10 Reasons Why IT Security is Getting Worse Not Better

CNet had an article a while ago an article entitled Data breach incidents are increasing which told the following tale:

In the recent past, about 30 percent of large organizations would suffer a data breach each year. This figure remained roughly consistent from 2005 through 2007. But in a November 2008 survey the figure had risen to 56 percent. So why is this happening?

Here are 10 reasons:

Insider Dealing Many company insiders and recent leavers are ready, willing and able to kill to collaborate with outsiders and have sufficient knowledge to help outsiders break in to areas of a network where critical data is stored. Every news story that tells of a data breach is also an advert to dishonest employees that highlights ways to boost their income. The paucity of stories about hackers being caught acts as a further incentive.

The Recession The devil finds work for idle programmers to do. Those programmers who have no moral scruples and lose their jobs are likely to turn to hacking as a worthwhile pursuit. They will often have sufficient knowledge and contacts within companies they've worked for to be a genuine threat.

The Black Hat Economic Ecosystem If you want to be proficient at Photoshop there are many sites of the web that can help you. The same is true if you'd like to set up a Black Hat business. There are many opportunities, including some that have minimal risk. For example if your the kind of geek that creates exploits you can simply auction them off for others to use. If you're into writing viruses there are hundreds of sites out there offering source code starter packs. Even the hacker community thinks Open Source is cool.

The Attack Technology is Impressive (so its users don't need to be) The time when Black Hats needed a Ph D in computer science is long gone. Anyone who knows how to download and install software can take a trip to the dark side. There are web sites that sell fully functional hacker toolboxes at prices of a few hundred dollars. I've been told that if you know the right hacker clubs you can even get well-designed root kits. That's frightening. The root-kit is the WMD of the malware world.

IT Security Technology Aside from the fact that some IT security technology is ineffective, like AntiVirus (always slamming the stable door after the horse has bolted), right now there is no vendor selling a comprehensive IT security platform which has the ability to manage all threats. Even if such a product set were available most companies would be unable to afford it. Truth is that getting through the security barriers that most organizations have in place just isn't that difficult.

An Absence of Forensic Information Among the inadequate defenses that many companies suffer from is the simple lack of good audit trails. With insider fraud it is often the case that even if you know who pulled off the fraud it isn't easy to actually prove it, because of the absence of log records. Some estimates suggest that only one in three internal hacks can be proved via digital forensics. This fact acts as an incentive to insider fraud or collaborative fraud that involves insiders.

Hacker Resources: Botnets It may not occur to you to think this way, but a hacker with a well organized botnets actually has more computing resources than your organization. Botnets often run to tens of thousands of computers and have been known to be larger than a million. A hacker with a botnet is well armed and dangerous. He would be able to multiple attacks at the same time, denial of service plus spam assault plus virus assault plus attack through recent vulnerabilities. The point of such an attack is to keep the IT security staff overwhelmed while you slip in surreptitiously and plant a back door. It will be very hard to identify the one attack that made it through because of the surrounding noise.
There's a Market for Stolen Data. You can pull off direct scams, like the recent one hacked in to a bank and raised credit limits on a few hundred cards and then had people all over the globe taking money out from ATMs on those cards. The problem is that you need a big team - although that particular raid netted $9 million, so I guess it could afford a big team. But if you manage, for example, to steal a whole file of thousands of credit card details, you cam always sell the data. Prices of $30 per credit card are not unknown and if you get the PIN number of the card (a difficult data item to get your hands on) then it could be $500 per card. There are markets out in cyberspace where you can sell data-not just credit card data, but Social Security Card data (for US citizens), birth certificate data, billing data and driving license data (all of which can be used to set up bogus bank accounts).

The Remote Hacker Is A Safe Hacker Sometimes hackers get caught but remote hackers get caught far less frequently. As a hacker, there's a good deal of sense in making it look like you're working from abroad even if you're not. Throw a bit of Russian into your code or use a few characters from an Arab or Chinese keyboard and always work through botnet PCs that are actually abroad. Keep your money in a convenient offshore account in the Cayman Islands or at least pass all your ill-gotten gain through there. Despite the fact that banks get hacked all the time, when did you ever hear of Cayman bank being hacked?

Success Breeds Success Above all else, success is breeding success. Until the risk/reward ratio for hacking activities changes the Black Hats are going to make a good living. Right now the vectors are all in their favor. The recession is ensuring that less money will be spent of IT Security and it will delay the move to more secure operating systems (i.e. to Vista from XP). Even if better security products (like whitelisting products) gain further traction, the growth will be slow and it will be many years before genuine authentication is so widespread that is begins to close the loopholes through which the hackers so deftly navigate.