Over twenty years ago, I started to study criminology, crime scene investigation, fingerprinting, and took classes on how to help people become more secure. I recently finished a degree program in criminal justice, and today's criminal justice program has an entirely new element that did not even exist at any university that I was aware of over 20 years ago. Cybercrime! As a business owner, you are far more vulnerable today to cybercrime than you ever were to someone physically breaking into your office and stealing your money or files.
If you are tired of all of your information being tracked on every device, or maybe you are a professional who needs extreme online privacy for security reasons, we are able to help. We can help scrub the internet of your information, secure your devices, and significantly reduce or eliminate the ability for you to be digitally tracked.
The single most vital risk I see right now trending for business owners is the IT security gap or the total disregard that a threat even exists. In the last eight years, I traveled all over the world, from almost every state here in the US to India, Germany, Canada, and multiple stops in South America. Over the years, I can attest to personally seeing numerous businesses falling to some form of cyber-attack every couple of weeks.
Feel free to reach out and set up a time to discuss the potential exposure you or your business may have to IT security risks. Many business owners and people mistakenly believe the advances in cloud technology make them more secure. It is a false notion that just because we move our data to an off-premise server, it is somehow safer. Many companies that had not set up their cloud IT solutions correctly had significant data losses this year. If you would like to set up a time to discuss IT services or how to mitigate today's security threats to your business, feel free to reach out at any time. How long could your business run without any of your data? Would customers come back after you had a vital data breach or loss of funds?
Let us help you protect your legacy and your business with advanced IT security solutions.
We can help you and your employees be better prepared to prevent and respond to malicious attacks on your company.
For this cybercrime research article, I took a look at an area of crime that is generally disregarded in the news. Here we will take a look at what factors are driving an explosive criminal industry and, in many cases, funding organized crime. In addition to looking at multiple motivations for cybercrime, we will also take a deep dive into what businesses and individuals can do to prevent cyber-attacks.
Two Research Questions
1. What factors have contributed to criminal phishing & hacking?
2. What strategies and initiatives may reduce potential phishing & hacking incidents?
CryptoLocker, ransomware, spam, computer viruses, patches, server crashes, and GDPR, oh my! That’s right, IT security and liability are front and center in the news around the globe. To understand the onslaught of phishing attempts and hacking facing business owners and consumers alike today, we need to understand the motivation behind this underground billion-dollar industry. Many times, a small internal IT department is not enough to help protect companies from today’s sophisticated attacks. Here we will identify the draw to the underground world of cyber-criminals who are behind hacking and phishing campaigns.
Is there anything that can be done to prevent cyber-criminals when it comes to phishing and hacking attacks? That is precisely what we will explore in this research paper. There are a significant number of simple steps we will go over to help users prevent attacks from ever happening. We will also discuss one of the weakest links in the cybersecurity chain.
It is not as apparent to most, but the history of hacking has deep roots in new tech. To be honest, when I put in search results for cybercrime history, the results are not plentiful. There was one library resource where I put in “hacking history” that returned no results in my research. Early hacking was not even perceived to be a crime, and in many close-knit tech groups, hackers are not known as criminals. It is a stigma that has grown over the last decade. Hacking as a concept of crime can be dated back to the early days of the phone, and even wireless telegraphy.
Even when we go back through history, we can find early hacking in our military. In 1939, in the best-known case of military code-breaking, Alan Turing, Gordon Welchman, and Harold Keen developed the Bombe, an electromechanical device capable of deciphering German Enigma machine-encrypted secret messages (Fell, 2017). Then, as recently as 1988 and 1995, Kevin Mitnick was placed in solitary confinement for fear that even access to a phone could lead to nuclear war, a fear directly tied to his hacking (Fell, 2017). From this same timeframe, we were introduced to our first worm.
As a graduate student at Cornell University in 1988, Robert Morris created what would be known as the first worm on the internet – to give himself an idea of the size of the web. The worm was released from a computer at MIT in 1988 in hopes of suggesting that the creator was a student there. It started as a potentially harmless exercise but quickly became a vicious denial of service attack as a bug in the worm’s spreading mechanism led to computers being infected and reinfected at a rate much faster than Morris anticipated. By the time he realized the issue and attempted to rectify it by telling programmers how to kill the worm, it was too late…Morris became the first person to be convicted by jury trial of violating the Computer Fraud and Abuse Act. (Fell, 2017)
What factors have contributed to criminal phishing & hacking?
When we look back to what is driving cybercrime today, one must follow the dollars of the digital age of Bonnie and Clyde style crime. The same motivation that drives people with the skill set to rob a bank drives them to phish and hack. It is primarily the financial reward that is so lucrative. The mean cost of cybercrime for a company in the US last year was $12.7 million per year; other countries’ enterprises mean costs ranged from Germany’s $8.13 million to Russia’s mere $3.33 million. The study observes a $1.1 million (or 9.3 percent) increase in cybercrime costs for the US from last year’s report. (Anonymous, 2015) Personally, in my industry, we discussed just this week how hackers in a case we are reviewing sat dormant in a company’s email, watching and studying how they transfer funds. Eventually, they changed enough rules and flows around in the company email and sent a request for an account that was in the ballpark of one million dollars. The company sent the money to the elaborate scheme, and in my opinion, many of these incidents are not correctly being reported because so many companies fear the public knowledge of such an event could do even worse harm to the company reputation.
It is not only the large companies that are regularly falling victim to phishing and hacking campaigns.
Small enterprises also have plenty to worry about. The study found that the cybercrime cost per capita in a more modest enterprise was significantly higher than in a larger organization ($1,513 vs. $517). If not resolved quickly, costs rack up as well. The average time to fix a cyber-attack was 45 days in 2014, with an average cost to participating organizations of more than $1.5 million during that period - a 33 percent increase from 2013, based on a 32-day resolution period. Malicious insider threats are even worse - taking 65 days on average to contain, the report notes. (Anonymous, 2015)
There are also virtually infinite ways to commit cyber-crime, and many have still not been discovered. Unlike those robbing a bank, cyber-criminals are limited only by their imagination. It could be something like the hack used on churches in England, which, for example, have reported having the lead from their roofs stripped off and sold by thieves using Google Earth to find the material. Reuters (www.reuters.com) ran a story in December stating that 8,000 churches had filed insurance claims for theft of lead, for a dollar value of $37 million. (Altom, 2011) The reality is that tracking and predicting cyber-crime today is extremely difficult, and depending on the ingenuity of the criminal, the tools range from very inexpensive to free. Technology crime is now an international multibillion-dollar organized industry. Hacking tools are built in one country, then sold to another, to be used to steal money from yet others. China has been the source of much of today’s hackery, but that doesn’t mean the Chinese are doing it. It’s relatively easy for hackers to gain control of Chinese machines and use them to attack those in other countries. (Altom, 2011)
In research performed on white-collar cyber-crime, ten main factors were identified as to why online crime is so attractive. Seven of these factors were obtained through analysis of secondary and primary data: disconnected nature of personal communication, anonymity, geographical and timing distance, network size effect, low-cost standard, no need for violence, and weak law regulation. The remaining three factors were empirically identified by experts in the field of cybersecurity and financial crime: more substantial rewards and returns on investment; automatization of the crime; and the dematerialization of the crime. (Maria Karvonen, 2018)
When we break it down, cybercrime has a lot of new motivations for criminals, but the motives for illegal financial gain can vary: it can be increased personal wealth and providing for relatives and friends, avoidance of personal bankruptcy/falling from a high-status position in society, or even compensating for the lack of popularity by buying friends. (Gottschalk, 2017) Even in current news, we can see hacking on much more significant scales, like elections. In July 2016 a series of Democratic National Committee emails were leaked to and subsequently published by WikiLeaks. The collection of 19,252 emails and 8,034 attachments from the governing body of the US Democratic Party, which included off-the-record correspondence with reporters, suggested that senior party officials may have favored Hillary Clinton over Bernie Sanders, her chief rival for the Democrat nomination. (Fell, 2017)
What strategies and initiatives may reduce potential phishing & hacking incidents?
How can we mitigate and protect ourselves from these types of criminal activity? Many small to mid-size businesses look to building an internal IT department or hiring an IT MSP. An MSP is a managed service provider, which is essentially a fully outsourced IT department for the SMB market. Even when we look at many small IT departments, it is a security risk to have all of the company IT in the hands of one IT professional. They have to make sure they don’t have an IT guy who will quit and go rogue on them. Alternatively, worse yet, the old IT guy can be the cause of compromised IT systems in some way. An internal IT department’s equipment costs, salaries, and employee benefit packages are generally too expensive for many small businesses. One alternative solution is an outsourced IT MSP, which is usually up to date with the latest and greatest. You never need to worry about hiring or turnover, and businesses will have better response time and services because an MSP has built an entire staff of professionals to support your network.
For small businesses, planning with an MSP is critical. The best ones have plans and strategies laid out and will help simplify your networks for the most efficient process. Having an MSP as a partner with your business means you have gained a partner who is continuously strategizing for business IT needs.
There are a significant number of approaches people can take regarding security for themselves and their business. Prevention vs. Reaction. A managed service provider is continuously updating and performing preventive maintenance on your network. Because they are always monitoring and planning, you generally have considerably less downtime. You also have fewer unplanned emergency disasters. A good example is that an MSP will work with you to make sure your data is always backed up and that plans are in place for natural disasters. MSPs are continually reviewing plans with customers to get them back up and running in the event of hurricanes, floods, fires, and hacking. Without an MSP, most times a business is left looking for a solution for weeks after an event to get up and running.
For individuals, there are general guidelines like setting up or getting a basic firewall for your home network. There are VPN services that can be used to help secure your connection when you are not home. Make sure to keep your computer updated and to keep excellent malware/virus protection running on your computer. Additionally, never transfer large sums of money unless you are sure you can confirm you know where it is going. There is nothing wrong with still sending money orders, bank checks, or picking up the phone to confirm a transaction. If something feels off about an online transaction, it most likely is wrong.
Most recently, there has been a significant uptick in phishing activity through email. Not only is the rise in the number of attempts concerning, but the quality of phishing emails is making them harder to detect. Today I would classify these new emails not only as phishing emails, but I would suggest labeling them as counterfeit emails. Past phishing emails were much easier for us to discern as “spam” or “phishing” type emails. These simplistic attacks strike deep into the heart of the weakest link in the cybersecurity chain: the end users.
These new counterfeit emails have become much more challenging to spot than the older ones. Experts would agree that it is helpful to understand why spam is becoming so advanced. The reality is that spam and phishing are growing into a very lucrative underground business, and there are millions of dollars going into the tech of spam/email phishing. There are a significant number of businesses that are held ransom for access to their network because they click on these links.
I have seen multiple companies become victims of numerous attacks, and most times, a company is not going to make it publicly known they were attacked and paid a ransom. Let me be the one to tell you the threats are real, impacting customers, and these attacks are becoming more advanced.
In a recent article by Lily Hay Newman, “people fall for these phishing attacks all the time. Case in point: The FBI suspects a phishing email is how the Russian hackers who were indicted this week got into Yahoo. Ditto for the breach of the Democratic National Committee and the Sony Pictures hack. There’s currently a Gmail phishing scam going around that even super savvy techies are falling for.” (Newman, 2017)
Even with the best monitoring and counter tech in the world, some of the best preventive measures are in your hands. Each business owner can implement practical solutions that are “elementary.” Also, if you have signed up for a new email recently and seem to be getting a lot more spam in a new account, there is a reason for that. Spam filtering is a little bit different for each user, and the longer you have your email account, the better the filters can learn what you consider spam and what is not. They tend to develop and become better over time, the more you use them. What can you do?
1. Verify, Verify, and Verify. When you get an email warning about a bank account that should not have any issues, stay away from any links in the email. Do not follow the link! The best option is to pick up the phone and call to verify any questions you may have directly on any account. You can open a browser and type in the known website to check your information instead of clicking links in suspicious emails. However, never follow a link in an email that doesn’t seem to add up.
2. Think Before you click. Many times a day, our mouse is smoking from all the clicking. Pages are loading, new emails are coming in, and nothing is opening fast enough. When it comes to that strange email, take your finger off the mouse for a second and think. Many of these bogus emails are banking on us being in zombie mode and clicking on anything they put in front of us. Take an extra second before clicking on emails in your inbox or links inside of emails.
3. Communication and education in the office. Often you may see a great article on phishing, or you may catch an incoming email that was an attack. Share these experiences with your coworkers and keep people current on the risk. One of the most significant risk factors is complacency, so we want people to keep thinking about the present dangers. (Newman, 2017)
About once a month we get a call from a business that has been down for weeks, and some for over a month, after their IT has failed. This month alone, I heard from one business owner whose server crashed, and another who was hit with a CryptoLocker. Both had been down three to four weeks trying to scramble to get up and running. Another way to protect your data is to fully understand how to back up your data and how to implement a disaster recovery plan for a mitigation strategy. Many businesses tell me when we meet, “we have a backup already.” As if the backup was supposed to be the answer to all the issues. Not so much. Sometimes when I discuss our offering, I roll into one phrase, “Backup and Disaster Recovery.” When I do, it is as if when I am speaking to a prospect, they never hear the words Disaster Recovery. Even if they do hear disaster recovery, they generally do not understand that Backup and Disaster Recovery are very different from each other.
Let’s start with backups. I won’t dive too far down this rabbit hole, but there are dozens of variants of how you can back up your data. One of the significant concerns is how fast you can restore from the way you back up your data. Two examples are bare metal and image-based. Bare metal is much more difficult to reconstruct from, whereas image-based backups consist of entire hard drive images that will have the entire contents of the now compromised hard drive. This is the best way to back up data for a business. That great deal you are getting on your IT services most likely means you’re getting the very cheap version of a backup.
Ok, so you have a backup much like the spare tire in the trunk of your car. Let’s stop right there and use this as our reference point. That is the equivalent of a backup. It is the spare tire in the back of your car. Only let’s discuss what it is not. It is not everything that your business will need to get you back on the open road. There is no air in the tire, no jack in the trunk, no rim for the tire to go on, and there is no one in your car who has any clue how to change a tire. A backup of your data is just the equivalent of a tire in your trunk with nothing to go with it. It is starting to sound kind of silly now. So here you are out on Highway 50 in the Nevada desert 200 miles from nowhere with a flat tire on the car. Ahh, but you have a spare tire in the back with nothing to go with it to make the change. It is the same thing as saying you have a backup for your data when you get hit with ransomware, CryptoLocker, a virus, server crashes, or any of the many reasons business data becomes compromised. You have a backup of the data, but you have no place to put it, no plan on how it is going to be recovered, and you’re not sure if anyone even knows how to retrieve it.
This is the brick wall businesses hit day in and day out when they find out the hard way that a backup and disaster recovery are not the same thing. Therefore, they end up taking weeks or a month to be appropriately recovered, if recovered at all. Disaster Recovery is providing you much more than the tire in the trunk. Think of it this way. You get out of your car on the loneliest road in the country, and there is a coach bus for everyone in your vehicle to get on. You all get on the bus, and a tow truck pulls up to your car, and off you all go. That is the equivalent of having disaster recovery. It is all the planning that goes into getting your business back up and running when there is a disaster. Yes, the coach bus might take an hour or two to show up, but there is a plan in place. It is an entirely separate system that has been sized for your business to operate in with your line of business applications while the tow truck comes in and picks up the broken-down car. Disaster recovery is the coach bus you hop on and enjoy the ride while in the background repairs are made to what went wrong. Disaster recovery provides you with a secondary environment with multiple redundancies. The proactive plan is already in place if there is a problem, the proper allocations have been made, the active workforce is there, and the data has been saved most efficiently to recover as quickly as possible.
If you cannot risk being down for days or weeks and do not have a disaster recovery option in place, you are at severe risk. The most proactive way to mitigate your downtime is to understand the limitations of only a backup and why it will take significantly longer to recover from just a backup. Be proactive and reduce your business risk with a disaster recovery plan.
Know the difference.
These are some of the commonly identified website forgery phishing attacks as of today; phishers, however, always implement new methods and approaches. Other widely practiced countermeasures exist, and it is advised to practice them on every website before sharing any information. Some of these countermeasures are:
• Awareness and education about the usage of internet services
• Paying attention to a web browser, toolbars, and address bars
• Ensuring that financial and information sharing websites are secured with the use of the https protocol and SSL certificates. An SSL certificate provides that all information used on that specific website is encrypted, and it also uses the https protocol, which is the secured version of HTTP. To ensure that a website is secured, always check for the padlock sign close to the URL and https in the URL. Clicking on the padlock sign reveals the SSL certificate. Phishers can’t get an SSL certificate for malicious websites because it involves providing one’s identity, and that is something they can’t afford to do. Remember they live in the shadows.
• Authentication and Authorization - That is the usage of two-factor authentication in all information related websites. Usually, it involves the use of authentication (providing a password or PIN) and then authorization (providing a token number or an authorization number traditionally sent from the merchant via email or text).
• Virus, Spyware, and Spam Prevention - The use of antiviruses and ensuring they are always updated.
• Avoid using bootlegs, keygens, and peer-to-peer sites
• Avoid visiting a link provided in an email; instead, type in the website.
• Banks and financial institutions will never request personal information over the mail.
• Avoid sharing information over public emails
• Avoid pop-ups and being wary of ads
• Always check the authenticity of a website using the WHOIS information. (Waziri, 2015)
There is something to be said for complex equations like the general theory of relativity or Euler’s equation. Einstein’s theory of relativity helps us understand gravity and its impact on the warping of the fabric we know as space and time. However, is this the level of complexity you need to build your home or business IT needs around?
Many times, when speaking to an IT professional about our IT needs, we feel like they are trying to create the next Gaussian integral. Not to mention most server rooms look like Charlotte’s Web; server rooms are generally extraordinarily complex and pieced together with equipment from all over. The truth is that the more simplified your IT is, the better off your business will be. In the IT world, the critical phrase here is a standardized business-class network.
To put this in the context of a quick story, I met with a C-level employee at a company this week about their need to hire a company to help them manage the network. The one person who built the network had become too busy with another part of the business and needed to hand off the management of his network. I explained that as a managed service provider we installed and provided a standardized business-class network that all our techs understand like the back of their hand. We engineered our stack so that it was proven to work well together, provided granular insight into the network, was cloud-managed, and included one of the most robust backup and disaster recovery systems on the market.
He responded that he had built his unique network over the years between three locations. He and he alone knew precisely how this network ran. He exclaimed that he had configured and set up the firewalls and the network and did not want to change a thing. Nothing was standardized, and everything was custom set up based only on his know-how. What he did not stop to think about was that his custom network was now complicated for anyone other than himself to manage. Whomever he now gets to help him support his custom network will need to be trained explicitly on that network. If the person he teaches ever moves on, the next person will again need to be retrained on that network. From the company’s standpoint, if they ever lose the one person who created the complex system, it is going to be very challenging for the next person to come in and try to understand his custom network. Is this the best network for the business, or is it what is best suited to what this one IT person knows?
In the end, I always recommend that businesses find a dependable IT managed services company. A good MSP will have set up security and network best practices that are standard industry-wide. They will put in business class equipment that is known for uptime and able to handle business workloads for a minimum of five to seven years plus. Their model will be built around simplifying and standardizing your network to maximize not only uptime for your business but to also untangle the complexity of the entire network.
Lots of companies out there today have an IT guy who has custom-built their own “special” network that they understand, and maybe they even saved a few bucks here and there along the way. On the other hand, the company is at the mercy of that one person’s knowledge of how the custom network is set up, and they are betting all the company data on it. Don’t bet your company data on a custom elixir that revolves around one person’s custom playground. A business, in my opinion, is far better off with an MSP that utilizes business class equipment, follows industry-wide standards, and has developed a standardized network stack for your business.
What factors have contributed to criminal phishing & hacking?
In conclusion, we have been able to identify that there are a significant number of drivers behind cybercrime and technology that can be traced back to the 1800s. There are many similar motivators behind cyber-crime that are very relatable to other white-collar crimes, like gaining status in society. There can also be military incentives and political gain to be had, and from one example we found that even the rooftops of churches can fall victim to the unlimited possibilities hacking can contribute to.
What strategies and initiatives may reduce potential phishing & hacking incidents?
In addition to identifying some of the motivations behind the hacking and phishing campaigns, we also looked in depth not only at multiple ways the average user can protect themselves, but also at the bigger targets in the business sectors. There are numerous best practices we can all follow to be safer online. Awareness is one of the most vital components, along with the thirst for always learning more.
Altom. (2011). RETURN ON TECHNOLOGY; News flash: High-tech crime sometimes does pay. Multibillion-dollar industry involves hacking tools built in one country, sold to another, to steal money. The Indianapolis Business Journal.
Anonymous. (2015, Feb). How Much is Cyber Crime Costing U.S Businesses? Security, 52(2), 12. Retrieved from https://search-proquest-com.ezproxy.uwplatt.edu/docview/1658385428?rfr_id=info%3Axri%2Fsid%3Aprimo
Fell, J. (2017, April). Hacking Through History. Engineering & Technology, 12, 30-32. Retrieved 08 1, 2019.
Gottschalk. (2017). White-Collar Crime Triangle: Finance, Organization and Behavior. Journal of Forensic Sciences & Criminal Investigations, 4, 1-7.
Maria Karvonen, A. F. (2018). White-collar crime in cyber time: the role of opportunity in committing financial crime online. BI Norwegian Business School Oslo, v,.
Newman, L. H. (2017, 03 19). Phishing Scams Even Fool Tech Nerds-Here's How to Avoid Them. Wired, NA. Retrieved 06 01, 2019, from https://www.wired.com/2017/03/phishing-scams-fool-even-tech-nerds-heres-avoid/
Waziri, I. (2015). Website Forgery: Understanding Phishing Attacks and Nontechnical Countermeasures. IEEE Xplore.