Your information isn’t as safe as you think it is.
In part one of this series, Kelly Cory outlines the risks that cybercrime poses to small investigative businesses.
What is information security?
“Information security, also termed cyber security, is the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction in order to provide confidentiality, integrity and availability.” –National Institute of Standards and Technology
In business, the term “information” would include company policies, procedures, emails, invoices, payroll, employee data, client data, passwords and company website. For investigative agencies, subject identifiers and investigation data would also be considered sensitive or confidential information that would need to be safeguarded.
Information systems include computers, networks, accounting programs, case management software, online data storage, etc.
Note: Security of information not only is relevant for computers but extends also to smartphones and any other electronic devices which are used to connect to the Internet.
Why is information security important?
Internet crimes are on the rise—identity theft, credit card fraud, scams, computer crimes, spam, malicious links/viruses/codes/programs, sexual predators, and non-delivery payment/merchandise, to name a few.
The FBI reported 303,809 complaints of internet crime in 2010. The 2011 Norton Cybercrime Report estimated that the annual total cost of cybercrime that year was approximately $388 billion. That number included $114 billion in direct theft and time spent resolving attacks and another $274 billion for productive time lost by victims of cybercrimes.
Myth: Having an antivirus program on your computer is enough to be considered secure. Fact: Having an antivirus program won't protect you from other sources of malicious attacks.
People often have the misconception that if they’re not doing anything “important” online, they won’t be a target. It doesn’t matter who you are or whether you’re high profile. Hackers have software programs designed to scan about 10,000 computers an hour to identify those with a weakness to penetrate and launch attacks against them.
Having the best antivirus protection in the world still won’t protect you if you don’t use strong passwords. Brute force attacks have become much easier with the advent of sophisticated algorithms specifically targeted at cracking passwords. According to Woopra, one of the world’s leading web analytics companies, the average time to hack a password with only 5 characters all in lower case using just an average computer is about 12 seconds.
The average time it takes to hack a password with 8 characters all in lower case is about 2 ½ days. But if you make your password stronger (longer, include capital and lower case letters and special characters), you can significantly reduce your risk of having your account hacked by a brute force attack.
For instance, if you use a password which is 8 characters long and using all character types, it would take over two centuries to hack. If you raise that to 9 with characters of all types, it would be 20 millenniums before that password was likely hacked. This is all considering the use of only an “average” computer used to conduct those brute force attempts.
Just imagine if stronger computers were used to implement those attacks. Many cyber criminals have lots of money and can afford powerful equipment to handle the efforts they need to hack numerous accounts quickly.
Less serious cyber criminals or individuals with malicious intent can still hack your accounts by brute force without sophisticated computers simply by learning something about you. People tend to use passwords that they remember. A great deal of personal information, preferences, favorite books, songs, activities and names can be found on a person’s social networking page these days.
How many of you use your dog’s name as your computer password or your date of birth as your cell phone’s voicemail password?
Who is attacking?
- Experimenters and vandals—also called “script kitties”—in it for the notoriety the challenge (bragging rights)
- "Hactivists" who believe they are vigilantes fighting for a cause
- Cyber criminals-for-profit (have lots of money and commission custom software and trojans to use against small businesses with little protection and a lot to lose)
- Information warriors/spies; going after Departments of Defense and other governmental organizations
Reasons for launching attacks vary: Hackers may be motivated by money, access to resources, competitive advantages, grievance or vengeance, curiosity, mischief, attention or notoriety. Professional cyber criminals (script kitties) hack for the sheer thrill, or to just to prove they can.
Additionally, in difficult economical times, people may turn to Internet crime out of desperation. Like any industry hit by cutbacks, there are a lot of highly skilled information technology specialists out of work who have time on their hands and families to feed.
What are common targets?
The bad guys want access to your and your clients’ information, access to your money and personal identifiers, to connect you to a botnet, to use your information for political reasons, to use your resources for hidden file storage, and to identify anything they can use from you to make money. Your personal information is valuable, and there are some people out there who want it to sell for a hefty profit.
According to the OSF DataLoss in 2010, the average number of identities exposed per data breach was as follows:
- 262,767 from hacking
- 68,418 from insiders
- 67,528 from theft or loss
- 30,572 from insecure policies
- 6,353 from fraud
Hacking comes out on top because hackers use sophisticated scanning software to find unprotected computers.
Specific targets are end point operations, your word processor, office software, PDF readers, social networking, emails and mobile applications.
It is important to note that small businesses are prime targets for malicious attacks. There are an estimated 26.8 million small businesses in the US, and most small businesses (89.9%) have fewer than 20 employees. Small businesses usually don’t feel at risk and are largely unaware of the need for protection. Therefore, they tend not to focus on security and remain unprotected.
Like any business, small companies maintain confidential information, employee and client data, trade secrets, and financial information, and those are all prime targets for attacks. Investigative companies have even more at stake than some other businesses, as they typically deal with sensitive and confidential information regularly. So combine a lack of thorough security measures with high stakes information at risk, and you have a prime target for an attack.
Myth: I'm protected because I use a MAC, not a PC or gmail rather than hotmail. Truth: Hackers go after what's popular (where there are more people/targets). As MAC and gmail popularity increase, we will likely see more attacks on them.
Remember, everyone is at risk! There was a 400% increase in computer infections leading to more data breaches in 2010 than in the previous four years combined.
In part 2, we’ll look at the different types of cyberattacks and their potential consequences.
About the author:
Kelly Cory is president of Keystone Investigative Services, Inc.
The author is independent of any specific company, program, or software that would benefit from the promotion of this information. This article is meant solely as an informational piece to help educate others on how to protect themselves and their companies. Any recommendations and tips should not be construed as legal or professional advice. Should you have any specific questions or concerns regarding your information security, contact a trained IT professional.
This article is a compilation of information gathered across various sources, from industry professionals and workshops and includes information from NIST and Team Logic IT as well Keystone Investigative Services, Inc.