"Are computer vulnerabilities growing faster than measures to reduce them? Carelessness in protecting oneself, tolerance of bug-filled software, vendors selling inadequately tested products, or the unappreciated complexity of network connectivity has led to…abuse…" (Lukasik, 2011).
The evidence is overwhelming that cyber crimes are not only increasing each year, but the sophistication of the attacks is greater each year and the impacts of attacks are more severe each year as well. While cyber criminals' activities are taking a greater toll around the world -- and in St. Louis -- there is a great need to organize a Cyber Crime Task Force that incorporates appropriate private and public agencies, including law enforcement, the FBI, the U.S. Attorney's Office in St. Louis, and other relevant organizations. Thesis: Cyber crimes are happening at a faster rate than ever before and the attacks are taking a greater impact each year. Unless strategies and policies are put in place, cyber criminals will continue to severely impact web-based organizations, businesses, and governments as well.
Current Cyber Crime Threats in the United States -- Update
"The Internet has turned reputation on its head. What was once private is now public. What was once local is now global. What was once fleeting is now permanent. And what was once trustworthy is now unreliable" (Lipton, 2001).
According to a 2013 study referenced by the news channel CNBC.com, one-third of businesses and private organizations saw an increase in cyber attacks in 2013. The report cited by CNBC.com -- presented by the consultancy EY -- reports that thirty-one percent of the senior executives (in 64 countries) that responded to EY's survey had increases in cyber security incidents of at least 5% over the previous dozen months. That said, some 83% of the 1,900 executives surveyed indicated that their security preventative measures "…do not meet their needs" (CNBC.com, 2014).
About half of the 1,900 companies surveyed indicated that they suffered from a "…lack of skilled resources toward innovating solutions that can protect them against the great unknown" (CNBC.com, p. 1). Eleven percent of the 1,900 global companies polled indicated that their companies suffered from "…a lack of executive awareness or support for fighting cyber security" (CNBC.com, p. 1).
The list of companies and organizations that have been compromised by cyber crime is long and the damage is severe. The Reuters' sources that were referenced by RT.com indicate that besides Target "…at least three other well-known national retailers" were attacked by the same virus.
In fact, the same virus that attacked Target's servers also attacked Neiman Marcus group (and stole personal data from Neiman Marcus customers); that virus is named KARTOKHA (means "potato" in Russian) and hence there is a strong suspicion at the U.S. Department of Homeland Security -- and its "National Cybersecurity and Communications Integration Center" -- that "Russian speaking codeheads from the former Soviet Union" were responsible (RT.com).
The Biggest Cybersecurity Threats of 2013 and 2014 for St. Louis
Security "evangelist and researcher" Tomer Teller asserts that cyber criminals are using "social engineering" tactics to steal information from citizens. That is, users of Facebook and Linked In and other social media sites are being targeted because their personal information is so readily available. The second kind of cybersecurity threats Teller warns about involved "Advanced Persistent Threats" (APTs); these are highly sophisticated and "carefully constructed" threats to corporations and governments in which a "low-and-slow" approach is used so they are difficult to detect (Teller, 2013). These APTs offer a chance for criminals to steal information quietly -- and not all APT attacks are used against giants like Microsoft Word, Teller continues. The APTs attack embedded systems as well, that have Internet protocol addresses, which means that "building security into these systems has never been more important" (Teller, p. 2).
Internal threats are also considered dangerous by Teller; they can be "…the most devastating" of all security threats because an insider can obtain a tremendous amount of data in preparation for the attack. The CERT Insider Threat Center at Carnegie Mellon University's Software Engineering Institute -- and the U.S. Secret Service -- believe that "malicious insiders" in the banking and financial industry can "typically" get away with fraud and theft for "nearly 32 months" prior to being detected (Teller, p. 1).
The fourth ongoing threat to citizens of St. Louis and elsewhere is the opportunity for criminals to hack into personal devices. In fact the huge growth in the use of iPhones, Android Phones and other personal devices open the door as a "potential gateway for attackers" (Teller, p. 2). Web-based attacks can hit personal devices the same way they can access personal desktop computers, Teller goes on; and because smart phones are now used in the workplace, the criminals can likely circumvent the "detection mechanisms mobile vendors use") (p. 2).
The fifth threat that Teller talks about is "cloud security," the trend that companies use to store information in public cloud services; the cloud services are "juicy targets" for criminals, and can easily represent "…a single point of failure for the enterprise" (p. 3). Also, the author warns that the growth of HTML5 -- the sixth serious threat he presents -- is very real in 2014. HTML5 is the system that allows for "…the integration of various technologies" in cross-platform services, and no doubt as developers of HTML5 systems "a bound to make mistakes" attackers will surely "take advantage" (Teller, p. 3). The author also warns that botnets can be compromised and attackers are creating software that allows their malware attacks harder to detect. Malware appears disguised as a form of code, scripts, or active content but it is malicious software; it may be a virus, a worm, a Trojan horse, spyware, adware or simply rouge software disguised as security software. "Millions of malicious URLs are used as distribution channels to propagate malware all over the web… [and] victim systems fall in the control of the attackers" (Chang, et al., 2013). Firewalls and other digital security technologies "have only limited capability to mitigate this new problem," Chang explains.
What are the Greatest Cyber Crime Threats in St. Louis County?
"We need to abandon the belief that better defenses alone will be sufficient. Instead of just building better defenses, we must build better relationships. If we do these things, and if we bring to these tasks the sense of urgency that this threat demands, I am confident that we can and will defeat cyber threats, now and in the years to come…" (FBI Director Robert S. Muller).
The cyber crime threats in St. Louis County in a very real way mirror the cyber crime threats elsewhere in the United States. It is likely that the most prolific cyber crime in the St. Louis area is child pornography, "obscenity toward children," and "enticement of children for sexual conduct" (Gilbreth, 2012).
Meanwhile, the St. Louis Chapter of InfraGard -- an information sharing and analysis organization that combines knowledge of cyber threats with hands-on experience in criminal detection -- is a partnership between the Federal Bureau of Investigation and businesses, academic institutions, law enforcement groups and other private organizations. The role of the St. Louis Chapter of InfraGard is to acknowledge and response to denial of service attacks, network intrusions, and state-sponsored hackers that are "bent on compromising national security" and on stealing personal data of consumers from corporate websites (InfraGard, 2013).
Monitoring the training / seminar sessions that the St. Louis Chapter of InfraGard has provided to private industry and other members of the organization gives the researcher an idea of the greatest threats to St. Louis County.
For example, in 2013 the Chapter brought in two fraud investigators from MasterCard to review the need to protect citizens' credit cards in St. Louis County. The Chapter has also zeroed in on the vulnerability of mobile devices (smartphones), on social network vulnerabilities (due to personal and professional information being readily available).
Which three types of cyber crime should the task force prioritize?
First, child pornography and solicitation of children for sexual acts (over the Internet) should be at or near the top of the list. Second, Internet criminals who hack into company and government websites to steal personal data (where a person lives; where a person works; what activities the person engages in) is a vitally important component of a future task force in the St. Louis area. And third, credit card fraud -- which includes those criminals that hack into commercial websites and steal debit and credit card information -- is a big problem in St. Louis and should be an important part of the business of a task force for this area.
As to the child pornography and solicitation issue, there are so many instances of inappropriate behaviors vis-a-vis children online that Missouri was obliged to pass a new law in 2012 (statute 565.090). That legislation includes a "…new criminal provision for recklessly frightening, intimidating, or causing emotional distress to another…" who is seventeen or younger (Gilbreth, p. 16).