Increasingly sophisticated criminals are resorting to advanced techniques to attack and infiltrate networks, steal information and commit fraud, using computers, networks and mobile devices in the commission of the fraud. Cybercrime, or the criminal activity that flows from the use of such electronic equipment, has evolved into a complex, regimented industry of skilled participants who exploit every opportunity to defraud victims and/or commit other online crimes.
Cybercriminals have also continued to adapt in order to evade traditional security defences so that they can defraud not only consumers but also various organisations, businesses and corporate entities through credential theft, cyber-attacks, data breaches, abuse of cloud services and online social and financial fraud.
The term cybercrime has also been expanded to embody a wide range of activities, including bank, financial and credit card account takeovers, downloading illegal content, creating or distributing viruses or unlawfully accessing and releasing company confidential or personal information onto the internet and/or in the public domain.
Although strict governance of sensitive or personal data to avoid breaches is mandated through industry guidelines and government compliance regulations, cybercriminals continue to have great success with using malware, guesswork and deception to exploit networks for fraudulent purposes. Even a single breach or violation of government regulations or industry compliance standards could result in very serious outcomes, including steep fines and/or criminal or civil prosecution for the organisation.
Although most cybercriminals are out to steal data, some are after system resources or may even aspire to tarnish a company’s brand or a person’s reputation, or simply to execute a hoax or scam. The evolving range of internet-based strategies affecting companies’ and individuals’ security protocols is extensive. These include worms and viruses attached to emails, spoof emails to ‘phish’ for personal information, Trojan horses to launch spyware and key loggers to track keystrokes.
Organisations have witnessed a dramatic increase in attacks using stolen account details, with new techniques consistently being used to evade fraud detection systems. It is anticipated that such attacks will continue to increase in number and functionality given evolving technologies and infrastructure such as cloud services.
Attackers can steal credentials in a number of different ways. The following examples are encountered the most:
- Phishing – a form of social engineering in which a phishing email contains a link to a spoofed (fake) web or login page, where users are tricked into providing their credentials, which attackers can then steal.
- Malware – a cybercriminal may send a user an email containing an attachment with malware. Once opened, it can download and execute a key logger that records and sends user credentials back to the criminal.
Once credentials have been obtained, cybercriminals can steal other sensitive and confidential information, install viruses or other malicious code, disable or reconfigure security controls and cause irreparable damage to a company and its infrastructure. To this end, companies promote a technique – deflection – to scramble website code, thereby confounding attackers and obscuring vulnerabilities.
Cyber-attacks: Cloud Computing
The “cloud” is a virtual, boundless facility for the storage and use of data online and comprises countless, unique, third-party services, all with differing and often undefined and untested security practices. Cloud computing and services have benefitted both personal users and businesses in many ways, including – but not limited to – the convenience of having on-demand data availability, high computing power and performance, reduced costs, improved information manageability and the flexibility to scale up or down as computing needs change. But, notwithstanding its success, it does have a shadowy side and is often exploited by cybercriminals for fraud and other illegal activities.
As the popularity of using cloud resources to store data increases, the cloud is steadily gaining a reputation as the ‘fruit-bearing jackpot’. Cybercriminals have been quick off the mark to embrace the trend towards cloud computing and storage and are making concerted efforts to target these services to steal sensitive information or deliver malware. This is done through brute force (using numerous attempts to test multiple common credentials) or by tapping into vulnerability scans (i.e. automated attempts to find and exploit security weaknesses). The reality is that major cloud services are in fact at risk of ‘man-in-the-cloud’ (MITC) cyber-attacks that are becoming increasingly difficult to detect.
The convergence of cloud computing with the emergence of powerful mobile devices, and their incorporation into our daily work routine, means that securing sensitive data and maintaining regulatory compliance now pose serious risks for organisations and businesses and are increasingly difficult to achieve.
Stay Safe – Be Secure
Cyberspace now abounds with unprecedented opportunities to deceive victims online, with cybercriminals enjoying instantaneous and direct access to millions of prospective victims around the world. To minimise the risk of losing personal and business confidential information, ALWAYS exercise caution and use the following guidelines:
- Do not respond to, or click on, any links in an email message requesting that you verify your personal details or login credentials or update, activate or reactivate online profiles. Following these links could expose you and/or your organisation to malware, spyware or viruses.
- Never download files or content from sites that you don’t know or trust. Ensure that the operating system, applications, software, browser and anti-virus software on all your devices are always updated and that you have software or hardware firewalls.
- Protect the information on your storage devices by either encrypting files or by hiding or disguising files containing sensitive and confidential information.
- Refrain from using any device that you suspect may be infected and, as far as possible, do not use the same (one) password for all of your devices and applications.
Some questions for you as a Risk Manager:
- Does your organisation have a process in place to protect the business against cyber threats?
- Does your organisation create awareness pertaining to cyber threats?
- Has your organisation conducted a cyber threat analysis to ensure that the organisation is protected?