Profile of the World’s Top Hackers – How the Game has Changed

My take:

  • New Internet-based technologies bring new opportunities for the bad guys.
  • The growth of the applications we use has gone from dozens to nearly 1,000.
  • The losses are huge, and while the top-line number is disputable, no one can argue that cybercrime losses have reached previously unforeseen levels.
  • Regardless of whose survey you read, the majority of respondents have been impacted by cybercrime.
  • There has been no let-up in vulnerabilities — vendors need to be more responsible.
  • The sheer number of signatures needed to defend ourselves has impeded their effectiveness.
  • Our failure to apply vendor patches in a reasonable time seems to be regularly taken advantage of by today’s bad guy.
  • Botnets continue their explosive growth.
  • The flood of available stolen data has commoditized it and impacted prices — a stolen credit card can be bought on the black market for as little as 50 cents. Even the cost to rent a botnet for nefarious uses has plummeted to $70/1,000 PCs for 24 hours of use.

From Michael Calce, a.k.a. Mafiaboy:

  • As a 15-year-old in the early days of the Internet, Mafiaboy felt he was perhaps perpetrating a victimless crime. He certainly learned differently, and he paid the price and did the time.
  • The same fundamental issues that allowed his actions to work then are still issues today.
  • Social engineering is becoming an even larger factor with today’s social Web sites.
  • With respect to Web 2.0 and cloud computing, we are rapidly developing new technologies before we have completely secured the existing ones … a recipe for disaster.
  • There are three levels of attackers today:
    • Low level – script kiddies doing point-and-click hacking
    • Mid level – knowledgeable hackers leveraging recent vulnerabilities
    • High level – highly skilled hackers leveraging zero-day attacks
  • Motives have evolved to financial gain — it is no longer just a game.
  • The reasons organizations are at risk are well-known. Hackers have the opportunity and the will. At the same time, we have the opportunity to mitigate the risk, but seem to lack the will.

From Byron Acohido:

  • We live in a time where cybercriminals are integrating multiple attack vectors for their criminal pursuits.
  • Two markets:
    • Stealing data
    • Using stolen data
  • Three main ways to steal data:
    • Via e-mail
    • Via the browser
    • Database breaches
  • We first witnessed the shift to the application layer. Now we see the focus within the application layer itself on Web-based applications.
  • The bad guys regularly use normally trusted services to enhance their actions, e.g., using SEO with Google to increase the page ranking of a malicious Web page.
  • Exploits delivered through social Web sites like Facebook and Twitter are becoming more common because of the implied trust we place in them.
  • Conficker is a good example of a current generation multi-faceted attack.
  • There is a current shift from commoditized goods, such as credit cards, to the theft of high-value intellectual property with targeted attacks.

What do we need to do:

  • From a Macro View
    • Select an effective Cyber Czar
    • Set forth an effective mix of incentives and regulations
    • Foster private/public partnerships
    • Engender global cooperation
  • From a Micro View
    • Recognize all data is a valuable asset
    • Data privacy and security must be a core competency
    • Keep everything updated to the current, most secure version
    • Recognize the inherent risks of social media

Closing Statements

  • The issues we face are not something we can simply throw money at to solve — we have gotten into the habit of trying to throw new technology at each problem as it arises. We need to step back and perhaps get back to the basics by focusing on building a secure foundation, i.e., flaw remediation and enforcing the rule of least privilege.
  • Knowledge is power, and we need to be as knowledgeable as our adversaries if we want to win the fight.
  • More to come — we have dived head-first into the world of social media with little regard for security.

Given more time, this is how I would have expanded on today’s discussions.

Commoditization is a Red Flag
We saw it happen with stolen credit cards: once traded on the Internet black market for hundreds of dollars each, they have today fallen to a mere fraction of that price ($10 per card in quantities of 100) as they became a commodity on the Internet. Internet portals that engage in the sale of stolen credit cards are becoming more common and serve a global audience. A quick look at http://feedjit.com/stats/sellcvv2.blogspot.com/map/ shows the global reach of the online sale of stolen credit cards. Internet bandwidth redirected by installed malware is also recognized today as a commodity. In fact, an exchange for trading this bandwidth, called Robotraff, has been operational for some time now. The redirected traffic can be purchased by a malicious person and pointed at a malware-laden Web site in an effort to compromise the PCs that make up the traffic stream.

Today, we see that botnets have also reached commodity status. A recent report notes that the auction Web site “Golden Cash” is now trading bots (compromised PCs) for as little as $5 for a batch of 1,000 PCs in Asia to $100 for a batch of 1,000 PCs in Australia. The buyer can either use the bots for nefarious purposes or install their own malware on top of the malware originally used to compromise the PC.

It is a battle of wills — and we are losing
The commoditization of botnets should be taken as yet another reminder that our current approaches to security are simply not working. It is not a matter of a lack of the necessary technology to defend ourselves. The bad guys easily reverse-engineer vendor patches to create automated exploits and clearly have demonstrated their will to use them. We as a community have the ability to deploy vendor patches to eliminate the underlying vulnerabilities that are being used to compromise our networks on a daily basis, but apparently, we lack the will to use them.

In an environment where we are failing to handle the basics at the very foundation of network security, deploying vendor patches in a timely manner, is it any wonder that automated toolkits exploiting unpatched vulnerabilities that are months to years old have commoditized our network assets? Technology can address software issues, but in my opinion we also need an update in will if we are ever going to turn the tide and take back our networks. Until our will to defend ourselves is greater than the will of a bad guy to wreak havoc, we will never gain any ground.

In case you missed the webinar on the Profile of the World’s Top Hackers, you can view the presentation below. Tell me what you think and if you agree.
