If you want to know why attackers are able to outflank CISOs take a look at the latest annual underground hacker market from Dell SecureWorks, which lists average prices data and services offered around the world. It shows how cheap it is to get into business.
It costs only US$500 to hire someone to crack a corporate mailbox, or $129 to break into a Gmail/Yahoo account. To break into a Web site a service charges $350. For $90 you can get a victim’s IP address.
A so-called Fullz (full information package) on a Canadian, likely from stolen data, with name, address, credit card information, date of birth and more runs a mere $20 — down from $35 to $45 in 2014.
A remote access Trojan runs between $5 and $10. An Angler exploit kit will cost between $100 and $135.
Denial of service attacks are charged by the clock: $5 to $10 an hour, $30-$55 a day or $200 – $555 a week.
And for those who don’t know what they’re doing, tutorials are available for between $20 and $40.
These rental services — and promises of good customer support like round the clock support in some cases and satisfaction-guaranteed-or-your-money-back promises — are the biggest reason why CISOs shouldn’t expect to see a decline in the number and variety of attacks on their organizations any time soon.
Small wonder a former Scotland Yard cyber crime expert was quoted as saying there’s almost no hope for security on Internet. “We have been talking about this for years and the fundamental dichotomy relates to funding and collaboration. The miscreants are light years ahead of the Internet security community in terms of their R&D budgets and the maturity of their marketing and sales operations.”
What do CISOs need to do? Dell has a long list of suggestions, which boil down to a full data protection strategy. Number one on the list is teaching employees spot computer security threats, particularly spear phishing.
Also advocated is mandating the use of two-factor authentication for all remote access solutions and for all company employees and business partners authorized to access the corporate network.
Limiting the number of people who have administration accounts and access to sensitive data, of course, is on the list.