ISACA Journal
Volume 1, 2014

Columns 

IS Audit Basics: Understanding the Cybercrime Wave 

Tommie Singleton, CISA, CGEIT, CPA 

The fact is that cybercrime has superseded much of organized crime in the past few decades. There are still gangs—organized gangs—but they are considerably different. First, the gang members are frequently not in the same geographic location. Second, they are likely to be international in nature. Third, the gang relies on technology skills rather than brute force or trickery to perpetrate its crimes. Fourth, while the gangs are usually still after money in the end, the means of getting there is significantly different from the past. Because of their scope and level of risk (the danger of a serious malicious attack), as compared to a few years ago, cybercrimes in recent years could be viewed as a crime wave.

First, the term “cybercrime” needs a definition that is widely and generally accepted. According to one authoritative source, cybercrimes (or cyberattacks) generally refer to criminal activity conducted via the Internet.1 Examples of cybercrimes include stealing an organization’s intellectual property (IP), confiscating online bank accounts, creating and distributing viruses on other computers, posting confidential business information on the Internet, and disrupting a country’s critical national infrastructure.2

In February 2013, 178 million Americans watched 33 billion online videos.3 This statistic reflects the value of intellectual property available on the Internet in movies alone. For example, Netflix is paying Disney and Epix a total of US $350-400 million a year in licensing fees for content.4

Next, all IT auditors need to grasp the scope of this problem. According to the Ponemon Institute, the average annualized cost of cybercrime for respondents to its 2012 survey was US $8.4 million globally, US $8.9 million inside the US.5 This is an increase of 6 percent from the last survey. The respondents also report that they experienced 1.8 successful attacks per week per entity, an increase of 42 percent from 2011.6 The survey results show a positive relationship between size and annualized cost of cybercrimes. However, smaller organizations had a significantly higher per capita cost (US $1,324) than larger organizations (US $305). Statistics such as these indicate that cybercrimes are on the increase.

Finally, the IT auditor needs to understand the phases or components of a cybercrime attack. First, there is the tool or tools used by the cybercriminal, such as a denial-of-service (DoS) program, a virus or a Trojan. Next is the delivery methodology, for which the term is vector. Examples of a vector are phishing emails, drive-by web sites, vulnerabilities that allow unauthorized access to systems or data, and advanced persistent threats (APTs). Finally comes the purpose or objective of the cybercriminal—the crime. Examples include theft of IP, theft of funds or disruption of systems.

Cybercriminals are often external to the victim, but according to the Ponemon Institute, one of the three most costly attacks is associated with malicious insiders.7 A typical insider cybercrime would be an employee stealing funds via automated clearinghouse (ACH), electronic funds transfer (EFT) or wire transfer. Ultimately, organizations must protect themselves from external and internal threats and risk.

The basics to be understood about cybercrime include the types of potential losses (who the victims are, what gets stolen and how victims suffer), basic remediation, trends and resources.

Types of Potential Losses Due to Cybercrimes

Figure 1: Who Are the Cybercriminals’ Victims?

The nature of the victims of cybercriminals is generally a function of whether a person or entity has something the cybercriminals can steal that will satisfy their goal, which is usually money (see figure 1). So, naturally, a favorite target victim is the financial institution. Part of that is driven by the fact that financial institutions are warehouses for money, but they are also a favorite target because a common scheme of the cybercriminal is falsifying debit/credit cards. There is also a growing number of DoS attacks on banks to disrupt banking services and the financial infrastructure of the US.

This leads to another favorite target of cybergangs: anyone who holds large files of debit/credit card data, such as financial institutions and retail trade. The 2007 T.J. Maxx breach led to the theft of more than 45 million debit/credit card numbers and US $100 million in fraudulent charges. The case, prosecuted by the US Department of Justice, was reportedly the largest to date for hacking and identity theft. Eleven conspirators were accused of hacking into the unsecured wireless networks of a very large set of retail chains. A similar event occurred with the CardSystems Solutions breach, in which about 40 million credit cards were exposed to the hacker. The point is, where there are millions of debit/credit card records, cybercriminals are attracted. But they may also be attracted to thousands of card records in small and medium-sized enterprises (SMEs), where the data may not be encrypted or are otherwise unsecured.

For those in government, there is a specific threat from cybercriminals: nation-state-sponsored terrorism and attacks. It is reported that some governments are hiring full-time hackers to attack government data, content and IP (e.g., weaponry) and to attack businesses as well (with the same target of data/content/IP). This situation presents a difficult and dangerous challenge for those tasked with protecting the data, content and IP from such threats on behalf of a government agency.

Some cybercrimes target SMEs because of the lower likelihood that those organizations have adequate information security controls to prevent the crime. For instance, the corporate account takeover cybercrime8 is focused on SMEs. Thus, if the auditee is an SME, it carries some risk of corporate account takeover and other schemes targeting SMEs, and the IT auditor should be in a position to assist management in defending against such attacks.

Figure 2: What Do Cybercriminals Steal?

Cybercriminals are after almost anything that is of value in the current crime world (see figure 2). Sometimes the target is related to eventually stealing funds. Sometimes it is about causing harm to an entity. Sometimes it is to gain fame and possibly recognition that will lead to a high-paying job. But usually, the eventual objective is to steal money.

That objective could be met by stealing an individual’s or entity’s bank credentials. It could be more sophisticated by involving personally identifiable information (PII), which can be used to open false accounts, loans and other methods of impersonating someone for illicit financial gain.

A more direct path is to steal debit/credit card data that can either be skimmed onto a blank or discarded credit card and used to access the victim’s credit, or can be used online to buy any variety of things that the criminal could then turn around and sell or use. Debit/credit card theft is sometimes the end objective of stealing PII.

While the first three cybercrime objectives in figure 2 are fairly well known, the last one does not seem to draw as much attention: IP, data and/or content. IP has an immediate value to the criminal. But cybercriminals continue to invent ways to get money related to data and content. One new method is the cryptolocker virus.

The cryptolocker virus scheme works as follows: The cybercriminal infects an entity’s computer system with the cryptolocker, usually via a phishing email or drive-by web site. The virus then generates a private and public key and proceeds to encrypt all of the data on a server or network. Then, the cybercriminal sends what is basically a hostage message saying he/she will provide the private key for US $300-$500, knowing that it will cost much more to get the data back, even if the entity does have an effective business continuity plan (BCP) including current backups of data. The problem is, if the cybercriminal is able to infect an entity’s system once, what is to prevent him/her from doing it again? And what other malware did the cybercriminal place on the system before executing the cryptolocker virus? No matter what the victim decides, the entity will need serious and costly entitywide security changes.

Sometimes a cybercriminal is out for nonmonetary satisfaction. For instance, those who employ DoS or distributed DoS attacks do not receive monetary gain; instead, they desire high-profile attention. Other objectives might be distributing a virus (for a similar fame objective) or disrupting a government infrastructure or private service (e.g., a major web site).

What Are the Damages From a Cybercrime?
It begins with the end game—loss of funds, usually from a financial institution’s account. Sometimes that is stolen directly (e.g., corporate account takeover, ACH/EFT/wire transfer frauds), and other times it is taken indirectly—stealing the victim’s identity and opening accounts.

There is also the collateral damage from the attack, which is twofold. First, the entity has likely suffered some damage or loss to data or systems. There is a cost to recover or restore data, systems or computerized services. For example, in the cryptolocker virus, once the data are encrypted with a public/private key, the entity must spend resources to recover the data—whether by restoring a backup or paying a ransom. Second, a breach in the entity’s systems has been exploited. Whether or not the entity knew about it before the attack, following an attack, it is in the entity’s best interests to fix the security problem to prevent it from occurring again. The cost of such security fixes can be significant.

Collateral damage can come in other forms as well, for example, local or regional fines or penalties and the costs associated with complying with laws. Further, if the entity suffers loss of debit/credit card data or PII of customers, the customers may sue the victim in court for damages. Finally, there is the damage to the public image of the victim. Once the public finds out that customers had their debit/credit card data or PII stolen from a particular entity, others may think twice about doing business with that organization.

How to Defend Against Cybercrimes: The Point of Entry

As with so many of the audits IT auditors perform, the best way to defend against cybercrimes is to conduct an effective risk assessment. That process should produce a risk ranking. Once the ranking is complete, the entity must set a risk threshold and address those risk areas at or above it.
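The ranking-and-threshold step described above, worked through in code. This is an added example, not the column's or ISACA's own method: the register entries, the 1 to 5 likelihood and impact scales, the control-strength discount and the threshold value are all constructed assumptions chosen to illustrate the procedure; each entry is described with the column's tool/vector/crime components so the ranking ties back to how an attack is perpetrated.

```python
"""Risk ranking with a treatment threshold (added example; scores constructed)."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class RiskArea:
    name: str
    tool: str             # what the attacker uses (the column's "tool")
    vector: str           # how it is delivered (the column's "vector")
    crime: str            # the objective (the column's "crime")
    likelihood: int       # assumed scale: 1 (rare) .. 5 (expected)
    impact: int           # assumed scale: 1 (minor) .. 5 (severe)
    control_strength: float  # assumed: 0.0 no existing control .. 1.0 fully effective

    def inherent(self) -> int:
        """Risk before existing controls: likelihood x impact."""
        return self.likelihood * self.impact

    def residual(self) -> float:
        """Risk remaining after existing controls are credited."""
        return round(self.inherent() * (1.0 - self.control_strength), 1)


# Constructed register for a hypothetical SME auditee (not from the column).
REGISTER: List[RiskArea] = [
    RiskArea("Corporate account takeover", "banking Trojan", "spear-phishing email",
             "ACH/EFT/wire fraud", likelihood=4, impact=5, control_strength=0.2),
    RiskArea("Card data theft from POS", "memory-scraping malware", "unsecured wireless network",
             "debit/credit card fraud", likelihood=3, impact=5, control_strength=0.5),
    RiskArea("Ransomware (cryptolocker)", "encrypting virus", "drive-by web site",
             "extortion for data", likelihood=3, impact=4, control_strength=0.4),
    RiskArea("DoS on customer web site", "DoS program", "Internet-facing web server",
             "service disruption", likelihood=2, impact=3, control_strength=0.3),
    RiskArea("Insider EFT fraud", "stolen credentials", "malicious insider",
             "theft of funds", likelihood=2, impact=4, control_strength=0.75),
]


def rank_risks(areas: List[RiskArea]) -> List[RiskArea]:
    """Highest residual risk first; ties broken by impact, then name."""
    return sorted(areas, key=lambda a: (-a.residual(), -a.impact, a.name))


def select_for_treatment(areas: List[RiskArea], threshold: float) -> List[RiskArea]:
    """Risk areas at or above the entity's chosen threshold, in ranked order."""
    return [a for a in rank_risks(areas) if a.residual() >= threshold]


if __name__ == "__main__":
    THRESHOLD = 7.0  # assumed entity threshold
    for area in rank_risks(REGISTER):
        flag = "TREAT" if area.residual() >= THRESHOLD else "accept"
        print(f"{area.residual():5.1f}  {flag:6s}  {area.name}: "
              f"{area.tool} via {area.vector} -> {area.crime}")
```

Crediting existing controls separately from likelihood and impact is what makes the ranking auditable: the auditor can challenge the control-strength figure on its own evidence (for example, whether the dedicated online-banking computer is actually in use) without reopening the whole assessment.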

While it may be an oversimplification, the remediation starts with understanding where the original point of entry is for identified risk and finding an effective remediation to prevent and detect an intrusion. For instance, on a corporate account takeover, the point of entry is when the cybercriminal attacks (purposely and individually selected) an accounting officer with a phishing email or drive-by web site. Thus, one possible solution is to have a computer dedicated to online transactions (ACH, EFT and wire transfers) that never accesses email or the web.
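Detection is the other half of the remediation named above. The corporate account takeover pattern the column describes (endnote 8) ends with repeated transfers of about US $10,000 each to newly set up money mules until the account is empty; the following is an added example of detection logic over an outgoing-transfer log, not code from the column or any bank. The log format, the account and payee identifiers, the amount band, the "new payee" age and the burst window are all constructed assumptions; a real control would draw these from the entity's own transaction history.

```python
"""Flag a cash-out burst to newly added payees (added example; data constructed)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log (not real data): when,account,payee,amount,payee_added
# ACCT-1001 is routine activity; ACCT-2002 shows the takeover cash-out pattern.
SAMPLE_LOG = """\
2013-11-04T09:12:00,ACCT-1001,PAYEE-201,4250.00,2011-03-15
2013-11-04T09:40:00,ACCT-1001,PAYEE-310,7600.00,2013-10-28
2013-11-04T10:05:00,ACCT-1001,PAYEE-202,12400.00,2010-06-01
2013-11-04T13:02:00,ACCT-2002,PAYEE-901,9800.00,2013-11-02
2013-11-04T13:21:00,ACCT-2002,PAYEE-902,9950.00,2013-11-02
2013-11-04T13:47:00,ACCT-2002,PAYEE-903,9700.00,2013-11-03
2013-11-04T14:15:00,ACCT-2002,PAYEE-904,9900.00,2013-11-03
2013-11-04T16:30:00,ACCT-2002,PAYEE-905,9850.00,2013-11-03
"""


@dataclass
class Transfer:
    when: datetime
    account: str
    payee: str
    amount: float
    payee_added: datetime  # date the payee was registered with the bank


def parse_log(text: str) -> List[Transfer]:
    """Parse the comma-separated log; blank and '#' lines are ignored."""
    transfers = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        when, account, payee, amount, added = line.split(",")
        transfers.append(Transfer(datetime.fromisoformat(when), account, payee,
                                  float(amount), datetime.fromisoformat(added)))
    return transfers


def flag_cash_out(transfers: List[Transfer], min_amount: float = 5000.0,
                  max_amount: float = 10000.0, new_payee_days: int = 30,
                  window: timedelta = timedelta(hours=2),
                  min_count: int = 3) -> List[Dict]:
    """One alert per account that sends >= min_count transfers, each within
    [min_amount, max_amount] and to a payee added within new_payee_days,
    inside a sliding time window of `window`."""
    suspicious: Dict[str, List[Transfer]] = defaultdict(list)
    for t in sorted(transfers, key=lambda t: t.when):
        new_payee = (t.when - t.payee_added) <= timedelta(days=new_payee_days)
        if new_payee and min_amount <= t.amount <= max_amount:
            suspicious[t.account].append(t)

    alerts = []
    for account, items in suspicious.items():
        start = 0
        for end in range(len(items)):          # advance the window's right edge
            while items[end].when - items[start].when > window:
                start += 1                     # drop transfers that fell out
            burst = items[start:end + 1]
            if len(burst) >= min_count:
                alerts.append({
                    "account": account,
                    "count": len(burst),
                    "total": sum(t.amount for t in burst),
                    "first": burst[0].when,
                    "last": burst[-1].when,
                    "payees": [t.payee for t in burst],
                })
                break                          # report once per account
    return alerts


if __name__ == "__main__":
    for a in flag_cash_out(parse_log(SAMPLE_LOG)):
        print(f"{a['account']}: {a['count']} transfers totalling {a['total']:,.2f} "
              f"between {a['first']:%H:%M} and {a['last']:%H:%M} -> {a['payees']}")
```

The rule deliberately keys on payee age rather than on the user's credentials or device, because in the scheme the column describes the session comes from the accounting officer's own computer with valid credentials, so the bank's login controls see nothing unusual; what is unusual is a run of near-identical amounts to payees that did not exist a week earlier. Alerting at the third transfer rather than after the account is empty is the point of a burst window.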

Another key to remediation is to understand the tools and vectors that have a high risk for the auditee and think through how to remediate that particular tool or vector. Fortunately, there are a lot of resources available to IT auditors.

Cybercrime Trends

Several facts from the last few years point to trends in the current crime wave. First, cybercrimes have moved from broad-based attacks, such as mass-phishing emails, to targeted attacks on specific victims, as in spear phishing. Yet, cybercrime goes beyond spear phishing. The corporate account takeover crime scheme is based on targeting the victim with specificity. One factor in this targeting is that these techno-gangs often target SMEs because they believe SMEs are likely to have less information security in place than a larger business. Similar targeting takes place in the theft of debit/credit card data. Cybercriminals target the card processors, banks and other entities that are likely to hold files with thousands, if not millions, of card records. While these institutions are large, the technical skills of criminals such as Albert Gonzalez (T.J. Maxx breach) demonstrate just how savvy these criminals are when it comes to IT; he stole almost 200 million debit/credit cards in a span of four years using sophisticated IT techniques and tools.9 Another example is the advanced persistent threat (APT) vector. It is called “persistent” because the cybercriminal identifies a specific target and then hammers at that target over and over to perpetrate the desired cybercrime.

Resources for Cybercrime Remediation

ISACA has a wealth of resources available on this subject, including frequent articles and a column (Information Security Matters by Steven J. Ross) on the subject in the Journal. It also has books, webinars and conferences on the topic.

There are also plenty of best practices that can be found with a search engine for specific aspects of cybersecurity (e.g., logical access controls, passwords, firewalls, BCP, encryption). And there are a number of reliable reports, standards and frameworks available from authoritative sources, many of which are updated annually:

  • Microsoft Security Intelligence Report
  • Verizon Data Breach Investigations Report
  • Ponemon Institute (various reports on cybersecurity)
  • Govinfosec web site
  • The Business Model for Information Security (BMIS) from ISACA
  • US National Institute of Standards and Technology (NIST) standards

Conclusion

The evidence supports that a new crime wave has begun in recent years: cybercrime. It is no longer a question of if your organization will be attacked, but when it will be attacked. The costs of cybercrimes are significant in a variety of ways.

For IT auditors to be prepared to respond to the risk, they need to understand how a cybercrime is perpetrated: one or more tools, one or more vectors, and the final result (the crime). To conduct an effective risk assessment regarding cybercrimes, the IT auditor needs to understand who the victims are likely to be, what is likely to be the object of the cybercriminal and the potential damages that could result from various cybercrimes.

The most costly attacks are those associated with DoS, malicious insiders and web-based attacks.10 Mitigation for such attacks requires enabling technologies such as security incident and event management (SIEM); intrusion prevention systems; application security testing; and enterprise governance, risk management and compliance (GRC) solutions. The loss or misuse of information is the most significant consequence of a cyberattack.11

All that said, the good news is there are remediation solutions. And there is a wealth of resources to aid IT auditors in defending their organizations against this crime wave. However, it will take education and some diligence in developing controls and defenses to thwart cybercrimes.

Endnotes

1 Ponemon Institute, “2012 Cost of Cyber Crime Study: United States,” October 2012
2 Ibid.
3 comScore, “comScore Releases February 2013 U.S. Online Video Rankings,” 14 March 2013, www.comscore.com/Insights/Press_Releases/2013/3/comScore_Releases_February_2013_U.S._Online_Video_Rankings
4 Seeking Alpha, “Netflix: Rising Content Costs Stump Growth,” 1 February 2013, http://seekingalpha.com/article/1150191-netflix-rising-content-costs-stump-growth?source=google_news
5 Op cit, Ponemon Institute. The sample was of 56 organizations in various industry sectors in the US, but many are multinational firms.
6 For an example of IP cybercrime, research the “Megaupload” case and its founder, Kim Dotcom, who was arrested in January 2012 on cybercrime charges.
7 Op cit, Ponemon Institute
8 The corporate account takeover generally follows this pattern: A cybergang identifies a target, an SME or small to medium-sized government agency. It then targets an accounting officer who is likely responsible for online banking, particularly ACH/EFT/wire transfers. It sends a phishing email to that person in hopes of infecting his/her computer with a Trojan. It steals banking credentials from that person. It sets up money mules to handle stolen cash. It uses a tool to grab control of the infected computer and log onto the bank account from the accounting officer’s own computer using his/her credentials. The bank’s system of controls suspects nothing. The criminals begin to transfer funds out of the bank about US $10,000 at a time to money mules, until the account is empty. The money mules keep a fee (usually about 5 percent) and send the rest on to the gang’s main bank in a distant country.
9 Miami Herald, “Identity Theft: Miami Hacker Cyberthief of the Century?,” 23 August 2009
10 Op cit, Ponemon Institute
11 Ibid.

Tommie Singleton, CISA, CGEIT, CPA, is the director of consulting for Carr Riggs & Ingram, a large regional public accounting firm. His duties involve forensic accounting, business valuation, IT assurance and service organization control engagements. Singleton is responsible for recruiting, training, research, support and quality control for those services and the staff that perform them. He is also a former academic, having taught at several universities from 1991 to 2012. Singleton has published numerous articles, coauthored books and made many presentations on IT auditing and fraud.

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and from opinions endorsed by authors’ employers or the editors of the Journal. The ISACA Journal does not attest to the originality of authors’ content.