In this article Martijn Sprengers, information security advisor at KPMG IT Advisory, talks about developments in cybercrime. He shares his view on the risk of cybercrime and explains different cyber security methods.

Managing cyber risk through the eyes of an attacker

Open the newspaper or your favorite online blog and you see examples of identity theft, cybercrime, hacking and digital espionage every day. Should organizations worry? Should you worry? Yes, you should, but not more than about any other risk. Security, and especially digital security, is often approached from the perspective of Fear, Uncertainty and Doubt (FUD). Because of its digital and intangible nature it can be hard to grasp, let alone understand, all the threats and the capabilities of threat actors. That is exactly why it has become a key theme in today's business reality. Now that the success of many organizations has proven to depend on digital assets, they should start looking at cyber security as an opportunity that adds value to a company's products and services. In this article I will mainly focus on learning from your opponent: becoming more resilient to digital threats by looking through the eyes of an attacker.

Looking through the eyes of an attacker

To ensure that the company's most important (digital) assets are safe, it is important to know who wants to attack your organization, and why. In other words: what are the most relevant threat actors and what are their motivations to target you or your organization? Is it digital vandalism? Hacktivists who pursue idealistic goals? Organized crime or state sponsored espionage? The threat landscape is changing: these groups used to operate independently, whereas today they are more and more connected. For example, a hacker can work alone one day, join an activist campaign the next, and later be hired by a government to develop state sponsored malware.
Given this fear, companies want to protect all their assets, but that is unfeasible. It is not a matter of whether attackers will breach their security, but when. Therefore, companies should focus on implementing preventive, detective and responsive measures while assuming that the attacker has already compromised their first layer of security. For example: it is not only about keeping viruses and malware off your employees' laptops, but also about detecting any malicious behavior or misuse, as I usually see that five to eight percent of laptops are infected with malware. During my penetration testing activities, I don't have to attack the structured data sources (e.g. databases or ERP applications) anymore. Infecting one end-user who has access to SharePoint or shared folders is usually enough to steal the 'crown jewels' of an organization. You will also see this approach in the cybercrime underground. In the last year an emerging group of hackers called FIN4 has used the same methods. They do not penetrate deeply into the network of their victim company; they only obtain access to the e-mail inboxes of specific, targeted employees (in finance departments, for example). They then use the information obtained, such as upcoming mergers and acquisitions and trading information, to gain an advantage on stock exchanges or to sell the data on online marketplaces.

From system to data oriented security

Since systems are more and more connected, organizations are continuously exposed to all kinds of digital threats. Some companies are attacked thousands of times a day. However, this does not mean that these attacks are successful and that the hackers are able to modify or steal your most important data. Earlier, these 'crown jewels' were tangible and easily protected by putting them in a (digital) vault, for example in structured sources such as databases. As a result of this tangibility and simplicity, companies organized their IT security at system level.
This means that on a technical or operational level the individual systems are usually reasonably well protected. However, the focus of IT security should actually be on the data level: where in your (digital) organization are these crown jewels stored? They can be virtually anywhere, especially in unstructured data sources: in the mailboxes of employees, in cloud services (like Dropbox) or on smartphones. An attacker does not look at the security of an individual system; he is looking for the weakest link in the complex IT environment. During my recent penetration tests, in which I test the security of companies by trying to hack my way in, I don't have to attack structured data sources anymore. Infecting one end-user's laptop which has access to sensitive data is usually enough to steal the company's crown jewels. The same pattern can be seen on the dark side of the Internet. For example, one of the prevalent threats is the group of hackers called FIN4. Without penetrating deeply into their target's network they copy the e-mails of employees, usually after carefully selecting their targets. This group is especially interested in information regarding mergers and acquisitions at large multinationals and financial institutions. The information is then sold on the black market or used to their own advantage in stock trading. Another emerging threat is the theft of intellectual property, usually performed by nation states such as China. A recent example of this is the breach of ASML's security. The problem with these attacks is that nothing gets 'stolen', only 'copied': the data is not modified and still resides on the organization's systems, so the victim may never notice. To mitigate such attacks, the focus of companies should be on protecting their data, not only their systems.
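The detective measure described above, assuming the attacker already sits on one end-user's laptop with access to SharePoint or shared folders, comes down to noticing that one account suddenly reads far more documents than any employee would. The following is an added example written for this article, not code from the author or from KPMG: a small Go detector that runs over a constructed file-share audit log (the log lines, their comma-separated format and the operation names are assumptions for the example, not a real SharePoint export) and flags any account that touches at least a threshold of distinct files within a sliding time window.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// sampleLog is a constructed file-share audit log, not a real SharePoint export;
// its format ("RFC3339 time,user,operation,path") is assumed for this example.
const sampleLog = `
2015-03-02T09:00:00Z,alice,FileAccessed,/finance/budget-2015.xlsx
2015-03-02T09:55:00Z,alice,FileAccessed,/finance/forecast-q2.xlsx
2015-03-02T11:02:00Z,bob,FileAccessed,/legal/project-falcon/loi.docx
2015-03-02T11:02:20Z,bob,FileDownloaded,/legal/project-falcon/term-sheet.pdf
2015-03-02T11:02:40Z,bob,FileAccessed,/legal/project-falcon/valuation.xlsx
2015-03-02T11:03:00Z,bob,FileDownloaded,/legal/project-falcon/due-diligence.zip
2015-03-02T11:03:20Z,bob,FileAccessed,/finance/forecast-q2.xlsx
2015-03-02T11:03:40Z,bob,FileModified,/finance/forecast-q2.xlsx
2015-03-02T11:04:00Z,bob,FileAccessed,/finance/budget-2015.xlsx
2015-03-02T11:04:20Z,bob,FileDownloaded,/hr/org-chart.pdf
2015-03-02T11:04:40Z,bob,FileDownloaded,/rd/patent-filings.xlsx
2015-03-02T13:00:00Z,carol,FileAccessed,/hr/policy-leave.pdf
2015-03-02T13:30:00Z,carol,FileAccessed,/hr/policy-travel.pdf
`

type Event struct {
	When           time.Time
	User, Op, File string
}

type Alert struct {
	User       string
	Files      int
	Start, End time.Time
}

// ParseAuditLines parses the format above, skipping blank lines and rejecting malformed ones.
func ParseAuditLines(lines []string) ([]Event, error) {
	var events []Event
	for _, line := range lines {
		if line = strings.TrimSpace(line); line == "" {
			continue
		}
		f := strings.SplitN(line, ",", 4)
		if len(f) != 4 {
			return nil, fmt.Errorf("malformed audit line: %q", line)
		}
		t, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("bad timestamp in %q: %w", line, err)
		}
		events = append(events, Event{When: t, User: f[1], Op: f[2], File: f[3]})
	}
	return events, nil
}

// FindBulkReaders flags every user who read or downloaded at least threshold distinct files inside some sliding window.
func FindBulkReaders(events []Event, window time.Duration, threshold int) []Alert {
	byUser := map[string][]Event{}
	for _, e := range events {
		if e.Op == "FileAccessed" || e.Op == "FileDownloaded" {
			byUser[e.User] = append(byUser[e.User], e)
		}
	}
	var alerts []Alert
	for u, evs := range byUser {
		sort.Slice(evs, func(i, j int) bool { return evs[i].When.Before(evs[j].When) })
		inWindow := map[string]int{} // distinct files currently inside the window
		best, start := Alert{User: u}, 0
		for end := range evs {
			inWindow[evs[end].File]++
			for evs[end].When.Sub(evs[start].When) > window { // age out the left edge
				if inWindow[evs[start].File]--; inWindow[evs[start].File] == 0 {
					delete(inWindow, evs[start].File)
				}
				start++
			}
			if len(inWindow) > best.Files {
				best.Files, best.Start, best.End = len(inWindow), evs[start].When, evs[end].When
			}
		}
		if best.Files >= threshold {
			alerts = append(alerts, best)
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].User < alerts[j].User })
	return alerts
}

func main() {
	events, err := ParseAuditLines(strings.Split(sampleLog, "\n"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", FindBulkReaders(events, 10*time.Minute, 6))
}
```

With a ten-minute window and a threshold of six files, only bob's sweep across the legal, finance, HR and R&D folders is flagged; alice and carol, who open a document every half hour or so, are not. The window and threshold have to be tuned per share, and the alert carries the start and end of the peak window so an analyst can pull the exact files that were touched. The same logic runs unchanged against the audit trail a file server or SharePoint farm already writes; the point is that the detection sits at the data, where the crown jewels are, rather than at the perimeter the attacker has already passed.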
Encryption provides less security than expected

Another preventive measure that organizations use to protect their data is encryption: using a secret key to ensure that only authorized personnel with knowledge of this key can access the crown jewels. However, encryption can give a false sense of security, as it is often not correctly implemented or insecurely configured. As a professional hacker, encryption never held me back (for long) from stealing the 'crown jewels' of organizations while testing their security. With just simple attacks (like an SQL-injection or
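Two of the most common ways encryption ends up "not correctly implemented or insecurely configured" are a deterministic mode that leaks which records share a value, and a mode with no integrity check that will happily decrypt whatever an attacker has modified. The following is an added example, not code from the article or from KPMG: it encrypts a constructed payment record (the field values are made up) with AES in ECB mode, the mistake, and then with AES-GCM, the corrected configuration, and shows both the repeated-block leak and the silent acceptance of a tampered ciphertext. The key, the record layout and the function names are assumptions for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// samplePlaintext is a constructed payment record whose account field repeats;
// a deterministic mode turns that regularity into a visible ciphertext pattern.
func samplePlaintext() []byte {
	return []byte("ACCT=NL01ABCD001ACCT=NL01ABCD001ACCT=NL01ABCD001AMT=000000100.00ACCT=NL01ABCD001")
}

// ecbApply encrypts (or, with decrypt=true, decrypts) each 16-byte block on its own
// under the same key: no IV, no chaining, no integrity tag. Go's standard library
// deliberately ships no ECB mode; this loop is what a developer writes to get one.
func ecbApply(key, in []byte, decrypt bool) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(in)%bs != 0 {
		return nil, fmt.Errorf("input length %d is not a multiple of %d", len(in), bs)
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += bs {
		if decrypt {
			block.Decrypt(out[i:i+bs], in[i:i+bs])
		} else {
			block.Encrypt(out[i:i+bs], in[i:i+bs])
		}
	}
	return out, nil
}

// repeatedBlocks counts ciphertext blocks that duplicate an earlier one; any
// value above zero tells an attacker which records share a field value.
func repeatedBlocks(ct []byte, bs int) int {
	seen, n := map[string]bool{}, 0
	for i := 0; i+bs <= len(ct); i += bs {
		if k := string(ct[i : i+bs]); seen[k] {
			n++
		} else {
			seen[k] = true
		}
	}
	return n
}

// sealGCM is the corrected configuration: AES-GCM with a fresh random nonce per
// message and an authentication tag. Output layout is nonce || ciphertext || tag.
func sealGCM(key, pt, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, pt, aad), nil
}

// openGCM fails closed: any change to nonce, ciphertext, tag or aad is rejected.
func openGCM(key, msg, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(msg) < aead.NonceSize() {
		return nil, fmt.Errorf("message too short: %d bytes", len(msg))
	}
	return aead.Open(nil, msg[:aead.NonceSize()], msg[aead.NonceSize():], aad)
}

func main() {
	key := make([]byte, 16) // AES-128 throwaway key for the demo
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	pt := samplePlaintext()
	ecbCT, _ := ecbApply(key, pt, false)
	gcmCT, _ := sealGCM(key, pt, nil)
	fmt.Printf("repeated blocks: ECB=%d GCM=%d\n", repeatedBlocks(ecbCT, 16), repeatedBlocks(gcmCT[12:], 16))
	ecbCT[0], gcmCT[len(gcmCT)-1] = ecbCT[0]^1, gcmCT[len(gcmCT)-1]^1 // flip one bit in each
	garbage, ecbErr := ecbApply(key, ecbCT, true)
	_, gcmErr := openGCM(key, gcmCT, nil)
	fmt.Printf("tamper rejected: ECB=%v (silently decrypted to garbage: %v) GCM=%v\n", ecbErr != nil, string(garbage) != string(pt), gcmErr != nil)
}
```

The ECB ciphertext shows three repeated blocks, exactly mirroring the three repeats of the account field in the record, so an attacker who can read the encrypted table still learns which rows belong to the same account without ever touching the key; the GCM ciphertext shows none, and the bit flip that ECB decrypts without complaint makes GCM's Open return an error. Note that GCM only fixes these two defects: if the key sits in the same database or configuration file that the attacker reaches through the application, the authenticated ciphertext decrypts just as readily for them as for the application, which is why the key belongs in a separate store (an HSM or key management service) with access restricted to the service that needs to decrypt.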