
Cyber crime is no longer the exclusive domain of computer prodigies. Crimeware-as-a-service, a term used to describe the many ready-made services available to execute a variety of cyber attacks, has made perpetrating cyber crime easier—and cheaper—than ever.

Cyber crime has come a long way since 2005, when Albert Gonzalez began hacking into the TJX Companies’ corporate network to ultimately steal and resell 45.7 million credit and debit card numbers. Back then, Gonzalez and his partners had to write the code they used to probe and penetrate TJX’s network and extract credit and debit card information from databases. It took specialized skills and a sophisticated knowledge of network and software security vulnerabilities.

Today, cyber criminals don’t have to be half as smart or savvy to break into a corporate network. It takes just a few dollars or bitcoins to buy malware and rent a botnet to sling infected emails or launch a phishing campaign. For as little as $13, online miscreants can use so-called “booter” services to initiate distributed denial of service (DDoS) attacks. Booters provide hackers with an anonymous network for perpetrating the DDoS attack, which hackers employ to paralyze websites or overwhelm servers to breach a corporate network. The DDoS attacks levied against several large banks’ consumer websites in 2012 and 2013 used a variety of booters.

Booters represent one example of the many cyber crime services available to a variety of bad actors, from hostile nation states and organized crime rings to disaffected teenagers. “A vast supply chain of malware authors, botnet owners and operators, distribution networks, hosting and resilience providers, and money movers has lowered barriers to entry and effectively turned cyber crime into a turnkey business,” says Lance James, Deloitte & Touche LLP’s head of cyber intelligence.

The proliferation of services designed to make cyber crime easier to perpetrate and harder for law enforcement to stop, sometimes called crimeware-as-a-service, greatly increases the odds of a business getting attacked, according to James. “It’s the cyber equivalent of giving out AK-47s, and it should cause corporate leaders to re-evaluate their cyber risk programs in the face of this threat,” he says.

Specifically, James advises CIOs to focus on three areas:

Assess the threat landscape. Like businesses launching new products, criminal groups and hacktivists run their own “campaigns” targeting specific organizations. “Hacktivists in particular are often vocal about their plans and targets,” says James, noting that they often promote them on social media sites and discuss them on a variety of online forums and file-sharing sites, like Pastebin or The Pirate Bay. “Organizations should monitor these forums to see if their company or industry is mentioned,” says James. “That visibility can make a big difference in a company’s ability to detect and prevent potential threats.”

Understand your adversary. In many cases, your enemy is just as likely (if not more so) to be a teenage hacker as a hostile nation state or organized crime gang, according to James. He says arrest records show that individuals apprehended for DDoS attacks are typically in the range of 12 to 20 years old. James says they’re driven by what they perceive as a challenge, a desire for Internet notoriety, and a deep-seated psychological need for validation.

“These kids are dangerous,” he says. “What scares me is having a 16-year-old on my network, grabbing any data he can get his hands on, then bragging about it and sharing it online.”

Theft of IP or confidential customer information is just the tip of the iceberg. Sometimes, teen hacker activity gets personal: They “dox” executives, meaning they find as much embarrassing, incriminating personal information about an executive as they can (address, phone number, how much they pay in real estate taxes, divorce records, personal emails) and post it online. James notes teenage hackers’ motivations for doxing are sometimes ideological: They target executives at companies whose mission or actions run counter to hacktivist beliefs. Other times, they’re simply opportunistic: They dox because they can.

Know your network. If hackers manage to enter your network, will they be able to access sensitive information? To answer this question, map your network and the location of customer data, employee data, financial information, intellectual property, and other assets at higher risk for theft. James urges companies that haven’t already done so to implement basic security measures and access controls to limit hackers’ reach. He also recommends redesigning lateral corporate networks so that they’re layered and compartmentalized. Tiered, compartmentalized networks help to further restrict unauthorized access and contain breaches when they occur.

*****

The underground market for cyber crime services has existed for more than a decade and, in that time, it has grown exponentially as the cost of perpetrating cyber crime has decreased while the ease has increased, according to James. “Cyber crime is now more lucrative than the illegal drug trade,” he notes. “Consequently, more people are attracted to it, making it an even bigger risk for organizations.”