STORES Magazine - May/June 2017 - LP52
businesses, 28-year-old Gonzalez pleaded guilty in 2009 to 19
counts of conspiracy, computer fraud, wire fraud, access device
fraud and aggravated identity theft. He was sentenced to 20
Peretti said she learned a lot from Gonzalez when he was an
"Albert was an educator," Peretti told The New York Times
Magazine, which ran a cover story about his criminal activities.
"We had to learn the characters, their goals, their techniques.
Albert taught us all of that."
After years of investigating and prosecuting cybercrimes, Peretti is in a position to help businesses deal with issues such as privacy, financial crime, fraud, regulation, economic espionage and intellectual property theft.
Along the way, she has developed a broad awareness of what typically goes wrong for retailers as they try to protect both their data and that of their customers. Peretti has also developed a hierarchy of actions retailers can take to reduce the likelihood of becoming an attack victim.
It doesn't take much to draw attention in this area, where it isn't only attacks that get the notice of authorities. Merely identifying vulnerabilities in information systems has generated regulatory activity and even litigation.
Peretti suggests that businesses can address the issue by conducting vulnerability assessments. She also recommends having a formal system in place - a vulnerability management system - for addressing identified vulnerabilities.
"Internal testing may also be supplemented by a 'bug bounty' program, or at minimum, a process for receiving, reviewing and, as necessary, remediating vulnerabilities reported by third parties," such as customers or vendors, she says.
Businesses can also monitor and track vulnerabilities identified by security researchers in white papers or reported in the news, since not addressing these publicly known issues could lead to scrutiny from regulators, Peretti adds.
Ignoring alerts about vulnerabilities could lead to unpleasant consequences. "The current legal liability landscape increasingly demands active and even proactive engagement with vulnerability management," she says.
Businesses sometimes develop cyber incident response plans but often fail to test the plans, Peretti notes.
"Just as there is no perfect plan, there is no one-size-fits-all testing technique," she says. "Plan testing is largely an art, not an absolute science."
Peretti suggests "start small, work to big," meaning start with a training exercise, follow that up with a "walk-through" and eventually work up to a "near-live-fire" simulation.
When testing cyber incident response plans, Peretti emphasizes that companies must understand what they are trying to test. They should also choose the facilitator/moderator carefully, use real-world scenarios and incorporate international elements into
She says companies shouldn't script the entire exercise (or share the script with participants) but also cautions against being too informal. Each participant should have a role, and the scenario must be connected to the plan.
The point about including international elements comes from real-world experience, since investigations into cybercrime networks frequently lead off-shore.
"While international cybercrime investigations present additional challenges to overcome, federal law enforcement agencies and the Department of Justice have made great strides in being able to overcome these challenges in recent years," Peretti says.
"Sometimes victims of such crimes perceive no immediate results or no results at all, but it is often the case that international investigations can take years to yield any
"At the same time," she says, "criminals are also taking advantage of techniques such as encryption and specializations, for example, that are making it harder for law enforcement to pursue cybercriminals, whether international
The FBI has identified several types of specialist cybercriminals: coders, programmers, vendors, techies and hackers who search for and exploit application, system and network vulnerabilities to gain administrator or payroll access. There are also fraudsters who create and deploy social engineering schemes, including phishing, spamming and domain squatting; hosters who provide "safe" hosting of illicit content servers and sites; and "chasers" who control drop accounts and provide those names and accounts to other criminals for a fee.
The list also includes "money mules," individuals who often travel to the United States on student or work visas to ply their trade; tellers who help with transferring and laundering illicit proceeds through digital currency services as well as between different world currencies; and leaders, many of whom don't have any technical skills at all but are the "people people," Peretti says.
With overseas operatives capable of hacking anywhere in the world, newer technologies involving such things as mobile applications, social media, cloud storage and the Internet of