Written evidence submitted by Finmeccanica
Cyber Solutions (Malware 06)
The Committee seeks submissions on the following
matters:
What proportion of cyber-crime is associated with
malware?
1. The experience of Finmeccanica Cyber Solutions'
CERT team is that malware plays a crucial role in the types of
attack associated with cyber-crime. Aside from the very basic
"phishing" attacks that tend to be based more on social-engineering
techniques, malware is now generally introduced into the majority
of technical attacks occurring via email and web.
Where does the malware come from? Who is creating
it and why?
2. Fundamentally malware is developed in response
to vulnerabilities in operating-systems or in software. The vulnerabilities
that malware exploits naturally arise as part of the common software
engineering processes that have been used over the past thirty
years. Vulnerabilities that affect very popular operating systems
(such as one of the Microsoft Windows variants) and popular pieces
of software (such as one of the common web browsers) quickly become
publicised, often with exploit code being released into the public
domain.
3. Where this is done as part of the "white
hat" philosophy, the vendor of the operating-system or software
is first informed so that the so-called "fix" or "patch"
is released before the news becomes public. However, many individuals
do not keep up-to-date with operating-system and software patches
and remain vulnerable. This makes it easy for technically savvy
criminals to attempt to inject malware through a variety of known
vulnerabilities.
4. These individuals (sometimes so-called "black
hats"), rather than inform the software vendors, keep the
vulnerabilities to themselves or publicise them within an underground.
5. Recent years have seen a criminal "IT
service industry" visibly emerge. A number of groups produce
"malware packs", which can be purchased (via suitably
anonymous means) by organised crime or even state sponsored organisations
to launch wide-scale and targeted attacks via email and the web.
Such packs often include a subscription that entitles the purchaser
to regular updates ensuring that the latest vulnerabilities in
operating-systems are covered.
6. Certain classes of malware, generally those
that practise denial-of-service attacks, focus on weaknesses of
the design of the internet itself and are difficult to mitigate.
For example, huge "bot nets" can disrupt ecommerce sites
by bombarding them with traffic from a diverse range of IP addresses.
It is currently very difficult to defend against such attacks.
What level of resources are associated with combating
malware?
7. Finmeccanica Cyber Solutions is aware of one
global FTSE-100 corporation that has spent between one and five
million pounds to specifically address malware through technical
controls. We understand that spending in the financial sector,
particularly the retail banks, is similar.
8. The countermeasures and safeguards against
malware are technical (anti-malware software and so on) and procedural
(user awareness, staff awareness).
What is the cost of malware to individuals and
how effective is the industry in providing protection to computer
users?
9. Finmeccanica Cyber Solutions works on many
customer sites and notes that basic controls against malware and
virus infection are now almost universally implemented. The effectiveness
of such measures depends not only on their extensiveness and individual
effectiveness but also on the procedures surrounding them.
10. Security controls are often said to be in
competition with usability in that they can make the users'
internet business activities more difficult. This seems to be
borne out by Finmeccanica Cyber Solutions' observation that when
users are left responsible for updating their operating-system
patches and software they often neglect to perform this activity
regularly, even when the process only involves a few mouse clicks.
11. As the technical details of malware are beyond
the full understanding of the layman some "internet security"
companies scaremonger, scam, and even introduce their own malware
in the guise of anti-malware.
12. The potential cost of malware to individuals,
in an age of internet banking, internet shopping and social networking
spreads across financial loss, identity theft, loss of earnings
and damage to reputation.
13. Malware targeted at specific companies and
organisations is likely to be focussing on making a financial
gain. Obviously any successful attack against a consumer organisation
that is publicised will affect customers' views of the organisation.
Should the Government have a responsibility to
deal with the spread of malware in a similar way to human disease?
14. As the internet continues to pervade individual
and work life it complements or supplants pre-internet facilities
that many may consider the government should protect. For example,
the postal system for carrying letters, television and radio broadcasts,
access to news and so on. The internet can replace the need for
physical access to work, physical access to couriers, replace
the need for paper-copies of documents. The government's
related responsibility to protect therefore probably extends to
education, clarity of law and law enforcement.
15. In all these senses the Finmeccanica Cyber
Solutions view is that the government should continue to legislate
to protect and maintain the essential infrastructure of businesses
and public life including when these cross-over to the internet.
This should then include measures to control cyber-crime and planning
for emergencies.
16. Government does have a duty to protect its
own networks and the data it holds on behalf of UK subjects. Although
it is making strides to do this, it is facing the growing issue
that its cyber footprint, and the value of the data and funds
it holds in cyber space, are beyond the capacity of its own organisation
to protect. Government needs to reach out to trusted parties to
expand this capability.
How effective is the Government in co-ordinating
a response to cyber-crime that uses malware?
17. Finmeccanica has over many years built close
relationships with the law enforcement communities in both the
UK and Italy and our response to this question is informed by
these relationships. We believe that the UK government's response
to cyber-crime generally is amongst the best in the world, especially
since responsibility for tackling the cyber threat across the
crime and terrorism fields was brought together at the ministerial
level.
18. However, there are still many different bodies
involved depending on the nature of the crime being committed.
For example, child exploitation crimes are dealt with by CEOP,
fraud by the SFO, theft by PCeU and counter-terrorism operations
by SOCA. Such a division of responsibilities was entirely appropriate
in the pre-internet and pre-malware days. In the current climate,
where new forms of malware and new ways of exploiting their potential
are emerging at an exponentially growing rate, we believe it would
be appropriate to examine the potential for either centralisation
or resource sharing across the different groups involved in policing
cyber space.
19. We recognise that the knowledge and skills
required to investigate and prosecute child abuse are necessarily
different from those for financial crime. However, we believe that
the similarities in the use of malware and other forms of cyber
attack by different categories of crime warrant the synergies
and subsequent cost savings which could accrue from centralising
the capabilities required to identify that a cyber crime has been
committed and provide the digital forensic evidence to support
subsequent investigation and prosecution by specialist units.
DECLARATION OF INTEREST
Finmeccanica Cyber Solutions is part of Finmeccanica
in the UK and offers information assurance and cyber security
services for organisations across public and private sector.
6 September 2011