By Rodrigo Fragola, president of Aker
For some time now, experts in digital security and the media dedicated to the subject have been reporting an impressive evolution of the technological competence of digital crime, which acts both globally and locally.
This illicit segment already employs brand new and complex technologies, such as social engineering applied to social networks (using semantics, grammar and link analysis) and the "clustering" of thousands of slave machines for the collaborative processing of large masses of data. And these are just some of the examples of a level of excellence that most companies – and even national governments – are still far from mastering and that is already part of the cybercrime arsenal.
But the most surprising novelty that is beginning to be revealed is the sophisticated management view of criminal groups, involving the application of techniques and concepts still beyond the reach of most companies. It includes everything from the outsourcing of services to mass attacks, through which high-level criminals recruit highly specialized labor in the underworld of the web to produce attack tools.
But the list goes much further, covering, for example, the adoption of BPM (Business Process Management) tools to manage attacks and monitor their productivity, and the acquisition of malware under the "software as a service" model. In this last specific example, US experts from the company Lookout recently discovered a Russian crime center that makes a practice of "renting" malware components so that other criminals can produce digital artifacts aimed at multiple functions, such as data breach, information hijacking, diversion of "Bitcoins", theft of passwords, invasions of data treasures or remote control of the smartphones of thousands of users in order to commit still other crimes.
In this "malware as a service" model described by Lookout, partner-in-crime contracts take place on shadowy underground Internet channels. Nevertheless, their fishing for the "unwary" takes place exactly on the public thoroughfare of the World Wide Web where we, honorable citizens, establish our relationships and our business transactions.
In addition, the new virtual thieves do not locate their cronies openly, even in these dark zones. They constitute top secret lists known exclusively to the criminal groups themselves, which exchange "stickers" among themselves. And it is in these closed lists that they compose their metier and carry out their consortia. Once able to attack, through third-party code accessed in the cloud, the attacker "client" delivers part of its victims to the supplier of the "solution", and thus a sophisticated brotherhood is characterized.
If tracking and identifying an individual attacker, or disrupting a specific group specializing in the production of malicious code, was already a Herculean task for authorities and companies, imagine the current situation, in which the originator of the crime uses indirect routes that are so difficult to map.
To all this is added the glittering market for cybernetic weapons of all kinds, from which you can attack either a hydroelectric plant or a pharmacy chain, a cardholder or a cash carrier.
For the cost of a few dollars, it is possible for any adventurer to acquire malware to steal credit card information and then market this information underground to other cyber criminals, or simply prey on victims and reap direct dividends. The diversification of businesses and the definition of "niches" of preference for agents is another worrying sign of the maturation of crime, as it makes tracking and dismantling these groups even more difficult and complicated.
In other words, it can be seen that certain organizational practices, still in the consolidation phase in most companies, are today at a stage close to being trivialized in cybercrime communities.
The situation is, therefore, one of constant threat to the entire global cyber system, but it is especially dramatic for the small and medium-sized company, whose financial capacity and organizational culture fall undeniably short of this attack power, described here only in some of its aspects.
And while large companies and governments protect themselves, on the basis of increasingly significant investments in tools, people and consultancies, these most vulnerable parts of the Internet connection link end up contaminating the entire production chain, as they are inextricably linked to the largest global business networks. This is because, as we know, the current economy, as a whole, is essentially processed through electronic means.
This is how the market stall, for example, or the gym (with its low levels of informational or financial criticality) ends up transmitting high doses of insecurity to international card payment networks, thus nullifying the practical effect of millions and millions of dollars spent on security.
Fully aware of these facts, the payments industry and the security sector, as well as large corporations and governments, are constantly developing mechanisms and processes for the dissemination of secure practices, and trying to rigorously take them to all points in the chain. There are standardizations on the market such as PCI-DSS, which seeks to address the issue of security at the core and at the ends of the process, and a multitude of standards such as ISO 27000 and its variants.
There are numerous and well-structured technical initiatives, with great strategic effectiveness, at least from a theoretical point of view. But making them a reality requires a deeper democratization of access to technology and – mainly – to day-to-day management tools that, let's admit, are still not within the reach of the great mass of economic agents.
The good news, however, is that the new models for delivering applications and security services in the cloud are beginning to create scale so that the best-structured providers can support solutions that are compatible with the reality of companies as a whole.
This new class of providers, initially planned to serve the elite of the markets, and with all the necessary preparation for the permanent evolution and updating in the face of advances in the standard of crime, will soon be recognized as an important factor in the maturing of global Internet security.
This combined development could represent an important strategic gain, even from a national defense perspective. Something very positive at this moment is that the bodies focused on security and sovereignty are mobilized precisely to create a national (Brazilian) base of knowledge and devices that allow us to face cyber fragility also in its macropolitical aspect.
It is through this model that all companies in Brazil will be able to take a significant leap forward in the prevention, protection and documentation of network incidents, also allowing for greater sharing of alerts, experiences and discoveries between the most diverse public and private agents in the field of network security.
It is up to the Brazilian government to pay the utmost attention to the strategic nature of this emerging segment, either by promoting policies to encourage its technological evolution, or by collaborating itself (the public sector) in improving the skills that are articulated in its production chain.