Do you like a good horror story? Then may I suggest “Future Crimes” by Marc Goodman. When it comes to this genre, Wes Craven, John Carpenter and Stephen King have got nothing on Goodman, primarily because Goodman’s story is non-fiction.
Scene 1: The present – Your workstation or data center
Whether it’s your personal or corporate data that’s at risk, the magnitude of that risk is far greater than the uninitiated are currently aware. We’ll skip right over the now-mundane cyber threats of zero-day exploits, ransomware and spoofing, and get right to a few of the more vile and contemptible approaches currently on the crime market:
- “Girls Around Me”: a downloadable app that uses geolocation data from mobile devices and social apps – a favorite of stalkers.
- “SpyEye”: A man-in-the-middle screen spoof that not only captures all your log-in credentials and drains your bank account, but records exactly how much was taken and adds that amount back into your fake current balance before presenting it to you, so as to buy enough time to clear the settlement period.
- Mobile POS scanners, like the one carried by this guy on public transit, which, when pressed close to your wallet, will automatically charge your contactless debit card.
- GPS signal spoofing that can redirect an 18-wheeler to the wrong warehouse or a cargo ship to the wrong berth, where the bad guys are ready and waiting to unload it.
Scene 2: The future – Rising action and danger
Cybercrime is a big business, run by professional-looking organizations with a CEO, CFO, CMO, R&D, Quality Control and Tech Support. Out on the Dark Net, on websites you’ll never find with a Google search, merchants are ready to sell you whatever you might need, from a piece of malware targeted to a specific flaw on a specified operating system, to the hourly or daily rental of a botnet for your next DDoS attack. I’ve written previously about CaaS – Crime-as-a-Service – where criminals can outsource their infrastructure needs, and can even rent cloud computing services for purposes such as cracking encryption keys, known as “cloud cracking”. Some of the other pertinent targets of the growing Malware-Industrial Complex are:
- Sophisticated toolkits that not only steal your credit card info and banking log-on details, but erase all system logs that show they were even there, leaving behind a hidden, persistent backdoor for future access.
- Exploiting the weak points in the IoT, such as wireless, RFID, and the many minimal OS consumer devices in our home. No need to blast through a firewall router when you can get access to the banking files on the hard drive through the refrigerator.
- Biometric data provides one of the most lucrative paths to theft and extortion. You can always reset a password, but once they have your fingerprints and other biometric data, they are for all intents and purposes, you, for as long as they care to be.
- Hacked robotics, where criminals no longer need to be content with merely making mayhem by proxy (e.g., disrupting the electric grid); they can become active agents in creating chaos through the hacked device or vehicle – a physical manifestation of cybercrime.
Scene 3: The climax – DETECTION!
The cyber criminals will likely have the upper hand for some time to come – it’s harder to play defense in this game than offense – you have to guard against every eventuality, they only have to find one weak link.
This point was underscored by the former CIO of a Fortune 50 manufacturer speaking to a conference of IT executives I attended last year. He had a staff of 60 dedicated to fighting off the bad guys, but was always vastly understaffed to the challenge. His conclusion and advice from this experience was: after you’ve done your best at putting up a solid defense, shift your priority to rapid detection and elimination of the threat.
Following a successful intrusion, the typical malware threat sits inside your firewall for about seven months before the breach is discovered, occupied with exploration and reconnaissance before it ever gets to the actual data exfiltration. This is to be expected – the hackers don’t know your system or network; they came in through the open window near the back fence and need to first figure out the lay of the land and find the safe before they can start trying to crack it. And as is true in forensics, they will leave a trail – evidence of their recon activities, evidence you can uncover to nail them before they do much damage.
SAS Cybersecurity software automatically tracks down and identifies this evidence, which can be a formidable task when your business has billions of unique network transactions per day, typical of a Fortune 1000 company, and an impossible task to attempt manually. First, it develops a baseline profile of peer device activity by function and department, then looks for and identifies anomalies in the usage and traffic patterns. An HVAC system searching the customer files? An HR server querying production data? A piece of lab equipment downloading financial data? A scorecard will rank your potential threats for investigation, provide drill-down capability to identify the exact IP address or user, and get to the details behind the score, such as: was this machine communicating over a specific port more frequently than its peers?
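The peer-baseline idea above, worked through as an added example (this is illustrative code written for this post, not SAS software): each device is compared, port by port, against the other devices in its own function or department group, and a scorecard ranks devices by their single most anomalous port. The device names, groups and connection counts are constructed sample data.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: daily connection counts per (device, peer group, destination port).
# Facilities controllers should all look alike; HR servers should all look alike.
FLOWS = [
    ("hvac-01", "facilities", 443, 40), ("hvac-01", "facilities", 123, 12),
    ("hvac-02", "facilities", 443, 38), ("hvac-02", "facilities", 123, 11),
    ("hvac-03", "facilities", 443, 42), ("hvac-03", "facilities", 123, 10),
    ("hvac-04", "facilities", 443, 41), ("hvac-04", "facilities", 123, 12),
    ("hvac-04", "facilities", 445, 300),   # SMB toward a file share: no peer does this
    ("hr-srv-1", "hr", 443, 500), ("hr-srv-1", "hr", 1433, 80),
    ("hr-srv-2", "hr", 443, 480), ("hr-srv-2", "hr", 1433, 75),
    ("hr-srv-2", "hr", 1521, 60),          # Oracle port toward production data: no peer does this
]


def aggregate(flows):
    """Return {group: set(devices)} and {(group, port): {device: count}}."""
    members = defaultdict(set)
    counts = defaultdict(lambda: defaultdict(int))
    for dev, group, port, n in flows:
        members[group].add(dev)
        counts[(group, port)][dev] += n
    return members, counts


def peer_zscore(value, peers, rel_floor=0.1, abs_floor=1.0):
    """Leave-one-out z-score: how far one device sits from the mean of its peers,
    with the spread floored so a perfectly uniform peer group cannot divide by zero."""
    mu, sigma = mean(peers), pstdev(peers)
    return (value - mu) / max(sigma, rel_floor * mu, abs_floor), mu


def scorecard(flows):
    """Rank every device by its most anomalous port relative to its peer group.
    Each row is (device, z, port, own_count, peer_mean) so an analyst can drill down."""
    members, counts = aggregate(flows)
    worst = {}
    for (group, port), per_dev in counts.items():
        for dev, n in per_dev.items():
            # peers that never touched this port count as zero connections on it
            peers = [per_dev.get(d, 0) for d in members[group] if d != dev]
            if not peers:
                continue              # a group of one device has no baseline
            z, mu = peer_zscore(n, peers)
            if dev not in worst or z > worst[dev][0]:
                worst[dev] = (round(z, 2), port, n, round(mu, 1))
    return sorted(((dev,) + row for dev, row in worst.items()), key=lambda r: -r[1])


if __name__ == "__main__":
    for device, z, port, n, mu in scorecard(FLOWS):
        print(f"{device:9} z={z:7.2f}  port {port:5}  {n:4} conns vs peer mean {mu}")
```

On this sample the two devices talking on a port none of their peers use rise to the top of the scorecard, while ordinary day-to-day variation among the controllers and servers scores well under one standard deviation.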
Looking at the entire process holistically, an appropriate analogy might be with the human immune system. Yes, your skin and inner membranes do act as that first line of defense, but the heavy lifting is done by the T and B cells of the immune system, continuously identifying and disassembling nasty intruders. Taking this analogy further, the mission critical systems of the cerebral cortex sit further protected behind the blood-brain barrier, where you might say the security levels are a bit higher than for the other organ systems.
Scene 4: Denouement – Other best practices
Marc Goodman provides a handy infographic, UPDATE, on his website, which outlines what you can do to better protect yourself. Here are some key tips from his book and other sources:
- NEVER, EVER reuse the system Admin password for any other purpose, and users should never log-on as the Admin. I’d like to see the OS makers build this into their systems, at least to the point of requiring you to opt-out.
- Update the OS and apps frequently.
- Never use the same password across multiple sites. Use a password manager, and consider two-factor authentication when possible.
- Create a comprehensive data inventory and implement a network configuration management system. This serves both for rapid detection and rapid recovery.
- Keep in mind that the weakest link is the human component: the social engineering that tricks an employee into downloading a piece of malware or sharing a system password. 85% of all hacks start with a phishing email.
We are seeing a shift from the physical to the digital. Data used to follow the product, as a by-product so to speak; in the future the product will follow the data. Some industry segments are already 100% digital. On the personal side, you are becoming your data. It’s long past time for data brokers to be treated the same as the credit rating agencies, where you have the right to view and correct the data they have on you. That is, if you can work through the sense of horror and violation of privacy you’ll encounter upon first seeing how much they do have.
If you’re still reading your children tales of scary trolls under bridges and hungry wolves in the woods, consider instead updating your repertoire with Future Crimes – it’ll give you both nightmares for weeks.