
PGP CEO Blog


The NEW Data Wars Have Begun
07 Aug, 2008

Chapter 1: Meet the New Enemy...You’re Not Going to Like Him

It was heartening to see the news yesterday that eleven suspects have been arrested and charged with executing the epic TJX data breach. It was the largest data breach ever recorded when it occurred. The thieves made off with more than 40 million customer credit card records and authorities now estimate personal and corporate losses are in the hundreds of millions of dollars and rising. While the arrests are certainly good news, this case points out some of the key changes that have occurred in the battle to protect confidential information in the last couple of years.

This week starts a series of blog posts about these changes and what they mean for those of us in the business of protecting confidential information. First we’ll take a look at the changing nature of the enemy. Next week we’ll look at some of the new techniques we’ll need to fight this new data war. In the coming weeks we’ll look at what corporations can do individually to protect themselves in this rapidly evolving conflict, and what we’ll need to do in collaboration with the public sector to minimize the number of TJX-style cases that occur.

When the anthropologist and author Carlos Castaneda was asked, “How do you become a man of knowledge?”, he replied simply, “You must forget everything you know.”

Having closely monitored the volume and changing nature of threats to confidential information, I’ve concluded that those of us responsible for protecting that data need to adopt a similar attitude if we are to keep the vast majority of confidential information from escaping our control or falling into the wrong hands. I’m not proposing we simply forget everything we’ve learned about data breaches and their perpetrators; when it comes to preventing data breaches, I also firmly believe George Santayana was correct when he observed,

“Those who cannot learn from history are doomed to repeat it.”

The art we must master to address the new threats we face is to combine these two seemingly contradictory philosophies and then create new models and approaches to protect the critical data that now drives the global economy. The key, in my view, is to forget everything we think we know about cybercrime without ignoring the process we used to learn it.

The people who track trends in Internet crime claim we passed a key milestone late in 2007. Up until last year the majority of cybercrimes were perpetrated either by individuals or by small, loosely connected teams of hackers interested in the “glory” they could achieve by breaking into a big corporate or government repository. There was a small element of organized crime involved in Internet fraud and data theft, but for the most part the perpetrators were amateurs leveraging vulnerabilities and exploits originally developed by hackers for whom writing a virus or a worm was an intellectual challenge, not a career path.

Last year, however, large, global, well-funded and well-organized criminal gangs assumed a leadership role in the development and deployment of malware intended to steal both personal information and money from retailers, banks, and public sector institutions. John Pescatore, Research Fellow with the Gartner Group, believes that there is now more malware being written in the world by these criminal gangs than there is legitimate commercial software in development globally.

We shouldn’t be completely surprised that the bad guys have become such enthusiastic perpetrators of online crime. The potential profits are enormous, the odds of getting caught (at the moment) are low, and given the incredibly complex legal issues, the odds of being convicted or spending any material time in prison are slim.

To cite just one example of how lucrative cybercrime can be, Peter Gutmann, researcher at the University of Auckland, reports that a moderately talented programmer can easily earn more than $200,000 per year (untaxed, for the most part) writing rootkits, worms, zero-day attacks, and new classes of threats that we haven’t even named yet.

The problem with this kind of data is that the market for these tools does not operate in the “light of day”, so all estimates of the value of the malware market are just that…estimates. But even if you assume that Gutmann is off by 50%, this is still a very robust market for global organized crime syndicates to exploit. These gangs don’t make product announcements and they certainly don’t publish quarterly results, but the fact that multiple leading and very credible analysts believe that malware has become “big business” is indicative of just how much the world has changed in the last few years.

At PGP Corporation we have spent much of the last five years talking about the “evolution of data threats” and developing security products to address these threats. Let me be perfectly clear about this point: There is nothing “evolutionary” in what we are now seeing. It is a fundamental discontinuity in the nature and volume of threats we now face. The major credit card issuers, having looked at this change, are now conceding that they expect Internet-based fraud to double [1] in the next two years.

[1] Avivah Litan, Gartner Group, June 2008

Not only is the amount of fraud expected to make an unprecedented step up in volume, the nature of the attacks has changed markedly in the last two years. Recent data from the FDIC shows that the bad guys have moved on from simple identity theft and service provider breaches to much more sophisticated attacks focused on…well, here’s the scary part: we don’t know.

Let that sink in for a minute. The FDIC data comes from the most sophisticated financial institutions in the world, institutions that spend hundreds of millions of dollars each year to protect their infrastructure and their customers’ data. Despite that investment, these firms reported last year [2] that the number of “suspicious activities” detected had increased 45%. At the same time the cost per “SAR” [3], as they’re known, increased 170%. Despite these breathtaking increases, these enterprises had to admit that they could not identify the exact nature of roughly two thirds of the breaches.

[2] The banks are required by the FDIC to submit a Suspicious Activity Report (SAR) any time they “think” they’ve experienced a breach
[3] Suspicious Activity Report

For the moment these “Other” sources of suspicious activity are being attributed to a new class of Trojans, but the fact is that we (and I mean the larger “we” of security vendors, architects and regulators) are somewhat in the dark about the nature of the enemy we now face and his capabilities.

All of these changes mean that when it comes to fighting the battle against data breaches, everything we’ve seen in the past really is just prologue, and many of the techniques and tools we’ve developed will provide only limited relief…thus my admonition that you “forget everything you know” as you plan to address the attacks now aimed at your data, your infrastructure and your customers.

So, I’d like to formally introduce you to your new enemy…he’s a lot like the old enemy except he’s smarter, better armed, better funded and MUCH more numerous.

- Phil
