Behind the Cybercrime Surge: Smarts, Laziness and Cool
Though it's less than halfway finished, 2011 has already been a banner year for cybercriminals.
They've managed to hack through security barriers and steal sensitive data from Sony, the email wholesaler Epsilon, the security firm RSA, the Fox broadcast network, NASA and dozens of other major corporations and government agencies.
Security experts say a combination of smart cybercriminals, lax security policies at high-profile organizations and a "cool" factor associated with hacking has made 2011 an exceptional year.
It's also quickly become a frightening and cautionary year for companies and governments trying to keep themselves secure.
Cybercriminals know exactly what they're doing
Behind every security breach, there's a cybercriminal who organized and carried out the attack, and knows what he's after and how to get it.
Ondrej Krehel, information security officer for Scottsdale, Ariz.-based Identity Theft 911, said online criminals don't just randomly launch attacks.
Rather, Krehel said, they focus on specific companies the devastating RSA hack , for example where the rewards of a successful breach outweigh the risks of getting caught.
These opportunistic attacks can reap loads of personal data such as in the Sony incidents that can then be mined for identity theft.
Targeted attacks, such as those launched against Sony, NASA, Fox and PBS, "are of much greater sophistication and often involved a lot more advanced planning and research in order to breach those companies' defenses," said Chet Wisniewski, senior security advisor with the British security vendor Sophos.
Yet no matter what a company or organization does to bolster its security, there is always a margin of error that can be exploited, said Tim Armstrong, malware researcher with the Russian security firm Kaspersky Lab.
The best a company can do, Armstrong said, is to implement a strong security mechanism to "make things as difficult as possible for hackers," who will, hopefully, "simply move on to other companies that are easier to get at."
The companies need to change
In cybercrime, as in any competition, the strength of the opponent must be taken into consideration. Armstrong said online attackers are doing just that, and reaping great rewards.
"I believe the criminals are choosing companies with weak security," Armstrong said.
Wisniewski put it another way: "They find the weakest in the herd and attack."
"Companies aren't taking security seriously enough," Wisniewski added. "In many of these cases, it is understandable that an attacker may get into your network, yet when they do, they have free reign over the environment."
At the root of some of the year's most devastating network penetrations were measures taken by companies to increase convenience, Krehel pointed out.
Krehel told SecurityNewsDaily that companies that have switched to less expensive data storage solutions, "such as cloud computing," may have erred on the side of convenience and left themselves vulnerable in the process.
"After a few years of financial struggle and budget cuts, especially on the technology side of the business, the effects are noticeable," Krehel said.
The cool factor
Mikko Hypponen, chief research officer with the Finnish security firm F-Secure, said that "hacktivist" groups such as Anonymous and the new but already infamous LulzSec have not only been the cause of multiple network penetrations this year.
With their seemingly callous regard for powerful companies' security , they've changed the entire security landscape.
"The generation that grew up with the Internet seems to think it's as natural to show their opinion by launching online attacks as for us it would have been to go out on the streets with bandoleros," Hypponen said.
He added, "The difference is, online attacks are illegal. But these kids don't seem to care."