Finding The Hidden InfoSec Story

Cybersecurity: Avoiding the Scavenger Hunt



Reading the National Cyber Security Centre (NCSC)’s publication on understanding the online business model for Cyber Crime reminded me of the many sunny Sunday afternoons as a dog handler, at RAF Brize Norton.  As part of the “work hard, play hard” ethos of the early 1990s, team-bonding became an integral part of the job and, hence, the members of the dog section would come together most Sundays for a game of ‘Scavenger Hunt’.

The Hunt

There would be an appointed ‘Team Leader’ who would set the rules of the game (extent of the hunt, cut-off timings, etc.) and issue a list of target assets that needed to be found.  Each asset was assigned a score based upon the value and predicted difficulty of access.

The participants would then divide themselves into teams:

The Coder.  That member of the team that could decipher new and innovative ideas for maximising the potential for accessing the listed assets.  Often this was the driver of the vehicle, who would work closely with the Network Administrator to navigate their way through the environment.

The Network Administrator.  The expert navigator in the team, who had extensive knowledge of the environment and who could provide the most effective directions (short cuts) to maximise the time available to them.

The Intrusion Specialist.  That member of the team, who was quick, agile and ready to deploy from the vehicle, as soon as an opportunity presented itself, to intercept an exploitable target item.

The Data Miner.  The person armed with the target list, a pen and extensive ideas of where the team might find the target assets, located within the specified geographic area.

The Money Specialist.  The ideas person who could help the team to understand the value of the target assets, maximising the time available to them.  For example, working with the team to evaluate whether it would be more beneficial to pursue 10 low value (1 point) items, over 1 high value (10 point) item.

Having created their teams, the hunt would begin as the teams spread out far and wide, rushing around the countryside, desperately trying to gather as many treasures as they could, in the time allocated to them.  Each team would need to ensure that they managed to gather as many items as they could and return their haul back to the ‘Team Leader’, before they ran out of time.  Of course, whilst the team had been out vigorously harvesting the countryside, the ‘Team Leader’ had been preparing the teams’ rewards – frequently a BBQ, alcohol and endless games of volleyball (of course!).

Alongside the various team structures, there was also the odd ‘Lone Wolf’ who wanted to participate in the hunt but still wanted to take the opportunity of going out alone, armed only with their CBR 600, the target list and their enthusiasm.  It was extremely rare for these competitors to better the efforts of the teams, but they still thoroughly enjoyed the thrill, excitement and invigoration of the hunt.

Conclusion

Of course, we only did this for the pleasure of the hunt and to improve morale.  More than 20 years later, we see daily reporting of organisations becoming victims of the opportunist ‘Scavengers’ (be it the Organised Criminal Gangs or the Lone Wolf).

However, today’s cyber ‘scavengers’ are not attracted by the lure of ‘Team-Building’, BBQs, alcohol and volleyball, but by the thrill of the hunt combined with the potential financial reward that can be gained from their target lists.

Consequently, as more and more people share their data online, with companies or through mobile devices, the hunting ground of the cyber scavengers is ever widening and the number of victims of credit card fraud and identity theft continues to grow.

With effect from 25 May 2018, the European Union (EU) is hoping to curb the potential rewards for these scavengers through the implementation of more rigorous personal data protection laws (the EU General Data Protection Regulation (GDPR)).  A critical element of this new legislation is for companies to look at their own environments and to create their own scavenger list, where each item of personal data is identified, listed (inventoried) and given a score.  The results of these will then form the basis of the Data Privacy Impact Assessments (DPIAs).

  • Value
  • Quantity

Once organisations have carried out their DPIAs, they will be better placed to mitigate the risks posed by today’s cyber scavengers. Imagine how difficult it would be if the information that identified or distinguished an individual (e.g. name, National Insurance number, date and place of birth, mother’s maiden name, or biometric records, etc.; higher (8-10) pointers), or linkable data (e.g. medical, educational, financial, and employment information; moderate to high (6-8) pointers), were isolated from each other, kept under lock and key (during aggregated storage) and only made available to those who had a legitimate need to access, for time-bound durations.

Much like the hunts of the 1990s, we (the scavengers) would collect data from wherever it may have presented itself, to gather as many items as we could from our treasures list.  For example, (hypothetically) I’m sure that if those garden gnomes’ owners had known that these were on a treasures list, they might have restricted the times when they put them out into their gardens, or even cemented them down.

 

Author: Jim Seaman
