Chapter 1: Defining Data Loss
that use them aren’t receiving as much security auditing as traditional
client-based applications and services. Furthermore, the policies and
procedures for using these new services haven’t kept up with the
technology and the working practices that go along with it. As a result,
threats to confidential information are on the rise.
But even before Web 2.0 is fully implemented, the IT risks that go along with
it are entrenched. The next few sections take a closer look at these risks.
The business of cyber-crime
With more people going online all the time, the latest security-threat reports
from the IT industry show a worrisome shift in attackers’ behavior, motivation,
and execution over the past five years. Malicious hacking isn’t just an
obnoxious prank anymore. Today’s security-threat environment is characterized
by an increase in data theft and data leakage, and in the creation
of malicious code that targets specific organizations for information that
the attacker can use for financial gain. Attackers are becoming more
“professional” — even commercial — in the development, distribution,
and use of malicious code and services. Figure 1-2 shows how the same processes
used to develop commercial products are now used by cyber-criminal
gangs to bring new “products” efficiently to market.
Figure 1-2: Industrialization of e-crime. [Diagram labels: The Internet; Central Management and Marketing; R&D; Business Development; Investment; Sales; Logistics; Manufacturing; Software Design; Vulnerability Discovery & Exploitation; Malware Production; Malware Deployment (e.g. Botnet); Criminal Actions; Money Laundering; Criminal Mobility (using the Internet); Law Enforcement: Network Intervention, Awareness Raising, Market Disruption.]