Prepare Now to Survive Perfect ‘Cyber Crime’ Storm Ahead
It has been one year since hackers infiltrated multiple Sony Corp. websites, compromising millions of customer records containing private, personal information. Meanwhile, online attacks by groups like Anonymous, an organization of international Internet activists characterized by their use of a Guy Fawkes-styled mask and popularized by the recent Occupy Movement, are on the rise.
And even more horrific cyber-crimes are ahead for 2012 and beyond, predicts cyber security expert Robert Beggs, CEO of Burlington, Ont.-based Digital Defence and speaker at the upcoming World Conference on Disaster Management (WCDM), to be held at the Metro Toronto Convention Centre, June 25-27.
“The easiest way to think of me is that I break into computers,” Beggs tells us.
He’s the bad guy you hire, the ethical hacker, who will assess a company’s network security by trying to break the physical security, stealing paper, computers, picking locks, etc. More importantly, he also tries to steal your data electronically through your own network.
“About 70 per cent of our work is devoted to compromising and then telling you how to fix your network,” he says. “Because of this we have a particular expertise in helping you respond when someone else attacks; we know what to look for and how to stop the damage.”
From there, Beggs says a lot of data forensics becomes involved and that can include anything from reviewing a hard-drive to see if there is child pornography or other illegal activity requiring police intervention such as fraud. Other matters could include such things as employee abuse and human resources issues.
Crimes are Intensifying
“If you thought last year was bad, we’re already seeing signs that this year will be worse,” says Beggs, who addresses the WCDM audience on Monday, June 25, at 1:30 p.m. “We’re now approaching the perfect storm in cyber-crime, not only because it’s easier than ever to engage in cyber wrongdoing, but also because we’re just now realizing how inadequately equipped our legal systems and governments are to deal with this.”
The growing cyber threat is complicated by the fact that ‘weapons’ to conduct cyber-crimes are more widely available than ever, says Beggs, pointing to on-line video instructions that explain how to hack into computer systems. That means the players have changed, he explains. Whereas there used to be an organized criminal element behind most cyber threats, now even a disgruntled employee can access the tools and techniques to steal passwords or disrupt corporate systems.
At the same time, law enforcement agencies and governments are having difficulty keeping up, he says, primarily because the regulations and legal guidance currently in place are inadequate to deal with the breadth and depth of cyber-crime, which now reaches across countries. Beggs compares the current situation to the days of the Wild West when crime emerged before law enforcement was in place. Similarly, cyber-crime is occurring on a new global frontier and countries have limited resources to fight it.
“There are more attacks coming and the worst part is that it’s easier for the hackers than it is for the defenders,” points out Beggs. “It’s time to put up a defence but a lot of people are struggling with where to start.”
At the crux of the problem is the fact that people are failing to recognize information as the new currency of the information age. Just as we take steps to protect our money beyond the bank vaults, we need to focus on protecting our data beyond secure networks and devices, he advises. “People are concerned about the large databases and corporate handling of data and yet they let their own personal information wander about freely,” he says. “The more that everyone is controlling this new currency of data, the more we’ll be able to minimize its loss and misuse.”
Preparation is the Key
One of the most effective ways to deal with cyber threats is to prepare for them. That means putting the same amount of time and effort into protecting your information as you would into protecting a building, business or other asset. At WCDM, Beggs refers to some of the strategies currently under way to help governments, corporations and the general population limit access to this new on-line currency called information.
“When you prepare for a storm, you get insurance, you put money aside for repairs to recuperate, you plan in advance,” notes Beggs. “But very few people are planning for how to deal with this looming cyber storm. Putting a concerted, organized legal effort in place to combat cyber threat and taking steps to secure information has to be part of the planning stage.”
With the Internet having grown to the size it is today, and continuing to expand with each passing day, there has been an increased awareness of the need for security measures. Business owners now realize there is a very real possibility that their networks could be victimized by a cyber attack and often now take the initiative to reach out for help.
“It used to be that we approached and it was very much an education type sale,” Beggs continues. “But what we’re finding out now is that we’re at the stage where 40 per cent of the time when we go in to test security we find evidence the hacker has already been there.”
This type of information is making its way out to the business community and we’re starting to see such things as Anonymous stating that they are the world’s most potent political force right now. People are giving them access to databases because people are looking to properly take care of due diligence.
“Even if you hack me at least I can go to my clients and say you are prepared; I’m not going to be held extra liable.”
Despite the ever-increasing sophistication of the Internet and the ways and means for cyber-crimes to happen, Beggs says most corporate clients are still shocked when they are given the news that they have been victimized by a hacker.
“They are often shocked because they say ‘who’s going to compromise me? I’m just a two-person consulting firm’,” Beggs says. But when you understand the value of the data and where people are being concerned, then it becomes a whole new ballgame.
Extortion and Blackmail
“For example, take a hospital; hospitals right now are very visibly concerned with employees looking at personal records, you know, visiting dignitaries – it’s a well-known problem,” Beggs asserts. “Do you think your personal medical record would be at risk of someone stealing it when you’ve got Arnold Schwarzenegger’s? You probably don’t think much about whether you’ve got a hurt knee and getting treatment. We are seeing two emerging crimes:
Extortion. Step down from this job or I’ll let the boss know that you’re under treatment for psychiatric care. The other thing that we are seeing is people are stealing thousands of these medical records, then they turn them over to resellers of pharmaceutical products and people are becoming targeted to buy a certain specific medication.”
What comes as a surprise to many folks uninitiated to the Internet is the number of higher learning students who often use network computers for their own illegal means. Often it could be pirated video or music files, illegal software or documents relating to education. It’s known as the “inside threat” – using corporate assets for their own nefarious schemes.
“We’ve actually had cases – law offices – that didn’t properly secure their phone system and the next thing you know they get a $300,000 bill for misuse of phone assets,” Beggs reveals. This is old school. It’s 1980s, 1990s-type hacking, pre-Internet days and yet it’s still happening.
The incident rates and the damage done by these cyber-crimes are being monitored closely, but it’s often hard to get an accurate assessment as to whether it’s getting better or worse.
“It varies study by study,” Beggs tells us. “On a realistic, foot on the ground viewpoint you are seeing two things happening: first of all is a change from ‘I’m just going to hack the Internet’ to ‘I’m going to hack a particular company’. And the problem with this is when you set out with a targeted company you know how it works and you know how to hide the attack. So we are seeing an increase in targeted attacks and they do more damage and are harder to detect.”
Obviously the number of general attacks has increased with the continued growth of the Internet and the number of people and computers hooked up to it.
More people take security measures, but the general level of vulnerability has remained relatively level.
Financial companies and businesses that handle data for those companies are prone to targeted attacks. Now there are increased incidents of targeted cyber attacks meshed with real-life attacks.
“We have one client that is a logistics firm and it was compromised by a very specific automated attack that went for its billing system,” Beggs reveals. “It automatically inserted numbers into the approved purchases system and that allowed people in the United States to go into offices and use these numbers to withdraw money – and it all happened in under 24 hours.”
A newer and more cutthroat form of cyber-crime is competitor versus competitor. As Beggs told us, a construction firm was consistently being underbid by another industry firm.
“Upon investigation, what we found out – they were losing bids, $80,000 on an underbid of $100 to $200. Their competitor placed a keylogger on an Admin’s computer. The Admin had access to bid documents that were being prepared and the competitor was able to see the documents in preparation and underbid.”
Hacking is becoming a legitimate criminal field in the sense that you can now hire a hacker to assist you in compromising someone else’s data. Hacking has been made that much easier with do-it-yourself videos on how to become a hacker. There has always been the battle cry that the Internet could and should be able to regulate itself, without outside government interference. But because of the ease with which so much illegal information can be obtained, we asked Beggs whether he believes the time has come for increased government regulation.
“In a sense, we’re paralleling the exploration of The Wild West,” Beggs opines. “People moved out to the west in the 1800s before government infrastructure made its way out. We are at a stage now where we are not supporting just law enforcement; we’re not supporting the legal system and creating the laws that we need. For example, a Bill that allows surveillance of what a fraudster or what a person committing harassment is doing – that’s been put aside.”
The bottom line is that Beggs believes law enforcement has to work within the parameters of the structure they have and they are not adequately getting the financial and training support they need. But given this is a global problem, cross-national legislative cooperation is going to have to increase tenfold.
Otherwise, there is always the option of offshore servers and/or countries that don’t conform to international regulations. There is the European agreement on cyber-crime, of which Canada is a member, in an effort to lower the barriers set up against law enforcement.
Another aspect that needs to be addressed is the necessity for better education for users on the Internet. Too often a hacker’s job is made far too easy due to a user’s lack of knowledge and a willingness to give out far too much personal information about themselves. While this wouldn’t help cut targeted crimes, it certainly would lower the rate of opportunistic crimes by a significant margin. Changing passwords every so often and making sure all system patches have been installed can also go a long way in securing a system.
Keep in mind that hacking and cyber-stalking can be brought on by something that outwardly appears to be very innocent.
“For example, if I gave someone a free computer and said ‘I need you to test this out because it’s got a special application for your industry’ you would probably plug it on to your network and you’d log on to check your email, type in your username and password – and it would send it to me.”
The cost of a new computer is $300 – and for that, your network could be compromised; a very simple but effective method. The biggest concern is that people and businesses often don’t prepare for an attack until after it’s already happened.
“I tell all my clients, ‘you’re going to get hacked one day,’” Beggs notes. “No matter what we do, you’re going to get hacked. At the very least, proper preparation is minimizing your liability.”
Keeping your network safe can be costly. You have to spend the money up front to prepare and identify the attack. Then you have to spend the money to respond, and responding to an attack can cost somewhere between $50,000 and $200,000 on average in Canada, according to Beggs’ experience. And then there’s the cost of prosecution, which often never takes place, even if the guilty party is identified.
“I have cases where I know exactly who did it and the cost for the company to proceed legally is so prohibitive that they just stop and accept the loss.”
To put this into perspective, we’ll leave you with this thought: The United Nations has announced the amount of money lost to organized cyber-crime on the Internet exceeds the amount of money that is spent on illegal drugs globally.
For more information on The World Conference on Disaster Management or to register for the event, visit www.wcdm.org.