I see a lot of posts, articles, etc... stating that people are surprised by the complexity of a cyber attack or scam. It seems that most people haven't yet learnt that this is a full blown industry targeting countless businesses, institutions and individuals 24/7, not just some script kiddies in their bedroom. There are office blocks full of trained professionals with sophisticated tools working to compromise digital security and manipulate human nature to gain access to accounts, data and funds. Everyone needs to be adopting a form of zero trust or trust but verify to every digital interaction and every use of technology.
As a passive hotel owner and active programmer, I can confirm it's always been the case. In the hotel business, getting customer requests, invoices and refund requests seemingly out of nowhere isn't too uncommon. Receptionists, who have the authority to handle customer cancellations and refunds, but also package/document receipt for them, frequently fall for the slightly more laborious scams, in spite of the safeguards in place.
The phishing emails we get at my software dev job for security certification and pen testing pale in comparison to the actual effort being put in by scammers, who coordinate bookings with parcels and random invoices so that they tell a story, always targeting different shifts (almost never the same).
As the other commenter has posted, refunds for nonexistent bookings or refunds for someone else's booking are pretty frequent.
Other simple stuff is overdue payments for fictive deliveries such as soaps, toilet paper, cleaning bills or even outsourced work.
The more complex scams involve making bookings and sending packages with fees and totals paid by the recipient; they try to convince the receptionists that their package needs to be delivered, and an actual delivery of random stuff happens using a real delivery company to complete the scam. They don't always mention that there's payment required on delivery.
Other scams involve claiming lost luggage, wallets, electronics without them being the owners, and trying to convince the receptionist to send the item internationally. We're a hotel next to the airport, so international travellers are the norm, plus we have a room full of lost stuff. They make a booking with a fictional name, then cancel it or no show, and then ask for their black luggage, black wallet, tablet, gold bracelet, etc.
While zero trust is great, humans have experimentally established that it is more or less impossible to maintain by all people in all cases all the time. Eventually someone will fail, and it can even be a security professional. Trustless is a tokenbro buzzword and it's not a viable path for users in general. We need some good trusted core software from which we can move further to auth other less reliable apps or machines.
> Everyone needs to be adopting a form of zero trust or trust but verify to every digital interaction and every use of technology.
I'd be interested in hearing how folks find working with "zero trust"; my employer's adoption of a zero trust VPN has been pretty bad, but I don't know if it's normal.
In my company, it's made it much harder to give decent support to users; previously, a user knew if they were on the VPN or not, and if they were on the VPN but they couldn't reach our service, that was a very rare event and it led to a P1 outage getting an immediate response from a senior engineer.
Now, users don't know if they've passed the device posture checks or not - user plugs in their phone to charge it? Unauthorised external storage device, silently reduce their network access. So now if a user knows they're on the VPN but can't reach our service, that's very common; it's a P4 issue and within 4 hours an intern will tell them to reboot their PC and try again.
Apparently users can't be told when they've failed the device posture check or why, for 'security'.
Needless to say, the engineers hate the much larger support burden, and the users hate the much slower and less helpful responses.
Weren't there protocols implemented for the devices connected to the VPN that would protect against the most common sources of posture check failure? I imagine most problems are quite trivial, like the phone you mentioned, especially if treated as P4 (there might even already be a document with the required advice used by the interns when telling people to reboot).
No, and this isn't the concept of Zero Trust's fault. This is inexperience and/or a lack of competency from your security people and your support people. Although, more likely given that two "silos" are impacted, systemic organizational issues that aren't going to go away.
But isn't the whole point of Zero Trust to move away from a binary "fully trusted (allowed on the VPN) or not" and towards nuanced, dynamic, semi-trusted states?
i.e. isn't the fact you can be on the VPN yet blocked from accessing the service the goal of Zero Trust?
THIS. People who are trained by common stereotypes (generally from the entertainment industry) don't have a clue.
I wonder how it might work out, if Hollywood produced a "Breaking Bad"-style series, about an ambitious young cybercriminal moving up into the really big leagues.
> if Hollywood produced a "Breaking Bad"-style series, about an ambitious young cybercriminal moving up into the really big leagues.
I'm waiting for the biopic of Ross Ulbricht. It's got all of the bits that Hollywood loves with the young protagonist breaking bad, FBI agents also breaking bad, and now comes with a guilty conviction turning into a full blown pardon.
The hard thing about this is that a montage of "complicated chemistry in an RV in your underwear" is way more interesting to watch than a montage of "typing on a computer in your underwear".
No, there are global cyber espionage programs going on.
War is something entirely different. The belligerents are not trying to disable agricultural systems or power grids; an actual war is a horse of a different color, and would likely be regarded as a proper escalation in the physical realm.
It's not unrestricted cyberwar, but I also don't think we have a complete picture of the scale of the cyber conflict, nor do we have a complete picture of the attacks and defences being mounted.
> The belligerents are not trying to disable agricultural systems or power grids; an actual war is a horse of a different color, and would likely be regarded as a proper escalation in the physical realm.
There have been any number of attacks on physical infra. and civil institutions that fit that description. Sandworm (a group in the Russian military) alone has successfully brought down power grids multiple times.
I think that there's a difference between state sponsored hacking and a government turning a blind eye to illegal activities that happen to fulfill the same effect without their hands being dirtied. Incentives, such as potential future employment or the good graces of (more or less corrupt) local authorities when it comes to other illegal activities, can make a significant impact on influencing an adversary's overall cyber readiness.
"According to a report on grid security compiled by a power industry cyber clearinghouse, obtained by POLITICO, a total of 1,665 security incidents involving the U.S. and Canadian power grids occurred last year. That count included 60 incidents that led to outages, 71 percent more than in 2021." [0]
Uh, no. There have been a massive number of attacks attempting to take down the power grid. It's just that the protections in place are currently working most of the time.
Unfortunately, the official stats tend to combine both physical and cyber attacks, so there's no clear sense of which is dominant... But, frankly, there isn't a need to separate them. The attacks are happening.