informa
/
Vulnerabilities/Threats
News

Security's Silent War

Most targeted attacks come from groups of organized criminals, but we know little about them. So how do we solve the security crime problem?

If a hack falls on your company, and nobody reports it, does it help law enforcement stop computer crime?

Okay, maybe the question isn't as profound as the "if a tree falls in the woods" thing. But it does demonstrate a central truth about today's IT industry: While we're busy monitoring, analyzing, and remediating the tip, there's an iceberg of computer crime below the waterline.

Last week, we ran a story in which computer crime experts stated, in no uncertain terms, that the majority of targeted attacks against corporations are driven by groups of organized criminals working together, often with the help of someone from the inside. (See Stolen Data's Black Market.) Some of these groups are mafia types who see data theft as another revenue stream, like gambling or prostitution. Others are loosely-connected bunches of hackers who team up to steal information. Still others are essentially "hit men" contracted to infiltrate or attack an organization by a competitor or some other enemy.

They all have one thing in common: We know almost nothing about them. Technology experts see their exploits but know little about their motivation. Business executives know who their enemies are but are bewildered by attacks that are randomly targeted just to collect lists of vulnerable identities. Law enforcement agencies dedicate all sorts of resources to the problem but seldom make an arrest. I contacted the FBI, the Department of Justice, and Interpol for the story, and not one of them could connect me with an expert who could speak about trends in targeted attacks.

So with all the money and technology thrown at the problem over the past decade or so, why do we know so little about cyberattacks on corporations? The answer, not surprisingly, is the corporations don't want to talk about them.

In their annual study released earlier this year, the Computer Security Institute and the FBI found only 25 percent of companies that suffered security breaches reported those breaches to law enforcement agencies last year. About 15 percent reported the breaches to legal counsel. (See 11th Annual CSI/FBI Survey .) In our story about the black market for stolen data, one legal expert estimated only about 8 percent of computer crime cases ever reach outside counsel -- the lawyers who are best able to handle a computer crime case.

Why don't companies report these security violations? About 48 percent of companies are concerned about the negative publicity if a case becomes public, according to the CSI/FBI study. Another 36 percent are concerned that competitors would use the breaches to their advantage.

The net result of all of this silence is that well-organized criminals can basically do whatever they want. Security experts say that a hacker can hold a site for ransom at around $50,000, knowing the company would rather pay that sum than lose millions in downtime and negative publicity. Insiders who steal corporate data may face no stronger penalty than losing their jobs -- which they've already agreed to do when they defect to a competitor.

The fact is, computer crime will continue to escalate as long as criminals know their attacks will seldom be reported to law enforcement. And if we don't report the violations we see, then law enforcement -- and the industry at large -- will remain in the dark about the iceberg of exploits that make up the majority of the crimes.

So what's the answer? If companies report these breaches, they run the risk of losing their reputations and their businesses. If they don't, we'll never get enough data to effectively build a comprehensive security perimeter -- and prosecute those who break it. Perhaps law enforcement and legal authorities need to find a way to help corporations report crimes without allowing those reports to become public. But such a system would go against the grain of emerging state laws that require corporations to report suspected violations to the affected parties.

We don't have an answer. Do you? Please give us your input by posting a message to the board attached to this column. Maybe together, we can put a blowtorch to at least some of this iceberg.

Note: Your responses are invited! But please don't send email -- post your feedback to the Dark Reading message board.

— Tim Wilson, Site Editor, Dark Reading

Recommended Reading:
Editors' Choice
Kirsten Powell, Senior Manager for Security & Risk Management at Adobe
Joshua Goldfarb, Director of Product Management at F5