Enterprises ignore cyber crime trends at their peril, says security researcher

Cyber criminals know the value of data better than the organisations they are targeting, according to a security strategist who studies hacker behaviour....

Cyber criminals know the value of data better than the organisations they are targeting, according to a security strategist who studies hacker behaviour.

"Data is what they are focusing on, it is their goal, and it is what they are commoditising," says Noa Bar-Yosef, Imperva's senior security strategist.

The strategy unit helps guide Imperva's technology development programme by monitoring hacker forums, analysing attack tools, and tracking attackers.

These activities have shown that user credentials are now the top target for hackers.

"Credentials for online services are worth up to $50 (£30.57), but credit card numbers cost less than $1 because they have a shorter lifespan and are more difficult to monetise as additional information such as the CVC number and expiry date are needed," says Bar-Yosef

Despite the value that criminals put on credentials, not many businesses are giving much thought to how they might be protected, she says.

Organisations should also take note of discussion around the opportunities being opened up by increased amount of data being stored and transmitted using mobile devices.

"Despite the fact that mobile devices are now capable of storing entire customer databases, the threat this opens up for the enterprise is largely being ignored," says Bar-Yosef.

There has been a massive increase in chatter around the Android operating system in the past six months, she says, making it now as widely discussed on hacker forums as the operating system for Apple's iPhone and Nokia's smartphones.

Intelligence around cyber criminal activities shows that they are moving up the stack to target vulnerabilities in mobile applications, she says, which need to be recognised as part of the enterprise and controlled in the same way as PC-based applications.

"Major data-stealing Trojans like Zeus and SpyEye are being developed for use in the mobile world, where many web applications still trust user input and do not implement the same basic protections as the PC versions such as SSL," says Bar-Yosef.

Intelligence gathering also shows that cybercriminals are feeling the heat from US and other international operations to shut down botnets such as Coreflood, roundup money mules, and arrest those responsible for DDoS attacks.

"They are feeling the heat and reacting accordingly, by consolidating resources to make massive investments in crafting bigger and more effective attacks that are designed to evade security controls," says Bar-Yosef.

While it is still important to patch applications and operating systems, deploy anti-malware software, and maintain firewalls, she says, organisations have to understand that they will be targeted and that these measures alone will not be 100% effective.

"Enterprises need to be aware of and planning for the risks involved in using social media, cloud computing and mobile technologies," says Bar-Yosef.

Research has shown that cybercriminals are early adopters of these new technologies and are better equipped to use and exploit them, which means it is more important then ever for enterprises to put controls around their data assets, she says.

Read more on IT risk management