As I prepare to give a talk today on Point-of-Sale (PoS) malware fraud trends in Prague this morning I am struck by the concept of a looming Cyber-Gomorrah. In the bible a place called Sodom and Gomorrah became so mature in their sinful ways that God destroyed them. eCrime has been maturing for a long period of time, from one-off Trojans, and literally child’s-play attack tools being used to take down eCommerce to big business in 2015. We’ve seen a clear change this century from singular attacks to automated fully scaled global attacks; from opportunistic to targeted; from unskilled script kiddies (SKIDs) to highly sophisticated adversaries; unorganized eCrime, hacktivism, and espionage, to highly networked entities working together on a global scale for their means and motives; from singular thoughts and methods in attack vectors to diverse and deep. PoS fraud has been disclosed in the news for the last 18 months but it started years prior in the planning and maturation that led to the tidal wave of breaches and disclosures we see today in 2015. Mobile is already quickly adopting multiple solutions that will also be leveraged for eCrime profits. In fact, your toaster, your refrigerator, your car…your everything will likely have some sort of interdependence upon technology with some sort of communication capability, even if it is only a passive RFID chip.
Do you and your staff have an accurate understanding of all of your assets and their dependencies and inter dependencies upon technology? Are they well managed within a multi-layered security program? Are you aware of specific threats to your industry, organization, and/or individuals from diverse global actors in eCrime, espionage, and others? If a breach were to take place are you ready for the business interruption, loss of reputation, and response necessary to handle such an event?
Such questions only scratch the surface of complex requirements needed to manage risk in such a complex fast changing technology dependent world. Our innovation is indeed partly our downfall as we see a looming Sodom and Gomorrah. The eCrime marketplace is very mature, with highly skilled actors, campaigns, and capabilities. They are way out in front of our reactive responses. Studies show that a majority of organizations will elevate “security” roles to a higher level and with more funding than ever before. But where will they hire staff from to help secure such assets and networks? And of those hires how many have time in the cockpit fighting this “cyber-war”? The reality is that the mass majority of staff members hired in the next few years for such security positions will not have training and experience sufficient to battle a highly trained and experienced adversary on a global scale.
A looming nexus of unskilled staff and an underwhelming security response to a tidal wave of highly sophisticated adversaries who rapidly and/or in real-time monetize eCrime assets for profit is at our door step. Will it be a Cyber-Gomorrah for us?; our undoing as we increasingly become dependent upon technologies that we can’t properly secure? It will get worse before it gets better. Dramatic changes in how we think, prioritize, and battle such threats is a requirement to avert massive financial and reputation loss.