The Verizon Business Data Breach (.pdf) that was published today seems to have raised a few eyebrows. But mostly, the results of the study, while extremely valid and helpful in framing issues of cyber-crime, only tell us something we already know - organized criminals, mostly from Eastern Europe, are stealing veritable tons of online banking records in an increasingly sophisticated and targeted fashion.
When I consider the organized crime that was allowed to flourish in my hometown of Boston during my lifetime, it still amazes me that the infamous characters involved were allowed to carry out their work, pretty much in the wide open, well into the 1990s. I mean, every kid in the city knew the names of these people in the '70s, and yet they kept on running their rackets and knocking each other off well into the Clinton Administration.
You just have to wonder, how did they get away with it? Especially when everyone knew who they were, where they were, and what they were doing. And there were certainly considerable resources being committed to trying to stop these people.
As it turns out the Boston mobsters just had too much juice, and too many chances to flaunt weaknesses in the system - especially the realities of human nature and corruption, to be stopped until the sheer level of scrutiny finally overwhelmed them. And that only happened when they became so greedy and brazen that they were pretty much begging to get busted.
At this point I guess we have to assume that the same type of evolution is likely to follow with cyber-crime. The question is where we stand in that process.
Verizon tells us:
â¢ Eastern Europe is known as a notorious haven for organized cybercrime outfits, which played a major role in breaches throughout 2008, though North America and East Asia also played significant roles. â¢ The big money is now in stealing personal identification number (PIN) information together with associated credit and debit accounts. â¢ Retailers and financial services companies remain the biggest targets for data thieves.
â¢ Some 74 percent of breaches resulted from external sources, with 32 percent were linked to business partners and roughly 20 percent traced to insiders. â¢ Sophisticated attacks accounted for only 17 percent of breaches, but those cases accounted for 95 percent of stolen records. â¢ The financial sector accounted for 93 percent of all stolen records in 2008, and 90 percent of those incidents involved groups already identified by law enforcement as engaged in organized crime.
OK, so, we know who is doing this, where they are, and what they're doing... yet, they only seem to be getting more powerful all the time.
Sounds familiar, and, just as nobody was big enough to stand up to the Northeast Irish and Italian mafia of twenty-five years ago, there hasn't been anyone with a big enough stick, and a clear enough interest of mission, to seriously threaten these criminals' ability to do business on the Internet... yet.
With the mainstream interest given to identity theft, malware attacks like Conficker, and the lack of ability that law enforcement and government regulators have had in thwarting cyber-crime, it does seem like IT security has become a big enough issue to start turning the tide in terms of awareness.
Next week, when the IT security industry is gathered at the RSA Conference sizing itself up, one of the biggest events will be the report delivered by Obama appointee Melissa Hathaway on the 44th Administration's plans to do more to address issues of cyber-crime.
Only time will tell what those plans will bring, but even if only in appearance it would seem like there is gaining momentum that people just don't want to take it anymore. I'm sure that the federal government hasn't taken it lightly that there have already been significant acts of cyber-warfare perpetrated out of some of the same regions where organized cyber-crime has also been allowed to flourish.
Verizon also notes in its report that there were 15 new criminal cases brought against accused cybercriminals in Eastern European nations during 2008, a vast improvement over the numbers it has seen in the past.
Maybe if we finally have a government in place that really cares about pushing enforcement, maybe if the people who keep those leaders in place really care enough to put the pressure on them to do so, maybe if the microscope gets widened far enough, the light shines bright enough, some of this seemingly unobstructed criminal activity finally gets slowed down.
If not, well, then we should all be prepared to keep paying the neighborhood bagman for the right to do business on the Web.
And it's our own fault for not taking stronger action based on what we already know.
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.