Cybercrime: Understanding the landscape

“Cybercrime is a growth industry. The returns are great, and the risks are low.”

“Net Losses: Estimating the Global Cost of Cybercrime,”

McAfee and the Center for Strategic and International Studies, 2014

Cybercrime is estimated to cost the global economy as much as 400 billion dollars a year, and that number is very likely to rise in the years ahead — most likely steeply. Some research even suggests a sharp upward slope that resembles a hockey-stick-shaped curve.

What’s driving the upward curve in costs? We have already discussed the fact that more and more businesses around the world are increasing their online exposure. The brick-and-mortar profile is shifting to the digital. And as more and more businesses migrate customer data onto the cloud, the cost of protecting it will skyrocket. All this innovative new software is allowing businesses to do amazing new things; the same technology, however, is incentivizing cybercriminals to keep innovating too. It’s simple: the greater the rewards, the more worthwhile the risk. The overall risks faced by cybercriminals have not increased compared to the staggering rise in rewards. As we have seen, the cost of entry is very low compared to the rewards. The prosecution rate for cybercrime is very low compared to other crimes; most hackers who are discovered simply shut down and reopen somewhere else with new aliases. At the same time, the global hacking community is tightly integrated and almost collegial; information and tactics are exchanged in places like the Dark Web in almost complete freedom.

On the other hand, we know that most businesses that are hacked are reluctant to make it public, and most incidents go unreported. It might be that the company is leery of damage to its reputation with customers, shareholders, or investors. It might even be that the company either is not aware of a hack or is oblivious to its scale or scope. However, an increasing concern for businesses — especially businesses in sectors like financial services and health care with huge customer databases — is the likelihood of civil litigation from massively expensive and time-consuming class action lawsuits. The more publicity there is about consumer data being breached in cyberattacks on businesses, the more consumers will expect and demand that their data be secured and protected.

Blowback from a cyberattack is an indirect cost that businesses can no longer ignore when deciding on their cybersecurity investment. Irreparable damage to a company brand is blowback. So is a class-action lawsuit, the time your company needs to shut down to recover from an attack, the cost involved in hiring all the extra expertise required, and so on. What a business needs to consider are not only the many direct costs involved in a cyberattack but also the myriad and complex — and increasingly expensive — indirect costs.


But first . . .

Hacking is pretty simple. When software is created, “firewalls” are built in to protect the contents from being seized, stolen, or in any way manipulated by unauthorized parties. The thing about firewalls is this: they are only as good as the designer needs them to be. And some aren’t even that good. Hacking is breaking in. We said earlier that all software will fail. It will. All you need to do is look hard enough and you will find defects. Firewalls are pretty much the same. Some are pretty good. Many are good enough. But none are foolproof. If a hacker has the incentive, it does not matter how secure you think your system is; it will be penetrated. The hack could be primitive and unsophisticated (kicking down the front door) or surpassingly brilliant and elegant (What do you mean we’ve been hacked? When? How?).

Entry can be through the front door, a back door, or through a window upstairs you can’t remember leaving open. In many cases (like ransomware) it’s the burglar who turns the tables and ends up locking you out.

Hacking is also pretty democratic: it recognizes no boundaries or colour lines; it makes victims of rich and poor alike, male and female. The victim could be an Iowa grandmother on a pension, a billion-dollar Wall Street commodities firm, or the director of the CIA (true story). All it requires — absolutely requires — of its victims is that they have data to lose. It hardly matters what it is. Of course, some data is more desirable than other kinds. But that won’t keep you safe. And the more data you have (or the more your data is stored with everyone else’s data), the more likely it is you’ll be hacked. Hackers tend to be smart, too, meaning most have more than average technical skills and a confidence level to match. Most hackers believe they are smarter than you (and they might be right, at least when it comes to the Internet). Also, most hackers have absolutely no remorse about what they are doing, and many even consider it an important (even necessarily noble) social service. Lots of purists insist that hacking is a way of keeping the system honest. Google the phrase “how to hack,” or something like it, for instance. You will be surprised at the effusive, enthusiastic, and almost gleeful tone of most entries, and by how helpful hackers are in terms of mentoring novices.

Someone like WikiLeaks founder Julian Assange may believe he is a cyberhero for releasing hacked emails exposing public officials or government agencies. Others, namely the millions who had their private correspondence electronically aired, might modestly disagree. The group Anonymous might also believe it is merely hacking on behalf of humanity. Well, it’s true the Boston Tea Party is remembered fondly in the US, for instance, but that is only because America won the Revolutionary War; a Brit might not have agreed that having his valuable stock of tea ruined by a bunch of liquored-up hooligans disguised as Native Americans was anything but serious criminal behaviour. In any case, it is ludicrous to pretend that the goal of the overwhelming percentage of hacking attacks is anything but criminally inspired, and most hacks — far and away the most — are grubbily monetary in intent.

We are less concerned with the reasons why hackers hack than with what they are doing and how. First, we’ll look at who the hackers might be and then at what the most common kinds of hacks are. The lists below are by no means complete, and the boundaries are fluid and flexible. A hacker could be in it just for the money or for money plus other reasons. What needs to be remembered, however, is that the hackers are evolving — becoming more experienced, sophisticated, and creative — much faster than the strategies for defending against them.

It isn’t a race the good guys cannot win; it is, however, a race where the bad guy always has a head start.