How to Address Online Crimes
Over the years, the rapid development in technology and web applications has also opened doors to criminals to commit online theft and fraud. With cases that mainly involve the violation of information databases and illegal data use, cyber crime has definitely grown in recent months.
The Ludicrous Cyber Crime Industry
Now considered as organized crime, with its main characteristic of making criminals a hefty profit, cyber crime has reached into victims’ personal files and made money off credit card fraud. There has been an existing market where the price of payment card data has been as low as $.01 per payment card record. Therefore there have been more profitable targets for criminals as they begin to market classified PIN information. With PIN data, criminals can withdraw cash directly from a customer’s savings, checking, or other account. This causes a headache for many consumers who have to prove that certain transactions are fraudulent to their companies and banks.
With the rise in such profit-making schemes for online thieves, it makes the recovery of thousands of dollars in assets much harder to retrieve than charging standard credit-fraud fees. However, there is a silver lining to the cloud as online law enforcement was able to make at least 16 arrests for online fraud in 2008 and looks forward to more arrests in 2009.
It is now in the hands of major companies and businesses to handle such situations with caution and care. It has been proven that many of these companies could cut losses if they only strictly follow their own guidelines and policies. It has been seen that the three biggest yielding strikes (namely SQL Injection, Unauthorized Access via shared Credentials, and Misconfigured ACLs) could have been prevented by means of efforts in remediation, yet do not exist in every business’s policy.
These self-same weaknesses were also evident when put through simple scanning processes. It has been noted that gaps in standard scanning and monitoring techniques have been attributed to complicated business demands which further compromise the technology they use. If the three highest yielding strikes were eradicated, there is a possibility that of the 285 million records compromised in 2008, 90 percent could have been prevented.
Who and where are these Cyber Criminals?
Most of these internet offenders come from Eastern Europe, East Asia, and North America. Depending on what region they are from, one can also classify which crimes are most committed by them. For instance, in North America, organized crime has reached its heights in terms of fraud spending. On the other hand, in East Asia, cyber lawbreakers have taken a strong interest in botnets and implement scripted and point attacks to target any kind of information that comes their way. And in Eastern Europe, there is concentration in seeking out consumer information such as PIN codes, payment card records, and other confidential identity information which is used for theft and identity fraud.
Because of these crimes crossing over extensive regions of different jurisdictions, targeting and catching the criminals has been a major challenge for law enforcers. Because of this, there have been collaborative efforts by authorities from different countries to catch offenders and make it almost impossible for them to remain undetected. Due to differing laws in different countries, as well as distinctive treaties of extradition, it makes law enforcement all the more complicated. With the collaborative efforts of various countries, there is a better chance of catching offenders.
One major breakthrough made by Verizon Business is to utilize intelligence data from its network. Because of Verizon’s extensive reach, which covers up to one million kilometers, the traffic on the network will eventually be handled by the web backbone. Recent studies on hacker modus operandi have revealed that most hackers veil themselves in compromised systems that are unrelated to the obvious systems being hacked. This way, they are able to conceal their IP addresses. However, with the recent Verizon breakthrough, the netflow information in the Verizon Business network has allowed for the quick identification of IP addresses communicating with staging points (or compromised systems) to locate the online offenders.
Because of Verizon’s initiatives in aiding law enforcement, law enforcers are now able to identify IP addresses of culprits, the service provider they are using, the physical address of the culprit (within 150 meters via a geo-location database system), and even an aerial photograph of the building where the attacker is doing his illegal activity from, courtesy of Google Earth. With the collaboration of law enforcement agencies and private businesses, like Verizon, the war against web criminals has more achievable results.
Results and Trends in Cyber Crime Activity
Over the last year, there have been no startling new events in cyber crime. However, there has been the observation of a significant change in modes of attacks that have improved in sophistication and intricacy. For instance, there have been more customized and tailored malware strikes which are difficult for anti-virus software to detect. Up to 60 percent are not detected by anti-virus software since they are modified, repackaged and custom-coded to attack specific systems. Some instances of these repackaged malware are tailored network sniffers, RAM scrappers, and space scrappers that are not allocated.
There have also been more instances of hackers hacking systems within their own territorial jurisdictions. In the past, many hackers traversed international borders to do their hacking jobs which made capture and prosecution very difficult. Nowadays, they are doing it from their own backyard which has made the increase in the number of arrests and prosecutions possible. Even organized crime has followed a trend of hacking into companies in their own areas of jurisdiction, and using other countries as staging points to their attacks to avoid detection, as well as prosecution.
The bad news is that information breaches have gone up in size, 75 percent more than previous years. Compare the 285 million confidential records compromised in 2008 to the previous 4 years before that (combined) with 235 million records. As crime increases the more organized it becomes, and of the 285 million compromised data in 2008, at least 90 percent of it can be attributed to organized crime.
With the type of information compromise being accomplished and with 75 percent of all violations reported by third parties, there is reason to believe that all data violations that are reported and seen are just a small portion of what is actually out there. Since payment cards are the most frequently attacked record, there is a system by which one can detect where the breach to the payment card data was made, considering there is only one source of information for that. So obviously, the breached location would be in the single place where your personal information for payment is kept. However, for other kinds of records, this kind of information to lead you to one source is virtually non-existent. For instance, if a person’s private information is compromised, we cannot exactly pinpoint where the breach occurred and which location that particular information was stored. And in terms of spam, we never know where in the world they got that information, such as our email addresses among others.
Asia Pacific Cyber Crime vs. US and Europe
It is remarkable that depending on what region one might be in, there is a cyber crime ‘influence’ in terms of what methodologies and operations are used. These modus operandi differ from country to country. In Asia Pacific, they have a taste for using botnets, staging point attacks, and scripted attacks. However, in place like the US and Europe, they have a preference for fraud spending, identity theft, PIN data theft, and stealing personal information of consumers.
For the Asia Pacific, the attacks using botnets and script are not as complicated as those done in Europe, but there seems to be a high incidence in compromised records using the Asia Pacific hackers’ weapon of choice. It happens a lot in countries within close proximity to these regions. For instance, Australia has received a big share of its attacks from hackers in Japan, probably because of the excellent connectivity between the two nations. There has also been a rise in compromised data from employees, in Asia Pacific, who after being terminated from employment, get back at the company by stealing company information.
The Emergence of PCI-DSS
PCI-DSS or Payment Card Industry Data Security Standards is a collection of guidelines, regulations, and rules developed to allow merchants to practice stable security precautions in terms of safe credit and debit card use, as well as secure customer information storage. This was developed in response to the necessity for a setting where businesses and consumers could confidently engage in electronic transactions or e-commerce.
With the development of PCI-DSS, studies reveal that approximately 81 percent of companies that are now PCI-DSS compliant were actually not complying with the standard rules before a breach compromised their records. Monitoring teams found that if companies had assessments, they were found to be non-compliant or sometimes, the assessment was never done to begin with.
It is important to note that two requirements in PCI-DSS garnered the most interesting reports. For Requirement 3 in PCI-DSS it entails that stored data is protected with at least 11 percent compliance; and Requirement 10 requires that tracking and monitoring of all accessibility to the network resources and cardholder data should have at least 5 percent compliance. Considering that these two requirements are the foundations of the PCI-DSS program, it is surprising to see how low the passing compliance percentages can be to pass the regulations inspection.
It was noted that in Requirement 5 there is a need to utilize and update regularly the anti-virus of the computer systems at 62 percent compliance. Of all the companies monitored, up to 38 percent did not have anti-virus software installed, or functioning suitably, for the kind of information it was handling. This is probably why the computer storage systems were compromised.
The Next Steps of the IT Industry
Upon highlighting these issues that companies often undergo, what are the IT industry’s next steps in addressing the problem? First, it must be recognized that companies themselves are not even compliant with their own IT policies. If companies were compliant, then these data breaches and violations would never happen in the first place. The three major causes of information breaches (Unauthorized Access via Shared Credentials, Misconfigured ACLs and SQL injection) can easily be prevented with correct coding, proper configuration and habitual testing and monitoring.
Another thing companies should be careful with is when they decide to execute a needed security function which is necessary or not. For instance, if a company monitors its anti-virus scans and checks the events and log analyses, only 6 percent of data violations can be detected. The logs always record the events but companies do not seem to detect them anyhow. This may be because the monitoring of events and log analysis is a task requiring experts to install and oversee. Not all organizations have the capability to do the monitoring and should look to third party providers to do it for them.
Finally, a lot of companies have not moved forward from the 1990’s mindset of the computer network borders. Traditional network perimeters are no longer useful in today’s technological environment. What companies should do is make information security a priority and recognize which data is most critical to them. Of the past studies done, this has been a weakness in most organizations which resulted in 67 percent of 285 million compromised data to be pilfered, and worse, without the organization’s knowledge of the event. With this incredible statistic, it is clear that many companies have still not moved on from their 1990’s technological mindset.
The Enemy From Within
Probably the biggest threat and enemy in companies today are the disgruntled employees and partners that lash out at the company after their termination. Because of this, a large number of cases have been about incompetent or unhappy workers who have increasingly become the cause of data breaches in company computer networks. It is expected that these numbers may increase in the following months to follow in 2009.
Due to the world economic crisis, retrenching and layoffs have been inevitable for many organizations. Much to their management’s chagrin, the long-term employees who are familiar with sensitive information and computer system processes have attacked their own employers before leaving the company. This can be seen in the rise of insider end-user occurrences in 2008, which are expected to further increase in 2009. Because of untimely terminations, companies have suffered from employees who have stolen information from the company between the moment that they are given notice of termination until the time that they actually leave.
Breaches Caused By a Combination of Events
Rather than coming from a single source, many information violations are caused by a build-up of mistakes and oversight by the companies themselves. Since many companies cannot detect breaches straight away, cyber criminals are able to plant malware in computer network systems to complete information theft. The best strategy for companies would be to start breach defense from the deepest parts of the system and find gaps before they are discovered by internet violators.
Different levels of security must be implemented to detect the smallest breach and nip the problem in the bud. When a breach is not noticed, this could compromise the entire computer network and thus create a breeding ground of malware and theft. It is better for organizations to fix their systems as early as now to find the weaknesses and address them before the problem builds up to cause a disastrous mess for managers, regulatory bodies, and law enforcers alike.
Biggest Issues to Resolve
Because almost 99 percent of all information is breached through applications and servers, there is a need to shift security paradigms to counter this. Most organizations today still lack the ability and capacity to manage their information systems properly throughout their existence. Due to this, 67 percent of data that is compromised is done in locations of their computer systems and networks that the organizations themselves were not even aware existed. This finally develops into a general system failure in the lifecycle of information management for the organization.
Adaptation to Breaches Detected by Third Parties
Based on the information that 69 percent of breach cases were discovered by third parties, there is a need for organizations to change strategies in security to reduce the incidents. Since only 6 percent of breached data can be monitored by an actual anti-virus events log, it is vital that companies take action, especially if the breach takes months to be finally detected.
The critical months that it takes for breach discovery are the number of months of data that has been seeping out of the company system and into the hands of a cyber criminal. Many of these incidents can easily be detected by scrutinizing log records, which is a task that companies take little heed of.
If companies take the time and effort to read through their logs, many of these breaches can be prevented and future breaches can be blocked. It is a good investment for organizations to consider hiring specialists who can read through company events and log records, since such a task is not a normal duty performed by just any employee.
Final Messages to Consider Regarding Information Security
If organizations today focus on the needed information security that is required to keep confidential information safe, then security breaches will gradually become a thing of the past. It must be reiterated that many security breaches are caused by organizations overlooking basic policies in monitoring and implementing information security measures.
The message to companies is to identify what is critical data, protect it with proper measures, and do regular monitoring of systems to prevent compromises. It is better to shell out capital to protect your data now before you regret the huge amounts of money you may lose if someone steals your information. Do not think of end-of-the-pipe solutions by trying to clean-up before a regulated audit. Protect your data now with prudent management, regular screening, and meticulous observation.