Last month, the FBI announced that violent crime rates had fallen dramatically in 2010 despite a tough economy. The Wall Street Journal explained this seemingly counterintuitive situation away with a list of factors. But none of those factors seem to have caused a drop in cyber-crime, as the Verizon Data Breach Investigations Report (DBIR) showed. All this poses a question – can we apply any of these factors to reduce the rate of cyber-crime?
Factor 1: “Many more people are in prison than in the past.”
Sort of the same thing took place in the virtual world—and there are some lessons. With a high volume of arrests concentrated on those who hacked banks, hackers redirected their attacks to easier targets. According to this year’s Verizon DBIR:
Criminals may be making a classic risk vs. reward decision and opting to ‘play it safe’ in light of recent arrests and prosecutions following large-scale intrusions into financial services firms. Numerous smaller strikes on hotels, restaurants, and retailers represent a lower-risk alternative.
It isn’t that hackers “may be making” the risk calculation—they are. Of course arresting hackers from overseas as well as a high volume of script kiddies is inherently challenging, but law enforcement should see the obvious: arresting hackers focused on defrauding banks made a big impact.
Yet, as more hackers are being arrested, many more get in line to take their place. The low risk of arrest is in fact a major incentive to get into the industry. And since hacking is global, it’s hard to arrest hackers in countries that don’t want to respect and enforce cyber security laws.
We should hope more hacker operations will be exposed in the future. But as hackers are feeling the heat, they are adapting and are shifting tactics to stay ahead of the game. Tactic number one – get someone else to do the dirty work. The hacking industry has established roles from the creation of hacker toolkits to the sale of malicious applications. In this underground economy, the riskier the cyber-criminal’s activity is the higher his share of the profit. The criminal monetizing stolen credit cards for example may split his earnings 60-40 with the less risk-taking credit card buyer.
Attackers are also collaborating. A compromised computer may be used not only to siphon data such as bank account numbers and webmail credentials, but also used as a relay to enter the corporate network. Existing botnets, traditionally used as spam platforms are now being used to distribute malware as SecureWorks noted in its research. By collaborating with other criminal big shots, hackers can invest resources to build malware that evades detection, distribute a higher volume of malware, carry out more attacks and hide their tracks.
As we can see, hackers are feeling the heat but it’s not going to deter them anytime soon. They have changed tactics in order to bypass security controls, and this in turn provided a fertile ground for fellow hackers to continue carrying out successful attacks.
Factor 2: “Potential victims may have become better at protecting themselves by equipping their homes with burglar alarms, putting extra locks on their cars and moving into safer buildings or even safer neighborhoods.”
Consumers are notorious for their inability to protect themselves online. A University of Texas study, conducted a decade ago, highlighted how training was ineffectual and concluded that expecting consumers to lock the virtual doors was pointless. Time has exacerbated this problem as anti-malware products have been unable to keep up with the wave of malware crashing down on users. So what does this mean? Software companies need to take the lead in baking in security.
When it comes to protecting the core assets of a company, security is taking a seat around the business table. Intel understood the importance of security when they bought McAfee. CEOs are increasingly becoming more involved in security policy decisions. But money talks and these decisions evolve around what works and where to focus the security budget. Once more we can turn towards Verizon’s DBIR which clearly indicated that PCI DSS is working. The best thing enterprises can do is take a lesson from the credit card industry and self regulate. PCI is a solid model to get “potential victims to equip their homes with burglar alarms”.
Factor 3: “Policing has become more disciplined over the last two decades; these days, it tends to be driven by the desire to reduce crime, rather than simply to maximize arrests.”
In this cyber-world, this factor should be translated to putting intel to work. In my previous column, I discussed hacker intelligence as a necessary step in building a cyber-security strategy. Hacker intelligence initiatives help us understand how the cyber-criminal world is evolving, their business models, new tools and attack techniques. Studying this information allows us to rapidly adapt our defenses and even create new defenses before the next attack. In its article, the WSJ notes that “some cities now use a computer-based system for mapping traffic accidents and crime rates”. The same measure is being applied in cyber-security when we look at reputation-based controls. Based on different parameters such as whether the request is coming from a previously known malicious source, attackers are blocked before even entering the door of the enterprise.
But the industry is not alone in its desire to build intelligence on the cyber-underground. According to the Guardian, one in four hackers is actually an FBI informer. It is certain that the FBI implants cyber-moles in hacker forums, whether this number is exact or not –we are left to ponder. But as the security guru Bruce Schneier noted – if you were the feds, you would want hackers to believe this high percentage.
Factor 4: “A big improvement in the culture.”
Criminologists believe culture is a plausible cause for the reduction of physical crime, though it is a factor that is difficult to measure. Contrary to the real world, the virtual criminal world culture actually seems to be a place where hacking is honored. The ability to hide behind the computer makes hackers feel invincible, and not seeing the victim causes some hackers to assume their activities are harmless, merely child’s play. Given these conditions, hackers convene in their forums to boast about their successes and trade “war stories”. Hacker forums are rife with “young” hackers seeking out mentors to show them the world of hacking as well as experienced gurus offering these services in exchange for payment or a portion of their stolen loot. On the one hand, these places provide a way for people to find peers with similar interests; on the other, they are places where hackers can hack hackers. Looks like trust is one thing that hackers have a difficult time earning. Money, it seems, is worth a lot more than trust.
|Part in a Series – Read Noa’s Other Featured Columns Here|
Crime is crime – no matter its origins. Laws and regulations in this realm are evolving, but ultimately it is up to the law enforcement agencies to ensure the safety of the online users and businesses. These agencies can learn lessons from the physical world and apply these to the virtual world. There is a lot of work ahead, and in the meantime hackers are enjoying their status and are continuing to conjure new scams for users to fall prey. Stay tuned for next column as I discuss how hackers are abusing the news to promote their latest malware.