Over the past 12 months we’ve seen a steady increase, some may say a stampede, in ransomware attacks and a move away from mega breaches.
I still don’t believe mega breaches will stop anytime soon – there are plenty of big corporations out there that are ripe for the taking. However, actually getting money out of the credit cards and personally identifiable information that are taken in these breaches is hard work, and in general cybercriminals will always look for the easiest and quickest way to make money.
Big breaches create big headaches when it comes to monetizing the illicit haul of data. You need money mules and credit card processors. It could take weeks to get your cash. And don’t discount the attentions of law enforcement either: A big breach can bring the heat down on even the best cybercrime gang. I think this is mostly why the criminal element has moved to ransomware.
As annoying as ransomware is, it’s petty theft. Lots of petty theft for sure, with the average haul being around $300 to $1,000. That’s hardly something that would warrant a visit from the busy officers in your neighborhood. It’s the cyber equivalent of “if you don’t pay me $100, I’ll break your car window.”
Small-time crime is usually easy to commit, too. Adrian Leppard, Commissioner of the City of London Police, asserts that around a quarter of organized crime groups in the UK are involved in financial crime. On top of this, a recent University of Cambridge study showed that 60% of cybercriminals had a record unrelated to cybercrime.
This points to the fact that cybercrime is attracting more and more criminals, and that is because the consequences are minimal and entry is easy – utilizing Cybercrime as a Service (CaaS) providers brings it all together in a nice, neat package. Based upon this data, I believe that staffing levels in electronic and cybercrime prevention have to be adjusted. It’s not like the people who were doing breaking and entering or mugging are suddenly going to become the next Lex Luthors of cybercrime.
If we look at the cybercriminals as wolves and the victim businesses as sheep, you need to ask the question: What happens when the wolves outnumber the sheep – or, put another way, what happens to the online economy if 70%-80% is being lost to cybercrime? Would your business go online anymore?
The folks supplying CaaS – the real Lex Luthors of cybercrime – are not dumb. I think they realize that they have the capability to destroy business online. They have had a great run of looting and pillaging. Yet, just like the pirates of the 17th century had their comeuppance, I think ransomware suppliers may fade into the cyber history books over the next few years, because ultimately if they destroy the very thing they feed off, they no longer have any reason to exist.
So, what is the next phase of cybercrime? I’m almost certain it’s going to be the Internet of Things (IoT). We will have to see how it becomes monetized. But don’t kid yourself: IoT security is already an issue for MSPs and IT admins. A report from Level 3, a network provider in the US, claims that more than one million web-connected consumer video cameras and DVRs are already compromised by cybercriminals, who use the devices for Distributed Denial of Service (DDoS) attacks.
If you’ve never patched the firmware on a robot, had to remove CryptoLocker from a Smart TV, or figured out how to wipe a lost Android tablet that has corporate data on it, start getting ready, as this is just the type of excitement you’ll need to expect. At DEF CON 2016, a proof-of-concept attack on a “Smart” thermostat asked for Bitcoin or it would set the temperature at 99.9°F (37.7°C).
I’ve spent the year talking and presenting, and getting folks prepared for this. Network segmentation and logging, together with the ability to write solid firewall rules that keep the IoT from being managed by bad guys, are the key. Expect tools to tell you when a Fitbit starts blasting out spam. The success of IoT security depends on your skills with things like Nmap and Wireshark.
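As an added illustration of that kind of logging check (not code from the original article): a short Python script that reads firewall log lines and flags devices on an IoT segment that try to reach several external mail servers. The segment `10.20.0.0/16`, the log format, the threshold and the sample lines are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumptions (not from the article): segment, log format and threshold are constructed.
IOT_SEGMENT = ipaddress.ip_network("10.20.0.0/16")
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MAIL_PORTS = {25, 465, 587}
SPAM_THRESHOLD = 3  # distinct external mail servers contacted by one device

# Constructed firewall log lines: "time action src dst proto dport"
SAMPLE_LOG = """\
2016-11-01T10:00:01 ALLOW 10.20.0.15 203.0.113.10 tcp 443
2016-11-01T10:00:02 DENY 10.20.0.15 198.51.100.7 tcp 25
2016-11-01T10:00:03 DENY 10.20.0.15 198.51.100.8 tcp 25
2016-11-01T10:00:04 DENY 10.20.0.15 192.0.2.44 tcp 25
2016-11-01T10:00:05 ALLOW 10.20.0.22 203.0.113.10 tcp 587
2016-11-01T10:00:06 ALLOW 10.10.0.5 192.0.2.44 tcp 587
garbled line
"""

def parse(line):
    """Return (src, dst, dport), or None when the line is malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    try:
        return ipaddress.ip_address(parts[2]), ipaddress.ip_address(parts[3]), int(parts[5])
    except ValueError:
        return None

def find_spamming_devices(log_text, threshold=SPAM_THRESHOLD):
    """Map each IoT device to the external mail servers it tried to reach,
    keeping only devices at or above the threshold. Denied attempts count
    too: a blocked connection is still a sign the device is misbehaving."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        src, dst, dport = rec
        external = not any(dst in net for net in INTERNAL)
        if src in IOT_SEGMENT and external and dport in MAIL_PORTS:
            targets[src].add(dst)
    return {str(s): [str(d) for d in sorted(ds)]
            for s, ds in targets.items() if len(ds) >= threshold}

if __name__ == "__main__":
    for device, servers in find_spamming_devices(SAMPLE_LOG).items():
        print(f"ALERT {device} tried mail delivery to {len(servers)} external hosts: {servers}")
```
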
Time magazine won’t put your picture on the cover as person of the year, but my view is that the MSPs and IT admins who support the networks on which IoT is going to run will be the heroes in the near future. You have the tools (more are coming), knowledge (tons of opportunities here), and capability – not to mention great community support – to do IoT security right. It is time to be rock stars, as the Kardashians and Taylor Swift will be nowhere if the network you build, maintain, and clean up is not working.
While you may never be in the spotlight, the spotlight will have an IP address, and that suddenly becomes your problem.
Ian Thornton-Trump, CSA+, CD, CEH, CNDA is CTO at Octopi Managed Services Inc. Ian is an ITIL certified Information Technology (IT) consultant with more than 20 years of experience in IT security and information technology. He enjoys and maintains a strong commitment to the security community. From 1989 to 1992, Ian served with the Canadian Forces (CF), Military Intelligence Branch; in 2002, he joined the CF Military Police Reserves and retired as a Public Affairs Officer in 2013.
You can follow Ian on Twitter® at @phat_hobbit.