The global cyber theft economy has reached $150 billion and is increasing. Companies and individuals need to be extra vigilant!
By Deborah Tarrant
Malicious Intent
There's a chance that in the infinite realm of cyberspace, your identity was bought and sold today for the discount price of a mere 40 cents, or $1.00 at maximum. Yes, as you logged on to a transactional website, added to a wiki, or perhaps updated your details on a social networking site, your activities may have been monitored.
They know where you live, perhaps your tax details, your children's names, even your mother's maiden name, and they know your preferences. In a year or two you may be appalled when you receive a credit card statement or details of a mortgage that you never applied for, but somehow your name is on the document and for all intents and purposes you're in more debt than you ever imagined.
Maybe someone from an 'outsourced' IT service contacted you, and with a few quick questions helped you to change your company login and password, or worse, they contacted the HR department to change your payroll details. Your salary went to an unknown account somewhere in the vast reaches of the internet.
These hypothetical examples may seem frightening and alarmist, but they are real and represent the modus operandi of an increasingly enthusiastic, greedy and organised cyber underworld.
International experts are in agreement. 'The online underground economy is booming,' reports Craig Scroggy, managing director of the Pacific region for Symantec, a company which has built its business around keeping tabs on the insidious world of cyber-crime. The last estimate of the global underground economy put it just shy of $150 billion and rising, while Australian Federal Police believe it's costing the Australian economy $1 to $4 billion annually.
Scroggy and others of his ilk can reel off terrifying statistics. 'In 2007, we found 40,000 bot-infected computers in Australia,' he says. In a bot network, an attacker deposits a piece of software and remotely controls your computer like a robot.
Incidences and new forms of cyber-crime are manifesting daily. Once we read tales of smart student hackers who managed to crack big corporate networks to peruse sensitive information, steal secrets or personal details. Now, as internet use has grown exponentially in the community and in its capabilities over the past decade, so has cyber-crime.
Now it's the focus of organised criminals. Reports from the US claim that the Mafia has been an early mover on cyber-crime with 'the Mob' now bankrolling other activities from the profits of selling sophisticated hacking tools worldwide and stealing personal, business and financial information.
A group calling itself the Russian Business Network, purported to be the epicentre of a vast community engaged in spamming, identity theft and the trade of child pornography, closed its doors in St Petersburg only to resurface almost immediately in Asia. Europe's Eastern bloc countries have also been the focus for investigations, in particular Romania.
A walk on the internet's dark side shows governments globally are struggling to police the highly elusive 'catch me if you can' black economy where offenders switch servers in a nanosecond. They are facing the fact that a cyber-terrorism attack is not the province of conspiracy theorists, but a real possibility.
As Australia's attorney-general Robert McClelland recently explained, a crippling electronic attack on our financial system or infrastructure, including electricity and transport systems, 'would reap far greater economic damage than would be the case of a physical [terrorist] attack'.
There have already been instances of hackers infiltrating sensitive systems in Australia, McClelland says, confirming known breaches against government and private sector computer networks 'as a result of mischief, in some instances to obtain security-sensitive information and in some cases to obtain commercial information'. An outstanding example of what can happen was the hacker attack that closed down the Estonian Government for a fortnight last year.
Most recently in Australia, a civil liberties furore has erupted over mooted changes to privacy legislation extending powers to monitor emails and other internet communications to companies and others operating critical infrastructure. Currently only security authorities are allowed to take a look without employees' consent.
Serious threats and criminal behaviour are investigated by the Australian High Tech Crime Centre which is hosted by the Australian Federal Police in Canberra, while protection for infrastructure comes through the Attorney-General's Computer Network Vulnerability Assessment Program. But, the reality is that 90 per cent of networks exist outside of government. Cyber-terrorism, internet crime and just plain carelessness have become vital issues for individuals, all organisations and national security.
This story has all the traditional gripping elements of the good versus evil forces. To tackle them, we need to know what we're up against, and that's where the real cloak and dagger stuff begins.
The difficulty lies not only in the covert nature of the activities on the criminal side, but also in the organisations that are reluctant to go public with security breaches when they occur. In business, a breach is a public relations fiasco and erodes customer trust.
Drawing on a constant global research network, Symantec's Scroggy delivers insights into the growth business in malicious code, or malware: code that is inadvertently downloaded. There is phishing, which relies on websites designed to mimic legitimate websites, and muling, where individuals are trapped into laundering money for criminals.
These are the common activities of a multi-faceted, mature underground online industry that is illegally farming information and on-selling it in large volume to criminal groups. For their rarity value, credit card details from smaller countries in the European Union sell for higher prices than those from the US. Bank account credentials represent around 22 per cent of all 'goods' offered on underground sites and currently sell for around $10.00, 'depending on the balance'.
'You need to know where to look,' advises Scroggy, and he's certainly not telling. These underground bulletin boards are also where a large number of job ads for malware authors are posted. On the espionage front, popular techniques are theft by 'hired guns', denial-of-service attacks where a website is bombarded with so many requests it cannot perform its function, and phlashing, a permanent attack that damages a system so badly it needs replacing.
While we tend to focus on external threats, there's also the stark reality that white-collar crimes, including cyber theft, fraud and espionage, are most often inside jobs by employees, points out Rod Thomas, technology and security risk partner at Ernst & Young Australia. Certainly, organised crime and espionage capture our imaginations, but Scroggy is quick to say that not all information that escapes from organisations is due, initially, to dastardly intentions.
Ninety-six per cent of data loss is accidental. Rampant technological advances mean we may be carrying confidential files on a USB stick attached to a key-ring, or have a back-up copy of a computer hard drive sharing space with our favourite tunes on an iPod. Not long back, a Department of Defence official left top-secret information on a disk in a Qantas lounge, while entertainment booking agency Ticketek dispatched a newsletter revealing 13,000 client email addresses. On the way to the bank, a CD holding the payroll details, oops!, was left on a bus seat.
Data breach disclosure legislation, originally introduced in California in 2003 and demanding mandatory reporting of security breaches of unencrypted personal information, has now been enacted in 44 US states, and it shows just how often data escapes. By August, the number of US breaches this year alone had passed 450. Such breaches present a high cost to business.
The Enterprise@Risk: 2007 Privacy and Data Protection Survey by the Ponemon Institute and Deloitte in the US showed the average cost to be US$100.00 to $300.00 per person whose information has been compromised.
Draft data breach disclosure notification is also looming in the European Union. In Australia, suggested new rules to replace the pre-cyber Privacy Act 1988, the subject of a 2700-page, three-volume report by the Australian Law Commission, are expected to force Australian companies out into the open in the next 12 to 18 months. Currently voluntary guidelines are offered by the Australian Office of the Privacy Commissioner.
This review of laws arguably foreshadows much needed society-wide attention to new modes of internet behaviour. The pace of change has been so fast, we've barely had time to notice we've entered a new era with new attitudes.
Social networking, Gen Y and the millennials may be quicker than a mouse-click on the uptake, but such cyber-savvy ways have introduced a complacency, Scroggy warns. More than 3.5 million Australians now use 'always-on' broadband, and 2.6 million use networking sites, such as MySpace or Facebook where people willingly disclose valuable information, and it's there for the taking. Research shows these trusted sites are a new source for concern.
In organisations, change is the harbinger for being particularly alert. Financial organisations and large corporations with transactional sites inevitably are more of a target and tend to spend big on risk assessment and security. Constant vigilance is required to stay on top of the escalation of cyber-crime and its nimble, innovative ways, confirms Ernst & Young's Thomas.
He says almost invariably vulnerabilities are introduced by change. 'Change in the organisation, perhaps through a merger or a restructure, in technology and in people, all types of change need to be watched,' says Thomas. 'While technology can raise flags to threats, people need to respond. You can't leave it all to the system.'
Thomas, whose team conducts vulnerability assessments for common attack and penetration, employs 'ethical hackers' who understand the process of 'pinging' a website to find access points. Astonishingly, he says, '95 per cent of the time we find a hole in an organisation's security. That doesn't mean they are exceptionally vulnerable, but there's room for improvement.' Like anti-theft devices on cars, he says, IT security is a deterrent to criminals who go first for easy targets.
Change risk highlights the fact that putting mechanisms in place against cyber-crime is not a one-time process. Regardless of how stable an organisation is, over time there will be changes to infrastructure, computing, the network, and security degrades. Checks every three to six months are advised, while a full audit should be conducted annually, Thomas suggests.
The rise in cyber-crime and mandatory reporting of breaches is expected to revive the practice of encrypting confidential information. Under the proposed new rules where information has been encrypted, no disclosure will be required. Experts say that many SMEs depend on standard internet security solutions, combining antivirus, firewall, intrusion protection and prevention. The proliferation of malware means regularly updating virus signatures and patching for web browser vulnerability is.
'Immediate updating is vital,' says Scroggy, because providers of anti-virus software and the regular patches may take up to 90 days to plug the holes created by the bugs. And, the last word is about back-up. Should your whole system be disabled, how readily could you replace it?