
Thursday, May 19, 2016

"The Business of Hacking" -- Recommended Reading for CEOs, Boards of Directors, Governance Leadership

What is your view of the "hacking community?"  Is it one of masked computer operators working in a darkened room or that of a white-coated laboratory technician?  Well, your views of the hackers working on new products and "services" to steal your information may be substantially changed after you read the most recent document from Hewlett Packard Enterprise entitled The Business of Hacking:  Business Innovation Meets the Business of Hacking.

http://www8.hp.com/us/en/software-solutions/hacking-report/index.html?jumpid=va_gpnq3t2xdw  
This document is an easy and compelling read for Chief Executive Officers, Chief Information Officers, Boards of Directors, Risk Analysts and cyber security students.  The article does an excellent job giving a straightforward discussion regarding the "reality" of the cybercrime community and their "business models."

The HP whitepaper does a nice job clearly identifying "who" the "Bad Guys" are with a simple chart (shown below):


This is extremely helpful to those trying to understand cybercrime and cyber "hacking" because it shows there are different types of hackers with different motivations and capabilities.

The article almost reads like a Gartner report with a "Magic Quadrant" depiction of where the attackers are working relative to Payout and Effort/Risk to their "business."  The quadrant analysis is shown below:


Although the report doesn't go into details on how organized cyber crime is used by Nation-States, analysis has shown that some countries may be using organized cyber crime to carry out their cyber attacks, thus giving the Nation-State the ability to offer "plausible deniability."

Finally, this report will reinforce to the CEOs, et al., that the cyber crime business is just that...a business...where the hackers want to maximize profit and minimize risk...where the hackers need to do research and development and they need to have a finance minister to run their economic shop.

On a parenthetical note, in 2006 I wrote Chapter 1A, "Cybercrime's Impact on Information Security,"  in Cybercrime & Security edited by Pauline C. Reich.  In my article I discussed cybercrime as a business -- albeit nefarious - but with a CEO, COO, HR manager, VP of R&D, CFO, etc. and that their motives are focused on "....profit maximization and risk management..."

Key Take-Aways

This white paper from HP is a great educational piece to get to your Board of Directors, CEO, COO, CFO, CIO and cyber security students who need to realize that one way to hamper cyber crime is to alter the criminal's business operations .... raise their expenses and increase their risk.

###







Wednesday, April 15, 2015

SCADA Attacks are Up - Maybe We Need an ICS-OWASP?

In its annual security analysis -- 2015 Dell Security Annual Threat Report -- Dell observed that attacks have doubled on SCADA systems since January 2012.



Dell's report noted the following:

  • SCADA attacks increased from 91,676 in January 2012, to 163,228 in January 2013, to 675,186 in January 2014.
  • The majority of the attacks targeted Finland, the UK and the US.  And, according to Dell, these countries were targeted because SCADA systems are more common in these regions and more likely to be connected to the Internet.


An interesting graphic in the Dell Report also shows key SCADA attack methods -- useful info for a defender to be aware of...


Dell continued to comment that "SCADA attacks tend to be political in nature, since they target operational capabilities within power plants, factories, and refineries, rather than credit card information."  They are right...SCADA is NOT where the $$ is but you can certainly do some harm under the right circumstances.

Now the Dell report drew my attention today; however, back on March 11 the ICS-CERT published its ICS-CERT MONITOR for the time period September 2014 to February 2015.  In the report's cover graphic (below) there was a major increase in the number of incidents reported by the Critical Manufacturing Sector.  And, don't forget, Critical Manufacturing also uses SCADA for its larger plant control systems.


And, of course, the Energy Sector is a major user of SCADA controls due to the large geographic footprints they operate across.

Conclusions...

So the takeaway from these two reports is that attacks on SCADA systems are on the increase and when you look at the Dell graphic on attack methods, the miscreants are taking advantage of software issues we've seen for years with Web applications, etc.  Perhaps we need an OWASP initiative but for Industrial Control Systems/Software?  It does appear that the vendors need a lot of assistance in making their ICS software more secure.

###

Tuesday, January 27, 2015

ENISA Publishes Cyber Threat Analysis of 2014

Our friends at the European Union Agency for Network and Information Security (ENISA) have published the ENISA Threat Landscape 2014 on 27 January 2015.  The report includes some details on developments made in 2014 relative to the top cyber threats and emerging threat trends - mainly in the cyber arena.

You can download a copy of the report (Free) at:  http://www.enisa.europa.eu/activities/risk-management/evolving-threat-environment/enisa-threat-landscape/enisa-threat-landscape-2014




From the Executive Summary of the report, below are some of the "positives and negatives" of today's cyber threat landscape from ENISA's point of view.

Many of the changes in the top threats can be attributed to successful law enforcement operations and mobilisation of the cyber-security community (bolding by Ernie Hayden):

  • The take down of GameOver Zeus botnet has almost immediately stopped infection campaigns and Command and Control communication with infected machines.
  • Last year’s arrest of the developers of Blackhole has shown its effect in 2014 when use of the exploit kit has been massively reduced.
  • NTP-based reflection within DDoS attacks are declining as a result of a reduction of infected servers. This in turn was due to awareness raising efforts within the security community.
  • SQL injection, one of the main tools used to compromise web sites, is on the decline due to a broader understanding of the issue in the web development community.
  • Taking off-line Silk Road 2 and another 400 hidden services in the dark net has created a shock in TOR community, both at the attackers and TOR users ends.

But there is a dark side of the threat landscape of 2014:

  • SSL and TLS, the core security protocols of the internet have been under massive stress, after a number of incidents have unveiled significant flaws in their implementation.
  • 2014 can be called the year of data breach. The massive data breaches that have been identified demonstrate how effectively cyber threat agents abuse security weaknesses of businesses and governments.
  • A vulnerability found in the BASH shell may have a long term impact on a large number of components using older versions, often implemented as embedded software.
  • Privacy violations, revealed through media reports on surveillance practices have weakened the trust of users in the internet and e-services in general.
  • Increased sophistication and advances in targeted campaigns have demonstrated new qualities of attacks, thus increasing efficiency and evasion through security defences.

The report does include a summary table of trends (Page 4) that the reader may find useful.  A copy of the table is shown below with some highlights on the areas declining and a note about ransomware.



Lastly, one area the report raises as a new focus is "Cyber-Physical Systems."  These are engineered systems that interact with computing equipment and integrated to control, manage and optimize physical processes.  The areas they mention of concern are power supply, medical systems/healthcare, industrial systems and manufacturing, transportation, telecommunication, etc.  The report includes a table (below) of the Top Emerging (Preliminary) Threats to CPS (Page 67):



Overall, the report is of excellent quality and is a useful summary of the cyber issues of 2014.

###


Wednesday, March 26, 2014

Today's Cybercrime - The Market is "Growing Up"

I've been a student of cybercrime since my full-time entry into cybersecurity in 2001.  When I had some time on my hands recovering from an accident I actually spent a month reading every document I could find on the Internet covering the subject.

Well, I wouldn't recommend that you spend a month recuperating in front of the Internet, but you will find a report from RAND Corporation on today's cybercrime market fascinating and disturbing, and it will give you a sense of the maturity of the cybercrime market and its "workers and leaders."

http://www.rand.org/pubs/research_reports/RR610.html

The RAND report (picture above) is 83 pages of discussion about today's black market for such things as credit cards, passwords, identities, etc.  To quote the preface of the report...

This report describes the fundamental characteristics of these markets and how they have grown into their current state in order to give insight into how their existence can harm the information security environment. Understanding the current and predicted landscape for these markets lays the groundwork for follow-on exploration of options that could minimize the potentially harmful influence these markets impart. This report assumes the reader has a basic understanding of the cyber, criminal, and economic domains, but includes a glossary to supplement any gaps.

The final take-away to offer is another quotable quote from the report:

In certain respects, the black market can be more profitable than the illegal drug trade; the links to end-users are more direct, and because worldwide distribution is accomplished electronically, the requirements are negligible.

Action:  To my fellow security professionals, take a moment to give this to your boss and maybe the CEO and Board of Directors.  They need to see that the threat is real and the opportunities for the miscreants are increasing.  Hence, you need more resources - money, qualified staff, tools, techniques -- to do your job.

###