This week HP held a briefing on its latest security report, and it wasn’t pretty: it implies a level of weaponized cyber threats that will continue to advance at rates that could cripple commerce globally if the trend isn’t reversed. Like a lot of high-profile threats, HP argued the industry isn’t taking this one seriously enough. They may be right.
Let’s talk about security this week and why we may be overwhelmed in a few short years.
HP’s Wolf Security
Of the PC OEMs, HP has taken the most aggressive position to combat cybercrime with what appears to be the strongest and most focused security effort outside of IBM. They have created what amounts to a security company that is encapsulated by HP and thus focused on the kinds of threats that HP customers experience. HP is mostly known for printers and PCs, so its solutions revolve around those platforms, but it has research labs located worldwide, issues regular security reports and performs in line with standalone security firms in terms of focus and execution.
As a result of this focus, HP’s security reports tend to be more comprehensive, forward-looking, and tied to threats users experience. The threat landscape has intensified. In 2016, for instance, NIST reported that the damage being incurred in the U.S. may have reached $770B annually.
But the trends that the Wolf Security analysts identified could make this number look relatively trivial compared to what is coming.
The trends the analysts spoke to are particularly troubling. At the heart of their argument for why cybercrime is growing out of control is the industrialization of related efforts. Companies have been moving to provide cybercrime products and have created markets that sell exploits on identified servers, and credentials at scale (the price of a typical user credential is around $5 because of the sheer number of users who have been compromised).
This last point certainly speaks to why multi-factor authentication should be even more common than it currently is. These sales are occurring on something the analysts called the “invisible net,” private networks that provide cybercrime tools at scale that law enforcement is currently not able to observe.
These new industrial crime tool suppliers have become increasingly sophisticated, providing try-before-you-buy opportunities that demonstrate how a targeted exploit works. Even more frightening, they are rolling out crime tools as a service, meaning the criminal doesn’t have to buy the tool, only share what they make from it.
The increasing availability of cybercrime tools is changing the criminal dynamic and removing the need for hacking skills from the process. The tools do all the work, they are very easy to learn and use, and they increasingly don’t require much in the way of computer skills. Until now, most criminals were stuck in the past, and due to their lack of skills, they were forced to use non-technical scamming tools like phishing. But with these new tools, criminals gain capabilities similar to those of a professional hacker, potentially growing the total available market for cybercrime tools by several orders of magnitude and increasing the potential for damage at a national level to even more unacceptable levels.
HP’s Wolf Security is unique in the market and showcases a level of security focus that is unprecedented in the tech market. Its global capabilities and tools are market-leading in the space and the company’s view into the threat landscape being created by cyber criminals is in line with other named security firms.
They highlighted this week that the trend to industrialize the production of cybercrime tools will bring unprecedented capabilities to cyber criminals and equally unprecedented threats to both companies and users.
Recommendations to ensure timely patching, the aggressive identification and elimination of exploits, training and protections for users, the elimination and replacement of passwords, multi-factor authentication and tools that ensure least-privilege access naturally fall out of their report. But what also falls out is the need for governments to move against this cybercrime industrialization trend more aggressively before it results in unsustainable damage. That should be on the short list of changes that need to happen before things get even worse.