
The battle between cyber criminals and law enforcement (and information security


Question

The battle between cyber criminals and law enforcement (and information security professionals) the world over is a constant tug-of-war. From most perspectives, law enforcement and INFOSEC personnel are at a significant disadvantage, but occasionally we find ourselves ahead of the curve, having developed a new countermeasure or technique for prevention, detection, or investigation. When such an innovation is developed, should it be widely publicized and shared with others, or is the risk of informing the "bad guys" and allowing them to adapt or evolve their tools and techniques in response too great? How should we balance the need to collaborate and cooperate for the benefit of all with the need to maintain maximum advantage (if however slight) over our cybercrime adversaries? Discuss thoroughly.

Explanation / Answer

As cybercrime enters this second wave, criminals with no programming experience can buy illegal packaged software to carry out sophisticated attacks, and information security can no longer be addressed merely with a firewall. It has become not just an IT risk, but a business risk. The threat extends beyond systems, affecting everything from marketing and the customer relationship to government compliance, insurance costs and legal liability. Beyond IT and a trusted cadre of security vendors and consultants, information security requires understanding, involvement and consensus from all parts of the business at all levels, right up to the board, before problems occur. Security to combat cybercrime needs to be part of a company’s disaster and business continuity plans, with security spending based on the overall threat cybercrime poses.

If security is viewed simply as an IT cost and responsibility, companies will never be truly ready for the risks they face. “If you do have an attack, it’s never just the data that you lose or the customers who are victimized, it’s [also] the larger effects that the attack has on everything else,” says Ian Patterson, CIO at online brokerage Scottrade. “It’s the marketing effects, the customer service effects, the business effects.”

How Cybercrime Is Changing

The crooks are still after the money, but they are developing more sophisticated ways of getting at it. They’re willing to hang around longer and in places where the money isn’t immediately available. For example, the breach disclosed earlier this year at retailer TJX unfolded during more than a year, as criminals accessed the system multiple times to extract customer credit card numbers, using technology that has, “to date, made it impossible for us to determine the contents of most of the files we believe were stolen in 2006,” according to TJX’s annual report filed with the Securities and Exchange Commission. The new paradigm is to not make big, noisy attacks, says Chris Painter, principal deputy chief of the Computer Crime and Intellectual Property

That threat is mounting every day. The number of people who believe or know they received phishing attacks doubled between 2004 and 2006, from 57 million to 109 million, according to Gartner. Although fewer victims are losing money, the losses per victim have more than quadrupled since 2005 and the percentage of that money recovered has dropped from 80 percent in 2005 to 54 percent in 2006. Even if victims don’t lose money, there is a cost. The Federal Trade Commission estimates that it takes consumers an average of 30 to 60 hours to clean up a credit history damaged by identity theft.

For businesses, the unseen costs are even higher. For 56 organizations studied by the Ponemon Institute that experienced the loss or theft of customers’ personal data, the loss of business resulting from the breach eclipsed by nearly $400,000 the combined cost of detecting an attack, notifying customers and helping them work through any resulting problems (on average, $128 per compromised record and $2.6 million in total).

Meanwhile, the administrative savings that make the online channel so attractive for businesses are being eaten up by consumer fear and avoidance. A recent Gartner survey found that 23 percent of online banking consumers have fled the channel because of security concerns. Nearly 24 million people won’t even consider online banking because of them. “That means you have people doing transactions at the bank that cost $15 each when they could be doing it online for pennies,” says Tim Renshaw, vice president of product solutions for TriCipher, a security software company. In addition, plummeting trust in e-mail has made it a dicey customer communications vehicle. More than 85 percent of respondents to the Gartner survey said they delete suspect e-mail without opening it. Dougherty says CFEFCU has abandoned e-mail altogether. “We have had to go back to snail mail,” he says, noting that it’s about 90 percent more expensive and much slower and less flexible than e-mail.

Now let us see the most plausible solution for cybercrime from the expert himself. "Crime is going exponential," said cybersecurity expert Marc Goodman, who has advised Interpol, the United Nations, NATO and the Los Angeles Police Department, among others.

Among the myriad ways criminals can hack devices for their own ends, Goodman said that the massive 2013 data breach at mass-merchant Target affected about 100 million people.

Sixty percent of attacks on businesses hit small companies, Goodman said. And 70 percent of small businesses attacked fail within a few months. Business owners need to treat cybercrime not merely as a possible nuisance, but as an existential threat.

Attaining perfect security is nigh impossible, but there are a number of steps citizens and small-business owners can take to protect themselves. Goodman gave his top six suggestions for how businesses of every size should protect themselves.

1. Classify, encrypt and protect 'high-value targets'

This is what the government already does. Businesses need to encrypt safe data, decide who needs access to what information and build their strongest walls around individuals or information that might be most appealing to cybercriminals.

2. Have a plan

Don't wait until there is a breach to do something about it. Chances are, by the time you recognize something is wrong, criminals have already done a lot of damage.

The average time to discover a breach is 211 days. So for seven months, the bad guys are in your system and taking what they want.

3. Create a united front

Most companies say that they have a good security front, but that doesn’t work most of the time. Top executives in every department of a business need to be involved and working together to ensure security remains a priority, he said.

4. Not everything needs to go on a computer

Create "air gaps" by leaving some information on computers that are not (preferably cannot be) connected to the Internet, or leave some of the most precious information offline entirely.

5. Test assumptions

Don't let criminals be your security testing team. Work with security experts who can break into your systems as criminals would and identify holes or ineffective measures.

6. To defend, attack

Trying to keep cybercriminals out with measures like firewalls is no longer enough, Goodman said. Many can get past them. Instead, hunt down criminals who may be in your networks.

So, finally, it is always better to collaborate and cooperate for the benefit of all with the need to maintain maximum advantage over our cybercrime adversaries. But one should also be careful about the leakage of information, which can do serious damage if it gets into the hands of cyber criminals.
