According to Cap Gemini’s 2016 World Payments Report, the Payment Card Industry is worth some $426 billion globally and, in the US alone, the value of payment card and identity theft is estimated to be $16 billion. Of the 4.2 billion records exposed through one type of cyber crime or another in 2016, 1 billion were credit card accounts. The value of Protected Health Information (PHI) and other Personally Identifiable Information (PII) acquired in a similar manner is of equal if not even greater significance.
Given the value and nature of the sensitive information that can be acquired through illegal cyber activities, it’s not surprising that people, organizations and even states (let’s call them ‘the bad guys’) take great interest in illicitly acquiring personal account information of one type or another, which they do by the millions of accounts.
So What’s the Value of your Credit Card Data?
The current value of your credit card data (were it to be acquired by the bad guys) is between $5 and $30, and stolen card accounts can be purchased in bulk. Personal health information is worth nearer $150 per account. To the 99.9% of people who operate within the law, the very idea of stealing such information, and selling it, seems to belong in a Hollywood film noir. But those of us in the security business know that access to such illicit material is only a download and a few clicks away (How Dark is The Dark Web?) – the guys looking to steal your data know this too!
What Exactly is Cyber Crime?
Cyber crime is the undertaking of some specific illegal activity using a computer either as a tool to execute the crime or as a target of the crime. The theft of valuable personal data is, for the most part, conducted using computers in either or both of these ways. The term ‘hacker’ is generally applied to an individual who undertakes cyber crime, although there are certainly some hacking applications that are legitimate.
Most cyber crime starts with the injection of malicious software (known as ‘malware’) into the target computer or IT network. However, in order to perpetrate a cyber crime, it’s necessary to find a way to access the target’s computer or IT network in order to upload the malware. Clearly, no individual is going to knowingly load malware of their own volition, so this is one area in which cyber criminals have become incredibly sophisticated in recent years. Ways of infecting target computers now include:
- Drive-by downloads: When you visit a website a script secretly runs and installs malware
- Phishing emails: Users inadvertently click on a link within an email which launches malware
- Email attachments: When the attachment is opened the malware is launched
- Popup Alerts: The user clicks on the alert and the malware is loaded
From Hacktivist to Nation States
Cyber criminals are the most prevalent form of attacker that we need to be worried about. Their motivation is pretty clear: to make (large amounts of) money and quickly. They can range from lone actors operating in isolation who are just out for themselves, to large cyber crime gangs, well financed and sophisticated with organizational structures similar to any legitimate business. These are the guys responsible for stealing billions of dollars from consumers and enterprises each year.
In reality there exists a parallel universe, outside of the one within which most of us exist, where an underground economy supports all aspects of cyber crime. This economy supports the buying and selling of information and intellectual property acquired through cyber crime, the tools, hardware and software required to execute the crimes, and even the procurement of off-the-shelf cyber crime kits based on an ‘as a service’ model.
Hacktivists are politically motivated cyber attackers focused on getting their message across by disrupting the specific systems or networks of the organizations or individuals they disagree with or wish to influence.
Perhaps the most well-known of these is Anonymous. Hacktivists tend to be less well organized than cyber criminals, and on many occasions their actions appear inconsistent with their core message and therefore somewhat random. Nevertheless, there are plenty of examples of hacktivist organizations such as Anonymous causing significant disruption to large enterprises and governments, so they are not to be taken lightly. And since their agendas can vary widely, they may pose a threat to organizations small and large if they happen to associate with a hacktivist target.
Nation States (or State-Sponsored Attackers) are the newest and most concerning attackers to appear. Given that they are backed and guided by national governments with specific agendas, they are extremely well funded and highly motivated. For this reason they are able to execute very sophisticated attacks that often exploit previously undetected vulnerabilities, which at the time of attack have no fix or patch. They often build the most advanced attack and evasion techniques into their activities, which makes it very difficult for you to uncover their malware.
Although nation state attackers focus on very specific targets, such as government entities and Fortune 500 enterprises, they add to the threat level for smaller organizations as well. Not only could a smaller organization be a stepping-stone for a more expansive targeted attack, but the nation state attackers’ advanced capabilities and malware have gradually become accessible to the broader community of cyber criminals, expanding the threat vector for all organizations.
About Welford Management & Consulting
Welford is a multifaceted technology consultancy providing advice, support and solutions for companies in a wide range of industries. We develop and execute strategies for our clients in three practice areas: Security & Compliance, Business Strategy & Support and Sales & Marketing Automation. Our expertise comes from a team of individuals who focus on one area of our practice disciplines so that we can bring the necessary skills and experience to the business challenge or opportunity that you’re currently facing.
In the Security & Compliance practice we help assess your current level of risk related to the sensitive customer information that you may hold within your organization. This may be payment card information, personal health information or data on European citizens that falls under the requirements of the General Data Protection Regulation (GDPR), which becomes law on May 25th, 2018. We develop and execute strategies to address your data security requirements and support the implementation of the technologies and processes that help reduce the likelihood of you suffering a damaging and expensive data breach.