The New Perpetrator: Organized Crime Replaces the Neighborhood Hacker

By Courtney Macavinta

It's every CIO's worst nightmare. Someone breaks into the company's network but not to gain notoriety (as was common in the old days). Instead, the culprit blackmails the CIO to stay silent about the break-in and the sensitive data that was compromised. Or, even worse, the thief shares the goods with a wider network of criminals who will perpetrate offenses such as identity theft or illegal spamming.

"Hackers used to be 'script kiddies' doing it for bragging rights, but today there is an organized crime movement behind these threats with a profit motive," says Mark Lobel, a security expert and partner with PricewaterhouseCoopers. "The hacker model has changed. It used to be to gain attention, but now the really good folks get zero attention. They break in, do their business, clean up their tracks, and leave before you ever knew they were there."

Case in point: A 2005 survey by the FBI and Computer Security Institute (CSI) found that almost 90% of the more than 2,000 organizations surveyed had experienced security threats such as computer viruses, worms, spyware, port scanning, or data sabotage. The average loss was $204,000 due to a security breach. Overall, the companies surveyed lost $130 million due to attacks in 2005.

With organized crime rings replacing teen hackers as the new IT threat, organizations need to alter the way they protect their data, customers, employees, and reputations. At risk is not only a company's precious private data, but electronic organized crime can also result in regulatory penalties and bad public relations for an enterprise if the security breach becomes public or affects customers.

How organized criminals operate
A growing global network of sophisticated criminals is exploiting the IT security vulnerabilities of enterprises to make money. "The dollar is always king -- it's a huge motivation," says security expert George Spillman, who is a principal behind the ToorCon computer security conference. "We're seeing a lot of these attacks coming from groups outside U.S. jurisdiction, and they can sell their services for quite a hefty fee."

Experts say the main tricks of the trade include:

  • Botnets: These are essentially a collection of "hijacked" computers running hidden programs that are usually under the control of a crime ring. Through a botnet, a criminal secretly controls other computers and can sell access for illegal purposes like sending spam or launching distributed denial-of-service attacks.
  • Phishing: Often phishers use a botnet to hide their activities -- specifically sending spoof emails to consumers enticing them to reveal passwords, or personal and financial information. "A lot of the phishing groups are working on their own behalf," Spillman says, "but others are working with organized criminals who can capitalize on the data they get."
  • Port scanning: Widely used to find out if a network can be compromised, port scanning helps criminals find backdoors into a company's IT system. Once in, they can steal data, threaten to shut down a company's Web site, expose stolen data to extort money, or resell data to other criminals.
  • Spyware: Criminals often deploy spyware through virus-laden email. The spyware or "key-logger" program can then capture a company's passwords to gain wider access to more sensitive data stored on the network, for example.
  • Targeted Trojans: Forrester Research analyst Paul Stamp, who follows high-tech organized crime, says that because targeted Trojan attacks -- malicious scripts that sneak onto a network via a virus -- are designed specifically to hit a particular organization, they can more easily slip under the radar of antivirus software. The UK Ministry of Defense, for example, was the focus of such an attack in 2005.
  • Human error or espionage: Getting employees to divulge sensitive data over the phone, for example, is just one of the low-tech criminal tactics with high-tech potential. Once criminals gain access to one customer account they can exploit a system further. Even worse, some enterprises report that insider employees have partnered with criminals to steal proprietary digital information.
  • Wireless viruses: The newest threat is viruses spread through cell phones and Bluetooth devices, PricewaterhouseCoopers' Lobel says. For now, wireless viruses are mostly "proof of concept" endeavors, he says, adding that hijacking phones or wireless devices will increasingly be used for illegal activities the same way online computers are today.

What's at risk
CIOs never want their network exposed or exploited. At stake is consumer trust, hefty legal liabilities, and a company's competitive edge.

However, in the past, a company might be inclined to quietly pay off an extortionist who broke into their network or to keep a security breach quiet from the public. According to the FBI's security survey, a majority of companies still don't report attacks to law enforcement. Why? More than 40% who didn't report incidents said they worried the "negative publicity would hurt [their company's] stock/image."

Even so, dozens of new laws require that companies come clean when sensitive records are compromised, which makes hiding break-ins a big risk for CIOs.

"For any company that has reporting regulations for compromised systems, there are huge penalties," Spillman says. "It can affect the financial viability of the company."

For instance, California has a data privacy law (SB 27) that requires businesses to inform customers of any third parties that have had access to their data, and another regulation (SB 1386) says that any company or individual who has customers in the state, or conducts any business in the state, must go through the process of notifying consumers if their electronic records are stolen, lost, or otherwise compromised. For its part, the U.S. Gramm-Leach-Bliley Act also established stricter guidelines for protecting the privacy of customers' information and advising consumers of their privacy policies. The liability for violating this federal law rests squarely on the shoulders of a company's CEO and directors.

How to ratchet up security
To stave off organized criminals, CIOs need to take the lead to make sure the company has a good defense strategy.

"A good hack comes from a combination of some kind of technological vulnerability, a breakdown in process, insider knowledge, and social engineering," Stamp says. "You have to identify all those as risks." Stamp and other experts advise that CIOs improve security in the following ways:

  • Raise awareness: Make sure other C-level executives are aware of the threats and adopt a culture of security from the top down. Also invest in employee training to improve data protection processes. "You have to make sure employees are aware of your policies and issues surrounding critical data they're handling, and they need to be aware of the impact that [wrongly] disclosing this data can have on the business," Stamp says.
  • Manage risk: Enterprises need to take inventory of all sensitive data on their networks, assess how it could be exploited, and know which data security laws govern their data. Lobel says CIOs need to ask themselves: "Do I have preventative, protective, and responsive controls in place that will stop bad people from coming in?"
  • Put controls in place: From firewalls to user authentication, encryption, and detection controls, CIOs need to be aware of vulnerabilities and have systems in place to alert them to threats or suspicious activity. "Keep as much sensitive information off public servers as possible," Spillman says. "And employees have to be trained to safeguard information, like not putting passwords on a Post-It note." And if human error is the cause of a security hole that is exploited by organized crime, then have an accountability process in place to limit risk in the future.
  • Don't give in: Paying off extortionists is never the right approach, Lobel says. "If someone is threatening you, the wrong action is to succumb to the demands and hope they'll go away. If you've proven you could be extorted from once, they'll continue to blackmail you."

Whether regulations call for it or not, analysts say enterprises should have a policy that governs their data collection practices, security strategies, and how they disclose breaches if and when they happen.

"It's bad enough when you have to let customers know you lost their information -- it's worse when they have to tell you," Lobel says. "It's always less expensive to plan in advance than to react in real-time."

Courtney Macavinta is a Silicon Valley-based business and technology writer. Her articles have appeared in CNET News, Business 2.0, Red Herring, Wired News, and The Washington Post.
