I’ve had several requests for a fresh blog post to excerpt something that got crammed into the corner of a lengthy story published here Sunday: A list of immutable truths about data breaches, cybersecurity and the consequences of inaction.
Here’s the excerpt requested from yesterday’s story:
“There are some fairly simple, immutable truths that each of us should keep in mind, truths that apply equally to political parties, organizations and corporations alike:
-If you connect it to the Internet, someone will try to hack it.
-If what you put on the Internet has value, someone will invest time and effort to steal it.
-Even if what is stolen does not have immediate value to the thief, he can easily find buyers for it.
-The price he secures for it will almost certainly be a tiny slice of its true worth to the victim.
-Organizations and individuals unwilling to spend a small fraction of what those assets are worth to secure them against cybercrooks can expect to eventually be relieved of said assets.”
They may not be complete, but as a set of truisms these tenets probably will age pretty well. After all, taken as a whole they are practically a model Cybercriminal Code of Ethics, or a cybercrook’s social contract.
Nevertheless, these tenets might be even more powerful if uttered in the voice of the crook himself. That may be more in keeping with the theme of this blog overall, which seeks to explain cybersecurity and cybercrime concepts through the lens of the malicious attacker (often this is a purely economic perspective).
So let’s rifle through this ne’er-do-well’s bag of tricks, tools and tells. Let us borrow from his literary perspective. I imagine a Cybercriminal Code of Ethics might go something like this (again, in the voice of a seasoned crook):
-If you hook it up to the Internet, we’re gonna hack at it.
-If what you put on the Internet is worth anything, one of us is gonna try to steal it.
-Even if we can’t use what we stole, it’s no big deal. There’s no hurry to sell it. Also, we know people.
-We can’t promise to get top dollar for what we took from you, but hey — it’s a buyer’s market. Be glad we didn’t just publish it all online.
-If you can’t or won’t invest a fraction of what your stuff is worth to protect it from the likes of us, don’t worry: You’re our favorite type of customer!
You forgot:
-Most victims (especially banks, casinos, and Fortune 500s) never report to vendors, so attackers continue to use the same zero-day for months or even years.
Even when they contract a researcher, it's under NDA.