At the InfraGard Cyber-Defense Summit, security experts discussed the costs of cyber-crime and cyber-fraud, and ways to defend against cyber-criminals.
Cyber-crime continues to
flourish as perpetrators continually evolve new attacks and scams to compromise
users and steal money and information, but there are certain things enterprises
can do to protect themselves, security experts said at a cyber-defense summit.
insider threats to corporations, risk assessment and the costs of cyber-crime
were some of the topics covered at the New York Metro InfraGard Cyber-Defense
Summit in New York City on Sept. 14. The event focused on current threats
facing organizations and providing information on how to prevent future
Some types of cyber-fraud
such as identity theft, and check and payment card fraud have been declining
since 2006, said David Nelson, a specialist with the Federal Deposit Insurance
Corporation's Cyber-Fraud and Financial Crimes section.
The decline is partly a
result of the improvements financial institutions have made in their security
practices such as implementing new anti-fraud technology, said Nelson.
Increased adoption of regulations, such as the Payment Card Industry Data
Security Standards (PCI-DSS) and the guidelines
from the Federal Financial Institutions Examination Council
helped financial institutions secure customer accounts from theft.
Organizations are also sharing more information with each other and law-enforcement
agencies, making it much easier to recognize fraud and investigate incidents.
However, criminals are
innovative and flexible, so instead of giving up, they've switched targets,
according to Nelson.
account takeover attempts
have been increasing each year, with estimated
losses approaching $114 billion in 2010. Attackers are relying on various
social-engineering tactics to trick users into clicking on a phishing or
spear-phishing email, opening an attachment containing a malicious Adobe
document or opening a link posted on the social networking sites, said Nelson.
More than half of all wire-fraud activity tends to be initiated by attackers
after compromising an online bank account, he added.
Contrary to popular belief, the
money is not going straight to China, Korea or another international
destination. In fact, domestic transfer accounts for 40 percent of fraudulent
wire activity, with funds being transferred to other institutions around the
country, such as New York City.
The good news is that banks
are winning for the time being, said Nelson.
Losses from online bank
account takeovers in the first quarter of 2011 were nearly half the losses in
the fourth quarter of 2010. Financial institutions were doing a much better job
stopping fraud in the first quarter, as only 27 percent of incidents went
undetected, compared with 40 percent in the fourth quarter of 2011.
It's not just banks that are
uncovering incidents, as customers, vendors and service providers and law
enforcement are also vigilant and reporting fraud.
Many banks and credit unions
have implemented multiple layers of security controls, deployed virtual
browsers that cannot be easily compromised to their customers for online
banking and installed anomaly-detection systems on their network, according to
Nelson. Customer education and awareness programs are also having an effect.
These are "controls
that are working" and should continue to be deployed, said Nelson. However,
organizations need to continue monitoring and assessing risk.
A recent study from the Financial
Services Information Sharing and Analysis Center
found that financial
institutions are doing a better job of stopping funds from leaving the
institution even after the cyber-criminal creates the fake transaction. In
2009, financial institutions managed to stop funds from actually being transferred
only 20 percent of the time. The number rose to 36 percent in the first six
months of 2010, the survey found.
Larry Ponemon, founder of
the research firm Ponemon Institute, discussed his organization's cost
of cyber-crime study
that was released early August. The study, found that
the median cost of cyber-crime for a benchmark sample of organizations was $5.9
million per year, a 56 percent increase from the median reported in July 2010.
All industries fall victim
to cyber-crime, including malware, Web-based attacks, botnets and stolen
devices, according to Ponemon. Information theft was the biggest external cost,
and recovery and detection activities were the biggest internal cost, the study
Organizations should be
"vigilant" about new risks but should not forget about "old
problems," said James DeFalco, an examining officer with the Federal
Reserve Bank of New York. Unpatched or forgotten machines are likely to be
infected first and allow attackers to conduct attacks from inside the firewall,
according to DeFalco.