According to a new report coming out of the RSA Conference 2018:
"The $1.5 trillion that cybercriminals generate each year includes $860 billion in illicit online markets, $500B in theft of trade secrets and intellectual property, $160B in data trading, $1.6B in crimeware-as-a-service, and $1B in ransomware. Evidence indicates cybercrime often generates more revenue than legitimate companies: large multi-national operations can earn more than $1B; smaller ones typically make between $30k-$50K."
How do we combat this?
I will suggest the best way to combat this is beginning with educating the potential victims. I believe if proper awareness/education is given it will reduce the amount of attacks, thus reducing the revenue generated through these illicit acts.
Although awareness is a primary & critical factor, it can't make a difference on its own. Let's look at a potential scenario for this...
Scenario: A company 'XYZ' has developed an extremely potent psychedelic drug and strives to make money out of it. It can't market this legitimately --- at least not immediately --- so a great way to do it is through social media. (Nothing complicated here, just create fake personal profiles, befriend users & lure them into trying it.) Assuming the drug is addictive, in no time there'll be a whole lot of customers & much profit for the company. Even if any action is taken and the site compelled to disable accounts / stop activity, it won't help if all this happens after the damage is done & illegitimate profits are made.
For a qualitative risk analysis, we can look at this as:
Putting it all into a risk matrix yields the following:
To address the risk, any of the following approaches may be used:
To mitigate this risk, 2 of the main options are:
Neither of these would work well by itself --- effective risk mitigation would depend on them being combined.
What usually happens is that government gets involved and tries to regulate it and make new laws (see GDPR, FISMA, etc.). Or companies get smarter about trying to protect it.
In an alternate universe some people may go to those companies to gain experience and then when the salaries become commensurate with the experience required to combat it, they will switch sides and go to protect the companies they once hacked.
As a security community we can combat this by increasing our skills and outreach opportunities. We can look for budding cyber talent and nurture and mentor them into the next-gen cyber warriors. In previous civilizations the older generations made sure to pass on their knowledge to the younger generations; however, we seem to be losing that ability. I keep preaching to my daughters that the world they live in is so amazing. They have more power in the palm of their hands than I did at their age. When I was young you had to go to where the information was, i.e. a library, a school, a mentor/sensei, etc. Now the power of the Internet brings it to the palm of your hands, although that can be modified/restricted/controlled by the powers that be (Google, etc.). Still, the amount of information out there is amazing and they need to take advantage of it before it gets controlled and restricted by censorship.
It is amazing that the book "1984" by George Orwell seems to be coming true...
So we combat this by looking to train up the next generation of cyber warriors.
More keyboard and less whiteboard.
First, we need to work toward introducing ways to effectively democratize threat intelligence data and share more. Instead, you see more hiding of threat data to avoid litigation, for competitive advantage, and to avoid reputation damage. Second, fostering even more security education is key. The best explanation that I have heard thus far is presented in a TED Talk from Caleb Barlow. See link below. Just my thoughts.
> effectively democratize threat intelligence data and share more.
Just curious...
What specifically does this mean... meaning examples of what "democratization" would do?
I hear this over and over again at conferences too but it's always a problem statement rarely a solution statement.
There are a lot of sources of threat data/intelligence out there which are publicly available, no?
Gov't
====
CVEs
CWEs
US-CERT/NCCIC
NIST
DISA
Commercial
=========
Symantec
Verisign
Cisco
FireEye
Others
=====
exploit-db
Hak5
Rapid7
...and literally hundreds of blogs and twitter feeds on the topic. I'm sure the forum could go on about sources other folks here use.
What's missing?
Leaked 0-day NSA exploits that were used in multiple waves of the ransomware were missing.
Exploits should be treated on par with biological or chemical weapons. Stockpiling them without disclosure to the security community should be outlawed internationally.
(@Caute_cautim) John,
The first thing that I would like to do is deconstruct the statistics that Ms. Sheridan used in her article so that we can understand what the problem actually is.
Ms. Sheridan compares the value of the entire universe of cybercrime to individual businesses. I would venture to say this borders on the Logical Reasoning error known as, “Lying with Statistics.” If you want to look at scale, compare the entire universe of online criminal business to the entire universe of legitimate business; or compare large criminal enterprises to large legitimate businesses, and small criminal enterprises to small legitimate businesses.
The second thing that I would like to recommend is that instead of concentrating on all the failures, let’s balance the successes, and ensure that we’re not shouldering too much of the burden. The best analogy that I have is the responsible use and maintenance of an automobile.
We expect, first of all, that if you drive to a bad neighborhood and get out with the engine running and the keys in the car, your house will probably be cleaned out and your car lit on fire under the freeway by the time you hitchhike or Lyft/Uber your way back home. You can tell people to act responsibly with their computers, but you will always have the equivalent of the person that gets carjacked, mugged, and burglarized after getting lightly rear-ended in the middle of the night on a street with no lights in the inner city. The analogy to this is the "Your Computer is Infected" pop-up with the number of a barely-English-speaking operator that offers to remotely fix your system while browsing a dubious web site.
We also expect the licensed operator of heavy machinery to be familiar enough with it to recognize safety concerns such as odd noises and smells, and to stop driving it and get the car looked at. We expect basic maintenance tasks like changing the oil and windshield wipers, inspecting and changing the tires and brakes, and updating the operating system and antimalware definition files to be performed. How often do you think mechanics see cars come in where the brakes are completely worn away, or a multi-thousand-dollar engine rebuild problem could have been prevented a couple of months earlier by replacing a $25 sensor when the Engine Light came on?
In conclusion, I would like to claim that the problem isn’t as bad as the article makes it seem. In my opinion, instead of shouldering a failure to protect people through “IT” means, we should be educating users on the responsibility they are undertaking by purchasing and using this equipment, using analogy and language they can understand. Finally, we have to accept that even though there are resources available, some people are going to ignore the “check engine light” and "drive" into a bad digital neighborhood with their computers… at least it makes for good “YouTube” videos and shock-news articles. So, we should be planning on identifying, isolating, mitigating, and recovering from these scenarios rather than reacting to them by surprise every time.
Sincerely,
Eric B.