While a report prepared by the Risk and Infrastructure Science Center indicates that severe weather — like Hurricanes Harvey and Maria — leads the pack when it comes to causes of power outages in the U.S., Mother Nature is not without rivals. Power grids can go down for a number of reasons beyond natural disasters: they often rely on aging equipment, are prone to human error and can simply malfunction. Increasingly, however, hackers targeting energy systems are playing a role in blackouts as well.
FROM THE RESOURCE GUIDE
Robert Holtfreter, Ph.D., CFE, CICA, CBA
It seems almost weekly that the media reports that a high-profile hacker has caused a data breach. The public is thereby conditioned to believe that data breaches are caused only by hackers and not by other external and internal causal factors. But in a recent factor analysis of more than 3,800 data breaches reported by the Privacy Rights Clearinghouse (PRCH), my research assistant and I identified other types of causal factors (the Holtfreter & Harrington model). Internal factors: loss of data; hacking and theft of data by a current or former employee; and improper protection or disposal of data. External factors: theft of data by a non-employee; partner/third-party theft, or loss of data through improper exposure or disposal; and hacking by a non-employee. As will be shown, data breaches, especially those initiated by hackers, are very hard, if not impossible, to prevent entirely. This is confirmed in an article in The Wall Street Journal on April 20, 2015, in which Danny Yadron, a hacking prevention specialist, noted: “No matter how much companies spend on digital defenses, hackers often still get in (to computer networks) to test the defenses of what is often a weak spot in hackers defenses: people.”
To get a better grasp of the scope of the problem that hackers and others are creating, PRCH, Verizon Business (VB) and the Identity Theft Resource Center (ITRC) track and classify the data breaches they learn of through many different sources.
From January 1, 2005, through April 15, 2015, the PRCH reported 4,517 data breaches and more than 816 million compromised records. The reported record counts are significantly understated because the number of records is unknown for more than 50 percent of the breaches. VB reported 2,122 data breaches in 2014. From January 1, 2005, through March 20, 2015, the ITRC reported 5,203 data breaches and more than 778 million compromised records. Hackers employ a variety of schemes and methods to infiltrate organizations' networks with malware, either to steal customers' personally identifiable information (PII) for use in their criminal activities or to rob the organizations directly of their resources, including cash.
In the biggest retail hacking case in U.S. history, hackers installed malware on Target’s security and payment systems in November 2013, allowing criminals to capture credit card data at all 1,797 U.S. stores whenever customers swiped their cards. The stolen data was staged on a Target server controlled by the criminals, later moved to staging points throughout the U.S. and finally sent to computers in Russia. What is remarkable is that this scheme eluded the security staff overseeing a $1.6 million malware detection tool Target had installed six months earlier. In another major case, Premera Blue Cross in the state of Washington revealed on February 15, 2015, that hackers had used a sophisticated attack to gain unauthorized access to its information technology systems on May 4, 2014. Eleven million customers were possibly affected, with compromised PII including name, address, telephone number, date of birth, Social Security number, member identification number, email address and claim information. At this point it is not known how the hackers infiltrated the network, but it was most likely people-based.
Organizations are responsible for many internal breaches and need to continually educate their employees about all types of data breach causal factors. Educating employees and the public is not the only fix, but it is probably the most important one to put in place to help curtail the compromise of records containing valuable PII and reduce identity theft.
As I have written in many of my cybersecurity/identity theft articles in Fraud Magazine, encrypting all forms of PII with a modern algorithm such as the Advanced Encryption Standard (AES) will help immensely, provided the encryption keys are stored and managed separately from the encrypted data, so that a breach of the database does not also hand the attacker the keys.
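As an added illustration of the recommendation above (example code written for this page, not from the article or from the ACFE), the following Go program encrypts a single PII field with AES-256-GCM from the standard library. The customer record ID is passed as associated data, so a ciphertext copied into another customer's row, or altered in the database, fails authentication rather than decrypting silently. The key handling is an assumption: `NewKey` stands in for a key fetched from a KMS or HSM that is kept apart from the data store, and the SSN value is constructed sample data.

```go
package main

// Added example (not code from the article or from ACFE): field-level encryption of a
// PII value with AES-256-GCM. The record ID is bound in as associated data (AAD).
// Assumption: the key comes from a KMS/HSM, never from the same store as the ciphertexts.

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a random 256-bit key (stand-in for a key fetched from a KMS).
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals plaintext under key and returns base64(nonce || ciphertext || tag).
// recordID is authenticated but not encrypted, binding the value to its row.
func EncryptField(key []byte, recordID, plaintext string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random 96-bit nonce per value
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), []byte(recordID))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptField reverses EncryptField; any change to the nonce, ciphertext, tag or
// recordID makes gcm.Open return an error instead of plaintext.
func DecryptField(key []byte, recordID, encoded string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize()+gcm.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(recordID))
	if err != nil {
		return "", fmt.Errorf("authentication failed: %w", err)
	}
	return string(pt), nil
}

// Demo encrypts a constructed SSN for record "cust-1001" and reports: the recovered
// plaintext, whether the ciphertext is accepted under another record ID, and whether a
// ciphertext with one flipped tag bit is accepted. Both booleans should be false.
func Demo(key []byte) (recovered string, swapAccepted, tamperAccepted bool, err error) {
	const ssn = "123-45-6789" // constructed sample value, not real data
	ct, err := EncryptField(key, "cust-1001", ssn)
	if err != nil {
		return "", false, false, err
	}
	recovered, err = DecryptField(key, "cust-1001", ct)
	if err != nil {
		return "", false, false, err
	}
	_, swapErr := DecryptField(key, "cust-1002", ct) // moved to another customer's row
	raw, _ := base64.StdEncoding.DecodeString(ct)
	raw[len(raw)-1] ^= 0x01 // flip one bit of the authentication tag
	_, tamperErr := DecryptField(key, "cust-1001", base64.StdEncoding.EncodeToString(raw))
	return recovered, swapErr == nil, tamperErr == nil, nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	pt, swap, tamper, err := Demo(key)
	fmt.Println("recovered:", pt, "swap accepted:", swap, "tamper accepted:", tamper, "err:", err)
}
```

Storing the nonce alongside the ciphertext is standard; what must not sit beside the ciphertext is the key. If the key is in the same database or application config that an attacker can read, the encryption adds nothing to the breach figures cited above.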
In order to survive, everything must evolve — including crime and security. As time goes on and fraud fighters become experienced in new fields, criminals evolve their tactics to get to their victims’ pocketbooks or assets. The ACFE’s course Protecting Against Data Breaches and Cyberfraud will prepare your employees to ensure your organization’s data security, safeguard intellectual property and protect against cyberfraud. This 2-day, instructor-led course will guide you through strategies needed to mitigate the threat of malicious data theft and minimize the risk of data loss. You can read more about this course and more events and seminars in our latest Resource Guide.
ACFE Social Media Specialist
Wired.com senior editor and author shares insight into the life of a cyber criminal at the South by Southwest Interactive Festival
Being always on the alert for how fraud awareness, specifically compliance and ethics, shows up in my everyday life, it didn’t take me long to spot the one session I had to attend at the recent South by Southwest Interactive Festival in Austin, Tex.
Kevin Poulsen, Wired.com senior editor and author of the new book Kingpin: How One Hacker Took Over the Billion Dollar Crime Underground, spoke in an interactive session Friday about the evolution of white hat hacker and FBI consultant Max Butler into the black hat fugitive and cyber underworld leader known as “Iceman.”
While the book reads like a Hollywood movie script and Poulsen’s session felt like a glorified roast of an accomplished, yet dangerous, hacker, I couldn’t help but wonder about the pros and cons of hacking.
Hacking can be the university prank that inspired the world's largest social network, or the hobby that led to the creation of Apple; it can just as easily be a Russian gangster killing for cyber underworld notoriety, or a tech-savvy teen draining the savings account of a struggling single mom.
Where do you stand on hacking? What are some of the benefits and/or risks that you see in your field? Leave your comments below.