Raj Goel, CISSP
CTO Brainlink International, Inc.
Raj’s LinkedIn profile

This article appeared in InfoSecurity Magazine Issue 7

High-tech professional criminals are getting ever more clever

Malicious attacks on databases and incidents of online and other tech-related thefts continue to evolve in number and manner leaving both consumers and businesses scrambling to pay for the damage to their reputations and bottom lines. The Identity Theft Resource Center reports that in the first half of 2009, 18.4 percent of all breaches were from insider theft. That’s up from 15 percent in 2008 and 6 percent in 2007. During the same period, the ITRC reports that hacking totaled 18 percent of all data breaches, compared with 11.7 percent in 2008. Combined, these malicious attacks are up more than 10 percent in 2009, with data breaches and insider theft accounting for 36 percent of the 250 reported breaches this year.

Information security experts, including ITRC, say companies must implement effective data-protection policies and systems to safeguard their businesses and customers. Knowing what you are up against is a solid start in planning a defense against would-be thieves—from both inside and outside your company.

What follows are some of the latest trends in information security breaches and technology-related theft examples that hold valuable lessons for information security professionals.

Identification Theft

Identification theft continues to run rampant because so much of the information required to commit ID theft is available online due to inadequate controls, data leaks or human behavior.

For instance, ITRC reports that as of June 15, 2009, only 0.4 percent of all breaches involving laptops or other portable storage devices had encryption or other strong protection methods in use. Another 7.2 percent of reported breaches had data password protection. That leaves 92.4 percent of sensitive data with no protection at all. And ITRC reports that many of these breaches are repeated events affecting the same company or agency.

PrivacyRights.org reports that between 2005 and 2009, companies reported losing more than 431 million data records, primarily those of U.S. citizens. Stolen personal information has, in turn, created a vast black market for hijacked credit card numbers and bank account credentials. As of April 2009, Symantec reports that hijacked credit card numbers were being sold for as little as 6 cents per card in lots of 10,000.

ITRC suggests any entity that requests personal information should have the technology and policies in place to limit access of sensitive information. For instance, companies can set up verification systems so that a consumer should not be asked for his or her Social Security number to view, for instance, a current balance.

Global Supply Chain Risks

Fake receipts and counterfeit gear are just a couple of examples of crimes that have swept through global supply chains. Fake receipts include everything from fake ticket stubs and railway passes sold online by unscrupulous companies to fake restaurant or taxi receipts turned in by unscrupulous employees looking to pad expenses.

One recent business scammer fraudulently raised $50 million from local investors by using fake receipts to support a lie about the number of existing U.S. customers signed on with his business. In another case, Chinese authorities reported seizing several warehouses full of fake receipts worth an estimated $147.3 billion dollars.

Another booming criminal business is the production and sale of counterfeit technology. For instance, the U.S. Federal Bureau of Investigation recently discovered nearly $2 million in counterfeit Cisco Systems gear that leading private companies and leading government agencies were using unknowingly.

Government investigators and industry experts say the Cisco example highlights a need for companies’ IP protection teams, resellers, law enforcement liaisons and customer service teams to stay in touch and be aware of red flags such as customer complaints.

Online Banking and Mortgage Fraud

Banks across the globe have spent billions of dollars over the past few years encouraging consumers to shift to online banking. And businesses everywhere have implemented more and more selfserve transaction methods — online and in person.

However, not all security ramifications have been thought out. For instance, if a customer logs into her bank account and a piece of malware transfers funds out of her account, who is liable?

In the U.S. home mortgage industry, meanwhile, reports of criminals targeting owners of rental properties or second homes with attractive refinancing offers are on the rise. Using data supplied by the victims, the criminals forge credentials, refinance properties and abscond with the funds.

And when risky business practices in the subprime loan and mortgage market played out as a leading cause of the global financial meltdown, many people were surprised to find out just how many banks and lenders had inadequate internal digital controls.

In one sample case, a vocational nurse violated HIPAA’s provisions and stole the identification of a 72-year-old woman. The nurse and three accomplices were able to cash out $165,000 of the woman’s home equity.

Spam, Malware and Insecure Coding

According to a new survey by the Messaging Anti-Abuse Working Group (MAAWG), 12 percent of Internet users admitted clicking on spam because they were interested in the product or service offered. Eighty percent said they didn’t believe they were at risk from malware when doing so.

And it’s not just criminals who are peddling fake antivirus software or bogus spyware, or botnet herders hijacking machines. For instance, the New York attorney general’s office in 2007 fined Priceline, Travelocity and Cingular for using adware programs to market their products.

Meanwhile, insecure or bad coding— whether it’s a flaw in APIs from the same vendor that has acquired other companies or multiple companies agreeing on the same insecure standards or singlevendor flaws—is likely here to stay.

For instance, HIPAA is touted as a good first step in protecting the electronic storage of medical data, but it only applies to doctors, hospitals, insurance companies and the government. It excludes pharmaceutical companies and services to which consumers voluntarily give their health information. Industry watchers say new online health concerns, such as Google Health, Microsoft Health and other services that are exempt from HIPAA-required controls, will lead to further privacy erosions due to flaws in their APIs or third-party APIs.

The Bottom Line

The Ponemon Institute reports that in 2005, the cost for companies that lost 10,000 records or more was $138 per record to clean up. By 2008, the cost per lost record rose to $202. Multiply that by 10,000 records and it skyrockets to more than $2 million.

Security experts say the best defense is to learn from trends in crimes, and use the knowledge to revise and build better policies and systems in cooperation with industry peers and government agencies—because you will be targeted again.