We are all potential targets of cyber crime. We all use the internet, we all conduct our business in the digital world, so we all have something to lose. And the cyber bad guys have the advantage. They are always “on,” and they are persistent. By using automated systems that target known vulnerabilities, they make us all targets.
Do you know how cyber criminals go about choosing their targets? The criminals have a four-step process that they use to attack our digital world. The four questions they ask themselves are:
What weapon to use?
The criminals have a wide variety of attack weapons that they use to access our digital information. Here are a few of the better-known ones:
- Virus, malware and worm attacks, usually delivered through spam and media transfer.
- Malware and spyware delivered from infected web sites, or through search and P2P.
- Social engineering to improve their attack vectors through spear phishing and human gullibility.
- Automated systems to exploit unpatched systems on anything connected to the digital world.
The advantage of tools like spam emails and infected websites is that they can target many people with very little effort. On the other hand, if you are known to have large amounts of money or high-end intellectual property, then the black hats will target you specifically.
How sneaky can I be?
The cyber criminals are a sneaky bunch. They are looking to target anyone they can, and they do not tell you they are coming. I have told you about a friend of mine who found a Boing USB drive in the car park of a Las Vegas casino, and promptly corrupted her laptop by opening the files on it. Although she was not the target, it didn’t matter to the bad guys.
The digital criminals are now using our own human gullibility against us, and in some cases they are very good at it. They use everything else that normal users and businesspeople do. They have LinkedIn pages, Facebook pages, and Twitter accounts that they use to communicate in code. Your best defence is increased awareness, with a generous dab of paranoia.
How much time do I need to do to get it?
So the digital criminals have the weapons, and they are pretty sneaky about using them. They are also persistent. In some cases they take the long-term view on how to steal your digital world. There have been several high-profile breaches that show how persistent they can be.
In 2006, Chinese hackers conducted a persistent attack on Rolls Royce, trying to steal information about commercial and military aircraft engines the company makes. They used a specially designed Trojan to access their network. After 18 months, they gained access to at least part of what they were after. This shows how persistent they can be.
When is the best time to release the wolves?
Once the criminals have the other three components in place, they have to work out what is the best time to target either the whole digital world, through automated systems, or an individual or group of individuals, through a targeted attack.
Often it is world events that will determine the attacks’ timing. It could be a celebrity doing something stupid that they will piggyback off, or a natural disaster. People who are in a hurry to download that celebrity sex tape, or donate money to tsunami victims, won’t take the time to exercise good judgement. A large proportion of attacks are based on what is happening in the real world. But if there is no opportunity for a specially timed attack, there are plenty of other ways for the criminals to exploit your gullibility.
Why do they go to so much effort? There are two underlying drives for all cybercrime. It can take the form of state-sponsored attacks looking for corporate or government IP (as with the Rolls Royce hack). In other cases, criminals are simply looking to steal anything they can from either a single target, or a cross-section of the digital community.
Once you realise how many options cyber criminals have, you’ll begin to understand why it’s not enough to buy some cheap antivirus software and forget about the problem.
The bad guys are out there. They want our stuff, and the only protection we have is to use the same kind of smarts, critical thought and planning that they do. Be aware and vigilant: If it looks wrong, it probably is. And always be paranoid: It’s not a question of whether you’ll become a target, but how and when.
When it comes to cyber security, the bad guys think everything through. So should you