1) Cyber-crime is a growing problem as online banking fraud has increased significantly from 2010 to 2012. The human element of security is often the weakest link, as shown through social engineering experiments.
2) A case study on the DigiNotar hack revealed that poor security practices like weak passwords and lack of antivirus software allowed hackers to issue false digital certificates.
3) Situational crime prevention focuses on reducing criminal opportunities and can provide techniques to address phishing through education and awareness training, as well as ensuring computers have up-to-date security systems. However, training may have limited effectiveness without broader changes to influence actual criminal behavior.
14. Example 1 : Simulated laptop theft experiment
15. 62 simulated offences of which 31 succeeded
Step                 Succeeded   Failed
Enter building       61          1   (locked door)
Enter office         47          14  (1× cleaner)
Unlock Kensington    31          16  (5× bolt cutter)
Leave building       62          0   (1× via emergency exit)
16. Results
Social engineering works
30 out of 47 attempts with social engineering succeeded
1 out of 15 attempts without social engineering succeeded
Managers more likely to prevent attack than the target
Offender masquerading as ICT staff is twice as likely to be successful
[Dim12] T. Dimkov, Alignment of Organizational Security Policies -- Theory and Practice.
PhD thesis, University of Twente, http://dx.doi.org/10.3990/1.9789036533317
19. What went wrong?
No anti-virus and weak passwords
Offenders hacked the system and issued rogue certificates
DigiNotar has been hacked before (2009)
No backup certificates
False certificates still accepted by browsers that have not been patched...
DigiNotar now bankrupt.
20. How to deal with the human element?
Focus on the offender
Focus on the offence
[Fel10a] M. Felson. What every mathematician should know about modelling crime.
European J. of Applied Mathematics, 21(Special Double Issue 4-5):275-281, 2010.
http://dx.doi.org/10.1017/S0956792510000070
21. [Hec06] J. J. Heckman. Skill formation and the economics of investing in disadvantaged
children. Science, 312(5782):1900-1902, 2006. http://dx.doi.org/10.1038/428598a
22. Situational crime prevention focuses on the offence
1. A theoretical foundation.
2. A standard methodology based on action research.
3. A set of opportunity-reducing techniques.
4. A body of evaluated practice including studies of displacement.
24. 2. Methodology: Action Research
1. collection of data about the nature of problem
2. analysis of the situational conditions
3. systematic study of means of blocking opportunities
4. implementation of the most promising means
5. monitoring of results and dissemination of experience.
[Chart: number of vehicles stolen per year, with a marker at the point where the first car theft index was published]
25. 3. A set of opportunity-reducing techniques.
http://www.popcenter.org/25techniques/
27. 4. A body of evaluated practice
Example: Phishing case study
28. How can we use the 25 techniques to fight Phishing?
Increase the effort
1. Target Hardening : Train users to be vigilant
2. Control access to facilities : Control inbox & account
3. Control weapons and tools : Keep your PC up to date
Reduce Rewards
1. Conceal targets : Conceal the email address
2. Disrupt markets : Control Mule recruitment
Remove Excuses
1. Post Instructions : “No phishing”
30. The message of the training
1. Ignore email asking to update personal info
2. Ignore threatening email
3. Ignore email from bank that is not yours
4. Ignore email/url with spelling errors
5. Ignore a url with an ip address
6. Check a url using Google
7. Type a url yourself, don’t click on it
[Dow06] J. S. Downs, M. B. Holbrook, and L. F. Cranor. Decision strategies and
susceptibility to phishing. In 2nd Symp. on Usable privacy and security (SOUPS),
pages 79-90, Pittsburgh, Pennsylvania, Jul 2006. ACM.
http://dx.doi.org/10.1145/1143120.1143131
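The training rules above are written for a human reader, but several of them can also be checked mechanically before a message reaches the inbox. The following Python block is an added example, not code from the slides or from the cited paper: it scores a constructed email against rules 1, 2, 3 and 5 (request to update personal data, threatening language, a "bank" sender that is not one of the user's own banks, and a link whose host is a bare IP address). The phrase lists, the user's bank list and the sample emails are all constructed for the example; rules 4, 6 and 7 are left to the user, as the slide intends.

```python
"""Heuristic screening of an email against the anti-phishing training rules.

Added example (not from the original slides). Phrase lists and the bank
allow-list are constructed assumptions; tune them for a real deployment.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Assumption: the banks this (hypothetical) user actually has an account with.
MY_BANK_DOMAINS = {"examplebank.nl"}

# Rule 1: requests to update personal information (constructed phrase list).
UPDATE_PHRASES = ("update your personal", "verify your account", "confirm your details")
# Rule 2: threatening language (constructed phrase list).
THREAT_PHRASES = ("account will be suspended", "within 24 hours", "legal action")

URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def host_is_ip(url):
    """Rule 5: true when the URL's host is an IPv4/IPv6 literal, not a name."""
    host = urlparse(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_email(sender, body, my_banks=MY_BANK_DOMAINS):
    """Return the training rules the email trips; an empty list means nothing was flagged."""
    text = body.lower()
    hits = []
    if any(p in text for p in UPDATE_PHRASES):
        hits.append("rule 1: asks to update personal info")
    if any(p in text for p in THREAT_PHRASES):
        hits.append("rule 2: threatening language")
    # Rule 3: a sender that presents itself as a bank but is not one of ours.
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    if "bank" in sender_domain and sender_domain not in my_banks:
        hits.append(f"rule 3: claims to be a bank you do not use ({sender_domain})")
    for url in URL_RE.findall(body):
        if host_is_ip(url):
            hits.append(f"rule 5: link host is a bare IP address ({url})")
    return hits


# Constructed sample messages (192.0.2.0/24 is the documentation address range).
PHISH_SENDER = "security@examplebank-alerts.com"
PHISH_BODY = ("Dear customer, your account will be suspended unless you update your "
              "personal details at http://192.0.2.10/login today.")
LEGIT_SENDER = "info@examplebank.nl"
LEGIT_BODY = "Your monthly statement is available. Log in at https://www.examplebank.nl/ as usual."

if __name__ == "__main__":
    for label, sender, body in (("phish", PHISH_SENDER, PHISH_BODY),
                                ("legit", LEGIT_SENDER, LEGIT_BODY)):
        print(label, check_email(sender, body))
```

The constructed phishing message trips four rules and the legitimate statement notice trips none. A screen like this complements training rather than replacing it: the slide's later rules (spelling errors, checking a URL, typing it yourself) still depend on the reader's judgement.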
31. How well does training work?
515 volunteers out of 21,351 CMU staff and students.
172 in the control group, no training
172 single training, day 0 training
171 double training, day 0 and day 14 training
3 legitimate + 7 spearphish emails in 28 days
No real harvest of ID
[Kum09] P. Kumaraguru, J. Cranshaw, A. Acquisti, L. Cranor, J. Hong, M. Blair, and T.
Pham. School of phish: a real-world evaluation of anti-phishing training. In 5th Symp. on
Usable Privacy and Security (SOUPS), Article 3, Mountain View, California, Jul 2009.
ACM. http://dx.doi.org/10.1145/1572532.1572536
32. Good but could be better
On day 0 about 50% of participants fell for the phish
Constant across demographics
Control group remains constant
Single training reduces clicks
Multiple training reduces clicks more
Unfortunately:
Participants were self selected...
No indication that this reduces crime...
33. 5. Control weapons and tools
Is it a good idea to:
Let people surf the Internet without a license?
Allow manufacturers to sell the anti-virus of a PC as an optional extra?
Expect people to maintain their own anti-virus, firewall, OS?
Is it a good idea to:
Let people drive on the road without a license?
Allow manufacturers to sell the brakes of a car as an optional extra?
Expect people to maintain their own car?
34. An idea that we would like to test
1. User pays the ISP an “Insurance” premium
2. Security vendor serves the user with updates
3. Security vendor notifies an ISP when user does not update
4. ISP ensures that non-compliant user does not endanger others
5. ISP remunerates vendor
6. Government controls ISPs and vendors
36. Conclusions
Crime Science approach:
Gives a human perspective on all things technical
Might have come up with new ideas
Avoids experimental flaws
An ounce of prevention is worth a pound of cure
[Har10] P. H. Hartel, M. Junger, and R. J. Wieringa. Cyber-crime science = crime science
+ information security. Technical Report TR-CTIT-10-34, CTIT, University of Twente, Oct
2010. http://eprints.eemcs.utwente.nl/18500/
Editor's notes
Cyber crime has a bright future because the engineers responsible for the technology of the Internet have largely ignored the human element. We will review the history of the Internet briefly to see why we have ended up in the present situation. We will look at a number of case studies into cyber crime, such as the DigiNotar case, but also more mundane offences like laptop theft. To conclude we suggest how the principles of situational crime prevention that have been shown to be successful in the prevention of “traditional” crime could be applied to cyber crime.
Queensland, 2000, 46 times!
2011
I will make more precise later what I mean by the human element. To understand how we got into this, let’s review the history of the Internet.
Life is easy for the cyber criminal. You can commit a cyber crime yourself. Examples from our research and from others. Gloss over many important issues.
Once upon a time
Researchers trying to do better research with the help of the Internet
Issues but they could all be dealt with by the family using the rules of the net etiquette
Many innovative services thanks to the design philosophy No security still
Self management by netiquette broke down
Backstitching security technology is costly. But there is a bigger problem.
Offender does not follow the rules. Rational person maximizing his profits and minimizing his efforts. This is the human element!
Back to the human element. So Internet security will remain an oxymoron for as long as network and security engineers focus on the technology, and ignore the human element.
Forthcoming thesis of Trajce Dimkov
James Heckman Nobel prize Economics 2000
A motivated offender meets a suitable target in the absence of capable guardians. The motivated offender acts rationally but has limited time and knowledge to make optimal decisions.