Want to lower your risk? Lower the ROI of hackers

Most hackers are in it for the money. So, enterprises that make it more difficult and costly to breach them will send attackers looking for easier targets.

Hacking is no longer just a game for tech-savvy teens looking for bragging rights. It is a for-profit business – a very big business. Yes, it is employed for corporate and political espionage, activism (“hacktivism”) or even acts of cyberwar, but the majority of those in it are in it for the money.

So, security experts say, one good way for enterprises to lower their risk is to lower the return on investment (ROI) of hackers by making themselves more expensive and time-consuming to hack, and therefore a less tempting target. It’s a bit like the joke about the two guys fleeing from a hungry lion. “I don’t have to outrun him,” one says to the other. “I just have to outrun you.”

Of course, this only applies to broad-based attacks seeking targets of opportunity – not an attack focused on a specific enterprise. But, in those cases, being a bit more secure than others is generally enough.

David Meltzer made that argument recently in a post [http://www.tripwire.com/state-of-security/featured/attacking-roi-advanced-persistent-threats/] on Tripwire. “How do you stop a smart attacker? Simple: reduce their ROI to make exploiting you fiscally irresponsible.”

That is the consensus of other experts. “If you make it more difficult and less rewarding for the non-targeted, financially motivated attacker, she or he will likely move on to an easier mark,” said Deena Coffman, CEO of IDT911 Consulting.

Bob West, chief trust officer at CipherCloud, agrees. “The commercialization of cybercrime in the last decade has elevated ROI as a very important factor in many attacks,” he said.

So does Bogdan “Bob” Botezatu, senior e-threat analyst at Bitdefender. “Commercial, or non-state-sponsored hackers are usually trying to get the most profit with minimum amounts of money,” he said. “The more difficult the attack, the less interested they are.”

That, of course, raises the obvious question: What, specifically, should enterprises do to make themselves less tempting targets, especially since it is cheaper than ever to launch broad-based attacks?

While launching a sophisticated attack on a single target is still expensive and time-consuming and takes high skill, the marketplace on the so-called Dark Web [http://www.csoonline.com/article/2137223/data-protection/dark-web--an-ever-more-comfortable-haven-for-cyber-criminals.html] provides “software apps for less-skilled thieves to purchase for little money and use to attack companies that leave their networks exposed or only have a single layer of security,” said Coffman.

There is general agreement that an enterprise should start by evaluating its assets based on what an attacker would find attractive. But there are differences among experts about their worth. Most agree that the value of credit card data declines rapidly – as soon as the breach is known, the cards are destroyed and replaced.

Russ Spitler, vice president of product strategy at AlienVault, said credit cards “are easy to steal, but actually reasonably difficult to turn into money at scale, due to the fraud detection that the card providers have developed.” But he said credit cards remain a valuable asset for enterprises, “and the one that is easiest to sell.”

He believes email lists have even less value. “They really require very high volumes to resell. Email lists are practically free these days,” he said.

But not all his colleagues agree. Botezatu said customer emails, “are the foundation of any business. They are sold and rented on underground forums for a specific amount of money. Often they are sold to multiple cyber-criminals, so the profit, even if small, is constant.”

And Coffman said email addresses are valuable because they are “now used as account names. Once an attacker has an email account, that can be used to reset and access all other accounts that use that email address. If your bank will email your new password to your email account, then access to your email account is akin to access to your banking account.”

Source code is another asset that prompts mixed opinions. Coffman described its value as, “very high as the attackers now know how to compromise the application in a way that is unlikely to be detected.”

But Meltzer contends that protecting source code is not money well spent, since, “the same source code essentially ships to all their customers anyway. Why bother breaking into the company to steal product source, when it’s so much cheaper and easier to just buy it?”

Spitler agreed with Coffman that source code can be, “a resource to be used in developing future attacks against the company or other users of the software.” But he said it is rarely a target in a broad-based attack for simple profit because, “it is very hard to resell.”

He said the same is true of corporate intellectual property (IP), which has, “a very limited set of buyers – the competitors of the company – so when it is targeted it is likely a nation state or a focused effort sponsored by a pre-identified buyer of the data.”

Coffman said Social Security numbers (SSN) can be enormously valuable, “because we are still using them as a means for verifying identity. Once someone has your name, address, and date of birth, which are all easily obtained, they can, with your SSN, assume your identity and obtain credit, be arrested, get a medical procedure under your insurance, etc., and wreak havoc on your life, for the rest of your life.”

Whatever the value of various assets to an enterprise, the ways to improve their security are not necessarily complex or expensive. Meltzer recommended decentralizing them, so they are not all in one place.

Coffman agreed, adding that they should be protected with strong encryption – something Bob West, chief trust officer for CipherCloud, said will effectively cut the ROI of an attacker. Even in the event of a breach, he said, it will be costly and time consuming to, “convert valuable data that’s been strongly encrypted into its non-gibberish state.”

One of the seemingly simplest ways to lower the ROI of attackers is to keep software up to date. Sophos Labs reported recently that, “91% of the booby trapped documents in our reports from January and February 2014 would have been rendered harmless by just two Microsoft patches, issued two and four years ago.”

Experts are unanimous in saying enterprises need to install patches promptly. But Botezatu said it is not always as simple for them as it is for the individual downloading a fix to a laptop.

“Enterprises are known for their slow patching cycle,” he said, “but this is mostly because they have to take the machines out of production, which means downtime and, implicitly, money loss.

“Another reason for not upgrading is that some applications custom-made for a company only work on specific configuration, such as Internet Explorer 6. An update would break the tools and rewriting these could be too costly for the company.”

In general, however, the consensus is that basic but rigorous security measures will keep an enterprise ahead of the pack. “Organizations now have to focus more on restricting access to raise the bar,” said Yo Delmar, vice president of MetricStream.

“That means a well-thought-out defense and in-depth strategy with continuous monitoring.”

Coffman recommends having an outside company, “regularly scan for ‘open doors’ in your network that make you an easy target for the majority of potential data thieves that are just using inexpensive tools to troll for the slowest gazelle in the herd.”

Copyright © 2014 IDG Communications, Inc.
