If anything has been clear in the last couple of years, it’s that the barriers to becoming a successful cybercriminal keep coming down. Internet connectivity is more accessible, technology is more affordable, and traditionally ‘dumb’ devices are smarter. This has opened up a world full of opportunity for folks who want to make some easy money or have their mind set on punishing some political or personal targets.
To avoid getting into a long history of computer crime and the origins of the term ‘hacking,’ let’s say that modern(ish) cybercrime started in the 1970s. This is the decade when email was born, Bill Gates wrote some code, and Kevin Mitnick broke into his first major computer system. Through the 1970s, and most of the next three decades, cybercrime was for those who had inside access or advanced knowledge of how computers worked. Closed networks and BBS systems eventually gave way to worldwide Internet connectivity and increasingly affordable household access. While most Internet users were limited to the features provided by web browsers and applications like AOL, those with advanced skills were pushing boundaries and breaking laws.
Today the successful cybercriminal doesn’t have to be highly skilled or have privileged access to a system. The community of criminals on the Internet has made it possible for almost anyone to join them.
Anyone who is able to download a piece of software or copy and paste some script is able to join the ranks of the ‘script kiddie,’ or ‘skiddy.’ This is the low-skilled ‘hacker’ who uses the work of others in order to find and exploit vulnerabilities in other systems. They often leave significant tracks back to their own systems because they have only a basic understanding of what they are doing. Despite their relatively low skills, they have been responsible for significant damage with the politically motivated attacks against Amazon.com, MasterCard, Visa and PayPal.
Consumers of criminal services
There is a huge ecosystem of retail criminal services that makes cybercrime accessible to a broader and lower-skilled market. Consumers who purchase these services need only to pay a fee and provide a target. One example of this is the 2015 attack using the ‘DDoS for hire’ service LizardStresser. Six teens were arrested for hiring the service to attack a variety of retailers and other websites. Although some of the LizardStresser creators were arrested, the tool remains online and available for amateurs to use. Consumers of these services may be script kiddies, disgruntled former employees who want ‘revenge’ on a company, or even higher-skilled cyber criminals who want to use someone else’s infrastructure for an attack.
The hybrid criminal
And then there are the folks who are planning their own attack but need assistance with certain tasks. These folks are the ones who use services like Satan Ransomware-as-a-Service, where a criminal can log in to the Satan website and use the developer’s tools to customize the attack. The Satan site offers custom ransom configuration and payment tracking, and even provides malware tutorials to help with payload delivery. Once the ransomware is customized, the ‘customer’ then distributes it using his own spamming system.
Obviously the modern cybercriminal doesn’t need to have a lot of skills to wreak a lot of havoc. This ‘consumerization of cybercrime’ has created a much larger group of threat actors than we’ve ever seen before.
What does it mean?
Fortunately for the industry, many of the threat actors referenced above can be stopped simply because they use outdated or predictable techniques. Barracuda security solutions are able to stop threats like this with sandboxing and Advanced Threat Detection (ATD). New threats are found and neutralized quickly by the IT security industry, but ultimately the last line of defense is the user. Unfortunately, the user is almost always the weakest link in network security.
As I mentioned earlier, even low-skilled disgruntled employees and former employees can create a cyber risk to a company. While that is a valid threat scenario, most companies are more likely to suffer from an employee who isn’t malicious at all. Each careless employee is a point of vulnerability, and the threat actors welcome the assistance. According to this article, the average cost of a data breach is about $6.2 million, but only 45% of surveyed companies make security training mandatory for employees. Of those companies, 29% allow senior level executives to skip the training, which means that the most privileged users may not be getting any training at all.
IT staff clearly need some top-down help in order to create a culture of mindfulness when it comes to security. Installing insecure smart devices, using the corporate password for personal accounts, ignoring the dangers of suspicious links, etc., are habits that can be changed with model behavior and enforcement. With so many malicious actors launching attacks into the wild, you can’t afford to let your last line of defense be your weakest link.