Page 1 of 2
A shift in the security landscape that has moved hackers to professionalize cybercrime will ultimately require organizations to make a cultural shift toward a more security-oriented mentality.
Hugh Thompson, chief security strategist for People Security, underscored that there was tremendous value for organizations to understand the mentality and motivations behind the current hacker threat in order to adopt a security-oriented philosophy and adequately protect their data from attack.
Thompson delivered his presentation, "Hackernomics and Gateway Data," at COMDEXvirtual, the online conference hosted by CRN parent company Everything Channel. The show takes place November 16 - 17, and sessions are available on-demand until May 17, 2011.
Thompson noted that the security landscape has undergone a significant shift in terms of defense technologies, accessibility of data and security threats over the last 10 years.
Once upon a time, it was incumbent upon organizations to protect their perimeter, usually with some kind of robust firewall. Not so anymore, he said.
"IT security used to be about building very strong perimeter -- a high wall -- between trusted folks in the enterprise, and everyone else. Today those perimeters are very porous," he said. "This has some interesting implications. Network defenses are covering a shrinking portion of the attack surfaces. They're covering less risk today."
At the same time, Thompson added it's simply easier for hackers to steal information these days with more access to legacy code and personal data online.
"There are lots of public records, all searchable online. There's detailed biographical information about almost anyone," he said. "Mechanisms that we've relied on for a long time, such as password reset [and] biographical questions, get less effective the more of that biographical information is online."
However, one of the biggest shifts is within the hacker community itself, Thompson said. Hackers of the previous decade overwhelmingly created cyber attacks for attention or to stir up trouble by launching viruses or other pranks.
Nowadays, hackers have become "more organized and professional in their appearance," he said. 'They're willing to invest. They're willing to build a credibility infrastructure to get you to fall for a scam."
"Most attackers aren't evil or insane, they just want something," he added. "Ten years ago, most attackers were evil or insane, especially those things that were done for fame. It wasn't towards some financial goal. Today, that's changed."
Often functioning like a corporation, hacker groups have built a complete underground economy around the business of cybercrime, complete with a division of labor that includes sales and marketing components, meeting places for buyers and sellers, money mules and digital cash companies that enable them to turn electronic records into dollars. Sellers of stolen credit cards even offer their buyers service level agreements, allowing them to get significant discounts on bulk orders of data.