Peter Woollacott, CEO of Tier 3, gives a global analysis of cybercrime and shows why misuse, abuse and fraud are now a major compliance issue.

Cybercrime has come a long way since 1988 when the Morris worm - considered by many to be the first piece of malware and certainly the first to gain widespread media attention - hit the internet. The worm, technically a Trojan Horse piece of malware, was written by a student at Cornell University, Robert Tappan Morris, and launched on 2 November 1988.

The replicating and 'clogging' concept of the worm, which effectively brought the internet to a grinding halt, has since been copied many times, although no-one could have foreseen the developments in the world of malware and cyber-attacks that would ensue in the years to come.

If we fast-forward just over 18 years to January 2007, we see the Nordea Bank in Sweden reporting a loss of $1.1 million to Russian organised criminals over a three-month period, with a key-logging Trojan at the heart of the scam.

According to BBC news reports, the bank lost its money in relatively small amounts over the three months, with debits spread across the accounts of around 250 business and consumer (retail) customers. Reports note that the Russian criminals developed their own custom Trojan, which was sent to the bank's customers disguised as an anti-spam application.

Because the Trojan was custom-made and only sent to a small number of internet users, it fell below the radar of conventional IT security software.

Once the bank's customers downloaded the application, they were infected by a modified version of the haxdoor.ki Trojan, which triggered key-logging when users accessed their Nordea bank accounts online.

These details were then relayed to a group of servers in Russia, where an automated routine started siphoning money from the customers' accounts.

The bank has borne the costs of reimbursement to all the affected customers and is seeking ways of preventing further attacks of this nature. Unfortunately for customers worldwide, this type of low-value, multi-account fraud is extremely difficult to counter, unless the bank concerned has both heuristic and holistic IT security technologies to protect its IT resources.

The Nordea Bank incident illustrates the fact that modern cybercrime has 'come of age', driven at least in part by the arrival of organised criminals using sophisticated techniques to extract significant amounts of money from organisations both large and small without detection.

Most modern organisations have installed multi-vector security technology, including perimeter security systems, to protect their IT resources against almost every conceivable form of external attack, whether it is an email-borne virus, hybrid malware, or a sustained brute force attack on their EFTPOS/financial systems.

But this is only part of the security equation. Today there is also the very real issue of internal attacks, originated by anyone from a disgruntled employee to a WiFi-wielding cracker who gains access to the company’s internal network using a wireless backdoor, courtesy of a new Centrino-driven notebook sitting on the marketing director’s desk.

Employing user privilege-based control systems on the IT network, as well as installing event monitoring/response technology that can block any unauthorised and/or unusual activity on the IT resource, can protect against loss through internal attacks of this type, as well as sophisticated hybrid attacks from the Russian criminals involved in the Nordea Bank scam.

Unfortunately for hard-pressed IT managers the world over, some of the best IT monitoring/control systems can be a relatively expensive option to install and operate, meaning that a compromise in terms of security and cost might seem the order of the day. This could prove to be a false economy and impact good governance.

Modern legislation, like the Sarbanes-Oxley Act in the US, the Companies Act in the UK and other equivalent laws around the world, imposes a duty of care on senior officers within organisations to install an auditable IT security system that protects against all known and unknown security threats that might impact their organisation.

Perhaps worse, these new laws do not take account of the fact that hacker techniques - as clearly illustrated in the Nordea Bank attack - are becoming more sophisticated and specifically designed to evade existing detection methodologies.

Much of the forensic accounting and data auditing software seen in the last decade, in fact, is now significantly out of date against a backdrop of the increasing levels of authorised misuse, unwitting internal participation and fraud that are starting to appear in many major organisations.

Authorised misuse is a grey area that many IT security managers overlook at their peril. If, for example, an office worker starts downloading the entire company customer base, it may be that a legitimate back-up is in progress, or it might be the beginnings of a major contravention of local data protection legislation. But which is it?

An effective monitoring system, capable of alerting IT management staff to such an event and taking pre-defined lock-down action as appropriate, goes a long way towards protecting against loss, keeping the auditors at bay, and, perhaps more importantly, keeping the management on the right side of the law.

This is because a failure to address such increasingly prevalent internal security matters is a breach of a growing body of compliance legislation, such as Sarbanes-Oxley in the US and the Companies Act in the UK.

All is not lost, however, as a new generation of monitoring systems, capable of using real-time heuristic and holistic analysis techniques alongside more conventional auditing and IT security software, can help IT managers meet the demands of increasingly complex risk environments set against increasingly draconian compliance legislation.

An increasing number of major organisations around the world that do business with their US counterparts are now adhering to the provisions of the Sarbanes-Oxley Act. This leads to the conclusion that most US companies will soon incorporate Sarbanes-Oxley or similar compliance requirements into their commercial trading terms and conditions with other parties.

Improved governance is good business practice and so even those non-US organisations not forced into a 'comply or die' situation with international legislation will, we believe, find it advantageous to move to this best practice approach on IT security.

For this reason, organisations should consider moving from a point-solution based IT security system to an integrated approach, with multi-faceted security technology installed, at all technology levels, across the organisation under the control of a fully automated and auditable database-driven ICT threat management system.

Had the business recipients of the Nordea Bank Trojan installed such a system, their account details could have been protected from leaking out to the Russian criminals' servers and the resulting losses prevented.

In addition to this, if an organisation takes steps to perform a continually updated research and risk analysis on its IT systems and resources, then it is well on its way to ensuring relevant regulatory compliance, as well as protecting against organised criminal gangs using customised Trojans to extract money from the organisation's bank accounts.

Whichever security products you choose, it pays to check that they meet the diverse requirements of the current threat landscape and satisfy the specific requirements of compliance guidelines and regulations.