BreachExchange mailing list archives

Want to lower your risk? Lower the ROI of hackers


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 7 Apr 2014 18:41:50 -0600

http://www.networkworld.com/news/2014/040314-want-to-lower-your-risk-280374.html?source=nww_rss


Hacking is no longer just a game for tech-savvy teens looking for bragging
rights. It is a for-profit business, and a very big one. Yes, it is
employed for corporate and political espionage, activism ("hacktivism") or
even acts of cyberwar, but the majority of those in it are in it for the
money.

So, security experts say, one good way for enterprises to lower their risk
is to lower the return on investment (ROI) of hackers by making themselves
more expensive and time-consuming to hack, and therefore a less tempting
target. It's a bit like the joke about the two guys fleeing from a hungry
lion. "I don't have to outrun him," one says to the other. "I just have to
outrun you."

Of course, this only applies to broad-based attacks seeking targets of
opportunity, not to an attack focused on a specific enterprise. But against
opportunistic attackers, being a bit more secure than others is generally
enough.

David Meltzer made that argument recently in a post on Tripwire. "How do
you stop a smart attacker? Simple: reduce their ROI to make exploiting you
fiscally irresponsible."

That is the consensus of other experts. "If you make it more difficult and
less rewarding for the non-targeted, financially motivated attacker, she or
he will likely move on to an easier mark," said Deena Coffman, CEO of
IDT911 Consulting.

Bob West, chief trust officer at CipherCloud, agrees. "The
commercialization of cybercrime in the last decade has elevated ROI as a
very important factor in many attacks," he said.

So does Bogdan "Bob" Botezatu, senior e-threat analyst at Bitdefender.
"Commercial, or non-state-sponsored hackers are usually trying to get the
most profit with minimum amounts of money," he said. "The more difficult
the attack, the less interested they are."

That, of course, raises the obvious question: What, specifically, should
enterprises do to make themselves less tempting targets, especially since
it is cheaper than ever to launch broad-based attacks?

While it is still expensive, time consuming and takes high skill to launch
a sophisticated attack on a single target, the marketplace on the so-called
Dark Web provides "software apps for less-skilled thieves to purchase for
little money and use to attack companies that leave their networks exposed
or only have a single layer of security," said Coffman.

There is general agreement that an enterprise should start by evaluating
its assets based on what an attacker would find attractive. But there are
differences among experts about their worth. Most agree that the value of
credit card data declines rapidly -- as soon as the breach is known, the
cards are destroyed and replaced.

Russ Spitler, vice president of product strategy at AlienVault, said credit
cards, "are easy to steal, but actually reasonably difficult to turn into
money at scale, due to the fraud detection that the card providers have
developed." But, he said credit cards remain a valuable asset for
enterprises, "and the one that is easiest to sell."

He believes email lists have even less value. "They really require very
high volumes to resell. Email lists are practically free these days," he
said.

But not all his colleagues agree. Botezatu said customer emails, "are the
foundation of any business. They are sold and rented on underground forums
for a specific amount of money. Often they are sold to multiple
cyber-criminals, so the profit, even if small, is constant."

And Coffman said email addresses are valuable because they are "now used
as account names. Once an attacker has an email account, that can be used
to reset and access all other accounts that use that email address. If your
bank will email your new password to your email account, then access to
your email account is akin to access to your banking account."

Source code is another asset that prompts mixed opinions. Coffman described
its value as, "very high as the attackers now know how to compromise the
application in a way that is unlikely to be detected."

But Meltzer contends that protecting source code is not money well spent,
since, "the same source code essentially ships to all their customers
anyway. Why bother breaking into the company to steal product source, when
it's so much cheaper and easier to just buy it?"

Spitler agreed with Coffman that source code can be, "a resource to be used
in developing future attacks against the company or other users of the
software." But he said it is rarely a target in a broad-based attack for
simple profit because, "it is very hard to resell."

He said the same is true of corporate intellectual property (IP), which
has, "a very limited set of buyers -- the competitors of the company -- so
when it is targeted it is likely a nation state or a focused effort
sponsored by a pre-identified buyer of the data."

Coffman said Social Security numbers (SSN) can be enormously valuable,
"because we are still using them as a means for verifying identity. Once
someone has your name, address, and date of birth, which are all easily
obtained, they can, with your SSN, assume your identity and obtain credit,
be arrested, get a medical procedure under your insurance, etc., and wreak
havoc on your life, for the rest of your life."

Whatever the value of various assets to an enterprise, the ways to improve
their security are not necessarily complex or expensive. Meltzer
recommended decentralizing them, so they are not all in one place.

Coffman agreed, adding that they should be protected with strong encryption,
something West said will effectively cut the ROI of an attacker. Even in the
event of a breach, he said, it will be costly and time consuming to "convert
valuable data that's been strongly encrypted into its non-gibberish state."

One of the seemingly simplest ways to lower the ROI of attackers is to keep
software up to date. Sophos Labs reported recently that, "91% of the booby
trapped documents in our reports from January and February 2014 would have
been rendered harmless by just two Microsoft patches, issued two and four
years ago."

Experts are unanimous in saying enterprises need to install patches
promptly. But Botezatu said it is not always as simple for them as it is
for the individual downloading a fix to a laptop.

"Enterprises are known for their slow patching cycle," he said, "but this
is mostly because they have to take the machines out of production, which
means downtime and, implicitly, money loss.

"Another reason for not upgrading is that some applications custom-made for
a company only work on specific configuration, such as Internet Explorer 6.
An update would break the tools and rewriting these could be too costly for
the company."

In general, however, the consensus is that basic but rigorous security
measures will keep an enterprise ahead of the pack. "Organizations now have
to focus more on restricting access to raise the bar," said Yo Delmar, vice
president of MetricStream.

"That means a well-thought-out defense-in-depth strategy with continuous
monitoring."

Coffman recommends having an outside company, "regularly scan for 'open
doors' in your network that make you an easy target for the majority of
potential data thieves that are just using inexpensive tools to troll for
the slowest gazelle in the herd."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/