Cyber-attacks, no longer the actions of a few rogue individuals, are now big business. It’s a growth industry crying out for serious countermeasures
If you think the recent massive cyber-attacks on Github, Sony, Target and other large organizations were committed by lone hackers working from their bedrooms, it’s time to update your thinking.
Cybercrime is a big business. Exactly how big is anybody’s guess, but it’s now a huge underground economy, essentially a shadow version of our legal economy.
Organized criminals, foreign governments and online gangs are all involved. Online forums now exist that essentially provide marketplaces where the bad guys can easily buy and sell not only stolen data — including credit-card numbers and CVV codes, social security numbers, even mothers’ maiden names — but also related services.
Need someone to launder your money in Munich, translate your spyware into Korean, or sell stolen data for you in Bangalore? These kinds of criminal services, and many others, are just a click away on this ‘dark’ web of online criminal communities. Some sites even offer educational materials to help criminals learn new, if illegal skills.
“In the past, cybercrime was committed mainly by individuals or small groups,” states the cybercrime site of Interpol, the international criminal policing organization. “Today, we are seeing criminal organizations working with criminally minded technology professionals to commit cybercrime, often to fund other illegal activities. Highly complex, these cybercriminal networks bring together individuals from across the globe in real time to commit crimes on an unprecedented scale.”
Interpol has identified three broad areas of cyber-attack: hardware/software attacks, including bots and malware; financial crime, including online fraud and phishing; and abuse, which includes sexploitation and crimes against children. All are now in the hands of organized cybercrime.
Similarly, last year’s widely reported attacks on large, well-known organizations were hardly the work of isolated amateurs. Instead, they were committed by professional criminals able to break into and violate systems run by organizations that include Domino’s Pizza, eBay, Healthcare.gov, Home Depot, JP Morgan Chase, Neiman Marcus, Sony, Target and Staples.
This rash of cyber-attacks has even elicited action from the US government. The CIA recently announced plans to conduct a major overhaul aimed in part at sharpening its focus on cyber operations. And President Obama in early April issued an executive order stating that the US government can now freeze the assets and bar transactions of entities, including national governments that are engaged in cyber-attacks.
"The effect on consumers’ continued willingness to shop and work online is difficult to measure, but it can’t be good"
Big crime syndicates, including the Russian mafia, are flocking to cybercrime for the same reason Willie Sutton said he robbed banks: that’s where the money is. A 2014 report by McAfee and the Center for International Studies, a nonprofit think-tank, estimates the cost to the global economy from cybercrime at anywhere from $375bn to $575bn a year. These figures, the researchers point out, actually exceed the national incomes of many countries. “Companies underestimate how much risk they face from cybercrime and how quickly this risk can grow,” the report states.
Indeed, the average cost of a single data breach to just one company last year was a massive $3.5m, according to another study, this one conducted by Ponemon Institute and IBM. And these costs are getting worse, rising from the previous year by 15%, the researchers say.
There’s also a huge cost in terms of consumer confidence. Years ago, having a computer hacked was unusual, the stuff of stories around the water cooler. No more. Today, tens of millions of people in the US alone have had their personal information stolen, whether from PCs or enterprise databases. The effect on consumers’ continued willingness to shop and work online is difficult to measure, but it’s easy to guess that it can’t be good.
Perhaps even more serious, consumers have good reasons to worry. Panda Labs, an anti-malware developer, says it recorded 75 million strains of malware last year, including trojans, viruses, worms and spyware. That’s 2.5 times more than it recorded the year before, a serious increase. What’s more, Panda Labs estimates that 40% of all computers in certain countries — including China, Ecuador and Turkey — are now infected with some type of malware.
Also, major cyber-attacks show no sign of fading away. This year already, attacks have been launched on organizations that include Github, Rutgers University and British Airways. The attack on Github, an online code repository for software developers, is especially worrisome, as investigators believe the attackers may be connected with the Chinese government. Github contains copies of websites that are banned in China, including one that helps internet users circumvent the government’s online censors.
What are companies doing to protect themselves? To be sure, they’re spending money on security systems — but not as much as they think they should be. In the Ponemon/IBM survey, respondents said they will spend an average of $7m on strengthening their security strategy; but they also said they should be spending about double that, an average of $14m.
Can even this higher level of spending truly protect against the cyber-attacks of organized criminals? Increasingly, it’s an arms race between superpowers. To win it, IT managers will need security solutions that are highly dynamic and extremely adaptive.
About the Author
Craig D’Abreo is vice president of security operations at Masergy Communications. He has over a decade of experience in the information security industry with expertise in vulnerability assessments, penetration testing, encryption and cryptography. Craig holds an MBA in Information Security from the University of Dallas