✓ U.S. Postal Service: 800 thousand records
✓ Variable Annuity Life Insurance Company: 774 thousand records
✓ Spec: 550 thousand records
✓ Aaron Brothers: 400 thousand records
Although 2014 was not an encouraging year in information security, it was encouraging for businesses whose mission is the protection of critical information.
So many security breaches are occurring that several websites are devoted to listing them, including
Improved defenses
This scourge of break-ins and breaches does not mean that governments and industries are going to turn tail and stop their expansion of information systems. Instead, organizations of every size and type are hiring security professionals to improve security measures that protect their systems. Security professionals are doing the following to protect critical data:
✓ Hardening systems and applications to make them more difficult to attack
✓ Adding layers of defense
✓ Performing security scans to find vulnerabilities
✓ Conducting internal audits of security controls
✓ Training personnel to recognize intrusion attempts
✓ Improving security in partner and supplier organizations
✓ Updating business processes to include security procedures
A Brief History of Cybercrime
As far back as recorded history goes, we know that whenever one party collects or creates anything of wealth, another party will do his or her best to steal or spoil the owner’s wealth. It makes sense, then, that as individuals and organizations use information systems to create, store, or spend wealth, others will do whatever they can to take the wealth for themselves. As individuals and organizations become increasingly reliant on information systems, more valuable information is created. So news of security breaches in which these information hoards are stolen or vandalized should not come as a surprise.
It helps to wind the clock back a few years to see how security breaches all came about. Although the first security incidents weren’t so much about stealing money, they provided the foundation for later incidents in which monetary theft was the object.
The history of cybercrime can be thought of as two different but related trends on a collision course:
✓ Improvements in malware potency
✓ Increased use of computers, networks, and the Internet to manage and control just about everything
These trends have gradually moved toward each other, each gaining momentum. If you're imagining two locomotives barreling toward each other, that’s not quite the right image. The collision of malware potency and increased computer dependence has been slower – like cold air from the north colliding with warm air from the south, wreaking unpredictable havoc in multiple locations.
Malware
Malware is a general term that encompasses many kinds of harmful programs or program fragments such as viruses, Trojan horses, worms, and bots (for a more detailed description of malware, see Chapter 3). Early forms of malware were simple, almost like experiments developed by computer hobbyists who thought, “I wonder what will happen if I build a piece of computer code that does this?”
These early versions of malware were crude and performed simple functions, such as displaying something on the computer screen or deleting files. The creators of malware made no attempt to hide themselves, because there was nothing to hide from.
Fast-forward to today, when malware has become so potent and stealthy that your life can become miserable if you depend on computers and networks.
Break-ins and breaches
Malware is not the only tool in an attacker’s toolbox. Just as a lock-picking set is only one way to break into a building, malware is only one way to break into computer systems; other techniques are frequently used in computer break-ins and breaches. Some of the techniques used include social engineering, phishing, and watering hole attacks. These attacks are occurring more often than before for a variety of reasons:
✓ More companies using information systems
✓ More companies building interconnections
✓ Higher value information being stored on information systems
✓ Growing shortage of personnel who know how to implement good security
✓ Cybercriminal organizations building better intrusion tools
✓ Profitable cooperation among cybercriminal organizations
We are living in a perfect storm, where more companies are storing high-value information that they don’t know how to protect from criminal organizations that are getting better at finding and stealing it. The situation is truly becoming dire, and we could use more help!
One of the biggest problems in computer security today is social engineering, which is any of several techniques of deception designed to take over computers or obtain sensitive information. When organizations do a good job of protecting their computers and networks, intruders turn to hacking people instead – too often with great success.
Fraud
Another form of cybercrime is online fraud. The definitions of fraud, according to Wiktionary, are
✓ Any act of deception carried out for the purpose of unfair, undeserved and/or unlawful gain.
✓ The assumption of a false identity to such deceptive end.
✓ A person who performs any such trick.
Fraud has been a problem since the beginning of history. And today, fraud has found a cozy home in the world of information systems and the Internet.
The most prevalent form of fraud is the phishing scheme, in which an adversary creates some ruse, identifies potential victims, and attempts to trick them into doing something they should not do. Here are some examples of email or other communications that the potential victim might receive:
✓ Bank: Your funds are low, or are being locked because of suspected fraud (this one’s really ironic).
✓ Taxes: You owe taxes to the government and will be in trouble unless you pay right now.
✓ Law enforcement: You have overdue fines or there's a warrant for your arrest.
✓ Sweepstakes: You're the winner of a sweepstakes and must provide financial information to claim your prize.
✓ Inheritance: You have inherited money, and the organization that holds your funds needs help so that they can transfer your newfound wealth to you.
✓ Friend in need: A friend of yours is in trouble with law enforcement and needs you to send money to get out of jail.