and all types of data storage. And cyber-crime has become a business, operating without borders, and has become increasingly difficult to arrest (BCS Security Forum, 2010).

**5. The motivation for cyber attacks**

An important question to ask IT professionals is how they would make a system completely secure from any and all attacks. The authors have done this in a number of settings, and have observed that many individuals reach the conclusion that disconnecting all network interfaces and powering down the system is the only way to ensure security. However, physical security, when viewed as a component of cyber-security, suggests that the only true way to be totally secure is to not exist in cyberspace at all!

[Figure: bar chart titled "Average annualized cost of cyber-crime by industry sector in USD in 2011"; x-axis in millions of USD ($0 to $20); sectors shown: Defense, Healthcare, Transportation, Consumer products, Retail, Financial services, Communications. Bar values are not recoverable from the extracted text.]

Table 1. Cost of Cyber Crime. Data sourced from the 2011 Ponemon Institute Research Report

The point of this discussion is to illustrate that every system is a target. Information is one of our most valuable assets, and wherever it is stored, transmitted or processed it becomes a target for cyber-attackers. In November 2011, the US Office of the National Counterintelligence Executive drew significant media attention for its 2009-2011 congressional report, which carried the headline "Foreign Spies Stealing US Economic Secrets in Cyberspace" (Security Counterintelligence, 2011). The 31-page report is rife with examples of industrial espionage by foreign state actors using a variety of cyber-attacks. Among the responses from the accused, the Chinese government pointed out the West's tendency to outsource information technology projects to Asia. This tit-for-tat accusation and response is by no means a recent development, with China and Russia frequently mentioned in counterintelligence reports over the last twelve years (ibid).

Very few press reviews of the preceding congressional report covered its alarming discussion of a growing number of other, unnamed countries, as well as activist and terrorist groups, whose cyber-attack capabilities are increasing. Today we see an evolving marriage of capability and intent from groups with far more sinister objectives than espionage. Some of these groups have sought to wreak havoc and damage critical infrastructure, and have shown no aversion to the taking of human life.

Until recently, the principal threat to the private sector has come from 'traditional hackers', skilled individuals seeking information freedom, money or fun, and 'script kiddies', who use tools created by others primarily for personal entertainment. The aforementioned events and reports indicate a very obvious shift of intentions. The cost-to-benefit tradeoff of a successful cyber-attack, and the availability of the internet as a delivery mechanism, effectively arm the masses. With the right skills, anyone, anywhere, can launch a potentially devastating cyber-attack. Several such attacks were discussed in a recent whitepaper that analyzed the cyber-attack capabilities and vulnerabilities of Libya during the anti-Gaddafi uprising (CSFI, 2011). For example, a SCADA-targeted cyber-attack against Libya's oil refineries could limit Gaddafi's funding, but would risk severe economic damage to already-struggling countries such as Italy and Ireland that depend on Libya for most of their oil.

In the last few years, studies have highlighted the vulnerability of critical infrastructure to cyber-attack. Nuclear plants, electric smart grids, gas pipelines, traffic management systems, prison systems, and water distribution facilities have all been identified as at risk from cyber-attack. Fortunately, at the time of this publication, actual attacks of this kind remain the subject of academic discussion. Many security analysts fear this situation will be short-lived.

It should be clear by now that there is no such thing as an uninteresting target for cyber-attackers. We know that certain industries and organizations may be targeted more persistently and receive more attacks than others, but we should realize that every system and organization is at risk. Understanding the motivation an attacker may have to attack our systems can help us be better prepared for the eventuality of an attack.

In summary, the motivation for cyber-attacks may include:


The actors that typically have these motivations can be categorized as: organized groups; loosely-organized groups; and lone wolves. These categories are points on a continuum.

An example of an organized group would be the espionage organization of a nation (such as the CIA); an example of a criminal organized group would be the Russian Business Network. These groups are typically highly organized, pursue specific objectives, and are well funded.

More recently, there has been a surge in the category of loosely-bound groups with varying motivations. Some of the best-known of these groups include LulzSec and Anonymous. Collectively these groups are responsible for dozens of the highest-profile attacks in recent times (Wikipedia, 2012). Indeed, many of the aforementioned attacks against Sony came from one of these groups (Security Curmudgeon, 2011). Their targets range from governments, to corporations, to religious institutions (to date having hacked the Vatican twice). Self-labeled as part of the 'AntiSec' movement, they encourage other groups to join their cause and represent a politically and geographically diverse group of individuals with skills ranging from basic script kiddie to more advanced exploitation. Recently, a new group known as The Consortium (BBC News Technology, 2012) claimed affiliation with Anonymous in a hack against a pornography website that resulted in the loss of subscriber information. While some may argue that these groups have political motives, it appears that they seek out organizations with a low security profile to publicly embarrass at every opportunity.

A lone wolf or solo hacker, often incorrectly stereotyped as a basement-dwelling spotty teenager, can in some instances pose an equal threat. The case of the Scottish systems administrator Gary McKinnon is perhaps one of the more famous examples of a lone wolf. Driven by curiosity, he hacked into multiple US government agencies before being apprehended (Boyd, 2008). Such hackers are greatly assisted by organizations or individuals that provide tools for creating malware.

In the next section, we shall see how recent cyber-attacks are being targeted to realize these objectives and describe their potential impact on information systems and organizations.

Another type of cyber attack against infrastructure is stealing Internet access. An example of this type of security compromise is the case of Ryan Harris, the owner of TCNISO. His company produces products that enable users to steal Internet service (Poulsen, 2009).

One very successful form of attack today focuses on exploiting vulnerabilities in websites and web applications. These attacks pose the greatest danger to most organizations because of the relative simplicity with which they may be attempted and the immense volumes of valuable information that can be stolen if they succeed. Many websites are connected to backend databases, which not only contain information that may be of interest to criminals, but also provide an entry point into the organization's internal network. The latter form of attack is known as a pivoting attack and enables the attacker to pivot from a principal entry point to attack other systems deeper in an organization's infrastructure. Pivoting attacks are a severe form of web-based attack as they allow attackers to completely bypass perimeter security controls at the network edge.

Web attacks involve the attacker identifying a potential vulnerability in a web system. There are several types of vulnerabilities that allow for different forms of attack. The most common of these are cross-site scripting (XSS) and SQL injection.

Cross-site scripting allows an attacker to plant malicious code in an organization's website and from there attack clients visiting the site, stealing passwords, subverting network traffic, and monitoring communications. In many instances, XSS attacks enable attackers to leverage further vulnerabilities in client web browsers to install malicious software on the visitor's computer. Thus a visitor to an infected site can unknowingly become infected themselves and, in some instances, part of a group of infected computers known as a botnet. This form of client infection is known as a drive-by download and is one of the principal ways attackers gain control of systems. Controlled systems can be used for a variety of purposes including sending unsolicited e-mail (spam), targeted cyber-attacks against organizations, and DDoS attacks. Using a victim's system to attack another victim is known as an indirect attack and can be done with relative anonymity.

The vulnerability to these types of attack can be easily reduced by careful website programmers who include checks to validate the length of user-entered information and remove any illegal characters. Failing to do this introduces a significant probability that the site is vulnerable to both cross-site scripting and SQL injection attacks.

An SQL injection permits the attacker to access and manipulate a backend database, revealing customer records and intellectual property and even opening routes deeper into the organization's network. Most experts agree that SQL injection attacks were used in most of the 21 independent successful attacks against Sony that occurred between 21 April and 7 July 2011 (Security Curmudgeon, 2011). Targeted attacks of this nature currently form the majority of successful cyber-attacks and are the most cost-effective for attackers.

A further category of attacks is known as Advanced Persistent Threats, or APTs. These attacks are becoming more common as attackers become more skilled, knowledgeable and resourceful in infiltrating specific networks for a specific purpose. Their title reflects the danger posed by these attacks. APTs can be technically advanced and contain advanced attack techniques, use an advanced combination of simpler attacks for a specific purpose, or
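As an added illustration of the cross-site scripting and SQL injection points above (example code written for this edit, not from the chapter), the same customer lookup is shown built by string concatenation and with a bound parameter, alongside HTML-escaped output for the XSS case; the table contents and the test input are constructed:

```python
# Added example, not from the chapter: a customer lookup written first by
# concatenating untrusted input into SQL, then with a bound parameter, plus
# HTML-escaped output for the XSS case. Table contents are constructed.
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a website's backend database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, card TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("alice", "4111-0001"), ("bob", "4111-0002"), ("o'brien", "4111-0003")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Input pasted into the query text: the flaw behind SQL injection.
    A quote in the input ends the string literal and the rest is parsed as SQL.
    Kept only to contrast with lookup_safe below."""
    sql = "SELECT name, card FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Bound parameter: the database receives the input as a value, so quotes
    or SQL keywords inside it can never change the query's structure."""
    query = "SELECT name, card FROM customers WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def render_greeting(name: str) -> str:
    """Output encoding for XSS: user text is escaped before it is placed in
    HTML, so any markup it contains is displayed rather than executed."""
    return "<p>Welcome, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed test input, not a real request
    print(lookup_vulnerable(db, probe))  # all three rows, card numbers included
    print(lookup_safe(db, probe))        # []: no customer has that literal name
    print(lookup_safe(db, "o'brien"))    # a legitimate apostrophe still works
    print(render_greeting("<script>alert(1)</script>"))
```

The length checks and character filtering the text recommends still belong at the input boundary; the bound parameter and the output encoding are what make the two injection classes structurally impossible even when such filtering is incomplete.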
