How your stolen data ends up on the dark web marketplace – techrepublic database name

So what does that mean? They focus on marketing, customer service, advertising, having a consistency of supply. So a number of things that we think that a cyber criminal would focus on they definitely think about. They use analytics to look at activity and which kinds of cards are being sold where. It’s pretty mature and fairly sophisticated.

Patterson: Who are the various actors in this supply chain? Obviously when I think about the mechanics of what you just explained, marketing and metrics, I can think of legitimate professions that do that and do it really well. Are these criminals recruiting say experts in analytics? Are they trying to flip and turn normal people who have good skills?

Walther-Puri: Yeah, that’s a good question. So what we try and focus on is how that data moves along, so understanding the who is important for us in two ways.

One, that there isn’t … There aren’t a totally unique set of skills for maintaining, like you said, analytics, metrics, those kinds of things. On the dark web it’s also a community where people can network and find other resources that they need and connect with each other and find someone who has those skillsets.

Some of the more specialized aspects of cyber crime and fraud, there not only are actors on the dark web that have those capabilities, there are services out there that provide tutorials and explain how to perpetrate certain kinds of fraud, and in some cases will provide that fraud as a service.

Patterson: Fraud as a service. That’s a fascinating emerging business. What about law enforcement? Where do they come in? How are they investigating dark web channels? We know the FBI is there, but what other alphabet soup agencies are involved with dark web tracking?

Walther-Puri: Yeah, so that’s where the … starts to become really important, but they are trying to map out the networks, and as you probably know, and your viewers and otherwise know, attribution is difficult on the dark web. There’s in some cases anonymity, in other cases pseudonymity, so attribution is pretty difficult, so that’s definitely law enforcement’s challenge.

At the same time, they have embedded resources… We have the writ to investigate and try and take down some of these operations. So to that end you mentioned the FBI. Definitely anyone that’s dealing with the opioid crisis, because there’s a fair amount of that activity on the dark web, so drug enforcement agency. Then we also see a number of other kinds of security concerns that Homeland Security would be involved as well.

Then in some cases local police. Local police are involved, especially if their jurisdiction is a hotbed of drug activity or fraud, anything where they’re stealing cards en masse. We continue to see arrests happen where someone is trafficking in drugs on the dark web and at some point they have to go pick those up, right? Or if there’s other physical goods, they have to go pick those up.

Walther-Puri: Good questions. I say questions because I think there’s two in there, what does a business do, what does a consumer do? Let’s start with businesses. Businesses, the first thing is not going to be very surprising. Understand their risk profile. So the dark web provides a number of risks and I think for a lot of people it’s a scary, spooky place where they don’t know very much of what’s happening. They think it’s a Craigslist for hit men or a meetup for terrorists, and there’s a lot more that happens there that has an impact on business operations, particularly around data and security of assets.

The first thing is to understand our risk profile and to take a risk based approach. We think that’s the most effective way to allocate your resources and determine if your security controls are being affective. If you believe that sensitive data is not getting out there you need to go test that notion and understand what that exposure looks like. So that’s I think the very first step, is understanding that risk profile and then understanding controls.

For consumers it’s definitely challenging. The two things I will say not to be first, so not to be motivated by fear. Fear is not a good way to push someone towards action. You can use fear to get me to join the gym. You can’t use fear to get me to go to the gym. We need people to go to the gym. So that’s about similarly understanding their risk, but really understanding their own profile and their own data. I think people are starting to understand that their data is worth something. That’s the first thing I’d say to consumers, is value … To have some data self-worth. Your data is worth something.

The second is to take some basic preventative measures. Two aspects … I think many people have talked about them and I will encourage them as well, to use a password manager and to use multifactor authentication. But a good place to start is a password manager.