Sunday, October 18, 2020

Warnings, alarms, and an aneurysm: the awareness juggling act (Cybersecurity Awareness Month, D18)

A vague and unhelpful warning, based on an image by Ingo Doerrie on Unsplash

One Friday evening, about 15 years ago, I arrived home from an out-of-town cybersecurity conference to find a letter from my cardiologist's office that simply said: "Aortic aneurysm detected, please call."

You're probably wondering what this has to do with Cybersecurity Awareness Month, and to be honest, it will take about half a dozen paragraphs for me to get to the connection, but please stick with me (we are now on Day 18 and it's a Sunday, so I'm feeling particularly reflective).

I don't know how familiar you are with human biology, but when I got that letter I was in my early fifties and less medically knowledgeable than I should have been, despite more than a decade of treatment for high blood pressure and being under the care of a cardiologist. My point is this: the words aortic aneurysm sounded deeply scary to me, but at the same time I didn't know what they meant.

My first thought was to call the cardiologist's office, but of course nobody was there because it was Friday evening, so I left a message to call me back ASAP, knowing that I probably wouldn't get a call any sooner than Monday. 

The next thing I did—as you can probably guess—was google aortic aneurysm. The results only added to my growing sense of dread, for example:

Aortic Aneurysms: The Silent Killer
Abdominal aortic aneurysms are the third leading cause of sudden death in men over age 60. Aneurysms are often called a “silent killer,” ...

Aortic Aneurysm - Cause Of Death For George C. Scott
Abdominal aortic aneurysms are the 13th leading cause of death in the U.S. Rupture of an abdominal aneurysm is a catastrophe. It is highly lethal and is usually ...

And those weren't tabloid newspaper headlines. Those were web pages from reputable sources (a university hospital and a division of WebMD). By this time my partner was urging me to calm down. She did her own googling and pointed out that even the Silent Killer article actually said, towards the bottom of the article:
"Fortunately, at least 95 percent of these aneurysms can be successfully treated if detected prior to rupture. Finding and treating an aortic aneurysm before the aneurysm ruptures is vital for patient survival."
And this is where I see the connection to one of the great challenges of cybersecurity awareness: how do you persuade people to act in ways that reduce the risk of something causing them considerable harm, but without freaking them out? Here are three cybersecurity examples to consider as we try to answer this question: 
  1. If criminals get your Social Security number and decide to abuse it, the effects can be very upsetting and potentially costly. That's why you need to protect such information.
  2. If criminals acquire your credentials for the network at the hospital where you work, the effects can be very upsetting and potentially deadly. That's why it's important to protect such information.
  3. If an adversarial nation state actor acquires your credentials for the network at the power plant where you work, the effects can be very upsetting and potentially trigger regional destabilization that leads to armed conflict. So be sure to protect your network login.
I don't see anything factually inaccurate about these statements, and all three are making worthy assertions about protecting information systems; but it seems to me that there's something "off" in #2 and #3. They escalate from security awareness to "deadly" and "armed conflict" in a way that might be alarming and unhelpful to a general readership. But these examples do help us to focus on a difficult question with which security professionals have wrestled for decades: how far should we go to make a point?

Consider what my good friend Winn Schwartau said in testimony to Congress in 1991: "Government and commercial computers are so poorly protected today, that they can be essentially considered defenseless. An electronic Pearl Harbor waiting to happen." In my opinion, then and now, that was a valid statement and made a point that urgently needed to be made. 

However, other people, now and then, have criticized this testimony as alarmist, an adjective that the OED defines as "a tendency to exaggerate potential dangers or an eagerness to express fears or concerns publicly; esp. that creates needless worry or panic in this way." In other words, raising the alarm can be a good thing, but not always, depending on how, when, why, and to whom you do it.

One traditional approach to the balancing act we might paraphrase as "alerting people to something that could cause them considerable harm without freaking them out" has been to adjust the message according to the audience. Get it right, which I believe Winn did in his 1991 testimony to Congress, and you are performing a valuable public service. Get it wrong and you can end up getting all kinds of grief.

Ironically, nearly three decades later, that balancing act is trickier to perform than it used to be, thanks to the World Wide Web. What I mean is that publishing information on the web is not targeted, even if you think it is. You might write for a technically savvy audience and think that's who is going to read what you write, so you can assume they will interpret your meaning accordingly. But unless your writing is hidden from search engines and/or protected by a paywall, your words may be read by people from a wide range of backgrounds, with varied levels of education, holding a variety of differing views about life.

That is why the guidelines for creating awareness content intended for use during Cybersecurity Awareness Month include the following advice: 
  • Don’t write material that feels threatening or fear-based
  • Avoid painting scenes like cyber-criminals waiting at every online intersection ready to steal social security numbers
  • Promote practical, empowering steps people can take

My initial reaction to seeing those guidelines was concern that they did not align with the sense of urgency that I feel about the need for humans to do better at cybersecurity. But on reflection—remember I said this was a day of reflection—I think they strike the right balance for messaging to the general population. 

There are indeed practical steps that people can take to reduce the odds of becoming a victim of cybercrime, and we should make sure everyone is aware of them. That is what cybersecurity awareness is about. The work that needs to be done to get politicians and policy makers to address cybersecurity with greater vigor than they have so far, that is something else.

Finally for today, if you're still wondering—and I hope you are—what happened with the aortic aneurysm alert that kicked off this article, here's the short version. After a less than happy weekend, I saw the cardiologist early the next week. He told me the aneurysm was relatively small but I needed to keep my blood pressure low, eat less salt, and more bananas (for the potassium). When I asked him how I could tell if the aneurysm was becoming a serious problem he said: "You'll just feel a sharp pain in your back but it won't last long because you'll soon be dead."

Shortly after that I got a second opinion, from the Mayo Clinic. The cardiologist there told me I didn't have an aneurysm and I would probably be fine if I avoided all alcohol and chocolate, kept my blood pressure low, ate less salt, and consumed more bananas (for the potassium). I cut back on most chocolate and all alcohol (ironically, just before going on a trip to Moscow with Winn, but that's another story). 

I also quit my somewhat stressful job as Chief Security Executive for an Internet provider (to help with the blood pressure and take stock of my life). Then, after about five years—during which we had to struggle hard to survive the Great Recession and my atrial fibrillation got worse—I went back into cybersecurity, working for a company that had an excellent health plan.

So I saw a cardiologist about my AFib and, after a failed attempt to reboot my heart in the hopes of restoring a normal rhythm, he said there was nothing else he could do for me ("just keep taking the potassium pills"). That motivated me to figure out the underlying cause of all my heart problems. Turns out it was a condition called primary aldosteronism, which can sometimes be corrected with surgery, and in my case it was. I still have a wonky heartbeat, but my blood pressure is fine without any medications or added potassium.

And that's why, when it comes to dealing with risks, early awareness and accurate information are important, as is an appropriate level of motivational fear. However, when you're trying to reduce risk, there's nothing like addressing root causes.

Do your part, #BeCyberSmart

Saturday, October 17, 2020

Old school security awareness, a blast from the digital past (Cybersecurity Awareness Month, Day 17)


Why use an image of people being cyber-smart on their phones today, day 17 of Cybersecurity Awareness Month? Because it occurred to me this morning that I got into computer-related security awareness before the general public started using computers as phones (or phones as computers). 

In fact, this article is essentially a reprint of some basic computer security advice that first appeared in print nearly 30 years ago. (It lives on in my old security book, a free PDF version of which is available, in three parts, on this blog—the links are near the top right of the page you are now reading. I keep this available as an historical artifact because...well, you know what they say about those who don't learn from history: they may decide to go back and read it some day.)

What follows, all the way to the last few lines of the article, was written way back in the first half of the 1990s:

You might be surprised to see people at the top of the personal computer security agenda. After all, we are talking high-tech problems here. However, security also is a people problem. Computers are a human invention, and if they don't work properly, it is humans who get hurt—sometimes financially, sometimes even physically.

For the most part, the impediments to successful computing are human in nature, and not technical. If everybody woke up tomorrow thinking that it was wrong to mess with other people's information, then the next edition of this book would have fewer pages and sell fewer copies. Until this happens, the sad fact is that effective implementation of personal computer security requires you to take a dim view of human nature.

Of course, it is not the purpose of this text to determine whether people are essentially good or evil. However, we can state categorically that human beings are, to varying degrees, devious, grasping, and downright rotten. To secure yourself and your organization against such character traits, you must be prepared to think like your adversary and realize that sometimes he or she is a miserable specimen (there are times when the expert in personal computer security is sorely tempted to agree with Sartre when he said "Hell is other people.")  

People might be your biggest risk, but they also are your best resource. Successful personal computer security depends upon good people more than anything else. If you have motivated, diligent, and careful people working with you, then a greater degree of security can be obtained and with less hassle. Without the cooperation of the people involved, even the most sophisticated security devices will fail. With cooperation, high levels of security can be obtained without recourse to expensive equipment. 

What is clear from experience is that both management and employees have security responsibilities. Working together, they can be very effective in protecting the company's computer resources. The British Government's 1993 Audit Commission report on computer abuse noted several areas of management responsibility:

  • The chief executive and management board must be determined to instill an awareness of the importance of computer security and be prepared to act when breaches occur. 
  • Line management in user departments must ensure that access to facilities complies with the organization's standards. 
  • IT management must assist in defining cost-effective controls that protect the data that it is holding and processing on behalf of others. It should educate users in the need for controls over computerized data. 

The same report identifies one other key element within management: internal auditors. They have a responsibility "to test and advise on the adequacy of security and controls...bring to management's attention any shortcomings...and emphasize the risks of all forms of computer abuse." 

The following are six quick and relatively immediate steps that management can take to improve information security: 

Step 1. Post security rules. Write up a basic list of rules that users should follow to preserve security. Display them prominently. Issue a memo to each employee that states the same rules in a form that can be kept handy. Consider posting a copy of the rules on each personal computer. 

Step 2. Announce computer security enforcement. Let people know that compliance with the security rules will be checked and considered part of job performance.

Step 3. Announce computer security incentives. Let employees know that compliance will be rewarded. Remember that people who breach security have an incentive to do so, even if it is just boredom.

Step 4. Open a computer security hotline. Let people know where they can get advice on security issues and give anonymous tips about security violations or suspicious activity.

Step 5. Issue computer security alerts. These can highlight specific weaknesses that have come to management's attention and stress the ongoing need for vigilance in maintaining security. In some cases, you might want to issue alerts in response to news items involving security breaches, but beware of giving employees specific details.

Step 6. Appoint a computer security officer. This raises awareness of the issue and sends a clear message about the organization's commitment to security. You don't have to hire a new employee for this position, but you do need to back the person you appoint with the appropriate resources and authority.

These steps are just a starting point. They are not meant as a substitute for an in-depth risk analysis, security policy promulgation, and implementation program (these items are covered in the next chapter). The idea is to make big strides towards raising security awareness without spending a whole lot of money or scheduling a lifetime's worth of meetings. While these steps might sound like token gestures, they nevertheless can be very effective. For more detailed discussion about the human factors in computer security, see chapter 14, which suggests ways to improve security through a variety of personnel management tactics.

Here is a sample set of security rules:

ALWAYS:

1. Back up important data files.
2. Use your access password.
3. Use screen saver and keyboard lock.
4. Label all media and lock them up.
5. Check the ID of outsiders using PCs.
6. Report suspicious activity.
7. Scan floppy disks for viruses.
8. Log off unattended workstations.
9. Protect keys and passwords.
10. Assume someone somewhere is interested in stealing, damaging, or destroying your data and equipment.

NEVER:

1. Use obvious passwords, such as your name.
2. Write down, or be seen entering, passwords.
3. Share or reveal passwords.
4. Use same password for different systems.
5. Boot a PC with a floppy disk in drive A.
6. Install unlicensed software.
7. Make unauthorized copies of software.
8. Leave unprotected modems in answer mode.
9. Leave unlocked computers unattended.
10. Assume that nobody is interested in stealing, damaging, or destroying your data and equipment.

Friday, October 16, 2020

We interrupt regular programming with this FBI message (Cybersecurity Awareness Month, D16)

Warning from FBI: Potential Charity Fraud Associated with the COVID-19 Pandemic

Sad, but true: "the FBI and other law enforcement agencies have received reports of scammers fraudulently soliciting donations for individuals, groups, and areas affected by COVID-19. They are leveraging the COVID-19 pandemic to steal your money, your personal information, or both."

Yes folks, it is now day 16 of Cybersecurity Awareness Month, 2020, and the scammers are still scamming. Some have even sunk so low that they are taking advantage of a global pandemic that has sickened millions of people. What a sick way to rip people off. 

This particular FBI warning caught my eye as I was surfing the fraud news this morning because it was such a timely reminder that no target is off limits to scammers (you can read the full warning online here).

As you may know if you've been visiting this site recently or if you follow me on Twitter, this year I pledged to write one cybersecurity awareness post for each day of October. Given that there are 31 days in October, I figure day 16 is the midpoint. I also figure it's a good day to pause and thank everyone for sharing the first 15 articles on social media (remember hashtag #BeCyberSmart). All the sharing and awareness raising you can do is much appreciated.

So, I hope you don't mind if today's article is a short one. To be honest, I've been a bit distracted helping a friend who is worried they might have COVID-19. That's another reason the FBI alert caught my eye. Also, I love this line of actual FBI advice:

The best way to protect yourself is by doing your research. 

Amen to that! I recommend reading the FBI warning and advice and subscribing to future FBI alerts via email using the link on that page. 

Stay safe. #BeCyberSmart

Thursday, October 15, 2020

Cybersecurity Awareness Month, Day 15: Apartment rental scams and the Internet as fraud multiplier

A very good photo of an attractive and entirely legal apartment by Francesca Tosolini, kindly shared on UnSplash by @fromitaly
Back in September of 2011, I wrote: "Internet scams are not new, and some of the strategies they use are not unique to the Internet, but there is no doubt that the Internet can provide a multiplier effect for people intent on defrauding others."

Welcome to number 15 of the 31 blog posts that I am writing for Cybersecurity Awareness Month, October, 2020. Why am I doing this? Because ever since I made that statement, ethically-challenged individuals have repeatedly validated it, sometimes at scale, and at a cost to victims that is hard to calculate but now runs into billions per year. 

The graph on the right reflects only those losses suffered by victims of internet crime who filed reports with the FBI via IC3; yet it strikes me as pretty clear evidence that the Internet does indeed provide a multiplier effect for people intent on defrauding others. (For more on this data, see this post from a few months ago.)

I was reminded of this multiplier phenomenon a few days ago when I was writing about cybercrime victim support. When I wanted to show readers how much information fraud victims can find at FraudSupport.org, I picked Real Estate/Mortgage Scams as an example. And that's when I remembered the experience Chey and I had with this scam back in 2011, when we were looking for a place to live in San Diego.

We were moving to San Diego because that's where ESET, the Internet security software company, has its North American headquarters, and they had just hired me to work there. At the time we were living about 3,000 miles from San Diego, in Upstate New York. As it turns out, the move itself gave me the content for my first piece of work for ESET, an article published on what would become WeLiveSecurity, the award-winning cybersecurity blog.

I will paraphrase what I wrote back then: as geeks and researchers we saw this move as a chance to explore the impact of technology on the logistics of relocation, starting with a virtual reconnaissance mission to San Diego. Chey and I became immersed in online representations of San Diego. Using Google Earth and Google Street View we were able to acquire the lay of the land in San Diego County, starting with the downtown area around the ESET office and then venturing into adjoining neighborhoods. At the same time, I was entering important addresses—like the ESET office—into my Garmin GPS, while plotting a cross-country road trip using Microsoft Streets and Trips.

And then there was the virtual apartment hunting. 

While I pointed my laptop's web browser to Craigslist, Chey opted to use Craigslist Pro on her iPad. Almost immediately both of us spotted the same great deal: "Furnished 2BR/2BA Apartment $1,000/month." This was not just any apartment, it was a great looking apartment in a great location downtown, not far from ESET's offices, with great features:

"Fully furnished, the apartment has everything that you wished for, TV, DVD, a/c, internet, cable, towels and lines. The concrete walls make it quiet inside. Both bedrooms have walk-in closets. The rooms are very spacious…Very luxurious and modern."

This written description was supported by the very professional photos that accompanied the listing, one of which you can see here in this screenshot of the listing:

The part of the listing that was not supported—at least not by common sense—was the pricing of this fully furnished apartment. At $1,000 per month, the rent was suspiciously low, right on the edge of "too-good-to-be-true" territory. You would probably know this if you were already living in San Diego, but what if you were from out of town? People moving to the city for the first time—like us—could be taken in by this listing. Furthermore, the stress of moving to a new city might add to the temptation to believe this was a genuine deal.

But what was this listing trying to achieve? Someone had clearly made an effort to create an attractive and appealing listing, so there had to be a purpose. Was it a bait-and-switch scam? Or maybe a phishing exercise to obtain personal data? Or could it really be just a great deal from someone who was desperate to rent out their place?

As properly trained researchers, Chey and I decided to investigate. Using an online identity and email address reserved for just this kind of scenario, Chey contacted the person listing the property. The response pointed the way to the scam. 

In a nutshell, the scam goes like this: the con artist responds via email with a story about how she is out of the country, so she is proposing that the prospective renter send her the money for a deposit and the first few months' rent. Here is some of the language from the scammer's email:

"I have decided to rent the apartment because my financial situation is not so good at this time and I also cannot live in the US in the near future because I just received a new work contract on the Dunbar Oil platform in the North Sea (I work as an engineer ) and I will be there for at least 8 months per year….Because I am unable to show you the apartment in person I decided that it's better for both of us to use a multinational renting service, provided by Yahoo Real Estate."

Note that "Yahoo Real Estate" is another innocent bystander in this scam. Yahoo does NOT provide any property rental services. When someone responds that they are interested in renting, the scammer probably has a story about how it is cheaper and quicker to just send the money via Western Union. We did not take our research to that level because...we were trying to rent a real place so that I could start my real job, which included warning people not to fall for scams like this!

The multiplier effect of digital tech

So where does the "multiplier" effect of digital technology and the Internet come into the picture? Well, con artists had learned, well before the Internet existed, that people eager to rent a place to live could be tricked into paying money up front for a place, one that was either not real, or real but way different from the description, and not in a good way. What technology has done is make this scam:

  • easier, through digital images, online listings, and electronic communications; 
  • less risky, because the scammer does not need to be physically present; and,
  • more lucrative, because you can do it in many cities at the same time.

That last point became clear when Chey—after notifying Craigslist of the scam—did some more research and found out something very special about this apartment: a very similar apartment was being offered for rent—at exactly the same time—in Boston, and in San Francisco, also Seattle, Washington, and several other cities. 

The scam artist had simply localized the description in each listing, but used the exact same format, photographs and listing parameters in each city. In other words, here is a scam that might not be worth the effort if you could only do it in one location, but global connectivity and the ease of digital replication make it a much more appealing strategy for parting people from their hard-earned money. 

Have we moved on?

Fortunately, eventually, we found a real place to rent. It was right across the street from the ESET building in San Diego's Little Italy. And we found it the old-fashioned way: walking around the area and calling phone numbers we saw on "For Rent" signs posted in apartment windows. (Ironically, there were quite a few of those signs in 2011, due to another, much bigger scam: the one that the big banks perpetrated on the American public and which led to the Great Recession.)

As for the scam documented here, I recently found out that it had also been perpetrated in Sweden, which suggests to me that this particular scheme might be of Scandinavian origin. Here is someone's blog entry from July, 2011:

Look closely, toward the bottom, and you can see the infamous Dunbar Oil Platform gets a mention. The isolation of North Sea oil rigs is something that would ring true with folks in Scandinavia. However, digital forensics can be tricky. 

Remember this piece of text that I quoted from the ad: "internet, cable, towels and lines"? Did you spot that there was a typo? The word linens was spelled lines. When I quoted the scam listing on WeLiveSecurity I added "[sic]" to indicate that "the source is presumed to be erroneous and has been intentionally transcribed without correction." So it appeared in my article like this:

"internet, cable, towels and lines [sic]"

That was in 2011, but you can still find that exact text string, with the sic bit, out there on the Internet, and I don't mean in plagiarized uses of my article. In fact, I'm not sure why it is being used (there is currently one rental ad using it, but the listing is closed).

Cybersecurity Awareness Takeaway:
Search engines are your friends

That's right, whenever you have doubts about something you read on a website or in your email—like an unbelievably low price on something you need to buy—just copy or type part of the text of the dodgy item into the search box of your favorite search engine (e.g. Google, Bing, DuckDuckGo), and put it in quote marks like this:

"a string of text from the dodgy item"

For example, to check for this amazing apartment deal you could enter:

"Fully furnished, the apartment has everything that you wished for"

Very often it will be clear from the search results that other people have questioned this item, and you can steer clear of it. Of course, there is a chance this won't work, so a lack of results should NOT be taken as an "all clear." But it is a very handy sanity check that I use a lot.

#BeCyberSmart

Wednesday, October 14, 2020

Hacking is not a crime, and other problems with words in cybersecurity awareness (Day 14 of 31)

If you've been seeing messages about Cybersecurity Awareness Month you may find that you're now more aware of news headlines like these:

Hackers steal data from school district, post it on the internet 

Coronavirus: How hackers are preying on fears of Covid-19?

Well, on the one hand, I'm very pleased if you're more alert to news of this nature, and I hope that you keep reading about the problems described in the articles. On the other hand, I have to say that those headlines are somewhat misleading. I'm not saying they are fake news, far from it, but those headlines wrongly confuse hackers with criminals. They should read:

Criminals steal data from school district, post it on the internet 

Coronavirus: How criminals are preying on fears of Covid-19

To be clear: people who hack computers for criminal purposes are criminals, not hackers. There are many people who engage in perfectly legal activities that definitely are hacking. And some hackers are very noble and selfless people. For example, right now there are people constructively "hacking" together programs and devices that can help the world deal with the Coronavirus pandemic:

So, when editors and journalists lazily use hackers instead of criminals they are doing the world a disservice. As someone who has spent the better part of three decades trying to explain why the world needs to do more to shut down the criminal abuse of information technology, I can assure you that confusion over the word "hacker" has been a serious distraction if not an outright impediment. 

I have written about this criminal/hacker problem here, and there is a whole "Hacking is Not a Crime" organization devoted to remediating the problem. The non-profit organization's mission statement says that it is: "seeking to raise awareness about the pejorative use of the terms 'hacker' and 'hacking' throughout the media and popular culture. Specifically, the negative connotation in which the terms are so often associated."

The statement goes on to explain why that matters: 

"Hackers are often vilified and portrayed as evil, menacing, and even threatening individuals. Because of this, many hackers refrain from publicly disclosing physical and information security vulnerabilities they discover due to fear of legal retaliation. Subsequently, this is creating an increasingly hostile digital frontier due to compromises perpetrated by cybercriminals and threat actors. We therefore advocate state and federal legal reform which provides a safeguard for hackers conducting security research."

So, as your cybersecurity awareness grows, know that hacker does not equal criminal, and criminals who use hacking techniques to commit crimes are, simply, criminals.

For more on this, check out the Hacking is NOT a Crime website and follow @HackNotCrime on Twitter.

#BeCyberSmart

Tuesday, October 13, 2020

Basic resources for learning more about cybersecurity (Cybersecurity Awareness Month, Day 13)


It's day 13 of Cybersecurity Awareness Month and I'm guessing there are some folks out there for whom this is their first serious encounter with cybersecurity. We know for a fact that cybercrime has risen dramatically in 2020. By mid-April, FBI Deputy Assistant Director Tonya Ugoretz was saying that the number of internet crimes reported to IC3 had "quadrupled compared to months before the pandemic." In this article, written in May, I called it the Covid Effect (also available as a video).

So, if you're relatively new to cybersecurity you may find the jargon confusing. Or maybe you'd like to read more about cybersecurity but don't want to buy a whole book about it. I understand, and I say that as someone who has written whole books about it. 

I figured I would provide links to some resources for folks who are just getting into this. At the same time, these resources can be helpful if you're faced with training employees on security and/or raising security awareness among colleagues.

A Glossary of Common Cybersecurity Terminology: there are quite a few out there, but this one is nicely referenced and tied to standards.

A glossary more focused on malicious code: written by ESET malware researchers (malware is short for malicious software, also known as malicious code—like computer viruses and worms).

At StaySafeOnline.org you will find a good starting point for both learning about cybersecurity and helping others to understand the need for cybersecurity awareness. This site is also the hub of activity for the annual cybersecurity awareness month (October), now observed in many countries.

The award-winning blog WeLiveSecurity.com offers security news, advice, opinion, and security research, presented in five languages: English, Spanish, Portuguese, German, and French.

Here are some of the leading associations of security professionals, all of whom have websites with articles worth reading:

(ISC)2: International Information System Security Certification Consortium, best known for creating the CISSP credential (Certified Information Systems Security Professional).

ISSA: Information Systems Security Association, which has a lot of local chapters but is also international.

ISACA: began as the Information Systems Audit and Control Association but now goes by just ISACA.

AITP: a broader IT group, the Association of Information Technology Professionals is part of CompTIA, a leading provider of certifications in IT and security.

The articles on the Krebs on Security website might be of interest once you start picking up the cybersecurity lingo. This site is where journalist Brian Krebs reports on some of the more interesting cybersecurity problems (he's the one who broke the news of the Target breach, and quite a few more since then).

You can find a lot of cybersecurity news on the website of Graham Cluley, a security expert who is also a good writer and speaker. I encourage you to sign up for his newsletter, cheekily called GCHQ (the initials of Britain's top cybersecurity agency). 

Another good newsletter is Weekly Cybersecurity from Politico which examines the latest news in cybersecurity policy and politics.

In the same vein, check out the Third Way Cyber Enforcement Initiative where you can learn more about public policy issues related to cybercrime. All the articles there are written for non-technical readers.

There are lots more places to turn for cybersecurity information—including several subscription-based newsletters from women in cybersecurity that are well worth paying for. I will cover these soon, but the above should get you started.

#BeCyberSmart

Monday, October 12, 2020

Cybercrime victim support: positive developments, growing resources (Cybersecurity Awareness Month, D12)


Thinking before you click any link in an email is good advice. But as the second full week of Cybersecurity Awareness Month 2020 gets under way, it is important to bear in mind this simple fact: all the cybersecurity awareness in the world cannot guarantee that you won't be victimized by people intent on abusing digital technology for their own ends. 

Of course, that's no excuse not to learn, and do, as much as you can about cybersecurity, but I'm sure all of us have been tempted to click dodgy email links at one time or another. And who hasn't received one of those dreaded notification emails that are sadly real: "we're sorry but your account information was exposed by a breach of our security." In other words, becoming a cybercrime victim is sometimes out of our hands. And that brings us to today's topic: what to do if you're a victim of cybercrime?

Fortunately, this question is a lot easier to answer today than it was even five years ago because numerous agencies and entities have stepped up to help cybercrime victims. A notable example in the US is the Cybercrime Support Network. As you can see from their home page on the web, the Cybercrime Support Network (CSN) is "a public-private, nonprofit collaboration created to meet the challenges facing millions of individuals and businesses affected each and every day by cybercrime."

To help cybercrime victims CSN runs an excellent website at FraudSupport.org which can direct you to suitable resources based on whether you are an individual or a business and what type of problem you are dealing with (the website is much easier to use than this image is to read—I made this mash-up to give you a sense of how much help FraudSupport.org has to offer). 

There is a lot of helpful information for cybercrime victims on FraudSupport.org

FraudSupport.org defines cybercrime and online fraud as "any illegal activity involving the internet, such as websites, chat rooms, email, and social media accounts." Examples include advance-fee schemes, non-delivery of goods or services, or fake employment/business opportunity scams. Basically, we're talking any crime that involves the use of the internet to communicate false or fraudulent representations to individuals and businesses. 

One of the things I really appreciate about FraudSupport.org is how quickly you can find the right help when something has gone wrong. Suppose you're an individual who has experienced some form of internet-related fraud. Maybe you think someone is trying to scam you out of a deposit on an apartment. Chey and I ran into this scam a few moves ago and I'm going to blog about that experience later this week, but I wish FraudSupport.org had been around back then. These days, here's what you can do if this happens to you.

Go to the FraudSupport.org home page and select "I'm an Individual and I need help with..." You will be shown five categories. If you choose Financial/Purchase Scams you will be shown nine types of scams. In this example, Real Estate and Mortgage scams is closest to what you're dealing with. When you choose that option you get a page full of information about what you can do and who to contact. Furthermore, you are given a systematic approach to dealing with the problem in three stages: Report, Recover, and Reinforce. Links and suggestions are provided for each stage.
   
FraudSupport.org is the brainchild of Kristin Judge, a passionate advocate for cybercrime victims. And she's not stopping with online support. Her goal is to create a national cybercrime reporting infrastructure by 2021 so that anyone in the US will be able to dial “211” to report a cybercrime. Already the 211 number is ready to handle calls dealing with hacks and breaches in: Rhode Island; Kent county in Michigan; and Orange, Osceola, and Seminole counties in Florida. Check this site for more information.

More cybercrime victim resources

ITRC: In the cybercrime surveys I have seen and done, identity theft always shows up as a serious problem, one that can be particularly upsetting to victims. Fortunately, there is an Identity Theft Resource Center, the ITRC, to which victims can turn: 

"The ITRC is a non-profit organization established to support victims of identity theft in resolving their cases, and to broaden public education and awareness in the understanding of identity theft, data breaches, cyber security, scams/fraud and privacy issues."

FTC: In my opinion, one of the most consumer-supportive agencies in the US government is the Federal Trade Commission. The FTC offers good advice and resources on identity theft.

IC3: Another victim-friendly agency is the Internet Crime Complaint Center, often referred to as IC3. The IC3 website is the place to go to report a cybercrime of any kind. 

And this is a good place for me to add my own plug for the act of crime reporting. 

Even though reporting a crime can seem like a lot of effort, and the agency to which you report it may offer little hope of resolving things to your satisfaction, every report of a cybercrime adds weight to the argument that the government should devote more resources to cybercrime deterrence. 

I was several years into my study of cyber-criminology before I realized that a vicious cycle exists in which law enforcement folks who are eager to fight cybercrime can't get enough resources to pursue cyber-criminals because not enough cyber-criminal activity is reported, often because victims don't think law enforcement can do much about cybercrimes, which is too often true because they don't have enough resources, because not enough of the cyber-criminal activity that is happening is being reported...and so on.

So, please do report any cybercrime you encounter. Your crime report not only helps the effort to get more resources for, and more attention focused on, the struggle against cybercrime; your report might be the missing piece in a pattern that helps the authorities crack a case and identify suspects. And of course it could be the one case that convinces a decision-maker that "enough is enough" and it is time to fully fund cybercrime deterrence.

Thank you! 

Do Your Part. Report Cybercrime. #BeCyberSmart

Sunday, October 11, 2020

Cybersecurity awareness: history and the ethics factor (Cybersecurity Awareness Month, Day 11)


Encouraging people to think of cybersecurity as a shared responsibility is a recurrent theme in cybersecurity awareness programs. This probably strikes you as entirely reasonable if, like me, you think there is a clear need to establish norms of attitude and behavior in cyberspace, just as humans have done in meatspace. 

For example, I would argue that most humans today frown on things like theft, extortion, bullying, and deception for selfish or malicious purposes. In many instances, in many societies, such things are considered crimes, and traditional crime reduction programs have long encouraged consumers to "do their bit" to reduce crime (for example, I pass several Neighborhood Watch signs every time I walk to the corner store).

At the top of this article I have pasted one of the official graphics from the organizers of the 2020 Cybersecurity Awareness Month in the US. Here are three of the suggested social media messages that go along with this image, with emphasis added by me:

This message of shared responsibility has been stressed for many years. For example, here is a message from the 2014 campaign, known back then as National Cyber Security Awareness Month and referred to as NCSAM: 

Messaging about shared responsibility from National Cyber Security Awareness Month 2014

(Note that in 2014 the hashtag for cybersecurity awareness month was #NCSAM and a quick search today suggests some folks have not yet switched up to the 2020 tag which is #BeCyberSmart. However, fans of cybersecurity history can see tweets from 2014 with this search link.) 

My purpose in writing about this today, Sunday, October 11, 2020, which is day 11 of cybersecurity awareness month, is to encourage us to reflect on the fact that this theme of shared responsibility is based on several assumptions about ethics, such as: a) most people have a well-developed sense of right and wrong, and b) they are willing to apply this to their actions in cyberspace. 

Rather than delve into the validity of these assumptions—something I may do later in the month—today I just want to provide some historical perspective. To that end, please consider this statement:

During the last five years, hundreds of new security products have appeared, but hundreds of new threats have emerged. It is clear that ultimate success in the struggle to protect information depends not upon technology, but upon the development of appropriate ethical standards for the information age. 

Photo of the NCSA Guide to PC and LAN Security by Stephen Cobb, 1995
Can you guess when that was written? The answer is 1995. The "five years" to which the writer refers are 1991 to 1995. I know this because I wrote those words. They were published by McGraw-Hill in the final chapter of the NCSA Guide to PC and LAN Security* which came out towards the end of 1995. (I should point out that the NCSA in the title is not the same NCSA that runs cybersecurity awareness month—it's complicated.)

Today, I stand by those words. In fact, today I am even more firmly convinced that the development of appropriate ethical standards for the information age is of critical importance to our future. Back in 1995, I made this call to action:

We have to insist on higher standards of conduct on all sides. That means everyone, from users, who tend to flaunt software-licensing agreements, to vendors, who tend to prefer quick bucks over commitment to the user community, to CEOs, who demand growth without budgets for security and training, to employees, who don't realize that their continued employment depends upon effective security.

Thankfully, over time, I have seen numerous examples of people and organizations committing to higher standards of conduct, and enforcing them; but regrettably it appears that the world at large is still falling woefully short. The reasons for this are numerous and undoubtedly complex, but part of the problem is the slowness of our response to what I went on to say in that chapter:   

It also means teaching our kids to respect property and privacy rights in cyberspace, while providing them with educational and employment opportunities that keep them challenged (many of tomorrow's hackers will be kids whose curiosity about digital technology outpaced the meager facilities of underfunded or ill-managed schools).

Fortunately, the most recent five years have seen more attention paid to engaging young people in cybersecurity and hacking—in the best senses of that word. From established international events like DEFCON, to growing regional events like CORNCON, there has been a growing effort to encourage children to consider the implications of technology and the ethics of messing about with it. Young people can now participate in cybersecurity competitions like the national CyberPatriot program in the US, and also a range of regional programs (see these two videos on Mayor's Cyber Cup programs and how they are empowering a diverse group of young people). 

What I did not grasp clearly enough back in 1995, was the role of governments in addressing the ethics of digital technology and the many ills inherent in the abuse of digital technology. Here's what I did say then about the need for higher standards of conduct: 

[..it] means governments and corporations setting aside the cynical exploitation of the marketplace and public opinion so that bad actions are once again seen to have bad consequences, from the top down.

Twenty-five years ago I was concerned that the abuse of technology was not being taken seriously enough, with governments failing to appropriately prosecute computer intrusions and theft of intellectual property, even as they surreptitiously adopted these tactics for government purposes. At the same time, digital products were being marketed as though they could not possibly have any downsides at all.

While I was able to imagine things going badly if we stayed on that course, and have constantly warned of the need to change course, I did not think we would so quickly arrive at a point where a man aspiring to be President of the United States could not only get away with publicly urging foreign actors to criminally abuse the data systems of US citizens, but he would actually get elected on the back of them doing so.

So, in addition to being aware of what we can do to increase the security of information systems, we need to do what we can to ensure most people have a well-developed sense of right and wrong, and that they are willing to apply this to their actions in cyberspace. 

#BeCyberSmart

* The book is still listed for sale on Amazon, but I regained the copyright some years ago to make a free PDF version available, in three parts, on this blog—the links are near the top right of the page you are now reading—mainly as an historical artifact because some of the technology discussed in the book is no longer in use.

Saturday, October 10, 2020

In praise of vendor-neutral cybersecurity awareness (Day 10 of Cybersecurity Awareness Month)

Image of empty seats in front of a speaker who has been pitching product instead of educating the audience

Raising people's cybersecurity awareness can help reduce cybercrime and increase the chances that humans will enjoy a net benefit from digital technology. You might say the goal is to help us all "enjoy technology more safely." 

That sentiment is echoed in the tagline of a security software company called ESET: Enjoy Safer Technology. This article is about the connection between cybersecurity as an industry, and cybersecurity awareness as a public good. 

In my opinion, companies that sell cybersecurity products and services should not hijack Cybersecurity Awareness Month to pitch those products and services. I wrote something along these lines a few years ago in an article on LinkedIn titled: Vendor-neutral cybersecurity education: a New Year’s Resolution

Before going any further I should make it clear that I spent most of the last decade working for ESET with the title Senior Security Researcher. (I left last year, as explained here, and I am now a self-employed independent researcher, quoted as such by journalists in publications such as Bleeping Computer). 

At ESET I led a team devoted to analysing threats to information systems and the data they process, then sharing the implications of their findings with the wider world, through published articles, press interviews, and speaking engagements. And here's why that is relevant: we were under orders from ESET management to do all of this in a vendor-neutral way. 

In other words, even if a journalist were to ask me, as someone working for one of the world's largest suppliers of anti-malware products, "what can people do to keep malware off their systems?" my answer would be something like "install a reputable anti-malware product." I would not say "buy ESET anti-malware." (Sometimes, if I was pushed to name reputable security products I would list several, including ESET if it had a relevant offering.)

[Disclaimer: I no longer have any financial interest in ESET, no shares, no company pension, and I don't stand to gain anything if what I'm saying here leads you to buy the company's products.]  

Quite a few of those published articles, press interviews, and speaking engagements that I referred to earlier occurred in the context of cybersecurity awareness programs, including Cybersecurity Awareness Month. Indeed, ESET was a supporting member of NCSA, the body that orchestrates Cybersecurity Awareness Month in the US, and for a couple of years I was on the board of NCSA.

Now, you could argue that ESET was only putting all this money and effort into "vendor-neutral messaging" because it helped raise brand awareness, thereby leading to more revenue. And I would agree that "educating the market" for a product is a thing. People are more likely to buy products if you can persuade them that they need them; but not all needs are the same. Educating the market takes on an ethical dimension when it involves goods and services that are necessary to protect and maintain the safety and wellbeing of society.

Many years ago I described cybersecurity as "the healthcare of IT," and I see my role, and that of companies like ESET, as protecting and caring for information technology so that it can continue to deliver benefits despite attempts to abuse it, and the forces of nature that imperil it (storms, floods, fires, earthquakes, etc.). That protecting and caring remains job #1, whoever you work for or with in this field. 

Here's a real-life example of what I mean. Suppose you're invited to be on a panel to talk to a group of newspaper publishers about what they should be doing to protect their operations now that they are increasingly reliant upon digital technology. I don't think you should spend your time telling the audience about the ways in which your company's security product is superior to its competitors [allegedly]. I saw this happen a few years ago and it was truly cringeworthy, not to mention utterly unprofessional. It went pretty much like this:

  • Moderator: What's the first thing publishing companies should do to get a handle on cyber risks? 
  • Invited cybersecurity expert from company X: Buy our product.

About the only good thing I can say about this event is that a whole lot of people learned—via the cybersecurity grapevine—not to invite the expert in question to speak at future events. Naturally, people like "that guy" lead organizations to avoid speakers from cybersecurity companies. That's unfortunate because companies that create and deliver commercial cybersecurity products and services accumulate valuable knowledge about dealing with cybersecurity problems. Society risks losing out when that knowledge is not tapped because information security professionals can't commit to sharing what they know in a vendor-neutral manner.

So, as you see all these messages about cybersecurity this month, bear in mind that many are put out there by companies that have security solutions to sell. That doesn't mean the messages are not important or relevant; they may well be on point and worth heeding. Just watch for product pitches and call out those that cross the line and put profits ahead of the public good. 

#BeCyberSmart 

Friday, October 09, 2020

The Internet of Things to Get Smart About (Cybersecurity Awareness Month, 2020, Day 9)

I applaud the organizers of 2020's Cybersecurity Awareness Month for focusing attention on the Internet of Things (IoT) early in the month. That's because, like many cybersecurity professionals, I think IoT is increasing the already enormous challenge of protecting the privacy of consumer data and the security of online activities, including online transactions. 

To be clear, IoT is a broad term for electronic devices that use digital technology and connect to the internet but are not traditionally thought of as computers, things like remotely accessible smart thermostats and smart appliances, connected toys, home security cameras, and so on. Whether you have been turning your home into a smart home or just watching a smart TV, you are using IoT devices.

Here's an awareness message you may see on social media this week from Stay Safe Online talking about the need to protect internet-connected devices:

Every new internet-connected device is another entry point for a cyber criminal. If you connect it, protect it. Know what steps you need to take to secure all internet-connected devices at work and home. Do Your Part. #BeCyberSmart 

And here's an article from a security software company offering tips to help secure your smart home and IoT devices. You can read another "actionable" IoT article here.

What's the problem?

At this point you may be wondering: why are these IoT devices so risky? Well, as I said in the video in yesterday's blog post: many digital products have holes in them. These holes are technically referred to as vulnerabilities. Once a digital product is available to purchase, some people will probe it to see if they can find vulnerabilities. If they find one, they will try to figure out whether it could be exploited for selfish purposes. What happens next depends on the finder. Here are some common scenarios:

  • A. The finder—possibly an academic, university student, security company employee, independent security professional, or freelance coder—is a responsible person, so they notify the maker of the product that a potentially exploitable vulnerability exists (a practice known as coordinated or responsible disclosure). They may or may not receive a reward and/or recognition for this (some companies have formalized a process for this in what are called "bug bounty" programs).
  • B. The finder sells the vulnerability, and/or an exploit based on it, to a criminal (for example, to make more money or faster money than in scenario A).
  • C. If the finder of the vulnerability/exploit is a criminal they will decide when and how to monetize it based on current conditions (for example, if current email phishing scams are profitable using known exploits, they may delay use of newer ones).

What should happen, and often does happen, is that the maker of the product fixes any potentially exploitable vulnerabilities as soon as they are aware of them. This can often be done with a software update that "patches" the hole. That's why you will see this #BeCyberSmart message out there:

Any device that connects to the internet is vulnerable to risks. The best defense is to keep device security software, web browser and operating systems up to date. #BeCyberSmart by turning on auto-updates. 

Unfortunately, some holes are hard to patch, particularly if they are baked into the product. A classic example is a default password "hard-coded" into a device's firmware. Removing it means shipping new firmware to every unit in the field, and many cheap devices have no working update mechanism at all, so in practice that is a hole that can only be fixed by replacing the device, something that may cost more in time and effort than the device is worth. 

And of course, once a default password becomes known, criminals can use it to access and abuse the device (something that happened in the Mirai Dyn DDoS Attack of 2016 which exploited default passwords in digital video recorders (DVRs) and IP cameras).
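To make the hard-coded password problem concrete, here is a small Python sketch I have added to this post. It is not code from the original article, and it is not taken from any real device firmware or from Mirai. It puts a firmware login that accepts one shared default beside a hardened design that gives every unit its own secret at the factory, stores that secret only as a salted hash, forces the owner to change it, and keeps the management login off the internet-facing side by default; a Mirai-style scanner is then run against both. The device classes, the scanner's word list and every credential value are constructed for the example.

```python
"""Added example (not from the original post): a shared hard-coded default
password beside a hardened per-unit design, with a Mirai-style scanner run
against both. All names, values and the credential list are constructed
for illustration; nothing here is taken from real firmware or from Mirai."""
import hashlib
import hmac
import os
import secrets

# Constructed list of the kind of (username, password) pairs a botnet
# scanner cycles through. Hypothetical; not the real Mirai list.
SCANNER_WORDLIST = [
    ("root", "root"), ("admin", "admin"), ("admin", "1234"),
    ("root", "123456"), ("user", "user"), ("support", "support"),
]


class VulnerableDevice:
    """Every unit ships with the same credential compiled into the firmware.
    Closing the hole means new firmware on every unit in the field; if the
    vendor never ships it, or the device cannot take updates, it stays open."""
    HARDCODED = ("admin", "1234")  # constructed value

    def login(self, username, password, remote=False):
        # Telnet-style service reachable from the internet, no throttling.
        return (username, password) == self.HARDCODED


class HardenedDevice:
    """Per-unit secret assigned at the factory and stored only as a salted
    PBKDF2 hash; the owner must replace it before normal use; the management
    login is not reachable from the WAN side unless the owner enables it."""

    def __init__(self, initial_password):
        self.salt = os.urandom(16)
        self.pw_hash = self._hash(initial_password)
        self.must_change = True
        self.remote_login_enabled = False

    def _hash(self, password):
        # Iteration count kept modest so the example runs quickly.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 20_000)

    def _check(self, username, password):
        return username == "admin" and hmac.compare_digest(
            self._hash(password), self.pw_hash)

    def login(self, username, password, remote=False):
        if remote and not self.remote_login_enabled:
            return False  # refused before the credential is even examined
        return self._check(username, password)

    def change_password(self, old, new):
        # Require the current secret, a minimum length, and an actual change.
        if not self._check("admin", old) or len(new) < 12 or new == old:
            return False
        self.pw_hash = self._hash(new)
        self.must_change = False
        return True


def provision_hardened_unit():
    """Factory step: generate a unique credential per unit and hand it back
    with the device (in reality it would be printed on the unit's label)."""
    label_password = secrets.token_urlsafe(12)
    return HardenedDevice(label_password), label_password


def scan(device):
    """What a Mirai-style scanner does: try each default pair over the
    network and report the first that works, or None if none do."""
    for username, password in SCANNER_WORDLIST:
        if device.login(username, password, remote=True):
            return (username, password)
    return None


if __name__ == "__main__":
    print("vulnerable unit falls to:", scan(VulnerableDevice()))
    unit, label = provision_hardened_unit()
    print("hardened unit falls to:", scan(unit))
    print("owner login with label password:", unit.login("admin", label))
    print("forced change accepted:", unit.change_password(label, "correct horse battery"))
```

Run it and the vulnerable unit falls to the scanner's third guess, while the hardened unit never answers a remote login at all. Even if its owner later turns remote access on, a random per-unit secret cannot be in anyone's word list, which is the property a single shared default can never have. The forced change on first login covers the case where the label password leaks (a photo of the sticker, a second-hand sale).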

Help may be on the way in the form of IoT Standards

Fortunately, some governments are taking action to address IoT insecurity, motivated in part by the sheer scale of the potential problems they can create. For example, the Mirai Dyn incident I just mentioned probably cost online stores millions of dollars in orders, not to mention the massive productivity hit from thousands of companies activating their crisis response teams to deal with the situation. 

There are way more IoT devices connected to the internet today than there were in 2016 when the Mirai Dyn incident occurred. By 2025 there could be an estimated 75 billion internet-connected devices worldwide, a figure cited in this extensive UK government report on IoT security.

The main focus of government action on IoT security right now is to establish standards, as discussed in that UK report and this IEEE article. I am not going to go into these emerging standards right now but you should know that California has already passed a law in this regard. The California IoT Security Law requires all “connected devices” sold or offered for sale in California to have “reasonable security” measures. 

And just this month, Singapore launched a new cyber security label for smart home devices. The government of Singapore hopes to have the standards behind this labelling adopted overseas. This announcement made me very happy because it is exactly the type of action that will facilitate one of the three calls to action I made in yesterday's video: use your buying power as a consumer to choose safer, more secure digital products. 

#BeCyberSmart


Thursday, October 08, 2020

3 Ways to Improve Our Chances of a Bright Digital Future (Cybersecurity Awareness Month, Day 8)


After several long, text-heavy articles, I thought I would post something more visual for day 8 of Cybersecurity Awareness Month, 2020. I decided to use video of a talk that was recorded in 2015 because the content is still very relevant today.

Somewhat ironically, I gave this talk at the 2015 TEDx San Diego which had as its theme "20/20 Vision." The idea was for each speaker to present a vision of the future, five years out, given their field of expertise. 

Now, if you are familiar with the "TED talk" concept, you know that it is not considered good form to leave your audience depressed and without hope. But if you are familiar with cybersecurity, you can probably relate to the fact that, in 2015, I was not feeling optimistic about the future, given the rate at which criminals were breaching systems and companies were ignoring data privacy principles.

Upon reflection, I decided there were in fact some signs of hope and/or calls to action that would be worth presenting, particularly if I could combine these with useful lessons that I was learning in my criminology studies and my work for a major security software company that was deeply committed to cybersecurity awareness and education (ESET).

As you will see, my talk closes with three things we can all do. As I look at these again now that 2020 is here, I can assure you they still need doing.  
  • Exercise our civic rights to encourage politicians to allocate more resources for law enforcement to catch more cybercriminals more quickly. 
  • Use our buying power as consumers to choose safer, more secure digital products.
  • Strive in whatever ways we can to get more women and minorities involved in decision-making in technology.
Enjoy the video (it packs a lot into 13 minutes). And #BeCyberSmart.


 


Wednesday, October 07, 2020

Situational Crime Prevention, Security Awareness, and Cybercrime (Cybersecurity Awareness Month, Day 7)

Window with bars (thanks to Sincerely Media for sharing their work on Unsplash)

This is the second part of an article in which I relate situational crime prevention to cybersecurity awareness (the first part is here, but this article also stands on its own, or at least I think it does). 

The attitude that situational crime prevention or SCP takes toward crime is "worry less about the underlying motives of people who commit crime and focus on understanding the circumstances in which it occurs." Pursuing research with this focus, social scientists Felson and Cohen found that social, economic, and technological factors drive increases in the opportunities for crime; this led to the routine activity theory of crime which holds that: 

crimes occur when there is ‘convergence in space and time of offenders, of suitable targets, and of the absence of effective guardians’ (Felson and Cohen, 1980) 

From this perspective it is possible to develop techniques for curtailing the opportunities for crime, thereby producing a drop in crime. Over time, advocates of SCP developed this table of 25 techniques within five categories: increase the effort and the risks, reduce the rewards and provocations, and remove excuses (Cornish and Clarke, 2003).

Clearly, SCP has wide application in efforts to reduce crime in cyberspace as well as meatspace, starting with things as simple as choosing stronger passwords when establishing online accounts and using different passwords for different accounts. However, SCP can also help when cybercrimes get complex, for example when criminals use malicious code to illegally access millions of computers and organize them into botnets for nefarious purposes (including emptying online bank accounts even when they have strong passwords). 

You can see how SCP helps fight cybercrime in this article by my friend Alexis Dorais-Joncas, Security Intelligence Team Lead at my former employer ESET, one of the world's largest security software companies: "Doing time for cybercrime: Law enforcement and malware research join forces to take down cybercriminals" is available on WeLiveSecurity. By focusing minds on the critical triad of "offenders, suitable targets, and the absence of effective guardians," SCP still has a serious role to play in crime reduction as well as security and risk management. 

Internet Crime Losses in Billions of Dollars US as reported to IC3/FBI
Unfortunately, as the chart on the right indicates, efforts to rein in internet crime do not appear to be succeeding. (For the reasons why this chart is a valid indicator, see my notes at the end of this article.) 

Of course, you could argue that not all of those efforts are wasted since we're still making extensive use of computers and the rise in crime losses is merely a reflection of our increased use of, and reliance upon, digital technology. 

My response to that argument is four words: architecture, infrastructure, politics, and profits. The architecture of the spaces and places in which we live and work has, over the last 40 years, become less criminogenic, thanks to the influence of situational crime prevention. I don't think the same can be said of cyberspace. In fact, by the late 1980s it was clear to many technology experts that the fundamental building blocks of digital technology were riddled with holes, yet the world proceeded to build a massive global digital infrastructure out of those blocks. 

Meanwhile, politicians failed to establish norms of behavior within cyberspace, partly because abuse of those blocks can generate funds and advantage, both of which are highly sought after in politics. And of course, the demand for cybersecurity products and services has created huge profits for some companies and minted numerous multi-millionaires and several billionaires. (Disclaimer: for a short period of time, that ended over a decade ago, I was a cybersecurity millionaire; these days I am nowhere near being any kind of millionaire, except maybe in Swedish krona.)

The opportunity structure for predatory crime 

I started researching SCP to write a postgraduate essay on this topic: "The main problem with situational crime prevention is that it fails to address the root causes of crime. Critically discuss." I concluded that SCP does not even try to address the root causes of crime, but that is not its main problem. I argued that SCP cannot fully address the phenomenon of changes in society that produce new opportunities for crime at a faster rate than those opportunities can be reduced. This is the phenomenon that Felson and Cohen (1980:404) warned about in their early work on routine activity theory when they wrote: ‘opportunity for predatory crime appears to be enmeshed in the opportunity structure for legitimate activities’. Indeed, the phrase “opportunity structure for legitimate activities” is an apt description of the place where a massive and global crime wave is currently in progress: cyberspace.

Despite clear indications that the networking of computer systems greatly increases their potential for criminal abuse (Cobb, 1995), few calls for restraint in the adoption of network technologies have ever been heeded, at least on the basis of the criminal opportunities that they create. To give cybercrime some historical context, consider the 2013 attack in which 1,800 stores belonging to US retailer Target were penetrated. Thieves compromised 40 million payment card records, impacting over 100 million people (Star Tribune, 2014). By taking advantage of the opportunity that Target gave its suppliers to manage orders online, criminals earned around $54 million, based on the amount they were charging when they sold the stolen data in online markets; meanwhile, banks paid $200 million to replace compromised cards (Krebs, 2014a). 

To the best of my knowledge the perpetrators of the Target hack have never been brought to justice. The politicians who promised action to angry constituents who were victimized by the attack clearly haven't done enough to stem the tide of criminal technology abuse. This abuse generates profits at many levels, and in a rare win for law enforcement the Latvian computer programmer who designed "a program that helped hackers improve malware—including some used in the 2013 Target breach" was arrested, convicted and, in 2018, sentenced to 14 years in prison (Washington Post). 

The fact is, the failure by governments to act effectively against cybercrime in the 1990s and 2000s led to the industrialization of technology abuse. Today, many cybercrime schemes employ proven business strategies such as division of labour, specialization, modularity, and marketing, including A/B testing. Furthermore, a large percentage of cybercrime is enabled by a sophisticated system of virtual markets that facilitate the buying, selling, and renting of cybercrime tools, resources, and stolen data (Krebs, 2014b, Ablon et al., 2014). This activity is often quite brazen, as I demonstrated to a radio journalist last year (recording here and backstory plus graphics here).

Cybercrimes are often executed by ad hoc groups of geographically dispersed individuals who have been developing virtualized trust mechanisms for at least ten years (Krebs, 2014b; Holt and Smirnova, 2010). A realistic assessment of the current state of affairs is provided by the Institute of Chartered Accountants (2014): ‘there is a growing gap between business and cyber attacker capabilities … Many businesses are falling further behind and the risks are growing’.

The problem is not that SCP has been silent on fighting cybercrime. IT security practitioners regularly employ technique number one in the table of SCP strategies: target hardening. The cybersecurity concept of “kill chains” has valuable parallels in “crime scripts” (Cornish, 1994, as cited in Clarke, 2012). Some criminologists were quick to apply SCP to cybercrime (Newman and Clarke, 2003). Unfortunately, the speed at which their recommendations have been outpaced reveals the nature of the problem: it is hard to “follow the money” when today’s cybercriminals prefer to take their profits in a crypto-currency like Bitcoin that did not exist in 2003 (Bradbury, 2013). 

So I would argue that the main problem with situational crime prevention is its failure to acknowledge the following: just as crime prevention that is based on addressing the root causes of crime faces a daunting future because it requires fundamental changes in society, so too does any crime prevention approach based on reducing opportunities. 

We just don't spend enough on fighting cybercrime
Cybercrime is driven by the abundance of ‘opportunity for predatory crime’ that is clearly ‘enmeshed in the opportunity structure for legitimate activities’ (Felson and Cohen, 1979: 404). This makes it hard to escape the conclusion that cybercrime will not be substantially reduced without either addressing the root causes of crime, or scaling back the use of cyber technology and thus ‘modifying much of our way of life’ (Felson and Cohen, 1979: 404).

I leave you with a slightly garish graphic that I made a few years ago, but which is probably still roughly correct, at least in terms of ratios (please DM me @zcobb if you have more recent numbers). The ratios between the spending figures tell me that the US government just does not grasp how badly wrong things could go if cybercrime prevention and reduction are not addressed with adequate resources. And while the US government does support cybersecurity awareness programs in October and throughout the year, there is way, way more work that needs to be done. The hockey stick of cybercrime needs to be turned into a downhill ski run towards a safer, brighter digital future. 

#BeCyberSmart  

Tuesday, October 06, 2020

Situational Crime Prevention and Security Awareness (Cybersecurity Awareness Month, Day 6)

Based on Cornish, D. B. and Clarke, R. V. (2003) ‘Opportunities, precipitators and criminal decisions: A reply to Wortley’s critique of situational crime prevention’, in Smith, M. and Cornish, D. B. (eds) Theory for Situational Crime Prevention, Crime Prevention Studies, Vol. 16, Criminal Justice Press, Monsey, New York.

On day six of Cybersecurity Awareness Month we're going to take a closer look at something that helps explain the origins and goals of security awareness programs: situational crime prevention (SCP). This is a perspective on crime that seeks to explain and reduce criminal activity by examining the circumstances in which it occurs, and then curtailing the opportunities for crime to recur (Clarke and Mayhew, 1994). 

Security awareness plays a significant role in the first of the five crime prevention strategies that evolved under SCP: increase the effort and the risks, reduce the rewards and provocations, and remove excuses (Cornish and Clarke, 2003).

For example, the SCP approach to crime reduction includes encouraging us not to park our cars on the street outside where we live, because that is an opportunity for car theft. Parking your car in a garage reduces that opportunity, although it's not an option that is available to all car owners. Another example comes from studies that found placing gates across residential alleyways in English cities significantly reduced the opportunities for, and occurrence of, domestic burglary (Bowers, Johnson and Hirschfield, 2005). 

[Note: this article, which is posted in two parts—of which this is the first—draws heavily on an essay that I wrote as part of my master's in security and risk management. The second part of the article is here. You can see that I left the academic references in the text and I have provided the source list at the bottom of the post. Also note the spelling is a mix of American English and English English, and both parts of the article are long, but hopefully you will find them worth reading.] 

The origins of Situational Crime Prevention

With its focus on reducing the opportunity for crime, situational crime prevention encourages “awareness” programs that urge the public to adopt crime-reducing tactics such as “leaving outdoor lights on, putting indoor lights on timers, asking neighbors to watch your house, watching the neighborhood, reporting suspicious activity, and forming community groups to prevent crime” (Wikipedia).

The logic behind SCP can appear compelling; however, ever since it emerged from research on crime in the 1970s, objections have been raised on both practical and theoretical grounds. A notable and persistent charge levelled against SCP is that it fails to address the root causes of crime. This article examines this charge while considering the potential for SCP to reduce cybercrime. 

First, I will review the evolution of SCP, including objections raised by its detractors and defenses offered by its supporters. Then I will explore the implications for SCP of the current digital crime wave.

Rate of property crimes in the US, per 100,000 people, 1960 to 1980s
As you can see from this chart based on FBI reports, a very different crime wave was occurring in the 1960s in America. A similar phenomenon was occurring in Britain: rising rates of burglary, robbery, vehicle theft, and all manner of violent crime (Home Office, 2010; Farrell, Tseloni, Mailley and Tilley, 2011). These trends caused many policymakers to question approaches to crime that had been shaped by efforts to understand criminals and the conditions in which they lived (Clarke, 1980, 1997a, 2012; Hayward, 2007). As Jeffrey (1977, 9) declaimed: ‘Deterrence and punishment are failures; treatment and rehabilitation are failures; the criminal justice system is a failure from police courts to corrections’.

In fact, the phrase “Nothing Works” began to appear in criminal justice debates after American sociologist Robert Martinson published a bleak assessment of programs intended to rehabilitate criminals in the 1950s and 1960s: ‘our present strategies … cannot overcome, or even appreciably reduce, the powerful tendencies of offenders to continue in criminal behavior’ (1974: 49 as cited in Sarre, 2001). The phrase embodied frustration with the perceived impotence of the dispositional approach to understanding why criminals offend. 

This frustration was compounded by failed attempts to reduce delinquency through welfare programs. Although Martinson recanted his “Nothing Works” assessment in 1979 (Sarre, 2001), some crime researchers were already shifting their focus from the character of criminals to the nature of the criminal act, inspired in part by an assumption that in any given situation the commission of a crime is essentially the result of a calculated decision about whether or not to offend. 

While not a new perspective – Beccaria (2008 originally 1765) had articulated a similar view of crime in the eighteenth century – the idea that offending is based on balancing ‘rational incentives and deterrence’ was given new weight by Wilson’s Thinking About Crime (1983). Analyzing the situations in which the rational decision to proceed with a crime occurs frequently was a logical next step. Manipulating those situations to reduce the frequency of crimes became the goal of SCP, which identified location, opportunity, and reasoned choices as the key elements of criminal activity. 

However, with the benefit of hindsight, I will argue that the manner in which SCP blended these elements to focus on preventing physical crimes—committed in physical spaces—obscured important implications of its theoretical underpinnings.