2016: A reflection of the year in cybercrime

A review of 2016 cybercrime predictions, what really happened and how you can make 2017 more cyber secure.


First of all, it’s that time of year to reflect and be thankful. I want to thank this publication for this blog and all of my readers and followers on Twitter and LinkedIn, and I’m very thankful for my family, friends and colleagues. I’m also thankful to be a free American in the United States of America. God bless all our veterans and troops, including my nephew Trevor, who serves in the Navy, and all first responders who sacrifice everything for each of us every day.

Last year Security Intelligence reported that 2016 would bring a more targeted focus on business. We are no longer fighting lone hackers but full-blown organized groups with highly experienced developers whose deep knowledge keeps them a step ahead of us. They went on to say that mobile would see a quantum leap in fraud capabilities, because most of us now do more with our highly capable smartphones from Apple and Google and let our laptops collect dust. The predictions also said cyber extortion would likely escalate, and it has, with massive ransomware attacks on police departments and hospitals.

They also correctly predicted the rise of the Internet of Things (IoT), and we recently saw huge denial-of-service attacks launched from compromised connected devices. We also know that as the Europay-Mastercard-Visa (EMV) chip card standard is implemented in the US, we will see the same trends seen in the UK after its EMV rollout. Since chip cards can’t be easily cloned the way magnetic-stripe cards could, cyber thieves have once again found the path of least resistance: a full account takeover, or stealing your identity to open a whole new account, followed by card-not-present (CNP) fraud. I was interviewed by Florida’s WFTV Ch 9 during Thanksgiving this year on this very subject.

The predictions also said nation-state and criminal tooling would continue to cross-pollinate. For example, techniques from targeted attacks now show up in financially motivated cyber crime: malware signed with stolen code-signing certificates, first widely seen when the Stuxnet worm was exposed, has since been applied to banking Trojans, POS malware and even ransomware.

The 2016 predictions were very accurate if we just look at five breaches from 2016.

1. Feb. 7, 2016 Hollywood Presbyterian Medical Center.

Hollywood Presbyterian Medical Center was hit with ransomware that interfered with its day-to-day operations. Its computer systems were encrypted and held for a ransom of about $3.6 million in bitcoin. Those systems were used to document patient care, transmit lab work, share X-rays and CT scans, and much more, so while they were down the hospital was severely hindered in its ability to care for patients, and the medical records of previous patients were inaccessible as well. To restore its systems, the hospital paid about $17,000 in bitcoin for the decryption key.

2. Feb. 29, 2016 – Internal Revenue Service

The data breach at the Internal Revenue Service (IRS) was first uncovered in May 2015, but it wasn’t until February 2016 that the agency realized how much damage had been done: over 700,000 American taxpayers may have had their personal information exposed. The attackers got in by answering the IRS’s knowledge-based identity questions with personal data that had already been stolen elsewhere. The information was taken by a Russian criminal organization whose plan was to file fraudulent tax returns with it. This theft shows that any system is vulnerable, including one that everyone assumes has the strongest security protecting its information.

3. May 17, 2016 - LinkedIn breached

A 2012 data breach came back to haunt LinkedIn when 117 million email-and-password combinations stolen four years earlier surfaced online. At the time of the original breach, affected members were told to reset their passwords; the stolen passwords were unsalted SHA-1 hashes, so most of them were cracked quickly. When the data became publicly available in May 2016, LinkedIn acted quickly to invalidate the passwords of all accounts created before the 2012 breach that had not been reset since. It is not clear who stole the information or published it online, but LinkedIn is actively working with law enforcement officials.
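As an added example (not LinkedIn’s code, and not part of the original article), here is how a site can act on a dump like this once it surfaces: sweep for every account created on or before the breach date whose password has not been rotated since, and, because people reuse passwords, check each password presented at login against the leaked hashes so that a reused credential is caught even on an account created after the breach. The breach date, the account records and the dump lines are constructed sample data, and the code assumes the dump is in `email:sha1hex` form with unsalted SHA-1, as the LinkedIn dump was.

```python
"""Post-breach credential invalidation sweep (added illustration).

Two checks a site runs once an old credential dump surfaces:
  1. Bulk sweep: accounts created on/before the breach date and not
     reset afterwards are flagged for a forced password reset.
  2. Login-time check: the plaintext the user just typed is hashed the
     way the dump was hashed (assumed: unsalted SHA-1) and compared
     against the leaked hashes; a match forces a reset regardless of
     account age, which catches password reuse.
All dates, accounts and dump lines below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from hashlib import sha1
from typing import Iterable, List, Optional, Set

# Day the leaked dataset was captured (assumed value for the demo).
BREACH_DATE = date(2012, 6, 5)


@dataclass
class Account:
    email: str
    created: date
    password_changed: Optional[date]  # None = never changed since creation


def needs_forced_reset(acct: Account, breach_date: date = BREACH_DATE) -> bool:
    """True if this account's credential could be in the dump: it existed
    on the breach date and its password was not rotated afterwards."""
    if acct.created > breach_date:
        return False
    if acct.password_changed is None:
        return True
    return acct.password_changed <= breach_date


def sweep(accounts: Iterable[Account], breach_date: date = BREACH_DATE) -> List[str]:
    """Emails of all accounts that must be forced through a reset."""
    return sorted(a.email for a in accounts if needs_forced_reset(a, breach_date))


def leaked_hash(password: str) -> str:
    """Hash a password the way the dump hashed it (unsalted SHA-1)."""
    return sha1(password.encode("utf-8")).hexdigest()


def load_dump(lines: Iterable[str]) -> Set[str]:
    """Parse 'email:sha1hex' lines into a set of hashes, skipping junk."""
    hashes: Set[str] = set()
    for line in lines:
        line = line.strip()
        if not line or ":" not in line:
            continue
        _, digest = line.rsplit(":", 1)
        digest = digest.lower()
        if len(digest) == 40 and all(c in "0123456789abcdef" for c in digest):
            hashes.add(digest)
    return hashes


def password_in_dump(password: str, dump_hashes: Set[str]) -> bool:
    """Login-time check: hash the presented plaintext and look it up."""
    return leaked_hash(password) in dump_hashes


# Constructed sample dump: SHA-1 of "123456" and of "password", plus junk.
SAMPLE_DUMP = """
alice@example.com:7c4a8d09ca3762af61e59520943dc26494f8941b
bob@example.com:5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
this line is not a record
"""

# Constructed sample accounts.
SAMPLE_ACCOUNTS = [
    Account("alice@example.com", date(2010, 3, 1), None),            # flagged
    Account("bob@example.com", date(2011, 5, 5), date(2012, 6, 10)),  # reset after breach
    Account("carol@example.com", date(2012, 1, 15), date(2012, 3, 1)),  # reset before breach
    Account("dave@example.com", date(2014, 8, 8), None),             # created after breach
]

if __name__ == "__main__":
    print("force reset:", sweep(SAMPLE_ACCOUNTS))
    dump = load_dump(SAMPLE_DUMP.splitlines())
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r} in dump: {password_in_dump(pw, dump)}")
```

The login-time check only works because the plaintext is briefly available at authentication; a site storing passwords with a salted, slow hash cannot compare its own hashes against a dump offline, which is why the date-based sweep is still needed to cover accounts that never log in again.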

4. Sept. 22, 2016 - Yahoo breached

In what may be the most expansive data breach of all time, Yahoo announced that a hacker had stolen information from at least 500 million accounts in late 2014. The thief, believed to be working on behalf of a foreign government, took email addresses, hashed passwords, full user names, dates of birth, telephone numbers and, in some cases, security questions and answers. At the time of the announcement, Yahoo was still working with law enforcement and the FBI on an investigation.

5. Nov. 25, 2016 - San Fran taken for a ride

San Francisco’s public railway system, known as Muni, was infected with malware over the Thanksgiving weekend; this locked ticket kiosks and computers and gave passengers two days of free rides until the system came back online on Nov. 27. Fortune reached out to the hackers, who said the attack was not targeted but automated, also known as “spray and pray”: an automated system sends malicious links to many prospective victims, and an IT admin at the transportation agency allegedly clicked one and unknowingly downloaded the malware.

The hackers claim to have 30GB of stolen data, including personal information on employees and riders. They want the agency to fix its vulnerable systems and pay a ransom of 100 bitcoins, about $73,000; if their demands aren’t met, they say they will release all of the personal information. The agency’s systems are back online, and as of this writing it does not appear to have paid.

What’s really bad about all of these breaches is that the data is still out there to be used again and again. You can change your password, but you can’t change your identity, and many of these breaches were so damaging that everything about the victims was taken. Recall that the OPM breach took fingerprints!

The best personal defense is to obtain and keep an identity protection service that monitors all of your accounts; a good place to start is IdentityTheft.Gov. Individuals also need to practice good cyber hygiene: patch your systems, keep your antivirus up to date, use a different password for every account so that one breach can’t be replayed against the others, and be alert to phishing scams. I recommend reading these tips.

For corporations it’s more complex. If you have over 100 users and an IT department, I highly recommend achieving full compliance with the standards for your industry sector (PCI DSS, SOX, COBIT, IT general controls, etc.), treating that as the floor rather than the finish line, and looking at current security technology and tools such as sandboxing and data analytics to hunt for indicators of compromise.

Hiring a full-time security analyst or security manager is no longer optional. Security is a full-time job and can’t be passed off to IT as one more duty, to be looked at only during the yearly IT audit cycle. Cybercriminals are putting 100 percent effort into taking everything they can from us; we must meet them with the same or greater force or we will continue to be taken advantage of every day of the New Year.

The Dark Web continues to make it nearly impossible to trace global cybercriminals, and with IoT exposing more unsecured devices 24x7, more untrusted devices on our networks, and new malware growing faster than researchers can detect and categorize it, we are in for another bumpy ride in 2017. We must stop being reactive and become proactive. I feel President-elect Trump's cyber security plan looks like a good start.

From my family and Maxis360, wishing you and your family a very happy holiday season and a happy New Year! 

This article is published as part of the IDG Contributor Network.