The battle between cyber criminals and law enforcement (and information security

Question

The battle between cyber criminals and law enforcement (and information security professionals) the world over is a constant tug-of-war. From most perspectives, law enforcement and INFOSEC personnel are at a significant disadvantage, but occasionally we find ourselves ahead of the curve, having developed a new countermeasure or technique for prevention, detection, or investigation. When such an innovation is developed, should it be widely publicized and shared with others, or is the risk of informing the "bad guys" and allowing them to adapt or evolve their tools and techniques in response too great? How should we balance the need to collaborate and cooperate for the benefit of all with the need to maintain maximum advantage (if however slight) over our cybercrime adversaries?

Explanation / Answer

In the modern era, with cybercrime entering this second wave, defaulters with no programming experience can buy illegal packaged software to conduct sophisticated attacks, and information security agencies can no longer be addressed just with a firewall. It has now become not just an IT risk, but infact a business risk. The threats extend beyond systems, changing everything from marketing and the customer relationship to government compliance, insurance expances and legal liability. Beyond IT and a trusted cadre of security vendors and consultants, information security requires understanding, involvement and consensus from all parts of the business at all levels, right up to the board, before problems occur. Security to combat cybercrime needs to be part of a company’s disaster and business continuity plans, with security spending based on the overall threat cybercrime poses.

In case we view security as an IT cost and responsibility, companies will never be truly prepared for the risks they could face. “If you do have an attack, it’s never just the data that you lose or the customers who are victimized, it has also the larger effects that the attack has on everything else,” says Ian Patterson, CIO at online brokerage Scottrade. “It’s the marketing effects, the customer service effects, the business effects.”

Variations in Cybercrime:

The crooks are still behind the money, but they are generating more sophisticated means of getting at it. They’re willing to spend longer times in places where the money isn’t immediately available. For example, the breach disclosed earlier this year at retailer TJX unfolded during more than a year, as criminals accessed the system multiple times to extract customer credit card numbers, using technology that has, “to date, made it impossible for us to determine the contents of most of the files we believe were stolen in 2006,” according to TJX’s annual report filed with the Securities and Exchange Commission. The new paradigm is to not make big, noisy attacks says Chris Painter, principal deputy chief of the Computer Crime and Intellectual Property

That threat is mounting on almost daily basis. The number of people who think or know they received phishing attacks doubled between 2004 and 2006, from 57 million to 109 million, according to Gartner. Although fewer victims are losing their money, the losses per victim have more than quadrupled since 2005 and the percentage of that money recovered has dropped from 80 percent in 2005 to 54 percent in 2006. Even if victims don’t lose their money, there is a cost. The Federal Trade Commission estimates that it takes consumers average of 30 to 60 hours to clean up a credit history damaged by identity theft.

For businesses, the unseen costs are even higher. For 56 organizations studied by the Ponemon Institute that experienced the loss or theft of customers’ personal data, the loss of business resulting from the breach eclipsed by nearly $400,000 the combined cost of detecting an attack, notifying customers and helping them work through any resulting problems (on average, $128 per compromised record and $2.6 million in total).

Meanwhile, the administrative savings that make the online channel so attractive for businesses are being eaten up by consumer fear and avoidance. A recent Gartner survey found that 23 percent of online banking consumers have fled the channel because of security concerns. Nearly 24 million people won’t even consider online banking because of them. “That means you have people doing transactions at the bank that cost $15 each when they could be doing it online for pennies,” says Tim Renshaw, vice president of product solutions for TriCipher, a security software company. In addition, plummeting trust in e-mail has made it a dicey customer communications vehicle. More than 85 percent of respondents to the Gartner survey said they delete suspect e-mail without opening it. Dougherty says CFEFCU has abandoned e-mail altogether. “We have had to go back to snail mail,” he says, noting that it’s about 90 percent more expensive and much slower and less flexible than e-mail.

Now let us take a look at the most plausible solution for the cyber crime by the expert himself. Crime is going exponential said cyber-security scholoar Marc Goodman, who has advised Interpol, the United Nations, NATO and the Los Angeles Police Department, among others.

Among the myriad methods, criminals can hack devices for their own ends, Goodman said that the massive 2013 data breach at mass-merchant Target affected about 100 million people.

60% of attacks on businesses hit small organizations, Goodman said. And 70 percent of small businesses attacked fail within a few months. Business owners need to treat cybercrime not merely as a possible nuisance, but as an existential threat.

Attaining perfect security is almost impossible, but still there are a number of steps citizens and small-business owners can take to protect themselves. Goodman gave his top six suggestions for how businesses of every size should protect themselves.

1. Classification, Encryption and protection of 'high-value targets':

This is something governments are already doing. Businesses need to encrypt safe data, take calls on who needs access to what information and build its strongest walls around individuals or information that might be most appealing to cybercriminals.

2. Required Plans

They say, precaution is better than cure. Therefore don't wait until there is a breach to do something about it. Chances are, by the time you recognize something is fishy, criminals have already done a lot of harm.

The average time to discover a breach is 211 days. So For seven months, the criminals are in your system and taking what they want.

3. Create a united front:

Most companies claim that they have a good security font but that doesn’t work most of the time. Top executives in every department of a business need to be involved and working together to ensure security remains a priority, he said.

4. Avoid unnecessary storage on computer:

Create "air gaps" by letting some information on computers which are not (preferably cannot be) connected to the Internet, or leave some of the most precious information offline entirely.

5. Test assumptions

Do not let criminals be your security checking team. Work with security experts who can break into your systems as criminals would and identify holes or ineffective measures.

6. Attach is the best defence:

Trying to keep cybercriminals out with measures like firewalls is no longer sufficient these day, Goodman said. Many can get past them. Instead, hunt down bad guys who may be in your networks.

So, finally it is always necessary to collaborate and cooperate for the benefit of all with the need to maintain maximum advantage over our cybercrime adversaries. But one should also ensure that there is no leaved information that can do serious damage if it got on the hands of cyber criminals.

Related Questions

Navigate

• Browse (All)
• Browse T
• Subjects

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.