Cyber Attack, Internet Crime, Hackers,….Impact on Business Performance: Menace, Threat, Warfare…

 “Presence of mind… is nothing but an increased capacity of dealing with the unexpected.” ~ Baron Carl von Clausewitz

According to the FBI and the ‘Computer Security Institute Annual Survey’ of 520 companies and institutions, more than 60% reported unauthorized use of computer systems over the past 12 months and 57% of all break-ins involved the Internet.  

An ‘E-Crime Watch Survey’ shows the impact of cyber crimes on business: 56% on operational losses, 25% on financial loss and 12% on other types of losses. Interestingly, 32% of respondents do not track losses due to e-crime or intrusions; among those who do track, half say they do not know the total amount of loss. 41% of respondents indicate they do not have a formal plan for reporting and responding to e-crimes…

The Department of Justice categorizes computer crime in three ways: Using computer as a target; attacking the computers of others (e.g., spreading viruses); Using computer as a tool; using a computer to commit ‘traditional crime’ (e.g., credit card fraud); Using computer as an accessory (e.g., store illegal or stolen information).  The ‘Tenth United Nations Congress on the Prevention of Crime and the Treatment of Offenders’ categorized five offenses as cyber-crime:

  • Unauthorized access,
  • Damage to computer data or programs,
  • Sabotage to hinder the functioning of a computer system or network,
  • Unauthorized interception of data to, from and within a system or network,
  • Computer espionage.

In the article “Sony Says it’s a Victim of a Sophisticated Cyber-Attack” by Joelle Tessler writes: The recent data breach of ‘Sony’s PlayStation Network’ was a “very carefully planned, very professional, highly sophisticated criminal cyber attack designed to steal personal and credit card information for illegal purposes,” a Sony executive said. The attack may have compromised credit card data, email addresses and other personal information from 77 million user accounts, and data from an additional 24.6 million online gaming accounts may have been stolen.

The company said it did not know who is responsible for the attack and is working with outside security and forensics consultants and the Federal Bureau of Investigation (FBI) on an inquiry. The hack came on the heels of ‘denial of service’ (DoS) attacks launched against several Sony operations and threats made against Sony and its executives in retaliation for complaint filed by the company against a hacker in U.S. District Court in San Francisco…

In the article “Protecting Your Business Finances from Cyber Attack” by Professor Thomas H.B. Symons writes:  A recent report indicates that ‘small-medium-size-business’ (SMB) are increasingly targeted by cyber criminals due to the perception that SMB employ less robust IT security measures than large corporations. One common method installs a small piece of malware (malicious software) on an unwitting machine that silently logs usernames and passwords. Once obtained, the hacker cleans out the victim’s bank account…

To ensure protection, SMB owners need to implement strict security practices. For example, install security software that is regularly and automatically updated to defend against new viruses and other malware. Dedicate one machine to the task of ‘online banking’ and set the security software’s settings to maximum. Don’t use it for surfing the Web or reading email. Disconnect it from the Internet completely when it’s not in use and configure it to perform frequent, automatic system scans.

“Much is needed to increase the security of the Internet and its connected computers and to make the environment more reliable for everyone. Security is a mesh of actions and features and mechanisms. No one thing makes you secure” ~Vint Cerf

Criminal attacks and cyber espionage are on the rise, and in the case of domain and address theft, they are increasing exponentially. Cyber criminal gangs are increasingly motivated by the potential gains from extortion, theft of credit cards, and abuse of private information. Sophisticated, persistent groups—particularly organized criminal gangs and state or corporate espionage agencies— are targeting specific enterprises to steal intellectual property and conduct fraud or other money-making activities.

Moreover, according to a ‘Symantec Internet Security Threat Report’, attackers are now creating global networks that support coordinated criminal activity. All this sophisticated criminal activity has driven up the costs of defense and recovery. The business costs of cyber-crime and cyber-terrorism are already staggering.

Globally, malware and viruses cost business between US$169 billion and US$204 billion, and the trend is rising sharply. Even the cost of spam is significant: Costs associated with spam in the United States, United Kingdom, and Canada was US$17 billion, US$2.5 billion, and US$1.6 billion, respectively.

In addition, cyber criminals and corporate espionage agencies intent on harvesting corporate data, interrupting corporate business, or compromising corporate computers and networks to launch attacks on other networks are immensely creative, and readily adapt to defensive measures. Cyber criminals and espionage agencies are constantly watching for small oversights in a corporate network infrastructure that will give them the opportunity they need. Some of the most common mistakes include:

  • Failure to maintain the corporation’s online identifiers.
  • Neglect of security-related software patches and updates.
  • Poor handling of sensitive data, including the failure to deploy encryption when necessary.
  • Sacrificing security for convenience.

In the article “High Cost of Cyber Attacks” by Courtney Rubin  writes:  More than half of the companies running critical infrastructure such as; electric grids, gas and oil supplies have sustained cyber attacks of stealth infiltrations by organized gangs or state-sponsored hackers. The rates of ‘stealth infiltration’ were highest in oil and natural gas operation, with 71 percent claiming to have been targets. The  cost of the downtime caused by cyber attacks is high, average cost is $6.3 million a day, for corporations.

A study presented at ‘World Economic Forum’, Davos, Switzerland, surveyed some 600 IT and security executives from the energy, transport, water and sewage, government, telecoms and financial sectors in 14 countries. The findings were chilling, particularly as they come on the heels of both ‘Operation Aurora’ (the high-profile episode whose targets included Google and Adobe Systems) and new revelations of orchestrated cyber attacks against Exxon Mobil, ConocoPhillips, and Marathon Oil.

Even worse news: The risk of cyber attack – including everything from garden variety-viruses and malware on up to the more vicious – is rising. In the study ‘Crossfire: Critical Infrastructure in the Age of Cyberwar’ – blamed the current economic climate for shrinking security resources available, and 25 percent said resources had suffered cuts of 15 percent or more. The cuts were most severe in the energy, oil and gas sectors…

In the article “Cyber Attacks on Business – A National Security Threat?” by Kevin Coleman writes:  In a recent testimony before Congress, a cyber security expert warned that the private sector in the United States has proven unable to defend the nation’s critical cyber infrastructure from attack; business own 85 percent of critical infrastructure and they have not invested in the skills or technology to secure it from cyber attack leaving the electrical grid, financial services, other key elements vulnerable; foreign intelligence agencies, organized gangs, corporate spies have successfully infiltrated banks, multinational corporations, and even government websites and stolen sensitive data; cyber security experts urged for greater government regulation to secure  U.S. networks…

James Lewis from the ‘Center for Strategic & International Studies’ said that the private sector has been largely responsible for protecting critical portions of U.S. networks for the past ten years and “it’s not working.” To bolster U.S. networks, Lewis urged lawmakers to impose regulations on the private sector…

Mischel Kwon, the former director of the ‘U.S. Computer Emergency Readiness Team (CERT)’, was also present at the subcommittee’s hearing and explained that ‘cloud computing’ is putting cyber defense in the hands of real experts. Kwon said, “Soon most companies, even government departments and agencies, will no longer have data centers, or continue to manage their own e-mail servers, applications or desktops, as they move to cloud computing systems”. By building security measures into cloud computing, cyber security efforts could be centralized thereby reducing costs, minimizing the ‘cyber talent pool shortage’, and increase defense capabilities.

In the article “Cyber Attack Protection Not Worth the Cost for Most” by Georgina Prodhan and Marius Bosch write:  Most companies have no protection at all against ‘distributed denial-of-service’ (DDoS) attacks, which put computer servers out of action by overwhelming them with requests. Most companies will never become targets, so they are willing to take the risk and save the costs. But for those who are attacked, the consequences can be huge — the loss of a single day’s pre-Christmas sales could easily cost hundreds of millions of dollars for an online retail giant like Amazon, which has been targeted…

DDoS attacks are clearly against the law in most countries, although for many protesters that may be an academic question. Peter Church, London law firm, says “It’s not a pure law issue. It’s a question of actually; how do you track these people down? How do you secure a conviction to criminal standards of proof?

In the article “Managed IT Service Spotlight , Cyber Attack Prevention” by Karl Muhlbach writes:  Another day, another cyber attack. Actually, the statement should be, “Another day, another 60 million cyber attacks.” A recent government report shows that the United States government faces 1.8 billion cyber attacks per month. While this report only pertains to government resources, businesses also face cyber attacks at alarming rates. The estimated number of attacks against businesses is harder to aggregate as there is no central source to report the information to, but the numbers would be equally as high if not greater.

Unfortunately, many businesses are still not protected. The ‘2009 National Small Business Cyber-security Study’ revealed alarming statistics for small business. The report found that only 28 percent of businesses surveyed had any type of formal Internet security policy, and only 35 percent provided Internet safety training to employees. One of the most interesting details of the report was that 65 percent of the business surveyed stated that the Internet was vital to the success of their business; however, the numbers show that the businesses are not taking adequate measures to protect against an attack.

In the article “Cyber-attacks: Misunderstood Menace?” by Kyle Cunliffe writes: ‘Cyber-attacks’ are often presented as an impending virtual Armageddon, creating concerns for governments and corporations a like. Britain’s ‘Daily Mail’ anointed cyber-terrorism as top threat to British security, while the ‘U.S. Homeland Security and Government Affairs’ committee speculated terrifying consequences of a cyber-attack against critical U.S. infrastructure. Even the European Union (EU) officials consider cyber attacks the most prominent threat to European energy! Sir Richard Mottram, former chairman of the ‘British Joint Intelligence Committee’, told the ‘House of Lords’ that cyber attacks from one state against another should be considered an “act of war”…

Provocative headlines and large statistics can make the internet seem like an unrelenting terror, but this isn’t necessarily the case. Bruce Schneier, chief security of British Telecom argues that the term ‘cyber warfare’ has been greatly exaggerated. Mr. Schneier complained that headline stories and inappropriate phrases wrongly portray most cyber attacks as ‘cyber warfare’; in actuality very few cyber-attacks have anything to do with warfare.

Even obvious cases have caused little lasting damage…In the end, while cyber-attacks may cost governments and businesses ‘billions of pounds’ and act as a genuine menace, they do not fall under the same categories as terrorism and warfare.

Cyber-terrorism (definition): “The premeditated use of disruptive activities, or the threat thereof, against computers and/or networks, with the intention to cause harm or further social, ideological, religious, political or similar objectives. Or, to intimidate any person in furtherance of such objectives.” ~Barry C. Collin

One of the fastest growing segments of the world economy is cyber-crime. Cyber criminals typically exploit one of the thousands of vulnerabilities of the underlying operating system or the web server or the firewall that the enterprise uses as it’s security foundation. And, many IT professionals never even bother to research the existence of these vulnerabilities, although they are readily available by checking the ‘national vulnerability database’.

The first thing any organization should do when formulating a proactive approach to internet security and risk management: Do homework, obtain independent affirmation for the level of security appropriate for your company, educate your company about cyber-attacks and internet crime, and invest in technology that protects sensitive data from the inside out…