Supplement to the 2012/3 South African Cyber Threat Barometer
UK Case Study Report
Foreword Africa is considered to be the cradle of mankind. There is evidence that some of the earliest people lived in southern Africa. The hunter-gatherer San roamed widely over the area and the pastoral KhoiKhoi wandered in the wellwatered parts where grazing was available. Tribes from central Africa moved southwards into the eastern and central parts of the area known today as South Africa. Milestones in South African history: 1652 - Dutch Settlers arrive under the leadership of Jan van Riebeeck 1795 - British occupation of the Cape 1800 onwards - the Zulu kingdom under King Shaka rises to power 1835 - The Great Trek - Dutch and other settlers leave the Cape colony 1879 - Anglo-Zulu war 1880 - First Anglo-Boer war 1899 - Second Anglo-Boer War I am referring to the scourge of 1912 - The African National Congress (ANC) is founded cybercriminal activity that is rapidly 1961 - South Africa becomes a republic becoming a global concern and one 1990 - Mandela is freed after 27 years in prison and that we as Africans need to prioritise. opposition groups are unbanned We hope this project and proposed 1994 - South Africa's first democratic election initiatives will go a long way towards "rallying the troops" to urgently address the growing cyber threat facing South Africa has journeyed through many great obstacles our country. to become a nation whose dream of unity and common purpose is within grasp of all its people. We must not I wish to offer my sincere appreciation lose sight of this dream. As proud stakeholders of this to the British High Commission for great country we are now called upon to join hands in their funding and support to complete the fight against a new threat that is targeting all areas this vital research project. of our society - no organisation, community or child is immune to its impact. I also wish to convey my warmest thanks to all participating companies and teams for their input and For a copy of the full 2012/3 South African independent review of this report. Your Cyber Threat Barometer report and other country passion to make a positive impact in supplements please visit the research section this country has been amazing to of our website. witness. I would finally like to acknowledge the Wolfpack team for their dedication shown in the research, analysis, layout and distribution of this report. I am very proud of what we have achieved.
Corporate contact details: Building 1 Prism Office Park Ruby Close, Fourways Johannesburg, 2055 Telephone: +27 11 367 0613 Email: info@wolfpackrisk.com Website: www.wolfpackrisk.com
Craig Rosewarne Managing Director Wolfpack Information Risk (Pty) Ltd
1
United Kingdom In October 2010, the UK government committed to providing GBP650 million (US$1 billion) to cyber security initiatives. By February 2011, GBP63 million (US$100 million) had been allocated for cyber security. According to a UK government spokesman, "The government is determined to build an effective law enforcement response to the cyber crime threat, building upon the existing expertise within SOCA (national police unit responsible for pro-active operations against serious and organized crime) and the MetPolice Central e-Crime Unit.� By 2015, the aspiration is that the measures outlined in this strategy will mean the UK is in a position where: law enforcement is tackling cyber criminals; citizens know what to do to protect themselves; effective cyber security is seen as a positive for UK business; a thriving cyber security sector has been established; public services online are secure and resilient; and the threats to the UK national infrastructure and national security have been confronted.
%
10
5%
ng kli e ac im e t cr fic er Of cyb
t for 2% Departmen novation Business,dIn ds an Standar
me Ho
Cabin co-or et Office, maint dinating an opera aining a vied tional w threat of
National Cyber Security Programme investment (2011 - 2015)
%
14
e, nc ber e ef y D gc f o in y am r t is tre ce in ins en M a ef m d in
Si
ng
le bu In t In cap ildi elig fo a ng e rm bi c nc at liti ro e A io es ss c n in c co As c ut un su lud tin t ra in g 5 nc g 9% e
10%
2
Government ICT, building secure online services
History of Cybersecurity Legislation in the UK (A look at the last 10 years) Bill / Act
Description
2003
Criminal Justice Act
It is a wide ranging measure introduced to modernise many areas of the criminal justice system.
2003
Privacy and Electronic Communications (EC Directive) Regulations
Law that made it unlawful to, amongst other things, transmit an automated recorded message for direct marketing purposes via a telephone, without prior consent of the subscriber. It includes all electronic communications such as email or SMS mobile phone messages.
2008
UK Information Protection Act (DPA)
Defines UK law on the processing of information on identifiable living people. It is the main piece of legislation that governs the protection of personal information in the UK
2010
National Security Strategy
October - categorised hostile attacks upon UK cyberspace by other states and large scale cybercrime as one of the top four risk priorities.
2011
UK Cyber Security Strategy
November - Addresses how the UK will support economic prosperity, protect national security and safeguard the public’s way of life by building a more trusted and resilient digital environment.
Year
National Security Tasks:• Identify and monitor national security risks and opportunities. • Tackle at root the causes of instability. • Exert influence to exploit opportunities and manage risks. • Enforce domestic law and strengthen international norms to help tackle those who threaten the UK and our interests. • Protect the UK and our interests at home, at our border, and internationally, in order to address physical and electronic threats from state and non-state sources. • Help resolve conflicts and contribute to stability. Where necessary, intervene overseas, including the legal use of coercive force in support of the UK’s vital interests, and to protect our overseas territories and people. • Provide resilience for the UK by being prepared for all kinds of emergencies, able to recover from shocks and to maintain essential services. • Work in alliances and partnerships wherever possible to generate stronger responses. Strategy Plan objectives:• Tackling cyber crime and making the UK one of the most secure places in the world to do business • Making the UK more resilient to cyber attack and better able to protect our interests in cyberspace • Helping to shape an open, vibrant and stable cyberspace which the UK public can use safely and that supports open societies • Building the UK’s cross-cutting knowledge, skills and capability to underpin all cyber security objectives
3
Industry Collaboration, Partnership Developments and Initiatives in Cybersecurity Organisation / initiative
Description
Cybercrime Initiatives as part of the Cybersecurity Strategy
• Expand the use of ‘cyber-Specials’ to help the police tackle cyber crime : The Metropolitan Police’s Police Central e-crime Unit (PCeU) has made groundbreaking use of Police Specials with relevant specialist skills to help tackle cyber crime. • Create a cyber crime unit within the National Crime Agency by 2013: The unit will help deal with the most serious national-level cyber crime and to be part of the response to major national incidents. It will draw together the work of the e-crime unit in SOCA and PCeU and provide support to all elements of the NCA, and all police forces. • Encourage the police and the courts to make more use of existing cyber sanctions for cyber offences: • Make it easier to report financially motivated cyber crime by establishing a single reporting system for businesses and the public: Action Fraud – the national fraud reporting and advice centre run by the National Fraud Authority – will become the central portal for reporting any financially motivated cyber crime. • Create a new Defence Cyber Operations Group in the MOD (National Cyber Crime Unit) • Protecting the Critical National Infrastructure (CNI) • Develop ‘kitemarks’ for cyber security software: This will help consumers and businesses navigate the range of cyber security solutions available, allowing them to make more informed choices and avoid unnecessary ‘scareware’. • Seek to agree a set of voluntary 'guiding principles' with ISPs: This could include seeking agreement with Internet Service Providers (ISPs) on the support they might offer to internet users to help them identify, address, and protect themselves from malicious activity on their systems. • Identify Centres of Excellence in cyber security research and provide investment to plug any gaps: This will improve our research capabilities and expand the number of people with the highest levels of skills and knowledge in cyber security. • Improve cyber security at all levels of education: so that people are better equipped to go online safely. • Establish a scheme to certify cyber security specialists by March 2012: This will drive up the skill levels of information assurance and cyber security professionals
Government Communications Headquarters (GCHQ)
GCHQ provides intelligence, protects information and informs relevant UK policy to keep society safe and successful in the Internet age. GCHQ is one of three UK Intelligence Agencies and forms a crucial part of the UK’s National Intelligence and Security machinery. The National Security Strategy sets out the challenges of a changing and uncertain world and places cyber attack in the top tier of risks, alongside international terrorism, a major industrial accident or natural disaster, and international military crisis. GCHQ, in concert with Security Service (also known as MI5) and the Secret Intelligence Service (also known as MI6) play a key role across all of these areas and more. Their work drives the UK Government’s response to world events and enables strategic goals overseas.
4
Organisation / initiative
Description
The High Technology Crime Investigation Association (HTCIA)
• Dedicated to the advancement of training, education and information sharing information between law enforcement and corporate and cybercrime investigators.
Get Safe Online
• A public-private organisation that provides information on cyber crime threats and how members of the public and business can protect themselves. Cyber Security Operations Centre (CSOC) • Plans to bring together existing functions: to actively monitor the health of cyber space and co-ordinate incident response; to enable better understanding of attacks against UK networks and users; and to provide better advice and information about the risks to business and the public
National Cyber Crime Unit
• Will be created within the new FBI-style National Crime Agency by 2013. The cybercrime unit brings together the Metropolitan Police Central e-Crime Unit, which will investigate botnets and other high-level e-crime, with the Serious Organised Crime Agency, which will provide intelligence.
Cybersecurity Hub
• Set up as a brokerage for the public and private sectors to exchange information about threats and technologies. • The government plans to launch a pilot for the hub in December, involving companies from five sectors — defence, finance, telecommunications, pharmaceuticals and energy — as well as GCHQ. If successful, businesses in other industries will be invited to join in March 2012
PROTECT Partnership
• Research Centre for Critical Infrastructure Computer Technology and Protection • An initiative of the School of Computing and Mathematical Sciences within the Faculty of Technology and the Environment at Liverpool John Moores University • Contribute to improving the cyber capability of the UK and collaborating problem solving, knowledge transfer and research that work toward community resilience. • Benefits of PROTECT Partnerships o Improving the 'cyber capability' of the UK o Facilitating trusted relationships o Sharing best practice o Dissemination of information o New tools and techniques o A world-class research centre • Activities of PROTECT Partnerships include: - providing a forum, education/training, investigating problems, solves problems and publication. • Members of PROTECT Partnerships include: - public sector, critical infrastructure, law enforcement and industry.
5
UK Cybersecurity Strategy 2011 Objective 1: Tackling cyber crime and making the UK one of the most secure places in the world to do business Cyberspace is an important and expanding part of our economy. Our objective is to tackle cyber crime and make the UK one of the most secure places in the world to do business. Objectives Tackling cyber crime and making the UK one of the most secure places in the world to do business
Approach
Description 1. Encourage the courts in the UK to use existing powers to impose appropriate online sanctions for online offences. 2. Create a new national cyber crime capability as part of the new National Crime Agency by 2013. 3. Encourage the use of ‘cyber-specials’ to bring in those with specialist skills to help the police. 4. Significantly increase the law enforcement agency capability on cyber crime by March 2012, and develop new training, giving more capability to understand, investigate and disrupt cyber crime. 5. More resources will go into working with the private sector and our international partners in 2012, and from now SOCA will increase the focus of cyber crime in its international network. 6. Promote greater levels of international cooperation and shared understanding on cyber crime as part of the process begun by the London Conference on Cyberspace, in addition to promoting the Council of Europe’s Convention on Cyber crime (the Budapest Convention) and building on the new EU Directive on attacks on information systems. Contribute to the review of security provisions of the EU Data Protection Directive and the proposed EU Strategy on Information Security. 7. Review existing legislation, for example the Computer Misuse Act 1990, to ensure that it remains relevant and effective. 8. By the end of 2011, build a single reporting system for citizens and small businesses to report cyber crime so that action can be taken and law enforcement agencies can establish the extent of cyber crime (including how it affects individuals and the economy). 9. Commencing this year, the police will mainstream cyber awareness, capacity and capabilities throughout their service. 10. Take action to tackle hate crime on the internet with a plan to be published in Spring 2012. 11. Exploring the ways in which GCHQ’s expertise could more directly benefit economic growth and support the development of the UK cyber security sector without compromising the agency’s core security and intelligence mission.
Tackling cyber crime • Reducing online vulnerability • Restricting criminal activity online • Promoting more effective partnerships Government lead: Home Office Making it safer to do business in cyberspace • Increasing awareness and visibility of threats • Improving incident response • Protecting information and services • Fostering a culture that manages the risks • Promoting confidence in cyberspace Government lead: BIS
6
Objectives
Approach
Description 12. Starting in January 2012, harnessing the wider private sector joint working initiative on cyber security to ensure that law enforcement fully engages with business in information sharing and minimising the risks from cyber crime. 13. Working with domestic, European, global and commercial standards organisations to stimulate the development of industry-led standards and guidance that help customers to navigate the market and differentiate good cyber security products. 14. Work with business services providers (including insurers, lawyers and auditors) to discuss how they can develop the services they offer to businesses to help them manage and reduce the risks. 15. Work with other countries to make sure that we can co-operate on cross-border law enforcement and deny safe havens to cyber criminals. 16. Ensure that new national procedures (adopted in May 2011) for responding to cyber incidents, and the developing partnership between government and the private sector, facilitate agile information sharing on threats to business, with mitigating advice aimed at reducing impacts. 17. Bolstering (and, where necessary, building at pace) new operational partnerships between the public and private sectors to share information on threats, manage cyber incidents, develop trend analysis and build cyber security capability and capacity. Led by the Prime Minister and representatives of industry, an initial operating capability will be in place by March 2012. 18. Support GetSafeOnline.org to become the single authoritative point of advice on responding to cyber threats (for example, the recent publication of an internet safety guide). 19. Promote robust levels of cyber security in online public services, allowing people to transact online with government with confidence. 20. Enable the UK cyber security industry to thrive and expand, supporting it in accessing overseas markets. 21. Develop a better understanding of the cyber security industry’s strengths, growth potential and barriers to success. 22. Develop a marketing strategy to promote internationally the capabilities of the UK cyber security industry, by March 2012. 23. Raise awareness amongst businesses of the threat and actions that they can take to protect themselves including working through strategically important sectors to raise cyber security issues throughout their supply chains. 24. Encourage industry-led standards and guidance that are readily used and understood, and that help companies who are good at security make that a selling point.
7
Objective 2: Making the UK more resilient to cyber attack and better able to protect our interests in cyberspace Making the UK more resilient and better able to protect our interests in cyberspace will mean reorganising and refocusing our existing resources to find new ways to strengthen our national security. Objectives Making the UK more resilient to cyber attack and better able to protect our interests in cyberspace
Approach
Description 1. Work with the companies that own and manage our Critical National Infrastructure (CNI) to ensure key data and systems continue to be safe and resilient 2. Expand the government advice to include a wider range of organisations whose resilience is a priority for the UK economy. 3. Ensure that new national procedures for responding to cyber incidents (ensuring that key services can be maintained or restored quickly) are fully tested, both within the UK and in exercises with international partners. This will include a programme of exercises and plans for an EU-wide event in 2012. This builds on a minister-led incident management/response exercise (July 2011) and government’s ongoing exercise programme. 4. Work with allies to ensure implementation of NATO’s cyber defence policy (agreed in June 2011). 5. Through the Government ICT strategy, ensure that we build and maintain appropriately secure government ICT networks. 6. Supporting Olympic cyber security by joining up the relevant government departments and conducting exercises to ensure preparations for cyber incidents are robust. 7. Through the CONTEST strategy, increase our disruption of online radicalisation and recruitment, and safeguarding against cyber attack. 8. Sharpen our ability to identify the nature and attribution of cyber attacks. 9. Create and build a dedicated and integrated civilian and military capability within the MoD. Mainstreaming cyber within the organisation and setting up a Defence Cyber Operations Group (DCOG). An interim DCOG will be in place by April 2012 and will achieve full operational capability by April 2014. 10. Maintain and strengthen our ability to anticipate, prepare for and disrupt hostile acts in cyberspace (including improving information sharing across government and industry partners, enhancing defence against hostile acts and increasing law enforcement capability to investigate and prosecute those carrying out hostile acts). 11. Maintain capabilities that enable the UK’s freedom of action and cyber advantage and preserve our sovereign capabilities in niche areas.
Defending our national infrastructure from cyber attacks • Strengthening defences in cyberspace • Improving resilience and diminishing the impact of cyber attacks • Countering terrorist use of the internet Government lead: Cabinet Office Ensuring that the UK has the capability to protect our interests in cyberspace • Improving our ability to detect threats in cyberspace • Expanding our capability to deter and disrupt attacks on the UK Government lead: MOD
8
Objective 3: Building the UK’s cross-cutting knowledge, skills and capability to underpin all cyber security objectives We will build a foundation of flexible knowledge, skills and capability in the UK, supporting all of our objectives. Objectives Building the UK’s cross-cutting knowledge, skills and capability to underpin all cyber security objectives
Approach
Description 1. Improve our ability to anticipate the technological, procedural and societal behaviour developments that affect our use of cyberspace. 2. Expand our understanding of the threats and vulnerabilities in cyberspace that affect the UK. 3. By March 2012, conduct research on how to improve educational involvement with cyber security significantly at all levels – including higher education and postgraduate level. 4. During 2012, establish a programme of exercises to improve our capability to respond to incidents in cyberspace, building on the experience gained exercising response mechanisms for the Olympics. 5. Improve levels of professionalism in information assurance and cyber defence across the public and private sector. Establishing a scheme for certifying the competence of information assurance and cyber security professionals by March 2012, and a scheme for certifying specialist training in 2012. Continuing to support the Cyber Security Challenge as a way of bringing new talent into the profession. 6. Put in place clear leadership of cyber across Government, with a dedicated minister and oversight at the highest levels of Government. 7. Support the application of research, working with the Government Office for Science and others to build innovative cyber security solutions, building on our world-leading technical capabilities in support of our national security interests and wider economic prosperity. 8. Manage crucial skills and helping to develop a community of ‘ethical hackers’ in the UK to ensure that our networks are robustly protected. 9. Enhance the world-class technical skills of GCHQ. 10. Identify Centres of Excellence in cyber research to locate existing strengths and providing focused investment to address gaps. First focused investment by March 2012. 11. Raise awareness amongst the public and businesses of the threat and the actions they can take to protect themselves.
Extending knowledge • Building a coherent cross-sector research agenda • Deepening understanding of the threats, vulnerabilities and risks Government lead: BIS Enhancing skills • Building a culture that understands the risks and enables people to use cyberspace and improving cyber security skills at all levels Government lead: BIS Expanding capability • Building technical capabilities • Increasing ability to respond to incidents Government lead: Cabinet Office
9
Objective 4: Building the UKís cross-cutting knowledge, skills and capability to underpin all cyber security objectives We will work in partnership with other nations and organisations to help shape the development of cyberspace to support its role as a driver of open societies, whilst promoting stability and reliability. Objectives Helping to shape an open, vibrant and stable cyberspace which the UK public can use safely and that supports open societies
Approach
Description 1. Continue the process started by the London Conference on Cyberspace to establish international norms of acceptable behaviour in cyberspace. 2. Undertake a review of policy and regulation of the UK communication sector, with a view to publishing a Green Paper early in 2012 followed by a White Paper and a draft Bill by 2013. 3. Support the open internet, working with the Broadband Stakeholder Group to develop industry-wide principles on traffic management and non-discrimination and reviewing its transparency code of practice in early 2012. 4. Implement bilateral commitments set out in high-level communiqués (agreed in 2010 15 and 2011) with the US, Australia and France. 5. Develop new bilateral relationships on cyber with those emerging powers that are active in cyberspace. 6. Encourage international and regional organisations to support capacity building, for example working with the Commonwealth to promote model legislation on cyber crime, with the International Telecommunications Union (ITU) to support training on technical standards, with the Council of Europe (during our chairmanship starting in November 2011) and with the Organization for Security and Cooperation in Europe (OSCE) to promote freedom of expression online. 7. Use multilateral and bilateral channels to discuss how to apply the framework of international human rights law in cyberspace and new challenges in guaranteeing such rights. 8. Strengthen international systems to build confidence among states in cyberspace, including through engagement within the OSCE on confidence-building measures. 9. Actively engage in the UN Group of Governmental Experts, which will reconvene in 2012, to ensure that a constructive report is made to the Secretary-General in 2014 in line with UN General Assembly Resolution 65/141. 10. Work closely with the European Commission and the External Action Service to encourage greater coherence within the EU on cyber issues. 11. Seek agreement with ISPs on the support they might offer to internet users to help them identify, address, and protect themselves from with malicious activity on their systems.
Helping to shape the development of cyberspace • Promoting an open and interoperable cyberspace • Promoting the fundamental freedoms and rights that we enjoy Government lead: Department for Culture, Media and Sport (DCMS) Protecting our way of life • Ensuring our security without compromising our values Government lead: FCO
10
UK Case Studies Two men, arrested in May 2011, were charged in March in the United Kingdom with hacking into Sony Music’s computers and stealing music valued at approximately GB£160 million. Britain’s Serious Organised Crime Agency said the hacking reportedly took place last year just as other hackers accessed the PlayStation Network, and downloaded personal information from 77 million registered users. This case is not believed to be linked to Anonymous or LulzSec attacks, (McAfee Threats Report: First Quarter 2012, By McAfee Labs) Malvertising (malware advertising) that delivers fake AV hits Autotrader.co.uk, plus Ebay.co.uk, Myvue.com and the londonstockexchange.com over the weekend when security staff are relaxing. These websites were not compromised; however the ads within from Unanimis lead to malware that exploited Internet Explorer, Adobe Acrobat Reader and Java. The exploit kit similar to Blackhole, the PDF file and Java JAR file all had low AV detection rates on VirusTotal at the time of analysis. The dropped file installed a Fake AV program that disrupted PC functions by hogging CPU and displaying annoying pop-ups, plus the offer to clean the system with payment leading to credit card theft. http://wb-sn.com/GUhdys DarkMarket was a secretive online group whose specific purpose was to provide a market for stolen information and facilitate the sale of malware, technical infrastructure and money laundering services needed to support this criminal activity. It enabled technical specialists to work directly with career fraudsters and provided an environment in which cyber criminals could work together anonymously and across borders. The forum was infiltrated by an FBI agent during a long-term undercover operation. The undercover officer then used the intelligence gained by their trusted position within the hierarchy to gather intelligence and pass it on to other international legal authorities. As a result, one of the founder members were sentenced in 2010 for 54 months imprisonment. Several operations similar to this are currently underway by various law enforcement authorities. http://www.fco.gov.uk/en/global-issues/london-conferencecyberspace/cyber-crime/case-studies/darkmarket Cyber criminals are taking advantage of the recent disruption to NatWest's banking services by targeting its customers with a series of phishing emails. UK government agency Action Fraud warned on Wednesday that fraudsters are sending customers fake emails designed to look like they are from NatWest, with some even claiming to be from the bank's chief executive. The emails reportedly offer users access to their account in exchange for personal information. "The latest opportunistic scam is cleverly designed to play on the anxiety of NatWest customers locked out of their accounts," read Action Fraud's warning. The email then contains a link that directs the customer to a fake NatWest page requesting their account login details. Problems with NatWest's service first arose last Thursday when RBS Group confirmed its systems had failed to properly update customers' balances and payments were no longer being processed. The news comes just after the FBI concluded a massive anti-card theft operation, arresting 24 individuals believed to have mounted similar fraud campaigns. http://www.v3.co.uk/v3-uk/news/2186313/natwest-branches-late-technical-glitc Two British citizens responsible for phishing scams that stole over £1.5m from UK students have received jail sentences totalling almost ten years. Damola Clement Olatunji was sentenced by the Southwark Crown Court to 6.5 years on 8 July for his involvement in the scam. Earlier, a second man, Amos Njoroge Mwangi was sentenced to three years, three months in jail for his involvement in a similar scheme. The two were involved in phishing scams that reportedly targeted hundreds of UK students using compromised personal data to dupe its victims. "Mwangi and Olatunji were determined fraudsters who systematically targeted British students in order to steal large amounts of money," said Metropolitan Police Central e-Crime Unit (PCeU) detective inspector Jason Tunn. The two stole between £1,000 to £5,000 from each victim they successfully duped. The PCeU claimed that computers seized from Mwangi revealed he had numerous computer programmes which enabled him to build phishing emails and register fake websites. The unit also found in excess of 1,300 student loan account log-in details on assets seized from Olatunji, linking him to £304,000 worth of actual fraud and a further £162,000 attempted fraud. http://www.cabinetoffice.gov.uk/sites/default/files/resources/uk-cyber-security-strategy-final.pdf
11