Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

07:20 AM

Security's Silent War

Most targeted attacks come from groups of organized criminals, but we know little about them. So how do we solve the security crime problem?

If a hack falls on your company, and nobody reports it, does it help law enforcement stop computer crime?

Okay, maybe the question isn't as profound as the "if a tree falls in the woods" thing. But it does demonstrate a central truth about today's IT industry: While we're busy monitoring, analyzing, and remediating the tip, there's an iceberg of computer crime below the waterline.

Last week, we ran a story in which computer crime experts stated, in no uncertain terms, that the majority of targeted attacks against corporations are driven by groups of organized criminals working together, often with the help of someone from the inside. (See Stolen Data's Black Market.) Some of these groups are mafia types who see data theft as another revenue stream, like gambling or prostitution. Others are loosely-connected bunches of hackers who team up to steal information. Still others are essentially "hit men" contracted to infiltrate or attack an organization by a competitor or some other enemy.

They all have one thing in common: We know almost nothing about them. Technology experts see their exploits but know little about their motivation. Business executives know who their enemies are but are bewildered by attacks that are randomly targeted just to collect lists of vulnerable identities. Law enforcement agencies dedicate all sorts of resources to the problem but seldom make an arrest. I contacted the FBI, the Department of Justice, and Interpol for the story, and not one of them could connect me with an expert who could speak about trends in targeted attacks.

So with all the money and technology thrown at the problem over the past decade or so, why do we know so little about cyberattacks on corporations? The answer, not surprisingly, is the corporations don't want to talk about them.

In their annual study released earlier this year, the Computer Security Institute and the FBI found only 25 percent of companies that suffered security breaches reported those breaches to law enforcement agencies last year. About 15 percent reported the breaches to legal counsel. (See 11th Annual CSI/FBI Survey .) In our story about the black market for stolen data, one legal expert estimated only about 8 percent of computer crime cases ever reach outside counsel -- the lawyers who are best able to handle a computer crime case.

Why don't companies report these security violations? About 48 percent of companies are concerned about the negative publicity if a case becomes public, according to the CSI/FBI study. Another 36 percent are concerned that competitors would use the breaches to their advantage.

The net result of all of this silence is that well-organized criminals can basically do whatever they want. Security experts say that a hacker can hold a site for ransom at around $50,000, knowing the company would rather pay that sum than lose millions in downtime and negative publicity. Insiders who steal corporate data may face no stronger penalty than losing their jobs -- which they've already agreed to do when they defect to a competitor.

The fact is, computer crime will continue to escalate as long as criminals know their attacks will seldom be reported to law enforcement. And if we don't report the violations we see, then law enforcement -- and the industry at large -- will remain in the dark about the iceberg of exploits that make up the majority of the crimes.

So what's the answer? If companies report these breaches, they run the risk of losing their reputations and their businesses. If they don't, we'll never get enough data to effectively build a comprehensive security perimeter -- and prosecute those who break it. Perhaps law enforcement and legal authorities need to find a way to help corporations report crimes without allowing those reports to become public. But such a system would go against the grain of emerging state laws that require corporations to report suspected violations to the affected parties.

We don't have an answer. Do you? Please give us your input by posting a message to the board attached to this column. Maybe together, we can put a blowtorch to at least some of this iceberg.

Note: Your responses are invited! But please don't send email -- post your feedback to the Dark Reading message board.

— Tim Wilson, Site Editor, Dark Reading


Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
New 'Nanodegree' Program Provides Hands-On Cybersecurity Training
Nicole Ferraro, Contributing Writer,  8/3/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-08-08
In JetBrains YouTrack before 2020.2.6881, the markdown parser could disclose hidden file existence.
PUBLISHED: 2020-08-08
In JetBrains YouTrack before 2020.2.6881, a user without permission is able to create an article draft.
PUBLISHED: 2020-08-08
JetBrains YouTrack before 2020.2.8873 is vulnerable to SSRF in the Workflow component.
PUBLISHED: 2020-08-08
In JetBrains Kotlin before 1.4.0, there is a script-cache privilege escalation vulnerability due to kotlin-main-kts cached scripts in the system temp directory, which is shared by all users by default.
PUBLISHED: 2020-08-08
In JetBrains TeamCity before 2020.1, users with the Modify Group permission can elevate other users' privileges.