Vigilance is key
Vigilance is key when it comes to fighting cyber crime.
A 2018 report estimates that organized crime could be worth an estimated $2,13 trillion. Of that, $2,1 trillion is laundered. It is also worth noting that cyber crime is also making a major impact and was worth an estimated $6 trillion in 2018.
The public has been made aware of the tactics that fraudsters use in the past. However, because it is such a booming business, a fresh new tactic is making an impact on the industry that uses physical and cyber means to commit the crime.
Criminals target markets where it is easy to launder money and victims are easy to find. This is traditionally in markets that are facing high levels of unemployment and desperation is rife.
Criminals will purchase a bottom end recruitment agency and will advertise several positions that do not require a lot of qualifications.
The job applicants never receive any of the jobs that they apply for, but the recruiter keeps in constant contact with them giving them hope. Eventually, desperation sets in and the recruiter (having key information such as names, mobile numbers, email addresses and copies of IDs) offer a soft loan to the applicants who open bank accounts to receive this money. They draw the money to provide for their families and the recruiter has access to a bank account because they have cloned the applicant’s identity.
The fraudsters use these accounts to create a steady flow of cash flowing through these accounts because the applicants that the soft loan was offered to will never be able to pay the loan back and therefore never access the accounts.
Once the fraudster has laundered the desired money that they aim for (their goal), they pack up and exit the country leaving the applicants, who are listed as the account owners, to deal with the authorities.
It doesn’t end there.
The above tactic is merely the first step in a much more elaborate scheme.
Money is laundered quickly when there is volume and a multitude of means. Fraudsters are now targeting companies such as legal firms, estate agencies and investment firms to create a virtual economic community that they use in conjunction with the recruitment agency tactic.
Cyber criminals infiltrate the IT systems of these companies and basically clone the business, staff identifications and email addresses. They then transact with the trust funds that are held by these companies to launder they money that they need. Again, the fraudsters then exit the country leaving the companies at the mercy of law enforcement agencies where they will spend a lifetime trying to clear their names.
A rethink is needed.
According to a recently read article on entrepreneur.com, a serious rethink is needed when it comes to combatting cyber crime.
The article points out that, in 2018, a security issue at Facebook affected a whopping 50 million users. In 2017, 412 million user accounts were stolen from Friendfinder’s sites and 147.9 million customers were affected by the Equifax data breach. Just one year earlier, 3 billion Yahoo accounts were hacked while hackers managed to steal the data of over 57 million riders and drivers from Uber.
The article adds that the fact that some of the biggest tech companies across the world have suffered such massive security failures gives us an insight into how big a problem cybersecurity really is. And just in case you thought that these breaches are few and far between, the average number of recorded breaches per country in 2017 alone was 24,089. Interestingly enough, India was the nation with the most number of annual breaches (over 33,000 files) while the US had 28,500. It’s also important to remember that these are the reported figures and that the actual numbers could be several times higher.
Let’s talk a little bit about why cybersecurity is in such a flux today and some of the upcoming long-term solutions being observed within the markets.
- Cyber-attacks have gone from being standard-issue, easily manageable threats to complex attacks. Cyber-attacks have gone from being standard-issue, easily manageable threats to complex attacks that leverage cutting-edge technologies and sophisticated algorithms. Given the highly varied nature of modern attacks and the sheer amount of information needed to fully document an attack, it’s no longer possible for cybersecurity teams to process everything within a reasonable timeframe. Improving detection and response times for cyber threats and enabling human cybersecurity teams to focus on the more strategic threats is the need of the hour.
- Companies across the world are now looking at adopting AI-powered cybersecurity solutions. Automation in cybersecurity is not a new concept and has been widely used over the years. However, with the rising attack surface, the number of alerts being generated by security automation products is usually overwhelming. The high severity threats get buried within a spew of irrelevant alerts, and organizations have to either spend a lot on cybersecurity teams to manually filter through those alerts or deploy customized automated security solutions that are also prohibitively expensive. This is where AI-powered technologies come into the picture. These technologies are a cost-effective way for companies to identify the most critical threats, thereby increasing detection and response times. In fact, 61% of enterprises today say they cannot do without AI technologies when it comes to detecting breach attempts, and another 48% say that their budget for AI in cybersecurity will increase by an average of 29% in 2020.
- Applications today have become increasingly diverse. They reside on multiple platforms (mobile devices, web servers, application servers, etc) and proliferate from a number of sources— whether that’s in-house, third-party, or Commercial Off-the-Shelf (COTS). And while enterprises have so far been fairly effective at protecting the network layer and endpoints of the cybersecurity surface, the application layer itself remains highly vulnerable. This means enterprises have to make it as difficult as possible for a malicious actor to hurt the organisation or its digital assets.
- A poorly-written piece of code can affect more than just itself. A poorly-written piece of code can affect more than just itself. The components it interacts with are also at risk. Even a minor flaw can be exploited, damaging, or leading to damage of critical parts of a company’s infrastructure.
- Bugs. Bugs are commonly introduced due to development team time constraints, legacy code that has since become vulnerable, carelessness or a misunderstanding of bug classes that an attacker will exploit. No matter the automation or rules you have in place, one mistake can take down the organization.
The article points out that a large amount of information gets leaked online through innocent mistakes. In February of 2018, for instance, our crawler found details of over 10,000 credit as well as debit cards of the customers of a prominent Indian bank, that were available for sale on the dark web, for $4-5 per card.
Given this context, security can no longer be just another layer over the business application but should be inherently built into it—a part of the development workflow itself. Things like malicious code, application backdoors and lack of security functionality need to be addressed during development itself; and for existing projects, via a comprehensive assessment.
The article adds that at the end of the day, cyber attacks have become more sophisticated and complex than ever before, and the defensive methods that worked even a few years ago are now limited in their efficacy. Luckily, there are a number of advanced cybersecurity solutions providers out there and they’re leveraging cutting-edge technologies to build faster detection and response times. Most of these cloud providers have highly sophisticated systems to secure your infrastructure better. Although those systems have a steep learning curve, investing time in setting up proper access controls and defence mechanisms can go a long way in securing your organisation.
Fighting fire with explosives.
When Didge City and Tombstone were overrun by desperados in the Wild West, the cities called on lawman Wyatt Earp to take the battle to the criminals.
This was an extreme move because Earp’s tactics were unconventional to say the least. He was very heavy handed when handing out justice to criminals and he wasn’t not scared to push the boundaries of legality in the undertaking of his duties.
In order to defeat hackers, it is becoming increasingly clear that white hats are needed. In an online world infested with hackers, we need more hackers.
The article points out that this is not an oxymoron. While hacking remains a generally pejorative term (“Don’t respond to any Facebook invites from me! I got hacked!), the reality is that it’s all about the motivation. To have a chance of blocking or defeating malicious hackers, organizations need “good” or ethical hackers on their side—people who know how to think like the bad guys.
It’s like anything—the best detectives know how to think like criminals. The best sports teams get that way in part by figuring out what their opponents are likely to do before the game starts.
The article adds that hacking has been a “mixed-use” term for decades. How it is perceived depends on the prefix—white hat, black hat, grey hat. White hats are good guys, black hats are bad guys (you know, like in the old spaghetti westerns) and the greys float somewhere in between, generally choosing a side based on how much it will benefit them or a cause they support.
Internet of Everything.
The article points out that the annual Black Hat security conference is 22 years old and is generally aimed at ethical hackers who want to learn more about how to think like a black hat and help their organization avoid becoming the next catastrophic data breach headline.
But as malicious hacking evolves and the “attack surface” expands exponentially—the Internet of Things (IoT) is now more frequently called the Internet of Everything (IoE)—the definition and mission of ethical hacking is evolving as well. In addition to helping protect a company’s digital assets, it is also about making the online world (and the physical world) a better, more secure place for everybody but criminals.
The article adds that one of the presentations at last month’s Black Hat in Las Vegas was titled “Hacking for the greater good: Empowering technologists to strengthen digital society.” It featured technologist, cryptographer, blogger and author Bruce Schneier; Camille Francois, chief innovation officer at Graphika; and Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation (EFF).
With the global cost of cybercrime expected to surpass $2 trillion by the end of 2019, it’s no surprise that organizations have sought out unconventional cybersecurity strategies. For years, businesses have encouraged — and even hired on — hackers to unearth their digital vulnerabilities.
The article adds that to be clear, these hackers aren’t bad guys turned good. Ethical, or white hat, hackers use their computer security expertise to hack into organizations’ digital infrastructure and identify cybersecurity weaknesses, rather than exploit them. The profession isn’t necessarily new, but the ethics surrounding it have begun to evolve.
While 75% of white hat hackers say that no amount of money could turn them into black hat hackers, that leaves 1 in 4 ethical hackers who would switch their hats for the right price — or more recently, the right cause.
The article points out that while that isn’t to say that all ethical hackers are easily swayed, the promise of a hefty payout or even “hacktivist” glory can be attractive. With this knowledge in mind and sensitive data on the line, businesses must reassess their ethical hacking practices. Before communicating with outside ethical hackers or bringing an ethical hacker onto your team, consider how you can best ensure this practice isn’t endangering your organizations’ data.
Approach outside ethical hackers with a set protocol.
The article adds that while you’re rethinking your organization’s policies toward hiring ethical hackers, it’s worth considering how you deal with outside white hats too. Some organizations offer “bug bounties” to those who can find previously unnoticed vulnerabilities in their digital infrastructure.
It could be dangerous to overlook these independently operating hackers — over 70% of cyber attacks are financially motivated, so having some sort of compensation is a best practice.
Organizations must be open to all security opportunities.
The article points out that in an environment where cyberattacks are only set to increase, being open to the latest cybersecurity strategies is essential to protecting the digital infrastructure of your organization.
While there are some risks that come with ethical hacking, having someone who thinks like and is equipped with the same skills as the bad guys might be the best way to keep your information safe from them.