Once upon a time, conventional opinion was that major cyber-attacks required major resources, such as those available to foreign governments seeking to damage their targets. These opinions are out of step with today’s reality. Michael Chertoff, former DHS secretary, told attendees during keynote remarks at the 2011 Gartner Security & Risk Management Summit that in recent years he has seen technology evolve to the point where government resources aren’t needed to launch large-scale information security attacks.
Recent attacks have sometimes involved small groups or even teenagers, possibly acting alone, such as this 19-year-old recently arrested in England as a suspect.
Before you think this is only about teenagers, know that corporations get involved as well. The following case (and here the corporation is not the victim but the alleged perpetrator) involves News Corporation ($32 billion in revenue) and its British tabloid News of the World.
Apparently, the newspaper had for years made a habit of hacking the mobile phones of celebrities, politicians and crime victims to spice up the contents of its reporting. News Corp has basically admitted guilt by its decision to shut down the newspaper permanently. This still leaves the News International paper, also owned by News Corp., which specifically targeted the British Prime Minister:
Hackers operate under a rather murky set of ethics and codes of conduct. Corporations practicing industrial espionage may believe that the end justifies the means. Individual hackers may see themselves in a “Robin Hood” role, but who their beneficiaries are is difficult to say. Sometimes they like to be viewed as performing a valuable service, such as this group warning of a weakness in Apple’s developer website. It is hard to say whether this will help Apple more than it would help others immediately exploit the weakness:
Obviously there is no more room for complacency in today’s security world. Information piracy has evolved to a new level and become accessible to many more participants. Experts are increasingly saying that many recent high-profile breaches have not even involved any advanced or groundbreaking techniques. And now you don’t know whether to be on the lookout for a teenage intruder or a corporation with substantial resources testing the defenses of your networks.
Security administrators have to similarly step up their game.