Thursday, March 24, 2022

FBI 2021 Internet Crime Report Void of Actionable Info, Ignore Occam's Razor

The Federal Bureau of Investigation's (FBI) 2021 Internet Crime Complaint Center (IC3) Internet Crime Report shows a loss of $6.9 billion in Internet-enabled crimes across 847,376 complaints, the highest in the last five years. The top three cyber crimes reported by victims in 2021, by number of complaints, were phishing scams, non-payment/non-delivery scams, and personal data breach.


Victims lost the most money to business email compromise scams, investment fraud, and romance and confidence schemes. Business Email Compromise was the single biggest loss at around $2.4 billion, followed by Investment Scams at about $1.5 billion, Romance and Confidence Scams at close to $1 billion, and Personal Data Breaches at roughly half a billion.




In addition to statistics, the IC3's 2021 Internet Crime Report contains information about the most prevalent internet scams affecting the public and offers guidance for prevention and protection. Just yesterday, the FBI reportedly warned the U.S. energy sector about network scanning activity stemming from multiple Russia-based IP addresses. The activity is believed to be associated with cyber actors "who previously conducted destructive cyber activity against foreign critical infrastructure." According to CBS News, "The FBI has identified 140 overlapping IP addresses linked to 'abnormal scanning' activity of at least five U.S. energy companies, as well as at least 18 other U.S. companies spanning the defense industrial base, financial services, and information technology." According to the FBI assessment, the focus appears to be on entities within the energy sector: "US Energy Sector entities are advised to examine current network traffic for these IP addresses and conduct follow-on investigations if observed."
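The FBI advice above amounts to an indicator sweep: take the listed IP addresses, search existing firewall or flow logs for any connection touching them, and triage what turns up. The following is an added example of that sweep, not code from the FBI, CBS News or this blog. The indicator addresses and the log lines are constructed placeholders (TEST-NET ranges in a generic key=value firewall format); the FBI's actual 140 addresses are not reproduced on this page. It also goes one step beyond the advisory by separating inbound probes (the scanning the FBI describes) from outbound connections initiated by an internal host, which is the case a practitioner should escalate first.

```python
"""Sweep firewall/flow logs for connections involving indicator IP addresses.

Added example. INDICATOR_IPS and SAMPLE_LOG are constructed placeholders,
not the FBI's list and not real traffic.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed placeholder indicators (RFC 5737 documentation ranges).
INDICATOR_IPS = {"198.51.100.23", "198.51.100.77", "203.0.113.9"}

# Constructed sample log: one internal host (10.20.1.5) is probed on several
# ports from one indicator, and another internal host reaches out to a second.
SAMPLE_LOG = """\
2022-03-22T03:14:07Z action=allow src=198.51.100.23 dst=10.20.1.5 dport=22 proto=tcp
2022-03-22T03:14:08Z action=allow src=198.51.100.23 dst=10.20.1.5 dport=443 proto=tcp
2022-03-22T03:14:09Z action=deny src=198.51.100.23 dst=10.20.1.6 dport=3389 proto=tcp
2022-03-22T03:15:00Z action=allow src=10.20.1.40 dst=203.0.113.9 dport=443 proto=tcp
2022-03-22T03:16:00Z action=allow src=10.20.1.41 dst=172.16.8.8 dport=53 proto=udp
2022-03-22T03:17:00Z action=deny src=192.0.2.200 dst=10.20.1.5 dport=502 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_line(line):
    """Parse one key=value firewall line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def match_indicators(log_text, indicators):
    """Return per-indicator counts of inbound/outbound connections, allowed
    connections, destination ports touched and internal hosts involved."""
    # Validate and normalise the indicator list so a malformed entry fails loudly.
    ioc = {str(ipaddress.ip_address(ip)) for ip in indicators}
    hits = defaultdict(lambda: {"inbound": 0, "outbound": 0, "allowed": 0,
                                "ports": set(), "internal_hosts": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["src"] in ioc:            # indicator connecting to us: probe/scan
            h = hits[rec["src"]]
            h["inbound"] += 1
            h["internal_hosts"].add(rec["dst"])
        elif rec["dst"] in ioc:          # internal host reaching the indicator
            h = hits[rec["dst"]]
            h["outbound"] += 1
            h["internal_hosts"].add(rec["src"])
        else:
            continue
        h["ports"].add(rec["dport"])
        if rec["action"] == "allow":
            h["allowed"] += 1
    return dict(hits)


def triage(hits, scan_port_threshold=3):
    """Rank matches: outbound contact outranks inbound scanning, which outranks
    a single stray probe. Returns (ip, severity, reason) tuples sorted by IP."""
    findings = []
    for ip, h in sorted(hits.items()):
        if h["outbound"]:
            sev = "high"
            why = (f"{len(h['internal_hosts'])} internal host(s) initiated "
                   f"{h['outbound']} connection(s) to indicator")
        elif len(h["ports"]) >= scan_port_threshold:
            sev = "medium"
            why = f"inbound probes across {len(h['ports'])} ports ({h['allowed']} allowed)"
        else:
            sev = "low"
            why = f"{h['inbound']} inbound connection(s), {h['allowed']} allowed"
        findings.append((ip, sev, why))
    return findings


if __name__ == "__main__":
    for ip, sev, why in triage(match_indicators(SAMPLE_LOG, INDICATOR_IPS)):
        print(f"{sev:6} {ip:16} {why}")
```

Indicators with no matches (198.51.100.77 here) simply do not appear in the output; when running this against real logs, also confirm the log retention window actually covers the period of interest, or an empty result proves nothing.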



Simultaneously, John Sherman, Department of Defense Chief Information Officer (DoD CIO), has been using the White House's FACT SHEET: Act Now to Protect Against Potential Cyberattacks to warn about potential cyberattacks, which according to the FBI Internet Crime Report predominantly affect seniors 60 years and older.

Both the White House and FBI recommendations read very much like the UK's National Cyber Security Centre's 10 Steps to Cyber Security. Both fail to provide actionable information regarding the number one complaint, Business Email Compromise, and neglect to even mention Occam's Razor.

Ponnurangam Kumaraguru, Steve Sheng, Alessandro Acquisti, Lorrie Faith Cranor and Jason Hong, in their paper Lessons from a real world evaluation of anti-phishing training, published at the 2008 eCrime Researchers Summit, state that "Real world evaluations of anti-phishing training involve classroom and office training as well as training delivered via an online game. Researchers have evaluated the effectiveness of security notices and embedded training in laboratory studies. The idea of sending fake phishing emails to test users' vulnerability has been explored by several groups. Jagatic et al. conducted a study in which they sent phishing emails to Indiana University students that pretended to come from one of their friends (this information was obtained through social networking websites). Ferguson did a two-part study among West Point cadets. In the first phase, cadets were tested for their ability to detect phishing attacks. In the second phase, cadets were given classroom training and lectures about phishing and then tested. Ferguson showed an improvement in the cadets' ability to identify phishing emails after the training."

Besides the FBI and White House suggestions to the Information Technology departments to "just do your job," I would have expected the FBI and/or White House to provide anti-phishing applications and training material. I would add that managers must not only provide training but also hold employees accountable using an appropriate incentive program, such as those usually found in accident prevention programs.



Perhaps the most important omission by the White House and FBI, bordering on malpractice, is that both ignored the Insider Threat. Now consider that, depending on the pundits, 70-90% of organizations have experienced some sort of insider attack; organizations do not like to report such attacks for obvious reasons. A hacktivist is a person who gains unauthorized access to computer files or networks in order to further social or political ends. However, when the computer access is not only allowed but encouraged, it provides motive, means and opportunity, and this is no longer a hacktivist but a partyvist. Means is the expertise government employees acquire through their day-to-day job, through trial and error or education. Motive is associated with their party's ideology. Opportunity is the digital connection for work and play, which is like having the criminal element sitting right next to you in your lounge room. It is ever-present.

The largest employer in the USA is the government, with bloated bureaucracies and anachronistic labor practices which include public unions. These usually wield more power than the elected officials who are supposed to manage the represented government employees; read: it takes an act of Congress to get rid of undesirable employees, such as Dr. #Fauci, for example. Partyvists, like the IRS's Lois Lerner, have motive, means and opportunity to commit any crime, including voter fraud. Yet the FBI and DOJ consistently ignore the Insider Threat and fail to provide any actionable information.

Let's face it, there is a war out there and partyvists are galvanized. Applications and technologies that may carry exploitable vulnerabilities include TikTok, Huawei products and Kerberos. The FBI and DOJ do not show much interest in these and completely ignore partyvists.
