Earlier this year, newspapers reported that, for the first time, the U.S. had filed criminal charges against five Chinese military officers. It was the first time Washington had singled out a foreign government, alleging that its officers had hacked into the computer systems of five American businesses in search of information and trade secrets.
This high-profile event is but one in a series of quiet battles being fought in cyberspace. On the other side of the Atlantic, Europol has recently reported on Internet organized crime. In its comprehensive threat assessment, state-sponsored hacktivists were reportedly joined by more traditional organized crime groups (albeit ones with a strong digital bent) and by other e-commerce related fraudsters.
One legitimate question arises: is this affecting my business? Isn’t this well above my day-to-day activities and endeavours? The unfortunate answer is that no one can consider themselves out of the picture. In fact, history tells us that over the past decades the digital underground has evolved, matured and turned into a thriving criminal industry, costing global economies in excess of USD 300 billion per year.
“Crime-as-a-Service” is on the rise, and as of August 2014 we count at least 39 specialised criminal digital marketplaces thriving on the Darknet. These markets raise several considerations:
- They give organization to otherwise disparate individuals;
- They facilitate the flow and sharing of information and knowledge among highly-focused and committed individuals;
- Traditional definitions of organized crime do not mirror the digital underground economy: increasingly, individuals form more coherent groups driven by a purpose, i.e. a particular project or attack campaign, although these groups usually lack the hierarchy and structure of traditional organized crime groups;
- A multitude of criminal vendors is available to supply experience and competence and co-operate on a vast array of possible criminal schemes, and the concept of reputation holds true on the Darknet as well as it does in any marketplace.
Distributed Denial of Service (DDoS) attacks have become accessible to just about anyone willing to ask, and pay, for such services. A botnet service provider’s business model is not much different from an ISP’s.
Under the same “as-a-Service” model, many other items can be chosen from a highly refined Menu of Crime, including:
- Infrastructure-as-a-Service, as cybercriminals require infrastructure which provides security, anonymity, resilience and resistance in order to launch their attacks;
- Data-as-a-Service, comprising compromised personal and financial data, such as credit cards and bank account details, and also physical items such as ID cards, passports, etc.;
- Pay-per-Install services, providing an easy and convenient method of distributing malware;
- Hacking-as-a-Service, offering varied levels of service, from baseline hacking of emails and social networking accounts to more sophisticated attacks of economic espionage;
- Money Laundering-as-a-Service, involving a combination of online and offline solutions, with money mule networks – who provide a key service in the laundering of criminal proceeds from cybercrimes – often playing a central role.
The dispersed nature of cybercriminals, their determination to succeed and their theoretically unlimited supply of resources pose a serious threat to governments and businesses alike. In particular, Malware-as-a-Service is becoming increasingly, and worryingly, professional, copying the methods and business models of legitimate commercial software development companies, complete with 24/7 customer support and frequent patches and updates that continuously improve the quality and performance of the products.
Furthermore, as the ROI is huge, malware is becoming increasingly “intelligent”, including code that detects a sandbox environment and prevents the malware from being deployed or executed there. Malware developers will continue to refine and improve their products to make them stealthier and harder to detect and analyse.
In this scenario, oversimplified here given the limits of a blog post, what are the options for an organization to defend its interests and, ultimately, its own existence? Here are four tips:
- Check your risk profile. Few organizations know exactly where they stand in terms of readiness and resilience. In our experience, we noticed that all of them focused on technology, but very few also took into account the other two critical elements of risk: people and processes. Furthermore, facilitators and other relevant factors should be considered, especially where parts of the business are outsourced to third parties that might not meet the required security standards.
- Keep it simple. When the organization is open, flat and borderless, there is no point in continuing with a traditional, perimeter-centric design for one’s security solutions. Focus on the relevant assets and give primary defence to the crown jewels. Innovative security models should also be considered, such as the Unisys Stealth solution for secure networks.
- Invest in awareness and education. The human factor is key. There is no possible defence if employees and business partners are not actively taking part in the defence measures through their vigilance and behaviour. Again, we cannot stress enough the importance of investing in people (HR) rather than in technology alone. The payback can easily be the transformation from a security-passive to a security-active organization.
- Involve your business partners. No organization exists and thrives in isolation. Therefore, security measures must include business partners, sub-contractors and possibly one’s clients. Offenders can easily identify the weak points in a complex environment. Be prepared to push your requirements and preferred security models onto your business partners, and to differentiate among them on the basis of their vulnerability and risk profile as much as on their financial solidity.
In March 2014, the European Parliament approved an amended version of the Network and Information Security (NIS) Directive. The amendment included a requirement for companies providing critical infrastructure and supporting industries to report to the competent authorities any incident with an impact on their core services, such as a data breach. It is likely that similar provisions will be extended to other industries in the not-so-distant future. Aligning with such requirements will be compulsory and will therefore fall under the tagline of “compliance”. What about getting ahead of the game by reducing your own risk factors? What if you were to discover that the economic reward, i.e. your ROI on reducing risk, is positive for your business? Think, and act, differently.
U.S. National Cyber Security Awareness Month Blog Series:
Week 1: 5 Tips for Consumers for Online Safety
Week 2: 5 Tips for the Secure Development of IT Products
Week 3: 3 Tips for Critical Infrastructure Protection
Week 4: 5 Key Security Considerations for SMBs in 2015
Week 5: 4 Tips for Organizations to Combat Cybercrime