Risk
9/14/2012
03:35 PM
Tim Wilson
Tim Wilson
Commentary
50%
50%

How Cybercriminals Choose Their Targets

Attackers look for companies with poor defenses and a lack of security skills, so no business, not even an SMB, is immune.

InformationWeek Green - Sept 17, 2012
InformationWeek Green
Download the InformationWeek SMB September special issue on cybersecurity, distributed in an all-digital format as part of our Green Initiative
(Registration required.)

Whom do hackers want to hack? This might be one of the most misunderstood questions in IT security. And misperceptions here often lead businesses to make poor decisions about their defenses.

Logic tells us that cybercriminals are like Willie Sutton--they go where the money is. Banks and other financial companies, as well as businesses with lots of credit card data, would be the prime targets, right? And the bigger they are, the better targets they make.

This same logic is often applied to attacks on end users. If you're going to target a user, make it a high-level executive, a wealthy individual, or an IT administrator who has access privileges to many different systems. Go for the users with the keys to the safe.

All of these assumptions are perfectly logical. But they're also all wrong.

Most cybercriminals just aren't all that selective. True, banks handle lots of transactions, but any company with money is a good target, and a company that sells snack foods or construction equipment may have far fewer defenses.

Similarly, the perception that cybercriminals target only big companies is a myth. Large companies have more money, but they also have big security teams and high-priced defenses. Small and midsize companies have fewer security skills and little in the way of security budgets, which makes them natural targets for cybercriminals who don't want to work too hard. As you'll see in this special issue of InformationWeek SMB, smaller businesses frequently overlook core security practices that leave their data--and their finances--at risk.

People Of Interest

There are similar myths on the end user side. While it may be logical to provide extra protection for CEOs and password administrators, the notion that highly placed employees are the only people spear phishers and other targeted attackers go after is mistaken. Sophisticated cybercriminals know they don't have to crack the CEO's passwords to get access to valuable data. Line-level employees, contractors, even employees' relatives can be part of the target base. These guys aren't choosy, as long as the target is a step closer to the information they seek.

Cybercriminals are looking for low-hanging fruit. Their targets are companies with poor defenses, a lack of security skills, and vulnerable end users. They're looking for unlocked doors and open windows. The path of least resistance will always be the one most beaten down by bad guys.

There are many other reasons a cybercriminal might target your company and your employees, but the message is the same: No business, no individual is immune. Whether you're Sony or a mom-and-pop shop, you may be a target today. How you respond to that threat could make the difference between being safe and being breached.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-0192
Published: 2015-07-02
Unspecified vulnerability in IBM Java 8 before SR1, 7 R1 before SR2 FP11, 7 before SR9, 6 R1 before SR8 FP4, 6 before SR16 FP4, and 5.0 before SR16 FP10 allows remote attackers to gain privileges via unknown vectors related to the Java Virtual Machine.

CVE-2015-1914
Published: 2015-07-02
IBM Java 7 R1 before SR3, 7 before SR9, 6 R1 before SR8 FP4, 6 before SR16 FP4, and 5.0 before SR16 FP10 allows remote attackers to bypass "permission checks" and obtain sensitive information via vectors related to the Java Virtual Machine.

CVE-2015-1916
Published: 2015-07-02
Unspecified vulnerability in IBM Java 8 before SR1 allows remote attackers to cause a denial of service via unknown vectors related to SSL/TLS and the Secure Socket Extension provider.

CVE-2015-3157
Published: 2015-07-02
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.

CVE-2015-3202
Published: 2015-07-02
fusermount in FUSE before 2.9.3-15 does not properly clear the environment before invoking (1) mount or (2) umount as root, which allows local users to write to arbitrary files via a crafted LIBMOUNT_MTAB environment variable that is used by mount's debugging feature.

Dark Reading Radio
Archived Dark Reading Radio
Marc Spitler, co-author of the Verizon DBIR will share some of the lesser-known but most intriguing tidbits from the massive report