A new type of threat has emerged that poses a significant risk to businesses - this threat is real. There are examples of it in the news. There are security experts who are warning against the risk. So why are most companies ignoring it?
It could be that most companies and most IT executives are training for the "last war" because the old threat has been in place for the better part of their careers as IT security professionals. It's the only danger they know.
A new threat emerged just a few years ago, and its reach and exposure are increasing faster than most companies realize. Before we examine this new threat, let's take a brief look back at the history of cybercrime and how we got here.
Phase 1: The Age of Phreaking
It's funny to look back at the seemingly innocent little things that end up having major, and often unintended, consequences. The age of phone phreaking, the precursor to hacking, began with one such episode. In 1971, the toy prize in a box of Cap'n Crunch kids cereal was a little toy whistle. This little whistle could be made to blow a perfect 2600Hz tone, which just so happened to be the frequency that unlocked a telco switch to open a long distance phone line. It wasn't long before teenagers all over were using these toy whistles to make "blue boxes," which allowed an easy way to tie into phone lines and make undetected long distance calls.
This may not seem like such a big deal now, but back then a cross-country phone call cost over a $1 a minute. This was the hurdle that had to be overcome to dial into remote computer networks and take tens or even hundreds of hours attempting to crack into them. With phreaking, the cost barrier to this type of "exploration" had been overcome. It was the birth of hacking as we know it today and it started with a free prize in a sugar-coated cereal.
Phase Summary: This was the discovery phase of cyber crime, marked by free and undetected long distance. Without the ability to obtain free long distance, hacking would have never been born (or at least would have taken longer to develop).
Time Line: 1970s – Early 1980s
Harm: Other than some lost revenue for "Ma Bell," there was little direct harm done to society or to business at large.
Phase 2: The Age of ‘War Gamers'
Once people (mostly teenagers) figured out how to reach remote networks without incurring any cost, hours upon hours were spent reaching, and then breaking into, remote computer networks. Networks at that time were mostly owned by government agencies, large corporations or universities, who would connect with one another to share information using low-speed, direct-connect modems. Security was limited to simple passwords, if there was any security at all. Most of the time was spent trying to navigate the systems.
This phase gave birth to computer clubs (the kids doing this were not referred to as hackers until much later). These clubs were merely social gatherings before the internet became available to the general (non techie) public. In this phase, data was rarely stolen or damaged and even when it was, it was rarely on purpose. These clubs often competed for bragging rights on electronic billboards. Towards the end of this phase, these clubs began educating each other on how various systems could be compromised. The skills needed to hack into a network proliferated on the electronic billboard underground.
Phase Summary: Future hackers and some prominent internet millionaires were learning and perfecting their skills, while growing a new sub-culture.
Time Line: Early 1980s – Early 1990s Harm: There was harm in the sense that there was trespassing on some very sensitive networks (such as the Los Alamos National Laboratory nuclear facility), but data was rarely stolen or destroyed. In the mid 1980s, the Computer Fraud and Abuse Act was passed – oddly, the law did not include a provision for the prosecution of juveniles, despite the fact that it was teenagers who were committing most of the crimes.
Phase 3: The Age of Anarchy
In the mid 1990's something changed for the worst. As the internet exploded in popularity and was embraced by every company on the planet, including the entire Fortune 5,000 and beyond, more hackers emerged. This new breed was not just looking to see if they could break into a network, they wanted to break the network altogether.
Whether the hackers were disgruntled employees, political activists or avowed anarchists, the object was to shut down networks, destroy data and interrupt the flow of business that had become more and more dependant upon computer networks in general, and the internet in particular. This age gave birth to the computer virus, the trojan and denial of service attacks. Near the peak of this era, a program called AOHell was released. This program allows low skilled individuals to easily create and launch network attacks. Sophisticated computer or hacking skills were no longer required to be a hacker, as thousands of "script kiddies" joined the fray.
Phase Summary: This phase was marked by the willful destruction of online property and the intentional disruption of online business.
Time Line: Early 1990s – Early 2000s
Harm: There have been many studies on the cost of network downtime, which ranges from tens of thousands per hour for some businesses to as much as tens of millions of dollars per hour for large financial institutions. While it is difficult to put an exact figure on the cost of the damage, we do know that a multi-billion dollar IT security industry was born from this era. This is the stage that spawned the proliferation of firewalls, Intrusion Detection Systems (IDS), Unified Threat Management (UTM), Virus Protection and the like. This is also the phase that most IT executives have spent their entire careers focusing on. It is against this Phase 3 threat that organizations dedicate their budget dollars. This is cause for great concern, as hackers have changed their tactics and organized crime has entered the market.
Phase 4: The Age of Theft for Profit
Since the early 2000s, there has been a growing threat from criminal elements that are looking to capitalize on the value of stolen data - information that is largely being sent in clear text on networks across the world. How big is the market for stolen information? Big enough that IDC has started forecasting its growth as a standalone market, currently valued in the billions and growing.
While most IT security news reports are still dominated by Phase 3 thinking, the bad guys have changed their game. They have found an easier method for obtaining private data that is much less expensive and much more effective. They are simply hiring employees or contractors inside the companies to steal the information. No hacking skills are required and there is no need to try to penetrate a firewall, spoof an IDS or outsmart a UTM defense. Unlike the previous phase, these cybercriminals want your network to be up and running as effectively as possible to ensure a smooth process of siphoning your data without interruption.
Whether it's on the network you own, your service provider's network, the dozens of smaller providers they outsource to on a regional basis or a foreign-owned network that your data passes over on the way to your overseas offices, criminals just have to find someone with insider access and pay them to steal your data.
A look at the Telecom Italia scandal provides a cautionary tale. Data stolen by an executive and members of the networking team was used in an extortion attempt – stolen data. Not stolen through a breach of sophisticated defenses, but stolen by company insiders who had access to data in clear text (unencrypted). Stolen not to make some grand political statement, but to make a quick buck or two. This is the new phase of cybercrime and the phase most worth protecting against.
Phase Summary: This phase is marked by the malicious and deliberate theft of data-for-profit.
Time Line: Early 2000s to present
Harm: The real harm here, at least in dollar value, has yet to be calculated, but it goes well beyond the actual dollar value of the raw data. Personal lives are harmed through identity theft, careers are destroyed as blame is laid for security breaches and the brand value of companies is tarnished for years or possibly decades, destroying shareholder value.
A new threat: A better defense
The bad news is that the defenses of the previous phases will not help you with this new phase 4 threat. While network security is important, the network is no longer the sole target requiring protection. Cyber criminals are now after your data. As put by Art Coviello, president of RSA at this years RSA Conference, "We need to secure the king instead of the castle. Information is king and it likes to move around."
For all the focus on the network defense and security, the net effect is that most companies have dug a deep moat and built a tall wall around the castle, but left the king sitting out in the open for all to see. If that wasn't bad enough, he regularly travels outside the perimeter defenses with no guards, protection or attempts to camouflage. He is just sent out in the open. If the bad guys who want a crack at him can't find an insider in the castle, they'll just wait for the target to come to them. Because they know that eventually it will.
So what is one to do? You must focus on protecting your data no matter where it goes. Encryption is the only method to truly protect the data itself. Protect your data from one end to the other via encryption. Encrypt it in motion. Encrypt it at rest. Provide the security keys to only those whom you want to see the data and the data becomes useless to the rest of the world. If you are worried about the operation cost of encryption and the issue of key management, look again. These old limitations have been resolved.
This new threat must be met by a new defense, a better defense. Organizations that adopt an encryption-based defense will protect their company's information and their customers' data – and ultimately prevent their company from being the example of "what not to do."
- Jim Doherty is the chief marketing officer for CipherOptics.