Saturday, October 13, 2007

Cyber Security – Past, Present and Future

When one takes a penetrating look at the components of computer crime it reveals itself to be the same as any other crime. There's an attacker and a victim, and the attacker requires the same three components to be successful – Motive, Opportunity and Means (MOM).

In recent history computer crime was less prevalent, as the elements of MOM were few. Naturally the profit motive has always been around, but punitive revenge attacks such as denial of service, and malicious random attacks such as viruses created out of ego, are relatively new Motives. Means and Opportunity have also greatly increased as both computer knowledge and computer access have increased.

Years ago, few people knew how to operate a computer, and even if they did there was little value in attacking one. Most companies that might have been the target of an attack were not even connected to the internet. Now that the internet is all but ubiquitous, the Means and Opportunity are vastly increased.

As we have evolved, computers have become more user-friendly and many more people have started to use them, which has added more MOMs (easier access using the internet, money transactions all over the web, online gaming sites, web-based banking, etc.).

Looking at IT security history, the bad guys were always far more sophisticated than the people who tried to stop them, if those people were even aware of the threat, and the term security was only applicable in the physical world. Even if companies could conceive of IT security, it was almost impossible to achieve because of the lack of security professionals and the lack of security protection tools in the marketplace.

Today it's a different story. MOM is more powerful than ever. Even the uninitiated can download powerful intrusion tools and can find free written guides to penetrating systems. Millions of pages of instruction are available to anyone interested in reading them – massively accessible Means. In a few minutes you can hack a bank account and steal someone's life savings because there are still many financial institutions that are not protecting their clients and their systems with any sophistication – for some this presents irresistible Opportunity! So we see the stage is set today – powerful Motive, perfect Opportunity and the best Means.

Today the vulnerability in the electronic space can be reduced. There are many products and strategies that can be deployed. There are many robust tools out there that log attacks and prevent them in real-time. These tools and strategies can provide security for a committed company. As long as the defense is treated as an ongoing process and not an end-state the battle can be well-waged.

Another new aspect is that as our laws regarding cyber crime evolve, more and more computer crimes are being sent to court and attackers are being sent to prison. Computer crime is being prosecuted just like physical crime, so that when attackers try to attack a virtual target they will have the same chances of being caught and punished as criminals committing crimes in the physical world. Eventually only the most skilled attackers will escape prosecution, the same as in the physical world.

Having had a brief look at yesterday and at today, let's now examine what we expect for tomorrow.

So can we conclude that if companies can apply their focus and attention to providing ongoing modern IT security then most of the attackers can be easily kept unemployed? Unfortunately we cannot. As attackers are blocked from attacking one way they will seek another. In the past, attackers attacked networks and hosts until it became too difficult, so they switched their focus to attacking applications, which were more vulnerable than hosts.

Being blocked at the application level, attackers are now preying on the end users directly. This can easily bypass most of the company's IT security protocols and processes. In the last few years we have seen new attack patterns like XSS, Phishing and other client-side attacks, which take advantage of the fact that most users know nothing about IT security or their role in keeping things secure.

It was noted above that a bank with weak protection could be compromised in a few minutes. A bank where IT security is current and advanced can be much more difficult to compromise through a direct system attack. A much easier way to attack a bank account in a protected institution would be to trick a user into providing all of their login and other access details. This is the goal of most Phishing emails we see on a daily basis. These emails often ask for some sort of verification – in fact most of these emails are dressed up as security checks! In reality the user is redirected to a cloned website where the login data is captured and later used to compromise the account.

The same technique can be used for stealing security data details from employees. Phishing emails, phony phone inquiries and other social engineering techniques can be easily used to get confidential data that can later be used to penetrate corporate systems for any nefarious purpose. Shockingly the best way to get someone's security details such as a login ID and password combination is to just ask them for it! :)

So while the electronic battle is being waged in the corporate world and the defense of systems is getting better every day, individuals are still very much at risk. Root causes are older operating systems at home (most users are still running Windows 95/98), no anti-virus protection, and the general view of the computer as a home appliance. Unlike a refrigerator, which might run 10 or even 20 years, a computer cannot be used for the same length of time, and also you don't store your life savings in the refrigerator (except in movies, and for some crazy people).

People need to increase their security education and awareness and to form new habits while breaking old ones (e.g. stop writing passwords on post-its and sticking them to the monitor). The more we know the more we can protect ourselves from the bad guys.