Hackers: the invisible enemy

Cyber crime is a silent, invisible battlefield and an entire economy has sprung up online to support and feed a cycle of fraud and theft, as Rob Rachwald tells Police Professional.

Not long ago, a senior executive from one of corporate America’s large bellwether stocks received a telephone call from law enforcement explaining that the company had a major software vulnerability in its corporate website. The agent described the vulnerability and its location in great detail and requested that it be fixed immediately. But he refused to disclose how he knew.

At the executive’s request, the organisation’s chief information security officer (CISO) investigated the matter, confirmed the flaw and fixed it. Through forensics, the CISO discovered that a foreign government had penetrated the organisation’s applications infrastructure and was in a position to bring it down whenever the time was deemed right.

Cyber security is no longer just the job of IT. As the true story above highlights, cyber crime today is a silent, invisible battlefield. The anonymity and universal access of cyberspace makes cyber crime attractive and easy. If customers, partners and employees can access sensitive systems from anywhere in the world, then the same pathway to the core infrastructure and priceless data exists for hackers as well.

Defending against cyber crime is costing billions of dollars. According to Gartner, organisations worldwide spent $288 billion on information security products in 2007. The US Government is allocating $7.9 billion in 2009 for cyber security, which is $103 out of every $1,000 requested for IT spending – up 75 per cent from 2004. US companies spent $79 billion in 2007.

But is all this investment making an impact? Consider:

•The Web Application Security Consortium project analysed 31,373 web applications and discovered that they contained 148,000 vulnerabilities.

•Between 2001 and 2007, 180 million credit card records were stolen.

•The Washington Post reported that by August 2008, the number of successful data breaches had surpassed all breaches from 2007.

What’s not working? Businesses build applications to store, process and transact money and data for the sake of efficiency – but they often failed to properly defend these applications.

As businesses modernised, software security didn’t – and hackers have sniffed out the weaknesses. Traditional cyber defensive measures – including firewalls and anti-virus – protect against data breaches.

Application security: A new business imperative

The days of hacking for fun are over. The new face of cyber crime has evolved in two ways.

First, foreign governments are also after intellectual property, particularly in the military and security domain, and the Internet is their portal into the applications and databases that hold these secrets.

Countries such as China, for example, have now become proficient in the art of cyber warfare and cyber espionage after setting up specific hacking centres to this end.

North Korea, on the other hand, has invested in a hacking school, from which about 100 hackers graduate each year, while Russia fetes its cyber-savvy practitioners as national heroes. The rationale is, why invest vast sums in conventional weapons or risk international scandal if spies are discovered, when such operations can be conducted quietly online these days?

Second, the amount of money that can be made from online fraud and theft at relatively little risk compared to operations in the physical world inevitably makes such undertakings attractive. This means that both individuals on the make and organised crime are now becoming involved.

And a very sophisticated industry is also developing around the pursuit. Consider how the opponent has mobilised:

•In recent years, a growing number of hacker match-making sites have sprung up. These act in a similar fashion to a brokerage firm and bring people with a range