In touch again Maxim Gorshkov, information security specialist of the corporate cloud provider Cloud4Y. I would like to raise the issue of activities, the results of which are usually invisible, but extremely important for the business. I mean cybersecurity. As a cybercrime investigator in the recent past, I have seen enough of companies that have suffered from a lack of seriousness in information security.
To begin with, running a private business in Russia is not easy. The head of the company is constantly faced with the task of cost optimization. This is a normal practice, if you do not build the principle of cost optimization into an absolute. Otherwise, the “optimization” so beloved by many “effective managers” can play a cruel joke on the company.
I am sure that you can name more than a dozen companies in which there is a huge gap between the salary of a manager and a top manager. Or where, according to fashion trends, the number of marketers exceeds the number of technical specialists.
For the Russian leader, the motives for this behavior are obvious. Why should a manager pay more if they already get a job? Why do we need employees who do not bring money? If the conditional technical department is already doing something and it seems like everything works.
Perhaps this is also the case in your company. All this is familiar, it has been working for a long time and seems to suit everyone. But what if I said that companies with similar business principles could disappear in the foreseeable future? No, this is not a thickening of colors. This is more of a warning.
Let me give you real examples. Cybercrime in law enforcement practice began to sound around since 2014. Prior to this, extremely rare “hacker” cases were isolated and were often promoted in order to show the active work of law enforcement officers in this field.
Frauds using social engineering were not taken seriously at all, and criminal cases for such crimes were not always initiated. People wrote statements, but the matter could not progress beyond the materials of the checks. And the number of crimes started to grow.
As a result, the law enforcement system was forced to reconsider its attitude towards crimes on the Internet. Things began to be started more actively. I remember cases when more than 100 criminal cases related to Internet crimes were initiated a day.
Probably, you are now asking: how does business stand sideways here? And the fact is that the criminals quickly changed their profile, switching from attacks on grandmothers to attacking businesses. In my memory, there were about 50 companies, whose accountants transferred impressive sums to criminals, having received a “personal order from the director.” The sellers of the outlets “took the cash off” and transferred money to the fraudsters. And some companies had to shut down from real cyberattacks altogether.
Moreover, the attack vectors were different. Vulnerabilities such as EternalBlue were not always exploited (CVE-2017-0144 with the help of which the ransomware WannaCry, Petiya were widely distributed), although they also existed. There was also a banal tossing of storage devices with a malicious program that gains remote access to a PC, for example, a chief accountant or director.
To be honest, the law enforcement system is “optimized” to the point that it cannot fight cybercrime effectively enough. So we can say that cybercrimes threaten not only business, but also the state as a whole.
What will change in the near future? Cybercrime evolves and leaps forward in the fight against the law enforcement system. Because of this imbalance, hacking is sometimes more profitable than developing your own business. Just imagine that the average social engineer, or simply a telephone fraudster, can earn about 100 thousand rubles per working day, while in regional companies a system administrator with information security functions does not earn even 50 thousand rubles a month.
And I’m not even talking about the income of professional cybercriminals who know how to write exploits. Are you sure that a new exploit will not be used on your company before it gets into the antivirus database? It’s not a very cheerful prospect of becoming a testing ground for a new malware.
Pinching the nuts is also not worth it
It is worth noting that there is another extreme in business, which concerns mainly corporate business. Let’s call it the “illusory barrier”.
In corporations run by individual, effective managers, an army-like work environment is created. And in most cases, these rigid internal routines only increase the stress factor of company employees. And they are not useful. Why is this conclusion and how is it supported? And you try to google the databases of bank customers, and not only in the open part of the Internet. And in the matter of protecting the personal data of clients of certain major companies, much will become clear.
Why is this happening? Because the top executive’s directive management model often fails to address the issue of whether security spending is insufficient or going in the wrong direction. Relatively speaking, a meeting is being held where the company’s expenses are discussed. The CFO says he needs to expand his sales force, the CIO says he needs to improve security. The CEO asks them one question: what will the company gain from this? The first talks about money, the second about abstract security. And the decision in the distribution of funds becomes obvious. Obvious until that time “H”, when the damage from a cyberattack will exceed the benefit from the work of an entire marketing department for several years to come.
Will you say I’m pumping again? In the recent past, with the help of malware embedded on the servers of a nuclear power plant, attackers were able to harm Iran’s nuclear program. And this, for a minute, is the key strategic facility of the whole country. More than 10 years have passed since that moment. Now attackers are acting even more cunningly, coming up with new ways to “make money”.
I will cite a very recent case, which was told by former colleagues in the investigative work. Digital signatures are being actively introduced in Russia. It is planned that soon everyone will be able to sign something directly from their home computer. While this is all at the stage of implementation, the attackers have already developed a criminal scheme.
Yes, the state is more or less protected, but part of the functions: for attestation, registration of digital signatures, has been transferred to private companies that have received a license for this type of activity. And members of one criminal group were employees of such a private company that has the right to issue digital signatures.
What happened next? Having received the opportunity to register digital signatures of citizens, the attackers found recently deceased lonely pensioners and formalized the purchase and sale of an apartment “retroactively”. The deal was successfully registered with the Rossreestr and the apartment went to the intruders. The scheme existed for quite a long time, and was disclosed when the deceased had heirs who achieved the initiation of a case under a strange deal. This is an example of “everyday” cybercrime that is relevant today.
What will happen next
It should be understood that the implementation of such a scenario requires the participation of qualified specialists. Cybercrime is sometimes more experienced in terms of qualifications than even the specialized information security departments of companies. In the capitalist world, experience and professionalism are where there is money. So as long as companies save on specialists, they will live like a powder bomb. The era of enthusiastic hackers is coming to an end, the era of large-scale criminal business is coming, which understands perfectly well that the conditionally invested 50 million rubles in the search for zero-day vulnerabilities and the development of exploits for them can bring billions, destroying entire business sectors in the bud.
Is your business ready for cyberattacks of such communities, in which a whole staff of financially motivated programmers, pentesters, and all kinds of analysts work? It is not without reason that the state is intensively preparing for an unprecedented possible “cyberwar”. But I recommend you to attend to the same issue.
Thanks for attention.
What else is interesting in the blog Cloud4Y
→ Frequent errors in Nginx settings, due to which the web server becomes vulnerable
→ Password as a Horcrux: Another way to protect your credentials
→ Tim Berners-Lee suggests storing personal data in pods
→ Prepare vApp template for VMware vCenter + ESXi test environment
→ Create AlwaysON Availability Group based on Failover Cluster
Subscribe to our Telegram-channel so as not to miss another article. We write no more than twice a week and only on business.