We often think about online security in terms of networks that need to be kept secure, separated from the wild open Internet where bad men and women work to learn our secrets and infect our machines. We lock everything up as tight as possible, but, somehow, the hackers seem to find their way into even the most robust systems. There are other ways to think about security, one of which is security as a commitment to making crime expensive.
Online criminals are so persistent because online crime pays extremely well. According to a new report from Trustwave, some online criminals see an ROI of 1425%. They invest little and, because of the scalability of their enterprise, they gain a great deal in return. According to the report, an investment of about $6000 — split between payload, the infection vector, and traffic acquisition — can reap $90,000 over 30 days.
Online criminals are in it for the money. The days of hackers hacking for the challenge and the reputation are largely a quaint memory. Modern online crime is a billion dollar business, and the best way to discourage criminals is to make data theft so expensive that it isn’t worth the effort.
LastPass’s recent breach is a good example. The company was attacked and hashed master passwords were stolen. But because they had used multiple passes of a very slow hashing algorithm on master passwords, the expense of retrieving a password from a hash is enormous. So large that for the most part, it doesn’t matter that the hashes were leaked, because the expense of reversing the hashes significantly outweighs any potential benefit to the attackers (although you should still change your LastPass master password).
Of course, slow hashing algorithms are also an expense for the company using them — they require a lot of processing. And that’s where thinking of security as expense generation comes in. If a company acknowledges that Internet-facing services are more than likely to be breached at some point in the future, whether because of an OS vulnerability, a service vulnerability, or simple human error, the question becomes how to make it as expensive as possible to reap the reward of such a breach; efficiency isn’t the primary concern.
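As an added example (not code from the post, and not LastPass’s actual scheme), the cost asymmetry described above, made concrete: PBKDF2-HMAC-SHA256 stands in for the unnamed slow hash, and the record format, the guess-rate figure and the search size are constructed to show how attacker cost grows linearly with the iteration count while the defender pays that cost only once per login.

```python
import hashlib
import hmac
import os
import time

# Assumptions (not from the post): PBKDF2-HMAC-SHA256 stands in for the
# unnamed "very slow hashing algorithm", and the stored record format
# "pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>" is this example's own.
ALGO = "pbkdf2_sha256"
KEY_LEN = 32


def hash_password(password, iterations, salt=None):
    """Return a self-describing record; a per-user random salt defeats precomputation."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, KEY_LEN)
    return f"{ALGO}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, record):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, hash_hex = record.split("$")
    if algo != ALGO:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex),
                             int(iters), KEY_LEN)
    return hmac.compare_digest(dk.hex(), hash_hex)


def guesses_to_crack_hours(iterations, candidates, fast_guesses_per_sec):
    """Hours an attacker needs to try `candidates` guesses when their rig manages
    `fast_guesses_per_sec` single-iteration hashes; each extra iteration multiplies it."""
    return candidates * iterations / fast_guesses_per_sec / 3600


def measure_login_cost_ms(iterations):
    """The defender's side of the trade-off: one verification, in milliseconds."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"probe", b"\x00" * 16, iterations, KEY_LEN)
    return (time.perf_counter() - start) * 1000


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple", 100_000)
    print(rec)
    print(verify_password("correct horse battery staple", rec))
    # Constructed figures: 1e9 fast hashes/s against a 10^10-candidate search.
    for n in (1, 1_000, 100_000):
        print(f"{n:>7} iterations: login {measure_login_cost_ms(n):.2f} ms, "
              f"attacker {guesses_to_crack_hours(n, 10**10, 1e9):.1f} h per 10^10 guesses")
```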
None of which is to say that firewalls and other traditional network security tools aren’t as important as they ever were; they’re all part of making life more expensive for online criminals. My point is aimed at those companies who choose to use weak hashing because it fulfills their conception of a minimum security requirement while not imposing any great computational burden on attackers. It’s aimed at those who update their content management systems once a month instead of immediately applying patches. And it’s aimed at companies without a decent patch management strategy in place for their servers.
Think of what it will cost an attacker to reap a reward from an attack on your site or server. And think how little you have to spend to multiply the expense burden of online crime.