**6. Cyber-attack types**

In a sample study of 50 organizations conducted in 2011, researchers found that a successful cyber-attack occurs, on average, more than 70 times per year, or 1.4 times per week. This represents an increase of 44% from 2010. If this growth continues, fifteen years from now organizations will be responding to a **successful** attack every 30 minutes (Ponemon Institute, 2011).

Attacks vary in type and sophistication. Fortunately, many of them are fairly simple in nature. Automated vulnerability probes, along with known and recognizable self-propagating malware (worms), form the bulk of attack attempts. These are generally easy to detect and prevent using standard off-the-shelf firewalls and intrusion protection/detection systems. The primary danger of these attacks is the noise they generate, which can make it difficult to locate the more serious threats. In excess, however, they can constitute a Denial of Service (DoS) or Distributed Denial of Service (DDoS) attack, leading to a much more serious degradation of service, unpredictable behavior and even complete loss of service. Although relatively infrequent, DoS and DDoS attacks are one of the most costly types of attack.

The actors that typically have these motivations can be categorized as: organized groups; loosely-organized groups; and lone wolves. These categories are points in a continuum.

An example of an organized group would be the espionage organization of a nation (such as the CIA); an example of a criminal organized group would be the Russian Business Network. These groups are typically highly organized, they pursue specific objectives, and they are well funded.

More recently, there has been a surge in the category of loosely-bound groups with varying motivations. Some of the best-known of these groups include Lulzsec and Anonymous. Collectively these groups are responsible for dozens of the highest-profile attacks in recent times (Wikipedia, 2012). Indeed, many of the aforementioned attacks against Sony came from one of these groups (Security Curmudgeon, 2011). Their targets range from governments, to corporations, to religious institutions (to date having hacked the Vatican twice). Self-labeled as part of the 'Antisec' movement, they encourage other groups to join their cause and represent a politically and geographically diverse group of individuals with skills ranging from basic script kiddie to more advanced exploitation. Recently, a new group known as The Consortium (BBC News Technology, 2012) claimed affiliation with Anonymous in a hack against a pornography website resulting in the loss of subscriber information. While some may argue that these groups have political motives, it appears that they seek organizations with a low-security profile to publicly embarrass at every opportunity.

A lone wolf or solo hacker, often incorrectly stereotyped as a basement-dwelling spotty teenager, can in some instances pose an equal threat. The case of the Scottish systems administrator Gary McKinnon is perhaps the most famous example of a lone wolf. Driven by curiosity, he hacked into multiple US government agencies before being apprehended (Boyd, 2008). Such hackers are greatly assisted by organizations or individuals that provide tools for creating malware.

Another type of cyber attack against infrastructure is stealing Internet access. An example of this type of security compromise is the case of Ryan Harris, the owner of TCNISO. His company produces products that enable users to steal Internet service (Poulsen, 2009).

One very successful form of attack today focuses on exploiting vulnerabilities in websites and web applications. These attacks pose the greatest danger to most organizations because of the relative simplicity with which they may be attempted and the immense volumes of valuable information that can be stolen if they succeed. Many websites are connected to backend databases, which not only contain information that may be of interest to criminals, but also provide an entry point into the organization's internal network. The latter form of attack is known as a pivoting attack and enables the attacker to pivot from a principal entry point to attack other systems deeper in an organization's infrastructure. Pivoting attacks are a severe form of web-based attack, as they allow attackers to completely bypass perimeter security controls at the network edge.

Web attacks involve the attacker identifying a potential vulnerability in a web system. There are several types of vulnerabilities that allow for different forms of attacks. The most common of these are cross-site scripting (XSS) and SQL injection.

Cross-site scripting allows an attacker to plant malicious code in an organization's website and from there attack clients visiting that site, stealing passwords, subverting network traffic, and monitoring communications. In many instances, XSS attacks enable attackers to leverage further vulnerabilities in client web browsers to install malicious software on the visitor's machine. A visitor to an infected site can thus unknowingly become infected themselves and, in some instances, part of a group of infected computers known as a botnet. This form of client infection is known as a drive-by download and is one of the principal ways attackers gain control of systems. Controlled systems can be used for a variety of purposes, including sending unsolicited e-mails (SPAM), targeted cyber-attacks against organizations, and DDoS attacks. Using a victim's system to attack another victim is known as an indirect attack and can be done with relative anonymity.

The vulnerability to these types of attacks can be easily reduced by careful website programmers who include checks to validate the length of user-entered information and remove any illegal characters. Failing to do this introduces a significant probability that the site is vulnerable to both cross-site scripting and SQL injection attacks.

An SQL injection permits the attacker to access and manipulate a backend database, revealing customer records, intellectual property and even opening routes deeper into the organization's network. Most experts agree that SQL injection attacks were used in most of the 21 independent successful attacks against Sony that occurred between 21 April and 7 July 2011 (Security Curmudgeon, 2011). Targeted attacks of this nature currently form the majority of successful cyber-attacks and are the most cost-effective for attackers.
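The text above recommends validating user input. The following added example (not from the original chapter) shows, beside that, the two mechanical defences that close the XSS and SQL injection holes just described: binding user input as a query parameter so the database treats it as data, and encoding it before it is written into HTML. The table, the user names and the inputs are constructed for the demo.

```python
import html
import sqlite3


def make_db():
    # Constructed in-memory sample table; not from the original text.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, email TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "alice@example.com"),
                     ("bob", "bob@example.com")])
    return con


def lookup_unsafe(con, name):
    # Vulnerable form: the user-supplied value is concatenated into the
    # SQL text, so a quote in the input changes the structure of the query.
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in con.execute(sql)]


def lookup_safe(con, name):
    # Hardened form: the value is bound as a parameter, so the database
    # treats it purely as data no matter which characters it contains.
    rows = con.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def render_greeting(name):
    # Output encoding for HTML: angle brackets and quotes become entities,
    # so user-supplied text is displayed rather than interpreted as markup.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    con = make_db()
    probe = "x' OR '1'='1"   # the textbook tautology, constructed for the demo
    print(lookup_unsafe(con, probe))   # the condition is always true: every row leaks
    print(lookup_safe(con, probe))     # nobody is literally named that: empty result
    print(render_greeting("<script>alert(1)</script>"))
```

With the unsafe lookup a legitimate apostrophe (a user named O'Brien) also breaks the query, which is why a parameterized query, rather than character stripping alone, is the durable fix.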

A further category of attacks is known as Advanced Persistent Threats, or APTs. These attacks are becoming more common as attackers become more skilled, knowledgeable and resourceful in infiltrating specific networks for a specific purpose. Their title reflects the danger posed by these attacks. APTs can be technically advanced and contain advanced attack techniques, use an advanced combination of simpler attacks for a specific purpose, or both. They are persistent, indicating that the attacker has a defined objective and often will not quit until their goal is realized. This can often lead to attacks being multi-pronged, where the organization's systems and security are studied and monitored for months before an actual attack, or series of attacks, takes place. APTs pose a significant threat with a high probability of succeeding and damaging an organization. This can indicate external funding or support that provides resources for the development and deployment of the attack.

The only positive aspect of APTs is that they are targeted against a specific organization and hence are much less prevalent than other threat types. In other terms, they are akin to the sniper who studies his prey and observes its habits. The sniper waits, sometimes for days, for the perfect moment to take his shot, with a high degree of accuracy. It is very difficult to locate the sniper before the attack, and after the attack the damage is localized but still significant, and often costly. Non-APT attacks, in contrast, may be thought of as 'the shotgun approach', or the 'spray and pray' tactic of many video gamers. The attacker will point in a general direction and blast away, hoping to hit something. With enough shots, a kill is guaranteed. These attackers generate a lot of noise, and can do a lot of damage if they are lucky enough to land a hit. If unsuccessful, an attacker will often move on to another target. Success at a low cost, against any target, is more important than any specific target.

Understanding the type of attack in the context of its objective and sophistication allows those responsible for information systems to gain insight into the potential damages caused. The next section looks at some of the costs a cyber-security breach can incur.

The effects of cyber crime are listed above. Some previous sections have said other things about cost in specific instances. Many successful cyber attacks have been widely reported in the media, yet the frequency of successful cyber attacks continues to increase, along with associated costs.

In its second annual report, the Ponemon report (Ponemon Institute, 2011) had the following key takeaways:

- Cyber crimes can do serious harm to an organization's bottom line. We found that the median annualized cost of cyber crime for 50 organizations in our study is \$5.9 million per year, with a range of \$1.5 million to \$36.5 million each year per company. This represents an increase in median cost of 56 percent from our first cyber cost study published last year.
- Cyber attacks have become common occurrences. The companies in our study experienced 72 successful attacks per week and more than one successful attack per company per week. This represents an increase of 44 percent from last year's successful attack experience.
- The most costly cyber crimes are those caused by malicious code, denial of service, stolen devices and web-based attacks. Mitigation of such attacks requires enabling technologies such as SIEM and enterprise governance, risk management and compliance (GRC) solutions. (Executive Summary, p. 2).

The time it takes to resolve a successful cyber attack is a key factor in the cost. The sooner the organization detects, analyzes and contains the attack, the lower its recovery and post-recovery costs will be, and the lower the overall cost will be. Therefore, it is important that all organizations constantly be on the alert against cyber attacks.

Table 2, taken from this Ponemon report, gives the average annualized cyber crime cost, weighted by the attack frequency. While the institutions studied in this report are not necessarily representative of the industry as a whole, the data are highly informative.

| Type of Attack | Average Annualized Cost |
| --- | --- |
| Denial of service | \$187,506 |
| Web-based attacks | \$141,647 |
| Malicious code | \$126,787 |
| Malicious insiders | \$105,352 |
| Phishing & social engineering | \$30,397 |
| Stolen devices | \$24,968 |
| Botnets | \$1,727 |
| Malware | \$1,579 |
| Viruses, worms, trojans | \$1,517 |

Table 2. Types of attacks and their associated costs (Ponemon Institute, 2011).
