Why has cyber crime become organised and turned into a big black hat business? Does this mean there is money to be made (if so, how much?) and that major enterprises have a lot of work to do to protect themselves?
• Cyber crime is definitely involved in a lot of the data breach cases we work on these days, and more so in recent years. Organised crime is a business and therefore exists to make profit. Recent attacks have yielded an extremely large number of stolen payment card records, and we have therefore seen a dramatic drop in the price of payment card data or dumps on the black market. The asking price per payment card record is one per cent of last years price in some instances. As stated before, organised crime is a business and is therefore switching to more profitable targets, such as PIN data. By targeting PIN data, organised crime is able to directly withdraw cash from the consumers account whether it be a checking, savings, or brokerage account. This is much more of a concern from a consumer point of view as PIN fraud typically places a larger share of the burden upon the consumer to prove that transactions are fraudulent. This makes the recovery of lost assets more difficult than with standard credit-fraud charges. On the brighter side, we are happy to report that our investigative efforts in collaboration with law enforcement led to arrests in at least 16 cases (and counting) in 2008.
• Major enterprises do have a lot of work to do. But a large proportion of vulnerabilities would be neutralised if organisations followed their own policies. The three highest yielding attacks (Unauthorized Access via Default or Shared Credentials, SQL Injection, and Improperly Constrained or Misconfigured ACLs) are preventable through simple remediation efforts, and would be not permitted to exist in every organisations policy. Additionally, these vulnerabilities are detectable through simple scanning techniques. We believe that the complexity and business demands of technology environments often lead to omissions or an incomplete job being performed in the deployment and review of a technology environment. If the three simple vulnerabilities (Unauthorized Access via Default or Shared Credentials, SQL Injection, and Improperly Constrained or Misconfigured ACLs) were eliminated, it is likely that more than 90 per cent of the 285 million records in our case load from last year would not have been breached.
Who are the major bad guys and where are they based? What is being done by the authorities to track them down and how successful have governments been in doing this?
• The three main areas of bad guys that we see are (in order):
Sign up for CIO Asia eNewsletters.