesses:
- CEO fraud: Also known as business email compromise scams or "man in the email" attacks, this type of fraud involves people trying to socially engineer firms out of their money, for example by pretending to be the CEO, and instructing an employee to immediately wire money to a specified bank account.
- DDoS attacks: Criminal groups such as DD4BC have been attempting to extort Irish businesses. "Be prepared," Gubbins said, noting that organizations should have DDoS mitigation services and a response plan ready in advance.
- PABX/IRSF fraud: By accessing an organization's PABX - private automatic branch exchange - a hacker can instruct it to dial expensive toll numbers that they control, thus earning them illicit revenue. When attackers partner with a local phone carrier to run these scams, it's known as International Revenue Share Fraud.
- Phishing: Fake email scams may be less prevalent than before, but they still remain a favorite of attackers because they're so easy to launch, Gubbins said.
Addressing the conference attendees, who included not just information security experts but also IT professionals and senior executives, Gubbins emphasized that CEO fraud in particular is just a digitized take on an age-old scam. "These are not new crimes - they've been going on for years," he said. "Previously [criminals] would have used phone or a fax."
Of course, criminals favor attacks that continue to work (see FBI Alert: Business Email Scam Losses Exceed $1.2 Billion). And to better block attacks that attempt to socially engineer firms out of their money, Honan said it's essential to add safety checks into all money-transfer processes. "Consider using alternative means of communication to confirm any requests received via email, and be suspicious of any email requesting payments urgently or requiring secrecy," he said. Other essentials, he added, include training, technical controls to detect and block spam email and spoofed emails as well as ensuring that computers are always kept up to date with the latest antivirus signatures and software updates.
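The checks Honan and Gubbins describe for CEO-fraud mail can be turned into a simple inbound-mail screen. The following Python is an added example, not code from the conference, IRISS or An Garda Siochana; the company domain, the executive name list, the keyword lists and both sample messages are constructed for illustration. It flags a message when an executive's display name arrives from an outside domain, when a Reply-To header diverts replies to a different domain, when the receiving mail server recorded an SPF or DKIM failure, and when the body pairs a payment request with urgency or secrecy wording.

```python
"""Inbound-mail screen for the CEO-fraud traits described above.
Added example; COMPANY_DOMAIN, EXECUTIVES, the keyword lists and the
sample messages are constructed for illustration."""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

COMPANY_DOMAIN = "example.ie"      # assumed: the organization's own mail domain
EXECUTIVES = {"aoife murphy"}      # assumed: display names attackers impersonate
URGENCY_TERMS = ("urgent", "immediately", "asap", "today")
SECRECY_TERMS = ("confidential", "do not discuss", "keep this between us")
PAYMENT_TERMS = ("wire", "transfer", "payment", "invoice")


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address ('' when absent)."""
    return addr.rpartition("@")[2].lower()


def screen_wire_request(raw: bytes) -> dict:
    """Return boolean findings for one raw RFC 5322 message plus a risk score."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    name, addr = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    auth = str(msg.get("Authentication-Results", "")).lower()
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""

    findings = {
        # executive's name shown, but the address is not on our domain
        "exec_name_external_domain": name.lower() in EXECUTIVES
        and _domain(addr) != COMPANY_DOMAIN,
        # replies silently routed to a mailbox on another domain
        "reply_to_mismatch": bool(reply_to) and _domain(reply_to) != _domain(addr),
        # our receiving MTA recorded failed sender authentication
        "spf_or_dkim_fail": "spf=fail" in auth or "dkim=fail" in auth,
        "urgency_language": any(t in text for t in URGENCY_TERMS),
        "secrecy_language": any(t in text for t in SECRECY_TERMS),
        "payment_request": any(t in text for t in PAYMENT_TERMS),
    }
    findings["risk_score"] = sum(findings.values())  # number of traits present
    return findings


# Constructed sample: the impersonation pattern described in the article.
FRAUD_SAMPLE = b"""\
From: Aoife Murphy <aoife.murphy@examp1e-mail.com>
To: accounts@example.ie
Reply-To: ceo.office@fastreply.example
Subject: Urgent payment
Authentication-Results: mx.example.ie; spf=fail smtp.mailfrom=examp1e-mail.com; dkim=none

Hi, I need you to process a wire transfer of EUR 48,000 today.
This is confidential, do not discuss it with anyone until I am back.
"""

# Constructed sample: routine internal mail from the same executive.
LEGIT_SAMPLE = b"""\
From: Aoife Murphy <aoife.murphy@example.ie>
To: accounts@example.ie
Subject: Board minutes
Authentication-Results: mx.example.ie; spf=pass smtp.mailfrom=example.ie; dkim=pass

Please find the minutes from Tuesday's board meeting attached.
"""

if __name__ == "__main__":
    for label, sample in (("fraud", FRAUD_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, screen_wire_request(sample))
```

A hit on this screen is a reason to apply the out-of-band confirmation step Honan recommends, not proof of fraud: a travelling executive writing from a personal account trips the first check too, which is why the payment process, not the filter, is the control.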
Ransom Demands Don't Pay
When it comes to DDoS extortion, Honan said European police primarily see two groups at work - DD4BC and the Armada Collective - and that a typical ransom note says that unless the group receives 100 bitcoins, currently worth about $35,000, within 24 hours, it will double the ransom demand and launch a DDoS attack. The ransom demand typically also promises that if the victim pays, they will avoid the DDoS attack. "We do bad things, but we keep our word," reads one ransom script often used by DD4BC, Honan said.
Regardless of those promises, Honan urged organizations to never pay such ransoms and to always report the incidents to police, not least so officials can better understand just how prevalent these types of extortion attempts might be.
Gubbins said all organizations that are online must be prepared to face a DDoS extortion attempt and then potentially an actual DDoS attack. And he appealed to the audience to work more closely with police to create stronger relationships, in advance of needing their help. "If you get one of these emails, relax," he said, and then ideally call the police for help and to report the fraud.
Working With Police
When businesses do suffer a data breach or fall for a CEO fraud attack, meanwhile, Gubbins said that any related emails - with all headers intact - as well as complete log files are must-have evidence, not least for facilitating related digital forensic investigations.
"I generally take two statements: one [from] who owns the company, and one who's more technical," meaning they have knowledge of the log files, he said. By doing so, he emphasized, police could better understand - and hopefully block and disrupt - the groups and individuals behind these attacks (see How Do We Catch Cybercrime Kingpins?).
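Gubbins' point about headers and logs is about preserving evidence before anyone forwards or edits the message. The Python below is an added example, not code from the conference or from An Garda Siochana; the message it parses is constructed. It fingerprints the untouched raw bytes (the same step applies to the log files), lists the Received hops in the order they were actually added, and extracts the relay IP from each so an investigator can see where the message entered the mail path.

```python
"""Preserve an email as forensic evidence: fingerprint the raw bytes,
keep the Received chain in transit order and pull out the relay IPs.
Added example; the sample message is constructed for illustration."""
import hashlib
import re
from email import policy
from email.parser import BytesParser

# IPv4 literal in square brackets, as MTAs write it in Received headers
BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def preserve_email_evidence(raw: bytes) -> dict:
    """Return an evidence record for one raw message without altering it."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    # Each relay prepends its own Received line, so the last one listed
    # was written first: reverse to get the hops in transit order.
    hops = [" ".join(str(h).split()) for h in reversed(msg.get_all("Received", []))]
    hop_ips = [m.group(1) for m in map(BRACKET_IP.search, hops) if m]
    return {
        "sha256": hashlib.sha256(raw).hexdigest(),  # fingerprint of the untouched bytes
        "message_id": str(msg.get("Message-ID", "")).strip(),
        "hops": hops,
        "hop_ips": hop_ips,
        "first_hop_ip": hop_ips[0] if hop_ips else None,
    }


# Constructed sample: two relays, the outer one being the organization's own MX.
SAMPLE = b"""\
Received: from mx.example.ie (mx.example.ie [192.0.2.10])
\tby mail.example.ie with ESMTP id 7f3a1c;
\tThu, 19 Nov 2015 10:02:11 +0000
Received: from sender-host.example (unknown [198.51.100.23])
\tby mx.example.ie with SMTP;
\tThu, 19 Nov 2015 10:02:09 +0000
Message-ID: <constructed-0001@sender-host.example>
From: Aoife Murphy <aoife.murphy@examp1e-mail.com>
To: accounts@example.ie
Subject: Urgent payment

Please process the attached wire request today.
"""

if __name__ == "__main__":
    record = preserve_email_evidence(SAMPLE)
    for key, value in record.items():
        print(f"{key}: {value}")
```

Forwarding a suspect message from a mail client rewrites or drops most of these headers, which is why investigators ask for the original saved as a file; the hash recorded at collection time lets them show later that the copy examined is the one that was received. Received lines are only as trustworthy as the relay that wrote them, since a sender can forge lines below its own, so the hops recorded by the organization's own mail servers are the ones to rely on.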