BreachExchange mailing list archives

The threat from cybercrime? 'You ain't seen nothing yet'


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Wed, 14 Aug 2013 09:35:25 -0400

http://www.cnbc.com/id/100959481

Combating cyber-crime will become an uphill struggle, with the tools
needed to commit technological crimes readily available to anyone
armed with a computer and a few dollars, experts told CNBC.

According to numbers collated by the Center for Strategic and
International Studies, the United Nations Office on Drugs and Crime
and antivirus firm Norton, cyber-crime is worth around $400 billion
annually. Cyber-crime can range from data mining and individual fraud,
to industrial and state-sponsored espionage. Worryingly, "cyber-crime
as-a-service" is also a growing phenomenon, where anyone can buy
hacking or malware software online.

"Now, everybody can be a hacker," Troels Oerting, head of the European
Cybercrime Centre, told CNBC on Tuesday. "You don't need to be
tech-savvy or to have a special education, you can simply just
download a program… With the increasing number of people on the
internet – which is set to reach 4 billion in a short amount of time –
we will see much, much more crime and it will be facilitated by these
cybercrime-as-a-service producers."

The cyber security market is worth around $60 billion a year and is
growing around 8 percent a year as more people try to combat
cyber-crime. However, Raj Samani, the chief technology officer of
McAfee EMEA, agreed with Oerting that the rapid evolution and
commodification of cybercrime meant that it still posed a great
threat.

"The previous view of a hacker was a technical genius, but today all
you need is $3, access to an online auction, and then you can go out
and buy half a million email addresses, or bring down a website. So
really, one of the biggest challenges we're facing as an industry is
how the bar has been set so much lower," Samani told CNBC.

According to research by PricewaterhouseCoopers (PwC), which has
researched corporate cyber-crime since the 1990s, security breaches at
large companies cost between £450,000 ($697,000) and £850,000 ($1.3
billion) on average, in 2013. For a small business, a breach could
cost anything between £35,000 and £65,000.

Andrew Miller, director of information security at PWC and Raj Samani,
vice president and chief technology officer at McAfee EMEA, talk about
the rise of cyber-attacks and what it means for the global economy.

"It really is a professional, industrialized, distributed industry,"
Andrew Miller, director of information security of PwC, told CNBC.
"Organizations or criminal individuals can go to a variety of places
and source the components for a sophisticated attack."

Oerting added that cyber-crime was challenging to police, as it eroded
the usual link between the perpetrator and the crime scene.

"I can be in a basement in Africa and actually attack thousands of
millions of people in many, many countries without even travelling and
that is a huge challenge for the police to see if we can handle that
threat," he said.

PwC's research suggested that of those companies reporting
cyber-crime, there had been a 50 percent increase in security breaches
from 2012, with half of those breaches by internal users. However,
only 11 percent of the attacks were malicious.

"What we've seen is a stabilization for attacks for large
organizations, but in the small company arena we've seen quite a big
jump, from 76 to 87 percent of respondents being attacked," Miller
said. "Larger organizations are beginning to put in the controls to
protect themselves, while smaller ones don't necessarily have the risk
assessment or the funding to put it all in place, so attackers
naturally swing from one set of targets to the next."

Oerting warned: "If we can get on top of it, I think humanity will
survive the internet but it will be a very, very bumpy road towards
that goal. We can reach it, but right now we're still in its infancy
and you ain't seen nothing yet."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
