The Green Sheet Online Edition
April 24, 2017 • Issue 17:04:02
The sobering state of cybercrime today
The Information Security Media Group is the world's largest media organization devoted solely to information security and risk management. This year, they will host 12 security summits throughout the world for senior information security (infosec) and fraud professionals.
On March 28 and 29, 2017, ISMG held a two-day fraud and breach seminar in San Francisco. It covered the following topics (and more): fraud prevention, compliance, breach prevention and response, identity and access management, anti-phishing, ransomware, payments security, and risk management. Individual sessions covered topics such as:
- Artificial intelligence (AI) and the self-defending network
- Privileged access management and secure code
- New boundaries for perimeter security
- Insider threat detection
- How to work with law enforcement and regulators after a breach
- The emerging threat landscape
- Breakthroughs in account security
- Distributed denial of service, cyber extortion, and business email compromise
- Security tools, for example, endpoint security, border controls, data loss prevention, sandboxes, log tools, threat intelligence, and behavioral analytics
Cybercrime is an aspect of transnational crime
The growth of cybercrime-as-a-business and distributed crimeware is truly astonishing, particularly the onward expansion of the attack space. To quote the retired RSA Chair, Art Coviello, "It's broad, what's going on in terms of the scope and nature of nation-state attacks. … With the larger countries, we're probably already at a state of mutually assured destruction. You take out my power grid; I take out your dam. We do have the issue of attribution and the difficulty in attributing a specific attack."
Further, as writer Greg Masters put it, "There are a lot of skilled engineers in Russia, easily tempted by the possibility of anonymously attacking for easy monetary gains. Not to mention cyber forces within the Russian and Chinese militaries intent on interfering with elections or purloining industrial blueprints or intellectual property."
Cybercrime is just a part of the overall business of transnational crime. The March 2017 report from Global Financial Integrity found that globally, the business of transnational crime is valued at an average of $1.6 trillion to $2.2 trillion annually (it's difficult to be more precise because we are talking about criminal behavior here). There are high profits and low risks for criminals, and there is the support of a global shadow financial system to perpetuate and drive these abuses.
With cybercrime-as-a-service, crime has been commercialized along the lines of other successful consumer businesses, and there is an industry of distributed crimeware with open source software, marketing specialization and "professional values" of customer service. You pay with bitcoin, of course.
Fraudsters' barrier to entry is lower
If you weren't frightened at the end of the day by the extent of cybercrime, you just weren't paying attention. I found it sobering, and I work in the payments industry and should have known about this already. But it turns out I am not alone in my lack of awareness. A recent study by the University of Alabama at Birmingham put things in perspective.
- 87 percent of business owners regularly upload work files to a personal email or cloud account.
- 51 percent of senior managers have taken job files with them after leaving a job.
- 15 percent of employees believe that they have zero to minimal responsibility to protect data stored on their personal devices.
- An unknown number of employees connect their personal mobile devices to organizations' networks, use generic USB drives not encrypted or safeguarded by other means, or unnecessarily carry sensitive information on a laptop when traveling.
Along these lines, a recent Forrester Research survey found that 80 percent of breaches involve compromised privileged accounts, and an unknown number are attributable to insider abuse. Composed of companies processing payments for third parties, The Green Sheet subscriber base is an ideal target for cyber-criminals, perhaps the ideal target.
Payment companies have employees and merchants accessing networks via smartphones and laptops. BYOD, remote working, and POS devices accessing the Internet and internal networks are commonplace. These all need to be managed.
As networks and enterprises grow in size and complexity, it becomes harder to identify threats and catch attackers. The barrier to entry for hackers has been lowered, too. Today, a criminal can buy and download ready-to-deploy exploit kits and malware on the Internet. And aside from these outside threats, there are threats from within an organization: employees, contractors, supply chain users or customers.
It's a long game
Darktrace, a presenter at the ISMG conference, put it this way: "For businesses, it is no longer realistic to expect that every threat or potential intruder can be kept out. Networks are becoming larger, more complex, spanning different geographies, and accessible to a wider variety of dispersed people. It is almost impossible to keep up.
"The new generation of cyber-threats is not necessarily targeting data alone. Today's most pernicious threats are playing a long game, and look to disrupt or undermine the very integrity of data. For example, a healthcare company relies on the integrity of patient data. A bank must be able to trust the core processor's data regarding their customer's bank balances. But what if the information, or part of it, is not just taken, but changed?
"The new wave of attackers may lie low inside a network for weeks or months before taking definitive actions. … Today, slow running and sophisticated attackers are targeting all manner of companies and industries."
The good news is that there are about 4.5 million IT professionals who have background and experience as security risk professionals. The bad news is that about 1 million IT risk management jobs are vacant right now because we lack this number of trained professionals.
One of the most compelling statistics in the ISMG presentations was that when there was fraudulent insider activity, the perpetrator had worked at the organization for at least five years with no apparent issues, and it took 32 months from the start of the fraud for it to be detected.
Any company in the payments business, of whatever size, would be well advised to pay attention here. You can learn more about the ISMG at www.databreachtoday.com/memberships. I also recommend that you check out the daily Krebs on Security blog at www.krebsonsecurity.com and the Software Engineering Institute at Carnegie Mellon University's website, www.CERT.org.
Perhaps the most depressing takeaway for me was the presentation by the FBI and Los Angeles District Attorney, which emphasized that after reporting a breach to the authorities, your journey has just begun.
If you do not have a plan in place, an attorney to manage the post-breach environment, committed management and prompt follow-through, you can be sued by the regulators for negligence, even though the breach was not your fault. As one speaker put it, there is "compliance fog" and a "regulation gap," with multiple jurisdictions, multiple enforcement authorities (SEC, FCC, CFPB, FTC), and very little case law on this subject.
The ISMG focuses on info-risk, data breach, banks, governments, healthcare, and careers in IT security. I cannot emphasize strongly enough how important it is to be aware of the threats to your organization from cybercrime and to take action, which includes getting senior management involved.
To learn more, contact Mark D'Agostino at ISMG (609-356-1499, ext. 26). Just imagine if your customer database and transaction record files were hacked and the data (dates, dollar amounts, authorization numbers, etc.) was permanently changed. What if you had no way to determine what the real numbers were? How would your company stay in business?
There are two kinds of attacks. Trust attacks undermine the integrity of the data; they manipulate data rather than exfiltrate it, and they are a threat to your reputation and stability. Then there are attacks using AI (polymorphic malware). These attacks are an arms race, with algorithms fighting algorithms.
I am glad I was able to attend this conference. It opened my eyes to the world of cybercrime as a service. All professionals in the payment space, whether working in IT directly or not, should be paying attention.
Brandes Elitch, Director of Partner Acquisition for CrossCheck Inc., has been a cash management practitioner for several Fortune 500 companies, sold cash management services for major banks and served as a consultant to bankcard acquirers. A Certified Cash Manager and Accredited ACH Professional, Brandes has a Master's in Business Administration from New York University and a Juris Doctor from Santa Clara University. He can be reached at firstname.lastname@example.org.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.