A couple of months ago we published an article suggesting that one of the best ways to approach online security is to focus on making it expensive for cybercriminals. Recent research from Google reconfirms the efficacy of this approach.
Cybercrime is a multibillion-dollar business that depends on many different working parts. Cybercriminals approach their enterprise in much the same way as legitimate businesses. They make rational decisions about how to maximize the return on their investment. They aim to lower costs and increase revenue. If the cost of carrying out a particular criminal exercise exceeds the potential payoff, they won’t waste their time.
Criminal enterprises depend on various “profit centers” that include malware, extortion, spamming, identity theft, and so on. Each of those profit centers leverages a complex array of infrastructure.
“This infrastructure includes compromised hosts, human labor, networking and hosting, and accounts and engagement—all available for a fee.”
The infrastructure requirement is why online criminals are so intent on hacking into your WordPress site or brute forcing your server’s SSH authentication.
Google’s research focused on the way it has increased the cost of using its infrastructure and services for online crime. Google accounts are valuable to criminals because they can be used in any number of scams and criminal enterprises. A typical strategy described in the paper is to use Google accounts to register social media accounts, which are then used to spam affiliate links to fake goods. Google accounts currently cost around $170 per 1000. By limiting bulk account registration, Google has managed to increase the cost of accounts by 30-40%. Cost increases like this hit the bottom line of online criminals.
The same logic can be applied to smaller-scale infrastructure like a WordPress site or a hosting provider. Compromised sites are a valuable commodity for online criminals. That’s why sites are constantly battered by port scans, and why so much effort is expended on discovering remote code execution vulnerabilities in WordPress and other content management systems.
Compromising a site or a server is only worth the effort if it’s cheap to do. Sites with good security have a high cost-to-compromise. A corollary is that criminals will almost always go for the low-hanging fruit (badly secured sites), because compromising them can be done in bulk and is much more cost-effective.
The perfectly secure site or server is a myth. There will be vulnerabilities for as long as human beings are writing code and criminals are motivated to find flaws. But it is within the power of every server administrator and site owner to make their infrastructure more expensive to compromise, so expensive that it’s not worth cybercriminals’ time and resources.