How to Determine Your Organization's Vulnerability to Crimeware
In our recent book, "Crimeware: Understanding New Attacks and Defenses," Zulfikar Ramzan and I present a snapshot of the threat that crimeware poses today and a vision of a likely future. While we are both positive and happy people, it is hard to be very optimistic when talking about crimeware. We are, in fact, very concerned.
Short History of Malware
Not long ago, malware was largely a matter of mental exercise for under-stimulated college kids. It has now shed its innocence. These days it is pushed by organized crime, aided by phishing-like deceit tactics and spread via advertisements, social networks and shrink-wrapped electronics. It captures keystrokes of individuals, spies on corporations and politicians and threatens our national security by means of server takeovers, information leakage and a potential deterioration of trust in the infrastructure. We no longer call it malware - that would be to understate the threat it poses. We call it crimeware.
Crimeware: Who Is at Risk?
We are all at risk from crimeware. But is your organization on the front line? To a large extent, you can find out the answer to that question by scrutinizing your own users.
First of all, how are machines used? Organizations where users maintain their own computers, or are allowed to use their work computers at home, face higher risks than other organizations. In spite of being careful at work, many users will approach security in a much more relaxed manner when they are at home. They may run socially propagated material such as movies forwarded by friends, and they may access material from infected peer-to-peer sites. Their home access points may be infected and may attempt to affect the connected computers - possibly by suppressing updates to the anti-virus system.
When traveling, users may be tempted or tricked into connecting to corrupted access points that steal credentials. Computers that are used both inside and outside the corporate firewall pose a risk to the internal network. How can you tell what a machine has been exposed to?
How to Recognize Crimeware
Not too long ago, crimeware was a purely technical threat. Nowadays, it is a socio-technical affair. A recent type of crimeware attack starts its lifecycle as an attachment to an e-mail claiming to be from the Better Business Bureau. The e-mail, typically targeted to people dealing with customer feedback, specifies that a complaint has been lodged against the target organization and that a copy of the complaint is attached. The worried recipient opens the attachment - maybe even forwards it to legal. The more believable the ruse is, the higher the risk is that the recipient would open the attachment. And, of course, the better targeted the e-mail is, the likelier it is to be believed.
This also goes to show that your exposure to risk depends on what the adversary knows about your organization and its users. An attacker that can spoof an e-mail to appear to come from the manager of the intended victim can take advantage of the hierarchy within the organization. A good example of this would be an e-mail that looks like it is from one's manager and has a subject line of "Would you please install and run this application, then tell me if it seems like something we could use?" (By the time the recipient responds to his manager, it is too late - the installation has completed and the network has been searched for proprietary files.)
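The two lures just described (a "complaint attached" message from an outside party, and a message whose display name is a colleague's while the address is not) can be screened for from message headers alone. The script below is an added example, not code from the article or the book: it parses a few constructed MIME messages and reports, for each, the signals a mail gateway or a help desk could check. The organization domain example.com, the one-entry internal directory, the lure phrases and the sample messages are all assumptions made for the example.

```python
"""Triage inbound e-mail for the social lures described above.

Added example (not from the article): three header-level checks a defender
can run before anyone opens an attachment:
  1. a display name that matches an internal person while the address is
     not the one the directory lists for that person,
  2. a directly executable (or archive) attachment,
  3. lure wording ("complaint", "install and run") combined with an
     attachment from outside the organization.
The domain, directory and sample messages below are constructed.
"""
import os
from email import message_from_string
from email.message import EmailMessage
from email.policy import default
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"  # assumed organization domain
# Assumed internal directory: display name -> the address it should carry.
DIRECTORY = {"Alice Manager": "alice.manager@example.com"}
RISKY_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".js", ".vbs", ".zip"}
LURE_PHRASES = ("complaint", "install and run")


def screen_message(raw: str) -> list[str]:
    """Return the reasons a message deserves a closer look (empty list = none)."""
    msg = message_from_string(raw, policy=default)
    reasons = []
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()

    # 1. Display-name spoofing: a known internal name on an unexpected address.
    expected = DIRECTORY.get(display_name)
    if expected and address.lower() != expected:
        reasons.append(f"display name '{display_name}' used with address {address}")

    # 2. Attachments whose extension means "run me" rather than "read me".
    attachments = [part.get_filename() or "" for part in msg.iter_attachments()]
    for name in attachments:
        if os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS:
            reasons.append(f"executable or archive attachment {name}")

    # 3. Lure wording plus an attachment, sent from outside the organization.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    if attachments and domain != INTERNAL_DOMAIN and any(p in text for p in LURE_PHRASES):
        reasons.append("external sender combines a lure phrase with an attachment")
    return reasons


def build_sample(from_header, subject, body, attachment_name=None) -> str:
    """Construct a sample message (the attachment content is a dummy byte string)."""
    m = EmailMessage()
    m["From"] = from_header
    m["To"] = "feedback@example.com"
    m["Subject"] = subject
    m.set_content(body)
    if attachment_name:
        m.add_attachment(b"not a real file", maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_string()


# Constructed samples: the two lures from the text and one benign internal message.
SAMPLES = {
    "bbb_complaint": build_sample(
        "Better Business Bureau <complaints@bbb-example.test>",
        "Complaint Case #12345",
        "A complaint has been lodged against your company. A copy is attached.",
        "complaint.exe"),
    "spoofed_manager": build_sample(
        "Alice Manager <alice.manager@mail-example.test>",
        "Would you please install and run this application, then tell me if it "
        "seems like something we could use?",
        "Thanks!", "evaluation.zip"),
    "benign_internal": build_sample(
        "Alice Manager <alice.manager@example.com>",
        "Q3 slides", "Attached are the slides for next week.", "slides.pdf"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", screen_message(raw) or ["no findings"])
```

None of the three checks is conclusive on its own; the point is that the two lures in the text light up more than one of them, while the internal message lights up none. A real deployment would take the directory from the identity system and the attachment policy from the mail gateway rather than from constants.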
What Does Crimeware Want?
But crimeware only wants money, right? Wrong. List your valuable resources. Patent information, customer databases, employee information, medical data, next week's client presentations - the list goes on and on. It could be the access rights to other networks. Data of political value. A set of computers that can host phishing pages and send spam. A platform from which criminals can launch an attack without being traced. Anything that has value to anybody can be the target of a crimeware attack.
If we think critically, we realize that almost any resource we can name may be the target of an attack. And remember, it is not only machines that look like computers that can host crimeware. If it has a processor, it is a potential target. MP3 players, consumer access points, phones - how about RFID cards and SIM cards? Yes, them, too.
How Can Crimeware Be Addressed?
What can be done to address this threat? First of all, we have to understand how the threat expresses itself. Then, we have to understand all of the techniques used by the attackers. As new applications and services are introduced, don't think of how they can be used. Think of how they can be abused.
Then turn to the users. What will they do? How can they be tricked? How can you educate and warn them? If you make them too nervous, will the attackers take advantage of their worries and play on their insecurity? Think creatively, and think like the attackers.
In our book, Zulfikar Ramzan and I are sharing our fears in a constructive manner. We are telling the reader how to better understand the threat. Improved security always starts with an understanding of what the vulnerabilities are. We want to promote this understanding among researchers, application developers, system administrators, policy makers, politicians and educators. Crimeware is a problem that affects us all, and all sectors of society will have to join efforts in order to fight it.
Dr. Markus Jakobsson is a Principal Scientist at Palo Alto Research Center. He is a founder of the security startup RavenWhite, which addresses security problems associated with authentication, malware and click-fraud. He is also one of the founders of SecurityCartoon, an educational approach targeting typical Internet users.
Previously, he has held positions as Associate Professor at Indiana University, Adjunct Associate Professor at New York University, Principal Research Scientist at RSA Security, and was a member of the Technical Staff at Bell Labs. He is a visiting research fellow of the Anti-Phishing Working Group (APWG), and a consultant to the financial sector.
Dr. Jakobsson teaches on phishing and counter-measures, click-fraud, the human factor in security, cryptography, network security and protocol design. He is an editor of "Phishing and Countermeasures" (Wiley, 2006) and co-author of "Crimeware: Understanding New Attacks and Defenses" (Symantec Press, 2008). He received his PhD in computer science from University of California at San Diego in 1997. He can be reached at firstname.lastname@example.org.