Crime and Abuse in E-Business
Neil Mitchison and Robin Urry, Institute for Protection and Security of the Citizen (IPSC), JRC
Issue: The criminal or abusive misuse of information and communications technology is a problem of growing significance in the information
society. E-Business, in particular, will require user confidence if it is to grow.
Relevance: Common reporting procedures for computer crime incidents and standards of evidence are an important part of the response to
cyber-crime. Policy initiatives in this area, however, need to be flexible enough to respond to the rapid evolution of both ICT technology and its
exploitation by criminal elements.
Few who work in the field of electronic communications and transactions are in any doubt as to the
importance of cyber-crime. Combating computer-based crime –in particular that internal to a company– has
long been a concern of developers, implementers and administrators of computer systems, especially in the
financial sector, although it sometimes seems as if the world of politics and the media has only just become
aware of the possibilities of cyber-crime, and is now insisting on an instant, and totally effective, response.
The vulnerabilities which have led to this awareness are real enough: among them is the very nature of e-
business, which requires the automation of various types of security procedures and "reality checks"; the
ease with which a vulnerability, once identified, can be exploited from anywhere in the world; and the
sheer quantity of traffic over the Internet, which makes any sort of monitoring difficult. Some new tools
have had to be developed to cope with these specific vulnerabilities; but many computer security
procedures and standards had already been developed long before the Internet arrived.
It is extremely difficult to put hard figures on the incidence of cyber-crime, whether Internet-based or more
"traditional", but it certainly exists: many different types of incident and attack have been identified, and
some users have reported very large numbers of attempted intrusions, sometimes successful. There is a
widespread belief among those dealing with the subject that cyber-crime is substantially under-reported,
whether through ignorance, lack of faith in response measures, or a desire to avoid bad publicity.
Whatever the incidence of cyber-crime, there is little doubt about the widespread vulnerabilities; and it is
reasonable to suggest that public policy should encourage protection and countermeasures without waiting
for proof that these vulnerabilities are being widely exploited. Indeed, the experience of law enforcement in
other areas has shown that where there are opportunities for crime, criminals soon arrive to exploit them.
A further consequence of cyber-crime –or perhaps more specifically, of the perception of cyber-crime– is
its effect on confidence. Again hard figures are difficult to obtain, but it appears that lack of confidence in
protection and response measures against cyber-crime is a significant brake on the development of
electronic business, particularly "B2C" or "Business to Consumer" transactions. Before a consumer starts
electronic commerce, he will have some "confidence requirements". These might include:
Various mechanisms are under development to help consumers to acquire this confidence in appropriate
cases (see http://econfidence.jrc.it/), but there is still much to be done. Recent incidents have attracted
much media attention, and this has certainly had the positive effect of alerting system developers and e-
commerce providers to the vulnerabilities of their systems; but in the absence of reliable figures on cyber-
crime it is hard to evaluate the effect of media attention on the general public’s perception. Thus, although
it may have corrected over-confidence, it may also have led to excessive caution.
Taxonomy
One of the first questions to be addressed is the definition and classification of "cyber-crime". This can be
interpreted as meaning any criminal or abusive activity involving computers, but that definition is too wide
to be of use technically. The first and most fundamental distinction is that between using a computer as a
tool in a crime and the computer system (or its data) being the target of the crime. The focus here is on the
latter [1].
When we come to ask which activities should be considered, it is clearly unsatisfactory to use a definition
based on criminal or civil law; these differ from one jurisdiction to another, are in rapid evolution in several
countries, and leave considerable "grey areas" as to what is or is not covered in the event of activities
spanning several jurisdictions. Therefore, the definition used here is based on what administrators and users
of computer systems find unacceptable rather than any strictly legal definition.
Of course the failure to use a legal definition could lead to problems, in particular not knowing whether a
particular activity is or is not covered. However, from a technical point of view the legal status of a
particular abusive activity is usually of minor interest; what is important is to know what is going on, and
detect and stop what is unacceptable. The exception perhaps comes in the area of the reaction to incidents,
where the possibility of legal proceedings may constrain severely the process of gathering evidence; in that
case it may be appropriate to take quite different actions against "antisocial" activities and "criminal" ones.
If the external boundaries of the domain covered are somewhat fuzzy, the same is true for some of its
internal distinctions. Various taxonomies have been proposed for cyber-crime incidents, but we found none
of them to be fully convincing and comprehensive [2]. There are three fundamental approaches to such a
taxonomy: one based on the technical actions carried out, the second based on the intent of the perpetrator,
and the third based on the effects (real or hypothetical) of the actions. But none of these is fully defined,
nor fully satisfactory. Thus if we use the technical taxonomy of actions for the top level, we would want to
distinguish between:
However, this top-level distinction groups together very different activities. "Gaining access to data" means
different things if the data concerned represents:
Moreover, an individual incident is likely to involve more than one of these activities - having found the
root administrator’s password, what is the cracker going to do next?
Similarly, however important the attacker’s intent may be in legal proceedings, it does not yield a
satisfactory basis for a technical classification of cyber-crime incidents: it is often not known at the time of
an incident, and can only be established with the aid of external information. Distinguishing by the effects –
real or hypothetical– of the actions is tempting in some instances, and is indeed standard industry practice.
However it leaves a lot to be desired as a formal analytic tool, in particular because the possible effects of
any sort of "cracking" attack are almost unlimited.
Although a fully developed taxonomy does not appear to be within reach at present, it is possible to identify
the five main areas of concern listed below:
In the areas of prevention and detection of cyber-crime, there is a wide range of commercially available
software products, as well as some more specialised toolkits for particular markets [3].
Two areas stand out as needing further attention. Firstly "security is a process not a product": software tools
are not enough in themselves, they must be correctly installed and used, and continuous monitoring is
essential. Secondly –and this is of course related to the first point– there is still a widespread need for
training concerning awareness and basic precautions (among staff and clients), the selection and use of
particular prevention tools, and whether and when to call in expert help.
In some countries and industry sectors across Europe, a market appears to be developing for centralized
monitoring services to help detect cyber-crime in real time. Monitoring transactions to detect cyber-crime
requires specialist staff and equipment, and only the very largest companies are likely to have the resources
to carry this out effectively in-house. Many of the large business consultancies now offer computer forensic
services to their clients for internal security and incident investigation.
The growth of CERTs (Computer Emergency Response Teams) over the last few years has added
significantly to the armoury available to deal with cyber-crime incidents. However the provision of CERT
facilities is still fragmentary, apparently at least in part owing to a lack of awareness among potential
clients. The European Commission has recently called for a strengthening of the CERTs and improving
cooperation among them [4].
Response
When an incident has happened, there are two –sometimes conflicting– needs: the integrity of the system
has to be restored, and the incident has to be investigated [5]. This means collecting, preserving, organizing,
and subsequently presenting the evidence of what happened. If this evidence is to be presented to the
system administrators to help them protect their system better, a very informal approach may be acceptable;
but as soon as there is any possibility of the investigation going further, it is necessary to ensure that the
evidence produced meets the requirements of the authorities involved. These authorities could range from
internal company disciplinary procedures, through mediation and out-of-court settlement, to civil or
criminal courts. Each of these bodies may have its own rules on the admissibility of evidence, and it is
important that initial investigations of suspected incidents do not contaminate the electronic evidence so
that it cannot be used.
There are many "forensic" tools available on the market for investigation of computer incidents. With the
aid of these, log files can be studied and interrogated; deleted and discarded data can be salvaged; the
crucial points in a complex system can be identified; and the events which occurred in the incident can be
reconstructed. Some of these tools also help in the construction of a coherent chain of evidence. However,
there is need for further work to produce an overall methodology to ensure that the chain of evidence is
fully guaranteed; and even when that is available, it will have to be integrated with the target system.
Ultimately, the aim must be not merely to be able to demonstrate "this was the state of the computer system
and data when we started investigations", but "this is the proof of what had happened previously".
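As an added illustration of what a guaranteed chain of evidence looks like at the file level (this code is not from the article or from the study group's work), the following Python records a SHA-256 digest of every acquired file, links the records into a hash chain so that neither a file nor the order of records can be changed afterwards without altering the chain head, and seals the manifest with an examiner-held HMAC key. The file names, log contents and key are constructed for the example; real acquisitions would also record the acquisition method, the examiner's identity and a timestamp from a trusted source.

```python
"""Added example: an evidence manifest with a hash chain and an examiner seal.

Assumptions (not from the article): evidence is a mapping of file name to raw
bytes, and the examiner holds a secret key used to seal the manifest.
"""
import hashlib
import hmac
import json

# Constructed sample evidence: two small log files as an investigator might
# copy them off an affected host. The contents are invented for this example.
SAMPLE_EVIDENCE = {
    "auth.log": (
        b"Jun  1 02:14:07 web01 sshd[812]: Failed password for root from 198.51.100.23 port 4022 ssh2\n"
        b"Jun  1 02:14:11 web01 sshd[812]: Accepted password for root from 198.51.100.23 port 4022 ssh2\n"
    ),
    "access.log": (
        b'198.51.100.23 - - [01/Jun/2001:02:15:40 +0000] "GET /admin/ HTTP/1.0" 200 512\n'
    ),
}

GENESIS = "0" * 64  # the chain starts from a fixed, all-zero link


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(evidence: dict, examiner: str, acquired_at: str) -> dict:
    """Digest every file and link the records into a hash chain.

    Each link covers the previous link, the file name and the file digest,
    so the chain head commits to the whole set of files and their order.
    """
    entries = []
    prev = GENESIS
    for name in sorted(evidence):  # fixed order makes the chain reproducible
        digest = sha256_hex(evidence[name])
        link = sha256_hex(f"{prev}|{name}|{digest}".encode())
        entries.append({"file": name, "size": len(evidence[name]),
                        "sha256": digest, "link": link})
        prev = link
    return {"examiner": examiner, "acquired_at": acquired_at,
            "entries": entries, "chain_head": prev}


def seal_manifest(manifest: dict, key: bytes) -> str:
    """HMAC-SHA256 over the canonical JSON form of the manifest."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def seal_is_valid(manifest: dict, key: bytes, seal: str) -> bool:
    return hmac.compare_digest(seal_manifest(manifest, key), seal)


def verify_manifest(manifest: dict, evidence: dict) -> list:
    """Return a list of discrepancies; an empty list means the copy is intact."""
    problems = []
    prev = GENESIS
    for entry in manifest["entries"]:
        name = entry["file"]
        if name not in evidence:
            problems.append(f"missing file: {name}")
        elif sha256_hex(evidence[name]) != entry["sha256"]:
            problems.append(f"content changed: {name}")
        # Recompute the link from the recorded fields: an edited record breaks it.
        expected_link = sha256_hex(f"{prev}|{name}|{entry['sha256']}".encode())
        if expected_link != entry["link"]:
            problems.append(f"chain broken at: {name}")
        prev = entry["link"]
    if prev != manifest["chain_head"]:
        problems.append("chain head mismatch")
    recorded = {e["file"] for e in manifest["entries"]}
    for name in sorted(set(evidence) - recorded):
        problems.append(f"unrecorded file: {name}")
    return problems


if __name__ == "__main__":
    key = b"constructed-examiner-key"  # placeholder, not a real secret
    manifest = build_manifest(SAMPLE_EVIDENCE, "examiner-1", "2001-06-01T02:30:00Z")
    seal = seal_manifest(manifest, key)
    print(json.dumps(manifest, indent=2))
    print("seal:", seal)
    print("intact copy:", verify_manifest(manifest, SAMPLE_EVIDENCE))
    altered = dict(SAMPLE_EVIDENCE, **{"auth.log": SAMPLE_EVIDENCE["auth.log"] + b"x"})
    print("altered copy:", verify_manifest(manifest, altered))
```

The manifest answers the first of the article's two questions ("this was the state of the data when we started") and, because the seal is computed by the examiner at acquisition time, lets a later reviewer show that neither the files nor the manifest itself were touched during the investigation. It says nothing about what happened before acquisition; that remains the harder problem the text describes.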
If such an investigation goes to court –especially a criminal court with its high standards of proof– in order
to fully satisfy the court of the accuracy of the statements made, it may be necessary to produce source files
for the forensic tools used, and even for the operating system and software. This is a challenge which the
industry has not fully faced up to yet, and it may be that over time this requirement leads to much more
widespread use of open source software, not just for computer forensic tools, but also for e-business
applications and servers running them.
Standards
The question of European or worldwide standards often comes up in this context, but two particular areas
stand out: reporting procedures and evidence analysis standards.
It is simply not possible today to determine precisely the incidence of cyber-crime. Figures can be collected
here and there, but it is not clear what they mean and how one can be compared with another. The only
figures which have some element of comparability are figures for financial losses (always assuming (a) that
the companies concerned know how much they have lost, and (b) that they report it truthfully). While
common reporting procedures for computer crime incidents would not resolve all the difficulties of data -
in particular the problem of under-reporting - they could at least give some sort of basis for comparing one
sector, one country, one time, or one activity with another. The US model is potentially instructive; it
comprises an Internet Fraud Complaints Centre and a National White Collar Crime Centre which provide
useful clearing-houses for incident reporting, thereby offering a certain amount of consistency across
different sectors and different types of incident.
As for evidence analysis standards, there is a need for the development, in parallel with integrated evidence
collecting systems, of agreed standards for the collection and analysis of log data and other similar files.
These standards should ensure that the investigators also respect the requirements of European Data
Protection laws, to protect the privacy of innocent parties during investigations. In the absence of a well-
defined approach respecting data protection and privacy, either incidents will not be investigated or
innocent parties’ right to privacy will be violated.
Conclusions
At the end of 2000, IPSC staff, along with a team from other European research organizations, launched a
study on the fight against criminal and abusive activities ("cyber-crime") affecting e-business. The study
aims at establishing a technical "state of the art", in other words to define the present situation and expected
evolution of tools and procedures to combat cyber-crime. The study group identified three principal
technical areas of concern: the prevention of cyber-crime, the detection of cyber-crime, and response to
incidents of cyber-crime. However it soon became clear that a further area had to be addressed, namely the
development of standards.
At the time of writing (June 2001), the study’s report is still in draft form. The preliminary work of the
study group has highlighted areas where further work is needed on the technical aspects of the prevention,
detection, and response to cyber-crime. This is not all; policy initiatives, in terms of both legal and
administrative actions, are also needed, and are indeed under way in many countries of the European Union
and at EU level. However, these policy initiatives will take time, and the world of computers –and of
criminals– moves fast. There is a lot that can be done by the developers, providers, and users of e-commerce
systems to provide better protection against cyber-crime.
Keywords
Notes
[1] This is not to exclude the possibility of some "spill-over", in particular in the domain of response and evidence gathering: a reliable system
for gathering and preserving electronic evidence could be useful in investigating and judging many sorts of crime which use computers as a
tool.
[2] The only well-developed international effort at a legally-defined taxonomy is the Council of Europe’s draft convention on cyber-crime - see
http://conventions.coe.int/treaty/EN/projets/cybercrime25.htm for the 25th draft. However that is deliberately limited in its scope.
[3] The study group is evaluating the core toolkits against a general threat analysis, with a view to developing a common security model. This
work is ongoing.
[4] http://europa.eu.int/information_society/eeurope/news_library/pdf_files/netsec_en.pdf
[5] There is some suggestion that a further reason for the under-reporting of cyber-crime incidents is that commercial pressure to get the system
running again takes priority over incident investigation.
Contacts
Tel.: +39 (0332) 78 92 63, fax: +39 (0332) 78 95 76, e-mail: [email protected]
Tel: +39 (0332) 78 53 25, fax: +39 (0332) 78 90 07, e-mail: [email protected]
• Neil Mitchison has a degree in mathematics from Cambridge (UK), and spent ten years as a
computer consultant working on research in artificial intelligence and the development of
financial reporting systems for large companies. He joined the Joint Research Centre in 1988,
where he has worked on real-time monitoring systems, safety-critical systems, and on challenges
of safety and security in both the on-line and off-line environments.
• Robin Urry qualified as a mechanical engineer, and subsequently also studied politics and
business administration. He has worked for some 20 years in the IT industry, 10 of them as a
senior manager with Digital and 4 with Scottish Enterprise working on e-commerce development.
He has been a Special Constable for 6 years. He is currently Director of Cybersecure Scotland Ltd.,
and is spending a year as Visiting Scientist at the Joint Research Centre.
Contents Report 57