The rising threat of Cyber Attacks & expectations from the ... · The rising threat of Cyber...


A presentation by Mohammed Humayun Kabir FCA
Council Member and Past President, ICAB
April 10, 2016

We are living in the digital (internet) age, where liquid assets are increasingly transferred between parties by electronic means. The thief, or "Chor", who relies on electronic means to commit the Chori (theft) is, in today's jargon, a 'cybercriminal' or 'hacker'. The thief is no longer someone with a stocking over his face and a striped jumper; he or she is more likely to be a geek sitting at home with other geeky friends, thinking up ways to steal your electronic identity or to use some sort of digital Trojan horse to enter your system and steal your cash. The accountancy profession is used to handling big numbers, and there are big numbers around when it comes to cybercrime.

If we were asked to split into two categories - those that know they have been hacked, and those that have been hacked but don't know it - the 'hacked but don't know it' category would probably be the larger.

Cyber attacks pose a threat to all organizations and individuals using the internet. Financial institutions are particularly at risk. Cyber attacks involving data breaches caused by hackers or unauthorized parties have grown in number and sophistication in recent times across the world. Cybercriminals often target one organization and steal a large amount in a short period of time. In a cyber heist, large known accounts or institutions are often the focus; at other times the target may be many customer accounts that collectively contain a large sum of money.

There are two types of hackers. Yellow hackers may only be warning you that your cyber security system needs improvement. But if you are under attack by black hackers, their objective is not innocent: it is to commit a crime of theft or a heist.

Black hackers may carry out cyber attacks that are untargeted or targeted.

Untargeted: In an untargeted attack, criminals do not focus on a particular victim but target as many devices, users or services as possible through attacks such as phishing, water holing, ransomware and scanning. Phishing is sending mass emails requesting sensitive information or directing users to visit fake websites. Water holing is creating fake websites or compromising legitimate websites in order to exploit visitors. Ransomware is locking out and holding files hostage via encryption or other means until the owner of the system pays a ransom to have the files unlocked, which often does not happen even after the ransom is paid. Scanning is attacking wide sections of the internet at random.

Targeted: Cyber criminals are increasingly employing targeted attack strategies specifically against financial institutions, including spear phishing (sending emails with malicious software attached to individuals at the institution), launching distributed denial of service attacks (shutting off internet access to bank services by directing waves of internet traffic from compromised computers to the bank, sometimes involving efforts to distract bank personnel while criminals gain unauthorized remote access to accounts), and subverting the supply chain (attacking the equipment or software that is delivered to the organization).

Cyber attacks may be against individuals, property, society at large or government:

Against individuals: harassment via e-mail, cyber-stalking, defamation, hacking, cracking, SMS spoofing, carding, cheating and fraud, assault by threat.

Against property: intellectual property crimes, cyber squatting, cyber vandalism, hacking systems, transmitting viruses, cyber trespass, internet time theft.

Against society at large: child pornography, cyber trafficking, online gambling, financial crimes, forgery.

Against government: cracking into a government- or military-maintained website by an enemy state or by individual(s) patronized by enemy state(s). There is an increasing threat of destructive cyber attacks by enemy states. If you are connected to the Internet, you are vulnerable to determined nation-state attackers.

Obviously, to carry out these attacks one needs sophisticated, expert knowledge of ICT.

Cyber attacks against banks and financial institutions:

Bank heists have been surprising because it made no difference to the criminals what software the banks were using. They remind us that the world's financial systems are vulnerable to cyber attacks.

Online banking accounts are often the targets of cyber heists. The accounts may be found through hacking or phishing campaigns and cashed out in a single operation. The theft may involve a specific bank's customers or a single large account.

Credit cards, debit cards and bank accounts are also targets in cyber heists. Cybercriminals might steal track 2 credit card or debit card data and use card embossers and magnetic stripe encoders to create card clones. Point-of-sale malware is often used to acquire massive numbers of cards. In either case, the cybercriminals might use cloned cards for cashing out at ATMs or sell them on underground online sites.

In December 2012, for example, cybercriminals stole $45 million from two Middle Eastern institutions, the Bank of Muscat and RAKBANK. Withdrawals were made in 27 different countries through over 36,000 transactions. Forty million was stolen within 10 hours from Bank of Muscat, the larger of the two.

In a series of coordinated bank cyber attacks initiated in late 2013, an unknown group of criminals stole as much as USD 1 billion from banks and financial institutions in the USA. The criminal group gained access to 100+ banking entities via spear phishing emails sent to bank employees. The emails appeared to be legitimate banking communications in the form of Microsoft Word and CPL files. The emailed files contained malware that, once the files were opened on the institution's network, exploited vulnerabilities in Microsoft Office and Microsoft Word and executed a remote backdoor providing the criminals remote access to the banks' computers.

Once access was achieved, the attackers installed additional software and spied on the activities of bank employees and administrators through video surveillance, allowing the criminals to impersonate legitimate users to perform later actions, including manipulating accounts, transferring money and ordering ATMs to dispense cash at designated times and places.

In most cases, the institutions' accounts were compromised for several months before the attackers actually stole any funds. Particularly concerning to banks is that it made no difference to the criminals what software the banks were using.

Among the more notable cyber attacks was a July 2014 attack involving a large regional bank network in the USA that was accessed by an unknown third party, placing over 72,000 customer accounts at risk of exposure.

In 2014, cybercriminals waged what appears to be an expanding offensive of cyber attacks on financial institutions in the USA. Following an investigation, it was determined that the unauthorized third party may have obtained access to customer information, including names, addresses, account numbers, account balances and personal identification numbers. In another cyber attack several weeks later, a large national bank was victimized by one of the largest cyber security breaches involving a U.S. bank, with approximately 76 million household and 7 million small business accounts compromised. The cyber attackers gained access to the bank's servers that housed consumer account information.

Due to the manner in which the cyber attack was orchestrated, it went undetected for almost two months before the bank discovered it and moved to close access paths on over 90 servers. A particular aspect of cyber attacks that complicates banks' ability to monitor effectively and maintain adequate cyber security protocols is that an attack may sometimes come by very conventional means that exploit a network system or process vulnerability that may not be evident or obvious to the institution. This was the case when a highly publicized mobile payment platform was unveiled and cybercriminals seized upon a method employing identity theft, rather than hacking into the payment system, to exploit the customer sign-up process and validate credit cards for use on the new payment system.

The cyber criminals exploited the sign-up process at the front end by using easily obtainable customer information to validate a credit card for the mobile payment system, counting on the fact that some banks would be motivated to streamline the customer account sign-up process and not require additional verification information to validate customer credentials, i.e., to make the process as seamless as possible. As a result, notwithstanding an extremely secure token security methodology embedded in the mobile payment platform, cybercriminals were able to infiltrate customer bank accounts at the bank end of the validation process by relatively rudimentary means. The mobile payment provider and the banks are therefore reviewing procedures to prevent this issue from recurring, including the possibility of using a PIN issued by a bank to its customer for one-time use to register a new card.
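The one-time registration PIN mentioned above, as an added example that is not part of the presentation: the weak "easily obtainable information" check is shown beside a bank-issued PIN that is delivered out of band, stored only as a keyed hash, expires, locks after repeated wrong guesses and can be redeemed exactly once. The class and function names, the ten-minute lifetime, the three-attempt limit and the sample customer data are assumptions.

```python
"""Card-enrolment check for a mobile payment platform: the streamlined
'last four digits plus ZIP' check beside a bank-issued one-time PIN.
Added illustration; names, limits and sample data are assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

PIN_TTL_SECONDS = 10 * 60   # a registration PIN lives ten minutes (assumption)
MAX_ATTEMPTS = 3            # lock the PIN after three wrong guesses (assumption)


def weak_register(card_last4: str, zip_code: str, known_customer: dict) -> bool:
    """The check the slides criticise: both values are easily obtainable
    customer information, so identity theft alone passes it."""
    return (known_customer["last4"] == card_last4
            and known_customer["zip"] == zip_code)


@dataclass
class IssuedPin:
    card_id: str
    pin_hash: bytes              # only a keyed hash of the PIN is kept
    expires_at: float            # absolute time, same clock as redeem()
    attempts_left: int = MAX_ATTEMPTS
    used: bool = False


class RegistrationPinService:
    """Issues one PIN per card, to be delivered through a channel the bank
    already authenticates (its own app or a letter), and redeems it once."""

    def __init__(self, server_key: bytes):
        self._key = server_key
        self._pins = {}          # card_id -> IssuedPin

    def _hash(self, card_id: str, pin: str) -> bytes:
        # HMAC with a server-side key: a leaked PIN store does not reveal PINs
        msg = f"{card_id}:{pin}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, card_id: str, now: float) -> str:
        pin = f"{secrets.randbelow(10**8):08d}"   # 8 random digits
        self._pins[card_id] = IssuedPin(card_id, self._hash(card_id, pin),
                                        now + PIN_TTL_SECONDS)
        return pin   # handed to the delivery channel, never stored in clear

    def redeem(self, card_id: str, pin: str, now: float) -> str:
        """Return a status string; only 'registered' enrols the card."""
        rec = self._pins.get(card_id)
        if rec is None:
            return "no_pin_issued"
        if rec.used:
            return "already_used"     # replaying a captured PIN fails
        if now > rec.expires_at:
            return "expired"
        if rec.attempts_left <= 0:
            return "locked"           # guessing is capped, not just slowed
        if not hmac.compare_digest(rec.pin_hash, self._hash(card_id, pin)):
            rec.attempts_left -= 1
            return "wrong_pin"
        rec.used = True
        return "registered"
```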

In February 2016, cyber criminals stole $81 million from Bangladesh's central bank. The theft surely qualifies as one of the biggest cyber heists ever. The cyber thieves hid their tracks by installing malware that manipulated a central bank printer to hide evidence of the heist, according to a person familiar with the investigation. A computer and printer that Bangladesh Bank used to order SWIFT wire transfers were manipulated so that authorities could not see records of outgoing wire transfer requests or receipts confirming that they had been received. Details about the issues with the computer and printer were among the first clues to surface as to how the attack was carried out. Malware was suspected to have been installed on the central bank's computer systems. Then the hackers appeared to have stolen Bangladesh Bank's credentials for the SWIFT messaging system, which banks around the world use for secure financial communication.

The computer linked to the SWIFT system at Bangladesh Bank was supposed to keep records so they could be easily reviewed by bank staff. Officials saw the first signs that something was off on February 5, 2016, when they noticed a glitch with a printer that is set up to automatically print all SWIFT wire transfers. When they realized the previous day's transactions had not been printed, they attempted to print them manually but were unable to do so. One official asked for the printer to be repaired before leaving the office that day, which was a Friday and the first day of the weekend in Bangladesh. Other bank employees later decided to wait until the next day to fix it. When the officials tried to access the computer the bank uses to send SWIFT messages, they got messages saying a file, NROFF.EXE, "is missing or changed".

They were eventually able to access the SWIFT messaging system on February 8 and print out messages, after obtaining clearance from senior bank officials to use other means to access the system. When they printed the SWIFT messages, there were three from the New York Fed seeking information about several suspicious transactions, which alerted them to the heist.

Brussels-based SWIFT, a bank-owned cooperative that runs a secure private messaging system widely used for requesting money transfers, said that "SWIFT's core messaging services were not impacted by the issue and continued to work as normal."
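The two detective controls that the Bangladesh Bank account turns on, as an added example that is not part of the presentation: a daily reconciliation of the SWIFT instructions actually sent against the bank's own internal payment-approval register and against the printed confirmations, plus an integrity check of the workstation's print modules against a baseline. Record layouts, the constructed sample day, the second module name and all digests are assumptions; only the file name NROFF.EXE comes from the slides.

```python
"""Reconciliation and file-integrity checks for a SWIFT workstation.
Added illustration; record layouts and sample data are constructed."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Instruction:
    ref: str            # transaction reference, e.g. the MT103 :20: field
    amount: float
    beneficiary: str


def reconcile(approved, sent, printed):
    """Cross-check three independent records of one business day.

    approved: Instructions authorised in the bank's internal payment register
              (a source the SWIFT workstation cannot rewrite).
    sent:     Instructions the SWIFT interface actually transmitted.
    printed:  refs for which a printed confirmation / acknowledgement exists.
    Returns a list of (severity, message) findings.
    """
    findings = []
    approved_by_ref = {i.ref: i for i in approved}
    printed_refs = set(printed)
    sent_refs = {i.ref for i in sent}
    for instr in sent:
        approved_instr = approved_by_ref.get(instr.ref)
        if approved_instr is None:
            findings.append(("critical", f"{instr.ref}: sent but never approved "
                             f"internally ({instr.amount:,.2f} to {instr.beneficiary})"))
        elif (approved_instr.amount, approved_instr.beneficiary) != \
                (instr.amount, instr.beneficiary):
            findings.append(("critical", f"{instr.ref}: sent instruction differs "
                             "from the approved one"))
        if instr.ref not in printed_refs:
            # The missing printouts were the first symptom staff noticed.
            findings.append(("high", f"{instr.ref}: no printed confirmation "
                             "for a sent instruction"))
    for ref in sorted(approved_by_ref.keys() - sent_refs):
        findings.append(("medium", f"{ref}: approved but not sent"))
    for ref in sorted(printed_refs - sent_refs):
        findings.append(("medium", f"{ref}: printed confirmation with no "
                         "sent instruction"))
    return findings


def check_modules(baseline, current):
    """Compare SHA-256 digests of the workstation's print/confirmation modules
    with a baseline recorded at installation.  baseline maps file name -> hex
    digest; current maps file name -> bytes found on disk today.  A module that
    is 'missing or changed' is itself an alert, not a printer fault."""
    status = {}
    for name, expected in baseline.items():
        if name not in current:
            status[name] = "missing"
        elif hashlib.sha256(current[name]).hexdigest() != expected:
            status[name] = "changed"
        else:
            status[name] = "ok"
    for name in current.keys() - baseline.keys():
        status[name] = "unexpected"
    return status


def demo():
    """Constructed sample day: two approved payments, one unauthorised
    instruction, a printer that confirmed only the first payment, and a
    module that has disappeared from the workstation."""
    approved = [Instruction("REF001", 1_000_000.00, "Supplier A"),
                Instruction("REF002", 250_000.00, "Supplier B")]
    sent = approved + [Instruction("REF999", 81_000_000.00, "Unknown private account")]
    printed = ["REF001"]
    findings = reconcile(approved, sent, printed)

    baseline = {"NROFF.EXE": hashlib.sha256(b"print-module-v1").hexdigest(),  # name from the slides
                "PRTSPOOL.DLL": hashlib.sha256(b"spooler-v1").hexdigest()}    # constructed name
    current = {"PRTSPOOL.DLL": b"spooler-v1"}                                  # NROFF.EXE is gone
    return findings, check_modules(baseline, current)


if __name__ == "__main__":
    findings, status = demo()
    for severity, message in findings:
        print(f"[{severity}] {message}")
    print(status)
```

The independent approval register is what catches an instruction sent with stolen SWIFT credentials; the printout check alone would only have reported that the printer was silent.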

The money moved from Bangladesh's account at the Federal Reserve Bank of New York to private accounts in the Philippines, from which it was channeled to other accounts, including those of some gambling operations and a casino. The New York Fed has disclaimed any responsibility for the fraudulent transfers. In a statement, it said: "There is no evidence of any attempt to penetrate Federal Reserve systems in connection with the payments in question.... The payment instructions in question were fully authenticated... in accordance with standard authentication protocols." Assuming the Fed's defense survives scrutiny, it suggests, but does not prove, an inside job at Bangladesh Bank and at least one bank in the Philippines. Were people bribed to reveal the access codes or to overlook suspicious transfers? Did the criminals plant people inside the bank to orchestrate the theft? We don't know.

Another source of confusion is that the theft occurred in February but wasn't revealed - even to other parts of Bangladesh's government - until March. What is known is that the scheme's ambition far exceeded the $81 million that was transferred to the Philippines. The original goal was apparently about $1 billion, to be conveyed through 35 separate transfers. Most of those transfers were never made. Why? By one press version, doubts emerged when a word was misspelled on one transfer document. (The word "foundation" was spelled "fandation".) By another story, the fact that so much money was going to private accounts stirred suspicions. It's unclear whether someone at the New York Fed stopped the transfers and, if not, who did. The hackers may have penetrated the central bank's computer system for several weeks before the transfers occurred.

Whatever the final story, there are lessons to be learnt. Whatever the Fed's direct involvement, it failed to spot a phony transaction before the funds were sent. Why was this? Can screening be improved?

The Bangladesh cyber heist should ring alarm bells for the financial world:

Central banks make fat targets. Those in the developing world, with lots of new capital but not as much digital fortification, are especially at risk. Bangladesh has some $28bn in foreign currency reserves with alarmingly rickety fences around it: a hacker's dream. Officials at Bangladesh Bank also kept quiet for more than a month, a grim reminder of how crucial information sharing is. Even after a successful heist, preventing hackers from moving the money requires global co-operation. The thieves in this case laundered much of the cash through casinos in the Philippines, where casinos are exempted from otherwise strict anti-money-laundering requirements.

What's ultimately at stake is a stable global financial system. Financial networks depend on trust that what's deposited won't vanish, and that transactions are legitimate and not falsified. The loss of trust threatens to undermine payment networks and the reliability of financial record keeping. The theft confirms that most electronic networks are no stronger than their weakest links. "More connectivity" - making networks more useful - "means more vulnerabilities" - making networks more defenseless. This dilemma defines the Internet Age.

The government has to recognize and take appropriate steps to respond to the growing threat of cyber terrorism. There is a need for sharing of cyber security threat information within the private sector and between the private sector and the government, through the formation of Information Sharing and Analysis Organizations.

Professional Accountants in Practice are sometimes responsible for advising organizations on improving their cyber security. Professional Accountants in Business are part of the team responsible for the governance of their organizations. Both groups should know and see that an effective Cyber Risk Management Program (CRMP) is functioning in the organizations they are related to. The core components of an effective CRMP are:

- Risk management and oversight
- Collaboration
- Security controls
- External dependency management
- Cyber incident management and resilience

Risk management and oversight involves governance, allocation of resources, and training of employees. Senior management should clearly define the roles and responsibilities for identifying, assessing and managing cyber security risks across the institution. Training programs should be updated to respond to changing circumstances and provided routinely.

Collaboration requires the analysis of information to identify, track and predict cyber attacks, and includes monitoring and sharing information from multiple sources.

Cyber security controls should include preventative controls to impede unauthorized access to systems, detective controls to identify attacks, and corrective controls to address identified vulnerabilities. Financial institutions should incorporate measures that impede unauthorized access to their internal systems and consumer data, such as encrypting consumer information. Institutions should also invest in and implement anti-virus and anti-malware detection tools, routinely scan information technology networks for vulnerabilities and suspicious activity, and test systems for exposure. Furthermore, institutions should develop and test processes for shutting down unauthorized access and remediating damage to IT systems.

External dependency management involves connectivity to third party providers and customers and the financial institution's oversight of these relationships. Institutions consider the risks of each relationship and evaluate a third party's cyber security controls before entering into third party contracts.

Cyber incident management and resilience involves incident detection, response, mitigation and reporting. Financial institutions should have procedures for notifying customers, regulators and law enforcement when incidents occur. Institutions should also develop business continuity and disaster recovery plans, and test such plans across business functions to identify gaps before cyber attacks occur.

Cost of cyber attacks: There are numerous additional costs that institutions must consider in the new world of cyber risks and vulnerabilities. Besides the loss of money (their own or depositors'), all organizations, particularly banks and other depository institutions, must be mindful that they may incur additional costs as a consequence of cyber attacks.

Litigation cost - Identity theft and breaches of consumer privacy expose financial institutions to a significant risk of consumer litigation. For example, in 2014 a USA hospital sued its bank to recoup losses from a cyber-heist in which cyber thieves broke into the hospital's payroll accounts and put through three unauthorized payments, siphoning over $1 million. The hospital sued the national bank for processing an unauthorized transfer request, arguing breach of a contractual provision which required the bank to implement a risk management program.

Cost to comply with regulatory requirements - The pace of new regulatory requirements can challenge the change-management capabilities of some financial institutions and lead to increased operational and compliance risks if banks do not adequately invest in control processes, systems or staff. Institutions may be cited for weak cyber security systems and inadequate controls as part of an overall operational risk review. Of particular concern is the likelihood that the industry will see increased enforcement actions, given increased regulatory concerns over data privacy and cyber terrorism. A cyber attack could lead to the imposition of regulatory, civil and/or criminal fines and penalties arising from the failure of a depository institution to maintain an adequate cyber security program.

Goodwill / Reputational Loss - Data breaches expose customers to an increased risk of identity theft and loss of privacy, which will result in loss of confidence in a financial institution's security systems and in the financial institution itself. Not only can a cyber attack damage an institution's relationship with its customers, but the negative publicity surrounding a breach can have long-term impacts. A successful cyber attack not only can lead to loss of business, but can expose the financial institution to consumer litigation, regulatory enforcement actions and even criminal investigations, all of which will further exacerbate damage to the institution's reputation.

Other Costs - One cost that many institutions are now taking on is cyber insurance policies, which can help to mitigate some of the costs and liabilities created by cyber attacks and data breaches. Specialized cyber insurance policies now cover data breaches, identity theft, loss of data, business interruption, cyber extortion, crisis management and other cyber-risk areas. As with any other significant cost decision, institutions must carefully weigh the extent of the additional insurance and whether the cost is justified by the additional protection provided under a particular cyber insurance policy.

Third-Party Risk Management - Vendors may sometimes provide a "backdoor entrance" for hackers seeking to steal sensitive bank customer data. An area of particular concern to bank regulators is the exposure and vulnerability of banks to third party service providers that may not be adequately prepared or equipped to address their own cyber-security vulnerabilities and, thus, may wittingly or unwittingly act as a Trojan horse that exposes banks to new cyber-risks.

Impact on Smaller Institutions - Larger banks generally have sophisticated IT systems to guard against cyber attacks. By contrast, smaller community-based banks generally lack such systems and, therefore, are often a prime target for cyber thieves. However, many institutions, particularly smaller community-based institutions, have yet to face a full-blown cyber attack and, thus, may not fully appreciate the extent of the risk. This remains a significant industry challenge.

Cyber Attacks in Business Organizations: So far we have discussed cyber attacks on financial institutions. Let us now look at cyber attacks from the business organization perspective:

Cyber attacks are becoming more common, more varied and more sophisticated. As John Chambers, executive chairman of Cisco, the US network equipment company, said: "There are two types of companies: those who have been hacked, and those who don't yet know they have been hacked."

The list of well-known companies whose IT has been hacked is growing. After TalkTalk announced that it had been hacked, its shares fell sharply and the company's chief executive, Dido Harding, struggled to reassure customers, investors and the media that the company was getting to the bottom of what had happened. Just a few days later a second telecoms company, Vodafone, also said that it had been the victim of an attack by hackers.

Company directors more often discharge their duties by delegating them to professional accountants, who then have to come up with methods to protect the company silver, increasingly in a digital environment. No doubt there is merit in creating complex passwords, keeping passwords secure and changing them frequently, but accountants have to keep up with changing technology. The increased use of smartphones and apps, where many employees use one device on which to perform both their professional and social activities, could lead to a cyber-breach. Cybercriminals often use pieces of information from social media pages to assemble a target's identity.

We are overly casual with our cyber hygiene. From top to bottom, passwords are often shared, sensitive information is dropped in conversation, and systems are left running and unattended. As professional accountants working in industry, some ownership, or rather leadership, has to be adopted to drive cyber hygiene in our organizations.

Cyber Protection: Biometrics

Cyber attackers demonstrate considerable agility and adaptability. In some cases, savvy attackers have used increased levels of deception by hijacking companies' own infrastructure and turning it against them. Advanced cyber attackers are using legitimate software on compromised machines to continue their attacks without risking discovery by anti-malware tools; they have used a company's own management tool technology to move stolen IP around the corporate network, and have built "attack software" inside their victim's network, on the victim's own servers. Protection against cyber attacks has therefore become more challenging than ever before. However, many experts recommend using biometrics to tighten security.

Page 30

Biometric technology, which identifies a person by their unique physical or behavioral characteristics, is increasingly used as a convenient alternative to a password, for authorizing online payments or gaining entry to a building. Convenience may have drawbacks, though. Some security experts reckon that hackers will focus more on stealing people’s biometric data as it becomes more widely employed. Therefore biometric security isn’t mainstream yet.

What can companies and their accountants do to minimize security risks, then? Some suggestions are:

First, get an overview of your IT. Keep an up-to-date inventory of your hardware – your devices (all servers, workstations, laptops and remote devices connected to your business network) – and software (particularly the stuff that has security vulnerabilities and software that’s not authorised for business use). This should make it quicker to find and fix IT after it has been hacked.

Page 31

Next, review the information your business holds and work out what the most important information is (for example, designs for an innovative new car if you’re a car maker, or customer credit card details if you’re a bank). Make protecting this information a priority.

Don’t rely on one type of security technology, such as anti-virus software on workers’ desktops. Add more controls like anti-malware technology and email gateway security controls (technology that blocks spam emails and also helps to prevent the loss of data).

More employees are using their own smartphones and tablets for work, which can improve productivity and make it easier to work out of the office. It can also cause IT security problems if workers download customer data and other intellectual property, and possibly viruses, onto devices that may not be as secure as ones supplied by their employer. Develop company rules for employees using their own devices. Some companies give workers “read and write” access to data on a mobile device but don’t allow them to extract it outside the corporate network.

Page 32

Cloud Security

Cloud computing – large networks of web servers and data centers that are run online rather than on customers’ own computers – is increasingly popular in business, including for email systems, customer-relationship management and accounting software, and document-sharing applications such as Dropbox. Storing data online is usually cheaper and can be a useful backup for data stored in company offices. If there’s a fire or major IT failure at your company, retrieving data from the cloud can be done quickly.

But take care. Companies are responsible for any security breaches on the part of the supplier holding their data, so it’s important to check the supplier’s arrangements for security and data backup/business continuity.

Page 33

IT security for Accounting

Accountants need to get their own houses in order first. There are firms of accountants who do payroll accounting for lots of their clients, so they hold personal data, such as bank account details, that is considered sensitive. If they lose clients’ data, or if the data is hacked, accountants could be fined and jailed if found guilty. As accountants, you hold significant amounts of confidential data. Cybercriminals will get in, take your data and leave, and make every effort not to leave a trace. Do you know whether your data has been accessed, read, copied? Most won’t.

Opportunities for Accountants

Cyber threats could also be good news for accountants. The reality is that there’s no one explaining IT security to small and medium businesses. There is a huge opportunity for accountants to provide new services, to engage with clients and have sensible discussions about information security. Security training doesn’t have to be overly technical. It’s useful for accountants to know how to install a firewall, but they probably don’t need to know how to write computer code.

Page 34

Accountants can help business clients identify their most important information, how serious the security threats to that information are, and any gaps in security, such as staff who need training in IT security. Employees are often the cause of accidental leaks of data.

While preparing for discussion with management for advisory services on cyber security, look for the answers to the following questions:

Does the organization use a security framework? For example, NIST 800-53 (the U.S. Federal Government’s comprehensive framework) or the COBIT framework (Governance, Risk, and Control).

What are the top five risks the organization has related to cyber security? The potential areas of risk are: proliferation of BYOD and smart devices; cloud computing; outsourcing of critical business processes to a third party (and lack of controls around third-party services); disaster recovery and business continuity; periodic access reviews.

Page 35

How are employees made aware of their role related to cyber security?

The organization should have a security awareness training program, and each employee should be required to review the training and pass the test annually. The CEO (or other top executive) must communicate the importance of safeguarding the organization’s critical assets.

Cyber security, though prosaically boring, is everyone’s responsibility. (The “I am not a technical person” explanation can’t help.) Making better use of encryption, access controls and strong verification systems, with constant updating, can help, but nothing can substitute for training and vigilance. The financial world needs to be on alert round the clock.

Page 36

Who is accessing what IT

Keeping track of who is accessing what IT is another important part of information security. Companies can reduce the damage caused by successful hacks by encrypting their most important information (for example, credit card data for banks or patient records for hospitals).

Does the business have a continuity plan? A good business continuity plan can also help minimize the damage if security fails. The plan, which should be tested at least once a year, can help maintain business functions or get them up and running again quickly if there is major disruption, such as a fire or flood, serious illness among workers, or a massive cyber attack. Business continuity plans vary but most will focus on three things: people (are staff trained to take on different jobs if a disaster happens and colleagues are injured or killed?); premises (relocating workers to another company building if the head office is damaged/destroyed, or enabling them to work remotely); and technology (running computer systems from backup locations).

Page 37

You should define what is classed as a disaster for your business, how quickly you need to be operational, and identify the key people and systems which are mission critical to the operation of the business. Your service level agreement with your provider should reflect these. As each business is different, so is a business continuity plan: it’s all about understanding your objectives.

As technology becomes more advanced, so do hackers and organized crime. The mass of information, and claim and counter-claim about security threats and the technology to deal with them, can be confusing. Accountants can help business clients be prepared for the worst hacks and boost their fees at the same time. Prepare for discussions with management and internal audit; for simplicity and brevity, each question outlines suggested action items.

Page 38

Business complacency is one of the real concerns today. The following statements work against cyber security:

We don’t need protection as we have never had a data loss or breach;
Our email is already secure enough;
Of course we are fully protected, our IT guys sort all that out;
If we implement security for our customers they will go elsewhere;
We have added a disclaimer to our emails;
We are insured so it doesn’t matter;
We think the problem is over-stated; and
Our board won’t spend the money.

The list is actually far longer but you will see a common theme here, which is: a failure to assess the risk and a failure to act upon it. The first point is the strangest. It is analogous to saying I don’t need to wear a seat belt as I have never had a crash.

Page 39

One thing is clear: countries need to act, and need to act fast. The time that businesses are taking to get their house in order and the complacency around the general population is having a marked effect. Cybercrime is growing in two ways. The first is in quantity – there are increasing levels of attacks against individuals and businesses. The second growth is in sophistication – criminals’ methods are becoming more cunning. If you put fast growth in cybercrime activity against slow growth in our ability to deal with it, you can easily spot the issue. We have a growing gap between the rate at which we are able to detect, protect, catch and prosecute and the rate at which cybercrime is growing.

If you believe that cybercrime does not concern you and it is something that impacts other people, think again. One of our biggest challenges is simply lack of imagination. Cybercrime is high volume, low value on the whole. Criminals may not be targeting you specifically because of who you are; you are simply in a numbers game. You may not be targeted for any other reason than that you have inadequate protection and you can be exploited. Your data is valuable.

Page 40

So what has this to do with the accountancy profession? E-mail is the backbone of our communications. But is our email protected? The answer is either yes or no. If it is protected you will know it, as you will be doing something extra to normal email. If you simply think that it is “probably secure” then it isn’t. If your email is not protected, then maybe it’s time to stop contributing to the wider risk of cybercrime.

Protecting yourself from viruses, spyware and phishing scams may seem obvious when you receive an email from someone you do not know saying you have won £500,000,000. But what about when it ‘appears’ to be from somebody you know and trust?

Most threats are designed to be tricky to spot, which is why you need to be alert and ensure that you are protected at all times. You don’t need to know everything about computers to protect yourself; you just need to know what to look out for and how to avoid it.

Page 41

Some tips to help stay protected:

Match the person or company sending you the email with the context before deciding it is real. Your bank will never send you an email asking for your personal details; just because it looks nice doesn’t mean it is right. In almost 100% of cases what is actually happening is that a hacker has masked their email address to look like it is from someone else. You click the link and navigate to the FAKE website so they can capture your details. The next minute you have no money left.

When downloading a file online be wary of what you are downloading: a virus won’t be called virus.exe, it may be called something like receipt 29836 or summer_photos Oct. Just because something looks genuine doesn’t mean it is; always check who is sending you these files and, if you are getting them from a website, whether the website is trusted. Anti-virus software will not always save you when downloading a virus: sometimes it may be able to detect it when you try downloading the file, but sometimes it won’t.

Page 42

Just because you have anti-virus software doesn’t mean you are safe. Be vigilant when browsing the internet and don’t visit pages you are unsure of. Be careful when opening attachments: do you know the sender? Are you expecting the email? Although anti-virus will protect you 90% of the time, nothing gives you 100% protection. Think of it like this: you don’t need a lock on your front door, but it is much harder for a burglar to break in if you have one! Sometimes, using common sense is the best way forward. You wouldn’t let a stranger into your house, so why do the same to your computer?

Phishing is one of the main threats to people and to businesses. Phishing appears in many different ways but its end goal is always the same: they want your personal information to take your data and/or money. Do you know where that link is actually sending you? It is not hard to make a link look like it is going to Google when it is actually going to some server elsewhere. When you receive a link, you can hover your mouse over it to reveal the true destination. Try it now with the link on this slide, www.hallidays-it.co.uk: your web browser should show you the actual address (Chrome users hover then look bottom left).

Page 43

The link above looks like Hallidays’ IT website but it actually links to moneynowsucker.com. This is called phishing – the term used when you think you are clicking on a link to do one thing, but what actually happens is another. This type of threat is something that an anti-virus cannot protect you from.

Cyber criminals will usually send you something like this to make you think that your account is in danger: “To protect yourself, just log in and change your account details.” What they are really doing is sending you to a bogus site to log your information. Phishing has become increasingly common and, as it is rarely detected by anti-virus, many people are affected.
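A defensive check covering both tricks described above, the masked sender address (page 41) and link text that names one site while the href goes to another (pages 42 and 43), as an added example that is not part of the original presentation. The sample HTML and From: header are constructed; www.hallidays-it.co.uk and moneynowsucker.com are the slides' own illustration.

```javascript
// Added example, not part of the original presentation: flag a visible identity
// that names one domain while the real address or href points elsewhere, the
// pattern the slides describe (a "masked" sender; link text reading
// www.hallidays-it.co.uk while the href goes to moneynowsucker.com).
// The sample HTML and From: header below are constructed for this demo.
const SAMPLE_HTML = `
<p>Statement: <a href="https://www.hallidays-it.co.uk/statement">www.hallidays-it.co.uk</a></p>
<p>Verify now: <a href="http://moneynowsucker.com/login">www.hallidays-it.co.uk</a></p>
<p>Search: <a href="https://www.google.com/">google.com</a></p>
<p>Account: <a href="http://192.0.2.10/secure">Log in to your bank</a></p>
`;
// Lower-case and drop a leading "www." (naive: no public-suffix rules like co.uk).
function normaliseHost(host) {
  return host.toLowerCase().replace(/^www\./, "");
}

// Pull a domain-looking token out of visible text, if there is one.
function domainInText(text) {
  const m = text.match(/(?:https?:\/\/)?((?:[a-z0-9-]+\.)+[a-z]{2,})/i);
  return m ? normaliseHost(m[1]) : null;
}

// Classify one hyperlink from its visible text and its real destination.
function checkLink(text, href) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return { verdict: "suspicious", reason: "href is not a parseable URL" };
  }
  if (!/^https?:$/.test(url.protocol)) {
    return { verdict: "suspicious", reason: `non-web scheme ${url.protocol}` };
  }
  const host = normaliseHost(url.hostname);
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) {  // raw IP: unusual for a business login page
    return { verdict: "suspicious", reason: `href points at raw IP ${host}` };
  }
  const shown = domainInText(text);
  if (shown && shown !== host) {
    return { verdict: "suspicious", reason: `text shows ${shown} but href goes to ${host}` };
  }
  return { verdict: "ok", reason: "" };
}

// Same idea for a From: header: the display name claims one domain while the
// real address (inside the angle brackets) belongs to another.
function checkSender(fromHeader) {
  const m = fromHeader.match(/^(.*?)\s*<([^>]+)>\s*$/);
  if (!m) return { verdict: "ok", reason: "no separate display name" };
  const [, displayName, address] = m;
  const shown = domainInText(displayName);
  const real = normaliseHost(address.split("@").pop());
  if (shown && shown !== real) {
    return { verdict: "suspicious", reason: `display name shows ${shown} but address is at ${real}` };
  }
  return { verdict: "ok", reason: "" };
}

// Extract anchors with a regex (fine for this constructed sample; use a real
// HTML parser on arbitrary pages) and classify each one.
function findDeceptiveLinks(html) {
  const anchor = /<a\s[^>]*href=["']([^"']+)["'][^>]*>([\s\S]*?)<\/a>/gi;
  const results = [];
  let m;
  while ((m = anchor.exec(html)) !== null) {
    const [, href, text] = m;
    results.push({ text: text.trim(), href, ...checkLink(text, href) });
  }
  return results;
}
for (const r of findDeceptiveLinks(SAMPLE_HTML)) {
  console.log(`${r.verdict.padEnd(10)} ${r.text} -> ${r.href}  ${r.reason}`);
}
console.log(checkSender('"billing@hallidays-it.co.uk" <alerts@moneynowsucker.com>'));
```

The host comparison is deliberately simple; a production filter would apply public-suffix rules and also catch look-alike spellings, which this check does not attempt.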

Is your computer password... password? Perhaps password123? Do you use your name, your pet’s name or your date of birth? Hacking is much easier when you use simple or personal passwords. The best way to protect yourself is to use something random, something that nobody could guess from any personal information.

Page 44

Misconceptions surrounding computer security

When you get a virus you lose everything on your computer AND need to buy a new one.

You need to be a computer expert to protect yourself, your family and your business.

FREE antivirus is just as good as a paid-for service.

NONE OF THE ABOVE IS TRUE! Computer security is an ever-increasing headache for business owners and users. The first thing you need to do is be aware. Once you are armed with the right knowledge, you are already much better prepared.

Working in partnership with auditors can go a long way and, if managed effectively, can help in improving the security posture of the organization.

Page 45

All types of cyber crimes involve both the computer and the person behind it as victims. Cyber crime could include anything as simple as downloading illegal music files to stealing millions of dollars from online bank accounts. Cyber crime could also include non-monetary offenses, such as creating and distributing small or large programs, written by programmers and called viruses, on other computers, or posting confidential business information on the Internet. An important form of cyber crime is identity theft, in which criminals use the Internet to steal personal information from other users. Various types of social networking sites are used for this purpose, to find the identities of people of interest.

Page 46

In conclusion, computer crime does have a drastic effect on the world in which we live. It affects every person no matter where they are from. Hackers are as old as the Internet and many have been instrumental in making the Internet what it is now. It is our role to keep the balance between what is a crime and what is done for pure enjoyment. Passwords might be replaced by more secure forms of security like biometric security. Criminals have also adapted the advancements of computer technology to further their own illegal activities. Without question, law enforcement must be better prepared to deal with many aspects of computer-related crimes and the techno-criminals who commit them. Certain precautionary measures should be taken by all of us while using the internet, which will assist in challenging this major threat of cyber crime.

Page 47

Recommendation

Establishment of a Regulatory Authority for framing a framework & standards for cyber security.

Updating of ICAB study manuals & syllabuses on ICT & cyber security.

Holding workshops to strengthen IT knowledge & cyber security issues for members.