The Customer Threat



For Cyber Security Awareness Month, we’re taking a closer look at cybercrime, and what organizations can do about it. To address cybercrime, you need both prevention and detection. That’s an obvious-sounding platitude, and although it’s true, on its own it isn’t as helpful as it could be.

The biggest problem when it comes to detection is that skilled attackers will look exactly like authorized users. That may be either because they’re good at impersonating them, or because they are them. It will fall on you to be able to tell whether it’s the wrong person doing the right things, or the right person doing the wrong things.

Many of the strategies you can use to do this involve assuming that your users are well known and static—they will always be using a known device, coming from a known IP address or geolocation, and doing the same things with your applications and systems. This assumption holds up if you have a relatively locked-down workforce of enterprise users whom you can profile and monitor, and whom you can restrict to known functions. It doesn’t work as well for administrators, who may need to do anything and everything—including changing software on the fly—and who could be called upon to do it at any time (and possibly in a hurry). But you should know who’s on your team and have vetted them before hiring.

Beyond that, customers are the biggest threat to the enterprise. They don’t get vetted the way that employees do; you can’t force them through awareness training; you can’t control what devices they’re using; and they are very happy to take their business elsewhere (and complain about you on social media) if you make life inconvenient for them. Some customers also commit fraud, so it’s not just a matter of making sure the person logging into the account is the same one who originally registered. They could be thoroughly identified and authenticated, and still be an attacker. 
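The “known and static user” strategy above, and its two weak spots (administrators whose legitimate actions vary, and customers who arrive with no history), can be shown concretely. The following is an added example, not code from the original post or from RSA Conference: it builds a per-user baseline of devices, countries and actions from a constructed event history, then scores new events against that baseline. The weights, thresholds, role names and event records are all assumptions chosen for illustration.

```python
"""Baseline-profile scoring for login/activity events (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    user: str
    role: str      # assumed roles: "employee", "admin" or "customer"
    device: str    # device fingerprint or agent identifier
    country: str   # geolocation derived from the source address
    action: str    # what the user did in the application


# Constructed history: what "normal" looked like for each known user.
HISTORY = [
    Event("alice", "employee", "laptop-a1", "US", "view_invoice"),
    Event("alice", "employee", "laptop-a1", "US", "approve_invoice"),
    Event("alice", "employee", "phone-a2", "US", "view_invoice"),
    Event("root-ops", "admin", "jump-host", "US", "deploy_service"),
    Event("root-ops", "admin", "jump-host", "DE", "restart_service"),
]

# Assumed weights: a never-seen action is treated as more suspicious than a
# new device or location, because it is the "right person, wrong things" case.
WEIGHTS = {"device": 2, "country": 2, "action": 3}


def build_profiles(events):
    """Collect the set of known devices, countries and actions per user."""
    profiles = defaultdict(lambda: {"devices": set(), "countries": set(), "actions": set()})
    for e in events:
        p = profiles[e.user]
        p["devices"].add(e.device)
        p["countries"].add(e.country)
        p["actions"].add(e.action)
    return dict(profiles)


def score_event(event, profiles):
    """Return (score, reasons); score is None when the user has no baseline at all."""
    if event.user not in profiles:
        # A first-time customer: nothing to compare against, so the profile
        # strategy gives no signal and other controls must carry the decision.
        return None, ["no baseline: first contact with this user"]
    p = profiles[event.user]
    score, reasons = 0, []
    if event.device not in p["devices"]:
        score += WEIGHTS["device"]
        reasons.append("unknown device")
    if event.country not in p["countries"]:
        score += WEIGHTS["country"]
        reasons.append("unknown country")
    if event.action not in p["actions"]:
        if event.role == "admin":
            # Admins legitimately do new things; record it but do not score it,
            # so the device/location checks still carry the signal for them.
            reasons.append("new action (admin role: noted, not scored)")
        else:
            score += WEIGHTS["action"]
            reasons.append("unknown action")
    return score, reasons


def triage(event, profiles, threshold=3):
    """Map a score to a disposition: 'ok', 'review' or 'no-baseline'."""
    score, _ = score_event(event, profiles)
    if score is None:
        return "no-baseline"
    return "review" if score >= threshold else "ok"


if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    samples = [
        Event("alice", "employee", "kiosk-x9", "BR", "view_invoice"),       # wrong person, right things
        Event("alice", "employee", "laptop-a1", "US", "export_customers"),  # right person, wrong things
        Event("root-ops", "admin", "jump-host", "US", "rotate_keys"),       # admin doing something new
        Event("mallory", "customer", "phone-m1", "US", "checkout"),         # customer with no history
    ]
    for ev in samples:
        print(ev.user, triage(ev, profiles), score_event(ev, profiles)[1])
```

The interesting cases are the ones the post calls out: an employee whose device and country both change scores 4 and is flagged even though the action is routine, a known device doing a never-seen action scores 3 and is also flagged, an administrator trying a new action from the usual jump host scores 0, and a first-time customer returns “no-baseline” rather than a false sense of safety.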

You know nothing about customers except what they tell you coming in. If they’re not lying, you might be able to create a profile of them by acquiring data from third parties. But this practice starts to make people nervous, particularly if you’re using data that isn’t relevant to your business with them. When I was working on authentication for an online driver’s exam, someone suggested using a service that pulled up the user’s credit history. I decided that was too creepy and rejected it. But this is where conflict can start: between the organization’s need to protect itself, and the customer’s right to privacy to the extent that it doesn’t impede making a business transaction.

Because cybercrime happens online, where everyone and everything is reduced to ones and zeros, there are fewer clues to go on than in the real world. Either you have to find out more about your customer than they’re used to revealing, or you have to restrict what they can do—which is pretty much the opposite of innovation. As new forms of payment and monetization are rolled out, such as online gift cards and rewards programs, criminals quickly figure out how to exploit them. And the built-in automation that allows customers to be served at scale allows fraudsters to scale their work, too.

To detect and prevent cybercrime, it’s easy to encourage enterprises to circle the wagons and block “bad traffic.” But for those organizations whose mission is to interact with the outside world, such as government agencies that have to serve citizens, or retailers that must grow their business, security through more restriction is not a valid option. When those organizations are running scared, it’s even worse. According to a recent New York Times article on security at Yahoo!, CEO Marissa Mayer resisted implementing a password reset of user accounts because she was afraid it would drive more email users away.

We need better answers to these security threats than “just do X,” and we also need to find a way to detect the wolves in sheep’s clothing without violating sheep privacy. The biggest challenges in cybersecurity are still waiting to be solved.

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
