Hacking is no longer just a game for tech-savvy teens looking for bragging rights. It is a for-profit business — a very big business. Yes, it is employed for corporate and political espionage, activism ("hacktivism") or even acts of cyberwar, but the majority of those in it, are in it for the money."
So, security experts say, one good way for enterprises to lower their risk is to lower the return on investment (ROI) of hackers by making themselves more expensive and time-consuming to hack, and therefore a less tempting target. It's a bit like the joke about the two guys fleeing from a hungry lion. "I don't have to outrun him," one says to the other. "I just have to outrun you."
Of course, this only applies to broad-based attacks seeking targets of opportunity — not an attack focused on a specific enterprise. But, in those cases, being a bit more secure than others is generally enough.
David Meltzer made that argument recently in a post on Tripwire. "How do you stop a smart attacker? Simple: reduce their ROI to make exploiting you fiscally irresponsible."
That is the consensus of other experts. "If you make it more difficult and less rewarding for the non-targeted, financially motivated attacker, she or he will likely move on to an easier mark," said Deena Coffman, CEO of IDT911 Consulting.
Bob West, chief trust officer at CipherCloud, agrees. "The commercialization of cybercrime in the last decade has elevated ROI as a very important factor in many attacks," he said.
So does Bogdan "Bob" Botezatu, senior e-threat analyst at Bitdefender. "Commercial, or non-state-sponsored hackers are usually trying to get the most profit with minimum amounts of money," he said. "The more difficult the attack, the less interested they are."
That, of course, raises the obvious question: What, specifically, should enterprises do to make themselves less tempting targets, especially since it is cheaper than ever to launch broad-based attacks?
While it is still expensive, time consuming and takes high skill to launch a sophisticated attack on a single target, the marketplace on the so-called Dark Web provides, "software apps for less-skilled thieves to purchase for little money and use to attack companies that leave their networks exposed or only have a single layer of security," said Coffman.
There is general agreement that an enterprise should start by evaluating its assets based on what an attacker would find attractive. But there are differences among experts about their worth. Most agree that the value of credit card data declines rapidly — as soon as the breach is known, the cards are destroyed and replaced.
Russ Spitler, vice president of product strategy at AlienVault, said credit cards, "are easy to steal, but actually reasonably difficult to turn into money at scale, due to the fraud detection that the card providers have developed." But, he said credit cards remain a valuable asset for enterprises, "and the one that is easiest to sell."