Computer crime is becoming good business, and the crooks are becoming increasingly efficient at what they do. The net result: Each attack is hitting victims harder, both in the data center and on the bottom line.
These are some of the takeaways from four major studies published in the last few days by some of the best-known researchers in the industry: the Computing Technology Industry Association (CompTIA), the Computer Security Institute (CSI), IBM's X-Force security research unit, and Symantec.
The four reports, each offering a separate view on the state of information security, agree on several trends that are shaping the evolution of cybercrime.
Symantec found an increase in the number of attacks that use complex toolkits, such as MPack, as well as an increase in multi-staged attacks, in which an attacker deploys an exploit to lay the groundwork for future attacks. (See Cyber Criminals Become More Professional.)
"The Internet threats we are currently tracking demonstrate that hackers are... making cybercrime their actual profession, and they are employing business-like practices to successfully accomplish this goal," said Arthur Wong, senior vice president for Symantec's Security Response and Managed Services unit.
IBM's study confirms both the increase in sophistication of attacks and the increasing commercialization of cybercrime. IBM's X-Force unit has identified more than 210,000 new samples of malware so far this year -- more than it found all of last year -- and an increasing instance of Trojan-type attacks suggests that the malware is becoming more complex and difficult to detect, the researchers say.
IBM also has detected an increase in the trend toward selling "exploits as a service," in which cybercriminals offer support as well as code. The latest trend is "exploit leasing," in which attackers test exploitation techniques with a smaller customer base and a smaller initial investment before attempting to broadly market their discoveries. (See IBM X-Force Report: Exploit-Leasing Popular.)
As cybercrime becomes increasingly more lucrative and professional, there is a corresponding increase in the effectiveness of each exploit, according to the studies. CompTIA's report indicates that the average severity level of a security breach has nearly doubled in the past 12 months, growing from 2.6 to 4.8 on a 10-point scale.
"This suggests that while the number of security breaches has stabilized, the breaches that are occurring are having a greater impact than ever on organizations," said Brian McCarthy, chief operating officer at CompTIA.
According to the CompTIA study, the average cost of a security breach now stands at $369,388. This figure is skewed by handful of companies who reported breach costs in excess of $10 million, CompTIA observes; about half of the respondents said their cost per breach in the last year was $10,000 or less. (See Severity Level of Breaches on the Rise.)
The Computer Security Institute study confirms that while the number of security breaches continues to grow slowly, the cost of those breaches is growing rapidly. The number of companies reporting 10 or more incidents grew from 9 percent in CSI's 2006 study to 26 percent in the 2007 study. (See Nokia Siemens in Talks to Buy Atrica.)
Perhaps more importantly, the cost of security breaches has more than doubled in the past 12 months, according to the CSI study. While breaches cost organizations an average of $168,000 in the 2006 report, 2007 respondents reported average losses of $350,424. (See Annual CSI Study: Cost of Cybercrime Is Skyrocketing.)
And the trend toward more numerous and more sophisticated attacks isn't limited to the enterprise. Distributed denial of service (DDOS) attacks are rising in the ISP space, and developments in botnet technology are making these emerging threats even harder to combat, according to a survey published earlier this week by Arbor Networks. (See Report: Attacks on ISP Nets Intensifying.)
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.