
Global security strategist and best-selling author Marc Goodman explains why cyber attacks are getting bigger, more frequent, and more destructive, even as fewer people actually carry them out.

When you listen to Marc Goodman speak about the evolution of cyber crime, you begin to understand—at a deep and rather chilling level—why we’re seeing more and more massive security breaches. Goodman, a global security strategist and author of the best-selling book “Future Crimes,” has advised numerous organizations including Interpol, the United Nations, the U.S. government, and private sector enterprises on transnational cyber risk and intelligence. As Global Security Advisor and Chair for Policy and Law at Singularity University, his current areas of research focus on the security and risk implications of exponential technologies.

During a discussion of emerging technologies and cyber security risks hosted by Deloitte, Goodman shared some deeply insightful but alarming facts about cyber attacks and organizations’ vulnerability:

In 60 percent of the cyber attack cases analyzed in Verizon’s 2015 Data Breach Investigations Report, attackers were able to compromise an organization in minutes.

Two-thirds of breaches remain undiscovered for months or more, according to Verizon’s 2013 Data Breach Investigations Report.

Seventy-one percent of corporations that experienced a security breach in 2013 did not detect the incident themselves, according to the 2014 Trustwave Global Security Report.

The broadening scope of cyber attacks is a function of many factors, including the vulnerability of organizations and the increasing sophistication of cyber criminals. In this Q&A with CIO Journal, Goodman shares his insights on the highly professional and increasingly automated manner in which cyber crime organizations operate, and the impact of certain technologies on both cyber risk and the responsibilities of corporate technology and security leaders.¹

How has cyber crime changed over the past decade?

Goodman: We used to think of computer hackers as 17-year-old kids living in their parents’ basements. Today, the average age of a cyber criminal is 35, and 80 percent of black hat (i.e., criminal) hackers are affiliated with organized crime.² In other words, people are choosing this as a profession. That’s a radical shift, and it’s led to the creation of increasingly sophisticated criminal organizations that operate with the professionalism, discipline, and structure of legitimate enterprises.

A telling example is a now-defunct criminal organization known as Innovative Marketing that created a malware program it disguised as antivirus software. Using its crimeware tool to hijack Internet users’ Web browsers, Innovative Marketing deceived hundreds of thousands of people into disclosing their credit card numbers and buying its fake antivirus software. This criminal enterprise operated for three years before being shut down by the FBI and Interpol, both of which calculated its fraudulent sales of malicious software at over $100 million. Innovative Marketing maintained a headquarters in a three-story office building in Ukraine and even had an org chart with a CEO, CFO, CIO, and head of HR. HR was responsible for hiring mules and bringing criminals into the organization. The CIO was responsible for the dark Web infrastructure that enabled the company to operate clandestinely on the Internet. Innovative Marketing also had a quality assurance team that tested its malicious code against over 200 legitimate antivirus programs before releasing it. At its height, the “company” had more than 600 employees and operated in more than 60 countries.

What impact has crimeware-as-a-service had on cyber crime?

Crimeware-as-a-service refers to a variety of turnkey products and services individuals can purchase to perpetrate cyber attacks. Take Blackshades as an example. Using Blackshades, cyber criminals can script everything from keystroke logging programs to denial of service attacks to identity theft and ransomware. Crimeware has allowed cyber criminals to efficiently scale their operations and perpetrate ever larger attacks; rather than hiring programmers to create malware, they simply buy it, often at a relatively low cost. Consequently, fewer and fewer cyber attacks are actually perpetrated by a master hacker sitting in front of a computer, targeting a particular company. Instead, they’re increasingly carried out by software applications, and humans are disappearing into the background of cyber crime operations.

What cyber security challenges might organizations anticipate in the future?

Looking ahead, we’ll see even more challenges due to emerging technology trends like the Internet of Things. The number of devices connected to the Internet is growing exponentially, yet most are far from secure. The average Internet of Things device has over 20 identified security vulnerabilities. If we can’t protect the limited number of devices currently connected to the Internet, what will happen when we move to IPv6 and can literally connect an exponential number of objects? We’ve wired the world, but we’ve failed to secure it.

What impact will the growth of connected devices have on the CIO’s role with respect to cyber risk?

Good security programs take into account technological security, personnel security, and physical security, yet today, most CIOs and CISOs focus primarily on technological security. Going forward, CIOs and CISOs will have to be concerned with every physical object their organizations have connected to the Internet. Their focus will necessarily expand from securing information technologies to also securing operational technologies—the production line for manufacturers, medical devices for health care providers, and connected cars and trucks for transportation and logistics companies. CIOs and CISOs will also have to work much more closely with the executives in charge of functions like HR, facilities, physical security, and loss prevention to close security gaps. The bad guys have repeatedly demonstrated their ability to slip through the gaps created when enterprises segment security across various functions within their organizations.