17 Jul 2008

The Perfect Storm

Its time to get your raincoats and lifeboats - the perfect storm is finished brewing - it is about to rain down upon us.

This may sound dramatic but I think that I may not be conveying the amount of pain that Information Security is about to receive. We will certainly have to step up our game.

Symantec and Verizon have done some interesting research into the underground hacker community and their findings are rather interesting. A bit scary too.

There is an entire community of totally different players that all work together to get from the point where a nerdy kid finds a vulnerability to where a hacker uses that to get into a PC, steal personal information and credit card details, sell them or use them and move on.

So far, it seems, that the community has been quite lazy and have just discarded company information to get to the credit card information and personal information (ID numbers, social security numbers, addresses etc).

This has provided us in Information Security with a perfect opportunity. We have been able to observe how hackers work while they have been taking information that is not our own. Companies that have credit card information have been the ones that were most under attack but those that don't handle credit card information have largely been ignored by hackers except for some members of staff who have been caught out but then they have only lost their own personal information.

There just really isn't a (black/underground) market for information that is not credit card or personal finance related.

However, it was always my feeling that the credit card/personal finance market would become saturated at some stage and the loosely-bound-but-still-very-organised-and-co-ordinated underground market would start to look elsewhere.

Essentially, the infrastructure is there for wide-scale information theft but the will wasn't there. I have thought this for a while my question was always - when will the will be there? When will Jack-the-hacker decide that credit card theft is no longer worth his time and start to deal in company information ?

Adrian Lane from Securosis thinks that the falling prices in the underground economy is humorous. I disagree. I look at it as very scary and the final puzzle-piece.

I think that the perfect storm is about to be unleashed.

Its time to get your raincoats and lifeboats - the perfect storm is finished brewing - it is about to rain down upon us.

This may sound dramatic but I think that I may not be conveying the amount of pain that Information Security is about to receive. We will certainly have to step up our game.

Symantec and Verizon have done some interesting research into the underground hacker community and their findings are rather interesting. A bit scary too.

There is an entire community of totally different players that all work together to get from the point where a nerdy kid finds a vulnerability to where a hacker uses that to get into a PC, steal personal information and credit card details, sell them or use them and move on.

So far, it seems, that the community has been quite lazy and have just discarded company information to get to the credit card information and personal information (ID numbers, social security numbers, addresses etc).

This has provided us in Information Security with a perfect opportunity. We have been able to observe how hackers work while they have been taking information that is not our own. Companies that have credit card information have been the ones that were most under attack but those that don't handle credit card information have largely been ignored by hackers except for some members of staff who have been caught out but then they have only lost their own personal information.

There just really isn't a (black/underground) market for information that is not credit card or personal finance related.

However, it was always my feeling that the credit card/personal finance market would become saturated at some stage and the loosely-bound-but-still-very-organised-and-co-ordinated underground market would start to look elsewhere.

Essentially, the infrastructure is there for wide-scale information theft but the will wasn't there. I have thought this for a while my question was always - when will the will be there? When will Jack-the-hacker decide that credit card theft is no longer worth his time and start to deal in company information ?

Adrian Lane from Securosis thinks that the falling prices in the underground economy is humorous. I disagree. I look at it as very scary and the final puzzle-piece.

I think that the perfect storm is about to be unleashed.