ICFE eNEWS #17-22 - June 12th 2017
In recent years, emphasis on identity theft risk management has begun to give way to cyber-security initiatives. Large-scale data breaches have grown as identity thieves and other abusers of sensitive information have become more sophisticated and used high-tech techniques to exploit weaknesses in hardware and software applications. Beyond data breaches, schemes to utilize access through non-technical individuals have proliferated, resulting in growth in both the number and costliness of
To some extent, it is tempting to "fight fire with fire," and respond to cyber threats exclusively with cyber defenses. In a perfect world, this would seem to make sense. In some cases, that works even in the real world, and an information technology (IT) fix or patch can often overcome a specific cyber security exploit or technical vulnerability.
However, in many other situations, it is the human factor that allows the cyber criminals to implement their exploits. Schemes such as social engineering, phishing, and other manipulations designed to inveigle individuals into launching malware or executable files, or into visiting bogus web sites, are often the means used by cyber criminals. Think of a seemingly innocuous e-mail request to update account information for an active account, with a link to a similar-sounding web site controlled by the cyber criminals; in actuality, that link is the means of capturing the victim's username and password.
In practice, the most successful cyber defense is a thoughtful combination of IT methods and education of employees and others who may have access to sensitive systems and data. One example is the human factor in failing to keep all software programs up to date with important patches to combat perceived and discovered vulnerabilities. Another is the importance of keeping all users up to date on the latest methods used by cyber criminals and identity thieves.
Drilling down another layer, a vital aspect of understanding and avoiding cyber intrusions is learning about the motivations and methods used by identity thieves, since they often overlap with the motives and modalities of cyber criminals. An illustrative list would include access to personal data, medical history and insurance coverage, and financial account information. Exploits that enable the criminals to access and take control of servers and systems are also on the rise. Getting unwary users to facilitate the launch of malware and ransomware also appears to be a technique common to identity thieves and cyber criminals.
It's worth noting that the effectiveness of many of these exploits depends upon the ability of the perpetrator to get the intended victim to open a file or launch a program. Regardless of the illicit objectives, the necessary defenses must include both IT responses and education of the broader organizational population. Without getting all non-IT users to practice good "cyber hygiene," it is unlikely that the cyber defense system will be successful.
As recently reported in InformedMag, one of the most common cyber threats is based on "social engineering," a human-based technique to gather information, commit fraud, or obtain system access. For example, spear phishing, or sending emails that appear to come from a trusted sender in order to obtain confidential information (bank account information, credit card numbers, passwords, etc.), is the most common type of social engineering, accounting for a major portion of such attacks. Another technique is invading the stream of communications via social media, where reports indicate cyber-attacks occur against a significant and growing number of users.
Remember, the internet as a system was not originally intended to serve as a platform for commercial transactions and a system to carry all types of private and personal communications. Essentially, today it's a leaky ship with a fast-growing number of holes, and the patches amount to a crazy-quilt of Band-Aid fixes. Until the entire platform can be separated or replaced with one more suited to the kind of integrated security systems that can assure that human failure is not possible, there will be no end to cyber exploits.
For the time being, both IT solutions and user education must be employed together in order to craft an effective defense against cyber criminals. Coordination of these two approaches can best be accomplished by educating general users to recognize and avoid the methods used by cyber criminals and identity thieves, as well as providing the technical professionals with a solid understanding of the non-technical vulnerabilities involved. In this way, the desired result of fighting cyber-attacks to a standstill is most likely to be successful.
The ICFE's Certified Identity Theft Risk Management Specialist® XV CITRMS® course is now available both in printed format and online.
The Textbook and Desk Reference edition of the course book is also available online. Bulk pricing and discounts for veterans and students available. Inquire at firstname.lastname@example.org
Yan Ross is ICFE's Director of Special Projects, and the author of the Certified Identity Theft Risk Management Specialist ® XV CITRMS® course. As an accredited educator for over 20 years, he has addressed Identity Theft Risk Assessment and management for consumers, organizations holding personally identifiable information, and professionals who work with individuals and organizations who are at risk of falling victim to identity thieves.
Paul S. Richard
President - Executive Director
Institute of Consumer Financial Education (ICFE)
ICFE - Institute of Consumer Financial Education - ICFE.info - 619.239.1401