The New Face of Organized Crime
You could call 2014 the year of the hack.
From Michaels, the nation’s largest chain of craft stores, which reported that data from an estimated 2.6 million bank cards was exposed, to Community Health Systems, which endured an attack on some 4.5 million patient records, the twelve months of 2014 were filled with cybercrime. Other high-profile hacks targeted UPS, Goodwill, JPMorgan Chase and Sony. It appeared no organization was immune.
And 2015 isn't looking any safer. A new report from Forrester Research predicts at least 60 percent of businesses could face a breach of sensitive data this year.
Just last month, international hackers were suspected of stealing 100,000 taxpayers’ data from the Internal Revenue Service. And although in the Sony case it was the inflammatory leaked emails and the cancellation of “The Interview” (a caper about a plot to assassinate North Korea's leader) that made headlines, hackers also stole more than 47,000 Social Security numbers of Sony’s current and former employees. Also stolen were a number of files that had personal information such as birth dates and home addresses, making identity theft a concern alongside the political statement.
The proliferation of security breaches is due in part to the increased sophistication of hackers. These are not the clueless kids who instigated a nuclear attack in the 1983 movie, “WarGames.” “The adversary we are up against is not a bored teenager,” said Caleb Barlow, a vice president with IBM security.
“Highly organized criminal gangs,” Barlow said, are generating about 80 percent of cybercrimes. They operate from cubicle farms just like regular businesses, keeping office hours and taking off on the weekends.
The difference is that when they turn out the lights on Friday, they often flip the on switch to launch an attack — especially if it’s right before a holiday weekend. Then, Barlow said, the breach can go undetected longer while regular workers are off the clock.
To get a sense of the level of sophistication, Barlow described one attack campaign he and the IBM security team were tracking called The Dyre Wolf.
The campaign uses a new variant of the Dyre banking Trojan, so named because it rolls into computer operating systems via an innocent-looking source such as an email, then waits until a user starts a high-value transaction. Once a customer starts that transaction — say a wire transfer — he sees a webpage from what looks like the bank with a number to call to fix an issue with his account.
Unfortunately, what looks to the user like a standard security measure instead connects him to the team working for the cyber crooks. The person on the phone speaks in unaccented English and proceeds to act like a regular banking customer service representative, validating all the user’s credentials and capturing them for potential future thefts.
Hackers simultaneously instilled a false sense of safety in users while seizing funds in excess of $500,000 per transaction. In some cases, Barlow said, attacks like these come with a money-back guarantee from hackers who are raking in millions.
The High Cost of Cybercrime
Security breaches can take almost a year to discover. According to the latest research from Ponemon Institute, malicious attacks can take an average of 256 days to identify. Nearly half (47 percent) of all breaches in this year’s study were caused by malicious or criminal attacks.
Financial and operational loss is sure to follow, not to mention the cost of repairing a damaged reputation. According to Ponemon’s 2015 benchmark study of 350 companies in 11 countries, the average consolidated total cost of a data breach is $3.8 million, a 23 percent bump up since 2013.
The average cost to resolve these attacks varies by industry. For instance, in healthcare, the cost per stolen record can be as high as $363, but the average across all industries is $154 per record.
Do You Really Have Control of Your Data?
Even companies trying to be proactive about protecting their data can have blind spots that leave them open to costly breaches, Barlow said. “It’s easy for organizations to get enamored by one slice of the problem,” and put all their resources into plugging up one particular data stream.
But a sophisticated attack can penetrate an organization on multiple levels, especially as employees ramp up their use of personal devices on the job or use software that is not vetted and secured by their employer. File sharing or e-signature applications can be weak spots, and storing data unsecured in the cloud also increases the risk of exposure.
“If you are not providing employees with the right tools to do their jobs they will go out and get on their own account,” Barlow said. “If their account gets hijacked or they leave, you don’t have control.”
Bringing on an outside security specialist can help, Barlow said, but is not enough. Companies should put an emergency response plan in place as well and drill staff on what to do if the worst happens. Barlow also recommends discussing the impact of breaches ahead of time with vendors, law enforcement, and legal counsel, to build the “muscle memory” of reaction to save precious time and money.
Ponemon’s research indicates that board member involvement reduces the cost by $5.50 per record and business continuity management further reduces costs by an average of $7.10 per compromised record.
Pinterest for Security Analysts
They say what you don’t know can’t hurt you, but in the case of cybercrime, the opposite is true. That’s why IBM recently made its library of threat intelligence data available through the IBM X-Force Exchange, a new cyber-threat intelligence-sharing platform powered by IBM Cloud.
Using the X-Force Exchange, enterprises can access one of the largest global catalogs of vulnerabilities, including threat data from the monitoring of 15 billion security events each day, malware threat intelligence from a network of 270 million endpoints, threat data coming from over 25 billion web pages and images, and deep intelligence on more than 8 million spam and phishing attacks. Using this database of historical and real-time indicators of live attacks, security teams can build a centralized, up-to-the-moment view of possible threats.
Barlow said the X-Force Exchange amounts to a Pinterest for security analysts who can “pin a hack” and share it with a global audience. IBM’s security analysts and industry peers can validate findings in hopes of shutting down further breaches.
In the month since the exchange launched, more than 1,000 organizations across 16 industries have joined the network and created more than 300 new collections of threat data.
"Cybercrime continues to grow in sophistication and organization, we understand that there is power in numbers to fight back," said Rob Bening, ING Bank’s chief information security officer, in a statement. "Sharing threat information via IBM X-Force Exchange initiative is a big step toward better understanding potential attacks and anticipating measures to mitigate them."