The Internet isn't getting more dangerous because its risks are uncontrolled -- it's getting more dangerous because...
the risks have become organized and are aiming more precisely at defined weak points in specific companies, for the benefit of illicit corporations based thousands of miles away.
That's the picture painted by the Symantec Internet Security Report, a semi-annual study in which Symantec Corp. researchers examine the techniques, sources and motives behind Internet-based attacks during the previous six months.
But no matter how organized the bad guys become, the role of IT security and the value-added resellers (VARs) who provide it for their customers remains the same -- identify critical information, protect it at rest and as it moves, and protect IT hardware in the field, according to one consultant specializing in corporate security, forensics and liability.
The latest threat report shows a marked increase in the percentage of attempted data thefts, virus attacks, botnets, denial-of-service (DoS) attacks and other criminal activity that can be specifically connected to organized crime groups.
"The major themes we're seeing is that there is an increase in data leakage and the creation of malicious code that work with other elements in targeted attacks," said Vincent Weafer, senior director of Symantec's Security Response team and one of the authors of the report.
The increase in attacks on specific organizations featured custom-written malware at the high end -- mostly defense contractors or financial institutions -- and more generic approaches based on viruses and Trojans at companies that had not been targeted as specifically.
"As little as a year or two ago you were a John Doe on the 'net," Weafer said. "Now as the underground economy grows, we know you're a member of a financial institution because you get certain newsletters. We know you work for a certain company because of email address, and because of that we know you're part of a certain credit union. And, using that information, we can target that."
Command-and-control of the attacks is also more concentrated, largely by criminal gangs based overseas, according to FBI Special Agent Timothy Russell of the Boston Cyber Crime Squad, who hosted a Q&A session for attendees at last week's Secure World conference in Boston.
Criminal gangs in other countries have become specialized and highly organized, with different divisions focusing on different types of crimes, and others dedicated to laundering illicit income, he said.
"Not to pick on any one country, but Russia is a good one" as a haven for online criminal activity, Russell said. "They have a lot of educated people, and a lot of things that are crimes over here are not crimes over there. There are actually schools that teach [cyber crime]."
Those groups typically hire U.S.-based crackers to write the malware, create phishing sites, create botnets, or get control of computers that can be used to hide the source of spam or malware and launch the attacks.
"Once the target has been identified and the attack has been made, they hire runners to figure out how to actually get the money out," Russell said. "For example, getting the bank to send a fake ATM card, then going around and actually taking the money out.
Most of the cyber crime cases the FBI pursues are illegal computer-intrusion, fraud or Internet scams of various kinds, he says. Counter-intelligence work against state-sponsored foreign spy agencies is still heavy, but commercial crime is more common, and pulling away, he said.
That sounds pretty scary, but doesn't really change the priorities of either corporations or the security providers that work with them, according to Brian Gawne, central-region practice manager for CTG , a consultancy that provides advice on IT infrastructure, management and business continuity for more than 30 locations in the U.S. and Europe.
"Threats reach a scale they didn't before," Gawne said. "An antivirus failure or breakout isn't front-page news; losing 250,000 records containing personal information is going to catch more attention.
"But from a security standpoint, the basics never change -- define what your critical data is; define where it is; put controls on it to protect those assets, and make sure those policies are enforced," he said.
Endpoint security -- the current hot-button security term being used by Symantec and other vendors to point out the vulnerability of mobile devices -- is critical, but not revolutionary, Gawne said.
"You have to encrypt data when it's at rest -- on a hard drive -- and when it's in motion -- when it's moving across a network," he said. "Protect those laptops with encryption; prevent the use of USB dongles and external hard drives, and watch out for things like iPods and smartphones. Someone could walk off with the whole store with those things."