Putting a Dent in Cybercrime: From Industry to Individual
Oct 17, 2016
The idea of a lone hacker maliciously tapping away in a dark room is an antiquated one. The business of cybercrime is now a multibillion-dollar enterprise with highly organized entities looking to exploit vulnerabilities and scam businesses and consumers in our increasingly networked world. According to a Juniper-commissioned report from the RAND Corporation:
The cyber black market has evolved from a varied landscape of discrete, ad hoc individuals into a network of highly organized groups, often connected with traditional crime groups (e.g., drug cartels, mafias, terrorist cells) and nation-states. It does not differ much from a traditional market or other typical criminal enterprises; participants communicate through various channels, place their orders, and get products.
Today, attackers are much more efficient in their efforts than ever before, driven by the ability to work with others in the criminal underground. Left unchecked, I worry that the ability to defend against these organizations will be more challenging.
At its core, making a dent in cybercrime requires that we look for ways to change the economics of attacks. Simply put, if it were harder for attackers to successfully steal and exploit information at every turn, the economic incentives that drive their actions would be far less appealing. This approach requires cooperation among government, law enforcement and businesses, as well as improved cyber-hygiene. Let’s take a look at the steps government and law enforcement, industry and individuals can take to better protect themselves from cybercrime.
Enabling Information Sharing Between Agencies and Industry
We know that attackers are highly organized at sharing information among themselves and it is imperative that we do the same. While attribution of attacks, and ultimately bringing cybercriminals to justice, will continue to be a challenge, by sharing intelligence on activities and the tactics being used by many of these organized crime groups, we can make everyone more secure. I am very encouraged by the continued traction that efforts like the various industry Information Sharing and Analysis Centers (ISACs) and the FBI’s InfraGard program are getting.
We also need help from policymakers who must develop new legislation that helps to facilitate greater information sharing while also protecting the privacy of U.S. citizens. As a former CISO, I’ve heard from many of my peers that they’ve been reluctant to share details of attacks they faced for fear of possible lawsuits. However, the free sharing of timely and actionable indicators that can help detect, prevent, and mitigate an attack is essential and will eventually make it much more difficult and costly to replicate attacks.
Hardening the Enterprise
While attacks using new zero-days tend to make the headlines, the fact remains that the majority of today’s attacks on companies are based on known vulnerabilities or social engineering targeted at employees. Be it one server that a company is planning to migrate to a new infrastructure or delays in applying the latest patches shared by technology companies, if you have a poor architecture or if your organization is not employing best practices, you’re still vulnerable. Having an effective cyber security program that gets the basics right could greatly reduce the likelihood of compromise. If every company followed these practices, it could make it much more difficult for cybercriminals to succeed. Reducing the attack landscape is foundational.
With our increasingly cloud-based infrastructure, organizations need to critically think about who they partner with and do business with. With SaaS providers, you have to be very selective and make sure that they are doing the right things – it’s no longer just about your systems and best practices, it’s about your providers’ systems as well.
It’s also important to ensure that companies put a thoughtful plan in place to put the proper protections around the data they collect, while balancing the needs of the business. Realistically, it’s impossible to provide perfect security, so it’s critical to be intentional about the security investments that get made. These decisions should involve everyone: if you’re a leader, you and your organization have to have a vested interest in approaching security from the right perspective to ensure intent and policies are well articulated, well-crafted and measured.
Individual Steps for Better Cyber-Hygiene
For individuals, basic cyber-hygiene is not only good for you, but helps to make key tools used by attackers less useful. Botnets rely on infected consumer devices to execute any manner of attack - from crippling Distributed Denial of Service (DDoS) attacks to distributing malware. However, if consumers practice basic hygiene, they can render these tools largely useless.
For many of us, the same common sense we apply to the ‘real world’ we tend not to apply to our online activities. If you think about your browsing activities, it’s about behavior and who is watching you or keeping track. In the real world, we may take a look over our shoulder when walking down a dark street to ensure we’re not being followed – think about extending this to the cyber world – who might be following your activities? I like to tell people: “If you question it, then question it.” Question who has access to your information and who is trying to get access to your information. It’s key to also ensure your choice of platform is secure when it comes to mobile devices and laptops. Applying software updates, running anti-virus software, choosing appropriate passwords and changing them regularly are all easy steps that can help.
No one company or industry can solve this problem, but through collective action I am sure we can make hacking less profitable and cybercrime less damaging.