Organized Cyber Crime

I have been on the road so I am playing a bit of catch-up these days, but I saw this article a couple of days ago and it reinforced a couple of things I have been thinking about for a while.

The article discusses how attacks and penetrations on computer systems are increasingly being committed by organized criminals looking for money rather than crackers looking for recognition.  This follows the pattern we have seen where the goal of attackers is no longer to “get root” on a machine.  Rather, the attackers are targeting the information resources housed on the machine because those are the assets that have value.  Why go to all the trouble of trying to get root access to a server when you can just go through a web application, avoid all the intrusion detection systems, and get access to the information resource you were after anyway?

A lot of CSOs we work with are still over-concerned with preventing attackers from “getting root”, and that makes them focus too much on comparatively rare vulnerabilities like command injection when they should be focusing on the problems everyone has, like SQL injection and parameter/cookie tampering.  Folks need to understand that “getting root” isn’t as cool as it used to be – these days attackers are trying to steal sensitive information assets and actually make some money.

–Dan
dan _at_ denimgroup.com

About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.
