Submission By: Tom Gilheany
What image springs to mind when you think about cybercrime? Some solitary hacker lurking in a dark, dank basement lit only by displays, madly banging away on a keyboard?
Think again. And think in terms of enterprise on a global scale. Cybercrime has come a long, long way, and that means trouble for every legitimate business and individual too.
To succeed in the commercial Internet’s early days, cybercriminals had to know how to control, implement, and perform the entire theft life cycle from soup to nuts, so to speak. They needed to gain access to machines and identify useful resources, find their weaknesses, gain control of the resources, and then sell those resources.
Not anymore. Today’s online criminals can outsource expertise to contractors who specialize in specific areas, including infiltration, malware customization, and the sale of stolen information. Criminal organizations now take advantage of a worldwide network of technical specialists in hard-to-extradite or hard-to-prosecute places, and they pay them in hard-to-trace digital currencies. Sometimes a contractor’s part in the overall crime is not even illegal in that contractor’s jurisdiction. With a global team of specialists each handling one step, investigators struggle to trace the entire crime and assemble an evidence file that covers every participant.
With worldwide cybercrime as a backdrop, it’s not much of a stretch to find examples like any of the following scenarios:
- An engineer calls the tech support hotline to ask about customizing some off-the-shelf software his organization has just bought. By the way, that off-the-shelf software is a ransomware kit.
- A call center employee logs into her call management database, opens her script, and picks up the phone to make the first call of the day. She and her colleagues are posing as bank employees to trick customers out of their financial information.
- The manager of a manufacturing plant sits down with a client to review the blueprints of a new part. The manager suspects that the blueprints are stolen, but doesn’t care. His plant produces legitimate and counterfeit products side by side.
- A hacker watches an online marketplace, waiting for the account information from a breached bank to be posted for sale. This one is a cybersecurity engineer, tracking how the underground marketplace disseminates stolen information.
Online Markets Hawk Malware and More
Cybercriminals buy and sell stolen information and other illicit assets at specialized e-commerce sites. They find the products and services they want much the same way you do: they search online and are rewarded with many options. Gray and black marketplaces hawk malware, DDoS botnets, ransomware kits, malware-as-a-service (delivered from a cloud-based platform), and stolen data. Like any laissez-faire market, these shadow economies settle on going rates for specific pieces of data: a Social Security number, a credit card number, and a bank account number each command a different price.
If you’re a private citizen who doesn’t prioritize hardening your home computer, assuming you have nothing valuable enough to interest hackers, you are mistaken. As in any economy, if a resource has value, someone will find a way to package and sell it. Even if you don’t store sensitive data on your machine, the machine itself can be remotely seized and put to a rogues’ gallery of purposes. Among other things, it can host phishing pages, mine cryptocurrency for someone else, or serve as part of a botnet engaged in click fraud or spewing out spam.
The Mundane Business Matters of Cybercrime
Ironically, today’s online criminal enterprises have come to resemble their respectable counterparts. Cyber thieves use many of the same tools and are motivated by many of the same factors as regular businesses. They also want to:
- Reduce risk: Criminal enterprises aim to cut their operational risk, just like any other enterprise. To do so, they use tools such as Tor to gain anonymity, and encryption to protect their transmissions from prying eyes, competitors, law enforcement, or intelligence agencies. In addition, ubiquitous remote access allows criminals to manage several operations without being present onsite, which would expose them to greater risk.
- Increase efficiency: Normal enterprises use economies of scale and scope to access a large number of customers. Hackers use them to find and reach victims and boost the quality of information available to grab.
- Gain from social intelligence: Recruiters scan social media to pick up background on job candidates. Criminals use it to amass intelligence on targets.
- Benefit from competition among contractors: Criminals take advantage of on-demand access to virtual global teams of specialists who compete for their business.
- Take advantage of online finance: Online banking and cryptocurrency make it easier to move wealth between jurisdictions, and hard-to-trace cryptocurrency transactions in particular help keep the money from being followed back to the people who earned it.
- Profit from crime-as-a-service: Cybercriminals specialize in everything shady from botnet rentals to phishing services for hire. They can buy and customize malware to suit their needs.
Greater Criminal Efficiency Costs Everyone
Cybercrime emerging as a profession has vastly increased its efficiency, scale, and scope, along with its impact on legitimate enterprises and economies. This deplorable situation creates a security challenge for industries, executives, IT departments, auditors, and regulators. Compliance audits based on regulations and standards that lag behind today’s active threats, and focus on protecting very specific data, can blind executives to the current security risks that must be addressed.
It’s easy—and tempting—to equate compliance with security. Perfect compliance, unhappily, doesn’t guarantee that a system will be safe. The sheer number of risks and threats overwhelms executives who also don’t have the context to accurately prioritize, resource, and budget a comprehensive response.
Organizations that are aware that they are targets should take advantage of this insight to move past simple compliance audits, to identify what assets criminals will go after, to understand how criminals monetize crimes and use stolen assets, and to recognize the resulting impact on their everyday business conduct.
The following tips can help organizations start down the right path:
- Step into the cybercriminal’s shoes. Perform regular internal inventory exercises that identify the organization’s assets that cybercriminals would be most likely to hijack and monetize, or that would be most damaging to the organization if compromised.
- Deploy security controls around those assets, with enough visibility (logging, monitoring, and network telemetry) to see when they are being accessed, moved, or exfiltrated.
- Hire staff, and train existing employees, with the skills to consume and act on real-time threat intelligence.
- Make security everyone’s responsibility. Task the business side of the organization to be security-conscious at all times and report anything amiss to the IT security team.
Know the Most Important Data to Defend
Paying attention to regulatory issues and best-practice standards is a first step. But true enterprise security requires that executives and IT professionals understand all of the risks, and what assets are the real targets. This is a much tougher issue, compounded by the list of assets changing constantly, as new systems are added or even allocated on demand. Companies may think they are covered because they have “security people.” That may be so, but businesses still need to describe as specifically as possible what data is at risk and what job roles are necessary to cover these bases. That is an important part of protecting the enterprise.
Professional cybercrime is much more banal than the image of the lone rogue hacker. But enterprises that understand the methodical, procedure-heavy approach that many cybercriminal organizations take today will be better equipped to home in on the specific data and systems that must be protected. If they use this insight to deploy security technology and trained staff to defend the data and systems most targeted by cybercriminals, organizations will be able to spend their security resources smartly, strategically, and effectively.
Tom Gilheany is Cisco’s Product Manager for Security Training and Certifications. He has a diverse background in startups through multinational Fortune 100 companies. Combining over 20 years of product management and technical marketing positions, and more than a dozen years in IT and Operations, he has conducted nearly 50 product launches in emerging technologies, cybersecurity, and telecommunications. Tom is a Certified Information Systems Security Professional (CISSP), holds an MBA, and is an active board member of the Silicon Valley Product Management Association and Product Camp Silicon Valley.