COMDEXvirtual: Rise Of The Professional Hacker

A shift in the security landscape that has moved hackers to professionalize cybercrime will ultimately require organizations to make a cultural shift toward a more security-oriented mentality.

Hugh Thompson, chief security strategist for People Security, underscored that there was tremendous value for organizations to understand the mentality and motivations behind the current hacker threat in order to adopt a security-oriented philosophy and adequately protect their data from attack.

Thompson delivered his presentation, "Hackernomics and Gateway Data," at COMDEXvirtual, the online conference hosted by CRN parent company Everything Channel. The show takes place November 16 - 17, and sessions are available on-demand until May 17, 2011.

Thompson noted that the security landscape has undergone a significant shift in terms of defense technologies, accessibility of data and security threats over the last 10 years.

Once upon a time, it was incumbent upon organizations to protect their perimeter, usually with some kind of robust firewall. Not so anymore, he said.

"IT security used to be about building very strong perimeter -- a high wall -- between trusted folks in the enterprise, and everyone else. Today those perimeters are very porous," he said. "This has some interesting implications. Network defenses are covering a shrinking portion of the attack surfaces. They're covering less risk today."

At the same time, Thompson added it's simply easier for hackers to steal information these days with more access to legacy code and personal data online.

"There are lots of public records, all searchable online. There's detailed biographical information about almost anyone," he said. "Mechanisms that we've relied on for a long time, such as password reset [and] biographical questions, get less effective the more of that biographical information is online."

However, one of the biggest shifts is within the hacker community itself, Thompson said. Hackers of the previous decade overwhelmingly created cyber attacks for attention or to stir up trouble by launching viruses or other pranks.

Nowadays, hackers have become "more organized and professional in their appearance," he said. 'They're willing to invest. They're willing to build a credibility infrastructure to get you to fall for a scam."

"Most attackers aren't evil or insane, they just want something," he added. "Ten years ago, most attackers were evil or insane, especially those things that were done for fame. It wasn't towards some financial goal. Today, that's changed."

Often functioning like a corporation, hacker groups have built a complete underground economy around the business of cybercrime, complete with a division of labor that includes sales and marketing components, meeting places for buyers and sellers, money mules and digital cash companies that enable them to turn electronic records into dollars. Sellers of stolen credit cards even offer their buyers service level agreements, allowing them to get significant discounts on bulk orders of data.

Next: Organizations Will Need To Build Security Into Everything

Inflation in this underground economy occurs when security mechanisms render old techniques outdated, requiring more technical expertise and investment from the hacker, Thompson said.

Subsequently, Thompson recommended that truly protecting data will require organizations automatically to factor security into their IT infrastructure.

"Security is about mitigating risk at some cost," he said, adding that many security organizations actually overspend on security because they haven't assessed their risk. Perhaps surprisingly, "most cost of breaches comes from simple failures, not form attacker ingenuity," he said. "This is an important lesson for us to learn."

Most users will make naturally poor decisions about security simply because it's not intuitive from a performance or usability standpoint. Therefore, organizations will have to make security an inherent part of their culture by enabling users to make the best security choices, he said.

"We need to outsource the minimal amount of security decisions to the user or make it easy for them to make good security choices," he said. "Security is everyone's responsibility. It needs to be weaved in. We all have to understand security risks to some degree."

Register now to attend COMDEXvirtual or to access on-demand sessions.