Cybercrime is now an industry unto itself. And, just as any industry evolves, so does the cybercrime industry.
This industry is built upon enterprise data. Granted, there is a ready underworld supply chain and market for vulnerabilities, attack kits, botnets, APTs, phishing-as-a-service, ransomware-as-a-service and other evolving tools. Cybercriminals generate significant sums of money by trading up and down this supply chain. But stealing or obstructing access to enterprise data is the foundation of this value chain. If data were of no value to the cybercrime industry, none of these other elements would have value either, and the entire value chain (and industry) would collapse.
Cybercriminals will naturally gravitate toward the most efficient and risk-averse mode of operation. This fundamentally differentiates information security from any other IT problem. Information security is the only IT problem where financially motivated human actors are explicitly working to break your enterprise IT infrastructure. Their tactics will change. But what they’re after—your data—doesn’t.
In this post we discuss how the changing nature of cybercrime and app and data accessibility create risk, the essentials of application and data protection, and questions you can ask to assess how well your core data assets are protected.
Data is at the center of today’s digital environment. More data is in more places, available through more apps, accessed by more people, and cybercriminals have more places to sell it.
Any law enforcement professional will tell you, “theft is a crime of opportunity.” Fundamental to digital transformation is that enterprises are simply generating more data than ever before. It’s part and parcel of a knowledge-driven economy and how enterprises create and deliver value. All of this data—stored in an ever-shifting array of locations and repositories—simply presents more opportunity to the cybercrime industry.
"Apps" are fundamental to digital transformation. Manifested as mobile apps, customer portals, websites and even APIs, they are now the de facto way enterprises interact with other businesses and consumers. In addition to driving down enterprise costs, these apps directly generate much of the data driving how enterprises create value. This exploding app universe serves as a direct gateway to enterprise data, and exponentially expands the potential attack vectors available to the cybercrime industry. More opportunity.
Many criminals don’t get caught stealing. They get caught attempting to transact upon what they stole. The combination of Bitcoin and the dark web has reduced the transaction costs and hazards associated with being a cybercriminal today. There is less risk in relation to law enforcement, and less “counter-party” risk (a.k.a., one criminal ripping off another). This naturally draws in more actors, leads to increased specialization, and ultimately enhances the efficiency and effectiveness of the cybercrime industry as a whole.
Adding to enterprise exposure is the fact that more people now have legitimate access to data. So-called “knowledge workers” now number over 100 million. As an example, when bringing in a new hire, most managers extend an implicit trust so that person can perform their duties. The new hire is made privy to certain enterprise data assets. That is before counting all the data security risks associated with using contractors.
Looking externally, enterprises strive to let customers easily and directly access a multitude of apps and the data available through them. This is in fact one of the ways enterprises generate the data that is so valuable. The paradox is that this turns consumers—coupled with all of their intrinsic security flaws (e.g., weak or reused passwords)—into an attack vector.
In a knowledge-driven economy, enterprises have two core assets:
Since the origin of mankind, criminals have made money based upon one of two ways:
Cybercriminals are no different, and the cybercrime industry makes its money targeting these two enterprise assets.
Extortion involves DDoS and ransomware attacks; data theft occurs with application attacks and insider threats.
Extortion attacks directly targeting data didn’t exist at scale until the relatively recent ransomware explosion—such as those instances that targeted a number of hospitals in 2016. While ransomware targeting file servers is presently the most prevalent, expect cybercriminals to develop other extortion-type attacks (such as this or this) on a continual basis.
DDoS (distributed denial of service) is textbook extortion targeting enterprise apps, although perpetrators are also looking at other methods. For example, hackers can now lock all of the doors at a hotel and demand a ransom to unlock them. This gives new meaning to “denial of service.”
Apps, which provide a publicly accessible gateway to data, are the most visible vector for data theft. Historically, application attacks have exploited software vulnerabilities in the application code (e.g., OWASP Top 10 attacks such as SQL injection and cross-site request forgery). This still accounts for the majority of application breaches. However, cybercriminals have expanded to application/business logic assaults (e.g., price scraping and data alteration on e-commerce sites) and credential compromise/account takeover attacks.
Direct data breaches of database repositories are ultimately an insider threat problem. In almost all cases, they involve either:
As mentioned earlier, information security is different from any other IT problem because there is a financially motivated opponent. As long as there is money to be made—whether via extortion or theft—there will be actors constantly evolving their tactics. However, what they target remains constant: data, and the apps that front it.
As businesses have become more sophisticated in their understanding of the realities of managing threats from the cybercrime industry, we’ve seen the beginning of a shift away from focusing on the “attack du jour” (a.k.a., the latest tactic). The emphasis is moving instead toward better visibility and protection of the core assets that cybercriminals target, regardless of what tactics they may use at any given time.
The essentials of application and data protection
Application and data protection—whether protecting against extortion or theft—ultimately comes down to these essentials.
The existence of the cybercrime industry is predicated upon the fact that your data has value. While cybercriminals will continually evolve their tactics, what they’re after won’t change. Here are ten questions we’ve seen organizations use to “self-assess” how well their core data assets are protected.
Organizations that can satisfactorily answer these questions are in good shape to manage the risk posed by the cybercrime industry regardless of what tactics/attacks that industry is using at any given time.