Hackers are not script kiddies any more. They are sophisticated, mature, and keen business people who understand where to look for something they want and know how to get it. They have evolved, and so too must organizations if they are going effectively defend themselves against the attackers.
How did organizations get complacent? I would call it a combination of media hype and historically ineffective attacks. In the mid-1990s, the media became overwhelming in its coverage of "widespread damage" malicious software (called malware), feeding a sense of fear that computers had opened each of us to random attacks. First, viruses such as Michelangelo introduced the media to the concept that an attacker could launch a coordinated large-scale attack on anyone and everyone. Then, malware worms, such as Nimbda and Code Red, infected the media consciousness as self-replicating attack agents similar to the SkyNet of Terminator fame that would seek out vulnerable computer systems, infect them, and then use them to launch new attacks. Worms then evolved into Distributed Denial-of-Service (DDOS) attacks that brought down the networks of large companies, including Microsoft and Yahoo!, demonstrating that real damage could be done.
Those past attacks were more nuisances than damaging, though. From an IT perspective, responding to any attack was fairly simple, with the worse case being the need to "rebuild" a computer operating system. Businesses didn't fail because of the attacks, people weren't hurt by them, and no government agency really lost any data to them. Even when infected, organizations never really developed a sense that they were targeted, only that they were unlucky, preventing any sense of victimization that drives change. Reports of the attacks became boring, and thus ceased being good news.
Starting at around the 2007 timeframe, all of that changed. The attack vectors have evolved into "targeted" efforts characterized by a new sense of discretion and stealth. Hackers now build more traditional business structures to better monetize their efforts and have enhanced malware to quietly take advantage of the organizational complacency. Rather than attack randomly and increase the risk of detection, hackers now carefully mine corporate web sites and social networks such as LinkedIn to identify key "targets," and then proceed to attack those targets using "spear phishing" tactics to get them to install malware. A new class of persistent malware called "root kits" don't just infect machines, but give the attackers full long-term control to do whatever they wanted with the systems while evading anti-virus and network intrusion detection controls.
Hackers have evolved into a well-organized modern mafia that is crushing small businesses, defrauding banks of billions of dollars a year, and, as the Stuxnet worm demonstrates, sabotaging critical infrastructure. To effectively counter these modern hacking institutions requires more than just installing a new anti-virus product or network device. Organizations need new, innovative IT practices and professionals to implement them that disavow traditional approaches and protect organizations at their core.
Don't believe the lack of hype. Everyone is a target that is currently on the losing side of the battle. Organizations should demand more than the IT industry is generally providing them. To do our part, we're actively working to help businesses and government organizations defend themselves better with new, modern techniques that emphasize protecting the organization over implementing inappropriate security controls for security's sake.
In upcoming posts, I'll address the anatomy of the modern hacker organization and how to defend against one of the most prominent and fantastically effective attacks that one organization alone used to steal nearly $130,000 per day over an 18-month period.
We founded InfusionPoints to be our clients' first choice for an independent trusted partner to build secure systems that protect their employee's, partner's and customer's data