An effective governance framework for monitoring cyber activities and a process for gathering, analyzing and sharing cyber intelligence are two of the weapons in an organization’s arsenal to counter cybercrime, according to the not-for-profit Information Security Forum. SD Times asked Steve Durbin, ISF’s global executive vice president, about cybercrime, and how enterprises can counter its effects and prevent privacy breaches.

SD Times: What factors are driving cybercrime?
Steve Durbin: Cybercrime at its basic level is really being driven by the criminal fraternity. So we’ve seen organized crime come into that space. And they’ve determined that, by collaborating, they’re able to be much more effective and efficient than they have been in the past.

We also then have cyber-terrorism, which is slightly more worrisome than pure cybercrime. And then, on the other end of the spectrum, we have state-sponsored espionage, which has moved from the guys who were sort of walking the streets to those that are sitting at computers instead and stealing information—particularly when it comes to things like R&D or state secrets.

How are organizations being affected by cybercrime?
From an organization standpoint, what we have seen is a lot of these things moving out of the general environment to become much more pertinent and relevant to individual organizations. So, if we walk through each of those different areas, let’s start with state-sponsored espionage, for instance. If you imagine that you are one of the leading missile or defense manufacturers in the United States, of course, then the sort of information that you have and that you are holding are going to be particularly interesting to certain rogue states that are out there.

Certainly a number of individuals might haveSteve Durbin information that they’re holding—particularly if they’re CEOs or if they’re senior executives within organizations—that would be interesting for you (if you were a cyber criminal) to get a hold of at the individual, personal level. Because you might want to combine that information with their Facebook page and then build some social engineering profile that will enable you to access their bank accounts or their stock portfolios. You don’t need too many data points to be able to do this kind of thing. But this is actually a known problem. What is really more concerning, I think, is the unknown. It is that combination of these sorts of things that, when applied in a number of different ways, provide you with inputs or opportunities that you probably hadn’t imagined were out there.

How does ‘malspace’ affect individuals and organizations?
ISF’s research goes into quite some detail about the way in which what we call ‘malspace’—which is where the bad guys live—is developing. The fact is, we’re all potentially victims to it because we all exist in a joined-up environment, whether it be at the personal level, organizational level or state level. Nobody actually works in isolation anymore. Our research has looked at the different attack types, the roots of attack, the services and tools that can be used, and really works through, from an information security standpoint, the sorts of things that enterprises can do in order to guard against them.

What are cybercrime’s four major attack types?
We’re seeing much more sophistication in the combination of different attacks that are now being used. So, we’re seeing them fitting into a number of different areas that we would call “reconnaissance” or “disruption” or “extraction” or “manipulation.” Those tend to be the four major attack types that we’re seeing when we talk about cybercrime.

Reconnaissance is really intended to just gain information about a potential victim or victims that you can then use to help plan or implement further attacks. So, if you imagine we’re talking about a high net worth individual, what we’re seeing now is a move from phishing (which is going after the likes of you and I, perhaps) to whaling, which is really targeting the people who have really high net worth. So, to do that initially, there would probably be a reconnaissance type attack which, again, is just about gaining more information about them that can help you then be more focused in terms of how you might want to attack that individual.

The second attack type is more about disruption. This is where it’s intended to do what it says, to disrupt a business, a system or a service—to take down a website, at a simplistic level. And clearly those sorts of services have been available for quite some time. You have been able to buy these things on the black market for some while now.

The third attack type is extraction, where you are extracting data from the victim. The victim could be an individual or the victim could be an enterprise.

So then you have the fourth attack type, which is manipulation. This is where you are manipulating data, changing it or deleting it, maybe. And that can be pretty nasty as well. And the thing about them, I think, is that attacks are very often carried out in such a way as to avoid detection, prevent remediation, and enable repeat attacks. An example would be one of our members in the financial service space who did actually find that it had been attacked with a manipulation type of attack. They managed to isolate it, they managed to take the system down, rebuild it over a two-week period, and put it back up again. And within two days, they had been attacked again in the same area. So, it is not the sort of thing that you particularly want to have happen, but it does happen out there, and we need to be aware of it.

How can enterprises handle the BYOD trend when it comes to securing the devices?
In terms of the tools and devices and so on that people are using, if we get into BYOD or personal devices, it is about, first of all, making sure you have clarity around what people can and cannot do with those devices. Are you, for example, going to allow them to access Facebook on the same device that they’re accessing your corporate system? And how are you going to manage those devices? So you then get into ownership issues. If you have provided the device, then you have rights over how you can monitor it or how you can remote manage it. If it’s somebody else’s device, you don’t have the same rights. People would have to agree to allow you access to their devices.

So, a lot of it is thinking about the policies and the governance that you’re putting in place in order to deal with a BYOD environment. Many organizations haven’t gone through that process and that, obviously, is opening them up to certain threats and vulnerabilities. So some of these things sound very, very simple, but it is about just sort of standing back and thinking these things through from an enterprise standpoint, and deciding how you’re going to deal with some of these things.

How can organizations protect BYOD devices?
I think organizations are rightly concerned about BYOD. But I think there are ways to secure that, but you have to move away from the device. I think this obsession with the device is actually the wrong place to be starting. You have to go back to the data. So you have to categorize the data, determine what is highly secure and what is not so secure. And then you put in place your security processes based around the data, rather than around the devices. And that may well mean that, irrespective of whether you’re using a tablet or a laptop, unless you’re actually in a secure location, you can’t access certain types of data. So it’s a different way of looking at it. And that’s the way that we have to start looking at things, from the data standpoint rather than anything else.

How important is it for organizations to collaborate with others regarding security?
The size of the problem has now gotten so large that no one organization is able to deal with this in isolation. So there is an ongoing need for collaboration, not just across organizations, but also across jurisdictions. So, law enforcement working collaboratively with private enterprise, for instance, to resolve some of these issues, or to catch some of the people that are up to these sorts of things. I think the point that we would make is that international standards, as in traditional standards, the ISOs and so on, really were never designed with this kind of thing in mind. And so there is a need for a much more collaborative approach, particularly when we get into the interconnectivity that goes on because, as an organization or enterprise, you’re only ever going to be as strong as the weakest link, and that could be in a third-party organization that is providing you with services or indeed with materials. So you do have to view this from a much more holistic standpoint than we’ve been able to look at things in the past. And that’s why collaboration, whether it be across, say, the supply chain or with law enforcement agencies or state agencies, is becoming so important.

What is “cyber resilience” and how can organizations gain it?
We always say there are just two organizations: Those that have been attacked and those that will be attacked. So it’s like paying your insurance premium and hoping that your car is never going to get dinged. Yet you have to come at it from a different perspective. And so we talk now about “cyber resilience” as opposed to anything else. Cyber resilience is all about really trying to ensure that the enterprise is going into this with its eyes open. It’s about looking at the impact and the associated costs of impact, versus the costs of information security controls and cybersecurity responses. So we have a cyber resilience framework that we have produced that consists of four components or pieces.

The first piece is overall governance and partnering. And what we’re saying is that the organization or enterprise should have an effective governance framework for monitoring cyber activities. And that includes collaboration with partners, and it also includes risks and certain obligations that might exist in cyberspace. So that’s the first step.

The second piece is all about what we call situational awareness, where an organization should have a process for gathering, analyzing and sharing cyber intelligence. That’s within the enterprise, but also potentially across supply chain partners or with law enforcement.

The third piece is all about cyber-resilience assessment. This is about an organization having a process for accessing and adjusting their resilience to impacts from attack from the past, present and potentially future cyberspace activity. So there’s a bit of stargazing that goes on in that, in terms of trying to anticipate some of things that might come along.
And the fourth piece is cyber response. That’s about how the organization effectively prevents or detects and responds to cyber instances, and minimizing the impacts that they have on the enterprise.

What advice can you give enterprises regarding cyber security?
You can’t set out to try to boil the ocean. You have to be particularly focused around the challenges that you face within your own enterprise. So they could be, for instance, governance-related challenges. So you might be in an organization that has difficulty communicating threats to business leaders, for instance, or getting business leaders to take ownership of the risks related to cyber threats. There could be this lack of engagement between business and information security, there could be a poor understanding of the risks associated with cyber threats, or there might even be, more typically, a limited budget for responding to cyber threats. So in this kind of instance, the challenge that the security people face is really, how do they speak the language of the business? How do they communicate with the business some of the challenges that are being faced?

How important is it for the security and business folks to be on the same page?
Certainly within a cyber security environment, it is about how you engage with the business and get the business to understand that these are not isolated information security issues. They do have large business impact. And, unfortunately, we have some very good examples that are very, very public about the kind of impact that these sorts of things can have on the business. So if we look at, say, the global payments issues that happened recently, there was a very clear impact on stock price within about 24 hours of the global payment people announcing that they’d had a breach; their stock price took a very significant dive. And the massive attack last year on the credentials of Sony PlayStation users would be another example, for instance, of how you can point to different organizations that have suffered from an attack and the impact that that has had, on either the ability of the business to function or on stock value and price.”

How do budgets affect security decisions?
It is about the fact that, increasingly, pretty much every enterprise that you talk to is still operating with limited budgets, which means having to make very hard decisions as to where to spend those dollars. And those have to be business decisions. And so we’re seeing a move of security people not just being able to focus on the security or technology, but also having to articulate some of these risks in a language that the business can understand in order to position it within that business context and, therefore, make the right determinations as to whether or not budget should be made available to address some of these issues.

How can software development managers handle security issues?
From a software development standpoint, you have to look at whether you’re outsourcing some of that development or whether you’re doing it all in-house. If you’re outsourcing it, where are you outsourcing it to? What are the checks that you’ve got in place to make sure that the code that is coming back is—I don’t want to use the word safe, but at least, has it been tested? And so, therefore, if we go back to the budget issue, if you have to do extensive testing on code that has come back in from an outsourced provider, is it still cost-effective to outsource it, or would you better advised to retain it in-house and produce it in-house? So it’s those sorts of decisions that people then get into in terms of, where do I have my code written and how do I manage that third-party process?