Hackers Have the Advantage Over IT Security Pros Thanks to Misaligned Incentives

A new report was recently released by Intel’s McAfee Security and the Center for Strategic and International Studies (CSIS), titled Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity. The authors of the survey talked to 800 cybersecurity professionals and used their answers to conclude that cybercriminals enjoy a huge advantage because of a misalignment of incentives. Here are some examples of what this means:

  • There is a disconnect between creating a strategy and implementing cybersecurity programs
  • The bureaucracy of the business is unable to keep up with free-wheeling criminal enterprises because it takes too long to come to a decision
  • The senior executives and the people in charge of cybersecurity are being incentivised differently

The report details each incentive that is giving cybercriminals the edge, and takes a closer look at cybercriminals and the ways in which they have jumped right over corporate cybersecurity.

There is a Booming Black-Hat Hacker Workforce

One thing noted by the authors of the report is that, even though above-board businesses are having trouble finding high quality cybersecurity professionals, there is no such problem for cybercriminals. The authors of the paper suggest that black hat hackers are creating incentives based on market forces, rather than organizational flatness.

Cybercriminals also have an advantage in terms of products. Innovation and adaptation are fostered by the market economy of the criminal hacker ecosystem. It is different from the defensive market, where priorities can be affected by corporate hierarchy. The result is a slow-moving bureaucratic process, very different from the decentralized, competitive, commoditized hacker market.

Black Hat Hackers Have Superior Products

Given that the digital underground market has so many qualified people creating or stealing high-quality black-hat products, it’s only natural to assume the underground market is flourishing, and that is exactly what it is doing. What might be a little unexpected is the sheer quality of the products. The report suggests the quality could be a result of the decentralized, open nature of the market: operators must steal, create, and sell only the latest and highest-quality products in order to survive.

The authors of the study say that the top of the black market consists almost entirely of elite tech specialists holding highly coveted zero-day exploits, working as intermediaries and brokers who pass high-dollar-value exploits between buyers, sellers, and even governments.

Even so, there’s still a lot happening on the lower tiers of the black market. There’s plenty of demand out there for counterfeit goods, stolen financial information, spamming services, and other “exploits-as-a-service” businesses.

Why are Cybercriminals Finding Specialists?

Much like above-board security experts, cybercriminals understand the importance of employing specialists. It’s difficult for a cybercriminal to be a true jack-of-all-trades given the complexity of modern corporate infrastructure, better security systems, and the increased awareness of their potential victims. According to the report, the following are the most in-demand specialists:

  • Programmers needed to create malware
  • Web designers needed for the creation of malicious sites
  • Tech experts needed to maintain the servers, databases, etc. of the criminal infrastructure
  • Hackers needed to exploit vulnerabilities in systems and breach computer networks
  • Fraudsters needed to develop social engineering schemes such as spam and phishing
  • Intermediaries to collect all the stolen data, advertise it to their fellow cybercriminals, and sell it on or exchange it for some other illegal action

Much like an above-board cybersecurity team, the more people a job needs, the smaller the mastermind’s cut. The authors of the paper note that the profits of a criminal business are divided between the specialists. One law-enforcement expert estimated that up to 90% of the money made through cybercrime goes to the technical specialists and the money mules, rather than to the mastermind who put the scheme together in the first place.

Vulnerabilities Are Always Needed

The main reason that black-hat hacker markets are always so adaptable is that adaptability is what it takes to find, exploit, and leverage vulnerabilities before they get patched. One study shows that 42% of disclosed vulnerabilities will be exploited within 30 days of being disclosed. As soon as a vulnerability is disclosed publicly, cybercriminals start exploiting it in their attacks.

This doesn’t mean that older publicly disclosed vulnerabilities are no longer being leveraged. Never forget the opportunistic nature of criminals: they will continue to focus on the lowest-hanging fruit. Rather than investing in vulnerability research and exploit development, which can be costly, they will simply make the most of a publicly disclosed vulnerability to exploit an unpatched system.

So, What Can the Good Guys Do?

The authors of the report have some suggestions for organisations. They suggest that the good guys do the following to keep up with cybercriminals:

  • Using Security-as-a-Service to counter the operations of Cybercrime-as-a-Service; these services have the same flexibility as the cybercriminals
  • Using specialised consultants to augment the corporate in-house team, providing more expertise and focusing its resources
  • Offering performance incentives and recognising the efforts of your cybersecurity team, which encourages them to create stronger defences and patch vulnerabilities faster
  • Continuing to experiment to determine the ideal mixture of metrics and incentives for your organisation, as each one is different

The Future Looks Bright for Cybersecurity

While all of this sounds like bad news, the authors of the report do suggest there is some good news. They say that more companies are beginning to recognize how serious the problem of cybersecurity is, and they are taking the necessary steps to address it. As the IAM solutions company One Identity has stated, “Static security, based on a collection of unlinked security factors, is no longer sufficient for controlling access.” The authors still warn that security tools and solutions have a hard time keeping up with the cybercriminal market. While some of this may be inevitable, it can also be minimized by organizational innovation.
