We are in the midst of a cybercrime wave. For many security professionals, it’s manifesting as an increase in sophisticated phishing activity. Others are becoming victims of ransomware. Still others are seeing an increase in brute force attacks on their networks. Cybersecurity is quickly taking center stage in the C-suite and in boardrooms across the world. CISOs and cybersecurity professionals are busier than ever, and they are looking for ways to organize their approach to the CISO function.
Think of the emotions you would have if someone walked into your residence and took your most valued possessions. Your reaction is normal if you answered that you would feel angry, frustrated, victimized, or violated. Tell your story to some friends at your favorite Friday night restaurant and watch their reactions. Now, imagine that your friends leave the restaurant at 8:30 pm and head home, but you decide to stay behind. When you finally do leave, you leave alone and decide to take a shortcut through a darkened alley. You are accosted by a couple of thugs hiding behind a dumpster – you are beaten and they take your jewelry and purse with all your money, driver’s license, credit cards, and keys.
Because we are seldom confronted by a physical criminal, many of us in information security tend to forget the reality that behind every phishing e-mail, behind every ransomware attack, behind every brute force attack against our networks sits a criminal. Even a 16-year-old kid hacking into your network to see if he can is the equivalent of a very disrespectful trespasser jumping your fence and violently shaking your back door at 3 am to see if he can get in. We should never lose sight that we are in the business of not only safeguarding our company’s property but also dealing with criminals. Some of these people are very scary and they will hurt you.
In the 1970s, criminologists Marcus Felson and Lawrence Cohen developed Routine Activity Theory. What these two gentlemen began to notice is that crime tends to occur in clusters, like darkened alleys, late at night, in certain parts of town. Their theory was foundational in part because the theory extended our understanding of criminal activity beyond the offender and encompassed broader environmental factors. In time this theory gave rise to crime triangles, which are similar to the fire triangle.
A fire triangle presupposes that for a fire to exist, a source of fuel must be present, along with oxygen and heat. The presence of fuel, oxygen, and heat creates the conditions that allow the chemical reaction of fire to sustain itself. Deprive a fire of any one of these needed elements and the fire triangle collapses. Firefighters do this through a variety of tools. Water is favored because it is plentiful and takes heat away from a fire, causing it to extinguish. Sometimes firefighters use a special kind of foam that forms a barrier between the fuel and the atmosphere, depriving the fire of the oxygen needed for combustion.
Crime triangles operate in a similar fashion. In order for a crime to happen, three factors must be present: the victim, the criminal, and an opportunity. In the example at the beginning of the article, a crime occurred because a person decided to walk through a dark alley late at night where two criminals were present. The criminals and victims were present and the criminals had an opportunity to perpetrate a crime. The crime triangle formed.
If the victim had never taken the shortcut through the darkened alley, the victim would not have been present and the crime triangle would have collapsed. The same would be true if a policeman guarded the alley and strong lighting illuminated it. In that case, the criminals would have been deprived of an opportunity to commit a crime. Finally, if a previous police roundup had arrested the criminals for other crimes, the criminals would not have been present in the alley to commit the crime.
The lessons learned from crime triangles were manifold. First, they moved us away from thinking only about criminals and forced us to think about our own actions and about the environment conducive to crime: the opportunity. This allowed proactive policing to focus on the factors that foster crime: the opportunity for crime, the presence of criminals with intent, and the behavior of victims.
In the context of being a corporate security officer, it’s sometimes useful to adopt proven tools that have worked well in the past. The crime triangle is an example of a good tool. Like crimefighters of the early 20th century who focused exclusively on the criminal, cybersecurity experts today tend to focus almost exclusively on vulnerabilities. A question that the author asks routinely at conferences is whether the authorities were called after a cybersecurity breach. It’s uncomfortable to hear that too many times the authorities are never contacted, even when there are direct ties to a US domestic criminal element.
Cybersecurity professionals many times fall into the misconception that a creator of viruses or phishing scams always hails from a faraway country and that focusing on eliminating vulnerabilities is the only approach to protecting against cybercrime. In that view, the threat is simply something to be accepted. Cybercriminals walk among us. They could be sitting in the chair next to you at a security conference. Even if the cybercrime is international in nature, sharing it with local authorities can be helpful. US law enforcement does coordinate with multiple legal entities around the world and we do bring criminals to justice – even those in faraway lands.
If you suffer a cybercrime against your company, prudently encourage the officers of the company to share as much information as they can with the relevant authorities, in alignment with your company policy. It’s natural to feel shame or to worry about public exposure, so develop a plan that works for your company and that helps authorities bring bad actors to justice. Every cybercriminal that is arrested and prosecuted is one less targeting our enterprises.
On the other leg of the triangle, work to lower your company’s profile as much as possible. It’s natural to feel pride in the great success your company is enjoying, but don’t be overly prideful of your company or of your unique solutions. Many times corporate employees are too willing to share the particulars of their application or network landscape with vendors and third parties without considering that criminals could use that information to target the enterprise. Sometimes company executives require harsh NDAs with a vendor but go on to share very detailed company diagrams and publicly boast at conferences of the very valuable information held by their companies or their long list of prestigious clients, or they tout the efficacy of their cybersecurity program – sometimes directly challenging criminals to target them. Share your business case with your qualified prospects and be guarded with everyone else. In other words, don’t lock your front door and leave your back door and windows wide open. And, whatever you do, don’t taunt the criminals – they can get in and they will, particularly if they are motivated.
If you haven’t already, please consider thinking of information security as a criminal matter. Behind every kid-hacker is a trespasser jumping your fence and testing your doors at 3 am to see if they’re locked. Someone who codes viruses is the same as a vandal who willingly takes a baseball bat to your mailbox. Behind every ransomware attack is a real criminal who is looking to take your property by force and fear. Behind every hack or phishing attack is a criminal who is attempting to steal your information or your customers’ valuable property. These are not good people. These are people you would not welcome into your home. These are people who should be prosecuted. It’s going to take all of us working together to control the wave of cybercrime that we are experiencing:
- Bad Actors: point them out to the authorities. There are many bad actors, both international and domestic. Develop a policy within your company directing the coordination with local authorities depending on incident type. Reach out to and coordinate with your local authorities. Every ransom paid, whether from insurance or out of company funds, empowers criminals and further develops the criminal ecosystem. Every incident where law enforcement is not consulted is a lost lead that potentially leaves a criminal out in the field to attack another corporation. Even if you don’t think you get much value from your police relationship, sharing as much information as you reasonably can provides valuable leads for law enforcement to follow. Those leads could lead to the removal of a criminal or criminal syndicate from the ecosystem.
- Vulnerabilities: have a comprehensive plan to protect your property. No security program can protect against all vulnerabilities. Identify the most important information that you have to protect, your crown jewels, and focus on protecting that critical information. Use the various standards, like ISO 27002, NCSC, ETSI’s TC CYBER, or NIST, to develop a pragmatic plan to protect your vital information and critical process vulnerabilities. Establish a compliance program and follow it diligently. Leverage formal audits and attestations like SOC1/SOC2 to audit your processes and ensure compliance. Subscribe to best practices from product vendors regarding network architecture, patching, and updating of systems, and use virus protection. Finally, leverage professional networking groups to network with your peers and keep up to date on the ever-changing security landscape.
- Your Company: don’t unnecessarily advertise that you have items of value, and don’t share your treasure map. Have a policy over the types of information that your company can share with the public, with third-party vendors, with customers, and with partners. Do not unduly share the type of information your company deals with, your network architecture, or details of your security processes and procedures. Even seemingly innocuous details, like always appending your title to your e-mails, could be used by criminals to map out your organization (use signature lines for introductory e-mails only). Do not elevate your company’s posture unnecessarily.
In summary, do everything you can to eliminate as many vulnerabilities as possible. Lower your profile by not exposing your company’s information. If you see a crime or are a victim of a crime, share as much as you can with the local authorities so that the next innocent person who walks down a dark alley has less of a chance of becoming a victim. And, avoid walking down dark alleys at night.
References:
Cohen, Lawrence E.; Felson, Marcus (1979). “Social Change and Crime Rate Trends: A Routine Activity Approach”. American Sociological Review. doi:10.2307/2094589. JSTOR 2094589.
Lynch, James P. (1987). “Routine Activity and Victimization at Work”. Journal of Quantitative Criminology. doi:10.1007/BF01066832. JSTOR 23365566.
Pratt, Travis C.; Holtfreter, Kristy; Reisig, Michael D. (2010). “Routine Online Activity and Internet Fraud Targeting: Extending the Generality of Routine Activity Theory”. Journal of Research in Crime and Delinquency. doi:10.1177/0022427810365903.
About the Author:
Joe Marroquin is a CISO and cybersecurity professional. A former U.S. naval officer and combat veteran, Joe has spent the last 25 years consulting for Fortune 500 and Global 50 corporations. A C-suite executive and board advisor, Joe is a published author and public speaker who writes and speaks on security and on the intersection of business and disruptive technologies.