Combating the rising cybercrime trend with SIEM
by Fabian Libeau - ArcSight - Monday, 30 March 2009.
Judging from articles in the press, there appears to be a steady increase in the frequency of cybercrime. Whether it is one country attacking the infrastructure of another, or a payment processor losing credit card data, hardly a day passes without a new, scary story about cybercrime. To add some perspective to this issue, let’s examine the categories of cybercrime and how one might deal with each.

Let’s first set aside cross-country “cyberwarfare” – those attacks from one country against another's information infrastructure. These attacks are really a category of their own, and one that most private organizations rarely have to worry about. Instead, let’s focus on activities not designed to cripple an institution, but instead to seek financial gain through criminal activities, delivered via information technology. In this regard, cybercrime tends to fall into three categories.

The first is some form of identity theft, typically via account takeover. In this scenario, criminals gain access to a person’s financial accounts and use that access to withdraw funds directly, to transfer funds out of the account, or to make unauthorized purchases. By the time the account holder discovers what is happening, the funds are gone and it may not be possible to replace them. Even if the bank or merchant has liability for reimbursement, this may be limited and the consumer may simply have to bear the loss. Criminals may gain access via phishing, or via social engineering that tricks a consumer into providing account credentials.

The second category involves some type of malware planted on the corporate network. This may be a keylogger that captures account numbers and passwords, or it may be some other form, as in the Heartland Payment Systems data security breach, that captures payment card numbers as they reside on a server. The malware may in fact be in place for quite some time, operating quietly and regularly sending captured data to an external domain. These attacks can be very difficult to detect, as they do not generate enough traffic at any one time to be noticed.
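
The low-and-slow pattern described above is what a SIEM can surface by correlating events over time rather than judging each one on its own. The following added example is not from the article or from ArcSight's product; it runs such a check over a constructed proxy log, flagging a host that contacts the same external domain at near-constant intervals with a small payload. The log format, host names, domain names and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log: timestamp, source host, destination, bytes sent.
# ws-117 contacts one external domain every ~30 minutes with a small payload;
# ws-042 is ordinary, irregular browsing. No single line looks suspicious.
SAMPLE_LOGS = """\
2009-03-30T08:00:05 ws-117 update.example-cdn.net 1432
2009-03-30T08:00:09 ws-042 mail.example.org 20311
2009-03-30T08:30:07 ws-117 update.example-cdn.net 1398
2009-03-30T08:31:12 ws-042 news.example.org 84120
2009-03-30T09:00:04 ws-117 update.example-cdn.net 1450
2009-03-30T09:30:06 ws-117 update.example-cdn.net 1411
2009-03-30T10:00:05 ws-117 update.example-cdn.net 1427
2009-03-30T10:02:40 ws-042 mail.example.org 19876
"""


def parse_log(text):
    """Turn the constructed log format into (timestamp, src, dst, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return events


def find_beacons(events, min_events=4, max_jitter=0.1, max_bytes=4096):
    """Flag (src, dst) pairs that connect at near-constant intervals with small
    payloads. The signal is the regularity across the window, not any one event."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in sorted(events):
        by_pair[(src, dst)].append((ts, nbytes))
    flagged = {}
    for pair, hits in by_pair.items():
        if len(hits) < min_events:
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        avg_gap = mean(gaps)
        jitter = pstdev(gaps) / avg_gap if avg_gap else 1.0  # relative spread
        avg_bytes = mean(n for _, n in hits)
        if jitter <= max_jitter and avg_bytes <= max_bytes:
            flagged[pair] = {"events": len(hits), "mean_interval_s": avg_gap,
                             "jitter": jitter, "mean_bytes": avg_bytes}
    return flagged
```

Run against the sample, only the ws-117 to update.example-cdn.net pair is reported (five events, a 1800 s mean interval, about 1.4 KB per connection); the threshold values are starting points that would be tuned against a real environment's baseline.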

The third category of cybercrime is due to the malicious insider, the trusted user who has rights to access confidential data, and then uses that access to steal and sell that data. Privileged users can be trusted employees such as database administrators, finance administrators, etc. They can also be trusted outsiders such as IT contractors, outsourcing partners, or distribution or supply chain partners. These activities can also be difficult to detect, because the user does in fact have access to the data or applications in question. The key is to distinguish normal, authorized use from irregular or unauthorized use. Gaining the necessary context can be difficult, though new solutions make this much easier.

Unfortunately, in tough economic conditions all three categories will become more frequent. Banks and merchants will push customers to the web as a means of cutting costs, which increases the number of users who can fall prey to phishing attacks. Firms will move operations to outsourcers to cut costs, and that opens up more possibilities for someone to quietly plant a keylogger to capture confidential information. And of course, as firms look to lay off employees to save money during difficult times, some of those employees may see an opportunity for gain, via data theft, on the way out the door. Moreover, reduced headcount also means fewer people to detect problems, leading to potentially greater risks.
