On Thursday February 2 the IRS put out a press release warning schools, hospitals, restaurants, tribal groups and "others" to be on the lookout for sophisticated W-2 phishing scam that has netted crooks millions of dollars and cost employees, in some instances, their jobs. This diverse list of potential targets and "others" is of note because the W-2 phishing scam is growing in reach and effectiveness, hoovering up a larger and more diverse group of victims. Discovered in 2016, the W-2 scam is particularly dangerous because it is a blended attack that targets employees with authority to do two things: release employees’ W-2 tax information in bulk and/or conduct wire transfers on behalf of their employers. Wire transfer scams are called business email compromise (BEC) scams and are carried out using similar means to the W-2 hacks.
Part II – Identity
As the business world continues to embrace cloud and mobile technologies, and any semblance of a secure network perimeter is being obliterated, it is imperative for cyber security pros to focus their efforts on the technologies and techniques that will have the greatest impact in the shortest amount of time for the greatest number of users. This is why focusing on identity management is increasingly seen as a sound cyber security practice. In a perimeter-less world, if you can know what people are doing on the network and can limit that activity and their access based on roles or other privileges, you will be far more able to thwart a cyberattack before it gets out of hand or even gets started. According to one highly placed security industry CTO, "If you could achieve that guarantee at all times, your problems would more-or-less be solved. And identity is foundational in that regard."
Part I – Visibility
As has been made abundantly clear by the 2016 presidential election, hacking has entered new territory. This land grab shouldn't come as a surprise to anyone responsible for cyber security but, if it does, what they need to realize is cyber security today is about a lot more than protecting a few credit card numbers. Thankfully, the seriousness of countering these bad actors is finally getting the Board Room notice it deserves. So now that a beachhead in the battle for basic awareness is finally being established, the focus can shift to mounting an effective counter-offensive? We use this term deliberately. Up until the past few years, most cyber security measures have been defensive in nature: firewalls, IDS/IPS, anti-virus, monitoring, alterting, etc. According to analyst Zeus Kerravala writing NetworkWorld, the average company deploys security products from 32 different vendors.
In the good old days when shadow IT was just a piece of hardware or a few lines of borrowed code, CIOs
could expect their networks and infrastructures to be reasonably well-protected from all but the most determined foes.
Ever since Amazon jump-started the industry in 2006, companies have been moving workloads to the cloud in droves. And for good reason: cloud frees up tech resources for more business-facing activities, shifts spending from big dollar CapEx to more predictable OpEx, relieves the business of the burden of purchasing, provisioning, and maintaining costly infrastructure and software licenses … and on down the line.
It was not too long ago that e-mail scams were laughably easy to spot: the Nigerian prince scam, for example. These early attempts at getting victims to part with their money were transparent and amateuristic. Today, however, these thieves have learned a thing or two and are now using simultaneous attacks to fool busy executives into becoming unwitting accomplices.
Historically, cybersecurity has been about higher walls and wider moats but this strategy no longer works. There is no better evidence than the constant barrage of massive data breaches and other cyberattacks like ransomware exploits, making headlines month after month. And that doesn't even touch the data breaches that go unreported or that involve intellectual property (IP).
In the early days of the Internet, hackers hacked for fun and to show off how smart they were. Remember the movie War Games? A lot has changed since a young Matthew Broderick was asked "Would you like to play a game?" by a DOD computer, almost setting off World War III.
Cybercrime is no longer an IT problem, it's a business imperative and CEOs and boards of directors are finally starting to take notice. "Increasing threats to corporate information systems, critical infrastructures, and intellectual property—as well as compliance risks, liability concerns, and the potential for reputational damage or lost business—continue to make cybersecurity a top priority in the boardroom and the C-suite," says the National Association of Corporate Directors.
When the internet of things (IoT) arrives in force it will be two things: a boon for scientists, analysts, and anyone else interested in making things run better, faster, cheaper and, potentially, a security nightmare for everyone else.