Want to lower your risk? Lower the ROI of hackers

Hacking is no longer just a game for tech-savvy teens looking for bragging rights. It is a for-profit business -- a very big business. Yes, it is employed for corporate and political espionage, activism ("hacktivism") or even acts of cyberwar, but the majority of those in it are in it for the money.

So, security experts say, one good way for enterprises to lower their risk is to lower the return on investment (ROI) of hackers by making themselves more expensive and time-consuming to hack, and therefore a less tempting target. It's a bit like the joke about the two guys fleeing from a hungry lion. "I don't have to outrun him," one says to the other. "I just have to outrun you."

Of course, this only applies to broad-based attacks seeking targets of opportunity -- not an attack focused on a specific enterprise. But against those broad-based attacks, being a bit more secure than others is generally enough.

David Meltzer made that argument recently in a post on Tripwire. "How do you stop a smart attacker? Simple: reduce their ROI to make exploiting you fiscally irresponsible."

That is the consensus of other experts. "If you make it more difficult and less rewarding for the non-targeted, financially motivated attacker, she or he will likely move on to an easier mark," said Deena Coffman, CEO of IDT911 Consulting.

Bob West, chief trust officer at CipherCloud, agrees. "The commercialization of cybercrime in the last decade has elevated ROI as a very important factor in many attacks," he said.

So does Bogdan "Bob" Botezatu, senior e-threat analyst at Bitdefender. "Commercial, or non-state-sponsored hackers are usually trying to get the most profit with minimum amounts of money," he said. "The more difficult the attack, the less interested they are."

That, of course, raises the obvious question: What, specifically, should enterprises do to make themselves less tempting targets, especially since it is cheaper than ever to launch broad-based attacks?

While launching a sophisticated attack on a single target is still expensive and time-consuming and takes high skill, the marketplace on the so-called Dark Web provides "software apps for less-skilled thieves to purchase for little money and use to attack companies that leave their networks exposed or only have a single layer of security," said Coffman.

There is general agreement that an enterprise should start by evaluating its assets based on what an attacker would find attractive. But there are differences among experts about their worth. Most agree that the value of credit card data declines rapidly -- as soon as the breach is known, the cards are destroyed and replaced.

Russ Spitler, vice president of product strategy at AlienVault, said credit cards "are easy to steal, but actually reasonably difficult to turn into money at scale, due to the fraud detection that the card providers have developed." But, he said, credit cards remain a valuable asset for enterprises, "and the one that is easiest to sell."

He believes email lists have even less value. "They really require very high volumes to resell. Email lists are practically free these days," he said.

But not all his colleagues agree. Botezatu said customer emails, "are the foundation of any business. They are sold and rented on underground forums for a specific amount of money. Often they are sold to multiple cyber-criminals, so the profit, even if small, is constant."

And Coffman said email addresses are valuable because they are "now used as account names. Once an attacker has an email account, that can be used to reset and access all other accounts that use that email address. If your bank will email your new password to your email account, then access to your email account is akin to access to your banking account."

Source code is another asset that prompts mixed opinions. Coffman described its value as, "very high as the attackers now know how to compromise the application in a way that is unlikely to be detected."

But Meltzer contends that protecting source code is not money well spent, since, "the same source code essentially ships to all their customers anyway. Why bother breaking into the company to steal product source, when it's so much cheaper and easier to just buy it?"

Spitler agreed with Coffman that source code can be, "a resource to be used in developing future attacks against the company or other users of the software." But he said it is rarely a target in a broad-based attack for simple profit because, "it is very hard to resell."

He said the same is true of corporate intellectual property (IP), which has, "a very limited set of buyers -- the competitors of the company -- so when it is targeted it is likely a nation state or a focused effort sponsored by a pre-identified buyer of the data."

Coffman said Social Security numbers (SSN) can be enormously valuable, "because we are still using them as a means for verifying identity. Once someone has your name, address, and date of birth, which are all easily obtained, they can, with your SSN, assume your identity and obtain credit, be arrested, get a medical procedure under your insurance, etc., and wreak havoc on your life, for the rest of your life."

Whatever the value of various assets to an enterprise, the ways to improve their security are not necessarily complex or expensive. Meltzer recommended decentralizing them, so they are not all in one place.

Coffman agreed, adding that they should be protected with strong encryption -- something Bob West, chief trust officer for CipherCloud, said will effectively cut the ROI of an attacker. Even in the event of a breach, he said, it will be costly and time consuming to, "convert valuable data that's been strongly encrypted into its non-gibberish state."

One of the seemingly simplest ways to lower the ROI of attackers is to keep software up to date. Sophos Labs reported recently that, "91% of the booby trapped documents in our reports from January and February 2014 would have been rendered harmless by just two Microsoft patches, issued two and four years ago."

Experts are unanimous in saying enterprises need to install patches promptly. But Botezatu said it is not always as simple for them as it is for the individual downloading a fix to a laptop.

"Enterprises are known for their slow patching cycle," he said, "but this is mostly because they have to take the machines out of production, which means downtime and, implicitly, money loss.

"Another reason for not upgrading is that some applications custom-made for a company only work on specific configuration, such as Internet Explorer 6. An update would break the tools and rewriting these could be too costly for the company."

In general, however, the consensus is that basic but rigorous security measures will keep an enterprise ahead of the pack. "Organizations now have to focus more on restricting access to raise the bar," said Yo Delmar, vice president of MetricStream.

"That means a well-thought-out defense and in-depth strategy with continuous monitoring."

Coffman recommends having an outside company, "regularly scan for 'open doors' in your network that make you an easy target for the majority of potential data thieves that are just using inexpensive tools to troll for the slowest gazelle in the herd."


Stories by Taylor Armerding
