BreachExchange mailing list archives

Dear Cyber Criminals: We’re Not Letting Our Guard Down in 2015
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 1 Jan 2015 19:34:37 -0700

http://www.darkreading.com/operations/dear-cyber-criminals-were-not-letting-our-guard-down-in-2015-/a/d-id/1318247

Dear Cyber Criminals,

Congratulations on a banner year! As cybercrime goes, you’ve had incredible
success in 2014. In the past 12 months you’ve demonstrated that no one is
too big or small to be a target: the US Government, Home Depot, JPMorgan,
Apple, eBay, and Community Health Systems, just for starters. And you keep
picking on poor Sony.

This past year, you exploited financial institutions like JPMorgan, where
you helped yourselves to contact information for 76 million households and
7 million small businesses. You sat on its network for more than two months
before a (rare) sloppy mistake gave you up. You even deleted your tracks,
hampering investigators. JPMorgan spent $250 million this year on cyber
security measures, which, thankfully, did prevent you from accessing its
really critical data.

Retail wasn’t safe either. You tapped Home Depot for 56 million payment
cards, costing it $62 million to recover from your handiwork. We are
getting pretty used to news like this, and consumer confidence isn’t as
easily shaken anymore. Not like in 2007 and 2008 when you cracked TJX and
Hannaford.

At the tail end of 2013, you snagged a whopping 110 million payment cards
from Target, one of the largest hauls in history. Quite simply, you have
dominated the retail space.

You very cunningly attacked the $3 trillion US healthcare industry,
including swiping 4 million electronic health records from Community Health
Systems, each EHR worth 50 times more on the black market than a credit
card number. The FBI Cybercrime Division even issued a warning to the
healthcare community that its security measures were inadequate and
couldn’t defend against a basic attack, let alone an advanced threat.

EHRs sell for about $50 a pop and can generate profit in many ways. The
medical identity may be sold, so someone can get an operation they
otherwise couldn’t afford. Details, like a mother’s maiden name, are most
likely included as well -- extremely useful for identity theft. And then
there’s that other sensitive information. EHRs contain personal info
ranging from drug rehab to STDs and details you wouldn’t want anyone
knowing. This information can be posted on the Internet, adversely
affecting a person’s life, ruining career potential, and even opening one
up to blackmail. The FBI acknowledged the value of this opportunity,
calling healthcare “a rich new environment for cyber criminals to exploit.”
Kudos for your accomplishments in this area.

Then there was Apple. That breach created one of the bigger media storms in
2014 and drew the most attention. This one was clearly just for fun and to
remind us that you enjoy some celebrity gossip just like the rest of us. A
classic phishing scam duped celebrities out of their logins, and some
clever third-party forensics software allowed you to gain data right from
iCloud. Then, you were kind enough to share your bounty of photos with
everyone, ensuring that gossip sites and forums had a field day.

In 2014 you also demonstrated increasingly impressive organizational
skills. You began selling your hacking services and running your
organization in a very notably corporate fashion. The Blackshades malware
reflects this growing sophistication. After infecting more than a
half-million machines across more than 100 countries, you were shown to be
running your hacking operation like a very organized and professional
business, replete with paid staff, customer service personnel -- even a
marketing director to promote Blackshades. Now that is some well-organized
crime!

The list goes on, pointing to an outstanding year. The cyber security
market is estimated to be worth about $76 billion annually, and demand for
security solutions is at an all-time high. Yet you remain effective. As we
have improved at stopping you, you have improved your methods, making them
more sophisticated and advanced.

In 2015, you’ll keep showing us why the cyber security market is as immense
as it is and why it will never stop growing. Despite what we’ll spend to
protect and educate ourselves, you’ll keep on doing what you do best:
exploiting vulnerabilities in operating systems and people. You’ll continue
to show that we can never let our guard down and must remain vigilant at
all times. To that end, we’ll keep exercising best practices by making sure
our systems are patched on Tuesdays and our antivirus is up-to-date, and by
teaching people -- our softest spot in the armor -- to stop being duped into
clicking the links you send them.

We'll see you on the battlefield next year. Be prepared. We will be.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/