Hackers and Threats: Cybercrime Syndicates Go Global

Tuesday, August 04, 2015

Steve Durbin


The pace and scale of information security threats continue to accelerate, endangering the integrity and reputation of today’s most trusted organizations.

The stakes are higher than ever before, and we’re not just talking about personal information and identity theft anymore. High-level corporate secrets and critical infrastructure are constantly under attack around the globe, and organizations of all sizes need to be aware of the important trends that have emerged or shifted over the past few years. With the speed and complexity of the security threat landscape changing on a daily basis, those organizations that don’t prepare will be left behind, most likely in the wake of reputational and financial damage.

Crime Syndicates are Taking a Quantum Leap

Organizations are struggling to cope with the quantum speed and sophistication of global cyber-attacks being carried out by organized cyber-criminal syndicates. Moving forward, businesses need to prepare to be targeted at any time, and any place, by multiple assailants. Organizations that wish to keep pace with these developments, and remain financially viable, need to take action now, or face the consequences.

Criminal organizations are becoming more sophisticated, more mature and are migrating their activities online at greater pace than ever before. They are beginning to develop complex hierarchies, partnerships and collaborations that mimic large private sector organizations and are taking their activities worldwide. They are also basing their operations where political and law enforcement structures are weak and malleable, and where they can conduct their activities relatively undisturbed. This is forcing domestic organizations to adapt their security strategies and fortify their internal business operations in order to protect themselves from the inevitable data breach.

So how much does a data breach actually cost an organization?

Total Cost of a Data Breach

According to the Ponemon Institute’s 2015 Cost of Data Breach Study, the average consolidated total cost of a data breach is $3.8 million. The study also found that the cost incurred for each lost or stolen record containing sensitive and confidential information increased six percent from a consolidated average of $145 to $154. Ponemon also found that 47% of all breaches in this year’s study were caused by malicious or criminal attacks and the average cost per record to resolve such an attack is $170. In contrast, system glitches cost $142 per record and human error or negligence is $134 per record.

Now, let’s take a look at another area of loss that is affecting organizations of all sizes. The cost associated with lost business has been progressively increasing over the past few years and potentially has the most severe financial consequences for an organization. Ponemon found that the cost of lost business increased from a total average cost of $1.33 million last year to $1.57 million in 2015. This cost component includes the abnormal turnover of customers, increased customer acquisition activities, reputation losses and diminished goodwill. The growing awareness of identity theft and consumers’ concerns about the security of their personal data following a breach has contributed to the increase in lost business.

Cyber Crime Increases as Malspace Matures

I mentioned earlier how criminal organizations are becoming more sophisticated and mature. In addition, crime syndicates are aligning commercially and diversifying their enterprises, seeking profits from moving more of their activities online. They are basing their operations where political and law enforcement structures are weak and malleable, and where they can conduct their activities relatively undisturbed. This is forcing domestic organizations to adapt their security strategies and fortify their internal business operations.

In a criminal marketplace with a global talent pool, professionalization will encourage specialization. Different criminal business units will focus on what they do best, and strategy development and market segmentation will follow best practice from the private sector. Malware development will be a prominent example of specialization. Profits will allow crime syndicates to steadily diversify into new markets and fund research and development from their revenue. Online expansion of criminal syndicates will result in increased Crime-as-a-Service (CAAS) along with distributed bulletproof hosting providers that sell services and turn a blind eye to the actions of malicious actors.

In today’s global, connected society, businesses must prepare for the unknown so they have the flexibility to withstand unexpected and high impact security events. With the growth of the Internet of Things (IoT), we’re seeing the creation of tremendous opportunities for enterprises to develop new services and products that will offer increased convenience and satisfaction to their consumers. The rapid uptake of Bring Your Own Device (BYOD) is increasing an already high demand for mobile applications for both work and home.

Smartphones are already the control center for the IoT, creating a prime target for malicious actors. The information that individuals store on mobile devices already makes them attractive targets for hackers, specifically “for fun” hackers, and criminals. Unauthorized users will target and siphon sensitive information from these devices via insecure mobile applications. The level of hyper-connectivity means that access to one app on the smartphone can mean access to all of a user’s connected devices.

But do the apps access more information than necessary and perform as expected?

Worst case scenario, apps can be infected with malware that steals the user’s information – tens of thousands of smartphones are thought to be infected with one particular type of malware alone. This will only worsen as hackers and malware providers switch their attention to the hyper-connected landscape of mobile devices.

I’ve touched upon mobile and the IoT so let’s shift gears for a moment to the supply chain. Here’s a question for you: Do you know if your suppliers are protecting your company’s sensitive information as diligently as you would protect it yourself? This is one duty you can’t simply outsource because it’s your liability. By considering the nature of your supply chains, determining what information is shared, and assessing the probability and impact of potential breaches, you can balance information risk management efforts across your enterprise.

Organizations need to think about the consequences of a supplier providing accidental, but harmful, access to their corporate information. Information shared in the supply chain can include intellectual property, customer or employee data, commercial plans or negotiations, and logistics. Caution should not be confined to manufacturing or distribution partners. It should also embrace your professional services suppliers, all of whom share access, often to your most valuable data assets.

To address information risk in the supply chain, organizations should adopt robust, scalable and repeatable processes – obtaining assurance proportionate to the risk faced. Supply chain information risk management should be embedded within existing procurement and vendor management processes, so supply chain information risk management becomes part of regular business operations.

Reducing the Risk of Attack

Today, risk management largely focuses on achieving security through the management and control of known risks. The rapid evolution of opportunities and risks in cyberspace is outpacing this approach and it no longer provides the required protection. Cyber resilience requires recognition that organizations must prepare now to deal with severe impacts from cyber threats that are impossible to predict. Organizations must extend risk management to include risk resilience, in order to manage, respond and mitigate any negative impacts of cyberspace activity.

Cyber resilience also requires that organizations have the agility to prevent, detect and respond quickly and effectively, not just to incidents, but also to the consequences of the incidents. This means assembling multidisciplinary teams from businesses and functions across the organization, and beyond, to develop and test plans for when breaches and attacks occur. This team should be able to respond quickly to an incident by communicating with all parts of the organization, individuals who might have been compromised, shareholders, regulators and other stakeholders who might be affected.

Cyber resilience is all about ensuring the sustainability and success of an organization, even when it has been subjected to the almost inescapable attack. By adopting a realistic, broad-based, collaborative approach to cyber security and resilience, government departments, regulators, senior business managers and information security professionals will be better able to understand the true nature of cyber threats and respond quickly and appropriately.

Inside and Out: Preparing Your People

Organizations continue to heavily invest in developing human capital. Let’s be honest. No CEO’s presentation or annual report would be complete these days without stating its value. Leaders, now more than ever, demand return on investment forecasts for the projects that they have to choose between, and awareness and training are no exception. Evaluating and demonstrating their value is becoming a business imperative.

Many organizations recognize their people as their biggest asset, yet many still fail to recognize the need to secure the human element of information security. In essence, people should be an organization’s strongest control. But, instead of simply making people aware of their information security responsibilities and how they should respond, the answer for organizations is to embed positive information security behaviors that will result in their behavior becoming a habit and part of an organization’s information security culture. While many organizations have compliance activities which fall under the general heading of ‘security awareness’, the real commercial driver should be risk, and how new employee behaviors can reduce that risk.

We’ve discussed preparing for an incident, but what about external communication once a breach occurs? Due to the ever-increasing velocity of the 24/7 news cycle, it has become virtually impossible for organizations to control the public narrative around an incident. Responding to unwelcome information released on someone else’s terms is a poor strategy, and a defensive posture plays poorly with customers whose personal details have just been compromised.

The perspective that disclosure will be more damaging than the data theft itself is a guaranteed way to damage customer trust. However, advance planning is often lacking, as are the services of tech-literate public relations departments. The lesson that we tell our members is to carefully consider how to respond, because your organization can’t control the news once it becomes public. This is particularly true as data breaches are happening with greater frequency and as the general public pays greater attention to information security. I also recommend running simulations with your PR firm so that you are better prepared to respond following a breach.

Have Standard Security Measures in Place

Business leaders recognize the enormous benefits of cyberspace and how the Internet greatly increases innovation, collaboration, productivity, competitiveness and engagement with customers. Unfortunately, they have difficulty assessing the risks versus the rewards. One thing that organizations must do is ensure they have standard security measures in place.

The Information Security Forum (ISF) has designed its tools to be as straightforward to implement as possible. These ISF tools offer organizations of all sizes an “out of the box” approach to address a wide range of challenges – whether they be strategic, compliance-driven, or process-related. For example, the ISF’s Standard of Good Practice for Information Security (the Standard) enables organizations to adopt good practices in response to evolving threats and changing business requirements. The Standard is used by many organizations as their primary reference for information security. The Standard is updated annually to reflect the latest findings from the ISF’s Research Program, input from our global member organizations, and trends from the ISF Benchmark, along with major external developments including new legislation.

Another example that organizations can use is the ISF’s Information Risk Assessment Methodology version 2 (IRAM2). IRAM2 has many similarities to other popular risk assessment methodologies. However, whereas many other methodologies end at risk evaluation, IRAM2 covers a broader scope of the overall risk management lifecycle by providing pragmatic guidance on risk treatment. The IRAM2 risk assessment methodology can help businesses of all sizes with each of its six phases detailing the steps and key activities required to achieve the phase objectives while also identifying the key information risk factors and outputs.

As information risks and cyber security threats increase, organizations need to move away from reacting to incidents and toward predicting and preventing them. Developing a robust mechanism to assess and treat information risk throughout the organization is a business essential. IRAM2 provides businesses of all sizes with a simple and practical, yet rigorous risk assessment methodology that helps businesses identify, analyze and treat information risk throughout the organization.

Don’t Find Yourself in Financial and Reputational Ruin

In preparation for making your organization more cyber resilient, here is a short list of next steps that I believe businesses should implement to better prepare themselves:

  • Focus on the Basics
  • Prepare for the Future
  • Change your Thinking About Cyber Threats
  • Re-assess the Risks to Your Organization and its Information from the Inside Out
  • Revise Information Security Arrangements

Organizations of all sizes need to ensure they are fully prepared to deal with these ever-emerging challenges by equipping themselves to better deal with attacks on their business as well as their reputation. It may seem obvious, but the faster your response, the better your outcome will be.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.