This article is posted with permission from Sophicity’s CitySmart blog and shares non-technical, municipal-relevant insights about critical technology issues, focusing on how technology reduces costs, helps better serve citizens, and lessens cybersecurity risks. Sophicity is solely responsible for the article’s content.
In April 2018, Bromium released a report, Into the Web of Profit, that noted cybercrime is now a $1.5 trillion criminal industry. By comparison, the GDP of Russia is just slightly higher than $1.5 trillion. Security Intelligence quotes Bromium CEO Gregory Webb who says:
“The platform criminality model is productizing malware and making cybercrime as easy as shopping online. Not only is it easy to access cybercriminal tools, services and expertise: it means enterprises and governments alike are going to see more sophisticated, costly and disruptive attacks as the web of profit continues to gain momentum.”
Why should cities care? This massive amount of money made at the expense of victims around the world is a wakeup call to cities in five key ways.
1. Hackers are not adolescents in a basement.
People hacking cities are often part of highly sophisticated organized crime rings. Quoted in Information Age, Dr. Michael McGuire (the lead researcher of the Bromium report) says that cybercrime is “a hyper-connected range of economic agents, economic relationships and other factors now capable of generating, supporting, and maintaining criminal revenues at an unprecedented scale.”
These criminals are targeting your cities with tactics ranging from spear phishing (imitating key decision makers at your city) to ransomware.
2. Usernames, passwords, and other sensitive information are regularly sold on the dark web.
A recent report noted “a 135% year-over-year increase in financial data for sale on dark web black markets between the first half of 2017 and the first half of 2018, and it saw a 149% spike in the amount of credit card information for sale on black markets over the past 18 months…” A McAfee report (summarized in Digital Trends) says, “When [...] login credentials are weak, hackers can use brute force attacks to gain the username and password for each [Microsoft Remote Desktop Protocol (RDP)] connection. McAfee found connections up for sale across various RDP shops on the dark web ranging between a mere 15 to a staggering 40,000 connections.”
These are just two examples of many reports that indicate how usernames, passwords, financial data, and other information sell on the dark web—often cheaply. Criminals use this information to steal your money or weaponize it for further attacks. An entire economy exists on the dark web that facilitates the buying and selling of such information.
3. Criminals exploit your security vulnerabilities.
Criminals know that most organizations don’t patch and update their software. Computer Weekly said, “Only 16% of companies investigated are clear of software vulnerabilities that external cyber attackers could use to gain access to their IT systems, a study by security firm Rapid 7 has found.”
Cities lag behind even most businesses when it comes to “cyber hygiene” such as patching and updating software. Some cities use software that can be over 10 years old (an eternity in technology time) and is no longer supported by the original vendor. That means security patches and fixes often aren’t being applied, leaving your software incredibly vulnerable to hackers.
4. Criminals take advantage of your employees.
If your employees aren’t cyber-savvy, then hackers will easily take advantage of them. Some examples include:
- Your employee gets tricked by a fake PDF attachment that actually downloads ransomware and infects all of your systems.
- Your employee gets an email saying that they need to change their banking password. They click on the website link and end up downloading malware to your systems.
- Your employee gets tricked by a fake Word document that seems to come from the city manager and ends up downloading a virus that infects your servers.
- Your employee gives away your city’s banking information over email to a phisher posing as the city manager.
- Your employee gives away their username and password over the phone to a hacker posing as an IT vendor.
Without training and constant reminders about cyber awareness, your employees will become the weak link in your security—even if you’re doing well with your technical security. Training will help your employees spot email scams (such as phishing, spear phishing, and whaling), phone scams (vishing), and in-person scams.
5. Criminals take advantage of weak passwords.
Every year, SplashData publishes a list of the worst passwords actually used by organizations, mostly in North America and Western Europe. In 2017, the top five worst passwords were:
Other bad, commonly used passwords include “admin,” “starwars,” and (yes) “trustno1.”
Think about it. Sophisticated criminals aren’t hacking into your servers and computers and then spending time guessing your password. They are using automated software that cracks passwords for them. Easy passwords crack so quickly that getting into your systems will seem like a joke. Passphrases, complex passwords, two-factor authentication, and other password best practices can help prevent criminals from easily gaining access to your sensitive and confidential information.
Cybercriminals are not playing games. Over a trillion dollars is the reward. They are after your money and data. The question is: Are you going to support their efforts with your weak security? Or will you invest in the right security to encourage them to pass you over?