The British Government’s Cyber Security Strategy has four stated objectives, which are for the UK:
- to tackle cyber crime and be one of the most secure places in the world to do business in cyberspace;
- to be more resilient to cyber attacks and better able to protect our interests in cyberspace;
- to have helped shape an open, stable and vibrant cyberspace which the UK public can use safely and that supports open societies; and
- to have the cross-cutting knowledge, skills and capability it needs to underpin all our cyber security objectives.
These are well-meaning intentions, certainly, but can only go so far. The majority of cyber crimes are perpetrated overseas, beyond the jurisdiction of British authorities. The global nature of the Internet means that, for example, a financial institution in London can be attacked from China, and there’s nothing the British authorities can do about it.
The popular misconception of hackers being clever but socially awkward young men coding individually in darkened basements is inaccurate too: cyber attacks are a serious international business, and are more often committed by criminal organisations. The UN estimates that 80% of cyber crime originates in organised activity, and as Europol notes, “Serious organised crime groups are increasingly multi-commodity and poly-criminal in their activities, with extensive, diverse portfolios of business interests and significant collaborative activity.”
Fraud as a Service (FaaS) and other resources for criminals
Organised crime recognises how easy hacking is for beginners, and delivers it as a professional service. On darknet sites like the Silk Road, cyber criminals provide products and services including beginners’ tutorials for all manner of criminal activities. If you want to learn how to hack credit cards or exploit known vulnerabilities in ecommerce websites, for example, the information is readily available online. Qualifications for hackers are even offered.
Phishing email templates, malware toolkits and other forms of advanced crimeware are also available online, just as legal software is, often for a monthly licence fee. The Citadel Trojan, for example, is the most advanced crimeware tool money can buy, and is supported by a skilful development team. Version-controlled updates are issued, and there is even a dedicated customer relationship management system to address customer concerns.
That these readily available malware toolkits can work on any usable scale is testament to the number of known vulnerabilities that exist.
Cyber Health Check
Assess the state of your vulnerability to attack with IT Governance’s Cyber Health Check, a two-day service that combines on-site consultancy with remote vulnerability assessments to assess your cyber risk exposure. The four-step approach will identify your actual cyber risks, audit the effectiveness of your responses to those risks, analyse your real risk exposure and then create a prioritised action plan for managing those risks in line with your business objectives.