Presentation is loading. Please wait.

Presentation is loading. Please wait.

Situational Prevention of Cyber-crime

Similar presentations

Presentation on theme: "Situational Prevention of Cyber-crime"— Presentation transcript:

1 Situational Prevention of Cyber-crime
Pieter Hartel

2 Cyber-crime Science

3 Increase effort Harden targets
Firewalls; Steering column locks and immobilizers Access control Two factor authentication; Electronic card access Screen exits Audit logs; Ticket needed for exit Deflect offenders Honey pots; Segregate offenders Control tools & weapons Delete account of ex-employee; Smart guns Cyber-crime Science

4 5. Smart gun Cyber-crime Science

5 Increase risks Extend guardianship RFID tags; Neighbourhood watch
Assist natural surveillance Show were laptops are; Improve street lighting Reduce anonymity Caller ID for Internet; School uniforms Utilise place managers IDS; CCTV for on buses Strengthen Formal surveillance Lawful interception; Burglar alarms Cyber-crime Science

6 9. IDS Cyber-crime Science

7 Reduce rewards Conceal Targets
Use pseudonyms; Gender-neutral phone directories Remove targets Turn off when not in use; Removable car radio Identify property Protective chip coatings; Property marking Disrupt markets Mining for money mules; Monitor pawn shops Deny benefits Blacklist stolen mobiles; Speed humps Cyber-crime Science

8 13. Protective coatings Cyber-crime Science

9 Reduce provocation Reduce frustrations and stress
Good helpdesk; Efficient queues and polite service Avoid disputes Chat site moderation; Fixed taxi fares Reduce emotional arousal Controls on gaming; Controls on violent pornography Neutralise peer pressure Declare hacking illegal; “Idiots drink and drive” Discourage imitation Instant clean-up; Censor details of modus operandi Cyber-crime Science

10 20. Instant clean-up Cyber-crime Science

11 Remove excuses Set rules
Ask users to sign security policy; Rental agreements Post instructions Warn against unauthorized use; “No parking” Alert conscience License expiry notice; Roadside speed display boards Assist compliance Free games if license is valid; Public lavatories Control disinhibitors (drugs, alcohol) User education; Alcohol-free events Cyber-crime Science

12 22. Warn against misuse
Cyber-crime Science

13 Phishing Case study

14 A course in phishing Characters Bob’s bank has website
Customer Charlie has address Phisher Pete buys + bulk addresses Scenario Pete sends Charlie a more or less credible From: Dear customer, please renew your online banking subscription by entering your account details at Charlie believes it’s from his bank and clicks on the link provided Charlie enters his username and password Pete uses Charlie’s credentials to log in to Charlie’s account and to takes Charlie’s money Cyber-crime Science

15 What is phishing? A form of social engineering
Phishers try to get your sensitive info by masquerading as someone you trust Spear phishers search the web for context info. Phishing is a big and growing problem Phishing is cheap and easy to automate Losses rose by 40% in 2008 (Gartner, but beware!) Phishers are hard to catch Victims are gullible Phishing is not new  False billing Cyber-crime Science

16 Examples of the 25 techniques
Increase effort 1. Target Hardening : Train users to be vigilant 2. Control access to facilities : Control inbox & account Reduce rewards 11. Conceal targets : Conceal the address 14. Disrupt markets : Control Mule recruitment Remove excuses 22. Post Instructions : “No phishing” Cyber-crime Science

17 1. Target Hardening Training: Anti-phishing Phil
Cyber-crime Science

18 The message of the training
Ignore asking to update personal info Ignore threatening Ignore from bank that is not yours Ignore /url with spelling errors Ignore url with ip address Check url using Google Type url yourself, don’t click on it [Dow06] J. S. Downs, M. B. Holbrook, and L. F. Cranor. Decision strategies and susceptibility to phishing. In 2nd Symp. on Usable privacy and security (SOUPS), pages 79-90, Pittsburgh, Pennsylvania, Jul ACM. Cyber-crime Science

19 How well does training work?
515 volunteers out of 21,351 CMU staff+stud. 172 in the control group, no training 172 single training, day 0 training 171 double training, day 0 and day 14 training 3 legitimate + 7 spearphish s in 28 days No real harvest of ID [Kum09] P. Kumaraguru, J. Cranshaw, A. Acquisti, L. Cranor, J. Hong, M. Blair, and T. Pham. School of phish: a real-word evaluation of anti-phishing training. In 5th Symp. on Usable Privacy and Security (SOUPS), Article 3, Mountain View, California, Jul ACM. Cyber-crime Science

20 Good but could be better
On day 0 about 50% of participants fell Constant across demographic Control group remains constant Single training reduces clicks Multiple training reduces clicks more People click within 8 hours of receiving Room for improvement: Participants were self selected... No indication that this reduces crime... Cyber-crime Science

21 2. Control access to facilities
The addresses Few $ per million addresses – too late The mail service Client puzzles – different devices The target’s inbox Spam filter – False positives & negatives Signed – Phisher will use this too Reputation based filtering – Whose reputation? Caller-id – Major changes in the Internet [Wid08] H. Widiger, S. Kubisch, P. Danielis, J. Schulz, D. Timmermann, T. Bahls, and D. Duchow. IPclip: An architecture to restore trust-by-Wire in packet-switched networks. In 33rd IEEE Conf. on Local Computer Networks (LCN), pages , Montréal, Canada, Oct IEEE. Cyber-crime Science

22 2. Control access to facilities
The target’s online banking site Two factor authentication (TAN via SMS, gadget) [Wei08] T. Weigold, T. Kramp, R. Hermann, F. Höring, P. Buhler, and M. Baentsch. The Zürich trusted information channel - an efficient defence against man-in-the-Middle and malicious software attacks. In P. Lipp, A.-R. Sadeghi, and K.-M. Koch, editors, 1st Int. Conf. on Trusted Computing and Trust in Information Technologies (TRUST), volume 4968 of LNCS, pages 75-91, Villach, Austria, Mar Springer. Cyber-crime Science

23 11. Conceal targets The victim’s email address
Use Disposable address – Clumsy The victim’s credentials Fill the database of the phishers with traceable data [Gaj08] S. Gajek and A.-R. Sadeghi. A forensic framework for tracing phishers. In 3rd IFIP WG 9.2, 9.6/ 11.6, 11.7/FIDIS Int. Summer School on The Future of Identity in the Information Society, volume IFIP Int. Federation for Information Processing 262, pages 23-35, Karlstad, Sweden, Aug Springer, Boston. Cyber-crime Science

24 14. Disrupt Markets Money mule = target = victim
Role: traceable, reversible  untraceable, irreversible Credentials sell for pennies to the dollar US Regulation E of Federal Reserve board Only backend detection will protect against fraud Before After Target -$100 $0 Bank Mule +$10 -$90 Offender +$90 [Flo10] D. Florêncio and G. Herley. Phishing and money mules. In IEEE Int. Workshop on Information Forensics and Security (WIFS), Article 31, Seattle, Washington, Dec IEEEE. Cyber-crime Science

25 Phishers will be prosecuted
22. Post Instructions The bank’s website Post notice that active anti phishing measures are being taken... – Do banks do this? Would this work? Phishers will be prosecuted Cyber-crime Science

26 ? Cyber-crime Science

27 Anti-phishing research is risky
Crawling social network site violates terms of service – use api properly Copyright prohibits cloning web sites – work with the target, change the law Confusing trademarks damages good name of target – idem Phishing is illegal in California – avoid Make sure that your research is not in any way linked to commercial activities! [Sog08] C. Soghoian. Legal risks for phishing researchers. In 3rd annual eCrime Researchers Summit (eCrime), Article 7, Atlanta, Georgia, Oct IEEE. Cyber-crime Science

28 Laptop theft Case study

29 Laptop theft 62 simulated offences of which 31 succeeded
Cyber-crime Science

30 Crime scripts Steps Succeeded Failed Enter building 61 1 (locked door)
Enter office 47 (1×cleaner) 14 Unlock Kensington 31 (5×bolt cutter) 16 Leave building 62 (1×emergency exit) Cyber-crime Science

31 Results Social engineering works
30 of 47 attempts with social engineering succeeded 1 of 15 attempts without social engineering succeeded Managers more likely to prevent attack than the target Offender masquerading as ICT staff twice as likely to be successful Chapter 7 of [Dim12] T. Dimkov, Alignment of Organizational Security Policies -- Theory and Practice. PhD thesis, University of Twente, Cyber-crime Science

32 Conclusions Crime Science approach:
Might have avoided experimental flaws Might have come up with new ideas Would have looked at crime prevention How to bridge the gap between crime science and information security? An ounce of prevention is worth a pound of cure Cyber-crime Science

Download ppt "Situational Prevention of Cyber-crime"

Similar presentations

Ads by Google