Hackerpocalypse: A Cybercrime Revelation
August 17, 2016
Written by: Steve Morgan, Editor-In-Chief of Cybersecurity Ventures
TABLE OF CONTENTS
- Cybercrime Costs
- Digital Growth
- Cybersecurity Spending
- Why is this Happening?
- Who is a Hacker?
- Cyber Offense vs. Cyber Defense
- Money, and the Law
- Social Engineering, Phishing, M2M Attacks
- Cyber Labor Shortage Outsourcing
- Small Business
- Cybercrime Statistics
- Fighting Back
- Book Knowledge
HIGHLIGHTSTop Cybersecurity Ventures predicts cybercrime will cost the world in excess of $6 trillion annually by 2021.
- Cybersecurity Ventures predicts global annual cybercrime costs will grow from $3 trillion in 2015 to $6 trillion by 2021, which includes damage and destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hacked data and systems, and reputational harm.
- Global spending on cybersecurity products and services for defending against cybercrime is projected to exceed $1 trillion over the next five years, from 2017 to 2021, according to the Cybersecurity Market Report, which is published quarterly by Cybersecurity Ventures.
- The U.S. has declared a national emergency to deal with the cyber threat, while others claim the world is engaged in a global cyberwar.
- Cyber threats have evolved from targeting and harming computers, networks, and smartphones — to people, cars, railways, planes, power grids and anything with a heartbeat or an electronic pulse.
- The world’s cyber attack surface will grow an order of magnitude larger between now and 2021.
- Black-Hat hackers are motivated by money, espionage, notoriety, and malicious intent… and they are faster, more daring, and more experienced than White-Hats who are constrained by boundaries and rules.
- There is no effective law enforcement for financial cybercrime today.
- There is a severe cybersecurity workforce shortage, with one million cybersecurity jobs open in 2016 — which is expected to reach 1.5 million by 2019.
- Enterprise IT infrastructures and databases — the treasure troves for cyber pirates — are facing more hostile and complex cyber-attacks. Corporations are increasingly turning to third party data breach and incident response firms, and Managed Security Service Providers (MSSPs), for help with cyber-defense.
- Nearly half of all cyber-attacks are committed against small businesses.
- Businesses and governments are fighting back with security awareness training for employees — which is expected to become a fundamental cyber-defense strategy by 2021.
INTRODUCTIONTop World War III is underway, and it’s cyber… timeline ad infinitum. In July 2016 NATO — the North Atlantic Treaty Organization — stated, “In recent events, cyber attacks have been part of hybrid warfare”. Hybrid warfare combines conventional warfare with cyberwarfare, where the aggressor intends to avoid attribution or retribution. NATO’s ‘cyber defense’ post recognizes cyberspace as a domain of operations in which NATO must defend itself as effectively as it does in the air, on land and at sea. NATO is hardly the first to suggest the world is embroiled in cyberwar. In his ground-breaking book ‘The Hacked World Order’ — author Adam Segal explained cyberspace is a global battlefield, writing, “It was in 2012 that nation-states around the world visibly reasserted their control over the flow of data and information in search of power, wealth, and influence… The conflict in cyberspace will only become more belligerent, the stakes more consequential… We will all be caught in the fallout as the great powers, and many of the lesser ones, attack, surveil, influence, steal from, and trade with each other.” The White House issued an Executive Order in April 2015, in which President Barak Obama stated, “The increasing prevalence and severity of malicious cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside the United States constitute an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States. I hereby declare a national emergency to deal with this threat.” “Cyberwarfare has crossed from the digital world into our physical realm, and there is a very real potential cybercrime will lead to the loss of human life,” says Robert Herjavec, Founder & CEO of Herjavec Group, a leading global information security advisory firm and Managed Security Services Provider (MSSP) with offices across Canada, the United States, United Kingdom and Australia. “A breach of our power grids, of our dams, or of air traffic control mechanisms, could have catastrophic effects that are felt far beyond the financial and reputational impacts of a corporate attack,” adds Herjavec. “We are at a critical point in cyber warfare,” says Tyler Cohen-Wood, Cybersecurity Expert and Media Spokesperson at Inspired eLearning, a security awareness training company specializing in educating employees on cyber threats. “In the past two years, we have seen a massive upswing in hackers breaking into some of the most highly secure corporations and stealing financial data, intellectual property, and very sensitive personal information—and it seems to be growing exponentially,” adds Cohen-Wood, who was previously Deputy Division Chief & Science And Technology Directorate Cyber SME at DISA (Defense Information Systems Agency) — and before that was Lead Senior Computer Forensic Examiner for the DoD (Department Of Defense) Cyber Crime Center. The recent DNC (Democratic National Committee) hack is the most visible evidence of hostile nation state sponsored hacking. “By breaking into the DNC and stealing and exposing data, for the first time we are seeing that hackers have the power to potentially influence the most vital election in the world, that of the presidency of the United States,” says Cohen-Wood, who is also author of Catching the Catfishers, a book which explores the digital footprints that we all leave behind when we are online, whether we realize it or not. While international cyber battles are certainly scary and grabbing the headlines in major daily newspapers, the bigger picture cyberwar is one of Black-Hat hackers vs. the world – where everyone, every (Internet of) Thing, and every bit of data is at risk of theft, damage or destruction. If it’s got a heartbeat or an electronic pulse, then it’s hacker prey. If the cyber evildoers have their way, lives will be lost. Economies will be shaken. Cars and planes will crash. Nations will clash. Power grids will go down. Businesses will go under. Reputations will be ruined. Government secrets will be exposed. Billions of personal identities will be stolen. Trillions of dollars will be taken. Zetabytes of data will be damaged. That’s what the hackers are shooting for. Cybercriminals are launching missives against a global attack surface comprised of the world’s people, households, companies, governments, police, hospitals, schools, banks, power grids, utilities, data centers, servers, networks, PCs, laptops, tablets, and smartphones. Count in Internet of Things (IoT) devices and the targets expand to cars, medical devices, kitchen appliances, thermostats, TVs, wristwatches, pet collars, webcams, thermostats, you name it. Enterprise IT infrastructures and databases house the goods which hackers crave — namely contact names and login credentials, credit card digits, social security numbers, and confidential files. No surprise the most daring and damaging hacks over the past several years have been carried out against big businesses and government agencies. Hackers dwell undetected for months at a time in corporate and government networks — which are gateways to public utilities, nuclear power plants, human and animal disease control centers, transportation and air traffic control systems, physical building security systems, intellectual property, trade secrets, and the world’s money. Surveillance and espionage have gone cyber. Spies are in fact cyber spies. An economic cyberattack could potentially disable the economy of a city, state or country, according to a recent RSA Conference blog post. In his New York Times bestselling investigation, Ted Koppel reveals that a major cyberattack on America’s power grid is not only possible but likely, that it would be devastating, and that the United States is shockingly unprepared. A national cyberattack recently targeted power grids in Ukraine, and it is believed that the malware used in crippling Ukraine’s power systems was also spotted affecting mining and railway companies. An apocalypse defined is the complete final destruction of the world… or more often thought of as an event involving damage on a catastrophic scale. However, the literal translation from Greek is a disclosure of knowledge or a revelation. A hackerpocalypse is either a metaphor for the mass destruction of the world’s computing systems and digital data… wreaking havoc on the world’s population — OR it is a lifting of the veil around the state of today’s hacking activities and resulting cybercrime. Our report is the latter. It does not forecast destruction or catastrophe. Rather, it shares knowledge from top cybersecurity experts – plus cybercrime statistics and resources — for more revelation around the cyber threats we face… and what they are costing the world. The primary goal of our report is to spark major discussion around cybercrime — and cyber defense — from local, national, and global political and business leaders. We invite broadcasters, publishers, editors, reporters, and bloggers to borrow generously from our report in their efforts raise up cybersecurity in the public’s consciousness. While our report focuses on global cybercrime, we zero in on the hacking activities against businesses and governments… and the resulting costs.
CYBERCRIME COSTSTop Cybercrime cost estimates have risen from $400 billion in early 2015 to $6 trillion by 2021. In early 2015, the British insurer Lloyd’s estimated cybercrime was costing businesses globally $400 billion annually — which included direct damage plus post-attack disruption to the normal course of business. Juniper Research followed with a report in the Spring of 2015, which predicted that the rapid digitization of consumers’ lives and enterprise records would increase the cost of data breaches to $2.1 trillion globally by 2019. This year, the Microsoft Secure Blog reported that The World Economic Forum estimated the economic cost of cybercrime to be $3 trillion worldwide. That was a six-fold jump in cybercrime damage estimates in just one year. Cybersecurity Ventures predicts cybercrime will continue rising and cost businesses globally more than $6 trillion annually by 2021. The estimate is based on historical cybercrime figures including recent year-over-year growth, a dramatic increase in hostile nation state sponsored and organized crime gang hacking activities, a cyber attack surface which will be an order of magnitude greater than it is today, and the cyber defenses expected to be pitted against hackers and cybercriminals over that time. The cybercrime cost prediction includes damage and destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hacked data and systems, and reputational harm. The worldwide cyber damage estimates do not include unreported cybercrimes, legal and public relations fees, declines in stock and public company valuations directly and indirectly related to security breaches, negative impact on post-hack ability to raise capital for start-ups, interruptions to e-commerce and other digital business transactions, loss of competitive advantage, departure of staff and recruiting replacement employees in connection with cyber-attacks and resulting losses, ongoing investigations to trace stolen data and money, and other. “The biggest victims of (cyber) crime are in the most developed economies, including the U.S., China, and Germany,” says Adam Segal. “Indian companies are also highly victimized.” Ginni Rometty, IBM Corp.’s Chairman, President and CEO — speaking at the IBM Security Summit in New York City last year — stated, “We believe that data is the phenomenon of our time. It is the world’s new natural resource. It is the new basis of competitive advantage, and it is transforming every profession and industry. If all of this is true – even inevitable – then cyber crime, by definition, is the greatest threat to every profession, every industry, every company in the world.” The construction industry is just one example of the future hot targets for cyber-attacks. As construction companies begin to standardize on IoT devices including thermostats, water heaters, and power systems, a whole new attack surface will emerge for hackers. Make no mistake, companies of all sizes and in all industries will continue to be cyber-attacked.
DIGITAL GROWTHTop By 2020 the world will need to cyber-defend 50 times more data than it does today. Microsoft frames digital growth with its estimate that by 2020 four billion people will be online — twice the number that are online now. They predict 50 billion devices will be connected to the Internet by 2020, and data volumes online will be 50 times greater than today. A recent Huffington Post blog quoted David Bray, Chief Information Officer (CIO) at the Federal Communications Commission (FCC) as saying, “Today there are 7 billion people, about 850 million web servers online, and about 4 billion zetabytes of digital content worldwide. By 2022 there will be 8 billion people, 75-300 billion networked devices globally and 96 zetabytes of digital content is estimated to exist”. Bray reinforces Microsoft’s predictions. There are 111 billion lines of new software code being produced each year — which will include billions of vulnerabilities that can be exploited, according to research conducted by Secure Decisions. Some media estimates peg the number of Internet of Things (IoT) devices to exceed 200 billion by 2020. IDC predicts global wearable devices (i.e. smartwatches, electronic fitness trackers) will grow from a little over 76 million in 2015 to more than 173 million by 2019. In a report last year, ABI forecasted that more than 20 million connected cars will ship with built-in software-based security technology by 2020 — and Spanish telecom provider Telefonica states by 2020, 90 percent of cars will be online, compared with just 2 percent in 2012. Hundreds of thousands — and possibly millions — of people can be hacked now via their wirelessly connected and digitally monitored implantable medical devices (IMDs) — which include cardioverter defibrillators (ICD), pacemakers, deep brain neurostimulators, insulin pumps, ear tubes, and more. In a decade from now, the cyber attack surface will surely include devices we cannot yet fathom. What about microchip implants in humans? Implantable Fitbits, circa 2025?
CYBERSECURITY SPENDINGTop Cybersecurity Ventures projects $1 trillion cumulatively will be spent globally on cybersecurity from 2017 to 2021. Worldwide spending on cybersecurity reached $75 billion in 2015, according to Gartner, Inc., the leading IT analyst firm. Cybersecurity Ventures forecasts global spending on cybersecurity products and services will exceed $1 trillion over the next five years, from 2017 to 2021. IT analyst forecasts are unable to keep pace with the dramatic rise in cybercrime, the ransomware epidemic, the refocusing of malware from PCs and laptops to smartphones and mobile devices, the deployment of billions of under-protected Internet of Things (IoT) devices, the legions of hackers-for-hire, and the more sophisticated cyber-attacks launching at businesses, governments, educational institutions, and consumers globally, according to Cybersecurity Ventures’ Cybersecurity Market Report. “From our optics, if you define cyber as data collection, storage, security, analysis, threat intelligence, operations and dissemination, then the $1 trillion market forecast from Cybersecurity Ventures barely scratches the surface,” says Jeremy King, President at Benchmark Executive Search, a boutique executive search firm focused on cyber, national, and corporate security. “Cyber will never go away as the bad guys will never stop exploiting this new medium.” King points to the Cybersecurity 500 list of the world’s hottest and most innovative cybersecurity companies as an elite cybercrime fighting force. These companies collectively employ tens-of-thousands of cybersecurity experts with deep domain experience across all of the security disciplines required to combat hackers. “The companies on the Cybersecurity 500 list earned a spot because the lure for bad guys stealing money, data, IP, secrets, reputations or intentions is just too great. Cyber War is here! A war for defensive solutions, offensive strategies, and a war for top talent,” adds King.
WHY IS THIS HAPPENING?Top The target of most data breaches are money and espionage, followed by notoriety. “What in the world is going on and why is this happening?” asks Tyler Cohen-Wood. She answers with, “The reasons are both simple and complex. We are more connected than ever before with everything we use having some form of wireless or Internet connection: health monitors, smart TVs, smart home control and alarms systems, cars, planes, power grids and the list goes on. The extent to which everything is dependent on the Internet can be alarming because lives are at risk.” “The problem is really threefold,” Cohen-Wood explains. “First off, hackers have shifted from breaking into systems by actually cracking the code to attacking the human element, such as using spear phishing attacks to target individuals in order to gain entry in a company network or personal system. Secondly, most people are not aware that their pattern of life can be easily gleaned by a hacker perusing their social media and don’t take these types of attacks seriously because they either don’t understand the threat or do not think they are in any real danger. Third, the more connected devices you have connected to your network and the more apps and software (especially those with default passwords and poor security), the greater your chances are of being hacked. A security professional has to fill in all the security holes, while the hacker just has to find one left open.” Hacking for Dummies keeps it simple and asserts, “Hackers hack because they can.” The book states the motives include blackmail, boredom, bragging rights, espionage, extortion, financial gain, and more. “The target of most data breaches are money and espionage,” says Dr. Anita D’Amico, CEO at Code Dx, Inc. “Verizon’™s 2016 Data Breach Investigations Report states that 89 percent of breaches in 2015 had a financial or espionage motive. If you read the data breach reports it would be easy to conclude that most Black-Hat hackers are in it to get paid, either by stealing directly from a financial institution or stealing information to sell to others. But those reports don’t include the attacks that are motivated by fame and notoriety, among other hackers and the media. There are many hackers that spend countless hours crafting exploits just to prove that they can do it, and do it fast.”
WHO IS A HACKER?Top Hackers run the gamut from curiosity seekers to hostile nation state sponsored cyber-terrorists. The times have changed over the past 45 years since Bill Gates — legendary co-founder of Microsoft, the world’s richest person, and now philanthropist — was caught hacking into a major corporation’s computer and as a consequence he was forced to give up his computing privileges for a year. Gates was a curious and budding 15-year-old programmer at the time. Too curious for his own good. “Today’s hackers — a.k.a. ‘Black-Hats’ — are motivated by money, notoriety, and malicious intent,” says Atif Ghauri, CTO USA at Herjavec Group, and Adjunct Professor – Cybersecurity at Drexel University. “Talented and unemployed college graduates with and without formalized computer training are sitting around in coffee shops of underdeveloped nations picking up ‘work’ for data theft and espionage” adds Ghauri. “They have all the time in the world. They even have resources when sponsored by a nation state or organized gang. Left with so few options, the financial gain and underground notoriety attracts criminal activities, as it is their only alternative – not to mention ludicrous cash payouts and bounties offered on the dark web.” An FBI agent told Black Hat conference attendees that when it comes to the most recent DDoS attacks, the vast majority come from North America, Western Europe and Israel… and many (attackers) are 16 to 17-years of age or in their mid-20s. “Sophisticated attackers use a wide variety of approaches to disrupt or gain access to a system or a network” states Chris Binnie, in his book ‘Linux Server Security: Hack and Defend’. “They (hackers) are not only sophisticated and intelligent, but also innovative, patient and cunning. They employ social engineering, build customized hardware, and practice sleight of hand.” Some hackers focus on big-ticket hardware, like cars. Cyber thieves are stealing current model cars by hacking into their electronic ignition systems using laptop computers — which can cause consumers and auto insurers billions of dollars, and even force automakers to modify their electronics or ignition systems. A new vulnerability exposes both the ignition and the keyless entry system that unlocks doors in nearly all Volkswagen cars sold since 1995 — estimated to be around 100 million cars. Automotive cybersecurity researchers hacked into a Jeep Cherokee — originally at low speed and more recently at high speed — and proved they could take control of the steering wheel and brakes. Other speciality hackers focus on breaking into or stealing from smartphones, automated teller machines (ATMs), point-of-sale (POS) systems, gas pumps, video game consoles, late model TVs, cables boxes, GPS devices, digital cameras, and other electronically connected devices. Hackers have morphed from the lone wolf wearing a hoodie and sitting behind a computer — to a garden variety of cyber intruders and perpetrators wearing anything from t-shirts and flip-flops, to dark suits and wing-tips, to military garb. A high-level breakdown of the various hacker types:
- Hacktivists (Hacker-Activists) are motivated to deface and harm websites, blogs and other digital media — and launch DDoS (distributed denial of service) attacks against organizations they are opposed to.
- Cyber-Insiders are employees (or contractors, others with ‘inside’ access) who hack into their internal systems and data belonging to their employers.
- Cyber-Gangs are groups of hackers who are sponsored and managed by criminal organizations, and perpetrate illegal hacking for stealing large sums of money, drug trafficking, and other crimes.
- Cyber-Spies (often sponsored by hostile governments) commit espionage through digital surveillance, and theft of confidential data including government and trade secrets, intellectual property belonging to corporations, academia, medical institutions, and other.
- Cyber-Terrorists use technology to commit cyber-attacks which harm people, places and things.
- Cyber-War Fighters belong to nations who engage in cyber warfare, using technology as their weaponry.
- Cyber-Criminals are the broadest category and may refer to any of the above, but can be thought of as solo or group hackers who use technology and employ social engineering against organizations and individuals for financial gain, notoriety, or both.
CYBER OFFENSE VS. CYBER DEFENSETop Speed is where the Black-Hats have the advantage over the White-Hats. The bad guys — Black-Hats — are on offense, and the good guys — White-Hats — are on defense. “Black-Hats may be nation-state sponsored, disgruntled employees, and/or political activists,” says Herjavec Group’s Atif Ghauri. “White-Hats are the good guys, motivated by idealistic principles such as protecting the innocent and warding away evil and destruction for the sake of good.” Ghauri notes that the Black-Hats have advanced hacking skills compared to that of most White-Hats. An NFL (National Football League) metaphor helps explain the dynamics between the opposing sides — the Black-Hats are running a hurry-up no-huddle offense — and the White-Hats rely on a stodgy defense which huddles up before each down and methodically contemplates how to defend the next play… with constant input and restraint from their head coach and defensive coach. “Black-Hats are ahead of White-Hats,” says Adam Segal, Director, Digital and Cyberspace Policy Program, Council on Foreign Relations. “That is symptomatic of the larger problem in cybersecurity that offense still has the edge over defense. The defender has to worry about millions of lines of code, thousands of devices, thousands of networks. The attacker only has to be right once.” “Speed is where the Black-Hats have the advantage,” says Dr. Anita D’Amico, CEO at Code Dx, Inc., an application security company, a human factors psychologist, a specialist in cybersecurity situational awareness, and a security researcher, who was previously head of Northrop Grumman’s first Information Warfare team. “Right now about 11 percent of compromises are accomplished within seconds and another 82 percent in under an hour. The attackers work nimbly and without rules. The attackers, by nature, abhor rules and will break them. The defenders, by contrast, often are encumbered by rules of engagement and permissions, and so the defensive response is slow, measured in hours or days. Even White-Hat hackers who are paid to penetrate an enterprise by its own organization have to work within boundaries and rules that are not there for the Black-Hats.” “(Cyber) Criminals have the advantage because the math works in their favor: they can use the same attack infrastructure to send the same phishing email delivering the same malware that exploits the same vulnerability to thousands of targets; they only need to be successful once,” says Rob Knake, Senior Fellow for Cyber Policy, Council on Foreign Relations, and previously Director of Cybersecurity for The White House. “Defenders need to protect massive attack surfaces, being right every time.”
MONEY, AND THE LAWTop Crypto currencies enable and embolden cybercriminals. “The rise of Bitcoin and other crypto currencies has made it possible, safe, and easy, to demand and receive payments and transfer money anonymously," says Matt Anthony, Vice President of Remediation Services at Herjavec Group. “This has had a dramatic impact on the number and type of cybercrime opportunities. It really is the engine of cybercrime, and it will continue to enable and embolden the criminals.” As long as cybercriminals have no fear of retribution, they’ll continue hacking away. “Law enforcement will need to take a more coordinated and international view,” says Anthony. “A company reporting a cyber crime today is likely to get about the same response from law enforcement as if they were reporting a stolen bicycle.” “There is no effective law enforcement for financial cybercrime today,” says Herjavec Group Founder & CEO Robert Herjavec. “Organizations need to increase their defenses and become more resilient because there is no end state in sight for this growing cybercrime epidemic. So long as there is a way for cybercriminals to get paid, with limited risk, attacks will continue. The challenge remains that large enterprises aren’t nearly as agile as their attackers”.
SOCIAL ENGINEERING, PHISHING, M2M ATTACKSTop Stolen datasets are absorbed into black markets that feed an ecosystem of identity theft. How are hackers getting into corporate networks? “Due to the anonymous and impersonal nature of the attack surface, cyber criminals test your assets from outside and in, looking for the most profitable ways to exploit the holes in corporate cyber defences,” says Robert Steadman, Vice-President, Security and Compliance Consulting at Herjavec Group. “One of the most significant threats today is social engineering,” says Steadman. “Each day around the world, 294 Billion emails are sent, and it is estimated that more than 90 percent of them are spam. Of the reported 37.3 million instances of phishing attacks, 88 percent involved users clicking a link. Social engineering has proven itself to be an effective means by which threat actor groups can exploit human cognitive biases to gain access to sensitive information and assets.” “An increasing number of phishing campaigns are now specifically crafted to target individual organizations,” continues Steadman. “The lack of user awareness when combined with a significant uptick in criminal activity (and improved tactics) has given rise to a number of large scale private and public sector breaches that have resulted in a global epidemic of issues surrounding confidentiality, integrity, and availability of data and services. Compromised datasets are absorbed into black markets that feed an ecosystem of identity theft.” LeakedSource – which has only been online for several months and culls data from the Internet and dark web — boasts databases with nearly 2 billion user credentials (emails, passwords, etc.) which have been breached. They offer access to their data for a mere 76 cents per day. To protect itself, LeakedSource informs that all of its data is in the public domain. One hacker recently claimed to have stolen login information from 200 million Yahoo accounts — and has put them up for sale on TheRealDeal, a darknet marketplace for hacker data including zero-day attack methods, hacking services, and more. The billions of new IoT devices have spurred a rise in machine-to-machine (M2M) cyber attacks. M2M enables networked devices to exchange information and perform actions — including automated hacking activities — without the manual assistance of humans. “There is a significant increase in machine-to-machine attacks, as compared to 3 years ago,” says Melissa Zicopula, Vice President Managed Security Services at Herjavec Group.
RANSOMWARETop Ransomware attacks are surging. Ransomware is malware that infects computers and restricts users’ access to their files or threatens the permanent destruction of their information unless a ransom — anywhere from hundreds to thousands of dollars — is paid. Last year, cybercrime victims forked over $24 million across nearly 2,500 ransomware cases reported to the FBI’s Internet Crime Complaint Center (IC3). The FBI states that ransomware attacks have already cost victims $209 million — in just the first three months of this year. At that rate, the total costs of Ransomware may approach $1 billion for all of 2016. Hollywood Presbyterian Medical Center in Los Angeles, Calif. declared an internal emergency earlier this year when they were infected by the “Locky” strain of ransomware. Some hospital were staff unable to turn on their computers and radiation and oncology departments unable to use their equipment, potentially interrupting treatments for cancer patients. Hollywood Presbyterian paid the demanded ransom of 40 bitcoins (worth $16,664 at the time) after the cyber intrusion — which was committed by unknown hackers. The ransomware threat is of particular concern due to its nearly foolproof nature. Even police departments have paid ransomware demands in order to regain access to their hacked systems and data. Infosecurity Magazine recently reported a whopping 789 percent jump in phishing email campaigns in the first three months of 2016 — due primarily to a surge in ransomware compared with the last quarter of 2015. As ransomware continues to grow, the ransom payments will climb and make up a substantially larger percentage of cybercrime costs over the next five years.
CYBER LABOR SHORTAGE OUTSOURCINGTop Cybersecurity job openings expected to grow from one million in 2016 to 1.5 million by 2019. A severe cybersecurity workforce shortage has left CISOs (Chief Information Security Officers) and corporate IT security teams shorthanded and scrambling for talent while the cyber attacks are intensifying. There are approximately one million cybersecurity job openings in 2016, and that number is expected to grow to 1.5 million by 2019. Corporations are responding by placing some or all of their IT security into the hands of third parties. The IT security outsourcing segment recorded the fastest growth (25 percent) out of the entire cybersecurity market last year, according to Gartner. Microsoft estimates 75 percent of infrastructure will be under third-party control (i.e., cloud providers or Internet Services Providers) by 2020. MSSPs (Managed Security Service Providers) are a subset of the third-parties, and they focus exclusively on security. Outsourcing security introduces a whole new risk for enterprises — choosing the right third party which has the cyber defenders, cyber operations, and security platforms to effectively combat an increasingly hostile threatscape. “Having a partnership with a third party Security Operations Center (SOC) provider is beneficial to companies that have limited IT resources and lack internal security expertise,” says Melissa Zicopula, Vice President of Managed Security Services at Herjavec Group. “There is a constant struggle to hire security talent and most importantly, retain resources” adds Zicopula, who was previously Executive Director of Global Security Operations for one of the world’s top gaming organizations. “Companies want to identify a provider that can manage the risks to their organization’s critical assets in an efficient fashion while aligning with industry best practices and the business’ needs. With this support, organizations can focus their resources on the real threats to the business, while still having a dedicated team of analysts monitoring alerts and detecting intrusions 24/7/365.” “I often explain to boards that Managed Security Services is the new house alarm,” says Robert Herjavec, Founder & CEO at Herjavec Group. “The logs tell you if your house is safe. The insights SOCs can draw from data correlation will tell you if the other houses on the street are getting robbed. Security technology management keeps the system fine tuned. But the secret sauce? That’s in data enrichment. That’s where the magic happens.” “MSSPs need to continually evolve their practices because proactive threat detection and investigation is becoming the norm,” adds Herjavec. “You can’t just block and defend anymore. The role of the Threat Hunter is key as the expectation is that cyber operators not only detect but they investigate and analyze very sophisticated and persistent threats. Enterprises want to know where the threat originated, how they should respond and what can be done to contain the incident. Today, more often than not, we’re seeing organizations turn to a third party for these answers.” “Over the past few decades, many Black-Hats who have been caught are offered jobs by 3 letter agencies,” says Atif Ghauri. “In fact the best White-Hats are first Black-Hats whom have been mentored and guided to do good. There is evidence of this trend in the commercial environment as well.” So, (some) cyber defenders are bolstering their teams by poaching from the Black-Hats. Robert Steadman notes that Herjavec Group does not recruit ex-Black-Hats, which he believes would be a risky practice for an information security services firm or MSSP.
SMALL BUSINESSTop Nearly half of all cyber-attacks are committed against small businesses. The Microsoft Digital Crimes Unit (DCU) states, “Cybercriminals hijack devices, steal personal information, send spam, run phishing scams and target bank accounts. It’s a global problem and no one organization can solve the issue of cybercrime on its own." This is especially true of small businesses who do not employ full-time cybersecurity personnel. Nearly half of all cyber-attacks globally last year were committed against small businesses, according to Symantec. Intel Corp. says that as many as 80 percent of small to medium sized businesses don’t have data protection or email security in place. Ransomware attacks launched on smaller companies usually asks for $1,000 or less in exchange for releasing the data being held hostage. The idea – according to Infosec Institute — is to make the business owner see this as a “nuisance expense” and pay up quickly compared to the business implication and stress of trying to fix the issue on their own. Small businesses — who don’t train their employees on security risks — are susceptible to the Business Email Compromise Scam (BEC), which the FBI says has led to over $3 billion in losses.
CYBERCRIME STATISTICSTop The editors at Cybersecurity Ventures have compiled some of the most compelling cybercrime statistics from the past year, which help frame the evolving threatscape faced by consumers, businesses, and governments globally:
- Every second, 12 people online become a victim of cybercrime, totalling more than 1 million victims around the world every day.
- Identity theft is now the fastest growing crime in America.
- CRN reports that data breaches and security incidents overall for 2016 (year-to-date) are up double digits over 2015, with the business sector up 49 percent — and the healthcare sector up 35 percent compared to the same period last year.
- Cybercriminals produced malware at a record rate of 230,000 new malware samples per day in 2015… and the 2016 figures are expected to be worse.
- Last year, more than three-quarters of the Fortune 500 were breached by cyber adversaries, and the average time from a breach to its detection was nearly 146 days.
- The 5 most cyber-attacked industries last year: 1. Healthcare; 2. Manufacturing; 3. Financial Services; 4. Government; 5. Transportation.
- More than 90 percent of corporate executives say they can’t read a cybersecurity report and aren’t prepared to handle a major attack.
- Consumers globally lost $158 billion to cybercrime last year.
- 75 percent of the top 20 US banks are infected with malware.
- The Office for National Statistics (ONS) released figures indicating that nearly half of all crime in the UK is cybercrime.
- Ransomware attacks have risen an astonishing 300 percent in 2016.
- 85 percent of senior security pros believe that more than 50% of IoT products are insecure.
- 90 percent of security incidents result from exploits against defects in software code.
FIGHTING BACKTop What you don’t know will hurt you. A common thread that runs through this entire report is a lack of security awareness on the part of corporate executives, small business owners, employees at organizations of all sizes, and consumers. “Unfortunately employees tend to be the weakest link in an organization,” says Robert Herjavec. “Human error is inevitable. But it’s each company’s responsibility to train their team – all of their teams, and not just security personnel – to know what to look for. How do you identify a phishing scheme? What do you need to consider before you open an attachment? Why should you never email your passwords or give them to someone who is cold calling you saying they are from Internal IT? It seems simple, but these basic errors can be catastrophic for an enterprise.” A study from IBM Security and IBM’s Institute for Business Value (IBV) earlier this year included a global survey of C-Suite executives at large corporations which indicated only 57 percent of chief human resource officers (CHRO’s) report they have rolled out employee training that addresses cybersecurity. Cybersecurity Ventures expects that number will rise sharply over the next five years — and employee education programs will become a fundamental cyber-defense strategy by 2021. Training employees on security will immediately bolster the cyber defenses at most companies. “Every Security Program needs to educate users, in fact, the bulk of data breach is exploiting common user knowledge gaps to social engineer them to install malware or give away their credentials,” says Lawrence Pingree, Research Director at Gartner, Inc., the leading IT analyst firm. “Organizations must do a better job at educating employees on warning signs and indicators of suspect activity, emails, and phishing campaigns,” says Herjavec Group’s Melissa Zicopula. “Cybersecurity is mainstream today because we’ve seen the repercussions personally, professionally and financially from not keeping our corporate and customer data secure,” says Robert Herjavec. “Security isn’t an IT issue; it’s a board-level issue for organizations globally. To speak more broadly, it’s a global citizen issue. The wars of today and even tomorrow will continue to play out via cyber warfare.” “I’d love to see our industry focus on educating the youth of today about cybersecurity risks and information security in general,” adds Herjavec. “We have a shortage of talent and training in this sector that needs to be resolved because the risks we are facing aren’t going to decrease over the next 5 to 10 years. We need the support of post-secondary institutions to help teach a new generation of students how this technology fundamentally works so we can have a greater talent pool to pull from.” Herjavec has given numerous speeches calling out the 0.0 percent unemployment rate in security. “It sounds insane given today’s economy, but it’s true –cybersecurity professionals are highly sought after and we need to ensure we’re replenishing the talent and teaching the next generation,” says Herjavec. A cyber call to arms:
- High Schoolers… There are hacker high school programs to help teens become the cyber-defenders of tomorrow. Think about it.
- Parents… Talk to your kids about purusing a degree in cybersecurity. It’s a noble and well paying profession with job security.
- Universities… Need to include cybersecurity in all of their undergraduate computer science programs.
- Women… Only 11 percent of the world’s information security workforce are women and it needs to be 50 percent or more.
- Minorities… Get involved. Only 3 percent of U.S. information security analysts are ‘Black or African American” and those jobs will grow by 18 percent through 2024.
- Retiring police officers… Bring your experience to the cyber forces.
- CIOs and CISOs… Cross train your IT workers on cybersecurity.
- CEOs… Your employees should be your first line of cyber defense. Make sure they are. There’s too much at risk for you not to.
- Cyber Defenders… society owes you a debt of gratitude. The cyberwar won’t end, ever. But hackers can be neutralized by the world’s cyber defenders… if there’s enough of them.
BOOK KNOWLEDGETop Cybercrime reading for everyone. Here are some recommended reading from the editors at Cybersecurity Ventures. These books will enlighten and inform readers. Knowledge is power in the war against hackers.
- Hacked Again: It can happen to anyone, even a cybersecurity expert. A small business owner gets hacked, and hacked again. He fights back by writing this book which tells an entertaining story while doubling as a cybersecurity dictionary for newbies and small business owners.
- The Hacked World Order: How Nations Fight, Trade, Maneuver, and Manipulate in the Digital Age. 2012 marked a transformation in geopolitics and the tactics of both the established powers and smaller entities looking to challenge the international community. That year, the US government revealed its involvement in Operation “Olympic Games,” a mission aimed at disrupting the Iranian nuclear program through cyberattacks; Russia and China conducted massive cyber-espionage operations; and the world split over the governance of the Internet. Cyberspace became a battlefield.
- Catching the Catfishers: Disarm the Online Pretenders, Predators, and Perpetrators Who Are Out to Ruin Your Life. Catching the Catfishers is for every user of social media, teaching you how to: Safely and successfully navigate the online world; Protect yourself and your children from online predators, cyber stalkers, and chat-room bullies; Detect if someone is not who he or she claims to be; Learn what digital bread crumbs you leave behind and how to clean them up; Control your own online identity; Use social media to find the right relationship, employee, or anything else you are looking for.
- Spam Nation: The Inside Story of Organized Cybercrime from Global Epidemic to Your Front Door. In Spam Nation, investigative journalist and cybersecurity expert Brian Krebs unmasks the criminal masterminds driving some of the biggest spam and hacker operations targeting Americans and their bank accounts. Tracing the rise, fall, and alarming resurrection of the digital mafia behind the two largest spam pharmacies―and countless viruses, phishing, and spyware attacks―he delivers the first definitive narrative of the global spam problem and its threat to consumers everywhere.
SPECIAL CONTRIBUTIONTop Privacy and security for American citizens. Cybersecurity Ventures asked one of the top minds in the industry — Brian Krebs — for his commentary on the current state of cyber threats and how they are affecting American citizens. Krebs is author of the immensely popular blog ‘Krebs on Security’, and author of ‘Spam Nation’, The New York Times Bestseller which is described as The Inside Story of Organized Cybercrime — From Global Epidemic to your Front Door. Krebs worked as a reporter for The Washington Post from 1995 to 2009, authoring more than 1,300 blog posts for the Security Fix blog, as well as hundreds of stories for washingtonpost.com and The Washington Post newspaper. Krebs’ contribution is shared unedited, and in its entirety: The most realistic cyber threat is that as we become way more dependent on all this technology, we understand less and less of it and our sense of apathy, complacency and entitlement grows. The danger here, our course, is that we can scarcely afford to be more indifferent when it comes to tidying our little personal corners of cyberspace. Rather, we as people of the Internet need to become much more informed about the ways and snares of the enemy: Crooked governments, hacktivists, identity thieves and scam artists lie in wait to tear down our thin veils of privacy and security, and to plunder our most prized possessions should we neglect to secure and probably value them. Whether we value them or not, the enemy knows well what these things are worth and how to monetize or otherwise abuse them for its own gain. We also can’t afford to keep producing incredibly flawed software and hardware without any care or accountability for crafting code that is secure by design and not just secure by afterthought or patch. Virtually every hot consumer product these days has a computer chip, software and logic in it — and maybe even Internet connectivity. Left to their own devices, a great many of these online things that nobody wants anymore will grow outdated and insecure, and be hijacked for nefarious purposes — most likely to assist in massive online attacks designed to know sites and individuals offline and to disrupt free speech and global commerce. Everyone has a role to play in security, and if we’re not part of the solution we’re invariably part of the problem. Same goes with privacy. I’d wager that this is a concept which is completely alien to many Americans, and my fear is that the next generation won’t readily be able to relate to this term as a form of self-preservation. And it’s not hard to see why. In this country, the easiest way to have privacy is it be either destitute and without possessions or to be very wealthy. That is, at least wealthy enough to put up with all the petty inconveniences that come with trying to preserve some level of privacy in one’s life. Increasingly, however, privacy is presented as a binary, all or nothing choice. An alarmingly increasingly number of people are okay with that, and will happily give all of their secrets away if everything is always free. But nothing in life is free, and those who do nothing to preserve or at least measure what their privacy is worth soon find out they have neither privacy nor security, and probably less liberty. Unfortunately, there is no privacy without security. And so if we value privacy, we must also care more about security. But to preserve liberty, we need to care deeply about both. – Brian Krebs, August 16, 2016 Editor’s note: Krebs received no compensation for his contribution, and he is not affiliated with Cybersecurity Ventures or any of our sponsors. While his commentary centers on the U.S. and its citizens, it is a global message which we believe applies to other nations and citizens globally.
CYBERSECURITY VENTURESTop Steven C. Morgan, Editor-In-Chief Steve Morgan is Founder and CEO at Cybersecurity Ventures, and Editor-In-Chief of the Cybercrime Report and the Cybersecurity 500 list of the world’s hottest and most innovative cybersecurity companies. He has written hundreds of cybersecurity blogs and articles which have appeared in CIO, Computerworld, CSO, Forbes, Homeland Security Today, InformationWeek / DarkReading, Infoworld, ITworld, SandHill.com and others. Steve is regularly interviewed, quoted, and cited in financial, business, technology, and cybersecurity media outlets for his expert opinion on cybersecurity market projections and cybercrime trends.
CONTRIBUTORSTop Atif Ghauri, CTO USA, Herjavec Group Atif Ghauri has over 15 years of experience in technology strategy, implementation and business development from Comcast, IBM and Unisys. Prior to joining Herjavec Group, he spent four years at Comcast serving as the CISO for the advanced engineering group. He led all product and operational security work streams to launch next generation X1 Platform and Xfinity Home Security product and services. At Comcast, Atif invented and deployed a patent pending fraud detection technology operational on over one million customer devices. Atif earned his undergraduate degree with honors from the Schreyer Honors College at Penn State University, and holds Master of Technology Management from the University of Pennsylvania. Matt Anthony, Vice President Remediation Services at Herjavec Group Prior to joining Herjavec Group, Matt Anthony held numerous leadership positions focused in enterprise security programs, most recently at Alberta Health Services, a $14 billion, 115,000 seat enterprise. Matt has been at the forefront of the information security practice for many years, building and implementing effective programs to govern and manage risk. He has developed and operated Security Operations Centres, led security incident response practices, created policy and governance frameworks, and implemented and operated digital investigation teams. Matt believes strongly in positioning information security as an enabler of business by promoting an architectural and risk-based approach to program development and management. Robert Steadman, Vice President Consulting Services at Herjavec Group Robert Steadman has over 27 years of experience in IT Risk Management and information security, specializing in enterprise information risk management engagement delivery and payment card industry compliance. Robert’s expertise includes governance, risk and compliance (GRC), information security policy and strategic technical assessments. Prior to joining Herjavec Group, Robert earned extensive practical experience leading the security and compliance practices for leading Canadian financial institutions and grocery retail chains. He also led the IT Security Practice at PWC in Toronto, Canada. Melissa Zicopula, Vice President Managed Security Services at Herjavec Group Melissa Zicopula has over 10 years of experience in government and corporate sectors in various executive roles within global cybersecurity operations. She has been responsible for developing and improving the managed services practices and SOC operations across US federal and global gaming organizations. Melissa leads the overall Managed Services practice for Herjavec Group, overseeing SOC operations, enriching customer analytics and supporting enhancements to the firm’s Managed Services practice.
For immediate media inquiries contact Erin McLean SVP Marketing & Communications EMcLean@HerjavecGroup.com, 647-826-3115