Platt Perspective on Business and Technology

Information systems security and the ongoing consequences of always being reactive – 7: moving towards proactive controls 5

Posted in business and convergent technologies, social networking and business by Timothy Platt on March 15, 2013

This is my seventh installment to a series on the state of information systems security going into the second decade of the 21st century, and on challenges that will have to be addressed in moving forward from where we are now (see Ubiquitous Computing and Communications – everywhere all the time, postings 185-188 for Parts 1-4 and its continuation page, posts 189 and 190 for Parts 5 and 6.)

Up to here in this series I have primarily focused on computers and networked computer systems that would be protected from outside intrusion. My goal for this installment is to redirect my focus outward, towards the people who produce and distribute malware, pursue behavioral engineering attacks and behave as black hat hackers. In a sense I began this when I first started writing to this series, in Part 1. I wrote there about how early malicious hackers were primarily motivated by a competitive drive to show their computer knowhow and prowess to their peers, and how they collectively formed a technology-aware and involved subculture. Monetary gain was not considered a primary goal – just gaining access and finding paths in through the security systems in place.

Then, as also noted in Part 1, that all changed as criminal elements driven by a profit motive began to move in, and as they came to dominate the black hat hacker community. As online commerce and other sources and streams of wealth began moving online, so did people who would surreptitiously tap into them and steal value. Information available online was becoming increasingly valuable, both through approaches such as identity theft and as business intelligence of all sorts. And access to and control of computer systems was becoming increasingly valuable in and of itself too. Botnets come immediately to mind there, but they represent only a part of this bonanza of potentially available value. And to round out the relevant points that I noted in Part 1 that hold specific bearing here, this new profit-motivated black hat hacker community, like the earlier prowess-driven hacker community before it, formed a complex social system with members holding differing levels of position in a social hierarchy, and in an economic hierarchy too. Black hat hackers formed a loosely defined and fluid, but very real, community, both for purposes of business and profit, and for establishing personal reputation and bragging rights.

• And an online marketplace formed around this phenomenon,
• With commoditized access to proprietary and confidential information, and access to and control of computers and network resources, as the primary products marketed and sold.

This might mean bootleg software, or warez as it is sometimes called, or it might mean individual credit card information or even full packages of personal information that would be used for more comprehensive identity theft. Or it might mean any of a broad and expanding range of business intelligence resources that can be used to turn a profit, either directly or through extortion and the threat of disclosure and use. And of course, along with this software and data side to the marketplace there is also a hardware market, with access to and use of botnets and related resources as marketable offerings too. Sometimes these resources are sold at fixed, if competitive, rates, and sometimes they are sold at auction for whatever the market will bear, then and there and for those participating in the mostly online bidding.

• A big part of proactively addressing malware and black hat hacking in general, as a risk management initiative, has to involve directly addressing the vulnerabilities that are being exploited, with a goal of identifying the types and areas of vulnerability that will be exploited next.
• But just as big a part of actively, proactively addressing this problem has to come from looking outside of the systems at risk themselves, and towards those who generate and spread that risk.
• And that is an aspect of this overall problem where new approaches are needed as much as anywhere else, if we are to break out of the reactive cycle of always playing security and risk remediation catch-up, which is a losing proposition.

I find myself thinking back several years as I write this, to early conversations about how the New York City office of the FBI always had one or two of its agents stationed in Romania. When the USSR broke up, a number of its KGB and related employees who had been tasked with information systems infiltration and compromise joined the rush towards free market enterprise by turning to the emerging opportunities of cyber-crime. And much of this activity flowed to, or at least through, Romania and the remnants of the old Romanian KGB (see Romania and North Korea – a brief tale of two generations for a part of that story.)

FBI agents in the United States, going through US courts and court processes, faced longer delays in obtaining warrants allowing them to legally look at and into apparent online criminal networks and activity than their counterparts in a now post-Communist Romania faced. So when online criminal activity was being directed towards the United States and arriving there by way of Romania, in general coming from those new post-Communist online criminals, agents could move faster if they were in Europe and dealing with courts and laws there. And this was seen as a real breakthrough, and in many ways it was. But setting aside the very real value of developing stronger international agreements and working relationships between law enforcement agencies for confronting cyber-crime as a global phenomenon, this was still a strictly reactive response, even if a faster one. It was still just another variation on attempting to improve security by doing away with the built-in and accepted delays of a once-a-month Patch Tuesday release date system for sending out software patches and updates for vulnerabilities that had already been found and in many cases already been exploited.

• Any more proactive approach directed towards identifying and acting on the people and networks that cause cyber-crime is going to have to come from developing a fuller understanding of the cyber-criminal social networking and commerce systems in place and their social and functional dynamics, and of the structures and connections of these social networks.
• There, black hat hacking and proactively addressing its challenge can be seen as a problem in characterizing, modeling, tracking and predictively responding to business social networks, and to knowable patterns of connection and interaction in them.

I am going to address at least a portion of that challenge in my next series installment where I will, as a foretaste, start from a basic taxonomic model of how social networks organize and function (see Social Network Taxonomy and Social Networking Strategy.) Meanwhile, you can find this and related postings at Ubiquitous Computing and Communications – everywhere all the time and its continuation page, and at Social Networking and Business.
