Automated tools have become so ubiquitous that attacks against Internet-connected systems are commonplace. Because of this, the number of incidents reported offers little insight into the scope and effects of these attacks. Possibly as a consequence of this evolution, the Computer Emergency Response Team Coordination Center (CERT®/CC) at Carnegie Mellon University’s Software Engineering Institute (SEI) no longer publishes the number of reported incidents or vulnerabilities.
Nevertheless, numerous national surveys, conducted among samplings of U.S. businesses, government executives, security experts and others in the public and private sector, show that companies are not doing enough to protect themselves against cybercrimes.
The worldwide monetary loss from cybercrime attacks in 2017 was $172.2 billion. This figure could very well be imprecise and most likely underestimated, because many companies tend to deal with data breaches quietly and do not report them. And while respondents continue to be most concerned with intruders from outside their organizations, a considerable number continue to report damage caused from within. Reporting such occurrences does not bode well for a company’s image or public trust.
Interestingly, China suffered the worst losses at $66.3 billion; Brazil was ranked second with $22.5 billion in losses, while the U.S. was ranked third at $19.4 billion.
The first study ever to link specific online behaviors with the potential for becoming a victim of cyber crime, conducted by Computer Associates (now CA) and the National Cyber Security Alliance (NCSA), showed that up to 83 percent of adults who use social networking sites expose themselves to hackers and identity thieves.
Although social networking sites, such as Facebook, Twitter and Craigslist, previously had been examined from the standpoint of physical security issues, including sexual predators, this survey examined users’ online behavior and the possibility of other threats such as fraud, identity theft, computer spyware and viruses.
Results of the survey updated in 2016 revealed that there were 809 data breaches in the United States and more than 30 million records exposed. This figure is certainly expected to increase geometrically in recent years, due to the three billion Yahoo accounts that were compromised, as well as the hundreds of millions of others at the likes of Apple, AT&T, Chase, Citigroup, Deloitte, eBay, Equifax, the Federal Reserve Bank of Cleveland (including the Pittsburgh branch), Monster, Nintendo, Sony Pictures, Stanford University, TD Ameritrade, Trump Hotels and Walmart, to name only a few.
The CA/NCSA survey mentioned above reported some emerging general trends:
• The majority of data breaches are caused by weak or stolen credentials, some form of hacking or malware. Financial motives make up 75 percent of these attacks, and surprisingly only 14 percent were from insiders. (This is in stark contrast to the previous “Cybersecurity in the Pittsburgh Region” white paper, last updated in 2014, when internal breaches made up the preponderance of attacks.)
• Cybercrime costs the average U.S. firm $15.4 million a year.
• When it comes to American households, only 30 percent have rules limiting the kind of personal information their children can share on social networks.
In a separate study, Pew Research found that 91 percent of American adults say that consumers have lost control over how their personal information is collected online and used by companies.
Privacy, Parenting and Teens
Since practically the entire planet is digitally connected, teens constantly access, use and share information with their peers. Yet many say they withhold information from their parents about what they do online. Highlights from a recent survey from NCSA and Microsoft include:
• Sixty percent of teens say they have created an account that their parents were unaware of, such as on a social media site or for an app they wanted to use. In contrast, only 28 percent of parents say they were aware their children had created such accounts.
• Only 13 percent of teens report that their parents are completely aware of the full extent of their activities, while 17 percent say their parents are only somewhat aware.
• Twenty-one percent of teens believe their online activities should be kept private from their parents.
• Nearly half (47%) of teens are very concerned about having someone access their accounts without permission.
• Only nine percent of teens say they would talk to their parents all the time about the problems they encounter online. In contrast, 30 percent of parents say their children are likely to communicate with them all the time about online problems.
Consumer Concerns
Retail businesses gathering customer information to identify spending behavior and consumers plugging in bank information to buy the latest product have made it easier for cybercriminals to hack stored data from vulnerable devices.
Among the recent findings from various privacy and security-related studies:
• Forty-eight percent of consumers said their greatest concern was a potential security-related hacking into a home system.
• By comparison, privacy concerns about protecting personal information were cited by only 33 percent of respondents.
• The 25-to-34-year-old demographic is driving the majority of mobile payments activity for in-store purchases, with almost 50 percent saying they use mPayments at least once a month.
• A Pew Center study found 81 percent of parents said they were very or somewhat concerned about how much information advertisers can learn about their child’s online behavior.
• Eighty-eight percent of people know that identity theft is a potential issue when using public WiFi; however, 39 percent of public WiFi users have accessed sensitive information and 25 percent have logged into their online bank accounts while on public WiFi.
Internet of Things
From a security standpoint, the internet of things (IoT) is driven by personal information, allowing it to evolve into an internet of me and making it increasingly important to understand what personal information is being used to access new smart devices.
Following are some key findings from an NCSA survey in cooperation with ESET, a premier internet security software maker:
• A majority of respondents (88%) have thought about the fact that IoT devices, and the data they collect, could be accessed by hackers.
• Fifty percent have been discouraged from purchasing an IoT device due to concerns about cybersecurity.
• Nearly one in four use an app from their mobile device or computer to remotely access or control devices in their home (e.g., front door lock, home security system, TV, thermostat).
• Seventy-seven percent know that some cars may be vulnerable to hacking, and 45 percent are somewhat or very concerned that their cars could be hacked.
• A majority (85%) know that some computer webcams can be accessed by hackers to spy on them, and 29 percent are or have been afraid that someone might have accessed their webcams or video calls without their consent.
Wearables
It is important to remember that consumer-generated health data is not protected by the Health Insurance Portability and Accountability Act (HIPAA) and other data privacy assurances. Personal data culled from all types of wearables, such as fitness trackers and smart watches, provides tremendous insight into an individual’s state of health and lifestyle, but can find its way to employers, third parties and cyber culprits. This can result in a range of privacy vulnerabilities, including identity theft, employee discrimination and leaked health records.
• The retail value of wearables is projected to hit $45 billion in 2021.
• Gartner estimates that more than 1.4 billion health and fitness units will ship by 2020, up from roughly 300 million today.
• In a PricewaterhouseCoopers study on fitness devices, 70 percent of respondents had concerns about their data being transmitted via smartphone and 78 percent took issue over the security of their medical data.
Healthcare
As the proliferation of connected information has transformed our day-to-day lives, medical professionals are tapping into the connected world by eliminating hard copy filing and moving into digital record keeping. Likewise, patient and insurance companies are able to view and access Social Security numbers, financial information and medical history, all from connected devices, serving as a gateway for hackers.
• Healthcare data breaches involving more than 500 records were reported to the Department of Health and Human Services’ Office for Civil Rights by mid-year in 2016. During the same period in 2015, 143 data breaches were reported.
• A Ponemon Institute study found nearly 90 percent of healthcare organizations suffered at least one data breach in the last two years.
• Under HIPAA, it’s illegal for healthcare providers to share patients’ treatment information, yet more than 30,000 reports regarding privacy violations are received each year.
• According to a recent study by the Healthcare Information and Management Systems Society, the vast majority of provider respondents (77%) cited medical identity theft as cyber criminals’ primary motivation.
• Criminal attacks are the leading cause of half of all data breaches in healthcare; employee mistakes, third-party snafus and stolen computer devices are the root cause of the other half.
Social Media
Social media activity continues to be one of the most popular online activities around the globe, including everything from personal news updates to photo sharing and live streaming video. However, contrary to the popular perception that social networking is an activity enjoyed almost exclusively by teens, a Pew Internet and American Life study showed that the majority of all networking site users are adults. The growing number of adults using these sites is an indicator of the potential security risks.
As convenient as these platforms are to communicate, privacy settings don’t always prevent personal information from being shared beyond the intended audience and without a user’s knowledge.
• Eighty-two percent of cyber stalkers use social media to learn information about potential victims, such as where they live and which school they attend.
• According to a Pew Research Center study, 16 percent of teen social media users said they set up their profile or account so that it automatically includes their location in posts. In this same study, 64 percent of teens with Twitter accounts say that their tweets are public.
• The NCSA/Microsoft survey revealed that from a privacy perspective, teens report that they are very concerned about someone:
- sharing personal information about them online (43%).
- having a photo or video shared that they wanted to keep private (38%).
- receiving unwanted communications that make them uncomfortable (32%).
Tracking and Responses
The FBI periodically details a wide range of known criminal cyber activities. Viruses, worms, Trojans, computer intrusions, Web site attacks and defacements, denial-of-service attacks, identity theft, privacy breaches and child pornography are included as just some of the better known examples.
Attackers fall into a range of categories, including disgruntled and dismissed employees, domestic and overseas competitors, terrorists and even foreign governments, exemplified by how Russia meddled in the U.S. elections of 2016. Scores of Web sites are now readily vulnerable to international hackers and virus writers in numerous languages and cultures.
Types of attacks have a spectrum of their own, ranging from the $45 million stolen from ATMs worldwide by hacking into consumer prepaid credit card accounts, to the cyber Pearl Harbor warned of by former Defense Secretary Leon Panetta. The secretary singled out the country’s utility grids, financial networks and transportation systems as being particularly vulnerable.
As government, global e-commerce and mass computer use continue to grow, cybersecurity initiatives become all the more pressing. Simultaneously, progressive changes in intruder techniques increase the difficulties of predicting or detecting attacks or of limiting their potential damages. In short, such sophisticated threats demand truly sophisticated responses. As a result, President Obama signed an executive order in February of 2012 directing federal agencies to develop standards for improving cybersecurity in the private sector. Amid such a backdrop, southwestern Pennsylvania has become the premier center of excellence in cybersecurity.
CERT® Coordination Center
The first organization of its kind, the Computer Emergency Response Team Coordination Center (CERT/CC) was created in Pittsburgh in 1988. Part of Carnegie Mellon University’s Software Engineering Institute, it is a nationally recognized cybersecurity center that has been leading the way in computer security response and research since its inception. Following the Morris worm incident, which brought 10 percent of Internet systems to a halt in November 1988, the Defense Advanced Research Projects Agency (DARPA) charged the SEI with establishing a center to coordinate communication among experts during security emergencies and to help prevent future incidents on a national basis.
Today, working with the Department of Homeland Security, CERT/CC alerts U.S. industry, defense contractors and computer users worldwide to potential threats to the security of their systems and provides information about how to avoid, minimize or recover from the damage. The center has played a key role in coordinating responses to major security events, such as the Code Red worm, Melissa virus and, most recently, the DNS Changer, the Rootkit viruses and the Flame and Olympic Games Trojans.
The CERT/CC’s primary charge is to preempt or respond to any threats to the security of the Internet, and the millions of computers connected to it, and to analyze product vulnerabilities that place organizations and individuals at risk. The CERT Program partners with government, industry, law enforcement, and academia to develop advanced methods and technologies to counter large-scale, sophisticated cyber threats. The CERT/CC is part of the SEI’s CERT program, which ensures that appropriate technology and systems management practices are used to resist attacks on networked systems, to limit damages and to ensure continuity of critical services in spite of successful attacks (survivability).
Numerous alerts, vulnerability reports, educational guides and other statistics are published by CERT each year. To accomplish its mission, CERT/CC is organized into several different work areas that encompass key capabilities and products.
Coordination
The CERT/CC works directly with software vendors in the private sector, as well as government agencies, to address software vulnerabilities and provide fixes to the public. This process is known as coordination. The CERT/CC promotes a particular process of coordination known as Responsible Coordinated Disclosure. In this case, the CERT/CC works privately with the vendor to address the vulnerability, before a public report is published, usually jointly with the vendor's own security advisory. In extreme cases when the vendor is unwilling to resolve the issue or cannot be contacted, the CERT/CC typically discloses information publicly 45 days after the first contact attempt.
Software vulnerabilities coordinated by the CERT/CC may come from internal research or from outside reporting. Vulnerabilities discovered by outside individuals or organizations may be reported to the CERT/CC using the CERT/CC's Vulnerability Reporting Form. Depending on the severity of the reported vulnerability, the CERT/CC may take further action to address the vulnerability and coordinate with the software vendor.
Knowledge Base and Vulnerability Notes
The CERT/CC increases awareness of security issues and helps organizations improve the security of their systems by disseminating information through many channels. Previously, the CERT/CC published vulnerability reports on a more routine basis in the CERT KnowledgeBase. Vulnerability Notes include information about recent vulnerabilities that were researched and coordinated, and how individuals and organizations may mitigate such vulnerabilities.
Although the CERT/CC has not published annual vulnerability report totals since 2008, its archive catalogs approximately 41,000 vulnerability reports from other sources worldwide.
Vulnerability Analysis Tools
The CERT/CC provides a number of free tools to the security research community. Some tools offered include: