Tuesday, April 7, 2015

What is safe to click on anymore?


We don't think of clicking on a link as social engineering, but it is. The number one cause of breaches today is still someone being tricked into clicking on a link which launches malware and compromises a system. Yes, even I have fallen into that trap in my years of computing, but it was due to me not paying close enough attention to what I was clicking on. I, like many IT professionals, use free tools to get certain tasks done, and there are a great many dangers lurking out there when you are downloading ANYTHING for free.

Today the FBI put out a bulletin about the bad guys putting up web sites that look much like the government sites they mimic. If you are not paying attention you find yourself on a site that is going to nab you like a spider nabbing a mosquito in its web and eating it. Poof... Identity stolen.

A perfect example I keep running across is when someone lands on a site and it prompts them to "Update your Java". OMG!! Better do that!! So they click on that link and ... you guessed it. I am in there cleaning up a system again. If you really think Java needs to be updated, then go to JAVA.COM and update it. That little extra step can save you a ton of grief, pain and money, but I still run into companies where people just don't get it yet. And guess what? The bad guys are not getting dumber! Every time there is a major event, the fake emails with a link roll out again. It's like shooting fish in a barrel.

The numbers are all over the board as far as what this information is worth. I have heard as high as $15 per identity down to $.10. The key is volume. Back in 2013 the number of DAILY spam messages was 100 BILLION. YES! Billion! Even at $.10 per identity it doesn't take a huge amount of hits to make a profit.

Recently we have heard about the breaches of medical records. Why? Medical records go for almost 10 times what a regular record goes for. 2014 seemed to be the year for retail to get hit, and now we see Blue Cross and others getting hit. I am thinking that we will not really see a drop in these attacks. Many attacks in that industry are not even reported, and what few people realize is that attacks are just a part of daily life in that industry.

So why? Why go after them in the first place? I get asked that question all of the time. Just replace the credit card and everything will be OK and you move on with your life. Right? In the case of medical records, the bad guys use the record to buy things such as prescription drugs they can sell on the street or medical supplies, or to commit Medicare fraud. In the last two years Medicare fraud totaled around $6 billion according to the Medical Identity Fraud Alliance. Making matters worse, records in the health care industry are among the easiest to obtain. Think about a hospital. Are they going to spend more on that new piece of medical equipment or on new technology to prevent theft? I think we know the answer.

I have not even touched on PCI-DSS compliance for businesses, which is a whole subject in itself. I am amazed at how many businesses do not realize that the banks took huge hits last year because of breaches. Do you think banks will continue to eat all of those costs? Ya.. I don't think so either. They are now saying you better have in place the 12 areas of PCI-DSS or you, the business owner, will wind up eating those costs. In many cases small businesses will not survive a breach because those costs will probably be a minimum of $250,000. PCI-DSS 3.1 comes out in the middle of April and it will get even more complicated, because they are no longer allowing some really common technology to be used for encryption (SSL). That is because of big holes discovered last year in the technology.

I will go into further detail on PCI-DSS in future blogs and go through step by step what that requirement is. The bottom line is that costs to do business will increase because of these breaches, so the time is now to understand what can be done in your corner of the world. It is more vital to your business now than ever. That importance will only increase moving forward, so don't get so far behind and poof!!! GONE!!
