By P. William Zivanchev, Executive Director, Institute of Consumer Financial Education
At first glance, readers may wonder why an article on identity theft appears in Cyber Defense Magazine, and why it comes from the Institute of Consumer Financial Education (ICFE). To understand today’s cyber criminal trends, it’s necessary to delve into the history of the phenomenon.
For nearly 20 years, the ICFE has provided the premier identity theft risk management course for professionals working with consumers and businesses. ICFE is the certifying and publishing authority for the nationally recognized Certified Identity Theft Risk Management – CITRMS® course, a credential which has been earned by thousands of professional advisers and case workers.
During that period, we have seen many changes in the threat landscape, but also many continuing trends in the ways in which cyber criminals operate and the ways in which defenders, both public and private, have responded.
Three Types of Cyber Criminals
Functionally, there continue to be three principal types of cyber criminals – and they are consistent with the three types of identity thieves:
- Money-motivated criminals, who commit identity theft, privacy infractions, and cyber crimes for the financial payoff
- State-sponsored and terrorist attackers, who desire to perpetrate disruptive effects on critical infrastructure systems and other vulnerable databases
- Thrill-seekers, who find satisfaction in being able to interfere with the smooth operations and lives of individuals and organizations holding protected information, such as personally identifiable information (PII).
High Tech versus High Touch
Over the years, the main changes have been in the tools and methods the cyber criminals utilize to perpetrate their exploits. Mirroring these developments, the responses have tended to concentrate on exploit-by-exploit methods, rather than more generalized criminal actions.
One interesting constant has been the phenomenon of social engineering, otherwise known as manipulation of the target in order to gain access to sensitive information to which the criminal is not authorized – and then to use that information to perpetrate identity fraud (unlawful use of the personal information accessed by identity theft).
Phone Scams to Email and Text Scams
For about the same time period as the ICFE has been engaged in the CITRMS® program, the Federal Trade Commission has been responsible for the administration of the “Do Not Call” list. It’s no coincidence that one of the principal means used by identity thieves is the spam call, in which the perpetrator pretends to be a family member or trusted organization seeking to extract sensitive information from the target individual or company.
Many of the reported cases of identity theft begin with the call to the phone number of the target, using manipulative scripts to produce urgency and the desire to help in a critical situation – but resulting in the undue sharing of sensitive information.
As the internet has augmented, or even replaced, conventional phone conversations, social engineering has leaped from spam calls to spam emails. These provocations typically involve some unrealistic offer or urgent message seemingly from a known party (but actually from the cyber criminal).
And, of course, the proliferation of social media platforms and usage expands these types of provocative communication into text messaging (often referred to as “smishing” in the vernacular).
Quite often the perpetrator claims to be calling or emailing from a government agency with urgent need to get information to maintain the target’s benefits or tax status; of course, Social Security and the Internal Revenue Service are the agencies most often cloned by the criminals.
Also common is the hyperlink which appears to come from a legitimate source, often a company where the target already has an account, but directed to a bogus website where the target’s username and password are collected by the criminals; this information is then used to hijack the target’s real accounts.
As identity theft threats have developed, an important aspect of the legal and regulatory response has arisen out of privacy concerns and consumer rights. This response started with the adoption of privacy laws by States and has become a focal point for federal action.
In addition to setting standards and requirements for holders of protected sensitive information, broader provisions have been created, such as disclosure and notification standards and even private rights of action. Under private rights of action, affected parties whose sensitive information has been compromised due to failure on the part of the holders, can sue for damages directly rather than waiting for government fines or punitive actions.
It’s easy to see how any failures in cybersecurity practices resulting in data breaches involving protected personal information can trigger the provisions and penalties of privacy laws and regulations.
As a result, privacy initiatives have become a major driver with immediate effect on cyber practices. It’s worth noting that even compliance with privacy laws may not provide a complete shield against liability in the event of a breach.
In the view of the ICFE, in identity theft risk management, substantial coverage of privacy issues is a necessity, especially as they affect vulnerable demographics, such as seniors, children, and veterans.
ICFE is pleased to report that this emphasis on privacy issues has resulted in the acceptance for CE credit by the leading organization in the field, the International Association of Privacy Professionals.
Enter Cyber Attacks and Cybersecurity
By the time of the most recent update to the CITRMS® XV course, cybersecurity had developed to the point that the ICFE included a whole section on the topic. We were fortunate enough to count on Gary Miliefsky, Publisher of Cyber Defense Magazine, to provide that content for the course.
At this juncture, ICFE is undertaking to launch an update and expansion of the CITRMS® course.
This will include an enhanced section on Cybersecurity, developments in the attack vectors, public and private responses, and the implications for consumers, businesses, and organizations with the responsibility of maintaining the confidentiality, integrity, and accessibility of sensitive information.
As criminals continue to find new means of gaining access to protected information, both high-tech and granular methods of foiling such attacks have tended to focus on resilience and sustainability.
Of course, it’s important to prevent a cyber exploit in the first place. But it’s equally important to be able to recover in both the short term (resilience) and in the long term (sustainability).
Organizationally, this generally translates to maintaining systems with such actions as software updates, education and training for all employees with access to the systems, and procedures to be followed diligently. A good example is the set of “Red Flag Rules” from the Federal Trade Commission to Identify, Detect, Protect and Mitigate, and Update (for the future).
Also on the organizational level, but with a more granular focus, a fundamental requirement is initial and ongoing programs to train personnel to avoid falling into traps such as “clicking” on attachments from unknown or untrusted sources.
Personnel training addresses one aspect of insider threats, but there are several others which have resulted in the creation of an entire discipline of recognizing, identifying and responding to insider threats. They are divided into several categories, based on the individuals and their access to sensitive information.
- Knowing v. Unwitting Vulnerabilities
The insider threat is typically an employee or other individual (such as a volunteer in non-profit organizations) with access to records and files with personal sensitive information. A breach, or access by unauthorized parties, often occurs due to action or inaction by such an individual. The unwitting breach occurs when the person with access is manipulated into sharing a password, allowing physical viewing of sensitive information, or otherwise permits the breach. The “knowing” individual is aware of the unauthorized access and may be under threat or financial incentive to allow it to happen.
- Bribery/Blackmail/Disgruntled Employee
In the case of the “knowing” insider allowing a breach, there may be any of several reasons. Most commonly, the knowing party has been bribed, or threatened with some adverse action, or may be a disgruntled current or prior employee, depending on the circumstances.
- Identity Access Management (IAM)
Whatever the circumstances under which the vulnerability arises, an active Identity Access Management program is a necessity. With an IAM program in place, authorization for access can be restricted, which in turn makes it more difficult for the criminal to gain access to sensitive information.
Changes in levels of access should be imposed when a new employee comes on board, changes positions or responsibilities, leaves the organization, and in any case, on a periodic basis (just like periodically requiring updating passwords).
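The joiner/mover/leaver and periodic-review rule just described can be checked mechanically by reconciling the HR roster against the accounts and entitlements actually provisioned. The following is an added example, not the ICFE's or any vendor's code; the role-to-entitlement policy, the 90-day review period and the roster are constructed assumptions.

```python
"""Joiner/Mover/Leaver access reconciliation (added example; all data constructed)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical policy: the entitlements each role is allowed to hold.
ROLE_ENTITLEMENTS = {
    "caseworker": {"crm_read", "crm_write"},
    "auditor": {"crm_read", "reports_read"},
    "it_admin": {"crm_read", "crm_write", "reports_read", "directory_admin"},
}

@dataclass
class HrRecord:       # what HR says about the person
    user: str
    role: str
    active: bool

@dataclass
class Account:        # what the directory / applications actually grant
    user: str
    enabled: bool
    entitlements: set
    last_review: date

def reconcile(hr, accounts, today, review_period=timedelta(days=90)):
    """Return sorted (user, issue) findings for leavers, movers and stale reviews."""
    findings = []
    hr_by_user = {r.user: r for r in hr}
    for acct in accounts:
        rec = hr_by_user.get(acct.user)
        if rec is None or not rec.active:            # leaver: should be disabled
            if acct.enabled:
                findings.append((acct.user, "leaver account still enabled"))
            continue
        allowed = ROLE_ENTITLEMENTS.get(rec.role, set())
        for ent in sorted(acct.entitlements - allowed):   # mover: rights left over from old role
            findings.append((acct.user, f"entitlement not in role: {ent}"))
        if today - acct.last_review > review_period:      # periodic recertification missed
            findings.append((acct.user, "access review overdue"))
    return sorted(findings)

TODAY = date(2024, 6, 1)
HR = [HrRecord("alice", "caseworker", True), HrRecord("bob", "auditor", True),
      HrRecord("carol", "caseworker", False), HrRecord("dave", "caseworker", True)]
ACCOUNTS = [
    Account("alice", True, {"crm_read", "crm_write"}, date(2024, 5, 1)),
    Account("bob", True, {"crm_read", "crm_write", "reports_read", "directory_admin"}, date(2024, 5, 1)),
    Account("carol", True, {"crm_read"}, date(2024, 5, 1)),
    Account("dave", True, {"crm_read"}, date(2023, 11, 1)),
]

def run_sample():
    return reconcile(HR, ACCOUNTS, TODAY)
```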
Ransomware & Malware
Ransomware and other malware are on the rise nearly everywhere the internet reaches. The trend is away from simple data breaches and toward ransomware attacks. Malware in general is software which invades the systems of the target organization and either prevents them from operating as intended or gives access and control to the criminals. Ransomware is a more specialized attack in which the cybercriminal demands payment for data it has accessed and holds hostage, through encryption or the threat of public disclosure.
On a financial return basis, this makes sense. Under earlier data breach exploits, the criminals simply gained access to the personal information in the data bank of the target organization, then sold that information (usually on the Dark Web) based on the value of the data (financial, medical, etc.).
Typically, the sale would take the form of an auction, in which various (known and unknown) parties would bid and make the purchase. That process is fraught with vulnerabilities, such as the means of payment and the trustworthiness of both parties to the transaction.
In a ransomware attack, there’s just one motivated “buyer” for the safe return of the data held hostage by the criminal. The stakes are high, due to the way the ransomware operates.
The cyber attacker gets two bites at the apple: deny access to the target organization, and threaten to make public the ransomed data. Either or both of these threats compromises the ability of the target to continue as a going concern.
How does this work in practice? Once the ransomware attack is in place, the attacker has full access to the underlying data and files. The next step is to notify the target organization that it no longer has access to its own information. Usually, the notification discloses that the data has been encrypted, and only by paying the ransom can the target get access again.
Now there is an important trust issue: can the criminal be trusted to provide the decryption key or other means of returning access to the rightful owner? There is no reliable information or statistic on this question, due to the secrecy involved in the ransom process, as might be expected. Even payment of the demanded ransom cannot assure the safe return of the hijacked data.
If it turns out that the target organization has viable back-up files of the breached data, the attacker can fall back to the secondary position of demanding payment to refrain from making all the sensitive information public. Of course, such disclosure would undermine the trusted relationship between the target organization and its customers and clients. That’s why it continues as a threat to the survival of the breached organization.
How difficult is it for criminals to get ransomware? Unfortunately, fairly easy. The software itself can be purchased outright or even used through “Ransomware as a Service” facilities available on the internet.
As a result, the ease of use and financial advantages of ransomware have become widespread among cyber criminals, and there is no indication of any diminution of this trend.
The classic description of “risk management” is making an informed decision on which risks to retain and which ones to lay off on someone else (usually in the form of buying insurance to cover specified risks).
As might be expected, the perceived need for insurance against adverse cyber events has been met by a broad array of offerings by major insurance carriers. Some are added on to integrated packages for errors & omissions, director & officer, and business continuity coverage. Some are stand-alone specialized policies.
There appears to be no standardized underwriting process among the dozens of insurance carriers offering some form of cyber insurance. As a result, it is difficult for potential insured parties to make “apples to apples” comparisons of coverage limits, exclusions, deductibles, premiums, and other terms.
Further, as the carriers gain more experience with claims and payments, it appears that the market will continue to be in flux for the foreseeable future. One thing is certain: the carriers must conduct their business in a profitable manner. So ultimately, the rewards (in the form of premiums) must outweigh the risks (in the form of claims payments).
When the Risk becomes a Reality
We come full circle in this discussion, as the educational mission of ICFE is brought to bear on these challenges.
With the pending update of the ICFE’s Certified Identity Theft Risk Management – CITRMS® course, integration of all of these trends will include adding the expanded Restoration/Remediation section.
The entire realm of Identity Theft Risk Management and its implications for Privacy and Cybersecurity developments continues to be a challenging, but very worthwhile, arena for the ICFE to make its contribution to organizations, professionals, and consumers at large.
About The Author
Active with the ICFE since 1987, Mr. Zivanchev worked alongside Paul Richard, then president of the ICFE, as the graphic and publication designer for the ICFE. In 2000, Mr. Zivanchev was appointed to the office of Vice President and Secretary of the ICFE Board of Directors and given the title of Director of Information Technology. The ICFE established its online presence in 2000, with its offerings to consumers and organizations in ICFE Certification Courses, Identity Theft Risk Management and Credit Report Reviewing taking the lead.
Mr. Zivanchev stepped in as Executive Director of the ICFE with the passing of Mr. Richard in 2020. It is Mr. Zivanchev’s goal to take the ICFE to the next step in its evolution in the digital age.
ICFE company website https://icfe.org/