Communications - December 2010

business will last for a year or so and then they will move on. We need to be careful of the models we’re using and should not claim them to be universal.

BoRG: You can identify certain categories, and as you do so, you are also providing the business with clues as to what needs protection. If you are a cost leader, you have to think about what makes you a cost leader and try to secure those things. If you are a technological innovator but not a cost leader, you have a very different focus on what systems you should be trying to protect.

CLaRK: Would it be fair to say that while the defense industrial base has been the prime target over the past 10 years, things are clearly changing now?

BoRG: One of the real problems with this subject, with this whole field, is it’s so hard to keep on top of it. Eighteen months ago, military contractors were overwhelmingly the leading target. That has now shifted to a host of other companies.

We are hearing about companies in South Korea, Indonesia, and other countries that are being offered business research services that will provide them with profiles of competitors and detailed advice on the state of the art in certain growth industries. Many of these research services are selling information they obtain through cyber attacks.

How does this marketplace work? Often there are black-market Web sites that offer the services and have customer reviews and satisfaction ratings.

CREEGER: Are there any concrete examples of industries being cloned?

BoRG: Until relatively recently, the main organizations carrying out this kind of activity were national intelligence agencies. They were probably spending millions of dollars to steal the information from one of these target companies. They tried many, many generations of malware, as well as many different attack vectors. We now have privatization of these original efforts—spin-offs from the original national intelligence efforts working for hire.

We are talking about an illegal service—something that’s not being sold as a one-off product. We’re talking

anDY CLaRK
The structure
of available
worldwide attack
services is broadly
commoditized.
You can pay using
credit cards, not
necessarily your
own, to buy yourself
a worldwide attack
service.

about a sustained business relationship where the customer starts out by buying information for a few thousand dollars (U.S.), becomes gradually convinced of the criminal organization’s “integrity,” and then goes on to make larger, more strategic purchases.

My organization has been theorizing about ways to subvert these criminal markets. Just as you can use cyber attacks to undermine trust and damage legitimate markets, you can use those same techniques, including cyber attacks, to undermine criminal markets.

CLaRK: The structure of available worldwide attack services is broadly commoditized. You can pay using credit cards, not necessarily your own, to buy yourself a worldwide attack service.

CREEGER: We have learned that business sophistication and marketing in these criminal areas rival anything seen in the legitimate world. As an IT manager, what should I focus on in the next one to three years?

BianCo: Focus on hiring people who understand how this stuff works.

noRTon: Get people to raise their eyes, look around, and ask, “What is unusual, and how was it caused?”

BoRG: In addition, your company needs to be running Symantec, McAfee, Trend Micro, or another retail Internet security package. In many cases, it needs to be hiring the services of an intrusion-detection specialist.

Also, the company has to look at what it is trying to protect: “What are the attackers’ motives, what are they going try to break into, what are they after, and what do you need to defend?” Basically, you have to answer the question, “Are you a target, and why?”

CREEGER: You’re all strongly saying that the IT people need to be thought of as much more than just the people akin to supporting the plumbing, electrical, and telephone system. IT needs to take a much more integral role in the company’s operations and contribute to how the company faces both challenges and opportunities.