While the threat of information warfare, or terrorists targeting information systems, might have only been the stuff of thriller novels several years ago, these threat sources have expanded both their capabilities and motivations. Every month (and sometimes every week) news headlines suggest nation state involvement as a legitimate, and likely, threat source. Though it would be reasonable to assume that only critical infrastructure, government, or contractor systems would be targeted by this style of attack, this assumption is unfounded. Organizations that have little to nothing to do with the military, governments at large, or critical infrastructure are also regular targets of these types of attacks.

This is illustrated by the infamous “Aurora” attacks (named after the word “Aurora,” which was found in a sample of the malware used in the attacks). The New York Times reported: “A series of online attacks on Google and dozens of other American corporations have been traced to computers at two educational institutions in China, including one with close ties to the Chinese military, say people involved in the investigation”.

Financially Motivated Attackers

Another recent trend that impacts threat analyses is the greater presence of financially motivated attackers. The attackers have come up with numerous ways to monetize attacks against various types of organizations. This monetization of cybercrime has increased the popularity of such attacks. Whether the goal is money via exfiltration of cardholder data, identity theft, pump-and-dump stock schemes, bogus antimalware tools, or corporate espionage, the trend is clear that attackers understand methods that allow them to yield significant profits via attacks on information systems. One of the more disturbing prospects is the realization that organized crime syndicates now play a substantial role as the source of these financially motivated attacks. The justification for organized crime’s adoption of cybercrime is obvious. With cybercrime, there is significant potential for monetary gain with a greatly reduced risk of being caught, or successfully prosecuted if caught. With respect to BCP and DRP, an appreciation of the significant changes in the threat sources’ capabilities and motivations will help guide the risk assessment portions of the planning process.

Learn by Example

Targeted Attacks

Many organizations still believe that attackers are not targeting them. Even more would argue that they do not represent high-value targets to organized criminals, terrorists, or foreign nation states. It is easy to refuse to consider one’s own organization as a likely target of attack. In the same way that the most vulnerable in society are often targets of identity theft, attackers also target family-owned businesses. While compromising a small family-owned restaurant might not net the attacker millions of credit cards, these smaller targets are often less likely to have either the preventive or detective capabilities to thwart the attacker or even know that the attack has taken place. If attackers can make money by targeting a smaller business, then they will. Virtually every organization is a target.

A 2022 report by Barracuda found, “The smaller the organization, the more likely their employees are to be targets for an attack. In fact, an average employee at a small business with less than 100 employees will receive 350% more social engineering attacks than an employee of a larger enterprise. SMBs are an attractive target for cybercriminals because collectively they have a substantial economic value and often lack security resources or expertise” [14].