Cybercrime-fighters reveal business weaknesses, suggest defenses
In the murky realm of cybercrime against businesses, the bad guys have the upper hand, according to Francis Tam, who heads a nine-person West Coast cybersecurity unit of Moss Adams from his Los Angeles office. 'They have unlimited budgets,' especially of time, Tam said of hackers, who may work against a business over months or years, patiently seeking vulnerabilities and then exploiting them.
'I only work when someone pays me,' Tam said, noting that hackers can work any time and be based anywhere in the world. Tam appeared as one of the speakers at a recent cybercrime symposium hosted by Exchange Bank in Santa Rosa.
In 27 years helping business clients with information technology, Tam's worst case hit a company that sold DVDs online. 'The company got hijacked,' he said. Hackers contacted the company's CFO just as the peak holiday sales season opened and demanded that the company pay $15,000 a month or they would damage the business in unspecified ways.
'It was just before Thanksgiving. They did their homework,' Tam said of the hackers. Because nearly 40 percent of the company's revenue came during the holidays, the company met the extortion demand. 'They paid up until Christmas,' he said.
When the holidays ended, the victim company revamped its entire IT platform. The attack cost a total of nearly $100,000 to replace all hardware and software. 'They had to nuke the entire environment just to make sure,' Tam said.
Companies make themselves most vulnerable when they don't keep up with software security patches sent by companies such as Microsoft, Tam said. Even if a firewall, virus-checker, Internet operating system, web server or other outward-facing device is 'the best today, it could be the worst in a week,' he said. 'If you fall behind and don't do it, it could be pretty bad.'
Such patches should be installed only when an IT expert takes the initiative to go to the software provider's site to download the fix. 'You don't want to open anything' that comes as an unsolicited email attachment, he said, even if it is a known name. 'They can be spoofed,' or deliver a 'gift-wrapped executable,' sometimes by impersonating someone you know. 'You have to verify the sender' with authenticated and secure connections. 'I wouldn't trust anybody who sends me a link,' he said. 'That way you minimize the risk of going to a rogue website.'
FBI beefs up cyber-squads
'The odds are in the criminal's favor,' said Enrique Alvarez, a supervisory special agent for the FBI's 200-agent cyber-intrusion unit in Oakland. Before joining the FBI, he worked at several Internet companies in San Francisco and served as a Navy intelligence officer in Iraq. Cybercrime, and intrusions in particular, has drawn greater FBI attention since 2012, Alvarez said.
The FBI has 40,000 employees in 56 field offices. The San Francisco office, the fifth-largest in the country, has five 'cyber squads,' with the fifth added on Oct. 1. Three of these focus entirely on national security threats: foreign-state-sponsored intrusions.
Social networking accounts provide cyber criminals with rich troves of information that can be used to invade and attack through business and personal routes. 'We track a lot of crime data,' Alvarez said. 'That's one of the strengths of the FBI.'
Cyber criminals, particularly in Eastern Europe, are 'using a lot of infrastructure to conduct nefarious activities targeting' the financial services sector of the economy, Alvarez said. 'Those actors are hiding behind foreign infrastructure.'
In massive intrusions such as attacks on JP Morgan Chase, Target and Home Depot, 'we mobilize cyber action teams,' Alvarez said. They can work remotely because of the nature of the intrusion. 'We can get access virtually to where the victim is,' he said.
'You are dealing with lots of potential violations when you're dealing with a bank,' Alvarez said. 'Things happen to banks. We look at practically every bank robbery in the country.' He did not find any evidence of cybercrimes against Exchange Bank, he said. All bank robberies automatically become FBI cases because banks are federally insured.
Most physical bank robberies today are not takeovers, but 'note jobs,' Alvarez said, where the robber hands a teller a note demanding money. Even more are electronic, as nearly 40 percent of people worldwide are online.
'We have sources in every industry,' Alvarez said, 'that give us the pulse of what's going on.' The aim is to identify signs of cyber-attacks before they happen.
'Criminal activity is ruthlessly efficient,' Alvarez said. 'They do a lot of experimentation. They understand what doesn't work. Dumb operators in the criminal element usually end up dying; very Darwinistic. In cybercrime, it's the same thing. They keep trying. What works becomes tactics and procedures' that are continually refined.