Why You Need Cybersecurity

Written by Christopher Myers

Ransomware, trojans, rootkits, spyware, worms, and viruses. Depending on your experience with Information Technology, these words likely either sound completely benign, a normality, or nouns out of a techno-thriller novel. Very little of the population has a good grasp of what any of these types of malware are, let alone how prevalent they are and the damage they can and have caused. Are individuals and organizations actually at risk of suffering a cyberattack, and what kind of damage can a cyberattack actually accomplish? The core question that the below paragraphs attempt to answer is: why should I care about cybersecurity?

Information Technology is arguably the industry that the largest amount of the human population interacts with on a daily basis, with almost no understanding of how it was built or how it operates (my personal belief is that the other is roads… after all, very few citizens actually understand the difference between an HMA overlay and chipseal project). One of the greatest challenges to defending against these threats is the fact that there are simply not enough employees with knowledge and experience in the cybersecurity industry. According to the Center for Strategic and International Studies, in 2019 there were a total of 716,000 cybersecurity roles in the United States of America’s workforce, and there were 314,000 positions that still needed to be filled.1

This means that in the US, arguably the most technically advanced nation in the world, businesses altogether weren’t even able to fill 70% of their needed cybersecurity roles. Imagine a fast food restaurant operating with only 70% of its staff during the lunch rush, or even more appropriately: a hospital operating with only 70% of its staff during a local emergency. But when cybersecurity comes up, most people are quick to ask whether they should even be concerned about being affected by malware.

Many Americans believe that they are far removed from the world of cyberspace. 56% of America’s small business owners say they are not concerned about being targeted by a cyberattack, and only 28% report that they have a plan in place for how to respond to a one.2 If that many are unconcerned, then surely this supposed threat isn’t truly as disconcerting as it sounds, right? In a near direct refutation, Verizon’s 2019 Data Breach Report shows that small businesses are the number one target for criminals, representing 43% of all data breaches.3

Verizon’s report speaks to small businesses though, so what about the danger to the average American household? Well, the Cybersecurity & Infrastructure Security Agency shows that a third of homes with computers are infected with malware, and that 47% of American adults have had their personal information exposed to cyber criminals.4 People may be surprised to find that the 47% isn’t even heavily weighted down with elderly Americans falling susceptible to cyber crimes at a higher rate than the rest of the population. In fact, while Millennials may believe themselves to be safer and more tech savvy, CISA shows that 44% of Millennials have been victims of an online crime just within the last year.5

Nearly every American has a chance of falling prey to a cyberattack, as nearly every single American is connected to and utilizing Information Technology on a daily basis. Pew reported that in 2021, 97% of Americans owned a cellphone, and 85% of Americans owned a smartphone.6 The American Community Survey Reports noted in 2016 that 77% of households had at least a desktop or laptop computer.7

Each and every one of these devices can be infected with malware. There are currently over 210,000 active computer vulnerabilities that are known to the National Institute of Standards and Technology, more than at any other time in human history.8 These vulnerabilities could arrive in widespread phishing emails, directed spear phishing emails that appear to be from legitimate organizations, through neighboring infected machines, and through background installation techniques when victims attach devices to what they believe are only USB power outlets.

If at this point you now believe that you could plausibly fall victim to a cyberattack, your next question is likely: what kind of damage can one actually achieve? The FBI reported that in 2022 alone, $10.3 billion was lost because of cyberattacks.9 The Hiscox Cyber Readiness Report noted in 2019 that small businesses lost on average $200,000 when they fell victim to malware.10 Considering that the average small business is self-financed with the average loan totaling around $417,316, and that the median income for self-employed entrepreneurs is just over $51,000 a year, a single cyberattack can directly lead to small business failure.11 A multitude of headlines in today’s media offer viewers actual scenarios that have led to substantial losses due to cyberattacks aimed at both individuals and organizations. An example of just a few of the headlines in 2023: “Woman loses $29K after being targeted by banking scam with victims in 9 states,” “‘Everything we had was gone’: Small business owner says he lost nearly $200,000 to wire transfer fraud,” and “He lost $340,000 to a crypto scam. Such cases are on the rise.”12,13,14 Falling prey to a cyberattack isn’t just a possibility, but a high probability in today’s environment.

The average computer-user may understand how viruses and worms work, and may even understand rootkits and ransomware, but very few understand the extent of information that today’s malware can gather. Gone are the days of annoying pop-ups and simple adware being the average user’s greatest concern. They still exist, but tend to be eliminated quickly with the right software and cyber hygiene. Today’s cyberattacks are much more invasive, quickly gathering passwords and financial information from the victim. These types of malware also often avoid antivirus and firewalls by utilizing unique exploits or unawareness on the part of the user. These cyberattacks don’t purely come from criminals either, but also originate from state-sponsored attacks out of nation states like Russia, China, and North Korea. For interested readers, below are two examples of how exactly some of these types of malware collect and exfiltrate sensitive data.

Many mobile phone users believe their device’s camera to only function when the camera application is in-use, but Indiana University has shown otherwise. Indiana University’s School of Informatics and Computer, in collaboration with Crane Naval Surface Warfare Center, provided a proof-of-concept for a Trojan malware that collected enough data about a user’s environment to build a three dimensional model of that space. Once it has infected a user’s mobile device, the PlaceRaider malware uses that device’s camera, in conjunction with the device’s acceleration and orientation data, to capture photos of that user’s surroundings whenever the device is in an opportune position to gather this data.15 For example, Alice could be working from home, with sensitive personal and organizational financial documents spread out across her desk. If Alice’s personal mobile device is infected with PlaceRaider, then as soon as she picks it up to answer a call, text a friend, or browse the internet, the malware detects the movement of the phone and begins taking photos. Because PlaceRaider runs in the background, there is no point when Alice is informed that photos are being taken, and her camera application does not at any point appear to be active. The transmission of information is also accomplished in the background, with every photo compressed and sent to the attacker over the target’s own Wi-Fi network. This kind of malware can provide an actor with not just sensitive financial data, but an entire three dimensional rendering of the target’s office and private residence.

In another case, Indiana University Bloomington, in collaboration with the City University of Hong Kong, provided evidence of how sensitive audio can be targeted and transmitted to adversaries, providing banking account numbers, credit card numbers, social security numbers, and user passwords. The malware that they utilized, called Soundcomber, was able to discover sensitive user data by gathering and then parsing audio recordings that it collected over time.16 Soundcomber masqueraded within normal Android applications that a user would download to use as a common memorandum assistant or voice dialer, each of which would request the normal use of the user’s microphone. Soundcomber then collected sensitive data by observing and then determining a baseline to gauge a user’s conversation, dial tones, and if the user is communicating with an interactive voice response program. Whenever the user dialed a number, Soundcomber would determine what number was being called, simply by listening to the audio of the numbers that the user was pressing. During a conversation, it would then listen for a series of numbers, as well as specific repetitive audio patterns, which it would then transmit to an adversary without the user ever aware of the attack. This process helped to minimize the chance of detection, with Soundcomber using minimal processing power and battery, as well as insignificant networking bandwidth since it would parse through and send only sensitive data, instead of all of the possible audio that it could feasibly record.

These cases, as well as the current statistics on how widespread cyberattacks truly are, should give readers pause, and hopefully encourage education and additional awareness into cyber hygiene. Ransomware, trojans, rootkits, spyware, worms, and viruses shouldn’t be unfamiliar terms to any mobile device or computer user, as they are prevalent in today’s society. The first step you can take to combat these attacks is to understand your own vulnerability to them, and if you’ve made it this far into the article, then I have faith that you at least have a greater understanding of that vulnerability.

Two key articles (Protecting Your IT and Preparing for Cyber Disasters) are currently available on Aquilitz Technology detailing what actions users can take to minimize the chance (and the damage) of a cyberattack, but readers should feel free to review the current guidance that CISA and NIST have available on their websites, as they are the two US government organizations that have the most up-to-date and extensive cybersecurity resources. Always remember that even if you fall victim to a cyberattack, that you are not alone in responding to one.

References:

  1. Lewis, J. A., & Crumpler, W. (2019, January 29). The Cybersecurity Workforce Gap. Center for Strategic and International Studies. https://www.csis.org/analysis/cybersecurity-workforce-gap
  2. Rosenbaum, E. (2021, August 10). Main street overconfidence: America’s small businesses aren’t worried about hacking. CNBC. https://www.cnbc.com/2021/08/10/main-street-overconfidence-small-businesses-dont-worry-about-hacking.html
  3. Verizon. (2019). (rep.). 2019 Data Breach Investigations Report.
  4. The Facts. Cybersecurity and Infrastructure Security Agency CISA. (n.d.). https://www.cisa.gov/be-cyber-smart/facts
  5. Ibid.
  6. Pew Research Center. (2023, May 11). Mobile fact sheet. Pew Research Center: Internet, Science & Tech. https://www.pewresearch.org/internet/fact-sheet/mobile/
  7. Computer and internet use in the United States: 2018 – Census.gov; United States: 2016. American Community Survey Reports. (2018, August). https://www.census.gov/content/dam/Census/library/publications/2021/acs/acs-49.pdf
  8. National Vulnerability Database. National Institute of Standards and Technology. (n.d.). https://nvd.nist.gov/vuln
  9. FBI. (2023, March 22). Internet crime complaint center releases 2022 statistics. FBI. https://www.fbi.gov/contact-us/field-offices/springfield/news/internet-crime-complaint-center-releases-2022-statistics
  10. Hiscox. (2019, April). Hiscox Cyber Readiness Report 2019. https://www.hiscox.com/documents/2019-Hiscox-Cyber-Readiness-Report.pdf
  11. Small business statistics. Chamber of Commerce. (2023, February 15). https://www.chamberofcommerce.org/small-business-statistics/
  12. Jones, J. (2023, February 28). Woman loses $29K after being targeted by banking scam with victims in 9 States. KIRO 7 News Seattle. https://www.kiro7.com/news/local/woman-loses-29k-after-being-targeted-by-banking-scam-with-victims-9-states/5HQLWY5DCVGBNEVGGKXGU6XHZU/
  13. Newberry, B. (2023, March 17). “everything we had was gone”: Small business owner says he lost nearly $200,000 to wire transfer fraud. KPRC. https://www.click2houston.com/news/local/2023/03/17/everything-we-had-was-gone-small-business-owner-says-he-lost-nearly-200000-to-wire-transfer-fraud/
  14. Allyn, B. (2023, June 25). He lost $340,000 to a crypto scam. such cases are on the rise. NPR. https://www.npr.org/2023/06/25/1180256165/crypto-scam-senior-victims-spirebit
  15. Templeman, R., Rahman, Z., Crandall, D., & Kapadi, A. (2012). (rep.). PlaceRaider: Virtual Theft in Physical Spaces with Smartphones. Bloomington,, IN: Indiana University.
  16. Schlegel, R., Zhang, K., Zhou, X., Intwala, M., Kapadia, A., & Wang, X. (2011). (rep.). Soundcomber: A Stealthy and Context-Aware Sound Trojan for Smartphones. Bloomington, IN: Indiana University.

Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.