D2.1 A Report on taxonomy and evaluation of existing
inventories
Deliverable submitted on 30 November 2014 in fulfilment of the requirements of the FP7
project, E-CRIME – Economic Impact of cyber crime
This project has received funding from the European Union’s Seventh Framework Programme for research,
technological development and demonstration under grant agreement n° 607775.
E-CRIME Coordinator:
Trilateral Research & Consulting (TRI)
Crown House
72 Hammersmith Road
London
W14 8TH
T: +44 207 559 3550
www.ecrime-project.eu
Project Acronym: E-CRIME
Project full title: Economic impact of cyber crime
Website: www.ecrime-project.eu
Grant Agreement #: 607775
Funding Scheme: FP7-SEC-2013-1
Deliverable number: 2.1
Title: A Report on Taxonomy and evaluation of existing inventories
Due date: 31/10/14
Actual submission date: nn/11/14
Lead contractor: University of Lausanne
Contact: Professor Solange Ghernaouti
Authors: David Simms, Solange Ghernaouti
Reviewers: WWU
Dissemination Level:
Version control: Word document

Version | Action | Name | Date | Title
Version 0.1 | Originated by | David Simms | 16/10/14 | E-CRIME Del 2.1 v0.1
Version 0.2 | Internal review Unil | Solange Ghernaouti | 27/10/14 | E-CRIME Del 2.1 v0.1
Version 1.0 | Reviewed by | Review partners | 31/10/14 | Del 2.1 Report v1
Version 2.0 | Updated by | David Simms | 14/11/14 | E-CRIME Deliverable 2.1 20141114
Version 2.1 | Internal review Unil | Solange Ghernaouti | 17/11/14 | E-CRIME Deliverable 2.1 20141117
Version 2.2 | Updated after internal review WWU | David Simms | 28/11/14 | E-CRIME Deliverable 2.1 20141128
Version 2.2 | Review and inclusion of Excel file | Timothy Mitchener-Nissen | 28/11/14 | E-CRIME Deliverable 2.1 20141128_TMN
Version 2.2 | Final review | Monica Lagazio | 29/11/14 | E-Crime Deliverable 2 1 20141128_FINAL
Contents
1 Abstract
2 Executive Summary
3 Introduction
3.1 Context
3.2 Objectives
3.3 Methodology
4 Results and Commentary
4.1 Divergent approaches to building a taxonomy
4.1.1 Approaches based on traditional criminology
4.1.2 Approaches based on technologies, adversaries and threats
4.1.3 Approaches based on a classification of the authors
4.1.4 Approaches based on the impacts of cybercrime on victims
4.2 Dissenting views
4.3 Two dimension taxonomies
4.4 Three dimension taxonomies
4.5 Proposals by international bodies
4.5.1 The Council of Europe Convention on Cybercrime
4.5.2 The UN Manual on the prevention and control of computer related crime
4.6 Police forces and investigation agencies
4.6.1 Europol
4.6.2 Interpol
4.6.3 UK National Crime Agency
4.6.4 Bundeskriminalamt
4.6.5 Cybercrime Coordination Unit Switzerland
4.6.6 Federal Bureau of Investigation
4.6.7 Summary of police and law enforcement approaches
4.7 The taxonomy of information sources
4.7.1 Structure of the taxonomy
4.8 Quality of the information
4.9 Timeliness of the information
4.10 Targets of the information
4.11 Usefulness of this information for this project
5 Commonalities and exclusions
5.1 Points of consistency
5.2 Exclusions
5.3 Complexities
6 Conclusions
6.1 Conclusions on the taxonomy of cybercrime
6.2 Conclusions on the taxonomy of data sources
7 Appendices
7.1 Appendix A
8 References
1 Abstract
In order to understand, measure and combat cybercrime, it is necessary to have a robust
framework in which different aspects of cybercrime can be classified and categorised. This
document presents an analysis of the existing attempts to present such a taxonomy and
considers how useful such classifications are, given the range of approaches that have been
followed and the rapidly evolving nature and extent of cybercrime.
The proposed taxonomy explicitly excludes activities that could be considered cyberterrorism
or cyberwarfare. It contains four main categories of activities that can have clear economic
impacts:
1. Criminal online financial activity.
2. Activities causing the breakdown, interruption or incorrect operation of services or
infrastructures.
3. The theft or hijacking of processing capacity.
4. The theft of information, secrets, intellectual property, or knowledge.
Within these categories, further classification could be performed according to the following
criteria:
1. Targeted or non-targeted attacks
2. High or low value targets
3. Aimed at consumers or companies
4. Direct cybercrime or infrastructure crime
This document also presents the findings of a second task, which was the identification and
evaluation of the sources of information in respect of cybercrime. This review task
demonstrates that detailed information in respect of a number of specific areas of cybercrime
is not widely publicly available, even though there are numerous sources of general
information and national centres for reporting cyberattacks and obtaining information on
security and vulnerabilities.
2 Executive Summary
This report marks an important milestone in the early stages of the E-CRIME project. In order
to be able to assess how users, both individual and organisational, of the Internet might be
able to inform themselves about the methods and identifying signs of cybercrimes and thereby
begin to protect themselves, it is essential at an early stage to be able to categorise
cybercrimes in a structured and coherent manner.
Many manifestations of cybercrime have predecessors or analogues in the non-digital world
and can be identified and categorised according to traditional taxonomies used in
criminology. Other types of activity are harder to classify, however, and experts differ on how
they should be treated.
There is no agreement among experts on the best approach to creating a taxonomy of
cybercrime. There exist numerous points of commonality, but such agreement is accompanied
by differences on structure, definitions and contents.
The taxonomy of cybercrime proposed for the purposes of further research within this project
explicitly excludes activities that could be considered cyberterrorism or cyberwarfare. It
contains four main categories of activities that can have clear economic impacts:
1. Criminal online financial activity.
2. Activities causing the breakdown, interruption or incorrect operation of services or
infrastructures.
3. The theft or hijacking of processing capacity.
4. The theft of information, secrets, intellectual property, or knowledge.
To allow for useful granularity across dimensions, it is suggested that within these categories,
further classification could be performed according to the following criteria:
1. Targeted or non-targeted attacks
2. High or low value targets
3. Aimed at consumers or companies
4. Direct cybercrime or infrastructure crime
In respect of the second task undertaken in this phase of work, the identification and
evaluation of the sources of information in respect of cybercrime, it has been demonstrated
that detailed information in respect of a number of specific areas of cybercrime is not widely
publicly available, even though there are numerous sources of general information and
national centres for reporting cyberattacks and obtaining information on security and
vulnerabilities. An inventory of publicly available information sources has been created,
classified and evaluated, and this inventory is attached to this document as Appendix A.
3 Introduction
3.1 Context
This deliverable is the first formal published output from work package 2, “Mapping
Cybercrime”. In this work package, partners will: investigate definitions of cyber crime and
provide a conceptual framework and categorisation of cyber crime in non-ICT sectors to be
used for the project; develop an inventory of crime committed against non-ICT sectors
through the use of communication networks; analyse the structures of cyber crime networks,
their interactions and the economies and criminal revenue streams that support these
networks; and develop perpetrator and victim “journeys”.
This report is being published at an early stage in the three-year project because of its
significance to other work packages. With the E-CRIME project consisting of a number of
concurrent and overlapping work packages, a number of tasks need to be completed as early
milestones and the deliverables published in order to permit the detailed planning and precise
scoping of other activities, specifically Tasks 1.2 and 1.3 as well as successive tasks within
work package 2.
This report presents the results of the work performed in respect of Tasks 2.1 and 2.2 of work
package 2. Task 2.1 consisted of conducting an interdisciplinary review of existing literature,
academic sources and policy documents in order to develop a taxonomy of cybercrime. Task
2.2 consisted of developing an inventory of cyber crime committed against non-ICT sectors,
initially based on external data sources, in Europe and beyond and of evaluating the reliability
and completeness of these data sources.
This report stands alone as a specific piece of work relating to the completion of two specific
tasks within work package 2, but it should be remembered that it is one deliverable among
many that will present a comprehensive view of the current state of cybercrime.
3.2 Objectives
The objectives for this task were to detail the development and the key categories of the
taxonomy of cybercrime in non-ICT sectors, evaluating existing taxonomies and inventories.
This has led to a synthesis of expert thinking on the subject as a basis for further work on
mapping victim journeys and determining the scale and scope of cybercrime.
3.3 Methodology
Task 2.1 was performed by means of a review of the existing literature and an evaluation of
the published approaches and classifications. Sources of information included, inter alia,
journals and conference proceedings in the fields of law, criminology and information
systems, reports published by think-tanks and law enforcement agencies, scholarly textbooks,
and the websites of police agencies.
Task 2.2 was performed by asking each partner organisation for contributions based around a
standard template designed by the lead partner for the task. The results obtained from each
partner were combined into a master worksheet and the taxonomy was derived from the
comments and inputs received. The draft output, including an outline version of this report,
was circulated among partners for review and comment and their comments incorporated into
the final version.
4 Results and Commentary
4.1 Divergent approaches to building a taxonomy
A number of divergent approaches to creating a cybercrime taxonomy have been proposed.
Some of these approaches, such as the comparisons to traditional crimes, stand alone, while
others are hybrid or can be combined to present more nuanced and focused classifications.
It is important to distinguish in this context approaches based on the technical nature of
cyberattacks and approaches based on the impacts of the activities and how these can be
classified according to a criminological perspective. This is significant within the overall
E-CRIME project, the focus of which is towards the effects of cybercrime on non-ICT domains.
The impacts on sectors such as critical infrastructure are more relevant than the technical
details of which parts of the IT infrastructure are manipulated during the perpetration of
crimes.
Williams (2008) [1] refers to the acute limitations of these traditional definitions of
cybercrime, particularly with reference to the application of existing criminal laws and
structures for prosecution to commonly committed cybercrimes. Depending on the type of
activity undertaken by attackers and the point at which it is detected and prosecuted, different
charges may be brought. Such complexity exists within local and national legal systems;
different approaches and philosophies exist in different territories.
Focusing on cyberattacks themselves rather than on their legal classification, Williams
discusses the need for “recourse strategies” to be adopted and implemented by organizations
to address cybercrime, featuring in particular proactive measures to offer preventive defence
rather than attempting to rely on reactive measures. In order to be effective, such strategies
need to be based on coherent taxonomies that enable easy and efficient information sharing.
Referring to Howard and Longstaff [2], Simmons et al. [3] suggest that “a successful
taxonomy should satisfy several requirements for its universal acceptance. Typical
requirements include the following:
- Accepted – builds on previous work that is well accepted.
- Mutually exclusive – each attack can only be classified into one category, which prevents overlapping.
- Comprehensible – clear and concise information; able to be understood by experts and those less familiar.
- Complete/exhaustive – available categories are exhaustive within each classification, it is assumed to be complete.
- Unambiguous – involves clearly defined classes, with no doubt of which class an attack belongs.
- Repeatable – the classification of attack should be repeatable.
- Terms well defined – categories should be well defined, and those terms should consist of established terminology that is compliant within the security community.
- Useful – use and gain insight into a particular field of study, particularly those having great interest within the field of study.”
Such an analysis is surely critical if a taxonomy is to be useful, robust and widely adopted. As
we have seen above, however, and again in Section 4.1.3 below, the second criterion is
particularly problematic in respect of cybercrime because of the absence of exclusivity and
the problems of complexity. These aspects are further discussed in Section 5 below.
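To make both threads concrete, the following Python example (added here; it is not code from the E-CRIME project or from any of the cited authors) models the four main categories and the four sub-classification criteria proposed in the Abstract and Executive Summary, then checks a set of incidents against the second and fourth Howard/Longstaff requirements quoted above, mutual exclusivity and completeness. The six incident records, the controlled vocabulary of observed effects (funds_obtained, service_disrupted, capacity_hijacked, information_taken), the mapping from effects to categories and the field names of the Incident class are all constructed assumptions; the ransomware record is deliberately given two effects so that the absence of exclusivity described in the paragraph above shows up in the check.

```python
"""Added example, not part of the E-CRIME report: a small model of the taxonomy
the report proposes (four categories, four criteria) plus a check of the
Howard/Longstaff requirements 'mutually exclusive' and 'complete/exhaustive'
over a constructed set of incidents."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    # The four main categories proposed by the report.
    FINANCIAL = "Criminal online financial activity"
    DISRUPTION = "Breakdown, interruption or incorrect operation of services or infrastructures"
    CAPACITY_THEFT = "Theft or hijacking of processing capacity"
    INFORMATION_THEFT = "Theft of information, secrets, intellectual property or knowledge"


# Constructed vocabulary of observed effects; the effect-to-category mapping is
# an assumption of this example, not something the report defines.
EFFECT_TO_CATEGORY = {
    "funds_obtained": Category.FINANCIAL,
    "service_disrupted": Category.DISRUPTION,
    "capacity_hijacked": Category.CAPACITY_THEFT,
    "information_taken": Category.INFORMATION_THEFT,
}


@dataclass(frozen=True)
class Incident:
    description: str
    effects: frozenset[str]   # subset of EFFECT_TO_CATEGORY keys (assumed field)
    targeted: bool            # criterion 1: targeted vs non-targeted
    high_value: bool          # criterion 2: high vs low value target
    consumer: bool            # criterion 3: aimed at consumers vs companies
    direct: bool              # criterion 4: direct cybercrime vs infrastructure crime
    political: bool = False   # political motive: cyberterrorism/cyberwarfare, out of scope


def classify(incident: Incident) -> set[Category]:
    """Every main category the incident's observed effects fall into.
    Politically motivated incidents are excluded by the report, so they map to none."""
    if incident.political:
        return set()
    return {EFFECT_TO_CATEGORY[e] for e in incident.effects if e in EFFECT_TO_CATEGORY}


def criteria_labels(incident: Incident) -> tuple[str, str, str, str]:
    """The incident's position on the report's four sub-classification criteria."""
    return (
        "targeted" if incident.targeted else "non-targeted",
        "high value" if incident.high_value else "low value",
        "consumers" if incident.consumer else "companies",
        "direct cybercrime" if incident.direct else "infrastructure crime",
    )


def check_requirements(incidents: list[Incident]) -> dict:
    """Mutually exclusive: exactly one category per in-scope incident.
    Complete: every in-scope incident receives at least one category."""
    report = {"mutually_exclusive": True, "complete": True, "excluded": 0, "violations": []}
    for inc in incidents:
        if inc.political:
            report["excluded"] += 1  # counted but never classified
            continue
        cats = classify(inc)
        if len(cats) > 1:
            report["mutually_exclusive"] = False
            report["violations"].append((inc.description, "more than one category"))
        elif not cats:
            report["complete"] = False
            report["violations"].append((inc.description, "no category"))
    return report


def cross_tab(incidents: list[Incident]) -> dict[Category, Counter]:
    """Per main category, how the classified incidents split on each criterion."""
    table = {c: Counter() for c in Category}
    for inc in incidents:
        for cat in classify(inc):
            table[cat].update(criteria_labels(inc))
    return table


# Constructed sample incidents; none of them is a case taken from the report.
SAMPLE_INCIDENTS = [
    Incident("Mass phishing e-mail harvesting bank customers' credentials",
             frozenset({"funds_obtained"}), targeted=False, high_value=False, consumer=True, direct=True),
    Incident("DDoS taking a retailer's web shop offline",
             frozenset({"service_disrupted"}), targeted=True, high_value=True, consumer=False, direct=False),
    Incident("Cryptomining botnet installed on home PCs",
             frozenset({"capacity_hijacked"}), targeted=False, high_value=False, consumer=True, direct=True),
    Incident("Exfiltration of a manufacturer's design documents",
             frozenset({"information_taken"}), targeted=True, high_value=True, consumer=False, direct=True),
    Incident("Ransomware halting a hospital's systems until payment",  # two effects: not exclusive
             frozenset({"service_disrupted", "funds_obtained"}), targeted=True, high_value=True, consumer=False, direct=True),
    Incident("State-directed attack on another state's air defence network",
             frozenset({"service_disrupted"}), targeted=True, high_value=True, consumer=False, direct=False, political=True),
]

if __name__ == "__main__":
    result = check_requirements(SAMPLE_INCIDENTS)
    print("mutually exclusive:", result["mutually_exclusive"], "| complete:", result["complete"],
          "| excluded:", result["excluded"])
    for description, reason in result["violations"]:
        print("  violation:", reason, "->", description)
    for cat, counts in cross_tab(SAMPLE_INCIDENTS).items():
        print(cat.name, dict(counts))
```

Running the module prints the requirement report and the cross-tabulation. The ransomware record lands in both the financial and the disruption categories, which is precisely why a taxonomy that classifies by impact alone fails the mutual-exclusivity requirement; the politically motivated record is counted as excluded rather than classified, mirroring the report's decision to keep cyberterrorism and cyberwarfare out of scope.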
Moitra (2005) [4] discusses the issues involved in developing policies in respect of
cybercrime. He defines five key questions that need to be answered in order to develop
“effective, efficient and equitable policies”. These questions are:
- What is cybercrime?
- Who commits cybercrime?
- How much cybercrime is there?
- What are the impacts?
- How can we respond effectively, efficiently and equitably?
A robust taxonomy is seen as essential as a starting point to addressing these questions.
Moitra argues that while there is a consensus that the Internet has become an arena for deviant
behaviour, there remain questions about the extent to which it has facilitated criminal activity,
and the nature of these crimes. He proposes what he acknowledges to be a wide definition of
cybercrime as any unauthorized, deviant, or illegal activity over the Internet that involves a
computer (or computers) as the tool to commit the activity and a computer (or computers) as
the target of the activity. Therefore, in this definition, it has at least three components: a
computer with which the action is perpetrated, a victim computer, and an intermediary
network. Although high-level and deliberately non-specific, this description is however
perhaps not wide-ranging enough.
The need for a taxonomy to respond to cybercrime is a practical measure: without a
disaggregation of cybercrime by crime type, meaningful policy responses cannot be
developed. Moitra also discusses the need to measure the relative seriousness of cybercrimes,
considering all the impacts, both tangible (loss of data, financial costs) and intangible (loss of
confidence in using the Internet, inhibitions). The question of intangible impacts is subtle but
important in an increasingly interconnected world.
4.1.1 Approaches based on traditional criminology
Some sources draw on the long and well-established traditions of criminal justice, viewing
computers and the Internet as a tool with which existing crimes are facilitated and thus
viewing cybercrime as an extension of traditional criminality. For example, Wall (2007) [5]
considers the rise and rapid adaptation of cybercrime from the perspective of criminal justice.
He bases his analysis on the idea that the Internet is an additional, new tool to commit crimes
and develops a high-level definition of three different types of crimes: traditional crimes
adapted to be committed through the new media; partially new crimes, which are known
crimes that are modified to better correspond and react to the new media; and new crimes that
have been made possible by the existence and scope of the Internet.
Brenner (2006) [6] discusses how the common working definition of cybercrime as “a crime
committed on a computer network” needs to be fitted into specific legal frameworks, both
national and international. She describes how the basic definition can cover a great deal of
traditional crime committed by different means, giving theft, extortion, harassment, vandalism
and trespassing as common examples and even speculating that homicide as a cybercrime
could be feasible.
She describes the development of new types of cybercrime, such as distributed denial of
service (DDoS) attacks, designed to overload servers and shut down websites. If done in order
to extort money from the victims, this is clearly a modern day take on an old-fashioned
protection racket. If done without such intentions, such as was the case of the February 2000
DDoS attacks on amazon.com and ebay.com, then it falls outside traditional definitions of
crime and cannot thus be effectively prosecuted.
Since Brenner’s work was published the concept of “Hacktivism” has entered the public
consciousness, with groups such as “Anonymous” (insofar as “Anonymous” can be
considered to be an organised group) carrying out attacks on the online presence of their
targets and using DDoS attacks as a form of visible and disruptive protest.
She also indicates another limitation of the simple definition of cybercrime. A stand-alone
computer can be used to counterfeit currency or forge documents, for example. This is an old
crime but one carried out using digital technologies. But because the computer is not
networked, the crime sits uneasily between traditional crime and cybercrime.
The dividing line between cybercrime and cyberterrorism is also discussed, the key distinction
suggested being that crime is “personal” while terrorism is “political”. Crimes are in general
committed for individual, personal reasons such as personal gain or personal revenge.
Terrorism may have the same results and use the same methods, but the motivations are
different. Such motivations may be to destabilise a country or to intimidate a population into
changing its government’s behaviour. Analysts and legislators are thus faced with the
problem of understanding the motivations of those carrying out a cyberattack when trying to
classify it and determining how the perpetrators should be prosecuted.
An additional complication is added by the existence – increasingly reported over recent years
in such contexts as Stuxnet, US cyberattacks on Libyan air defences in 2011, and the
Snowden revelations in general – of cyberwarfare, the conduct of military operations by
virtual means. It “consists of nation-states using cyberspace to achieve the same general ends
they pursue through the use of conventional military force”. Once again, the techniques and
some of the results will be identical to certain instances of cybercrime, as fundamentally any
attacks will consist of individuals or groups seeking either to disrupt or take over
communications and information systems or to extract information by tapping a wire. A key
concept in this context is the “advanced persistent threat”, frequently employed in espionage
and cyberwarfare to continuously monitor and extract data from specific targets, using a set of
stealthy and continuous hacking processes. Such long-lasting attacks require capability,
resources and intent and are thus commonly seen as needing the resources and motivations of
governmental agencies. Cyberwarfare clearly, however, falls outside the scope of the criminal
justice system.
These questions have a clear significance for judicial investigation and law enforcement.
Procedures are needed to allow the police and other government agents to parse the
information they are receiving in respect of cyberthreats and actual cyberattacks and then
respond appropriately. Extreme cases should be reasonably easy to categorise: phishing aimed
at individuals on the one hand, which can lead to a variety of forms of attack such as scams
and identity theft, or fake anti-viruses to defraud users or a cryptolocker to extort money;
widespread attacks on military systems originating in a hostile state on the other. But in the
example that Brenner gives of a sequential attack on financial systems such as ATMs, how
can the authorities efficiently distinguish between cybercrime, cyberterrorism, hacktivism and
cyberwarfare? Historically warfare has been easy to identify as it has involved physical
actions carried out by military forces. Cyberwarfare is far less clear.
Brenner’s position is supported by a number of other sources, such as Kelly (2002) [7],
Sukhai (2004) [8], the Australian Centre for Police Research (2004) [9], Gordon and Ford
(2006) [10], and the Symantec Corporation (2007) [11].
4.1.2 Approaches based on technologies, adversaries and threats
Other sources focus primarily on the technological aspects of the crimes being committed and
the nature of the cyberadversaries, seeking to differentiate crimes based on how they are
carried out and which aspects of computer and network infrastructure are the targets or
vectors of attack. A number of such approaches are presented in this section, in chronological
order.
In an early analysis of attacks, Landwehr et al (1994) [12] chose to consider the nature of
computer security flaws as these permitted attacks and exploits. They identified three major
components: flaws by genesis (how the flaw arises); flaws by time of introduction (when the
flaw is introduced into a system); and flaws by location (where a flaw is located, hardware or
software). Each of these components was broken down into sub-categories.
Howard (1997) [13] alone and then in a further publication (Howard and Longstaff 1998) [2]
surveyed CERT/CC data on security incidents and proposed a five category taxonomy of such
incidents:
- Attackers (hackers, criminals, terrorists, vandals);
- Tools (scripts, toolkits, user commands);
- Access (implementation or design vulnerabilities, access permissions);
- Results (corruption, deletion or disclosure of data, theft of resources, denial of service); and
- Objectives (intellectual challenge, peer status, financial gain, damage).
Hansman and Hunt (2005) [14] extended previous taxonomies by introducing multiple tiers of
threats and increasing the level of detail of the descriptions. Their model consists of four main
categories:
- Attack vectors (the means by which the target is reached);
- Targets (hardware, software, network, data);
- Specific vulnerabilities and exploits (security flaws); and
- Payload (the outcome and effects).
Kjaerland (2005 [15], 2006 [16]) added a quantitative component to the classification of
attacks, using four categories:
- Source sectors (top level domains);
- Method of operation (resource theft, social engineering, malware, denial of service);
- Impact (disruption, distortion, destruction, disclosure); and
- Target services (commercial or governmental).
Williams (2008) proposes a taxonomy of cyberattacks based in a first instance on the
technical layer of abstraction that characterises the attack, abstraction being determined by
reference to where on the OSI network model the attack is directed. After this, attacks can be
categorised as system dependent – those occurring at the lowest levels of abstraction, hybrids
such as viruses that can be viewed as both system dependent and system assisted and occur at
all levels of abstraction, or system assisted, which occur at the highest level of abstraction.
This taxonomy aims to assist in defining appropriate strategies for responding to attacks and
is designed to be philosophically neutral in respect of the type and definition of the individual
cybercrimes. What is significant is how and where they strike infrastructures.
Meyers et al. (2009) [17] present an analysis of cyberadversaries and attacks, arguing that in
order to construct effective defences against cybercrime it is necessary to know who the
adversaries are and what threats they represent. They trace the development of taxonomies
from the earliest attempts in the 1980s.
Meyers et al. draw upon multiple sources to propose their own taxonomy of attacks:
- Viruses;
- Worms;
- Trojans;
- Buffer overflows;
- Denial of service;
- Network attacks;
- Physical attacks;
- Password attacks/user compromise; and
- Information gathering.
Each category contains subtypes based on the specific approaches and objectives of the
attacks.
Rege-Patwardhan (2009) [18] focuses on attacks against critical infrastructures. Without
proposing a strict taxonomy, attack types and methods are distinguished as a means of
identifying attackers and categorising malicious activities. The methods described include:
- Exploiting bugs and loopholes;
- Rootkits;
- Malware;
- Botnets.
Reference is also made to the SCAREM (Stealth, Challenge, Anonymity, Reconnaissance,
Escape, Multiplicity) acronym for the characteristics of cyberspace that facilitate crime
(Newman and Clarke, 2003 [19]). While not directly incorporated into any of the taxonomies
under discussion, these characteristics are important factors to consider in assessing the
significance and potential for success of any given cyberattack.
Simmons et al. (2014) [3] refer to many of the sources discussed in this report in the
presentation of their AVOIDIT (Attack Vector, Operational Impact, Defense, Information
Impact, and Target) taxonomy of attacks. They underline the importance of taxonomy as a
means of defining “what data is to be recorded and how like and unlike samplings are to be
distinguished” and concentrate on so-called blended attacks, ones that “exploit one or more
vulnerabilities to perform an attack against a target”.
Limitations in the AVOIDIT taxonomy are noted: the lack of defence strategies, and the focus
on cyber-aspects of cybercrime to the exclusion of physical attacks.
Yet other sources use factors other than the direct use of computers in committing crimes to
categorise cybercrime. Among these factors are threats (Thomas (2006) [20]), attacks and
attackers (Kanellis et al (2006) [21], Chakrabarti and Manimaran (2002) [22]), motives
(Kanellis et al (2006), Thomas (2006), and Krone (2005) [23]), and victims (Sukhai (2004)).
4.1.3 Approaches based on a classification of the authors
The motivations of attackers are recognised as key differentiators in any classification.
Ghernaouti (2013) [24] emphasises the fact that many techniques and approaches are common
across a range of criminal or terrorist activities and that motivations need to be recognised and
understood in order to make clear and useful distinctions.
This approach has a long history, with roots three decades ago in the analysis of hacker
culture as this phenomenon began to draw academic and public attention. As a hacker
himself, Landreth (1985) [25] defines five categories of individuals active within the hacking
community: novices; students; tourists; crashers; and thieves. Of these categories, the last two
are the most interesting: the crashers who sought to damage and destroy and the thieves who
set out to profit by stealing assets or data. From a criminological perspective, Hollinger
(1988) [26] defines three categories of hackers: pirates; browsers; and crackers. These
categories show increasing levels of sophistication and knowledge: the pirates are mainly
interested in obtaining software illegally; the browsers might access private files but not
necessarily with malicious intent; while the crackers might modify or sabotage other users’
data or applications. Chantler (1996) [27] also seeks to differentiate between types of hackers,
describing three categories: losers and lamers; neophytes; and elites. These represent
increasing levels of technical sophistication and also increasingly intellectual motivations:
hacking to demonstrate knowledge and improve skills rather than to damage or to steal.
Clearly these classifications are dated and apply to only a small subset of what are nowadays
considered to be cybercriminal activities, but the principles are reflected in more recent and
all-encompassing classifications of the authors of attacks.
Rogers (1999 [28], 2001 [29], 2006 [30]) refined his own taxonomy over several years and
Meyers et al largely base their conclusions on his work. Their taxonomy of adversaries
includes eight groups:
• Script kiddies, newbies, novices;
• Hacktivists, political activists;
• Cyberpunks, crashers, thugs;
• Insiders, user malcontents;
• Coders, writers;
• White hat hackers, old guard, sneakers;
• Black hat hackers, professionals, elite; and
• Cyberterrorists.
These categories are distinguished on the basis of their skills (in ascending order in this list),
their maliciousness, their motivations and their methods. Clear contrasts are drawn between
the ends of the spectrum. At one end there are the unskilled and inexperienced adversaries,
those with minimal technical skills whose activities are distinguished by their naivety, lack of
focus and use of widely-available scripts and basic techniques. In the middle are those who
might exploit their legitimate access rights to systems and data in order to damage, steal or
embarrass. At the far end are the professionals, security experts and experienced hackers who
might choose to employ their skills for good or for bad and who might have their motivation
backed up by significant resources.
Kshetri (2006) [31] assesses cybercrime and its motivations in terms of cost-benefit to the
cybercriminal, defining cybercrime as those crimes that use a computer network during the
perpetration of online fraud, money laundering or identity theft.
4.1.4 Approaches based on the impacts of cybercrime on victims
A further approach to classification is to identify the impacts of criminal activities on the
victims. These impacts can be both tangible and intangible.
The first systematic study of the costs of cybercrime, according to its Abstract, was presented
by Anderson et al. in 2012 [32]. This work was commissioned in part as a consequence of a
report published by Detica in February 2011 [33] which estimated the annual cost of
cybercrime to the UK to be £27bn. Experts and the media viewed this figure with widespread
scepticism.
The first task undertaken by Anderson et al. was to establish a clear definition of what
differentiates cybercrime from other crime. While noting that the boundary between
traditional crime and cybercrime is fluid, they chose to follow the threefold definition of
cybercrime proposed by the European Commission in 2007 [34]. This definition separated
cybercrimes as follows:
• Traditional forms of crime such as fraud or forgery committed over electronic
communications networks and information systems;
• The publication of illegal content (such as material relating to child sexual abuse or
inciting racial hatred) over electronic media;
• Crimes unique to computer networks, such as denial of service attacks and hacking.
The next task was to break down the costs into discrete categories. The four-category
framework proposed in the Detica report was reviewed and rejected because it did not
distinguish clearly enough between direct and indirect costs. Detica's categories are as follows:
• Costs in anticipation of cybercrime, in the form of preventive control measures such as
anti-virus software, as well as insurance and compliance costs;
• Costs, both direct and indirect, as a result of cybercrime, such as direct losses or the
loss of competitiveness;
• Costs in response to cybercrime, such as compensation payments;
• Indirect costs such as reputational damage.
For Anderson et al. this framework is unhelpful because its distinctions are arbitrary and
inconsistent. They propose a simpler scheme that separates two kinds of losses, direct and
indirect, from the costs of defence.
Fig 1: Taxonomy of the costs of cybercrime, from Anderson et al., 2012
Within this model, criminal revenue is defined as the monetary equivalent of the gross
receipts for the cybercriminals from their activities. Direct losses are the monetary equivalents
of the losses, damage or suffering provoked by cybercrime. These can include money
withdrawn from accounts, the time and effort required to re-establish credentials, the
secondary costs generated by overdrawn or blocked accounts, and the loss of bandwidth and
attention caused by spam, even if this is not viewed. For practical reasons the authors exclude
costs related to distress from their analysis; this is difficult to quantify and is often worse
when aggravated by secondary victimisation when trying to repair the damage caused by
cybercrime. The authors take care to emphasise that both criminal revenue and direct losses
arise specifically from what they consider to be the domain of Cybercrimes rather than what
they term Supporting infrastructure. They argue that losses and damage caused by the
supporting infrastructure are indirect in nature: botnets, for example, do not cause direct harm
by themselves but generate indirect costs.
Indirect losses are the monetary equivalents of the losses and opportunity costs borne by
society, as opposed to individual victims, as the result of cybercrimes. These include the loss
of confidence in online services, including the lack of uptake of such services, missed
commercial opportunities, and the costs of cleaning up after malware attacks.
Defence costs are the costs related to prevention and protection. These can be direct, such as
the costs of developing, implementing and operating prevention measures, or indirect, such as
inconvenience and opportunity costs. Defence costs too are borne at a societal level rather
than individual, and in addition can often be difficult to attribute to individual types of
cybercrime.
The overall cost to society is the total of the three categories of cost and loss.
Quantifying the impacts of cybercrime is a complex and difficult task. Intangible impacts do
not lend themselves particularly easily to quantitative analysis because of the number of
imponderables and the range of such impacts. Tangible impacts provide a more solid base for
analysis but even here reliable results are difficult to obtain. Anderson et al. provide a solid
and sourced estimation of the UK and global costs of cybercrime but emphasise the
significance of the estimations and extrapolations necessary to arrive at their figures.
In respect of the communications sector, ENISA publishes an annual report on security
incidents that have been reported by National Regulatory Authorities through ENISA’s
CIRAS tool. Their 2014 report [35] contains detailed analysis of the incidents reported to
them, but contains important caveats that apply to all such analyses: the scope needs to be
carefully defined and understood; the quality and completeness of the data need to be
appreciated; and the maturity of the information gathering process needs to be taken into
account.
4.2
Dissenting views
Fafinski et al. (2010) [36], in a detailed report on an expert workshop, discussed the need to
be able to map and measure cybercrime, referring to Ward Baker’s “measurement enables
management”. Without reliable and structured data, crime prevention and resolution
initiatives cannot be targeted and evaluated. They noted that the absence of a legal definition
of “E-CRIME” (crimes committed by means of or with the assistance of the use of electronic
networks) and the lack of data on the incidence, investigation or prosecution of E-CRIMEs
had been noted by the House of Lords Science and Technology Committee in 2007 [37].
The relevance of a taxonomy and special treatment of cybercrime was discussed. The
tripartite split proposed by various authors was expressed in alternative forms, most
succinctly as crimes against, in, or via the machine, but interestingly dissenting opinions were
also reviewed. Prominent among these was the view of Peter Sommer of the London School
of Economics that “attempting to establish a taxonomy of cybercrime is an artificial and
somewhat pointless exercise: that crime is conduct that is outside the boundaries of the
criminal law and that the means of commission or target are immaterial” (Fafinski et al., p.
10).
Reference was made to the debates between Easterbrook and Lessig on the meaning of
cyberlaw as an illustration of the difficulties involved in drawing analogies between the
online and offline worlds. Easterbrook argued that trying to develop a taxonomy of “horse
law” would be a flawed enterprise because cases involving horses would include the sale of
horses, injuries caused by horses, the licensing and racing of horses, the care provided by
veterinarians, and the prizes given at horse shows. He concluded that “any effort to collect
these strands into a course on ‘The Law of the Horse’ is doomed to be shallow and to miss
unifying principles” (Easterbrook 1996 [38]).
Lessig (1999) [39] countered this by arguing that legal perceptions and rules need to develop
and evolve as environments change and that cyberlaw would need to be revisited as
cyberspace developed and expanded.
Another analogy discussed at the Oxford forum was ‘car crime’, a term that could encompass
all aspects of criminality involving or referring to cars. The existence of cars could be argued
to have transformed and facilitated traditional crime.
The distinction was made between two possibilities of mapping cybercrime: the conceptual
and the geographical. Common approaches to taxonomy tend to rely upon the formal,
categorising incidents and approaches according to their nature, but useful information can
also be gathered and presented from a geographical perspective. The argument was made that,
in common with other kinds of crime, a geographical analysis would allow policies to be
developed and resources allocated more effectively in the fight against cybercrime. Given the
global reach of cybercrime, such efforts would presumably be targeted at tackling the
criminals at source.
4.3
Two dimension taxonomies
Some sources, such as Foreign Affairs and International Trade of Canada (2004) [40] classify
cybercrime into only two categories: crimes committed using computers and networks
(hacking, viruses); and traditional crimes that are facilitated by the use of computers (illegal
pornography, online fraud). Crimes that involve the indirect use of computers by criminals
(communications, storage of documents and data) are termed computer-supported crime
rather than cybercrime.
Such a two-category classification is supported by other sources such as Furnell (2001) [41],
Koenig (2002) [42], the Australian High Tech Crime Centre (2003) [43], Lewis (2004) [44],
and Wilson (2008) [45].
The categorization by Urbas and Choo (2008) [46] again identifies two main types of
cybercrime: crimes where a computer system is a target of an offence (hacking and,
interestingly, terrorism); and crimes where the computer is a means of committing the offence
(online fraud, identity theft). These authors further differentiate within the second category,
the computer as a means or a tool, according to the level of reliance on technology: computer-enabled, computer-enhanced and computer-supported crimes.
Alkaabi et al. (2010) [47] propose a Type I and Type II classification of cybercrime, with
detailed sub-classes. Type I crimes “include crimes where the computer, computer network,
or electronic device is the target of the criminal activity” (Alkaabi et al., p.6). This category is
divided into four sub-categories:
• Unauthorized access offences such as hacking
• Malicious code offences such as dissemination of viruses and worms
• Interruption of services offences such as disrupting or denying computer services and
applications, for example denial of service attacks and botnets
• Theft or misuse of services such as theft or misuse of someone's Internet account or
domain name
Type II crimes “include crimes where the computer, computer network, or electronic device is
the tool used to commit or facilitate the crime” (Alkaabi et al., p.6). This category is divided
into three sub-categories:
• Content violation offences such as possession of child pornography, unauthorized
possession of military secrets, IP offences
• Unauthorised alteration of data, or software for personal or organisational gain such as
online fraud
• Improper use of telecommunications such as cyber stalking, spamming, and the use of a
carriage service with the intention or conspiracy to commit harmful or criminal
activity.
Their taxonomy is set out graphically in their schema:
Fig 2: Taxonomy of Computer Crime, from Alkaabi et al., 2010
The authors note that their categories are not necessarily exclusive, as in some crimes
computers or networks play multiple roles, meaning that one crime could be classified under
multiple types. They comment that this “corresponds naturally to the reality that there may
actually be several separate offences involved in the one case” (Alkaabi et al., p.6). They also
stipulate that there will typically be one primary role for computers in each crime, and
therefore one primary cybercrime type classification that is applicable.
It is clear that the individual elements within a cyberterrorist attack can fall into both Type I
and Type II of this taxonomy. Urbas and Choo (2008) [46] see cyberterrorist offences as Type
I but much depends on the motivations behind the attack.
The authors insist on the significance of contextual information in attempting to classify
cybercrimes and position them within their taxonomy. In particular they identify five key
characteristics of each offence that need to be recognized:
• The type of cybercrime: which type or types of cybercrime have been committed
(Cybercrime Type I/II)
• Refined classification: where does each offence appear in the detailed classification
(…)
• Main motive/offender role: what are the motives of the offence; is it an individual's
motivation, or is it a politically related crime such as information warfare, or terrorism
activity, or that of an organized crime group
• The offender relationship: how can we classify the offender's relationship to the
victim, are they from inside, or outside
• The scope of impact: what is the scope of impact of the offence, is the victim or target
an individual, business, government agency or global infrastructure such as the
Internet.
4.4 Three dimension taxonomies
A number of authors have proposed three-dimensional taxonomies of cybercrime, with
variations on the nature and degree of specificity of these dimensions.
As referred to in Section 4.1.4 above, the European Commission’s 2007 definition [34]
proposes the publication of illegal content as a specific category, accompanying two
categories familiar from the review of two-dimension taxonomies in Section 4.3 above,
namely traditional forms of crime committed over or using electronic technologies, and
crimes unique to computer networks.
Wall (2007) [5] notes that “value in cyberspace is attached mainly to the expression of
informational ideas rather than things. The focus of cybercrime, therefore, is to acquire
information in order to extract its value” (p. 36). Based on this premise he distinguishes three
typologies of cybercrime: computer integrity crimes; computer-assisted (or -related) crimes;
and computer content crimes.
• Computer integrity crimes include hacking, cracking and denial of service attacks,
activities that prevent access to systems by legitimate users or modify, corrupt or
delete software and data.
• Computer-assisted crimes include virtual robberies, scams and thefts.
• Computer content crimes include the digital storage and communication of
pornography, violence and offensive materials.
Wall also discusses crimes made possible by the Internet, including spamming and the
seeding of viruses, Trojans, blended threats, botnets and worms. Such phenomena are often
self-perpetuating and are at the forefront of what Wall describes as a new generation of
cybercrime, one in which massive automation is employed to commit large numbers of
individually low-value crimes. He further considers the human factor behind cybercrimes, the
links with old-fashioned crimes and the various motivations that cybercriminals might have,
without drawing these into a formal taxonomy.
Goodman (1997) [48] categorised cybercrime into three types: crimes in which the computer
is the end target; crimes where the computer is the tool or conduit; and crimes where there is
an incidental presence of computer equipment.
Ghernaouti (2013) [24] proposes a three dimension categorisation of cybercrime,
distinguishing cybercrime from cyberconflicts, wars and terrorism. Her dimensions can be
summarised as:
• Cybercrimes against people, including activities affecting their dignity and integrity,
swindles and frauds, identity crimes and privacy related offences;
• Cybercrimes against assets, including the theft of data, the theft of services and
resources, counterfeiting, software piracy, surveillance and espionage, the
manipulation of information, and the fraudulent acquisition of intellectual property;
and
• Cybercrimes against states, including destabilization, information warfare, and attacks
on critical infrastructures.
Ghernaouti emphasises that in such taxonomies distinctions need to be made on the basis of
motivations and objectives because the techniques and methods used by cybercriminals show
many common features and cannot necessarily be easily distinguished.
Moitra [4] proposes a three-dimension classification for cybercrimes: motivation;
opportunities; and skills. He also suggests classification based on the victims, which can be
segmented as individuals, organizations, systems and information types. Analysis based on
such categorisation could prove useful in evaluating the rates at which cybercrimes are
recognised and reported.
4.5
Proposals by international bodies
The taxonomies proposed by international bodies are significant because of their visibility and
influence in shaping opinion, promoting research, and providing a framework for legislation
aimed at combatting cybercrime.
This report has already referred to the European Commission’s 2007 Communication [34].
Two other publications by international bodies have received widespread attention.
4.5.1 The Council of Europe Convention on Cybercrime
The Council of Europe Convention on Cybercrime (2001) [49] defines “computer system”,
“computer data”, “service provider” and “traffic data” for its own purposes and then proposes
a four category classification of cybercrime:
Offences against the confidentiality, integrity and availability of computer systems and data:
• Article 2 – Illegal access
• Article 3 – Illegal interception
• Article 4 – Data interference
• Article 5 – System interference
• Article 6 – Misuse of devices
Computer-related offences (forgery, fraud):
• Article 7 – Computer-related forgery
• Article 8 – Computer-related fraud
Content-related offences:
• Article 9 – Offences related to child pornography
Offences related to infringements of copyright and related rights:
• Article 10 – Offences related to infringements of copyright and related rights
An additional protocol to the Convention came into force on 1 March 2006. This protocol
obliges states that have ratified it to criminalise the dissemination of racist and xenophobic
material, and threats and insults motivated by racism or xenophobia, through computer
systems.
The Convention, which as of October 2014 has been ratified by forty-four states and signed
by nine others, does not include certain types of crimes committed or facilitated using
computer technologies such as money laundering, identity theft or storing illegal contents.
This convention is well-known and widely recognised and its four-category approach covers a
wide range of criminal activities.
4.5.2 The UN Manual on the prevention and control of computer related crime
The UN Manual on the prevention and control of computer related crime (1999) [50] was
developed in an attempt to address some of the problems surrounding international
cooperation in the areas of computer crime and criminal law. The introductory paragraphs
summarize some of these issues:
1. “The lack of global consensus on what types of conduct should constitute a computer-related crime;
2. The lack of global consensus on the legal definition of criminal conduct;
3. The lack of expertise on the part of police, prosecutors and the courts in this field;
4. The inadequacy of legal powers for investigation and access to computer systems,
including the inapplicability of seizure powers to intangibles such as computerized
data;
5. The lack of harmonization between the different national procedural laws concerning
the investigation of computer-related crimes;
6. The transnational character of many computer crimes;
7. The lack of extradition and mutual assistance treaties and of synchronized law
enforcement mechanisms that would permit international cooperation, or the inability
of existing treaties to take into account the dynamics and special requirements of
computer-crime investigation” (Introduction, Section A, paragraph 7).
In the second section of this manual, five common types of computer crime are distinguished:
• Fraud by computer manipulation;
• Computer forgery;
• Damage to or modification of computer data or programs;
• Unauthorised access to computer systems and services;
• Unauthorised reproduction of legally protected computer programs.
It specifically covers some crimes that use computer systems, such as fraud and forgery, but
does not refer to other types of offences perpetrated or facilitated by computers such as
identity theft, money laundering or storing illegal contents. This manual sets out to provide
common terms and frameworks for common practices but does not provide any legal force or
obligation for compliance.
4.6
Police forces and investigation agencies
It is clearly essential for the police and law enforcement agencies to have clear definitions of
cybercrime in order to assess situations and carry out investigations. In this section we
consider the definitions and classifications used by two international police organisations and
four national law enforcement agencies. These were selected to give a flavour of the
variations in focus and definition within a community that is aiming to be harmonised and
provide sophisticated and appropriate frameworks for addressing cybercrime.
4.6.1 Europol
Europol bases its definitions and classifications of cybercrime on the Council of Europe
Convention. The scope of its European Cybercrime Centre “encompasses those crimes that
are directed against our computer and network infrastructures as well as crimes committed
online. This covers all crimes from malware, hacking, phishing, intrusion, manipulation,
identity theft and fraud, to the grooming and online sexual exploitation of children.” [51].
In its report entitled “The Internet Organised Crime Threat Assessment” (2014) [52], the
European Cybercrime Centre presents a classification based essentially on eight crime areas:
• Crime-as-a-service
• Malware
• Child sexual exploitation
• Payment fraud
• Criminal finances online
• Crime related to social engineering
• Data breaches and network intrusions
• Vulnerabilities of critical infrastructures
4.6.2 Interpol
Interpol [53] proposes a three domain taxonomy of cybercrime:
• Attacks against computer hardware and software, for example, botnets, malware and
network intrusion;
• Financial crimes, such as online fraud, penetration of online financial services and
phishing;
• Abuse, especially of young people, in the form of grooming or ‘sexploitation’.
4.6.3 UK National Crime Agency
The National Cyber Crime Unit within the National Crime Agency investigates instances of
cybercrime. On its website [54] it presents a number of types of common threats:
• Consumers
1. Phishing: bogus emails asking for security information and personal details
2. Webcam manager: where criminals take over your webcam
3. File hijacker: where criminals hijack files and hold them to ransom
4. Keylogging: where criminals record what you type on your keyboard
5. Screenshot manager: allows criminals to take screenshots of your computer screen
6. Ad clicker: allows a criminal to direct a victim's computer to click a specific link
• Business
1. Hacking
2. Distributed Denial of Service (DDoS) attacks
This is a concrete, technique-level breakdown of the threats faced, focused entirely on the
methods employed.
4.6.4 Bundeskriminalamt
The German Federal Criminal Police Office has established a special “Service Center for
Information and Communications” designed to combat cybercrime. On its website [55] it
provides its own working definition of cybercrime: “‘High tech and computer crime’ denotes
offences which are committed using modern information and communication technology or
crimes which are targeted at these technologies. These include:
• criminal offences in which some of the elements of the offence include electronic data
processing (computer crime) or in which information and communications technology
is used for the planning, preparation or commission of a criminal offence,
• offences in connection with data networks such as the Internet and
• threats against information technology. This includes all unlawful acts against the
integrity, availability and authenticity of electronic, magnetic or otherwise not directly
perceptible stored or transmitted data (hacking, computer sabotage, data manipulation,
abuse of telecommunication means etc.)” (“Internet Crime”, 2014).
4.6.5 Cybercrime Coordination Unit Switzerland
The Cybercrime Coordination Unit Switzerland (CYCO) is the country’s central resource for
reporting illegal contents on the Internet. It analyses reports and secures relevant data before
forwarding cases to the relevant law enforcement agencies, as well as actively searching the
Internet for illegal subject matter. Its remit, according to its website [56] is restricted to illegal
subject matters, of which it gives a number of examples, rather than a wider range of
cybercrimes.
4.6.6 Federal Bureau of Investigation
The FBI provides a platform for the reporting of cybercrimes and publishes an annual report
(the Internet Crime Report) on trends, occurrences and financial losses. There is no stated
taxonomy behind the presentation of the results, but the most significant cybercrimes are
grouped together and discussed. In the 2013 report [57], these included Auto-Auction Fraud,
Romance Scams, FBI Scams (impersonation), Hit Man Scams (threats and blackmail),
Ransomware and Scareware Scams, and numerous fraudulent pleas for money, work from
home, and investment frauds.
4.6.7 Summary of police and law enforcement approaches
This brief survey demonstrates that there is wide variation in the way that different countries
approach the problems of informing their citizens, and receiving and categorising reports of
cybercrime. The international police bodies present wide-ranging classifications, while
individual countries have chosen to focus, in their public posture at least, on different aspects
of cybercriminality. The UK police provide information on the threats posed by various
techniques, for example, while the Swiss federal police site is focused on illegal contents.
This illustrates that differences in philosophy and focus exist even though there is a clear
overall desire for harmonisation and cooperation.
4.7
The taxonomy of information sources
4.7.1 Structure of the taxonomy
The proposed taxonomy of information sources has been subdivided into six groups:
• Cybercrime Reporting and Advisory
• Vulnerability and Security Advisory
• National CERTs
• Other CSIRTs and CERTs
• Agencies, Organisations and People
• eCrime Publications and Links
These subdivisions developed organically during the information gathering process and were
essentially proposed by the partners at the University of Warwick. It was found during data
gathering that, given the homogeneity of many sources (most are reporting centres or national
CERTs, Computer Emergency Response Teams), building a taxonomy would involve a
reasonably arbitrary choice of differentiating factors. The final split is therefore essentially by
content (cybercrime reporting versus security advisory) and by the nature of the source. We
believe that these subdivisions do illustrate important distinctions between the various
sources of information.
Cybercrime reporting and advisory sources are those that focus on incidents of cybercrime
and on the techniques of carrying them out. Such sources can be national bodies designed to
provide information to the public or commercial or trade bodies, or service and solution
providers, aiming to provide information to their respective constituencies. The focus of such
reporting is not necessarily technical, given that a great deal of cybercrime, particularly those
activities in which ICTs are the means rather than the targets of the crimes, is not particularly
technical in nature.
Vulnerability reporting services are those that collect and publish information on known
vulnerabilities in platforms and applications. Such information is vital for security managers
who are proactively seeking to identify problems before they become significant and obtain
and apply patches or upgrades. It should go without saying that this information is also of
value to cybercriminals whose activities are based around exploiting vulnerabilities and
weaknesses in installed software. These services tend to be more technical than the
cybercrime reporting services discussed above.
Most states and regions have set up CERTs (Computer Emergency Response Teams) as
repositories of information, for users to report and research details of possible attacks or
crimes. These have been treated as a separate category of information sources in this
taxonomy to reflect their quasi-official nature.
CSIRTs (Computer Security Incident Response Teams) respond to computer security
incidents by providing all necessary services to solve the problem(s) or to support their
resolution. In order to mitigate risks and minimize the number of required responses, most
CSIRTs also provide preventative and educational services for their constituency. There is
some blurring of titles and terminology across the globe when referring to CERTs and
CSIRTs, and there is also overlap in terms of reference and scope of intervention.
The fifth category contains what we have termed the Agencies, Organisations and People who
publish information on cybercrime and related topics. These include police and other
investigatory bodies, specialist research groups, commercial and not-for-profit organisations,
and individuals with particular experience, expertise or cross-disciplinary profiles. They are
distinguished from the previous categories because of their status and objectives: there is a
lesser sense of dialogue between the content providers and the general public, and the scope
of material they handle is often broader.
The final category consists of sometimes isolated and occasional publications, sources of
information of real value that do not correspond to the structures or objectives demonstrated
in the other categories.
4.8
Quality of the information
Much of the information presented by the CERTs is of a surprisingly straightforward nature
when compared with the technical contents of specialist research sites. This emphasises a key
need in cybercrime research and education to address the whole range of user experiences.
The CERTs, CSIRTs and research institutes provide high-quality and reliable information in
line with their mandates and objectives.
There is a discussion to be had, based on professional scepticism, about the precise place in
the information market of the commercial providers. Realistically the quality and relevance of
the information they provide need to be carefully considered in the context of their
motivations. Their business models are based essentially on selling solutions and products to
consumers, with a particular focus on upselling from free or very basic packages to more
costly fully-featured packages. The providers of anti-malware software present a good
example of this: a free package will typically provide a desktop anti-virus scanner and scans
of incoming mail, with regular database updates. There is a constant encouragement to
upgrade to paid-for services, however, including such features as safe web browsing, website
verification, operating system optimisation, and so on. Not every domestic user will be
equipped to determine whether the risks mentioned are relevant and applicable, nor whether it
is cost-effective to pay for services designed to protect from such risks.
This whole question is made more complicated, in a meta-sense, by the existence of
fraudulent security advisors and solution providers: those who target the less aware and those
lacking resources by warning them of non-existent threats, and then commit cybercrimes by
exploiting their fears and weaknesses to install malware, to obtain money for non-existent
services, or both. The popular and technical media are full of cases of people having
fallen victim to phone or email scams in which they are contacted by criminals posing as
support staff for Microsoft or an ISP security department. Being sufficiently well-informed to
be able to distinguish between the genuine information sources and fake sites and addresses
created by criminals creates an additional layer of difficulty, both for individuals as potential
victims and for the bodies seeking to combat cybercrime through education and the provision
of information.
It is interesting to see the existence of industry- and sector-specific information sources as
major service providers and industry groups seek to work together to inform each other about
mutual threats. It is perhaps a sign of how seriously cybercrime in all its forms is being taken
that competitors in some sectors are sharing information and resources in order to be better
informed and better protected.
4.9 Timeliness of the information
Based on the objectives of each information source and on the resources they possess, and on
the level of interactivity with users that they require, sources will update the information they
provide more or less frequently. Given that cybercrime is a rapidly developing and evolving
field, with new attacks designed and new vulnerabilities identified and exploited every day,
users clearly need to have access to timely and accurate information; they also should be able
to determine easily how up-to-date the information they are reading is, in order to assess its
validity and utility.
Exactly how recent that information needs to be will depend on the precise requirements of
each user, however. A sophisticated corporate entity or a business operating sensitive and
critical activities on online systems will generally be more vulnerable than a typical individual
using the Internet for routine domestic purposes.
4.10 Targets of the information
Different sources have different target audiences. As stated above, different users have
different requirements, from the casual domestic user whose basic security requirements are
largely covered by regular software updates applied more or less automatically by key
software providers and who requires clear and concrete information on such phenomena as
social engineering and phishing, to the large corporate users who need to be aware of software
flaws (such as SSL weaknesses) and of trends in cyberattacks as soon as such information is
available.
This has an impact on both the nature of the information presented and the way in which it is
set out. CERT advisory notices have a standard structure and format that is carefully designed
to provide the right information to its target audience, which will be technically aware and
attuned to the processes of identifying problems, analysing the impacts, determining the
actions to undertake, and applying solutions in the form of software patches, configuration
changes, or modifications to operating procedures. Such processes are not generally followed
by individual domestic users.
4.11 Usefulness of this information for this project
The main motivation for creating this inventory of data sources was for it to serve as a point
of reference for later activities within this project. In order to evaluate the usefulness of the
information gathered on publicly available data sources for this project, the nature and
contents of these information sources were analysed in relation to the types of cybercrime
identified as of particular significance in Section 6.1 below.
This analysis included the colour-coding of each information source in order to indicate in a
simple visual way which sources of information apply to each of these dimensions of
cybercrime. This analysis can be seen in the inventory of information sources in Appendix A.
It is evident from this coding that there exist significant gaps in publicly available information
in respect of detailed aspects of cybercrime. A great deal of general information is gathered
and made available, at least in summary or headline form, but there is far less specific
information.
5 Commonalities and exclusions
5.1 Points of consistency
Overall there is a baseline of consistency across taxonomies according to their premises. The
approaches that attempt to classify cybercrimes by analogy to their non-computer antecedents
are broadly consistent in maintaining a distinction between computer systems as a target and
computer systems as a means, while the approaches that consider aspects such as the
motivations, techniques and skill levels of the attackers share a number of features, such as
distinguishing between the skilled and the unskilled and between activities designed to cause
damage, acquire information, or steal money.
5.2 Exclusions
As discussed above, a regular issue concerns the inclusion or exclusion of activities that
would generally be seen as aspects of cyberwarfare or cyberterrorism.
The place of cyberterrorism, including attacks against critical infrastructures, in such a
classification requires discussion. To give an international perspective on the
question of definitions, according to the UK Parliamentary Office of Science and Technology
(2006) [58], cybercriminals may use computers to “damage the functioning of the Critical
National Infrastructure (CNI) which includes emergency services, telecommunications,
energy distribution and finance, all of which rely on IT”, while the Australian High Tech
Crime Centre (2003) [43] categorized cyberterrorism under Type II along with fraud, money
laundering and other traditional crimes. Wilson (2008) [45] refers to the U.S. Federal
Emergency Management Agency (FEMA) definition of cyberterrorism as “unlawful attacks
and threats of attack against computers, networks, and the information stored therein when
done to intimidate or coerce a government or its people in furtherance of political or social
objectives” (FEMA (2002) [59], p.D-2). Coleman (2003) [60] similarly defines
cyberterrorism as “the premeditated use of disruptive activities, or the threat thereof, against
computers and/or networks, with the intention to cause harm or further social, ideological,
religious, political or similar objectives, or to intimidate any person in furtherance of such
objectives” (Coleman, p.1).
Such definitions illustrate the range of opinions on this subject. For the purposes of this
project, we should consider as cyberterrorism and cyberwarfare - and thus exclude from
consideration as cybercrimes - those activities that are perpetrated by states or their agents, and
which have no tangible economic impact.
Another area that has been provoking increasing amounts of discussion over recent years has
been activities that can be grouped together as the (perceived) misuse, often by corporations,
of systems and data, to their advantage and to the detriment of the users of systems or of
individuals whose data happens to be stored in such systems.
Such misuses include the violation of privacy and data protection laws, the unauthorised
collection of personal data, the performance of unauthorised data mining, the operation of
unauthorised or inappropriate surveillance, the unauthorised transmission of data to third
countries, the lack of reporting of data breaches (or at least not making such breaches public),
and the illegal co-operation with intelligence agencies. Such activities should be included in a
taxonomy of cybercrime, either implicitly under structures such as the first main category of
the Council of Europe classification, which addresses offences against the confidentiality,
integrity and availability of computer systems and data (see Section 4.5.1 above), or perhaps
explicitly under an umbrella heading of Corporate misfeasance.
Specific cases can be hard to classify, however, and it can even be hard to determine whether
they are, or should be, categorised as a crime rather than as antisocial behaviour, or even simply
as a new and fundamentally legitimate practice. A recent case in the UK might serve as an example. The
Samaritans, a long-established organisation seeking to provide support to people in distress,
launched a new service called Radar in which an individual’s messages on the Twitter
platform, whether public or protected, could be scanned and analysed using textual sentiment
analysis and alerts sent to other users if depression or suicidal thoughts were being expressed,
according to the algorithms. This service provoked a great deal of criticism and condemnation
on the part of privacy campaigners, data specialists and mental health experts and was
subsequently suspended by the Samaritans. The criticism was essentially based on the
principles of privacy, data governance and the possibility of abuse of the available data by
stalkers and bullies: the default situation was for all Twitter users to be included although a
manual opt-out scheme was proposed. Such a service does raise important questions about
data ownership, the public nature of communications on social media and the rights – or
otherwise – of third parties to make use of such data, especially where such use can become
criminal. The creation of such a service also raises questions about the limits of the legality of the
commercial or systematic obtaining, analysing and use of such data; these questions will continue
to be discussed, with legislation possibly being the result.
We should emphasise that privacy related crimes are not the focus of this project. It is
important to recognise their existence, however, because of the techniques they can share with
other crimes, and also because certain forms of information gathering performed through the
abuse of privacy can form a part of crimes with a more tangible financial impact.
In respect of surveillance, Coleman and McCahill (2011) [61] discuss the links between
surveillance, privacy and crime. Surveillance is not restricted to the legitimate and traditional
forces of order and protection of the state, but can be practised by private organizations and
individuals, in a range of ways. Increased use of and dependence on digital technologies and
the availability of search and accumulation tools and plentiful data sources mean that
surveillance has taken on increased dimensions over recent years. Surveillance has “become
implicated in how the few see the many and the many see the few” (p. 9).
Such abilities can lead to abuses and to crimes committed against people. The authors
mention the existence of “smart surveillance camera monitoring found in streets and shops
that scan faces in the crowd to match against a database of known or potential troublemakers;
mandatory provision of DNA samples; parental monitoring of children using cameras; phone
tracking or smart clothing equipped with locator chips; computer programs that track and
collect keyword-related information regarding subjects discussed or searched for on the
Internet, monitoring workers in time and space using smart cards, chips or covert camera
surveillance” (p. 22).
The authors emphasise their point that “surveillance both responds to and constructs crime
and deviance” (p. 29), arguing that as a part of the process of collection and analysis of
information about populations, lines of demarcation are drawn between normal or law abiding
behaviour on the one hand and abnormal or criminal behaviour on the other. As a result
‘deviance’ is not a set of activities or attitudes separate from activities related to surveillance,
but is defined and created through them. Increased use of cyber-technologies is therefore
bringing into existence new crimes, which will need to be identified, classified and legislated
for.
Within the scope of this project it is necessary to make a clear distinction between state
surveillance, which is an element of cyberwarfare and not covered in the project, and
surveillance as performed by individuals, groups and organisations for abusive or criminal
purposes.
5.3 Complexities
A common remark in the literature referred to throughout this report concerns the difficulties
involved in specifying exactly which crime has been committed in the course of an attack or a
series of attacks. Sood et al. (2013) [62] discuss the life cycles of cybercrimes and illustrate
how a typical online fraud process can involve multiple steps involving different actors and
different methods of attack, often defying useful categorisation as a single cybercrime. For
example, a complex online fraud might consist of nine steps:
1. Creation of malware
2. Distribution of malware
3. Drive-by-download attacks leading to the theft of credentials
4. Recovery of credentials by the attacker
5. Use of credentials through a compromised proxy server
6. Access to the victim’s banking details
7. Extraction of funds
8. Money-laundering to transfer the proceeds
9. Sharing of profits
This overall process can be described simply as a cyberfraud and placed within a taxonomy,
but it consists of several separate illegal activities such as unauthorised modifications to a
third party’s systems, unauthorised access to confidential data, and the laundering of illicit
proceeds. A useful taxonomy needs to take such aspects into account if effective and useful
analysis is to be performed and appropriate protective measures designed.
Another source of complexity emerges from inconsistencies of appreciation between
countries and cultures. The sources reviewed above suggest that there is a reasonable amount
of common ground between the European, North American and Australian legal philosophies,
but it would be erroneous to assume that such consistency is to be found everywhere. In a
flawed but interesting paper, Khan (2012) [63] presents the perception of cybercrime as
defined in Saudi Arabia. Legislation was introduced in 2007 in the form of an Anti Crime
Act: previously there was an uncertain mapping between cybercrimes and prosecution and
punishment because of the absence of relevant references in the Quran and the Sunnah, the
basis for the Saudi legal code. Cases were dealt with by reference to existing and recognised
traditional crimes. Cybercrime is now defined and categorised according to structures not
inconsistent with Western taxonomies, with cybercrimes separated into five major groups
with defined maximum penalties. These groups are:
• Hacking, Internet extortion, website defacement;
• Spoofing, credit card fraud;
• Denial of service, software piracy, data diddling;
• Dissemination of viruses, pornography, illegal trading; and
• Cyber terrorism.
This brief paper is of interest because it demonstrates the differences in philosophy between
that underlying the more-or-less shared European and North American tradition, and that
underlying the legal codes in strongly Muslim countries where sharia concepts hold sway.
There are overlaps with the classifications cited above, but there is no direct comparison of
what is considered to be criminal activity. This is interesting within the context of this
discussion as an illustration of a wider point: if part of the intention behind cybercrime
research is to find means of combatting it, it will be necessary to establish principles of
classification leading to investigation and eventual prosecution that are internationally
acceptable and applicable.
Another aspect to consider concerns how the state-driven perception and classification of
cybercrime permeates the whole of society. Many countries have implemented systems for
individuals and organisations to report cybercrimes, but this necessarily enforces their
national classification. This makes the sharing of information and effective comparisons more
difficult because even at the point of capture of data, the information is categorised according
to a potentially unique system of classification.
6 Conclusions
There exists absolute agreement that cybercrime is a genuine and significant problem in the
modern world and a great deal of agreement over the high-level way in which it can be
classified and categorised, but consensus over the form of a detailed taxonomy has not yet
been achieved.
6.1 Conclusions on the taxonomy of cybercrime
One of the difficulties encountered in creating a taxonomy of cybercrime is simply the result
of the definition of crime, which is a legal concept. Crimes exist when they are identified as
such within legal codes. Such codes are developed within specific national contexts and every
country can, according to its culture and justice system, have a different understanding of
criminality. This is equally true in cyberspace and the idea of cybercrime varies from one
country to another. The fact that cybercriminality is a transnational phenomenon that touches
upon many different disciplines (law, criminology, sociology, social and political science,
information systems and telecommunications) makes its study even more difficult and creates
additional problems of terminology.
Today the only documents of international scale that propose relatively well-accepted
definitions are the 2001 Budapest Convention of the Council of Europe (EST 185 and 185 bis)
[49] and the 2007 Communication of the European Commission [34].
In addition to this approach based on the harmonisation of legal aspects, cybercriminality
could be studied on the basis of different criteria such as its impacts, its targets, the methods
and vectors, the weaknesses that are exploited, the motivations of the perpetrators and the end
results of the cybercrime in question.
The attacks
Classification based on the characteristics of attacks can yield valuable insights when seeking
to design and implement preventive measures and thereby reduce the vulnerabilities to, and
the rate of success of, any attacks. The taxonomy of attack vectors proposed by Meyers et al.
[17] usefully covers attacks based on malware, the exploitation of technical and configuration
weaknesses, purely physical attacks and the exploitation of user-related weaknesses, all of
which may be used singly or in combination. A case could perhaps be made for grouping the
first three categories together as malware.
• Viruses;
• Worms;
• Trojans;
• Buffer overflows;
• Denial of service;
• Network attacks;
• Physical attacks;
• Password attacks/user compromise; and
• Information gathering.
An additional useful distinction could be made between passive and active attacks. A passive
attack attempts to gather or make use of information from the system but does not affect
system resources or data, while an active attack attempts to modify systems or affect their
operation.
The classification of attacks is often made more difficult by the absence of timely information
– most analysis is after the event – and the use of combinations of multiple factors in carrying
out attacks. This is particularly significant in respect of passive attacks that are intended to
pass unnoticed.
The impacts
The impacts and damage caused can be considered according to a pre-determined scale of
severity, although comparisons can be difficult in this kind of qualitative analysis because of
the wide variance of reporting possible from one victim to another.
From the point of view of the victim, the classification of impacts could also be based on their
type, such as, for example:
• Effects on human life, on the physical or mental wellbeing of a person, on their state
of mind, harassment (cyber-bullying, online grooming...)
• Effects on a person’s rights (fundamental rights and civil liberties)
• Effects on reputations
• Effects on the criteria for system security
• Effects on the confidentiality, integrity and availability of systems and data
• Effects on the proper operation of systems
• Ecological and environmental impacts...
It is essential to consider wider economic impacts too. In this context the taxonomy proposed
by Anderson et al. [32] is of real value, with the definitions of direct and indirect losses and
the costs of defence combining to allow the calculation of the costs to society.
One key limitation of such an approach arises from the incompleteness of information. Not all
impacts can be easily perceived and measured, while not all crimes are reported or even
detected.
The targets, such as:
• Fixed or mobile telephone platforms;
• Information systems;
• Network infrastructures;
• Routers and controllers;
• Communications protocols;
• DNS and other servers;
• Electronic messaging and mail systems;
• RFID chips;
• Elements of the Internet of Things...
There could be a classification based on the institutional nature of the targets (cable operators,
ISPs, financial institutions, governmental agencies, or organisations in the health sector such
as pharmaceutical companies, hospitals, doctors’ practices, and insurance companies). A
further distinction could be made on the basis of the degree of importance, more or less
critical, of the target for the country. This links to a classification by degree of significance of
the impacts on a particular sector (energy, health, telecoms, finance, and supply chains).
Furthermore, we need to distinguish between directed attacks against high value targets and
undirected attacks against low value targets. The same corporation might be attacked by both
social engineering intended to acquire login information to powerful and/or sensitive
accounts, and by waves of phishing emails.
There remains once again the question of whether organisations know they are being, or have
been, attacked.
The attackers:
• Attackers can be organised criminal groups, loose alignments of individuals, or
individuals possessing a range of different skills and experiences
• Motivations can be financial, political, ideological, entertainment, vengeance...
Identifying and classifying attackers can in practice be difficult because the nature of the
target or of the attack will not in every case allow the recognition of the motivation of the
perpetrators unless they actually communicate this themselves. In addition, techniques for
anonymisation and for routing attacks through intermediaries prevent the correct
identification of the attackers or the origins of a cyberattack.
As discussed in Section 4 above, there exists a wide range of taxonomies of cybercrime. The
EC3 - Europol’s European Cybercrime Centre - presents a classification based on eight
categories of cybercrime, while the Budapest Convention groups ten types into four main
categories and other sources restrict themselves to two high-level categories. Within this
range there is great variety and currently there is clearly no universal typology. These
variations are reinforced by the way that organisations dedicated to the sharing of
information, such as the CERTs, have historically been free to develop and implement their
own classification systems. This is also the case within the technology industry. Every actor,
notably those involved in the provision of services and measures for security and protection,
has a tendency to offer its own classification.
Even so, it is possible to conclude on the overall shape of a robust and durable taxonomy,
bearing in mind that as a result of the rapidly developing digital world, the continual
discovery and design of new ways for the ill-intentioned and malicious to misuse technologies
and resources to their own ends, and the constantly shifting legal frameworks designed and
implemented in countries and regions for pragmatic or political reasons, such a taxonomy
cannot be considered to be a static, completed document.
Within the framework of the E-CRIME project, the principal objective of which is to study
the economic impacts of cybercriminality in non-ICT sectors, we propose using simple and
appropriately generic criteria for classifying crimes. Useful categories could be:
1. Criminal online financial activity (including payment fraud, the manipulation of stock
prices, and various scams).
2. Causing the breakdown, interruption or incorrect operation of services or
infrastructures (unavailability, loss of integrity), taking into account the domino
effects on an economy should a cyberattack or cybercrime affect critical
infrastructures or the interdependency of infrastructures.
3. The theft or hijacking of processing capacity (CPU time, hijacking of bandwidth…)
4. The theft of information, secrets, intellectual property, or knowledge, with a
distinction to be made in respect of the sector in question (health, finance…).
Within these categories, further classification could be performed according to the following
criteria:
1. Targeted or non-targeted attacks
2. High or low value targets (will often be directly linked to the first criterion)
3. Aimed at consumers or companies
4. Direct cybercrime (such as theft of money) or infrastructure crime (such as malware
and botnets that facilitate the money-making crimes)
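The point made in Section 5.3 above (that a single fraud chain is made up of several distinct offences) and the four categories and four sub-criteria just listed can be illustrated in code. The following Python is an added example written for this discussion, not code from the E-CRIME project: the category assigned to each of the nine fraud steps is the example's own assumption, and the single-step contrast incident is constructed.

```python
"""Classification of multi-step cybercrime incidents against the four main
categories and four sub-criteria proposed in Section 6.1.

Added example, not code from the E-CRIME project. The assignment of each
fraud step to a category is this example's own assumption.
"""
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    FINANCIAL = "criminal online financial activity"
    DISRUPTION = "breakdown, interruption or incorrect operation of services"
    CAPACITY = "theft or hijacking of processing capacity"
    INFORMATION = "theft of information, secrets, intellectual property or knowledge"


@dataclass(frozen=True)
class Step:
    description: str
    categories: frozenset   # main categories the step falls under (may be empty)
    infrastructure: bool    # sub-criterion 4: enabling crime (True) or direct crime (False)


@dataclass(frozen=True)
class Incident:
    name: str
    steps: tuple
    targeted: bool            # sub-criterion 1
    high_value_target: bool   # sub-criterion 2
    victim_is_company: bool   # sub-criterion 3


def classify(incident):
    """Return a single headline label together with every constituent offence.

    The headline is the category of the last direct (non-infrastructure) step,
    which is how the whole chain comes to be filed simply as 'cyberfraud';
    'components' retains the separate illegal activities a single label loses.
    """
    components = set()
    for step in incident.steps:
        components |= step.categories
    direct = [s for s in incident.steps if not s.infrastructure]
    enabling = [s for s in incident.steps if s.infrastructure]
    headline = None
    for step in reversed(direct):
        if step.categories:
            headline = min(step.categories, key=lambda c: c.name)
            break
    return {
        "headline": headline,
        "components": sorted(components, key=lambda c: c.name),
        "single_label_sufficient": len(components) <= 1,
        "direct_steps": len(direct),
        "infrastructure_steps": len(enabling),
        "targeted": incident.targeted,
        "high_value_target": incident.high_value_target,
        "audience": "companies" if incident.victim_is_company else "consumers",
    }


F, D, C, I = Category.FINANCIAL, Category.DISRUPTION, Category.CAPACITY, Category.INFORMATION

# The nine-step online fraud summarised in Section 5.3 (after Sood et al.).
# Which category each step belongs to is an assumption made for this example.
NINE_STEP_FRAUD = Incident(
    name="nine-step online banking fraud",
    steps=(
        Step("Creation of malware", frozenset(), True),
        Step("Distribution of malware", frozenset(), True),
        Step("Drive-by-download attacks leading to the theft of credentials", frozenset({I}), True),
        Step("Recovery of credentials by the attacker", frozenset({I}), True),
        Step("Use of credentials through a compromised proxy server", frozenset({C}), True),
        Step("Access to the victim's banking details", frozenset({I}), False),
        Step("Extraction of funds", frozenset({F}), False),
        Step("Money-laundering to transfer the proceeds", frozenset({F}), False),
        Step("Sharing of profits", frozenset({F}), False),
    ),
    targeted=False, high_value_target=False, victim_is_company=False,
)

# Constructed contrast case: a single-step denial of service against an ISP.
SINGLE_STEP_DOS = Incident(
    name="denial of service against an ISP",
    steps=(Step("Flooding of the provider's network", frozenset({D}), False),),
    targeted=True, high_value_target=True, victim_is_company=True,
)

if __name__ == "__main__":
    for incident in (NINE_STEP_FRAUD, SINGLE_STEP_DOS):
        print(incident.name)
        for key, value in classify(incident).items():
            print(f"  {key}: {value}")
```

Run as a script, the fraud chain is reported under the single headline of financial crime while three constituent categories and five enabling steps are retained; the denial of service case is the one where a single label really is sufficient.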
6.2 Conclusions on the taxonomy of data sources
Information sources exist to respond to a wide range of user requirements, in terms of
dependence on technology, vulnerability to weaknesses, technical competence, and language.
With the existence of the national CERTs and a wide range of sophisticated internationally-focused
information centres, those administrations and corporations that possess the resources, the
awareness and the sense of priorities to be able to implement structures to monitor such
sources of information, absorb the messages and design and implement appropriate measures
should be able to protect themselves reasonably well from threats of attack, in so far as such
protection is possible in a world of knowns, known unknowns, and unknown unknowns.
There are, overall, sufficient reliable and up-to-date sources available for necessary
information to pass. Whether these are in a sufficiently clear and accessible format is less
evident, and professional experience and media reports of cybercriminality would suggest that
efforts need to be made in consolidating and presenting information in a user-friendly way.
For the average individual, resources also exist but as always in the field of security for
individuals the questions of awareness and competence arise. Some information sources such
as MELANI in Switzerland are aimed squarely at the domestic user and provide useful and
reliable information accompanied by links and explanations, but users still need to be aware
of the existence of such sites and to visit them regularly. Building a security information
reflex into user behaviour is an overall priority, and significant challenge, in the modern
interconnected world, made more difficult by the contradictory encouragement of many
online activities, such as participation in social media, to reveal as much personal information
as possible.
For researchers interested in the fields of cybercrime and cybersecurity, detailed sources of
publicly available information are less widely available. The inventory created within this
work package shows an absence of specific, detailed information about several dimensions, a
finding that is consistent with the work of Anderson et al. above whose results and
conclusions were dependent on assumptions and estimates.
7 Appendices
7.1 Appendix A
Appendix A presents the taxonomy in the form of a multi-page document providing details of the information sources.
Work Package 2: Tasks 2.1 and 2.2
Sources of Information
This document contains an inventory and taxonomy of sources of information related to cybercrime in general.
It is subdivided into six groups, based on the nature of the information or of the source organisation:
Cybercrime Reporting and Advisory
Vulnerability and Security Advisory
National CERTs
Other CSIRTs and CERTs
Agencies, Organisations and People
eCrime Publications and Links
Within Task 2.1, we have identified four major groups of cybercrime that are significant for the E-CRIME project:
1 Criminal online financial activity.
2 Activities causing the breakdown, interruption or incorrect operation of services or infrastructures.
3 The theft or hijacking of processing capacity.
4 The theft of information, secrets, intellectual property, or knowledge.
This document is colour-coded to indicate which sources of information apply to each of these dimensions of cybercrime, as follows:
Criminal online financial activity.
Activities causing the breakdown, interruption or incorrect operation of services or infrastructures.
The theft or hijacking of processing capacity.
The theft of information, secrets, intellectual property, or knowledge.
General information on cybercrime and/or cybersecurity, or on dimensions of cybercrime not specifically considered in this report.
It is evident from this coding that there exist significant gaps in publicly available information in respect of detailed aspects of cybercrime. A great deal of
general information is gathered and made available, at least in summary or headline form, but there is far less specific information.
A key element in the development of targeted cybercrime research will necessarily be the acquisition and analysis of appropriate data relating to the fields
that at present are under-represented in publicly available sources.
Cybercrime Reporting & Advisory
NOTE FROM RESEARCHER: DESCRIPTIONS ARE TAKEN DIRECTLY FROM THE WEBSITES. WHERE THEY WERE NOT AVAILABLE IN ENGLISH, A CLOSEST
TRANSLATION HAS BEEN TAKEN USING ELECTRONIC METHODS.
Columns: Description | URL | Language | Focus | Regularity | Comments

Description: The IC3 was established as a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C) to receive Internet related criminal complaints and/or regulatory agencies for any investigation they deem to be appropriate.
URL: http://www.ic3.gov/default.aspx
Language: E
Focus: US focused although states that they work with International agencies and Cyber Crime Task forces
Regularity: Ongoing
Comments: Nicely presented site that not only provides the ability to report but also includes a consumer alert facility (SCAM ALERTS)

Description: A government and law enforcement driven portal for the reporting of cyber crimes.
URL: https://www.internet-signalement.gouv.fr
Language: F
Focus: French
Regularity: Ongoing
Comments: Offers the facility to report anonymously

Description: "Signal Spam is a non for profit organisation and a public/private partnership promoting a trustworthy network of actors united to fight Spam. Among its contributors are French Authorities & Law Enforcement Agencies, main French Internet Services Providers and E-Mails Senders, Security and Reputation Companies, Consumers and Marketing Unions, etc."
URL: https://www.signal-spam.fr/
Language: F/E/D
Focus: French Focus
Regularity: Ongoing
Comments: (none)

Description: "The organisation of the NCSC is being shaped at this moment. On these pages you will find more information about the parties involved in the NCSC, background information about the developments leading to the start of the NCSC and about our main goals."
URL: https://www.ncsc.nl/
Language: Dutch/E
Focus: Netherlands Focus
Regularity: Ongoing
Comments: Provides advice and details. It would appear that it is still being established

Description: "FS-ISAC, or the Financial Services Information Sharing and Analysis Center, is the global financial industry's go to resource for cyber and physical threat intelligence analysis and sharing. FS-ISAC is unique in that it was created by and for members and operates as a member-owned non profit entity."
URL: https://www.fsisac.com/
Language: E
Focus: International
Regularity: Ongoing
Comments: Focus on the financial sector. Membership is typically required although some level of information is openly available. (Monthly newsletters are available on the website)

Description: "The MS-ISAC is the focal point for cyber threat prevention, protection, response and recovery for the nation's state, local, tribal, and territorial (SLTT) governments. The MS-ISAC 24x7 cyber security operations center provides real-time network monitoring, early cyber threat warnings and advisories, vulnerability identification and mitigation and incident response."
URL: https://msisac.cisecurity.org/
Language: E
Focus: Very US Centric
Regularity: Ongoing
Comments: (none)

Description: Spanish Government website for reporting a cyber crime.
URL: https://www.gdt.guardiacivil.es/webgdt/home_alerta.php
Language: Esp
Focus: Spain
Regularity: Ongoing
Comments: Offers two options. "To report" or "To inform". Overall the site offers details and helpful tips for the general public in simple and straightforward language. Has an "alerts" page of current potential issues.

Description: "Are the UK Hotline for reporting criminal online content and work with the internet industry, police and international partners to get it removed. Reports to the IWF are confidential and can be submitted anonymously"
URL: https://www.iwf.org.uk/
Language: E
Focus: UK - however accepts reporting from anywhere in the world
Ongoing
Primary focus is in reporting
sex abuse images of children
& Criminally obscene images.
Their vision is "the
elimination of child sex abuse
images online"
"CEOP works with child protection partners
across the UK and overseas to identify the
main threats to children and coordinates
activity against these threats to bring
offenders to account. We protect children
from harm online and offline, directly through
NCA (National Crime Agency) led operations
and in partnership with local and international
agencies."
https://www.ceop.police.u
k/
E
UK - however works
internationally if
required (depending
upon the case)
Ongoing
Advice for keeping children
safe online. Allows for the
reporting of crimes (online,
email offline) relating to child
abuse and sexual
exploitation.
https://www.ceop.police.uk/
Ceop-Report/
A WARP is a cost-effective, community-based
service where members can receive and share
up-to-date advice on security threats,
incidents and solutions. This community is
supported by a WARP operator.
http://www.warp.gov.uk/
E
UK
Ongoing
Community and user base
driven. Set up by the CPNI
40
The hotline.ie service provides an anonymous
facility for the public to report suspected
illegal content encountered on the Internet, in
a secure and confidential way. The primary
focus of the Hotline is to combat Child
Pornography. Other forms of illegal content
and activities exist on the Internet and may be
reported using this service.
http://www.hotline.ie/
E
Ireland
Ongoing
Also offers safety tips and
access to alert notifications
APWG is the global industry, law enforcement, http://www.antiphishing.o
and government coalition focused on unifying rg/report-phishing/
the global response to cyber crime through
development of data resources, data
standards and model response systems and
protocols for private and public sectors.
E
International
Ongoing
Very useful and heavily
supported by Industry.
Provide a wide range of
resources relating to AntiPhishing
Provides details of what to watch out for in a
wide range of scam. Has specific pages related
to online and Banking and online accounts
scams. Managed and run by the Australian
Competition and Consumer Commission.
http://www.scamwatch.go
v.au/
E
Australia
Ongoing
Useful as many of the types
of scams to watch out for are
not limited to just Australia.
Facility available to report
scams.
"e-Crime Wales is a partnership of
organisations and agencies committed to
equipping Welsh businesses with the
knowledge and tools to be aware, vigilant,
informed and ultimately safe from the
destructive effects of e-Crime in all its forms."
http://www.ecrimewales.c
om/en/report-ecrime
Wl/
E
Wales
Ongoing
Allows for reporting of ecrimes
41
"e-Crime Scotland has been developed
https://www.ecrimescotlan E
through the Scottish Business Resilience
d.org.uk/
Centre with key partners in Scottish Law
Enforcement, Scottish Government and the
wider business community who are all
committed to equipping Scottish businesses
with the knowledge and tools to be aware,
vigilant, informed and ultimately safe from the
destructive effects of e-crime in all its forms."
Scotland
Ongoing
Alerts and useful links
The National Trading Standards eCrime Team
(NTSeCT) has been set up by the National
Trading Standards Board and by the
Department of Business, Innovation and Skills
to investigate online scams and rip-offs of
national significance. For the first time teams
of e-crime intelligence specialists, internet
investigators and forensic analysts have come
together to tackle national online scams and
rip-offs, as well as support local and regional
trading standards officers with their own ecrime investigations..
http://www.tradingstandar
dsecrime.org.uk/
E
UK
Ongoing
Report online scams to
Trading Standards via the
Citizens Advice Consumer
Helpline.
"The website is presented to help you,
ADULTS and CHILDREN alike, with any form of
on-line or technology-driven antisocial
behaviour (commonly referred to as cyber
bullying). Whatever your age or background
we hope to provide you with useful tips,
common-sense approaches, advice and
practical information regarding cyber crime."
http://www.ecrimeaction.co.uk/
E
UK
Ongoing
Deals with cyber bullying
amongst other eCrimes
42
A regular survey of online merchants is carried http://www.cybersource.c
out by Cybersource, a VISA company that does om/current_resources/
credit card processing
E
For industry
Annual
Useful for card fraud on -line
Global fraud loss survey
http://www.cvidya.com/m
edia/62059/globalfraud_loss_survey2013.pdf
E
For industry
Annual
Useful for fraud
ITU on understanding cybercrime: general
overview, and challenges faced, anticybercrime strategies, overview of
international legislative approaches
(institutional, regional). Includes typology of
cybercrime. (Dated 2009)
http://www.itu.int/ITUD/cyb/cybersecurity/docs/i
tu-understandingcybercrime-guide.pdf
E
General audience
One-off
publicati
on
Economic impact of cybercrime
http://www.mcafee.com/c
a/resources/reports/rpeconomic-impactcybercrime2.pdf
E
General audience
One-off
publicati
on
A paper prepared in response to UK MOD
request by a number of academic institutions.
Describes direct costs, indirect costs and
defense costs. Distinguishes between
different "kinds" of crime (traditional crime
turned cyber, transitional crime where modus
operandi has changed due to move online,
new crimes coming from the use of internet,
and platform crimes (e.g. botnets).
http://weis2012.econinfos
ec.org/papers/Anderson_
WEIS2012.pdf
E
Commissioned by
central government.
One-off
publicati
on
OAS portal on cybercrime, links as provided
http://www.oas.org/juridic
o/english/cyber_links.htm
E,
Esp
Generalised portal
Ongoing
43
Trend Micro analysis, Bitcoin and POS related
attacks
http://www.trendmicro.co
m/cloudcontent/us/pdfs/securityintelligence/reports/rptcybercrime-hits-theunexpected.pdf
E
General audience
One-off
publicati
on
List and description of internet crime
schemes, IC3
http://www.ic3.gov/crimes
chemes.aspx
E
General audience
Ongoing
JP Morgan, overview of cybercrime
https://www.jpmorgan.co
m/cm/BlobServer/Cybercri
me_This_is_War.pdf?blobk
ey=id&blobwhere=132060
4888526&blobheader=appl
ication/pdf&blobheaderna
me1=CacheControl&blobheadervalue1
=private&blobcol=urldata&
blobtable=MungoBlobs
E
General audience
One-off
publicati
on
Scenarios for the Future of Cybercrime
http://2020.trendmicro.co
m/Project2020.pdf
E
General audience
One-off
publicati
on
Paper on measuring the costs with a number
of other links
http://ercimnews.ercim.eu/en90/speci
al/measuring-the-cost-ofcybercrimes
E
General audience
One-off
publicati
on
What is the shadow economy in Europe and
how does it function
http://www.atkearney.com
/financialinstitutions/ideas-
E
General audience
One-off
publicati
44
insights/article//asset_publisher/LCcgOeS4
t85g/content/the-shadoweconomy-in-europe2013/10192
on
Overview of black market of cybercrime
http://presse.pandasecurit
y.com/wpcontent/uploads/2012/06/
Le_Marche_Noir_du_Cyber
_Crime_FR.pdf
F
General audience
One-off
publicati
on
Rand corporation search report
http://www.rand.org/cont
ent/dam/rand/pubs/resear
ch_reports/RR600/RR610/
RAND_RR610.pdf
E
General audience
One-off
publicati
on
Established in 2004, The Shadowserver
Foundation gathers intelligence on the darker
side of the internet. We are comprised of
volunteer security professionals from around
the world. Our mission is to understand and
help put a stop to high stakes cybercrime in
the information age.
https://www.shadowserver E
.org/wiki/
Bots, Botnets, DDoS,
Malware, Scan attacks
Daily (or
even
more
frequen
t)
Provides statistics and maps
about several types of
attacks.
This paper puts forward a multi-level model,
based on system dynamics methodology, to
understand the impact of cyber crime on the
financial sector. It also develops a
classification for cyber crime based on the
nature of the crime
http://www.sciencedirect.c
om/science/article/pii/S01
6740481400087X
Mainly for academia
and practitioners
No
updates
Mainly based on the financial
sector
E
45
One of the first reports on analysing the
impact of different type of cyber crimes
https://www.gov.uk/gover
nment/uploads/system/upl
oads/attachment_data/file
/60943/the-cost-of-cybercrime-full-report.pdf
E
Written for decision
makers in the
government and
industry
No
updates
Classification is limited to a
few types of criminal
activities
Report based on hundreds of data breach
investigations and proprietary threat
intelligence. It focuses on who cyber criminals
attack, what information they want and how
they get it.
http://www2.trustwave.co
m/rs/trustwave/images/20
14_Trustwave_Global_Sec
urity_Report.pdf
E
Mainly for industry
Annual
A useful tool for comparing
countries and sectors at high
level
A report on Cost of Data Breach. It is a global
analysis based on eighth annual benchmark
study concerning the cost of data breach
incidents for companies located in nine
countries
http://www.ponemon.org/
local/upload/file/2013%20
Report%20GLOBAL%20CO
DB%20FINAL%205-2.pdf
E
For government and
industry
Annual
Useful since Ponemon
Institute researchers
collected in-depth qualitative
data through interviews with
more than 1,400 individuals
in 277 organizations over a
ten-month period. The report
is limited to 9 countries (4 are
European)
This is an article that focuses on the
theoretical foundation on how to classify
cyber crime
http://papers.ssrn.com/sol
3/papers.cfm?abstract_id=
740607
E
For academia
No
updates
Provides a good theoretical
foundation for cyber
classification
This article provides an interesting
classification of cyber crime based on
motivations
http://cecs.wright.edu/cop
/cybw/Kshetri_Nir.pdf
E
For academia
No
updates
Could be useful if we are
focusing on classifying
cybercrimes using
motivations
46
This report provides the UK view on cyber
threats and include an high level classification
https://www.gov.uk/gover
nment/uploads/system/upl
oads/attachment_data/file
/228826/7842.pdf
E
For government and
industry
Possibly
every 3
years
Could be useful since it
indicates which categories of
cybercrimes are perceived as
important by the UK
government
This is an in-depth analysis of on-line identity
theft
http://www.oecd.org/inter
net/consumer/40644196.p
df
E
For governments
No
updates
Could be useful for further
classifications for on-line
identity thefts
This article deals with the definition of
‘identity theft’ or
‘identity fraud’
http://www.fidis.net/filead
min/fidis/publications/200
6/DuD09_2006_553.pdf
E
For academia
No
updates
Could be useful for further
classifications for on-line
identity thefts
The article provides a conceptual review of
the major crimes leading to ID fraud
http://www.academicjourn
als.org/article/article13798
59409_Hedayati.pdf
E
For academia
No
updates
Useful since it provides
different conceptual
classifications for ID thefts
This is a report on Victims file complaints with
the IC3 ( formerly known as the Internet Fraud
Complaint Centre ) . The complains go into an
extensive database
http://www.ic3.gov/media
/annualreport/2013_IC3Re
port.pdf
E
For governments,
industry and individuals
Annual
US focused
Strategic analysis of Internet Facilitated
Organised Crime (iOCTA) assesses current and
future trends in cybercrime, and informs both
operational activity and EU policy.
https://www.europol.euro
pa.eu/sites/default/files/p
ublications/iocta.pdf
E
For law enforcement
agencies
Unknow
n
Useful for identifying new
trends and new categories of
crime
The UK Payments Administration, a payment
industry trade association, publishes annual
reports.
http://www.ukpayments.o
rg.uk/
E
Industry
Annual
Useful for card fraud
47
Data given in this domain are collected
annually by the National Statistical Institutes
and are based on Eurostat's annual model
questionnaires on ICT (Information and
Communication Technologies) usage in
households and by individuals.
http://epp.eurostat.ec.eur
opa.eu/cache/ITY_SDDS/E
N/isoc_bde15c_esms.htm
E
For government,
industry, individuals
Annual
Useful for general ICT
security and trust
Commercial risk analysis services
http://www.lexisnexis.com
/risk/insights/true-costfraud.aspx
E
Industry and general
public
Ongoing
Insurance and banking
industry focus
Financial services provider reporting
periodically on data security and fraud
prevention
www.mastercard.com
E
General public
Ongoing
Useful for card and data
fraud data
Financial services provider reporting
periodically on data security and fraud
prevention
http://www.visa.com
E
General public
Ongoing
Useful for card and data
fraud data
48
Vulnerability-Security Advisory
NOTE FROM RESEARCHER: MANY DESCRIPTIONS ARE TAKEN DIRECTLY FROM THE WEBSITES. WHERE THEY WERE NOT AVAILABLE IN ENGLISH, A CLOSEST TRANSLATION HAS BEEN TAKEN USING ELECTRONIC METHODS.
(Columns: Name, Description, URL, Language, Focus, Regularity, Comments)

Name: CVE
Description: "CVE is a dictionary of publicly known information security vulnerabilities and exposures. CVE's common identifiers enable data exchange between security products and provide a baseline index point for evaluating coverage of tools and services."
URL: https://cve.mitre.org/
Language: E
Focus: International
Regularity: Ongoing

Name: National Vulnerability Database
Description: "NVD is the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. NVD includes databases of security checklists, security related software flaws, misconfigurations, product names, and impact metrics."
URL: http://nvd.nist.gov/
Language: E
Focus: US Focus (for government bodies and agencies). However, well respected and frequently referenced internationally.
Regularity: Ongoing

Name: CERT Vulnerability Notes Database
Description: "The Vulnerability Notes Database provides timely information about software vulnerabilities. Vulnerability notes include summaries, technical details, remediation information, and lists of affected vendors. Many vulnerability notes are the result of private coordination and disclosure efforts"
URL: http://www.kb.cert.org/
Language: E
Focus: International
Regularity: Ongoing

Name: Security Focus
Description: A listing of vulnerabilities which can be sorted by vendor. It is also the moderator for the BugTraq mailing list.
URL: http://www.securityfocus.com/
Language: E
Focus: International
Regularity: Ongoing
Comments: Good site which also sections details and provides information on Forensics, Honeypots, Log Analysis, website security and others.

Name: Seclist
Description: Provides an archive (and some moderation) of various vulnerability mailing lists.
URL: http://seclists.org/
Language: E
Focus: International
Regularity: Archive

Name: Security Tracker
Description: A listing of vulnerabilities and archives. Also provides a search facility and listing under third party organisations (those who published the exploit) in addition to the usual facilities.
URL: http://securitytracker.com/
Language: E
Focus: International
Regularity: Ongoing

Name: Full Disclosure
Description: Probably one of the most widely used vulnerability mailing lists (Full Disclosure), which was closed for a brief period and has now been re-opened by other moderators from the security community.
URL: http://www.insecure.org
Language: E
Focus: International
Regularity: Ongoing

Name: Neohapsis
Description: This is a US based commercial security organisation; their research department provides a vulnerability archive resource. It also archives the SANS and RISKS newsletters.
URL: http://archives.neohapsis.com/
Language: E
Focus: International
Regularity: Ongoing

Name: SANS @RISK
Description: "The Critical Vulnerability Analysis and the Security Alert Consensus have merged to become @RISK: The Consensus Security Alert. Delivered every Thursday, @RISK first summarizes the three to eight vulnerabilities that matter most, tells what damage they do and how to protect yourself from them. @RISK adds to the critical vulnerability list a complete catalogue of all the new security vulnerabilities discovered during the past week. Thus in one bulletin, you get the critical ones plus a complete list of the full spectrum of newly discovered vulnerabilities."
URL: http://www.sans.org/newsletters/risk/
Language: E
Focus: International
Regularity: Ongoing

Name: Microsoft Security Centre
Description: "Led by some of the world's most experienced security experts, the MSRC identifies, monitors, responds to and resolves security incidents and vulnerabilities in Microsoft software. This helps our customers manage security risks, builds community-based defense capabilities, and enables the development of best practices that have been adopted by others in the software industry."
URL: http://technet.microsoft.com/en-us/security/dn440717
Language: E
Focus: International
Regularity: Ongoing
Comments: There are separate links within this, which are "Advisories" and "Bulletins", and the ability to create your own dashboard ("MyBulletins").

Name: Drupal
Description: Provides details and advisories of Drupal vulnerabilities.
URL: https://www.drupal.org/security
Language: E
Focus: International
Regularity: Ongoing

Name: Team Cymru
Description: "Team Cymru Research NFP is an Illinois non-profit and a US Federal 501(c)3 organization. A group of technologists passionate about making the Internet more secure and dedicated to that goal. Work closely with and within Internet security communities, as well as with all manner of other organizations - after all, almost every organization in the modern world is connected to the Internet in some way or another, and they all need help to ensure that their parts of the network remain safe and secure."
URL: http://www.team-cymru.org/
Language: E
Focus: International
Regularity: Ongoing

Name: The Internet Storm Center
Description: The Internet Storm Center gathers millions of intrusion detection log entries every day, from sensors covering over 500,000 IP addresses in over 50 countries. It is rapidly expanding in a quest to do a better job of finding new storms faster, identifying the sites that are used for attacks, and providing authoritative data on the types of attacks that are being mounted against computers in various industries and regions around the globe. The Internet Storm Center is a free service to the Internet community. The work is supported by the SANS Institute from tuition paid by students attending SANS security education programs.
URL: https://isc.sans.edu/
Language: E
Focus: US locations / International usage
Regularity: Ongoing
Comments: Range of information and some tools are available.

Name: McAfee Labs
Description: McAfee Labs is the world's leading source for threat research, threat intelligence, and cyber security thought leadership. The McAfee Labs team of 500 threat researchers correlates real-world data collected from millions of sensors across key threat vectors (file, web, message, and network) and delivers threat intelligence in real-time to increase protection and reduce risk.
URL: http://www.mcafee.com/uk/resources/reports/rp-quarterly-threat-q2-2014.pdf
Language: E
Focus: For industry
Regularity: Quarterly
Comments: Provides insights on, and new classifications of, on-line threats.

Name: ECENTRE project
Description: Canterbury Christ Church University has launched a Centre for Cybercrime Forensics (CCF) recognising the growing body of work across the last decade by staff in the University's Department of Computing and the Department of Law and Criminal Justice Studies. The Centre will carry out research, hold conferences and provide training and education opportunities to prevent and tackle Cybercrime.
URL: http://www.canterbury.ac.uk/news/newsrelease.asp?newsPk=2021
Language: E
Focus: For law enforcement
Regularity: Unknown
Comments: New centre, created in 2012.

Name: The Microsoft Security Intelligence Report (SIR)
Description: The Microsoft Security Intelligence Report (SIR) analyzes the threat landscape of exploits, vulnerabilities, and malware using data from Internet services and over 600 million computers worldwide. Threat awareness can help you protect your organization, software, and people.
URL: http://www.microsoft.com/security/sir/default.aspx
Language: E
Focus: For government, industry, individuals
Regularity: Annual
Comments: Useful for classification and data collection of malware.

Name: Symantec MessageLabs Intelligence reports
Description: The Internet Security Threat Report provides an overview and analysis of the year in global threat activity. The report is based on data from the Symantec Global Intelligence Network, which Symantec's analysts use to identify, analyze, and provide commentary on emerging trends in the dynamic threat landscape.
URL: http://www.symantec.com/security_response/publications/threatreport.jsp
Language: E
Focus: For government, industry, individuals
Regularity: Annual
Comments: Good for statistics, data and classifications.

Name: Mobile Apps: New Frontier for cybercrime
Description: Trend Micro Threat Encyclopedia, mobile app threats
URL: http://about-threats.trendmicro.com/us/webattack/119/Mobile%20Apps%20New%20Frontier%20for%20Cybercrime
Language: E
Focus: International
Regularity: Ongoing

Name: Sophos
Description: Commercial producer of anti-virus and encryption products. Publishes user-targeted reports.
URL: http://www.sophos.com/en-us/medialibrary/PDFs/other/sophossecuritythreatreport2013.pdf
Language: E
Focus: Commercial products for corporations and end-users
Regularity: Ongoing
Comments: Commercial

Name: We Live Security
Description: Part of ESET, a Slovakian anti-malware software provider. "We Live Security comes from the brains at ESET – experienced researchers with in-depth knowledge of the latest threats and security trends. It's an editorial outlet for internet security news, views and insight, covering the latest, breaking security news, alongside video tutorials, in-depth features, and podcasts."
URL: http://www.welivesecurity.com/
Language: E
Focus: Commercial; products, information, editorial comment
Regularity: Ongoing
Comments: Commercial

Name: Malwarebytes
Description: Blog of a leading anti-malware provider.
URL: http://blog.malwarebytes.org
Language: E
Focus: Information and comment
Regularity: Ongoing

Name: Edgis Security
Description: Edgis is an infocomm security special interest group formed by a group of enthusiasts in January 2011. Edgis aims to build an environment where infocomm security enthusiasts can share knowledge, collaborate on projects, and meet like-minded people.
URL: http://edgis-security.org/
Language: E
Focus: Information sharing in respect of communications security
Regularity: Ongoing
Comments: Networking group

Name: Messaging Anti-Abuse Working Group
Description: The purpose of MAAWG is to bring the messaging industry together to work collaboratively and to successfully address the various forms of messaging abuse, such as spam, viruses, denial-of-service attacks and other messaging exploitations. To accomplish this, MAAWG develops initiatives in the three areas necessary to resolve the messaging abuse problem: industry collaboration, technology, and public policy.
URL: http://www.maawg.org
Language: E
Focus: Industry group, general public
Regularity: Ongoing
Comments: View from the inside of a specific problem.

Name: Mandiant
Description: Security advisory corporation that publishes reports.
URL: http://www.mandiant.com
Language: E
Focus: Security issues
Regularity: Ongoing
Comments: Commercial

Name: Tripwire
Description: Commercial security solution and vulnerability management provider. Publishes regular blog items.
URL: http://www.tripwire.com/state-of-security/
Language: E
Focus: Security and vulnerability management; corporations and individuals
Regularity: Ongoing
Comments: Commercial

Name: Krebs on Security
Description: News site written by a well-known author and journalist.
URL: http://krebsonsecurity.com/
Language: E
Focus: IT security in general; cybercrime and hacking
Regularity: Ongoing
Comments: Professional, non-commercial
National CERTs
NOTE FROM RESEARCHER: DESCRIPTIONS ARE TAKEN DIRECTLY FROM THE WEBSITES. WHERE THEY WERE NOT AVAILABLE IN ENGLISH, A CLOSEST
TRANSLATION HAS BEEN TAKEN USING ELECTRONIC METHODS.
http://www.govcert.gv.at/
D/E
Generalist Ongoing
http://www.cert.at/index_e
n.html
D/E
Generalist Ongoing
https://www.cert.be/
E
Generalist Ongoing
55
Comments
Regularity
Focus
Language
BELGIUM
"GovCERT Austria is the Government
Computer Emergency Response Team for
the public administration and the critical
information infrastructure (CII) in Austria."
"CERT.at is the primary contact point for
IT-security in a national context. CERT.at
will coordinate other CERTs operating in
the area of critical infrastructure or
communication infrastructure. We will also
provide basic IT-security information
(warnings, alerts, advise) for SMEs. In the
case of significant online attacks against
Austrian infrastructure, CERT.at will
coordinate the response by the targeted
operators and local security teams"
CERT.be is the federal cyber emergency
team which, as a neutral specialist in
Internet and network security, is able to
assist your company or organisation with:
coordination in the event of cyber
incidents; advice about finding a solution
when cyber incidents arise;
URL
AUSTRIA
CERT.AT
Description
Name
AUSTRIA
Works in Co-operation with
GovCERT Austria and is the
National Austrian CERT
support to prevent these security incidents
occurring.
CROATIA
DENMAR
K
"CERT Bulgaria is the National Computer
Security Incidents Response Team. Its
mission is to provide information and
assistance to its constituencies in
implementing proactive measures to
reduce the risks of computer security
incidents as well as responding to such
incidents when they occur."
"The National CERT was established in
accordance with the Information security
law and its main task is processing of
incidents on the Internet, i.e., preservation
of the information security in Croatia.
According to the National CERT Operations
policy, it deals with the incident, if one
party to the incident is in the Croatian IP
address space or in .hr Internet domain."
GovCERT is an alert service for Internet
threats, detect security mode on the state
of the Internet and identify cyber attacks
against the authorities. By providing
information about specific threats to the
user community
https://govcert.bg/
B
Generalist Ongoing
http://www.cert.hr/
HR
Generalist Ongoing
Danish
BULGARI
A
Generalist Ongoing
http://feddis.dk/cfcs/opgaver/govcer
t/Pages/GovCert.aspx
56
Works on Co-operation with
CERT.AT
ESTONIA
FINLAND
FRANCE
GEORGIA
GERMANY
RIA handles information security incidents,
the department operates in a national
CERT's duties and functions with an
international point of contact. CERT
Estonia detects, monitors and resolves
computer networks in Estonia will be no
security incidents, threats inform and
organize prevention activities
"The National Cyber Security Centre
Finland (NCSC-FI) is responsible for
monitoring cyber security risks, collecting
information related to cyber security from
various sources as well as processing it and
communicating it to various players. NCSCFI is also specialised in information
assurance matters related to the handling
of classified information in electronic
communications. "
CERT-FR is the French government CSIRT.
As such, CERT-FR is the point of contact for
all computer-related security incidents
regarding France.
CERT-GE provides consultations on
network security and supports users to
solve network incidents connected with
unauthorized access on user’s servers and
computers, virus attacks and other Cyber
incidents.
German National CERT which provides
details on vulnerabilities and warnings
https://www.ria.ee/cert
EST
/E
Estonia
Ongoing
https://www.viestintavirasto Fin
.fi/en/informationsecurity/fi /E
corasinformationsecurityserv
ices.html
Generalist Ongoing
"FICORA's CERT-FI and NCSA-FI
duties have been merged into
the National Cyber Security
Centre Finland (NCSC-FI) on 1
January 2014."
http://cert.ssi.gouv.fr/
F
Generalist Ongoing
Offers awareness and also
contacts if you feel you have
suffered a breach.
http://grena.ge/eng/services
/cert
GE/
E
Georgia
Also provide training and elearning.
https://www.cert-bund.de/
D
Generalist Ongoing
57
Ongoing
Part of the German BSI
https://www.bsi.bund.de
GREECE
(NAAEA)
The mission of the National Authority
Against Electronic Attacks is to attend to
the prevention as well as the passive and
active encounter of electronic attacks
against communication networks, data
storage facilities and IT systems. In
addition, the Authority is responsible for
processing the data and notifying the
competent authorities.
HUNGARY CERT-Hungary is the governmental CSIRT
of Hungary. It operates within the Special
Service for National Security. CERTHungary started its operation on July 2013.
With effect of July 2013, CERT-Hungary is
the Government Incident Response Team
of Hungary, designated by a Government
Decree. CERT-Hungary coordinates
preventative work and responses against IT
security breaches aimed at critical
infrastructure in Hungary.
ICELAND
CERT-IS is the Icelandic centre for handling
serious cyber security incidents in the
critical informational infrastructure (CII).
CERT-IS will, as far as possible, assist its
constituency members in preventing such
incidents, educate and inform about
threats and coordinate responses when
serious cyber security incidents occur.
http://www.nis.gr/portal/pa
ge/portal/NIS/NCERT
GR/
E
Generalist Ongoing
http://www.certhungary.hu/en
H/E
Hungary
Ongoing
Just over one year old
http://www.cert.is/en.html
Is/E
Iceland
Ongoing
Limited information compared
to others
58
IRELAND
ISRAEL
(ILANCERT)
ITALY
(CERT-PA)
IRISS-CERT is Ireland's first CSIRT
(Computer Security Incident Response
Team) to provide services to all users
within Ireland. Our goal is to provide a
range of high quality information security
based services to aid Irish based
organisations and citizens to better secure
their information technology facilities and
services in accordance with industry
recognised standards and compliance
requirements, to provide high quality
research services on current and potential
information security threats, to provide
information security prevention, response
and mitigation strategies and to become a
recognised centre of information security
excellence for national and international
organisations to refer to.
The IUCC CERT is a 24x7 Computer
Emergency Response Team set up by IUCC
to handle all incidents and issues with
computer and networking security in
higher education - specifically universities in Israel.
The IUCC also provides emergency
response services to the South-East-Europe
federation, as part of the EGEE project.
https://www.iriss.ie/iriss/
E
Ireland
Ongoing
https://cert.iucc.ac.il/en/abo
ut_us.html
E/H
e
Israel,
academia
Ongoing
http://www.agid.gov.it/infra
strutture-sicurezza/cert-pa
I
Italy
Ongoing
59
Similar modelling to the Estonia
CERT
LATVIA (CERT.LV)
Description: "CERT.LV mission is to promote information technology (IT) security in Latvia. CERT.LV operates under the Ministry of Defence of the Republic of Latvia and is regulated by the Information Technology Security Law. CERT.LV main tasks are to maintain and update information on IT security threats, provide support in the case of IT security incident, advise governmental institutions, organize informative and educational activities for the government employees, IT security professionals and general public"
URL: https://cert.lv
Language: LV/E
Focus: Generalist
Regularity: Ongoing
Comments: LV CSIRT was converted in 2012 into the Information Technology and Information Systems Security Expert Group (DEG). DEG has its own Statutes (in Latvian) and Code of Ethics (in Latvian). The group works to support CERT.LV and meets on the 2nd Thursday of each month. The site also carries a useful link to a "Black List of Latvian Spammers": http://blw.cert.lv/?&lng=en_EN

LITHUANIA (CERT-LT)
Description: CERT-LT is the Lithuanian national Computer Emergency Response Team whose task is to promote security in the information society by preventing, observing, and solving information security incidents and disseminating information on threats to information security.
URL: https://www.cert.lt/en/index.html
Language: Lt/E
Focus: Lithuania
Regularity: Ongoing
Comments: Provides a useful archive of incident statistics.

LUXEMBOURG (GOVCERT.LU)
Description: The computer emergency response team of the Government of Luxembourg (GOVCERT.LU), also known as the computer security incident response team (CSIRT). GOVCERT.LU is the single point of contact dedicated to the treatment of all computer related incidents jeopardising the information systems of the government and of critical infrastructure operators.
URL: http://www.govcert.lu/en//
Language: Lu/F/E
Focus: Luxembourg
Regularity: Ongoing
Comments: Offers the usual services and an online reporting form: https://www.govcert.lu/online_form
MONTENEGRO (CIRT.ME)
Description: The Law on Information Security of Montenegro defines the establishment of the National Montenegrin Computer Incident Response Team (CIRT.ME). CIRT.ME functions as Governmental and National CIRT. The primary constituency for CIRT.ME is defined as all Government Institutions in Montenegro and Critical National Infrastructure in Montenegro; all other networks and incidents in Montenegro are defined as secondary constituency.
URL: http://www.cirt.me/
Language: Mo/E
Focus: Montenegro
Regularity: Ongoing
Comments: Well laid out site, the majority of which is also available in English. Ability to report incidents: http://www.cirt.me/en/report-an-incident/

NETHERLANDS (NCSC)
Description: The National Cyber Security Centre (NCSC) has been operational since 1 January 2012. Its mission: to help increase the resilience of Dutch society in the digital domain and, by doing so, help to create a safe, open and stable information society. How and with whom the NCSC is going to achieve this is outlined here.
URL: http://govcert.nl
Language: Dutch/E
Focus: Generalist
Regularity: Ongoing

NORWAY (NSM)
Description: "National Security Authority (NSM) is a Directorate of Preventive Security Service. NSM has within its remit to protect information and objects against espionage, sabotage and terrorist actions through: providing advice and guidance; developing safety; alerting on and managing serious cyber attacks; supervising and exercising authority in accordance with regulations. NSM should be a driving force for the improvement of safety conditions and provide advice on the development of safety in the community."
URL: http://nsm.stat.no/omnsm/english/
Language: Nor/E
Focus: Norway
Regularity: Ongoing
Comments: Provides a wide range of services, of which undertaking the role of CERT would appear to be a part.
POLAND (CERT.GOV.PL)
Description: "The Governmental Computer Security Incident Response Team was established on 1 February, 2008. Its chief task is ensuring and developing the capability of public administration units to protect themselves against cyber threats, in particular against attacks aimed at the infrastructure involving IT systems and networks the destruction or disturbing of which may considerably threaten the lives and health of people, existence of national heritage and the environment or lead to considerable financial loss or disturb the operation of public authorities. The CERT.GOV.PL team is a part of the IT Security Department at the Polish Internal Security Agency."
URL: http://www.cert.gov.pl/
Language: PL/E
Focus: Generalist
Regularity: Ongoing
Comments: Well presented site, most pages available in English. A link to incident reporting and the forms are available: http://www.cert.gov.pl/cee/incident-submission/90,Report-on-Incident.html

PORTUGAL (CERT.PT)
Description: The CERT.PT's mission is to contribute to the effort of national cyber security, including processing and coordination of incident response, the production of security alerts and advisories and the promotion of a safety culture in Portugal.
URL: http://www.cert.pt/
Language: Por
Focus: Portugal
Regularity: Ongoing

ROMANIA (CERT-RO)
Description: CSIRT - centre for response to cyber security incidents - a specialized organizational entity that has the capacity necessary for the prevention, analysis, identification and response to cyber incidents. CERT-RO is a national point of contact with structures of a similar type. It ensures the development and dissemination of public policies to prevent and counteract incidents of cyber infrastructures, according to area of competence. It also analyses procedural and technical malfunctions.
URL: http://www.cert-ro.eu/despre.php
Language: Ro/E
Focus: Romania
Regularity: Ongoing
Comments (this comment belongs to either the Portugal or the Romania row; the column alignment was lost in extraction): Some difficulty with the English option on the website. Wide range of services, including legislation, current threats and historical reports on threats encountered.
RUSSIA (GOV-CERT.RU)
Description: The Computer Incident Response Center for the information and telecommunications networks (ITS) of the bodies of state power of the Russian Federation (GOV-CERT.RU) coordinates the actions of the interested agencies and organizations in the prevention, detection and elimination of the consequences of computer incidents that occur in the ITS of the authorities of the Russian Federation.
URL: http://www.gov-cert.ru/
Language: Ru/E
Focus: Russian Federation
Regularity: Ongoing
Comments: Able to report an incident: http://www.gov-cert.ru/abuse/index.html

SLOVAKIA (CSIRT.SK)
Description: CERT.SK provides services associated with security incident handling and impact elimination followed by the recovery of affected information and communication technologies.
URL: https://www.csirt.gov.sk
Language: SK
Focus: Generalist
Regularity: Ongoing
Comments: Feature to report an incident or vulnerability. Was set up by the Ministry of Finance.

SPAIN (CCN-CERT)
Description: "The CCN-CERT is the Information Security Incident Response capacity of the National Cryptologic Centre. This service was created in late 2006 as the Spanish government CERT"
URL: https://www.ccn-cert.cni.es/
Language: ESP/EN
Focus: Generalist
Regularity: Ongoing

SWEDEN (CERT-SE)
Description: CERT SE is Sweden's national CSIRT (Computer Security Incident Response Team) that aims to support the community in efforts to deal with and prevent IT incidents. The business is run by the Swedish Civil Contingencies Agency (MSB).
URL: https://www.cert.se
Language: Swedish
Focus: Generalist
Regularity: Ongoing
Comments: Run by the Swedish Civil Contingencies Agency (MSB): https://www.msb.se/
SWITZERLAND (MELANI)
Description: Reporting and Analysis Centre for Information Assurance, Swiss Confederation. Federal site providing information on security risks and periodic situation reports.
URL: http://www.melani.admin.ch/?lang=en
Language: D/F/I/E
Focus: Information for small and medium-sized businesses and for individuals
Regularity: Semi-annual reports; ad hoc general updates
Comments: Useful source containing case studies and clear examples of attacks.

SWITZERLAND (CYCO)
Description: Cybercrime Coordination Unit Switzerland (CYCO/SCOCI/KOBIK). Switzerland's central office for reporting illegal subject matter on the Internet. After conducting an initial analysis of the incoming report and securing the relevant data, CYCO forwards the case to the appropriate law enforcement agencies in Switzerland and/or abroad. The Cybercrime Unit also actively searches the Internet for illegal subject matter and carries out in-depth analyses of Internet crime.
URL: http://www.cybercrime.admin.ch/kobik/fr/home.html
Language: D/F/I/E
Focus: General public
Regularity: Ongoing
Comments: Useful source of sober information for individuals.

TURKEY
Description: Provides national direction on matters of cyber security and incident response.
URL: http://www.bilgiguvenligi.gov.tr/
Language: Tr
Focus: Turkey
Regularity: Ongoing
Comments: Provides various security guides and announcements.

UKRAINE
Description: The official CERT of Ukraine.
URL: http://cert.gov.ua/?page_id=532
Language: Ua
Focus: Ukraine
Regularity: Ongoing
Comments: Allows for reporting (http://cert.gov.ua/?page_id=532) and provides threat awareness.
UNITED KINGDOM (GovCertUK)
Description: GovCertUK is the Computer Emergency Response Team (CERT) for UK Government. We assist public sector organisations in the response to computer security incidents and provide advice to reduce the threat exposure. We gather data from all available sources to monitor the general threat level. For these reasons the early reporting of incidents and attempted attacks is highly recommended.
URL: http://www.cesg.gov.uk/PolicyGuidance/GovCertUK/Pages/index.aspx
Language: E
Focus: Generalist
Regularity: Ongoing

VATICAN (SICEI)
Description: The Computer Emergency Response Team of the SICEI was established to support the Italian diocese in the management of cyber incidents.
URL: http://cert.chiesacattolica.it/
Language: I
Focus: Italian diocese
Regularity: Ongoing

OUTSIDE EUROPE

AUSTRALIA (CERT-AUSTRALIA)
Description: CERT Australia (the CERT) is the national computer emergency response team. We are the point of contact in Government for cyber security issues affecting major Australian businesses. The CERT is part of the Federal Attorney-General's Department, with offices in Canberra and Brisbane. We also work in the Cyber Security Operations Centre, sharing information and working closely with the Australian Security Intelligence Organisation (ASIO), the Australian Federal Police (AFP), the Australian Signals Directorate (ASD) and the Australian Crime Commission (ACC).
URL: https://www.cert.gov.au/
Language: E
Focus: General users
Regularity: Ongoing
Comments (the single comment on this page; which of the United Kingdom, Vatican or Australia rows it belongs to was lost in extraction): Very limited information. Contact details available.
CANADA (CCIRC)
Description: CCIRC helps ensure that many of the services which Canadians rely on daily are secure. It assists in securing the vital cyber systems of provinces, territories, municipalities and private sector organizations while collaborating closely with partners, including international counterparts and information technology vendors.
URL: http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/ccirc-ccric-eng.aspx
Language: E/F
Focus: General users
Regularity: Ongoing

CHINA (CNCERT)
Description: The National Computer Network Emergency Response Technical Team/Coordination Center of China (known as CNCERT or CNCERT/CC) was founded in September 2002. It is a non-governmental non-profit cybersecurity technical center and the key coordination team for China's cybersecurity emergency response community. As a national CERT, CNCERT strives to improve the nation's cybersecurity posture, and protect critical infrastructure cybersecurity. CNCERT leads efforts to prevent, detect, warn and coordinate the cybersecurity threats and incidents, according to the guideline of "proactive prevention, timely detection, prompt response and maximized recovery".
URL: http://www.cert.org.cn/publish/english/index.html
Language: E/Ch
Focus: General users
Regularity: Ongoing

JAPAN (JPCERT)
Description: JPCERT/CC is the first CSIRT (Computer Security Incident Response Team) established in Japan. The organization coordinates with network service providers, security vendors, government agencies, as well as the industry associations.
URL: http://www.jpcert.or.jp/english/
Language: E/J
Focus: General users
Regularity: Ongoing
MALAYSIA (MyCERT)
Description: CyberSecurity Malaysia is the national cyber security specialist agency under the Ministry of Science, Technology and Innovation (MOSTI).
URL: http://www.mycert.org.my/en/
Language: E
Focus: General users
Regularity: Ongoing

SINGAPORE (SingCERT)
Description: The Singapore Computer Emergency Response Team (SingCERT) responds to cyber security incidents for its Singapore constituency. It was set up to facilitate the detection, resolution and prevention of cyber security related incidents on the Internet.
URL: https://www.singcert.org.sg/
Language: E
Focus: General users
Regularity: Ongoing

UNITED ARAB EMIRATES (aeCERT)
Description: The United Arab Emirates Computer Emergency Response Team (aeCERT) is the cyber security coordination center in the UAE. It is established by the Telecommunications Regulatory Authority (TRA) as an initiative to facilitate the detection, prevention and response of cyber security incidents on the Internet.
URL: http://www.aecert.ae/index-en.php
Language: E/Ar
Focus: General users
Regularity: Ongoing

US-CERT (United States Computer Emergency Readiness Team)
Description: "The Department of Homeland Security's United States Computer Emergency Readiness Team (US-CERT) leads efforts to improve the nation's cyber security posture, coordinate cyber information sharing, and proactively manage cyber risks to the Nation while protecting the constitutional rights of Americans."
URL: http://www.us-cert.gov/
Language: E
Focus: Generalist
Regularity: Ongoing
Comments: Overwhelming US focus but of significant interest to all ICT users.
Other CSIRT-CERTs

NOTE FROM RESEARCHER: DESCRIPTIONS ARE TAKEN DIRECTLY FROM THE WEBSITES. WHERE THEY WERE NOT AVAILABLE IN ENGLISH, A CLOSEST TRANSLATION HAS BEEN TAKEN USING ELECTRONIC METHODS.

Columns: Name, Description, URL, Language, Focus, Regularity, Comments.

Bürger-CERT
Description: "The citizen-CERT is a project of the Federal Office for Information Security (BSI). The citizen-CERT warns and informs citizens and small businesses quickly and competently against viruses, worms, and other vulnerabilities - of course free of charge and completely neutral. Our experts analyse and evaluate the security situation on the Internet around the clock and send warnings and safety information on vulnerabilities, with concrete recommended actions, by e-mail."
URL: https://www.buergercert.de/about
Language: D
Focus: Germany
Regularity: Ongoing

CERT-EU
Description: "After a pilot phase of one year and a successful assessment by its constituency and its peers, the EU Institutions have decided to set up a permanent Computer Emergency Response Team (CERT-EU) for the EU institutions, agencies and bodies on September 11th 2012. The team is made up of IT security experts from the main EU Institutions (European Commission, General Secretariat of the Council, European Parliament, Committee of the Regions, Economic and Social Committee). It cooperates closely with other CERTs in the Member States and beyond as well as with specialised IT security companies."
URL: http://cert.europa.eu/
Language: E
Focus: Europe
Regularity: Ongoing

CERT.ORG (SEI with Carnegie Mellon University)
Description: The CERT Division of the Software Engineering Institute (SEI) has evolved dramatically since it was created in 1988 as the CERT Coordination Center in response to the Morris worm incident. The small organization established to coordinate response to internet security incidents now has more than 150 cyber security professionals working on projects that take a proactive approach to securing systems.
URL: www.cert.org
Language: E
Focus: US
Regularity: Ongoing
Comments: US centric and works closely with the DHS.

CPNI
Description: CPNI protects national security by providing protective security advice. Our advice covers physical security, personnel security and cyber security/information assurance.
URL: http://www.cpni.gov.uk/
Language: E
Focus: UK
Regularity: Ongoing

ESACERT
Description: European Space Agency CERT.
URL: http://www.esacert.esa.int/
Language: E
Focus: European Space Agencies and related organisations
Regularity: Uncertain
Comments: Several pages appear to require some subscription access; however, it is uncertain whether the site is possibly defunct. An email has been sent to the webmaster.

FIRST
Description: "FIRST is the Forum of Incident Response and Security Teams. The idea of FIRST goes back to 1989, only one year after the CERT(r) Coordination Center was created after the infamous Internet worm. Back then incidents already were impacting not only one closed user group or organization, but any number of networks interconnected by the Internet. FIRST brings together a wide variety of security and incident response teams including especially product security teams from the government, commercial, and academic sectors."
URL: http://www.first.org/
Language: E
Focus: International
Regularity: Ongoing
Comments: Very international focus. Several members are also commercial.

GARR CERT
Description: The official CERT for the GARR network and its services are dedicated to the Italian Academic and Research Community. Currently, about 500 sites, including research and documentation centres, universities, observatories, laboratories, libraries, museums and other infrastructure, for a total of more than 2,000,000 end users, are connected to the GARR network.
URL: http://www.cert.garr.it/en/
Language: IT/E
Focus: Italy
Regularity: Ongoing

NORDUnet CERT
Description: NORDUnet CERT performs security incident handling in cooperation with the Nordic national research networks.
URL: http://www.nordu.net/network/cert.html
Language: E
Focus: Nordic Nations
Regularity: Ongoing
Comments: Provides direct contact details for all Nordic countries' national CERTs.

Trusted Introducer
Description: The Trusted Introducer Service forms the trusted backbone of infrastructure services and serves as clearinghouse for all security and incident response teams. It lists well known teams and accredits as well as certifies teams according to their demonstrated and checked level of maturity.
URL: http://www.trusted-introducer.org/
Language: Several
Focus: Primarily European
Regularity: Ongoing
Comments: Provides an accreditation process for CSIRT/CERT teams.
Agencies & Organisations

NOTE FROM RESEARCHER: as above, descriptions are taken directly from the websites; where they were not available in English, a closest translation has been taken using electronic methods.

Columns: Name, Description, URL, Language, Focus, Regularity, Comments.

FBI - Cyber Crime
Description: "We lead the national effort to investigate high-tech crimes, including cyber-based terrorism, espionage, computer intrusions, and major cyber fraud. To stay in front of current and emerging trends, we gather and share information and intelligence with public and private sector partners worldwide."
URL: http://www.fbi.gov/about-us/investigate/cyber
Language: E
Focus: Enforcement/Awareness & Investigation and Prosecution of cyber criminals
Regularity: Ongoing
Comments: US focused; however, works internationally.

The Computer Crime and Intellectual Property Section (CCIPS)
Description: "Responsible for implementing the Department's national strategies in combating computer and intellectual property crimes worldwide. CCIPS prevents, investigates, and prosecutes computer crimes by working with other government agencies, the private sector, academic institutions, and foreign counterparts."
URL: http://www.justice.gov/criminal/cybercrime/
Language: E
Focus: Section attorneys work to improve the domestic and international infrastructure (legal, technological, and operational) to pursue network criminals most effectively.
Regularity: Ongoing
Comments: Focus on protecting IP generated by "US Economic Engines". As such US centric; however, works internationally.

Office of Cybersecurity and Communications (CS&C)
Description: The Office of Cybersecurity and Communications (CS&C), within the National Protection and Programs Directorate, is responsible for enhancing the security, resilience, and reliability of the Nation's cyber and communications infrastructure.
URL: http://www.dhs.gov/office-cybersecurity-and-communications
Language: E
Focus: US
Regularity: Ongoing

OCLCTIC (L'office central de lutte contre la criminalité liée aux technologies de l'information et de la communication)
Description: French Police central office for the fight against information technology and communications crime (cybercrime).
URL: http://www.police-nationale.interieur.gouv.fr/Organisation/Direction-Centrale-de-la-Police-Judiciaire/Lutte-contre-la-criminalite-organisee/Office-central-de-lutte-contre-la-criminalite-liee-aux-technologies-de-l-information-et-de-la-communication
Language: F
Focus: France focused
Regularity: Ongoing

Office of Cyber Security & Information Assurance (OCSIA)
Description: "The Office of Cyber Security & Information Assurance (OCSIA) supports the minister for the Cabinet Office, the Rt Hon Francis Maude MP, and the National Security Council in determining priorities in relation to securing cyberspace. The unit provides strategic direction and coordinates the cyber security programme for the government, enhancing cyber security and information assurance in the UK. It is also responsible for providing a strategic direction on cyber security and information assurance for the UK including e-crime."
URL: https://www.gov.uk/government/groups/office-of-cyber-security-and-information-assurance
Language: E
Focus: UK focus; does work with EU partners
Regularity: Ongoing
MPCCU (Met Police Cyber Crime Unit)
Description: "The MPCCU is jointly funded by the Home Office and Metropolitan Police to provide a national investigative response to the most serious incidents of cyber-crime."
URL: http://content.met.police.uk/Site/mpccu
Language: E
Focus: UK focus with international collaboration/reach
Regularity: Ongoing
Comments: Provides advice and guidance as well as a point of contact for cyber crime.

COE (Council of Europe)
Description: The Council of Europe helps protect societies worldwide from the threat of cybercrime through the Convention on Cybercrime and its Protocol on Xenophobia and Racism, the Cybercrime Convention Committee (T-CY) and the technical cooperation Programme on Cybercrime.
URL: http://www.coe.int/t/dghl/cooperation/economiccrime/cybercrime/
Language: E/F
Focus: International
Regularity: Ongoing

European Network for Cyber Security (ENCS)
Description: "ENCS creates and brings together knowledge and resources to secure European critical infrastructures. ENCS is a cooperative association with dedicated highly specialized resources and uses her network in government, academia and business to provide cyber security solutions dedicated to the needs of owners of critical infrastructures and regulators. Established in July 2012, ENCS is already actively involved in projects supporting the energy transition in Europe and is open for association of new members."
URL: https://www.encs.eu/
Language: E
Focus: Europe
Regularity: Ongoing
Comments: Scope appears to be more limited to smart energy grids and their security.

Nicolaus Copernicus CyberCrime Research Centre
Description: The Cybercrime Research Centre is a unit that conducts complex research and provides training and education on the broader issues of cybercrime. The CRC cooperates with similar units in other states. Nicolaus Copernicus University - co-funded by the Prevention of and Fight against Crime Programme of the European Union.
URL: http://www.cybercrime.umk.pl/
Language: Pol/E
Focus: Polish with European ties
Regularity: Ongoing

Comments on the Council of Europe and Nicolaus Copernicus rows (which comment belongs to which row was lost in extraction): "Research and legislative focus"; "Provides information on related projects".
European Cybercrime Centre (EC3)
Description: Following a feasibility study conducted by Rand Corporation Europe, the European Commission decided to establish a European Cybercrime Centre (EC3) at Europol. The Centre will be the focal point in the EU's fight against cybercrime, contributing to faster reactions in the event of online crimes. It will support Member States and the European Union's institutions in building operational and analytical capacity for investigations and cooperation with international partners.
URL: https://www.europol.europa.eu/ec3
Language: E
Focus: Europe
Regularity: Ongoing

ENISA
Description: The European Union Agency for Network and Information Security, working for the EU Institutions and Member States. ENISA is the EU's response to the cyber security issues of the European Union. As such, it is the 'pace-setter' for Information Security in Europe, and a centre of expertise.
URL: http://www.enisa.europa.eu/media/press-releases/enisa-lists-top-cyber-threats-in-this-year2019s-threat-landscape-report
Language: E
Focus: Europe
Regularity: Ongoing

US Secret Service ECTF
Description: The Secret Service's ECTF and Electronic Crimes Working Group initiatives prioritize investigative cases that involve electronic crimes. These initiatives provide necessary support and resources to field investigations that meet any one of the following criteria: significant economic or community impact; participation of organized criminal groups involving multiple districts or transnational organizations; use of schemes involving new technology.
URL: http://www.secretservice.gov/ectf.shtml
Language: E
Focus: Electronic crimes
Regularity: Ongoing

NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE)
Description: "NATO Cooperative Cyber Defence Centre of Excellence is a NATO-accredited research and training facility dealing with education, consultation, lessons learned, research and development in the field of cyber security."
URL: https://www.ccdcoe.org/
Language: E
Focus: Cyber defence
Regularity: Ongoing
Comments: There is a useful link within the NATO libraries of cybersecurity related information: http://www.natolibguides.info/cybersecurity

ANSSI (Agence nationale de la sécurité des systèmes d'information)
Description: The ANSSI core missions are:
- To detect and react early to cyber attacks, thanks to the creation of a strong operational centre for cyber defence, working round-the-clock and being in charge of the continuous surveillance of sensitive Governmental networks, as well as the implementation of appropriate defence mechanisms;
- To prevent threats by supporting the development of trusted products and services for Governmental entities and economic actors;
- To provide reliable advice and support to Governmental entities and operators of Critical Infrastructure;
- To keep companies and the general public informed about information security threats and the related means of protection through an active communication policy.
URL: http://www.ssi.gouv.fr/en/the-anssi/
Language: F/E
Focus: France
Regularity: Ongoing
Comments: Provides details on policy, best practice guides, certifications and cryptological regulations for France.

The International Cyber Security Protection Alliance (ICSPA)
Description: The ICSPA addresses the critical need for international cooperation between business, government, law enforcement, academia and civil society to combat the inexorable growth in cybercrime. A business-led organisation comprising large national and multi-national companies who recognise the need to provide additional resourcing and support to law enforcement officers around the world, in their fight against cybercrime.
URL: https://www.icspa.org/
Language: E
Focus: UK based with international scope
Regularity: Ongoing
Comments: Project 2020 Initiative.
The National Identity Theft Victims Assistance Network (NITVAN)
Description: The National Identity Theft Victims Assistance Network (NITVAN) seeks to expand and improve the outreach and capacity of victim service programs to better address the rights and needs of victims of identity theft nationwide by building the field's capacity to provide a coordinated response to the problem. With assistance from the National Network, new coalitions have formed across the country.
URL: http://identitytheftnetwork.org/about
Language: E
Focus: US and US State specific
Regularity: Ongoing
Comments: "NITVAN was launched in 2010 with funding from the U.S. Department of Justice, Office of Justice Programs, Office for Victims of Crime, through the Crime Victims Fund. This unique fund is financed by fines and penalties paid by convicted federal offenders, not from tax dollars."

IMPACT Alliance
Description: The International Multilateral Partnership Against Cyber Threats (IMPACT) is a key partner of the International Telecommunication Union (ITU), a United Nations (UN) specialised agency, in the effort to ensure the safety of cyberspace for everyone. Being the first comprehensive public-private partnership against cyber threats, ITU-IMPACT serves as a politically neutral global platform which brings together governments of the world, industry, academia, international organisations, and think tanks to enhance the global community's capabilities in dealing with cyber threats.
URL: http://impact-alliance.org/
Language: E
Focus: International
Regularity: Ongoing
Comments: Wide range of partners made up of industry, academia and government.
e-Crime Congress
Description: The e-Crime and information security Series delivers critical information, examples of best practice and practical case studies that detail how to proactively reduce risk in a changing business and technology environment, defend IT systems or data against emerging threats, identify sophisticated cyber attacks and comply with relevant legal, compliance, or regulatory requirements.
URL: http://www.e-crimecongress.org/
Language: E
Focus: Industry, academia and government
Regularity: Several events per year

APWG eCrime Research
Description: APWG's eCrime Research Summit (eCRS), inaugurated in 2006, established a community of researchers distinguished by their focus on new forms of criminal enterprise mediated through electronic internetworks and software.
URL: http://ecrimeresearch.org/
Language: E
Focus: International
Regularity: Ongoing

PICTFOR
Description: "The Parliamentary Internet, Communications and Technology Forum (PICTFOR) is the leading all party group in the technology sector in the Houses of Parliament. As an Associate All-party Parliamentary Group, operating under official all-party group rules, our membership comprises parliamentarians from both Houses, consumer groups, academic institutions and technology companies. PICTFOR's origins started over 30 years ago as the Parliamentary Information Technology Committee (PITCOM)."
URL: http://www.pictfor.org.uk/
Language: E
Focus: UK
Regularity: Ongoing

National Crime Agency Cyber Crime Unit (NCCU)
Description: The NCCU has brought together specialists from the Police Central e-Crime Unit in the Metropolitan Police Service and SOCA Cyber to create expert technical, tactical intelligence and investigation teams. It has the capability to respond in fast time to rapidly changing threats and collaborates with partners to reduce cyber and cyber-enabled crime by:
URL: http://www.nationalcrimeagency.gov.uk/about-us/what-we-do/national-cyber-crime-unit
Language: E
Focus: UK
Regularity: Ongoing

Comment on one of the four rows above (which row it belongs to was lost in extraction): Several articles related to eCrime.

DP Alliance
Description: To create, identify and support key partnerships to cut online crime and nuisance, reduce risk, increase awareness and confidence in online safety/security and establish UK leadership in Internet policing and governance. This activity has implications for both consumer and business confidence in the online world, as well as delivering a secure consumer/commercial environment which underpins UK competitiveness.
URL: http://dpalliance.org.uk/cyber-security-wg/
Language: E
Focus: UK
Regularity: Ongoing

VERIS COMMUNITY
Description: The Vocabulary for Event Recording and Incident Sharing (VERIS) is a set of metrics designed to provide a common language for describing security incidents in a structured and repeatable manner. VERIS is a response to one of the most critical and persistent challenges in the security industry - a lack of quality information. VERIS targets this problem by helping organizations to collect useful incident-related information and to share that information - anonymously and responsibly - with others. The overall goal is to lay a foundation from which we can constructively and cooperatively learn from our experiences to better measure and manage risk. This site serves as a central hub for all things VERIS. On it, you will find information and resources for leveraging VERIS in your organization as well as interacting with the growing community of users. We hope you'll become part of that community, and help build a set of valuable information that benefits us all.
URL: http://veriscommunity.net
Language: E
Focus: Cyber incidents
Regularity: Ongoing
Comments: It describes incidents in a structured and repeatable manner. Interesting because the data are collected in useful categories to understand the impacts and the sectors involved.

NATO Review Magazine
Description: A chronicle of the most significant cyber attacks from 1988.
URL: http://www.nato.int/docu/review/2013/Cyber/timeline/EN/index.htm
Language: E
Focus: Cyber attacks
Regularity: Ongoing

IBM
Description: A series of papers related to cyber attacks and impacts analysed by IBM. The IBM Global Study on the Economic Impact of IT Risk is the largest independent research study conducted to date to measure the financial and reputational consequences of business or IT disruptions caused by business continuity or IT security failures. The study, a follow-on to the 2013 IBM Reputational Risk and IT Study, was sponsored by IBM and independently conducted by Ponemon Institute® in July 2013.
URL: http://www-935.ibm.com/services/us/gbs/bus/html/risk_study.html
Language: E
Focus: Economic Impact of IT Risk
Regularity: Periodical reports

NORSE
Description: Norse's ability to track and analyze vast amounts of live Web traffic, providing the first truly effective protection from all threat vectors.
URL: http://map.ipviking.com
Language: E
Focus: Attack origins, attack types in real time
Regularity: Daily

Digital Attack Map
Description: Daily DDoS attacks worldwide.
URL: http://www.digitalattackmap.com/#anim=1&color=0&country=ALL&time=16273&view=map
Language: E
Focus: DDoS attacks
Regularity: Daily
Sicherheitstacho
Description: Overview of current cyber attacks (logged by 180 sensors). This portal shows statistics of the early warning system of Deutsche Telekom. The corresponding sensors are operated by Deutsche Telekom and partners.
URL: http://www.sicherheitstacho.eu
Language: E, D, GR, PL, CS, Croatian
Focus: Overall sum of attacks per day; overall sum of attackers per day
Regularity: Daily

Kaspersky cyberthreat real-time map
Description: Daily statistics detected by On-Access Scan, On-Demand Scan, Web Anti-Virus, Mail Anti-Virus, Intrusion Detection System and Vulnerability scan.
URL: http://cybermap.kaspersky.com/#
Language: E
Focus: Attack statistics
Regularity: Daily

Trend Micro Global Botnet Threat Activity Map
Description: "Trend Micro continuously monitors malicious network activities to identify command-and-control (C&C) servers and help increase protection against botnet attacks. The real-time map below indicates the locations of C&C servers and victimized computers they control that have been discovered in the previous six hours."
URL: http://www.trendmicro.com/us/security-intelligence/current-threat-activity/global-botnet-map/index.html
Language: E
Focus: Botnet
Regularity: Real time

UK Financial Fraud Action
Description: Fraud the Facts 2012 is a comprehensive and detailed directory of all facts, statistics and advice to the industry on the latest developments in payment technologies and measures to combat payment fraud.
URL: http://www.financialfraudaction.org.uk/Fraud-the-Facts-2013.asp
Language: E
Focus: Payment industry
Regularity: Annual
Comments: It only focuses on fraud, and only in the UK, and uses both on-line and off-line data.
CIFAS
CIFAS provides the UK's most comprehensive
databases of confirmed fraud data, as well as
an extensive range of fraud prevention
services, using the latest technology to protect
organisations from the effects of fraud
https://www.cifas.org.uk/
Carnegie
Mellon
University
Cyberpedia
EMPACT
They have developed definitions for cyber
crimes for kids
http://www.carnegiecyber E
academy.com/facultyPage
s/cyberCrime.html#databa
se
https://www.europol.euro E
pa.eu/content/publication
/eu-policy-cycle-soctaempact-1775
The European Multidisciplinary Platform
Against Criminal Threats (EMPACT), is a
structured multidisciplinary co-operation
platform of the relevant Member States, EU
Institutions and Agencies, as well as third
countries and organisations (public and
private) to address prioritised threats of
serious international and organised crime.
81
E
For public and
private
organisations
The
National
Fraud
Databas
e is
online
and in
realtime,
availabl
e 24
hours a
day, 7
days a
week.
For children
Unknow
n
Allencompassing
information
sharing
Ongoing
Useful for on-line fraud
related crimes. 300
organisations from the
public and private
sectors share fraud
information through
CIFAS in order to
prevent further fraud.
They include those from
the banking, grant
giving, credit card, asset
finance, retail credit,
mail order and online
retail, insurance, savings,
telecommunications,
factoring, share dealing,
vetting agencies, contact
centre and insurance
sectors. However, the
database is mainly for
UK.
An interesting
classification designed
for children
Part of Europol
Deep Dot
Web
Unofficial entity providing links to darknet
resources; news and comment
www.deepdotweb.com
E
Information for
users of the
darker aspects
of the Internet
Ongoing
blog site
Very informal and critical
of law enforcement and
regulatory efforts.
Potentially useful insight
into trends and attitudes
on the part of users.
Industry of
Anonymity
Industry of Anonymity is the online home for the
work of Jonathan Lusthaus, a writer and scholar
specialising in the study of profit-driven
cybercrime. Conceptual in his approach, Jonathan's
work attempts to make sense of the world of
cybercrime, rather than report on its latest news.
Oddly non-technological, with a background in
sociology, international security and law, Jonathan
focusses on the "human" side of cybercrime: who
inhabits this world and how they are organised.
The posts on this site are designed to make his
work accessible to the broad audience of those
with an interest in this area.
http://industryofanonymit
y.com/about/
E
The human side
of cybercrime
Ongoing
blog site
Sociological perspectives
on the subject.
Internationa
l Association
of Internet
Hotlines
(INHOPE)
INHOPE is an active and collaborative network
of 51 hotlines in 45 countries worldwide,
dealing with illegal content online and
committed to stamping out child sexual abuse
from the Internet.
The Spamhaus Project is an international
nonprofit organization whose mission is to
track the Internet's spam operations and
sources, to provide dependable realtime antispam protection for Internet networks, to
work with Law Enforcement Agencies to
identify and pursue spam and malware gangs
worldwide, and to lobby governments for
effective anti-spam legislation.
http://inhope.org/gns/wh
o-we-are/at-a-glance.aspx
E
Illegal contents
and child sexual
abuse
Ongoing
http://www.spamhaus.org
/
E
Real-time
tracking of the
origin of spam
Ongoing
The
Spamhaus
Project
82
Very useful and widely
referred to.
eCrime Publications & Links

Title: UK Parliament Report on E-Crime
URL: http://www.publications.parliament.uk/pa/cm201314/cmselect/cmhaff/70/70.pdf

Title: ACPO Press Release Regional E-Crime Hubs
URL: http://www.acpo.presscentre.com/Press-Releases/New-regional-police-e-crime-hubs-to-tackle-threat-of-cyber-crime-155.aspx

Title: Karen Bradley (MP) Speech on E-CRIME
URL: https://www.gov.uk/government/speeches/karen-bradley-speech-on-e-crime

Title: ACPO Good Practice and Advice Guide for Managers of e-Crime Investigation
URL: http://www.acpo.police.uk/documents/crime/2011/201103CRIECI14.pdf

Title: Convention on Cybercrime
URL: http://conventions.coe.int/Treaty/Commun/QueVoulezVous.asp?CL=ENG&NT=185

Title: The European Parliament, The Economic, Financial and Social Impacts of Organised Crime in the EU
URL: http://www.europarl.europa.eu/RegData/etudes/etudes/join/2013/493018/IPOL-JOIN_ET(2013)493018_EN.pdf

Title: Cyber Infrastructure Protection
URL: http://www.strategicstudiesinstitute.army.mil/pdffiles/PUB1145.pdf

Title: Russian Underground 101 - Trend Micro analysis of Russian underground
URL: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-russian-underground-101.pdf

Title: Cyber Power - Crime, Conflict and Security in Cyberspace - Prof S. Ghernaouti
URL: http://www.epflpress.org/product/51/9782940222667/Cyber%20Power
8 References

1. Williams L. Catch Me If You Can: A Taxonomically Structured Approach to Cybercrime. Forum on Public Policy; 2008.
2. Howard J, Longstaff T. A common language for computer security incidents [Internet]. Sandia National Laboratories; 1998. Report No.: Technical Report SAND98-8667. Available from: http://www.cert.org/research/taxonomy_988667.pdf
3. Simmons C, Shiva S, Bedi H, Dasgupta D. AVOIDIT: A Cyber Attack Taxonomy. Proceedings of the 9th Annual Symposium on Information Assurance (ASIA ’14). Albany, NY, USA; 2014.
4. Moitra S. Developing Policies for Cybercrime. Eur J Crime Crim Law Crim Justice. 2005;13(3):435–64.
5. Wall DS. Cybercrime. Cambridge: Polity Press; 2007.
6. Brenner SW. Cybercrime, cyberterrorism and cyberwarfare. Rev Int Droit Penal. 77(2006/3):453–71.
7. Kelly J. Cybercrime - High tech crime [Internet]. 2002. Available from: http://www.jisclegal.ac.uk/cybercrime/Archived_cybercrime.htm
8. Sukhai N. Hacking and Cybercrime. Proceedings of the 1st Annual Conference on Information Security Curriculum Development. ACM Press: Kennesaw, Georgia; 2004. p. 128–32.
9. Cybercrime [Internet]. Secretariat of the Parliamentary Joint Committee on the Australian Crime Commission; 2004. Available from: http://www.aph.gov.au/senate/committee/acc_ctte/completed_inquiries/2002-04/cybercrime/report/report.pdf
10. Gordon S, Ford R. On the Definition and Classification of Cybercrime. J Comput Virol. 2006;2(1):13–20.
11. What is Cybercrime? [Internet]. Symantec Corporation; 2007. Available from: http://www.symantec.com/avcenter/cybercrime/index_page2.html
12. Landwehr C, Bull A, McDermott J, Choi W. A taxonomy of computer program security flaws, with examples. ACM Comput Surv. 1994;26(3):211–54.
13. Howard J. An analysis of security incidents on the Internet, 1989-1995 [Internet]. Carnegie Mellon University; 1997. Available from: http://www.cert.org/archive/pdf/JHThesis.pdf
14. Hansman S, Hunt R. A taxonomy of network and computer attacks. Comput Secur. 2005;(21):31–43.
15. Kjaerland M. A classification of computer security incidents based on reported attack data. J Investig Psychol Offender Profiling. 2005;(2):105–20.
16. Kjaerland M. A taxonomy and comparison of computer security incidents from the commercial and government sectors. Comput Secur. 2006;(25):522–38.
17. Meyers C, Powers S, Faissol D. Taxonomies of Cyber Adversaries and Attacks: A Survey of Incidents and Approaches. Lawrence Livermore National Laboratory; 2009 Apr. Report No.: LLNL-TR-419041.
18. Rege-Patwardhan A. Cybercrimes against critical infrastructures: a study of online criminal organization and techniques. Crit Justice Stud Crit J Crime Law Soc. 22(3):261–71.
19. Newman G, Clarke R. Superhighway robbery: Preventing e-commerce crime. Portland, OR: Willan; 2003.
20. Thomas D. An Uncertain World. Br Comput Soc. 2006;48(5):12–3.
21. Kanellis P, et al. Digital Crime and Forensic Science in Cyberspace. London: Idea Group Inc; 2006.
22. Chakrabarti A, Manimaran G. Internet Infrastructure Security: A taxonomy. IEEE Netw. 2002;16(6):13–21.
23. Krone T. High Tech Crime Brief: Hacking motives [Internet]. 2005. Available from: http://www.aic.gov.au/publications/htcb/htcb006.html
24. Ghernaouti S. Cyberpower: Crime, Conflict and Security in Cyberspace. EPFL Press; 2013.
25. Landreth B. Out of the Inner Circle: a Hacker’s Guide to Computer Security. Microsoft Press; 1985.
26. Hollinger R. Computer hackers follow a Guttman-like progression. Sociol Soc Res. 1988;(72):199–200.
27. Chantler N. Profile of a Computer Hacker. Infowar; 1996.
28. Rogers M. A new hacker taxonomy. University of Manitoba; 1999.
29. Rogers M. A social learning theory and moral disengagement analysis of criminal computer behavior: an exploratory study. University of Manitoba; 2001.
30. Rogers M. A two-dimensional circumplex approach to the development of a hacker taxonomy. Digit Investig. 2006;(3):97–102.
31. Kshetri N. The Simple Economics of Cybercrimes. IEEE Secur Priv. 2006;4(1):33–9.
32. Anderson R, Barton C, Böhme R, Clayton R, van Eeten M, Levi M, et al. Measuring the Cost of Cybercrime. Proc (online) WEIS 2012 [Internet]. Berlin, Germany; 2012. Available from: http://weis2012.econinfosec.org/papers/Anderson_WEIS2012.pdf
33. Detica and Office of Cyber Security and Information Assurance. The cost of cyber crime [Internet]. 2011 Feb. Available from: http://www.cabinetoffice.gov.uk/resource-library/cost-of-cyber-crime
34. European Commission. Towards a general policy on the fight against cyber crime. Report No.: COM(2007) 267 final.
35. Karsberg C, Skouloudi C, Dekker M. Annual Incident Reports 2013. ENISA; 2014 Sep.
36. Fafinski S, Dutton W, Margetts H. Mapping and Measuring Cybercrime. Oxford Internet Institute, University of Oxford; 2010.
37. Personal Internet Security. London: House of Lords Science and Technology Committee; Report No.: 5th Report of Session 2006-2007, Volume 1.
38. Easterbrook F. Cyberspace and the law of the horse. University of Chicago Legal Forum. 1996;(207).
39. Lessig L. The law of the horse: what cyberlaw might teach. 113 Harv Law Rev. 1999;501.
40. Cyber Crime [Internet]. Foreign Affairs and International Trade Canada; 2004. Available from: http://www.dfait-maeci.gc.ca/internationalcrime/cybercrime-en.asp
41. Furnell S. The Problem of Categorising Cybercrime and Cybercriminals. 2nd Australian Information Warfare and Security Conference. Perth, Australia; 2001. p. 29–36.
42. Koenig D. Investigation of Cybercrime and Technology-related Crime. 2002.
43. Australian High Tech Crime Centre (AHTCC). Fighting the Invisible. Platypus Mag J Aust Fed Police. 2003;80:4–6.
44. Lewis B. Preventing of Computer Crime Amidst International Anarchy [Internet]. 2004. Available from: http://goliath.ecnext.com/coms2/summary_0199-3456285_ITM
45. Wilson C. Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and policy issues for congress. 2008.
46. Urbas G, Choo K-K. Resources Materials on Technology-enabled Crime [Internet]. 2008. Available from: http://www.aic.gov.au/publications/tbp/tbp028/tbp028.pdf
47. Alkaabi A, Mohay G, McCullagh A, Chantler A. Dealing with the problem of cybercrime. Conference Proceedings of 2nd International ICST Conference on Digital Forensics & Cyber Crime. Abu Dhabi; 2010.
48. Goodman M. Why the Police Don’t Care about Computer Crime. Harv J Law Technol. 1997;10(3):465–94.
49. Council of Europe Convention on Cybercrime. 2001.
50. International Review of Criminal Policy – United Nations manual on the prevention and control of computer-related crime. United Nations; 1999.
51. Europol. Focal Points [Internet]. [cited 2014 Nov 17]. Available from: https://www.europol.europa.eu/ec3/focal-points
52. EC3. The Internet Organised Crime Threats Assessment [Internet]. European Police Office; 2014 [cited 2014 Nov 17]. Available from: https://www.europol.europa.eu/sites/default/files/publications/europol_iocta_web.pdf
53. Interpol. Cybercrime [Internet]. [cited 2014 Nov 17]. Available from: http://www.interpol.int/Crime-areas/Cybercrime/Cybercrime
54. National Crime Agency. Cyber crime [Internet]. [cited 2014 Nov 17]. Available from: http://www.nationalcrimeagency.gov.uk/crime-threats/cyber-crime
55. Bundeskriminalamt. Internet Crime [Internet]. [cited 2014 Nov 17]. Available from: http://www.bka.de/nn_194550/EN/SubjectsAZ/InternetCrime/internetCrime__node.html?__nnn=true
56. CYCO. The CYCO [Internet]. [cited 2014 Nov 17]. Available from: http://www.cybercrime.admin.ch/kobik/en/home/ueberuns/kobik.html
57. 2013 Internet Crime Report. Internet Crime Complaint Center; 2014.
58. Computer crime [Internet]. The UK Parliament Office of Science and Technology; 2006. Available from: http://www.parliament.uk/documents/upload/postpn271.pdf
59. Federal Emergency Management Agency. Interim Toolkit Kit [Internet]. 2002. Available from: https://www.hsdl.org/?view&did=447042
60. Coleman K. Cyber Terrorism. 2003; Available from: http://www.directionsmag.com/article.php?article_id=432&trv=1
61. Coleman R, McCahill M. Surveillance and Crime. London: SAGE Publications Ltd; 2011.
62. Sood A, Bansal R, Enbody R. Cybercrime: Dissecting the State of Underground Enterprise. IEEE Internet Comput. 2013 Feb.
63. Khan NK. Taxonomy of Cyber Crimes and Legislation in Saudi Arabia. Int J Adv Res Comput Eng Technol. 2012 Oct;1(8).