There are — and always have been — many forms of cybercrime, all of which carry the common thread of commerce.
As long as there has been commerce, there has been crime, both in the general sense as well as cybercrime specifically. Think of the highwaymen on the 17th-century roads in England, or the pirates hunting down and capturing Spanish Galleons and their precious cargos of gold.
When cybercrime first came on the scene, it mainly dealt with access, but the goal was still often financial. The very first cybercriminal, tried and convicted as a felon in 1981, was Ian Murphy, known to his friends as “Captain Zap.” Murphy broke into AT&T’s internal computers and changed the internal clocks that metered telephone call billing rates so that callers could make phone calls in the middle of the day and receive the reduced late-night rates. Murphy was the inspiration for the film Sneakers, and today is the chairman of IAM/Secure Data System.
Another major example in the emergence of cybercrime was German hacker Markus Hess who, in 1986, was arrested for breaking into US computers and selling the military secrets he obtained to the Soviet Union. Hess was painstakingly tracked down by Lawrence Berkeley National Laboratory computer manager Clifford Stoll, and the account of his being tracked and captured is a fascinating tale told in Stoll’s book The Cuckoo’s Egg.
There have been forms of cybercrime that didn’t have a financial motivation, such as web site defacing, which came about in the early days of the world wide web. Web site defacing, in which a web site is replaced with the hacker’s own, is a form of graffiti, and is usually intended to carry a religious or political message.
Spamming for Profit
As the internet continued to emerge at the beginning of the 21st century, a key application proved to be email. As email became more embraced by businesses and computer users, so did a new character appear in the development of cybercrime: the spammer. Spammers were able to make millions by promoting dubious products and services through unsolicited email.
ISPs fought back through anti-spam systems that blacklisted spamming servers. Spammers realized that, if they were to continue, they would need large numbers of fresh computers to continue to deliver spam to inboxes. They teamed up with malware writers, and vast numbers of infected machines were utilized in botnets to continue spamming.
Denial of Service
Another form of spamming soon evolved called the Denial of Services (DoS) attack. A DOS attack is conducted by a perpetrator flooding a targeted server or resource with counterfeit requests for service in an effort to overload the system and prevent legitimate requests from being satisfied. The motive is often blackmail but can also be revenge or activism. A more modern method of the DoS is the DDoS, a Distributed Denial of Service attack, which utilizes multiple compromised computer systems as sources of traffic.
Many of these cybercrime methods exist today, in endless different varieties. Cybercriminals are constantly finding ways to hack into major systems, such as those storing financial account information, and steal data.
Another modern form of cybercrime is ransomware, in which a computer system is locked by cybercriminals, and “held for ransom.” The criminals threaten to release data or to permanently block access to the system unless a ransom is paid.
Increasingly devious methods have been utilized in the evolution of cybercrime to gain access to secure systems. Not long ago, cybercriminals realized that, instead of using sophisticated technology to break into systems, they could take advantage of uneducated and unaware users of secure systems and trick them into giving up access. Some of the most expensive cybercrimes in history have been perpetrated this way. In 2014, Sony Pictures lost more than $100 million through a phishing attack, conducted with malicious emails from hackers posing as company employees. Another phishing attack in 2015, through which networking firm Ubiquiti lost $46.7 million, utilized emails tricking employees into providing usernames, passwords, and account numbers to hackers.
However it is conducted, cybercrime is continually a game of cat-and-mouse. Cybercriminals attack systems, but then corporations, governments, and software publishers evolve increasingly more effective methods of defense against attacks. Cybercriminals then invent new ways to attack.
As the hacker community has expanded over time, so has an entire ecosystem grown up to service them. Entire companies have evolved to service the hacker community, creating products and tools to allow them to be more effective at hacking. Much as the defenders require the latest defense products and services, attackers are always looking for new methods and products to increase their profits.
In corporate computing, we see optimization of development and computing resources through outsourcing. There are very few organizations that do not outsource some function of their business. The exact same patterns exist in cybercrime, where certain aspects of their operation are outsourced. The above-board and underground sides of the computer universe mirror each other uncannily.
Cybercrime-as-a-Service today generates enormous revenues. According to DARKReading, over the past 20 years, cybercrime has become a mature industry generating more than $1 trillion in annual revenues.
Both sides are profit-driven — the defender side is driven by their business, the products and services they are selling, and the attackers are driven by maximizing their botnets or maximizing reach through a spam or ransomware campaign.
Markets for Sale of Stolen Data
While cybercriminals found new and clever ways to harvest financial, personal, and other valuable data from company sites, they didn’t necessarily have a way to turn this data into money. This need led to the development of underground markets where cybercriminals who invaded computers and collected stolen information sold their services to criminals who could sell the stolen data.
As criminals profited from information stolen by malware, nation-states began to invest in the development of espionage by malware, and the era of the Advanced Persistent Threat (APT) was born. State-sponsored teams of hackers could take the time to invest in stealthy and persistent attacks against chosen targets and steal valuable information for geopolitical reasons or economic gain.
Protecting Your Data
Despite the considerable evolution in cybercrime, there are measures you can take that will keep attacks at bay. There are 5 primary aspects to protecting your data, and greatly decreasing its availability to hackers.
1. Accurate inventory
Before engaging in the various effective levels of protecting your assets, you must have an accurate, up-to-date inventory of them. You cannot defend what you don’t know you have. Inventory all your hardware and software systems. For each of these systems, you must also have a firm understanding of the risk profile they present to the company.
A crucial piece of this step is to know what legacy systems you possess. Deep in the bowels of many corporations are very likely legacy systems that top executives are not even aware of.
Too many organizations simply pick out what they consider their most important assets and concentrate protection on them. As an analogy, a bank, because all the financial assets are stored in the vault, might have all the cameras and lasers focused on that vault. But they don’t have eyes on the money once it is removed from the vault and distributed to tellers, where there might be an equal or greater risk of theft. Similarly, companies must ensure they know all of their resources, fully understand their risk profiles, and monitor all of them. Without a comprehensive understanding of your assets and their risk profiles, attacks and defense can be like a game of whack-a-mole.
Too many companies skip this step because they think it’s obvious, but its importance cannot be overstressed. Again, you cannot protect what you don’t know about.
2. Keep patching up to date
There have been many reports over the years on companies being too lax about patching their systems. There are vulnerabilities that are still taken advantage of, for which remedies have existed for years. As an example, remedies have existed for EternalBlue and WannyCry for 2 or 3 years, yet we still see those vulnerabilities in customer environments.
A company can take a great measure of protection by making sure patches are regularly applied and kept up to date.
3. Monitor and log networks
Another very important aspect of data protection is to continuously monitor and log networks for patterns and anomalies. Doing so allows action to be taken before a cybercriminal has a chance to act.
In #2 above we discussed updates, but there comes a point when a company has legacy systems that are very hard to update. As an example, there are certainly OS/2 or Windows SE systems still in place in some organizations, simply because they work. They are very brittle, and IT is afraid to touch them because they might break. At that point, monitoring and logging become very important, as these are the only methods through which legacy systems can be protected.
4. Firewalls and encryption
Make sure that firewalls and web application firewalls are in place and correctly configured. This, coupled with encrypting sensitive data, will help with your security strategy.
5. Security awareness training
As discussed earlier, one method of attack that has been utilized in modern times is through users who aren’t aware that they can be pawns in phishing schemes. Regularly providing security awareness training for all staff will go a long way to keep them from releasing access to cybercriminals.
These 5 steps will greatly empower you in the area of data protection and help halt the further development of cybercrime. The final step would be to protect your company with Managed Detection and Response (MDR), which combines purpose-built technology with a team of cybersecurity experts to address your unique needs and business context. Learn more about MDR here.