
AUCKLAND UNIVERSITY OF TECHNOLOGY

Team Public Source Intelligence Threat


November 2010

Research Report [Draft]


Supervisor: ____________ Coordinator: ____________ ________________ Project for Fonterra

Prepared by: Nadia Xing
In Cooperation with: Shane Swinfen, Dima Myrnyy


CONTENTS
Introduction
    Background
    The Project Overview
    The Project Team
    The Objectives of Research
Methodology
    Scope of Research
        Within New Zealand
        Language: English only
        Solely Internet, excluding other media
        Excluding business information exchange and/or publications
    Literature review on internet security
    Scenario Analysis
        Category 1 (individual, how to use internet)
        Category 2 (individual, where to access internet)
        Category 3 (company's perspective)
Result Analysis
    Web Search Strategy
        Website selection
        Key words and alternatives
        Other methods
    Results Filtering
        Numerical
        Abbreviation
        Name
        Date
        Frequency of repetition
    Classification
        Based on Organizational Structure
        Based on Information Type
        Based on Channel
Summary
    Conclusion
    Recommendations
        Managerial protection system
        Technical protection system
    Further Studies
Appendices
    Result Analysis
    Web Search Strategy
        Website selection
        Key words and alternatives
        Other methods
    Results Filtering
        Numerical
        Abbreviation
        Name
        Date
        Frequency of repetition
    Classification
        Based on Organizational Structure
        Based on Information Type
        Based on Channel
    Web Searching Results
    Distributions
Reference


Introduction
Background
In the modern world, the threat coming from public sources of information is on the rise. The rapid development of social networks poses a serious danger not only to individuals but also to a company as a whole, because people do not recognize the boundary between general company information and sensitive company information. Other channels for information leaks existed before, but with the development of search engines the entry level for data mining is falling, which at the same time increases the number of possible attackers.

A sound information security management program involves more than a few strategically placed firewalls. These safeguards, while important, are only truly effective as part of an overall information security management system. The integration of existing security technologies and processes into a cohesive framework for security management will ultimately reduce inefficiencies and redundancy and ensure the manageability of those solutions. A comprehensive security program should contain the proper balance between people, processes and technology to effectively manage risk with minimal impact on normal business operations.

In order to build an appropriate information security program, an organization should assess and define its specific security requirements, design a solution that meets those unique requirements, deploy the necessary policies, technology and procedures, and continuously maintain, adapt and improve that solution. An organization's overall security strategy will provide a framework for defining the elements necessary in building and maintaining a sound security management program. Strategic planning can take many forms, but the end result should yield a documented approach for achieving goals set within the framework of a specific strategic objective. In the case of information security, the strategic objective is the satisfaction of protection requirements for an organization's information assets.


The Project Overview


To our knowledge, Fonterra has no current system or protocol in place that actively sifts through information on the Internet and analyzes the potential risk it could pose to the company. This is one of the main reasons for the project, as cybercrime is growing rapidly. All one needs to do is Google "cybercrime", and the search results are littered with headlines like "Cybercrime growing in emerging countries!" and "Cybercrime shows significant growth from previous year."

To give some indication: in 2009, Symantec blocked an average of 100 potential attacks per second. Malicious code is as prevalent as ever, with more than 240 million distinct new malicious programs identified by Symantec in 2009, a 100 percent increase over those found in 2008. Even though the scope of this project doesn't stretch far enough to cover malware, such programs are created to take advantage of vulnerabilities found in computer systems. All the attackers need to know is whether a company houses these systems, and they can be exploited.

The Project Team


Nadia: By completion of the project, I am hoping to gain knowledge and research and analysis skills. I want to gain experience of how to work with a real company in the future. Also, I want to improve my communication skills with the team and the client.

As my major is Information Service, I have taken the following papers: IT Project Management, CCNA, Network and System Administration, and Needs Analysis, Acquisition and Training. I will use the knowledge gained from each of these papers to help me complete the project with my team. From the IT Project Management paper I've studied, I have experience handling and controlling a project with management skills. In CCNA and Network and System Administration, I got basic knowledge of an IT network. The Needs Analysis, Acquisition and Training paper really helps me to do the research and analyze the information for the company.

Dima: In general I am a purely technical person, with a strong interest in new technologies, mostly related to security issues. I also have a strong interest in areas like social engineering and people's psychology (how they act in critical situations). My technical skills relate to the following areas:
- Network security
- Networking
- Software development

The team can gain from the following personal capabilities:
- Result driven
- Capable of working under pressure
- Analytical thinking

Shane: This paper gives us the chance to really test all that we've learnt over the past few years and how we can adapt our skills to the real-world tasks that have been set. Personally I feel I bring quite a lot to the table. I'm a strong communicator and work well within groups where communication is such a key role in keeping projects afloat. I'm a dedicated worker and enjoy motivating people around me to give their best in their work. Technically speaking I'm a network security/net centric major but have completed a variety of papers including project management, advanced Internet technology, data process modelling and management, and Innovation. Each module has challenged me to develop new skills which I've thoroughly enjoyed learning. Professionally I've had the privilege of working with a couple of companies over the summer break, which has really taught me a lot. I'm persistent in anything I do, with an aggressive willingness to learn and improve my skills where I can.


The Objectives of Research


The outcome of the project is to provide a series of reports detailing the different types of information that have been published on the Internet, or that pose potential risks, for the different areas of Fonterra. The report will let the company find out what kind of public information can help hackers attack its internal and external systems. This in turn gives the company a better picture of what risk management process Fonterra can apply to stop such attacks from happening.

The client's company wanted to deploy a proactive risk management approach in order to be able to deal with risks before they become problems. In addition, they also convey the message that they should also pursue opportunities. The report will show the potential threats and a potential opportunity for Fonterra to act on vulnerabilities before they can be exploited. This will also help them effectively manage strategic and business planning, as well as supporting effective use of resources and promoting continuous improvements to their structure.

1.1.1 We will widely research the different types of technical attacks, focusing especially on the new and emerging methods and trends hackers are now using. We need to categorize them so that the client is presented with an easy-to-read review. Then we will pass on our findings to the client to select and confirm what he is really interested in.
1.1.2 Based on the client's feedback, we will analyze each type of attack in detail. We will follow our methodology step by step, starting with defining the information required for the scenario, then collecting the required data, analyzing it and reporting the data. For the first scenario, we will let the client review and sign off the approach if we have done it correctly. After that, we will keep the same approach for roughly another five scenarios.
1.1.3 We will summarize the reports of each scenario together.
1.1.4 From the information gathered we will piece together what we believe the current organizational structure of Fonterra is and then hand it to our client to see how accurate we were. This helps us build the bigger picture.


Methodology

Scope of Research
Within New Zealand
The project team is fully aware that Fonterra is a multinational company with subsidiary organizations in many countries around the globe. As part of its daily operation, the Internet plays an increasingly important role and has even become indispensable in Fonterra's communications, transactions, and information transmission. However, due to the limits of time and available resources, this project is scoped to focus on the Internet security issues of Fonterra's operations within New Zealand. The project may cover some cross-border Internet use; nevertheless, the end users are located in Fonterra New Zealand.

Language: English only


For similar reasons as above, the research in this project is limited to a linguistic scope of English only, as it is the official language used in Fonterra New Zealand.

Solely Internet, excluding other media


Some information is distributed not only via the Internet but also through other media. For example, an employee's CV can be submitted to potential employers or job brokers through the Internet; meanwhile, CVs are also commonly sent out by post, by fax, or even passed on in phone calls. In this case, the project will focus on information passing through the Internet only. In other words, we study only what sensitive information is being sent out on the Internet, rather than whether and how CVs are spread.

Excluding business information exchange and/or publications


Literature review on internet security


Internet security can be defined as the protection of data from theft, loss or unauthorized access, use or modification. With the constantly evolving nature of the Internet, it is vital that users continuously protect themselves and their information. This issue is so important that many large firms employ full-time security experts or analysts to maintain network security. According to the statistics by Symantec Corp. (2010), there are several new trends in Internet security issues in recent years, which can be summarized as:
- In 2009, Symantec blocks an average of 100 potential attacks per second
- Symantec releases new Threat Report: Cybercrime's Growth Shows No Slowdown during Economic Crisis
- Growth in threats focused on enterprises
- Symantec finds attackers use personal info found on social sites
- Toolkits make cybercrime easier than ever for unskilled cybercriminals to compromise PCs and steal info
- Today's attackers use social engineering techniques to lure users to malicious websites
- Dramatic growth in attacks targeted at PDF viewers, accounting for 49 percent of Web-based attacks in 2009
- Malicious activity takes root in countries with emerging broadband infrastructure

The increased security threats have the following causes:

Increased Usage: In the last 10 years the face of computing has changed dramatically. More and more businesses rely heavily on networked systems and the Internet to conduct business. In just a few years, we have turned into a wired world, with information of any type accessible from just about anywhere, by anyone. At the end of 1999, there were approximately 200 million users online worldwide. That number is expected to increase to 1.7 billion users by the year 2009. As more people use the Internet, the number of potential targets increases. Furthermore, as more and more businesses store their valuable information online, the potential for theft or damage increases.

Always-On Connections: In response to the need for greater speed and higher carrying capacity, most small or home business users rely on high-bandwidth, always-on connections to the Internet such as DSL (digital subscriber line) or cable modems. Always-on connections have two important characteristics that increase vulnerability. Firstly, because they are always on, they are always available for potential attackers to access. An unprotected connection to the Internet is an open two-way channel through which information goes in and out of the system unimpeded. As long as an unprotected connection is maintained, it serves as a point of entry for potential intruders to enter or attack the system. Secondly, always-on connections have static or unchanging IP addresses. As high-speed connections often remain connected even when the computer is not in use, the IP address never changes. Once a potential hacker has found the computer, he or she will be able to return to it as long as it is using the same IP address, placing it at greater risk of malicious intrusion.

Insecure Technology: Another factor that has increased the risk of intrusion for Internet users is the tremendous rate of technological change. The pace of technological development has never been faster, and the world is trying frantically to catch up with it. Software developers strive to make their programs more user-friendly, often sacrificing security or reliability. Many commercial software packages that are released to market contain inherent flaws that may be exploited by attackers. This puts the end user at risk: not only is the technology potentially vulnerable, but users are often unaware of how they may be at risk.

Lack of Education: One of the biggest security concerns that a business organization may face today is a lack of information about the threats that exist on the Internet. This doesn't mean that people don't care, or aren't concerned, but in today's world of doing business at light-speed, managers do not have the time or resources to stay on top of the latest developments in information security. For most large enterprises, employing someone full-time to maintain system security is commonly seen as an option, and these IT security people are making great efforts in Internet security; however, as far more employees are using the Internet in their daily jobs than ever before, it is significantly harder than ever for IT security people to keep the company's system safe from fast-developing threats as well as to keep every employee's Internet security knowledge up to date. Furthermore, for companies with higher personnel turnover, more staff changes in a working team bring more difficulty in IT security education.

Scenario Analysis
From the above literature review, the security issues that a company like Fonterra may confront in its operations can be seen as several typical scenarios. These scenarios can be classified into a few categories as follows:

Category 1 (individual, how to use internet)


Scenario A: People expose their email address, date of birth, cell phone number, telephone number and/or extension number, employee ID, car registration number, etc. on the Internet. This information can be used by hackers to help break into the company's system, especially in brute force attacks, as this information is very frequently used in IDs and/or passwords. For example, suppose a person uses his cell phone number as the password to his email, and it also happens to be the password for his access to the company's system; when the hacker somehow learns his cell phone number, it would be very easy for the hacker to break into his email box and even into the company's system.

Scenario B: For their own convenience, employees use their working ID and/or password for other purposes, such as forums, alumni sites, etc. In this case, once the forum or alumni site has been broken into by hackers, these universal IDs and passwords would be very helpful for the hackers in accessing the company's system, thereby causing leaks of data and sensitive information.

Scenario C: Through social websites, such as Facebook, LinkedIn, and microblogs, personal information can all be linked. It is almost certain that some of Fonterra's employees are using this kind of website. The potential risk in using these websites is that personal information is easily shared by people and thus spreads unpredictably fast. Recently, mobile phones have become more connected to the Internet, giving hackers many more possibilities to access this personal information. For example, some people may use a mobile phone to access unsafe websites, thus giving hackers the chance to scan the memory of these phones for sensitive or personal information, such as working contacts, job notes, etc.
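Scenario A, turned into a defensive check (an added example, not part of the original report): a password-change hook that rejects candidate passwords built from an employee's own exposed attributes. The profile fields, sample values, the New Zealand country code handling and all function names are assumptions made for illustration.

```python
import re
from datetime import date

MIN_TOKEN_LEN = 4  # shorter fragments (e.g. "123") would match too many passwords

# Constructed sample profile: the attribute types Scenario A lists as exposed online.
SAMPLE_PROFILE = {
    "email": "jane.smithson@example.com",
    "cell_phone": "+64 21 555 0142",
    "extension": "4821",
    "employee_id": "FT-20731",
    "car_registration": "ABC123",
    "date_of_birth": date(1984, 3, 17),
}


def _alnum(text):
    """Lowercase and drop separators so '021-555-0142' and '0215550142' compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def _phone_variants(value, country_code="64"):
    """International digits plus national forms with and without the leading 0."""
    digits = re.sub(r"\D", "", value)
    variants = {digits}
    if digits.startswith(country_code):
        national = digits[len(country_code):]
        variants.update({national, "0" + national})
    return variants


def _date_variants(dob):
    """Common numeric spellings of a birth date, including the bare year."""
    formats = ("%d%m%Y", "%m%d%Y", "%Y%m%d", "%d%m%y", "%m%d%y", "%y%m%d", "%Y")
    return {dob.strftime(fmt) for fmt in formats}


def derived_tokens(profile):
    """Return (token, attribute) pairs that a password must not contain."""
    pairs = set()
    for attribute, value in profile.items():
        if not value:
            continue
        if isinstance(value, date):
            candidates = _date_variants(value)
        elif attribute.endswith("phone"):
            candidates = _phone_variants(value)
        elif attribute == "email":
            local = value.split("@", 1)[0]
            candidates = {_alnum(local)} | {_alnum(p) for p in re.split(r"[._+-]", local)}
        else:
            candidates = {_alnum(value), re.sub(r"\D", "", value)}
        pairs.update((tok, attribute) for tok in candidates if len(tok) >= MIN_TOKEN_LEN)
    return pairs


def exposed_attributes_in(password, profile):
    """Names of the profile attributes whose values appear inside the password."""
    normalized = _alnum(password)
    return sorted({attr for tok, attr in derived_tokens(profile) if tok in normalized})


def is_acceptable(password, profile):
    """True when the password contains none of the employee's exposed attributes."""
    return not exposed_attributes_in(password, profile)


if __name__ == "__main__":
    for candidate in ("021-555-0142!", "Smithson!1984", "correct horse battery staple"):
        print(candidate, "->", exposed_attributes_in(candidate, SAMPLE_PROFILE) or "ok")
```

Such a check belongs in the password-change path, where the plaintext candidate is briefly available; it complements, rather than replaces, length and breached-password checks.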

Category 2 (individual, where to access internet)


Scenario D: Employees use unsafe computers to access the company's system and leave traces behind, for example by using clients' computers, computers at an Internet café, etc. Nowadays, people are becoming much more aware that accessing their personal online banking through unsafe computers is risky; nevertheless, are these people really aware that accessing the company system through unsafe computers puts the company and its computer system at risk?

Scenario E: Employees use wireless Internet access at home or in other places where the wireless networks, such as Wi-Fi, are not protected and remain accessible to other users within range. Wireless Internet access is more and more available and has shown its convenience. However, some Wi-Fi systems are not protected, or the protections are not in use. This leaves the possibility of information leaking. For example, an employee uses the Internet to access his company's system when he is at home, believing that the computer he is using is fairly safe compared with publicly accessible ones; but the Wi-Fi system at his home is not protected properly, and what he is doing on his home computer is easily exposed to other computers.

Scenario F: Mobile accessibility for travelling employees, VPN? What about employees on business trips? Their laptops are supposed to be safe; nevertheless, how they access the company's system remotely will determine whether it is really safe or not.

Category 3 (company's perspective)


Scenario G: The company uses servers and/or databases that are managed by other IT service providers. This is always the major Internet security concern for a company. When the company's system is managed and maintained by an agent, the agent (service provider) always has a high level of access to the system and database; once a serious information leak happens, the IT agent is always under suspicion.

Scenario H: Employees or the company set up a chat room, forum, etc. that is outside the company's control, such as the Fonterra alumni group on LinkedIn. In this case, the company has almost no control over what information is published on these websites. The worst case is that the external forum or chat room is for business use; in most cases, they are not 100 percent for business use but are to some extent business relevant. The company basically has no control over what people talk about on these websites, and it has very limited control over who can access these forums or chat rooms.

Scenario I: Employees use computers at the company while opening other software such as Outlook, MSN, etc., thereby leaving a side door for spyware or malware to access the company's system. The workable way to prevent this is to remove some social applications from the company's computers; however, relevant management policies are needed as well.

Scenario J: Foreign/unauthorized mobile storage devices, such as USB drives, memory cards, etc., are physically connected to the company's computers, passing on viruses and digging out information. This is a difficult area to control, as it is always related to technical authorization and management policies. Numerous mobile devices can be expected to connect to the company's system during the daily operations of a large company like Fonterra, and they are a very likely way to spread viruses.

Scenario K: Email management: Email is always the largest aspect of Internet use for the company. Therefore it is the most likely route for spreading viruses and spyware. Technically, spam management and antivirus software are the most common measures seen in businesses; updating and maintaining this protective software is as important as having it.

There is one point here that should be noted: in business practice, the security issues of Internet applications are very likely not limited to the above scenarios. The scenarios listed above are

Result Analysis
In this section, we will try to search the Internet to find out whether the scenarios stated in the section above are possibly happening or actually happening in Fonterra's business Internet applications. If so, we will then try to identify which scenarios occur more often than others; in other words, which are riskier than others in Internet applications for Fonterra. The following section will then work on providing solutions.

Web Search Strategy


Website selection
- Email and attachments
- Blog
- Chat tool/room
- Microblog
- Form submission
- Online survey
- Forum

Key words and alternatives

Other methods

Results Filtering
Numerical

Abbreviation


Name

Date

Frequency of repetition

Classification
Based on Organizational Structure

Based on Information Type

Based on Channel


Summary
Conclusion
Internet Security incorporates not only the technology needed to support a solid security strategy but also those policies and processes that must be incorporated in order for that strategy to work. New methods of breaking into corporate networks are resulting in major losses. This book provides the latest information on how to guard against attacks and informs the IT manager of the products that can detect and prevent break-ins. Crucial concepts such as authentication and encryption are explained, enabling the reader to understand when and where these technologies will be useful. Due to the authors' experience in helping corporations develop secure networks, they are able to include the newest methods for protecting corporate data. This book helps you to shield data from both the internal and external intruder, discover products that can detect and prevent these break-ins, protect against major losses with the latest incident handling procedures for detecting and recovering data from new viruses, and get details of a full security business review from performing the security risk analysis to justifying security expenditures based on your company's business needs.

Recommendations
There should be a review of the current status of the Internet applications in Fonterra, and all improvements should be based on that review. The review might focus on the following questions:
1. What is Fonterra using: Dynamic Password/Dynamic Cipher system or security question?
2. Does Fonterra have any kind of forum and/or alumni group outside the company's system? How do Fonterra's employees and ex-employees set their IDs and passwords?
3. How many company mobile phones are using the Internet? Are these phones protected?
4. Is Fonterra's system accessible through unauthorized computers? Is there any protection?
5. How many of Fonterra's employees access the company's system at home, and how many of them use Wi-Fi?
6. How do Fonterra's employees access the company's system remotely? VPN?
7. Does Fonterra have its own server? Are all the systems and databases under the company's full control?
8. How many forums and chat rooms related to Fonterra's employees are known to the company? Is there any control over them?
9. What is the current policy in Fonterra regarding computer and Internet use?
10. How is Fonterra dealing with mobile storage devices connected to the company's system?
11. How many employees of Fonterra are using social mail addresses, such as Hotmail or Gmail, as their working email? And how many employees are using their working emails as their social email?

Managerial protection system


- Rules and regulations in daily internet use
- Internet security education
- Internal monitoring

Technical protection system


- Firewall and antivirus
- Information scanning and screening
- System enclosure and hardware identification

Further Studies


Appendices
Result Analysis
Web Search Strategy
Website selection
- Email and attachments
- Blog
- Chat tool/room
- Microblog
- Form submission
- Online survey
- Forum

Key words and alternatives

Other methods

Results Filtering
Numerical

Abbreviation

Name

Date


Frequency of repetition

Classification
Based on Organizational Structure

Based on Information Type

Based on Channel

Web Searching Results

Distributions


Reference
