The Business of Cybercrime

I am not sure I want to be the guy who keeps yelling and pontificating, frightening the children and generally being a menace. However, I have to question how engaged we all are in the task of trying to combat Cybercrime. As an ‘IT’ guy I am concerned at the seeming lack of concern in the public domain and even in professional circles. So at the risk of ‘scaring the horses’, here is some information that should get your attention.

The Cybercrime Economy

Cybercrime is now considered an Economy. Not just a business, but an Economy. As of 2018, the Cybercrime Economy was on par with the Russian Economy. That is the Gross Domestic Product of Russia! The combined output of every Russian citizen can only match the GDP of all Cybercrime in 2018. Remember that the above statistic was published in 2018. Nearly three years have passed since, and that figure certainly has not shrunk.

The Cyber Economy Today

2021 saw a number of high-profile hacks: the Colonial Pipeline ransomware hack, the Department of Justice supply chain attack and the FBI mail servers hack, to name just three. And this may be where the problem lies. People tend to start thinking that they don’t have to worry because, ‘They are only interested in the big guys.’ This is of course a big mistake, because what you see in the media is only the sensational. The day-to-day crime, the increasing percentage of the attacks, never makes it to the media.

The truth is that most of the money in cybercrime is made from the sale of information. Cybercriminals have now developed a ‘Platform Business Model’ for their criminal enterprises. These criminal enterprises now make money facilitating the trade of information. This trading of information is a multi-billion-dollar business. But it is not the only method for generating income.

What is this leading to?

An environment that allows you to make a very good income from trading information must have a large number of buyers and sellers. No doubt there is a lot of wastage in the information traded. But the sheer volume indicates that there is a huge amount of useful information passed along. Thus, the odds of your information being amongst the traded data increase. And the number of individual buyers must also increase. More bad guys with more information means more individual hacks.

What can we do about it?

For starters, we can make the information less useful.

A lot of the information gathered is old email addresses, old usernames and old passwords. The key word here is ‘old’, which is why I typed it four times. Sure, there is a massive amount of personal information being traded, but if you want to make the hacker’s life harder you need to make it more difficult to break in.

If you are an IT guy you can use PowerShell to check for users who have the ‘password never expires’ box checked. Believe me, this is not uncommon. And the type of user who has this value set is quite often a user who holds most of the ‘Keys to the Kingdom’. Uncheck this immediately and take care to teach the users in question about good password security habits.

Do set your password to expire in less than 90 days. 75 days seems to be a value most users can handle. And do make sure that the last 10 passwords cannot be repeated.
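
One way to run the two checks above (the ‘password never expires’ audit and the expiry and history settings), as an added example that is not code from the original post. It assumes an on-premises Active Directory domain with the ActiveDirectory PowerShell module installed; using adminCount as the marker for privileged accounts is an assumption of this example, and the 75-day and 10-password targets are the values suggested in the text.

```powershell
# Added example. Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

$maxAgeDays   = 75   # expiry target suggested in the text
$historyCount = 10   # password history target suggested in the text

# 1. Enabled accounts that have 'Password never expires' set.
#    adminCount = 1 marks accounts that are, or have been, in a protected
#    (privileged) group; it is used here as the assumed privilege indicator.
$props = 'PasswordNeverExpires', 'PasswordLastSet', 'adminCount', 'LastLogonDate'
$neverExpire = Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' -Properties $props |
    Select-Object SamAccountName,
        @{ Name = 'Privileged'; Expression = { $_.adminCount -eq 1 } },
        @{ Name = 'PasswordAgeDays'; Expression = {
            # PasswordLastSet is empty when the password has never been set
            if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays }
        } },
        LastLogonDate |
    Sort-Object Privileged, PasswordAgeDays -Descending

$neverExpire | Format-Table -AutoSize

# 2. Compare the default domain password policy with the targets.
#    A MaxPasswordAge of zero means passwords never expire domain-wide.
$policy  = Get-ADDefaultDomainPasswordPolicy
$ageDays = $policy.MaxPasswordAge.TotalDays
[pscustomobject]@{
    MaxPasswordAgeDays   = $ageDays
    MaxAgeMeetsTarget    = ($ageDays -gt 0 -and $ageDays -le $maxAgeDays)
    PasswordHistoryCount = $policy.PasswordHistoryCount
    HistoryMeetsTarget   = ($policy.PasswordHistoryCount -ge $historyCount)
} | Format-List

# 3. Remediation for one reviewed account (left commented out on purpose;
#    'jdoe' is a placeholder name):
# Set-ADUser -Identity 'jdoe' -PasswordNeverExpires $false
```

Privileged accounts with the oldest passwords sort to the top of the first table. Accounts covered by a fine-grained password policy follow that policy rather than the domain default checked in step 2.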

Do use Multi-Factor Authentication as much as possible. This one action is pivotal. It is not a panacea, but it does make things a lot more difficult for the average cyber criminal.

Finally, continue to teach and encourage your users to think about how they generate passwords and to not use them across lots of accounts.

The Business of Cybercrime and the Cybercrime Economy

If we are to reduce the gross profit enjoyed by the business of Cybercrime and the Cybercrime Economy, and we should certainly try, then making life more difficult and more costly is where we might start.