Blog Author

Howard Schmidt


ISF
President

Howard Schmidt's blog 28-08-2009 12:40

After SaaS comes CaaS

I guess it was inevitable. With the growth in SaaS (Software as a Service), it was only a matter of time before we saw CaaS - Crimeware as a Service.

Criminal gangs are now offering services such as DDoS attacks, botnet rental, malware creation and electronic money laundering. And then there are the more exclusive, targeted services such as whaling to attack high net worth individuals and organisations.

CaaS is one of the emerging threats associated with organised cybercrime, which is at the top of the latest Information Security Forum (ISF) Threat Horizon 2011 report. Criminal syndicates are also developing more sophisticated malware such as viruses and Trojans sold on a ‘commercial’ basis with guarantees including non-detection by anti-malware software and full helpdesk support.

There is a clear shift to highly targeted and planned attacks using a combination of social engineering and technical methods to steal identities and information for fraud. And it’s not just the large corporations under threat. A recent US report indicated that organised cyber-gangs in Eastern Europe are increasingly preying on small and mid-size companies to steal valid banking credentials in order to make fraudulent funds transfers. While not attracting the same level of notoriety as larger-scale breaches, many of these smaller businesses have suffered major losses.

As well as using remote techniques, there is also evidence that criminal organisations are recruiting employees as moles or sponsoring students through their IT education and placing them into targeted organisations. These threats are being accelerated by the financial crisis, fuelled by increasing staff turnover and dissatisfaction and the view that online crime is a lucrative and low-risk alternative to other nefarious activities.

The other threats in the ISF’s Top 5 are weaknesses in the IT infrastructure, tougher statutory environments, pressures on outsourcing and offshoring and the erosion of the network boundary.  Mobile malware, Web 2.0 vulnerabilities, espionage, insecure user-driven developments and changing cultures with a blurring of the boundaries between work and personal life, make up the remainder of the Top 10.

While many of the threats in 2011 are familiar ones, they are evolving to present new and sophisticated attacks. But the advent of cloud computing, for example, will also pose a new breed of threats and it is important to have the right controls in place to mitigate the risks.

Data is now the gold, the silver and diamonds of the online world and criminals increasingly see it as a low-risk way to steal money without going anywhere near the crime scene. But even in today’s financial climate and increased threat environment, we are better placed than ever before to meet these challenges – as long as we have the resolve to strengthen and invest in security rather than reduce it. Awareness and education are central. The new generation corporate culture driven by a younger, more techno-savvy workforce presents benefits but new employees must also be made fully aware of information risks and the need for tighter controls that may restrict their IT freedom.

The ISF Top 10 Threats

1. Criminal attacks
2. Weaknesses in infrastructure
3. Tougher statutory environment
4. Pressures on offshoring / outsourcing
5. Eroding network boundaries
6. Mobile malware
7. Vulnerabilities of Web 2.0
8. Incidents of espionage
9. Insecure user-driven development
10. Changing cultures

 



Permalink:
http://www.infosecurityadviser.com/view_message?id=138
