Fraud and its Link to Confidentiality, Integrity and Availability
By José Felipe Garcia Vivanco | Wed, 09/07/2022 - 11:00
When we think about cybersecurity today and its foundations, we have in mind the "CIA" triad as the fundamental component for understanding it: Confidentiality, Integrity and Availability. The model has held up for years and has not needed an update, because it is generic enough to apply to every industry and to most of the situations we encounter. What it does not address explicitly is fraud, and how fraud maps onto each component of the triad.
If we look at the incidents of recent years, many of them have a link to fraud or to one of its variants.
How does fraud relate to the triad? Let's start with Confidentiality, which covers the controls that protect information from unauthorized disclosure. In recent years, we have all heard of data leaks at various companies in which the data ended up exposed or offered for sale. In most of these cases the data is sold for amounts that vary with its quality, but the key point is that the information was not protected properly and ended up in the wrong hands.
A breach of this kind gives fraudsters the raw material to gather more data on their targets for their own enrichment, and then to move straight to a social engineering interaction, which can have a range of outcomes. This leads us to Integrity, which can be defined as ensuring that the data and systems we manage are not modified or deleted by unauthorized personnel or outside the established business processes.
On Integrity, we have heard of incidents at companies where data was not properly protected in transit during an operation, and transactions were altered, creating inconsistencies in the operation or harming the company, a client or a third party.
Finally, we have Availability, which refers to keeping information and systems accessible to authorized parties when they need them. We have heard of incidents in which a company's or a government's website was taken down, or customer service channels were knocked offline, leading to service outages. In some cases, this kind of action is the opening move of a more complex scheme: the outage is a distraction while the fraudsters steal data, manipulate systems or disrupt the full functionality of the company's most critical systems.
Seen this way, the risk sits close to each of the Confidentiality, Integrity and Availability components of the triad, and now more than ever we see the results in the news. The fraud element is increasingly evident and tangible as scammers look for higher-quality data to monetize, or go as far as deceiving people and companies directly. To that end, let's look at some data that gives a deeper view of the impact of fraud on the global cyber environment.
The European Union Agency for Cybersecurity (ENISA) released its Threat Landscape for Ransomware Attacks in July 2022. The numbers are striking and open our eyes to the risks: 62.12 percent of the affected organizations may have come to an agreement to pay the ransom the criminals demanded, so as to recover their data and systems. However, in 94.2 percent of the incidents it is not known whether the company paid, which shows the size of the problem we face. Ten terabytes of data are stolen from organizations each month, and the most alarming figure is that 33 percent of that data contained employee Personally Identifiable Information (PII) and a further 18.3 percent contained other PII.
Ransomware has become the method of choice for taking control of a company's assets and demanding a ransom in exchange for restoring access to the data, and both the asset and the operation involve Confidentiality, Integrity and Availability. Once the actors have locked, encrypted, deleted or stolen the assets with all their content, they can efficiently move on to demanding cryptocurrency to monetize them. The average cost of a ransomware incident to a business has been rising every year. In 2021 it reached almost US$2 million, according to the Sophos State of Ransomware Report. This figure includes the ransom payment plus downtime, administrative time, device and network costs, third parties involved, lost opportunities and other items. The cost will tend to keep rising, and US$2 million should be read as an average: individual ransoms above US$3.2 million are known to have been paid.
Other types of attack also result in fraud or theft. One of the most relevant, according to the 2022 Ponemon Institute report The State of Cybersecurity and Third-Party Remote Access Risk, is credential theft, which the report says was behind almost 54 percent of attacks, far more than ransomware or Distributed Denial of Service attacks. This kind of attack can play out in different ways. The most notable are the rapid sharing of the compromised information the actor gained access to, and accessing records in order to use or alter them. In healthcare, for example, this is a critical risk, since any modification of a patient record can have severe consequences. In the financial industry, alteration of data can include modification of customer data, changes to financial statements, tampering with algorithms and programs and, finally, fraudulent transactions to get at money.
Credential theft is largely preventable, but password management depends first on how each company runs its own controls and improves the overall control environment of the organization and its employees. Personal password managers are still not mainstream, and the way privileged accounts are managed often opens organizations to fraud. One objective for any corporation must be the adoption of password vaults, which support password management and ensure that credentials are protected with additional controls. We must also take responsibility as individuals, because even a free password manager improves our control posture.
For anyone with a basic understanding of risk and control in the cyber environment, revisiting the CIA model is a necessity for improving operations and gaining better control. Fraud is transversal and keeps evolving. It can still look like the fraud we have seen in the movies, but it now has many new faces. What we are seeing are the effects of that evolution, and understanding what we face is the only way to get to the root cause and prevent cyber fraud in the first place.
ENISA, Threat Landscape for Ransomware Attacks, July 2022
Ponemon Institute, The State of Cybersecurity and Third-Party Remote Access Risk, 2022
Sophos, The State of Ransomware 2021