If you follow security news in the media, you get the impression that there are millions of super-evil, super-intelligent nation state and hacktivist hackers constantly attacking you, and you specifically, in order to ruin your day, your business, your life, and perhaps even the lives of everyone you have ever known. Is this true? Are there hordes of barbarians targeting you specifically? Probably not.
So what is the reality? The reality is that the threat landscape is foggy; it is hard to get a clear view. What is obviously true, though, is that you can easily fall victim to cyber criminals – although it is less likely that they are targeting you specifically. Of course, if you are the CEO of a big defense contractor, or you are the CIO of a large energy conglomerate – you are most likely specifically targeted by lots of bad (depending on perspective) guys – but most people don’t hold such positions, and most companies are not being specifically targeted. But all companies are potential targets of automated criminal supply chains.
The most credible cyber threats to the majority of companies and individuals are the following:
- Phishing attacks with a direct financial fraud motive (e.g. credit card fraud).
- Non-targeted data theft for the sake of later monetization (typically user accounts traded on criminal marketplaces).
- Ransomware attacks aimed at extorting money.
None of these attacks are targeted. They may be quite intelligent, nevertheless. Cyber criminals are often quite sophisticated, and they are in many cases “divisions” in organized crime groups that develop smart malware that can evade anti-virus software, analyze user behaviors, and generally maximize the return on their criminal investment in self-replicating worms, botnets, and other tools of the cybercrime trade.
We know how to protect ourselves against this threat from the automated hordes of non-targeted barbarians trying to leech money from us all. If we keep our software patched, avoid giving end-users admin rights, and use whitelists to prevent unauthorized software from running – we won’t stop organized crime. But we will make their automated supply chain leech from someone else’s piggy bank; these simple security management practices stop practically all non-targeted attacks. So much for the hordes of barbarians.
These groups may also work on behalf of actual spies in some cases – they may in practice be the same people. So, the criminal writing the most intelligent antivirus-evading new ransomware mutation may also be the one actively targeting your energy conglomerate’s infrastructure and engineering zero-day exploits. Defending against that is much more difficult – because of the targeting. But then they aren’t hordes of barbarians or an army of ogres anymore. They are agents hiding in the shadows.
Bottom line – stop crying wolf all the time. Stick to good practices. Knowing what you have and what you value is the starting point. Build defense-in-depth based on your reality. That will keep your security practices and controls balanced, allowing you to keep building value instead of drowning in fear of the cyber hordes at your internet gateways.