A panel of cyber-security experts talked about the changing security landscape and how multinational collaboration is helping bring down some of these criminal syndicates.
Despite the constantly
changing security landscape with evolving threats and new tactics, there are
several key victories in the fight against cyber-crime, experts said.
There is big money in the
Internet, said Adam Palmer, Norton lead cyber-security advisor at Symantec, and
that applies to both businesses and criminals. It's important for the industry
to work alongside law enforcement to share information about the latest threats
and technology to fight cyber-crime, Palmer said at a "Tackling Digital Crime"
panel, held Feb. 17 at Fordham University.
"Is cyber-crime real? Are we
winning the fight?" asked Kevin Kelly, a professor in the computer and
information science department at Fordham University and moderator of the
panel.
About 73 percent of all Web
surfers in the United States have been hit by some kind of cyber-crime,
according to Palmer. Over 7 million people had their identities stolen in 2009,
he said.
The key motivation for
cyber-criminals is, quite simply, "money," said Dan Larkin, director of strategic
operations at the National Cyber-Forensics and Training Alliance. Regardless of the
type of attack used or the target, criminals are out to get more money, he
said.
Cyber-crime can be old
crimes committed in new ways, Palmer said. The fact that criminals are stealing
money, property and information is not new, but now they are using computers
and the Internet to make the tasks easier.
Cyber-crime "is definitely
real" but the problem is in tracking down the criminals, said Christopher K.
Stangl, a supervisory agent at the FBI New York Cyber Branch. Even if the crime
occurred in the United States, the perpetrators could be in a different
country, Stangl said. It's a challenge figuring out how the criminals did what
they did and finding out where they are, he said.
Law enforcement officials
from different countries are now also more willing to work together, Stangl
said. Even 10 years ago, if the FBI identified criminals using a Russian IP
address, "it was forget it, nothing we can do," said Stangl. That's no longer
the case as the FBI conducts joint operations with other countries to share
information and make arrests, he said.
The FBI had a "significant
amount of success" in 2010 against cyber-criminals, Stangl said, naming the shutdown
of the Mariposa botnet, the arrest of the Mega-D
mastermind and the capture of several members in the gang behind the Zeus
Trojan, among other arrests. The biggest achievement was "disrupting the
groups," according to Stangl.
A "real time exchange" of
government intelligence is critical, according to Palmer.
It's "tough" to say whether
cyber-crime is becoming a bigger problem because it is constantly changing,
said Larkin. The challenge facing the industry and law enforcement is
continuously figuring out the best methods to find and catch the criminals, Larkin
said. It's an evolving process, he said.
The industry is constantly
playing "catch-up" to criminals, Palmer said. With the proliferation of mobile
devices, criminals have new ways to attack, he said. Security used to be about
enforcing the perimeter, but that's no longer the case when one can "check
Facebook from the TV," or regularly uses cloud-based services, Palmer said.
"There are more
opportunities for bad guys to generate revenue," he said.
Without calling out any site
in particular, the panelists said users not being careful with their identity
information on social networks were a bigger threat than malware on the
platform. Criminals can use the information on a victim's profile, such as
organization affiliation, favorite stores and names of family members, to target
the victim, Palmer said.
Social-engineering attacks
are more likely to target small businesses to steal money from their bank
accounts, Stangl said. While "it used to be the case" that cyber-criminals
would cast a wide net and send out hundreds of thousands of spam messages,
there is a clear shift toward more targeted attacks, he said. Spear phishing is
more effective and can net millions of dollars despite the smaller number of
victims, according to Stangl.
Larkin also noted that a
targeted attack on a small firm might lead the attackers to high-value client accounts
and wealthier victims.
The good news is that
consumers are becoming more security-conscious and people in general are much
more cyber-aware than they used to be, according to Palmer. There was a time
when judges didn't know what a Website was, Palmer said. The bar is slightly
higher now, because now the judges want to know what a "hash value" in
programming code is, he said.