I conduct a lot of risk assessments to prepare clients for ISO 27001 certification. In this context I often see a misunderstanding of the scope of cyber threats for organizations and their IT systems.
Most organizations assume that the hackers who threaten their organizations will be motivated by the value of the information the company uses to provide its services. The truth is that cyber criminals don’t necessarily care about the value of corporate, personal and/or financial data. Many attacks are perpetrated on systems because there’s value in the processing power of the systems themselves.
A recent post on the KrebsOnSecurity blog discusses an online cybercrime forum that sells access to systems with hacked remote access. These are mostly Microsoft Windows systems that are configured to accept Remote Desktop Protocol (RDP) connections. The cost of using these hacked systems is in proportion to the value of their processing power, memory and network bandwidth, not to the payment card data, personally identifiable information (PII) or personal health information (PHI) they may hold.
The post also exposes another myth: that most threats don’t have the means to exploit potential weaknesses in a company’s Internet defenses. In fact, the majority of compromised systems being brokered for remote access on the forum were hacked because the username and password were the same, and/or easily guessable. In some cases they may never have been reset from the defaults supplied with the software. That kind of “security” doesn’t require much skill to hack, and is a major reason why IP remote access is such a popular method of infiltration.
When I assess the probability that a threat will exploit a vulnerability in a client’s security measures, I base the assessment on motive, means and opportunity. An exploit that doesn’t require much motivation or means to execute, but provides plenty of opportunity, has a higher chance of being realized and therefore presents a higher level of actual risk.
As the Krebs article illustrates, it doesn’t require extraordinary motive or means to hack remotely accessible systems for their processing power. But due to poor security practices on the part of many organizations, there’s plenty of opportunity. Throw a hostile foreign government that doesn’t need much motivation but has plenty of means and opportunity into the mix, and it’s a pretty dangerous landscape of IT threats out there for any organization—no matter how mundane your business activities or how low your profile.
Contact Pivot Point Security to find out more about the kinds of risk assessments we do, and how they can help decrease the opportunities and increase the means hackers will need to steal your data and sell time on your servers.
The post Understanding the Nature of Cyber Threats appeared first on Pivot Point Security.