Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

9/15/2006
07:20 AM
50%
50%

Security's Silent War

Most targeted attacks come from groups of organized criminals, but we know little about them. So how do we solve the security crime problem?

If a hack falls on your company, and nobody reports it, does it help law enforcement stop computer crime?

Okay, maybe the question isn't as profound as the "if a tree falls in the woods" thing. But it does demonstrate a central truth about today's IT industry: While we're busy monitoring, analyzing, and remediating the tip, there's an iceberg of computer crime below the waterline.

Last week, we ran a story in which computer crime experts stated, in no uncertain terms, that the majority of targeted attacks against corporations are driven by groups of organized criminals working together, often with the help of someone from the inside. (See Stolen Data's Black Market.) Some of these groups are mafia types who see data theft as another revenue stream, like gambling or prostitution. Others are loosely-connected bunches of hackers who team up to steal information. Still others are essentially "hit men" contracted to infiltrate or attack an organization by a competitor or some other enemy.

They all have one thing in common: We know almost nothing about them. Technology experts see their exploits but know little about their motivation. Business executives know who their enemies are but are bewildered by attacks that are randomly targeted just to collect lists of vulnerable identities. Law enforcement agencies dedicate all sorts of resources to the problem but seldom make an arrest. I contacted the FBI, the Department of Justice, and Interpol for the story, and not one of them could connect me with an expert who could speak about trends in targeted attacks.

So with all the money and technology thrown at the problem over the past decade or so, why do we know so little about cyberattacks on corporations? The answer, not surprisingly, is the corporations don't want to talk about them.

In their annual study released earlier this year, the Computer Security Institute and the FBI found only 25 percent of companies that suffered security breaches reported those breaches to law enforcement agencies last year. About 15 percent reported the breaches to legal counsel. (See 11th Annual CSI/FBI Survey .) In our story about the black market for stolen data, one legal expert estimated only about 8 percent of computer crime cases ever reach outside counsel -- the lawyers who are best able to handle a computer crime case.

Why don't companies report these security violations? About 48 percent of companies are concerned about the negative publicity if a case becomes public, according to the CSI/FBI study. Another 36 percent are concerned that competitors would use the breaches to their advantage.

The net result of all of this silence is that well-organized criminals can basically do whatever they want. Security experts say that a hacker can hold a site for ransom at around $50,000, knowing the company would rather pay that sum than lose millions in downtime and negative publicity. Insiders who steal corporate data may face no stronger penalty than losing their jobs -- which they've already agreed to do when they defect to a competitor.

The fact is, computer crime will continue to escalate as long as criminals know their attacks will seldom be reported to law enforcement. And if we don't report the violations we see, then law enforcement -- and the industry at large -- will remain in the dark about the iceberg of exploits that make up the majority of the crimes.

So what's the answer? If companies report these breaches, they run the risk of losing their reputations and their businesses. If they don't, we'll never get enough data to effectively build a comprehensive security perimeter -- and prosecute those who break it. Perhaps law enforcement and legal authorities need to find a way to help corporations report crimes without allowing those reports to become public. But such a system would go against the grain of emerging state laws that require corporations to report suspected violations to the affected parties.

We don't have an answer. Do you? Please give us your input by posting a message to the board attached to this column. Maybe together, we can put a blowtorch to at least some of this iceberg.

Note: Your responses are invited! But please don't send email -- post your feedback to the Dark Reading message board.

— Tim Wilson, Site Editor, Dark Reading

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
Slideshows
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
Commentary
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-24259
PUBLISHED: 2021-05-05
The “Elementor Addon Elements� WordPress Plugin before 1.11.2 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
CVE-2021-24260
PUBLISHED: 2021-05-05
The “Livemesh Addons for Elementor� WordPress Plugin before 6.8 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
CVE-2021-24261
PUBLISHED: 2021-05-05
The “HT Mega – Absolute Addons for Elementor Page Builder� WordPress Plugin before 1.5.7 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by ...
CVE-2021-24262
PUBLISHED: 2021-05-05
The “WooLentor – WooCommerce Elementor Addons + Builder� WordPress Plugin before 1.8.6 has a widget that is vulnerable to stored Cross-Site Scripting (XSS) by lower-priv...
CVE-2021-24263
PUBLISHED: 2021-05-05
The “Elementor Addons – PowerPack Addons for Elementor� WordPress Plugin before 2.3.2 for WordPress has several widgets that are vulnerable to stored Cross-Site Scriptin...