Our Global Security Intelligence team released its "2006 Global Business Security Index Report" yesterday, and I had an opportunity to conduct an email exchange with my cybercrime sleuth colleague, David Mackey, about this year's survey results and the overall state of cybercrime. David is a lead with IBM Global Services' Global Security Intelligence Strategic Outsourcing practice and editor of this year's report, and provided some most intriguing and insightful observations about the state of information security.
Question: First of all, can you give us a little bit of background on the Global Security Intelligence Services team. What do they do, and how did their Top 5 Predictions come about? And building on that, how's their track record thus far?
Answer: The IBM Security Intelligence service started back in 2003 as a way to give both IBM and our customers more advanced warning about impending IT threats. We do that by monitoring: security monitoring data produced by IBM Managed Security Services, any manner of Web sites, blogs, RSS feeds and mailing lists dedicated to security topics, and discussions with organizations like FIRST and AVIEN. Part of our service is tracking vulnerabilities, malware outbreaks, and other threats as more of a tactical response to every day issues. The other portion of the service is to look back on a monthly basis to see trends, important news, and other important points in the discussion of IT threats. The annual report that's received some attention lately is our attempt to summarize the key points of 2005 and look forward to 2006. This is our second year in providing predictions, so it's too early to tell how powerful our psychic abilities truly are.
Question: Renowned bank robber Willie Sutton used to joke that he robbed banks because "that's where the money is." So where's the money these days? Is it all sitting on a server somewhere, and what are some of the typical scams or guises that cyber criminals employ to try and get to my money?
Answer: There is a vibrant underground economy thriving on acts of malice on the Internet. There are thugs, mules, money launderers, gangs and bosses. They just tend to be a little more geeky than the individuals we typically associate with organized crime. These folks steal information from computers using various forms of malware. They extort Web sites by threatening to cause a denial of service unless the miscreants are paid. They trick users into divulging financial information via phishing attacks. The crimes are various, diversified, and innovative.
Question: Okay, thx. I saw that "botnets" are going to be one of the biggest threats to the Internet, and that newer botnets are going to use different methods for command and control, including jumping into peer-to-peer and IM networks. Are botnets something that IBM customers should be increasingly concerned about, and if so, what precautionary measures can they take?
Answer: Bots and botnets have been around for at least five years. However, the more concerning fact is: in 2004 and 2005, the number of infected systems participating in these botnets increased significantly. Of particular concern was the arrest in the Netherlands of three botnet operators reported to have commanded 1.5 million compromised systems. These compromised systems may have carried out any number of orders from the bot operators, including: conducting denial of service attacks, logging keystrokes on vulnerable systems, and stealing other sensitive information. We think (peering into our crystal ball) that arrests like that will put botnet operators on edge. To avoid future detection, we think they'll avoid commanding large botnets and instead use smaller cells. Additionally, these compromised systems are currently commanded via IRC so IT organizations can monitor for IRC network traffic to help root out infected systems. Botnet operators may instead switch to using peer-to-peer communication and command models to further evade detection and use new MOs.
Question: Because security intrusions and virus attacks are the industry's dirty little secret that nobody really wants to talk about, it seems difficult to get a good read on the real economic impact. So, my next question is, do we have a glimmer of any idea on what that impact is in the US and around the globe? And as a follow-up, what would your 1 minute elevator pitch be to any senior-level LOB executive.
Answer: The real answer is no; we have no real tally of the impact. Almost all organizations are reticent to discuss security incidents. The best method to-date in estimating this data is by gathering information via anonymous surveys like the FBI/CSI survey. But the numbers are very subjective and the risk -- and thus, the number of security incidents -- varies greatly from organization to organization. As far as my hello-my-name-is-David-Mackey-let-me-help-you-with-security-speech goes, I really stress to companies that they need to do a valid risk analysis. What are the goals of the business? How does IT help them achieve those goals? Which parts of the IT environment are most valuable? How much does the organization stand to lose if attacked? It's a real mistake to start throwing money at security technologies until you've successfully answered these questions. Don't let a salesperson tell you differently.
Question: Denial-of-service (DDos) attacks seem to be increasingly prevalent as a form of data hostage taking. Are most of these attacks economic in nature, or are we also seeing cyber attacks as a form of political speech as well? Meaning, are organizations or groups using DDoS attacks as a way to further specific agendas as opposed to just holding groups up for ransom?
Answer: I'm sure there's some politically or socially-motivated attacks, but most DDoS attacks so far are financially motivated. It's worth noting here that cyber extortion takes a number of forms. There are the DDoS attacks you mention, but there are also instances where miscreants may steal data (or encrypt the data in place) and then demand money in return for the data. Additionally, many so-called "security researchers" may demand money in exchange for supposedly critical information about software or Web site vulnerabilities. We've seen a number of creative, but insidious, extortion techniques.
Question: If an IBM customer feels they have been a victim of some sort of cyber intrusion, should they call a law enforcement organization or their IBM rep?
Answer: Both. Law enforcement agencies -- especially the FBI in the US -- have made significant investments in forensic technologies and investigators in recent years. They are very sensitive in dealing with the investigation and protecting the anonymity of victim organizations. Law enforcement is a necessary stop if victims would like to prosecute the attacker(s). At IBM, we deal more with the business continuity aspect. We conduct an investigation in order to help organizations get the IT assets up and running ASAP. We investigate how and when the attacks took place and then help organizations protect against future attacks. Both methods have valid goals.
Question: Is there yet a cyber equivalent of the Corleone family? I know we've heard news stories in the past about Russian and former Soviet Eastern Bloc hackers being prevalent...moving into 2006 is there a particular region or organization that has demonstrated particularly deft hacking abilities? If so, what can companies/government do to protect themselves?
Answer: There are organized groups out there, but I don't think they cut off horse heads and leave them in beds -- yet. Most security monitoring points to individuals or groups in the US being the largest source of attacks. But I should mention that one of the most difficult issues we deal with in information security revolves discovering the true source of the attack. It's very easy to obtain the source IP address of an attack (either through our monitoring or forensics services) but it's incredibly difficult to determine who was behind the keyboard. Was the IP address spoofed? Was the source computer in the US actually compromised by an attacker in Germany? This is typically the domain of law enforcement to track technical information down to a real person.
Question: I use a Mac as well as a ThinkPad, and clearly with Apple's decision to move to Intel processors, you all have suggested that Macs will be more vulnerable moving forward as one of the 2005 predictions. What can/should I do to protect myself from cyber vulnerabilities on my iMac?
Answer: In our 2006 predictions, we predict that the number of attacks -- including malware -- will increase against the Mac platform. I'm extremely nervous that most readers will view our prediction as sour grapes from IBM since Apple dropped IBM chips in favor of Intel's. And as long as I work for IBM, it'll be difficult for me to prove my team's objectivity on the issue so just pretend I work for ________. Much of the vulnerability research and exploit development in recent years has revolved around PCs -- running either Windows or Linux. Part of this research involves heavy expertise with the Intel chipset and op codes. This same expertise can now be ported to trying to exploit OS X. I also think that Mac computers will be cheaper and become more popular because of the move. (I apologize profusely to any Lenovo readers.) Any time a technology gets more pervasive, the number of threats also increases.
Question: I'm probably more paranoid about identify theft than most people, and last year subscribed to one of the three credit reporting agencies' Subscriber Alert services that immediately informs me anytime someone tries to access or update my credit history. Am I being *too* paranoid or is this kind of proactive approach going to be increasingly necessary for consumers in the 21st century if they wish to fully protect themselves?
Answer: Me too! There are a lot of resources out there now to help guard against identity theft -- including the alerting services from consumer reporting agencies. I honestly believe you can never be too paranoid in monitoring your financial activities. But I also get paid to be paranoid, so take that with a grain of salt. I could rattle off an entire list of ways to protect your home PC from attack (antivirus, firewall, and regular patching to name a few) and I could recommend ways to protect physical data (effective home security, paper shredder, and comprehensive insurance come to mind). But if you do nothing else, closely monitor your financial statements and credit rating. The earlier you discover fraud, the more options you have in setting things right.
Question: Building on that, if I feel that I am the victim of identity theft online, what are the first measures I should take, and in what order of importance?
Answer: Issue a fraud alert to the financial and consumer rating organizations. Follow the advice from the US Federal Trade Commission or related local agencies.
Question: This is a blog, so we're not supposed to talk about all the great things that IBM's various security-focused experts are doing, unless we do so in a way that masks our intention of getting customers to subscribe to said services. So, we're going to do a product/service pitch in a not-so-subtle fashion that will be masked in the guise of one of our really funny TV commercials. That way, we're a blog pretending to be an advertisement pretending to be a pitch for IGS' security services. Okay, ready? Here we go: Pretend that you're a server from one of our TV commercials and I'm the bad cyber guy and I'm holding you hostage. I'm wearing a really cool mask that hides my identity (even my goatee), the server intrusion alarm bell is ringing really loudly in the background, and I'm got about 10 minutes to embezzle the equivalent of the GNP of a small but blossoming Southeast Asian country. You have one phone call to call for help. Who do you call and what do you say to them?
Answer: No phone call necessary. My server is made by IBM so the baked-in security keeps my data nice and safe.
Blogger's Note: To learn more about cybercrime, check out our recent Web feature "The Changing Nature of Crime" or our podcast on "The Future of Crime."