Cybersecurity expert helps curb fraud by first stealing information, then making companies more savvy
NATIONAL — In a recent speech at Cosentry's Nebraska Security Summit in Omaha, cybersecurity expert Jim Stickley's topic was Fraud: The New F Word.
Stickley, CEO of Stickley on Security, spoke with JustGOODNews.biz about his work fighting cyber crimes, and ways that individuals and businesses can work to protect their information in an age when criminals are infiltrating sensitive data to commit fraud.
He has more than 20 years' experience stealing information from corporations and individuals. But Stickley is no criminal. He uses his clandestine findings to help curb identity fraud and data theft.
Your topic was Fraud: The New F Word. Tell me about why it is the new F word, when computer fraud and cyber crime has been around for quite some time.
While fraud has been around for years, the ease and increased frequency with which we are seeing organizations fall victim is the reason it has become the new F-Word. In the past, the majority of organizations assumed that they were safe because they either were not that big or they were not the typical target for cyber criminals. However, now organizations realize there are no longer any limits to who will be attacked. If your organization handles confidential information and/or banking transactions, you now have to assume you are just as likely a target as a company ten times larger than you.
Are criminals getting smarter, or are companies and individuals simply less vigilant or uninformed as to cyber threats?
I believe those kind of go hand in hand. As criminals become more sophisticated, they continue to design and discover new attack strategies. In many cases these are built around vulnerabilities in software, but in other cases it is nothing more than simple social engineering where they trick their victims by providing publicly accessible information. In the meantime you have both employees and the general public who rarely are keeping up to speed as the criminals evolve. Then on top of that you still have a large percentage of the general public that have the opinion that it would be highly unlikely that a criminal would target them personally. What people fail to realize is that it's extremely rare that any criminal picks a specific target. The vast majority of cyber crimes start with more of a shotgun approach. For example, criminals will send out a malicious email to thousands of people. Then they just wait to see who falls victim. Once they have access to the computers of those victims they then figure out what they can do with that access.
Don’t most large companies and banks have people working around the clock to fight these sorts of attacks?
Large organizations definitely have people, but smaller organizations, including many banks and credit unions, don't have the budget for a large security staff, so instead they will have one person who may be responsible for not only the security of the organization but also for installing software, keeping desktops running, fixing the printer, etc. Sadly, the reality is that even the large organizations with full-time security staff still experience security breaches. Sony, Target, the U.S. government, you can assume all of them had dedicated security personnel and yet they have all been compromised. The primary reason criminals continue to have success is because they are targeting the employees of the organizations. You can have all the latest and greatest technology with some of the most sophisticated security solutions in the world, but if an employee ends up making a mistake and unknowingly gives a criminal access, often all that security is bypassed. This is why most of the major breaches you have read about have all started with an employee falling victim to a malicious email.
What is one of the biggest mistakes companies/organizations make that leaves them vulnerable to attack?
Far too much access on the Internet. Most organizations will implement some level of filter to block sites such as porn, but for the most part they have left web browsing open. In addition, they give the vast majority of their employees access to email. The problem is that all it takes is for an employee to open a malicious attachment, or click on a malicious link, and suddenly their computer is compromised. In turn, that now means the network that the computer is on is also now compromised. It's no longer the '90s and companies need to begin to adjust how they grant Internet access. Most employees don't need any access to external email, only internal, so why not just set them up that way and eliminate the external threat. The same goes for web browsing / Internet access. Companies should find out what their employees need access to and then set rules to just allow those sites. By just addressing email and web access, organizations could eliminate what makes up about 90% of all cyber breaches.
Are more cyber attacks domestic, or do many come from outside of the United States?
I don’t have statistics on this, but I believe the vast majority comes from outside the United States.
I, personally, have been the victim of identity theft and fraud, as have many of us. The issues were ultimately resolved and didn’t cost me a dime. What effect does this have on banks and organizations that must protect consumers while also facing losses due to fraud?
To your point: when all was said and done you didn't have to pay a dime, and yet somewhere someone is paying, and ultimately it ends up costing all of us. Financial institutions maintain fraud policies but these either have a huge deductible or else have a huge cost. In either case, these costs to the financial institutions continue to go up each year. Organizations are also beginning to invest in cyber security policies but still end up losing vast amounts of money due to fraud. Of course everyone is in business to make a profit, which means if they anticipate losing X amount, they are going to make that amount back up through the market by increasing prices, which ultimately comes back to us. So while you may not have paid a dime for the identity theft committed against you personally, I assure you that you have paid plenty in increased prices over the years from organizations that are dealing with fraud.
What led you to this field of expertise?
I guess you can say that when I was a kid I was very curious and it turned out I had a knack for computers and discovering vulnerabilities in code. (No, I don't have a criminal record.) In addition, I found that I could talk my way into just about anything, so in my teens I never paid for movies, or to go to Sea World or Disneyland or really anything where I could just talk to someone. So I got somewhat of a reputation, and by the time I was in my early 20s, I was being hired to test the security of organizations by either hacking in via the Internet or else physically breaking in through social engineering.
How have you seen the industry evolve over the past 20 years?
It's such a different world, I can't even begin to write down all of the changes, but the past five years have seen the truly biggest changes. Now everyone and everything is connected. That means the security risks and ramifications are higher than they have ever been before.
I picture your life is like Robert Redford’s character in the 1992 film “Sneakers” (without the criminal past). Is your work exciting and filled with intrigue?
There is no doubt that when I am breaking into an organization it’s pretty surreal. Even after all of these years, there is still a definite rush. That said, unfortunately I spend far more time researching and developing in order to pull off those heists. Unlike in the movies, hacking rarely takes just a few seconds, and the sad reality is that I spend far more time sitting at my computer conducting research and developing software to pull off the next big heist. Of course when it all comes together and I physically breach a facility, gain access to an area I was told was impossible and walk out with an item I was assured could not be touched, I can’t help but smile.
Image and video courtesy of Jim Stickley