Last week’s SC Congress in New York City was short and sweet. The one-day security conference focused on emerging threats and case studies, including Barnes and Noble, Tyco and HSBC. There were several hundred in attendance. The multi-grain tunafish box lunch was delightful.
Among my favorite presenters was Mark Clancey, the CISO for the Depository Trust and Clearing Corporation (DTCC). You’ve never heard of this organization, but you use them every day. In fact, we all do. DTCC provides clearing and settlement for equities, bonds and securities for the US and 121 other countries. In 2009, DTCC settled more than $1.48 quadrillion in securities transactions. Yes folks, that was not a misprint. The number is so big that they had to make up a name for it.
In his talk he described the information security challenges they face, which are understandably different from most. Asked what he considered to be his greatest security hurdle, he responded “information sharing”. He went on to describe DTCC’s relationship with the FBI, the FS-ISAC and other information sharing organizations, and the difficulties they face. We’ve seen this problem cited countless times before, including its roots in 9-11. He closed by saying that “hackers communicate better than we do”.
But is this why we’re losing the war on cybercrime? As I wandered off, deep in thought it occurred to me that there may be other areas where hackers are outperforming us. Perhaps it wasn’t their cunning, but rather their ability to understand business, strategy and process that was their advantage? Sitting and waiting for the coffee break I came up with the following possibilities:
- Hackers don’t burden themselves with compliance – It may sound silly, but there are entire industries causing victimized organizations to become distracted from the real goal. Compliance regulations have good intentions, but applied in the wrong context or culture they can be counter-productive. Hackers get the job done in the most efficient and cost-effective way, without cycles spent on annual reporting or scans.
- Hackers don’t rely on technology – The tools in use by today’s hackers are simple and effective and are geared towards ROI. While no doubt a successful attack my require a reliable rootkit, if the one they’re currently using doesn’t work, they’re not afraid to move to an alternative. Technology is a means to an end, not a religion. And it’s generally inexpensive to make and support.
- Hackers know their risks – Whether you’re a hacker, hacktivist or corporate spy, the priority is not getting caught and they put lots of wood behind this arrowhead. The numbers speak for themselves; today there are roughly three million people incarcerated in the US (it typically runs at 1% of the population). In 2011, the FBI caught (not convicted) but 17 US citizens for computer-related crimes (the total is a measly 35 globally). The value of banks being robbed by gun is dwarfed by the value of banks being robbed by computer. You do the math.
- Hackers don’t use default passwords – While I remember only bits and pieces of this story, the morale still rings true. The FBI, along with their foreign counterparts in Estonia were working to extradite an alleged cybercriminal, his laptops and other computer equipment. The suspect, after being worked over for weeks by the Federali, finally handed his laptop encryption password over – it was a passphrase nearly 300 characters long.
- Hackers don’t have sensitive data – Sure it’s true that they have an asset that they’re generally trying to protect, but if they lose it or it’s stolen they know where to get more. Besides, is it really sensitive if it’s not even theirs? In addition, there are no HR databases. No credit card transactions (not on their own cards, at least). Hackers could teach us CISSPs a thing or two about reducing our attack surface.
- Hackers don’t trust – Aliases. Onion routing. Offline couriers. Money mules. There is no trust in hacking. This is essential to their survival.
Now this list shouldn’t imply that there aren’t idiot hackers out there throwing up pictures of their new Porsche (complete with Russian license plates and geotags) on torrents once in a while, but we don’t hear about those incidents all that often. The reality is, when it comes to Operational Security (OPSEC), hackers are beating us like a барабанчик.
We often recommend to clients that they “think like hackers” when developing their security programs. The idea comes from Sun Tzu – in knowing their attacker, they can best develop their security measures.
Perhaps we should also suggest that clients look to hackers when developing their business plan.
This morning I exercised my true American right. I voted.
For some, voting is a delicate process that involves days of analysis, research and personal preference. For some, just having the ability to vote is more important than the outcome.
For some, however the election is a ruse. A rote, choreographed series of motions undermined by well-scripted television ads, slick marketing campaigns and overstated commitments.
For those who truly understand the global state of information security, it’s something altogether different.
In fact some believe that the new regime has already assumed power. This new guard isn’t a bunch of Harvard-educated attorneys and career politicians. They have no experience in legislative process, and they’ve never run a campaign. They are nameless and faceless. They’re 17 years old. They’re in their mid-thirties. They’re Russian, British and American.
And they control the world.
Using 100 million infected PCs globally, they can shut down power grids and cause financial chaos. Using weaponized software they can destroy intellectual property and control military networks. They own your credit card number and can listen to your mobile phone calls. They are CyberGods, and there are no term limits.
They have assumed control.
The world in which they operate is limited only by their imaginations, and their cyberwar is not bounded by rules of engagement. Their power is growing. Their reach is expanding. Their wealth is multiplying. Their armies have already overthrown nations in Africa and the Middle East. They are so much more than thieves. They are organized. They are evolving.
They are motivated.
On this Election Day, remember that the true ruling party – this legion – was not voted into power by throngs of rabid fans, they were implicitly elected by a movement of ignorance. An ethos of apathy.
Throughout history the people have risen up to unseat their oppressors, but not before tremendous hardship. A body in motion tends to stay in motion, as Newton once said, and geo-political movements have been no exception. Those in power will do their best to stay in power, and the cybercrimelords that are feasting on our negligence will find new, more deceptive ways to maintain their rule.
We have waited too long. Their momentum is too great. This global network of organized cybercriminals will not simply resign. The people will need to rise up. We will need to stand and fight.
It may take bloody revolution.