Written evidence submitted by Dellsecureworks
(Malware 16)
1. What proportion of cyber-crime is associated
with malware?
Considering a couple of aspects of the evolution
of Internet connectivity:
(a) In the enterprise, firewalls and other network
layer security controls have become a commodity. The technologies
are effective and widely deployed, and this places restrictions on
how a cyber-criminal can reach or communicate with his target.
(b) For consumers, widespread adoption of broadband
Internet access, which is generally deployed behind network address
translation (NAT), also limits the communication options for the cyber-criminal.
These two different evolutions in general deliver
the same result: web browsing traffic to the Internet is permitted,
while traffic originating from the Internet is denied.
For a cyber-criminal to gain access to computers
to steal, control or observe, they must have some software
agent resident on the compromised computer which will initiate
connections outbound to the Internet.
The direct result of the improvement of basic network
security controls is an evolution of the tools of the cyber-criminal,
such that malware use is now prevalent in cyber-crime.
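The observation above, that with inbound traffic denied an implant must itself initiate outbound connections, is what makes egress monitoring productive for defenders. The following is an added example, not part of the Dell SecureWorks submission: a small Python script that parses constructed firewall log lines (the format, hosts and timings are invented for illustration) and flags outbound flows whose connections recur at a near-constant interval, the timer-driven call-home pattern that human browsing does not produce. The thresholds `min_connections` and `max_cv` are assumptions to be tuned on real data.

```python
"""Periodic-beacon detection over outbound connection logs.

Added example, not part of the Dell SecureWorks submission. The log
format below is constructed for illustration: one line per connection
as a perimeter firewall might record it, 'timestamp src dst dport action'.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: a workstation browsing irregularly, plus an implant
# calling home to one host roughly every 300 seconds with slight jitter.
# The final line is an inbound connection attempt denied at the perimeter.
SAMPLE_LOG = """\
2011-09-07T09:00:00 10.1.2.34 203.0.113.10 443 ALLOW
2011-09-07T09:00:17 10.1.2.34 198.51.100.7 80 ALLOW
2011-09-07T09:02:41 10.1.2.34 198.51.100.9 443 ALLOW
2011-09-07T09:05:02 10.1.2.34 203.0.113.10 443 ALLOW
2011-09-07T09:06:13 10.1.2.34 198.51.100.7 80 ALLOW
2011-09-07T09:09:59 10.1.2.34 203.0.113.10 443 ALLOW
2011-09-07T09:15:01 10.1.2.34 203.0.113.10 443 ALLOW
2011-09-07T09:18:37 10.1.2.34 198.51.100.22 80 ALLOW
2011-09-07T09:20:00 10.1.2.34 203.0.113.10 443 ALLOW
2011-09-07T09:25:03 10.1.2.34 203.0.113.10 443 ALLOW
2011-09-07T09:27:44 10.1.2.34 198.51.100.7 80 ALLOW
2011-09-07T09:29:58 10.1.2.34 203.0.113.10 443 ALLOW
2011-09-07T08:59:30 203.0.113.99 10.1.2.34 3389 DENY
"""


def parse_log(text):
    """Parse the constructed 'timestamp src dst dport action' lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, action = line.split()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "src": src, "dst": dst, "dport": int(dport), "action": action,
        })
    return records


def find_beacons(records, min_connections=5, max_cv=0.05):
    """Flag (src, dst, dport) flows whose connections recur at a steady interval.

    Only ALLOWed connections are examined: with inbound denied at the
    perimeter, the permitted outbound traffic is where an implant's
    call-home has to appear. Regularity is the coefficient of variation
    (population stdev / mean) of the gaps between successive connections;
    browsing is bursty, a timer-driven beacon is not. Both thresholds are
    illustrative assumptions, not vendor-recommended values.
    """
    flows = defaultdict(list)
    for r in records:
        if r["action"] == "ALLOW":
            flows[(r["src"], r["dst"], r["dport"])].append(r["ts"])

    findings = []
    for (src, dst, dport), times in flows.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:          # all connections at the same instant: not a beacon
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "dport": dport,
                             "count": len(times), "period_s": round(avg, 1),
                             "cv": round(cv, 4)})
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{f['src']} -> {f['dst']}:{f['dport']} every ~{f['period_s']}s "
              f"({f['count']} connections, cv={f['cv']})")
```

Running the block prints the single flagged flow, 10.1.2.34 to 203.0.113.10:443 roughly every 300 seconds; the three visits to 198.51.100.7 are not flagged even with `min_connections=3`, because their gaps vary widely. The regularity test is deliberately simple: real implants add jitter or sleep for long periods, so production detection would also weigh destination reputation, byte counts and connection metadata rather than timing alone.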
In terms of proportion, this is not only difficult
to quantify but also difficult to define. Is proportion defined
by impacted individuals, direct losses or number of incidents?
It should also be noted that a proportion of cyber-crime (defined
in the most general sense) is conducted by insiders.
Our view at Dell SecureWorks is that the vast majority
of cyber-crime leverages malware on a daily basis as part of basic
cyber-criminal tradecraft.
2. Where does the malware come from? Who is
creating it and why?
Malware is a worldwide problem supported by a vibrant
underground economy.
Malware used to be created by individuals for their
own purposes. Malware now tends to be created by professional
gangs, who sell it to the criminals who use it. Malware authors
will offer technical support, and publish product roadmaps and bugfixes.
The malware developers are not talented amateurs: they are highly
organised, highly professional and, of course, have identified that
they are not breaking laws by producing malware that others deploy.
Malware is created for a number of reasons:
Recognition. Early malware was written for "fun" and to see how many
computers could be infected before it was stopped. More malicious
versions would corrupt files and try to render the user's computer
unusable. The attack was generally against the hardware and data,
rather than the individual.
Theft from an individual. Most recent malware is written with the aim
of capturing bank and credit card details. These can then be sold
on to other criminals, with the details being used to buy goods
or to steal from bank accounts.
Spam. Malware is used to create botnets, which are then rented out to
criminals for activities such as mass email campaigns for things
like prescription drugs, or to conduct phishing scams, themselves
designed to trick people into handing over bank login details.
Intellectual property theft from businesses. Malware which attempts to penetrate
a corporate environment and remain undetected for long periods
of time. The controllers of the malware, meanwhile, use it to
steal IP and other sensitive information from the infected company.
This information can then be used by competitors or states, depending
on the nature of the company that was compromised.
Activism. Malware which is used for political means or to embarrass corporations.
Activists may leverage "botnets" to launch Denial of
Service attacks against targets.
Espionage/"Cyberwar". General malware used for online banking fraud or intellectual
property theft can be brought to bear by nation states. There
have also been examples of malware being crafted to bring to bear
on specific targets, for example the Stuxnet worm, which is
widely believed to have been written to damage the Natanz uranium
enrichment plant in Iran.
The last 12 months have seen actors in each of these
areas operating with a degree of sophistication. In some cases
the malware "tools" that are deployed are common across
the actors, in other cases the malware is highly specialised and
tuned to the task in hand.
Who is creating it? It is not possible to determine
absolutely, but the indicators are clear that malware today is
being written by talented software professionals. Geographic indicators
point to Eastern Europe and Asia.
3. What level of resources are associated
with combating malware?
Malware consumes an enormous amount of resources
and has a significant economic impact. According to Gartner Group, IT
security spend represents around 5% of total IT spend within enterprises.
This, on average, translates to an investment level of around
$525 per employee per annum. This does not take any account of
the business impact of malware and/or associated downtime.
It is worth noting that there is an asymmetry between
the number of threat actors and those combatting their actions.
The fight against malware can be likened to a guerrilla war, where
a relatively small number of combatants can cause havoc for a
much larger and organised adversary.
4. What is the cost of malware to individuals
and how effective is the industry in providing protection to computer
users?
For individuals, the costs range from buying anti-virus
and anti-spyware programs, (along with the associated annual subscription
fees), to the time and money involved in trying to recover from
an infection, possibly having their bank account hacked and their
credit card details and identity stolen.
The industry is moderately effective in providing
protection:
(a) Desktop anti-virus/anti-malware solutions
are a necessary and important protective control; however, they
are not 100% effective. Unfortunately, as this remains the
sole technical control deployed by the average consumer, individuals
are left in a vulnerable state.
(b) Software vendors provide patches and software
update services to allow individuals to address vulnerabilities.
Software vendors have a duty of care to their customers to improve
testing and reduce the number of vulnerabilities in their software.
It should be noted that at an individual level, infections
are rarely reported to the authorities and the police have little
way of understanding the scale or impact of such crime.
5. Should the Government have a responsibility
to deal with the spread of malware in a similar way to human disease?
Given the nature of society, I don't think there are
mechanisms which would allow the government to participate directly
in combatting the spread of malware.
It's likely that any government which embarks on direct
action would have to define "what is malware" and "what
is not malware". This would be better done at an international
level so that countries can more easily work together on cybersecurity.
Another consequence of Government action would be a need to balance
fighting malware with privacy concerns and civil rights.
6. How effective is the Government in co-ordinating
a response to cyber-crime that uses malware?
The Government is not effective today in co-ordinating
a response to cyber-crime using malware.
CESG (Communications-Electronics Security Group,
GCHQ) and CPNI (Centre for the Protection of National Infrastructure)
do communicate around such issues; however, their communications
are directed at a small community (eg CESG Listed Advisers) and
there are often restrictions on whether such intelligence can
be forwarded out of the community.
Government should focus efforts on identifying and
prosecuting those involved in cybercrime. Industry should focus
on improving preventative and detective controls relating to the
spread of malware. Government and industry should work together
to share information to increase effectiveness against malware
in general.
It should also be remembered that overall security
needs to be maintained. Some cyber attacks originate because of
a lack of security in the physical world with people revealing
passwords or disclosing too much data to unknown people.
7 September 2011