What’s Your Data Worth to Cyber Criminals?

Enterprise decision makers often ask me what process they should follow to budget for security. While most mature organizations use one or more of the common approaches, the changing security landscape justifies their quest in looking for a new perspective.

To truly understand the risks they face today and budget appropriately, organizations need to fundamentally change the way they think about cyber threats.

What constitutes ‘risk’ in the digital world?

Risk, in this context, means business risk: impact on the bottom line, brand reputation or customer relationships.

Traditional IT security risk assessments take what’s known as a ‘defender’ view to determine risk as a function of threat, vulnerability and impact. They start by identifying a specific threat and then try to figure out how vulnerable the organization is to it – and the likely business impact of a security breach targeting that vulnerability. Weighing all of that, the organization can then determine how much to spend on which types of resources to block the specific form of attack.

This, however, is becoming less useful in real life scenarios. Practically speaking, the probability of a threat exploiting a specific vulnerability is becoming very low in well-managed organizations – while at the same time, the impact of such incidents has been steadily increasing. This limits the traditional model’s usefulness in making risk-based budgeting decisions.

What’s missing from the equation is — to borrow from detective stories — “motive”. Why would someone attack in the first place?

Cyber criminals are in it for the money

The Internet has become a bustling pipeline for e-commerce, pushing customer value one way and money the other. More than a trillion dollars worth of e-commerce transactions were made in 2014 – and that number is only going to climb in the years to come.

The high volume and value of Internet transactions is attracting new kinds of adversaries: cyber criminals and spies. Unlike traditional hackers and crackers, they’re not looking to cause random disruption.

They’re seeking a return on investment.

Calculating risk from the attacker’s point of view

This evolved adversary profile suggests an alternative way of looking at risk – namely, from the attacker’s point of view. In this new model, risk becomes a function of how much an attacker stands to benefit from breaching an organization, weighed against the cost of carrying out the attack and the probability of negative consequences.

Let’s put this new model into action. We’ll use stolen credit card accounts as an example, since these are among the most frequently traded cyber theft commodities.

The price of black market credit card numbers varies with supply and demand. Lately, it’s averaged between $15 and $20, but that’s expected to drop to about $1 due to oversupply following some major retailer breaches in the last year. So if a breach yields 10 million credit card records, even at a conservative dollar for every card, that attack is potentially worth $10 million.

What will it cost the attacker to realize that return? The answer can vary, but the table below shows typical prices for some of the tools and services adversaries can buy to attack an organization:

Cyber crime tool	Price (USD)
Malware source code	$100 – $100,000
Exploit kits (also known as exploit packs)	$150 – $2,200
Bulletproof hosting for rent	$150 – $250 per month
Paying for malicious installs (malware) by country	$6 – $150 per 1,000 installs
‘Zero day’ exploits	$100,000 – $5,000,000

Based on these numbers and intelligence gathered from recent breaches, a cyber criminal could put together a strong attack package for under $500,000. That amounts to a return on investment in the range of 2,000 percent!

By any standard, that’s a powerful business case. But what about the last variable – negative repercussions? Surely the attacker is breaking the law and risks a long prison sentence just as a bank robber would, right?

Not necessarily.

This is where cyber crime becomes a geopolitical issue. Cyber crime laws are not uniform, and there are many countries where attackers feel safe as long as their activities do not affect local businesses or governments. Cyber crime organizations operating in these jurisdictions are often run as businesses, virtually unaffected by the laws in other jurisdictions.

The bottom line

By calculating the potential return on investment an attacker might get from your data, you can determine if your organization presents a lucrative target.

In the end, the best advice is to use multiple approaches when assessing your risk and evaluating your security budget – both the traditional threat model and the attacker-focused risk model. Knowing how much your data is worth will help you budget for protecting it.

The protection you need will also depend to some degree on the nature of the specific threats you face, so check out what Bell offers in its wide range of security solutions for medium and large enterprises as well as for small businesses.

By Matt Broda, Security Technical Fellow at Bell