
Advantage: Bad Guys

As long as rules and practices leave loopholes, it's a cybercriminal's market

2:45 PM -- I'm thinking of becoming a computer criminal.

Seriously, folks. Lately, all of the trends seem to favor the bad guys. Legal loopholes, poor user practices, administrative blind spots -- there are so many opportunities for the cybercriminal. I'm just not sure where to start.

It's a computer criminal's market. But don't take my word for it -- look at some of the stories we've filed this week.

In California, the Governator said hasta la vista to a proposed law that would have made merchants more directly responsible for the damage to customers' identities following a security breach. Without such laws, merchants are bound only by Payment Card Industry requirements that continue to be flouted by smaller retailers. Advantage: bad guys who exploit vulnerabilities in retail systems. (See Schwarzenegger Terminates CA Retail Data Security Law.)

Webroot Software followed that thread with a study that proves small retailers and other small businesses are completely understaffed and underskilled to defend themselves against online attackers, both inside and outside the company. Many small businesses are not even aware of their vulnerabilities, and have done nothing to eliminate them, the study says. Advantage: hackers who target malware and spam toward mom-and-pop shops. (See Small Business: Hackers' Low-Hanging Fruit.)

And how about IT administrators? They've essentially had the run of the company data for decades, giving themselves the freedom to snoop any system or file they like at any time via administrative passwords and privileges. A new category of tools is closing this hole, but so far, it has been implemented by a small number of enterprises. Advantage: "insider" attackers. (See Wolves in IT Administrators' Clothing?)

Perhaps the most disturbing fact is that even if a company finds a vulnerability in its Website or systems, there's no law that forces the company to fix the problem. In fact, you're actually less liable if you don't know about a new vulnerability than if you knowingly avoid fixing an old vulnerability. Advantage: hackers who exploit new flaws in software or systems. (See No Breach, No Foul.)

Maybe the industry just had a bad week this week. But these four stories all point to fundamental, structural problems in the security environment that can't be solved with a simple round of new technology. They require a rethinking of laws and regulations, business and IT practices, ethics, and liability rules.

Rather than struggle with how to solve these problems, then, I've decided to become a computer criminal. It's a lot less complex and, from what I hear, the money's pretty good.

I wonder if they have a dental plan?

— Tim Wilson, Site Editor, Dark Reading
