As an information security professional, you probably struggle to convey to others just how serious security threats have become. On the one hand, you may have executives who are in denial or in the dark, particularly in smaller enterprises where the executives are often unaware that SMBs are targeted by a variety of malicious third parties. And on the other hand, you may have a seemingly endless stream of new and inexperienced users...
who have had no security awareness training.
One way to raise executives’ and users’ awareness of the serious threat level is to shine a light on the challenges IT professionals face when securing systems and data. To do this, give them a glimpse of the dark side. Specifically, show them screenshots of cybercrime software such as Crimepack, the SpyEye toolkit and Incognito RAT.
These tools and others, includingBlackhole and Eleonore, have been around for some time, turning the infection of hosts and stealing of data into a point-and-click exercise. However, the fact that these tools have been openly discussed and documented by security researchers does not mean the average IT manager, CEO or computer-using employee knows about them. When they learn about these criminal tools, even just by viewing screenshots, they tend to wake up to the fact that the attackers are far more sophisticated than they had realised.
A simple screenshot of the Crimepack website will often open peoples’ eyes more effectively than statements like: “The bad guys have turned hacking your systems and stealing your information into a business, complete with point-and-click tools that anyone can buy.” That statement carries a lot more weight when accompanied by an image of the graphical front-end of a website selling crimeware.
SpyEye is one of the deadliest hacking toolkits around. It’s a sophisticated, user-friendly, Internet-based management tool allowing the user to issue commands to networks of thousands of bots. By mid-2011, it was being used by criminal gangs that collectively commanded over 2 million infected PCs to deliver spam scams, conduct hacktivist attacks and booby-trap legitimate websites with malware. It’s best known though for enabling thieves to automate siphoning cash from online banking accounts. The cost for SpyEye? Around US$95. The copyrighted (yes copyrighted) version costs thousands more. The copyrighted version includes updates just like any legitimate software, and optional plug-ins that can push the price as high as US$10,000. But ironically, hackers cracked SpyEye's licensing key, which unlocked the software for full use, thus bringing the price within reach of anyone wanting to play dirty on the Internet.
Incognito RAT is a commercial crimeware tool that is openly sold on a hacker forum. It even has its own YouTube channel. RAT stands for Remote Administration Tool, which means it provides the ability to remotely control a victim’s computer over the Internet with full access to all of the computer’s resources. Incognito comes with an app that lets “customers” control infected computers from a jailbroken iPhone – no more having to sit in front of a PC screen for wannabe cybercriminals.
The maturing of this dark technology and underground market has enabled the bad guys to concentrate on what they know best: doing bad things. They are aided by the latest in digital marketing strategies at levels of sophistication that should serve as a wake-up call to complacent executives and users.
Fortunately, for many people, seeing is believing. If you are trying to get users or management to pay greater attention to security, show them how the bad guys are operating these days. You could convince otherwise complacent users and executives that they need to raise their security game.
About the author:
Michael Cobb, CISSP-ISSAP, is a renowned security author with more than 15 years of experience in the IT industry. He is the founder and managing director of Cobweb Applications, a consultancy that provides data security services delivering ISO 27001 solutions. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Cobb serves as SearchSecurity.com’s contributing expert for application and platform security topics, and has been a featured guest instructor for several of SearchSecurity.com’s Security School lessons.