One of the countless cyber threats today to corporations is organized crime. The reality is organized crime no longer marches into a business and demands so called “protection money” or executes a “smash and grab”; rather these groups are sophisticated and leverage technology heavily for criminal activities. Also it is important to note that when you consider this type of threat, you must also understand that it could possibly include the insider threat. I am always amazed when I speak with others about security that do not fully comprehend threats from “trusted” sources which included employees that more often than not the typical response is “what are you worried about because we have a firewall” and that type of false sense of security will one day lead to a breach in security.
The Mafia is one such organized crime group that uses cyber-attacks to fund their criminal activities according to an U.S. Attorney from the state of Florida. This U.S. Attorney filed criminal charges against a Mafia family charging them with stealing data from Lexis-Nexis. In the case with Lexis-Nexis the crime targeted the organization’s databases in order to steal customer information in order to conduct identity theft. While the act of this cyber crime is all too familiar, the sad truth of the situation was that the Federal Trade Commission (FCC) charged Lexis-Nexis with not having sufficient security measures in place. There is a lesson here and I hope that it is evident to you, if not please watch the following video titled Combat Insider Threats – Proven Strategies from CERT.
To understand the impact of organized crime, a number of acts are born out of organized crime groups whereas in the recent past a single or even a small group produced malware or viruses and this trend of organized crime will likely only continue to increase.
The Internet is the perfect storm for organized crime and the opportunities abound. Consider for a moment gambling, drug trade, stolen goods, financial fraud, and extortion and it starts to become clear that the underbelly of the Internet clearly is a substantial threat. I feel it is important to understand that organized crime is not the traditional groups that may come to mind, but today include groups such as LulzSec and D33Ds Company as well as many others. I would even include state sponsored attacks in this group. Here are a handful of well known successful attacks that have taken place over the years.
- July 2012, more than 450,000 usernames and passwords were stolen from Yahoo
- In 2011 the group LulzSec targeted Amazon, eBay, Fox news, and most notably was the Sony Playstation network where they not only stole username and passwords, but Sony’s network was down for three weeks
- In 2006 a Chinese hacker stole documents from Ford Motor Company
These examples are not all inclusive, but it does paint the picture that corporations are under attacks and will likely continue to be in the cross hairs of organized crime for some time to come. In terms of revenue, Symantec Corp estimates on average a breach costs organizations $5.5 million and Verizon security found organizations with less than 100 employees suffered and average cost of $188,242 per incident. If you have not reviewed the Verizon Security 2012 Data Breach Investigations Report, then I strongly urge you to do so.
When it comes to effective measures to combat this threat, I would like to think that there are protocols in place, but I fear that security all too often takes a back seat until it is to late.