The criminal mind, and why it should inform your cyber security program.


In 1997 I met Boston (name changed to protect the guilty) in high school.  Boston was a bit socially awkward and not the best student; however, one exceptional talent Boston did have was that he was adept at working with computers.  As we all graduated high school we wanted to go to the local bar, but being underage presented a problem.  Boston, however, discovered a new, amazing program called Photoshop!

With a lot of patience and a moderate amount of practice, Boston learned how to create fake I.D.s in a snap!   Life was good, especially for Boston, who charged us all $100.00 per ID.  If the bouncer took your ID, Boston was always able to sell you another.  As our group of extended friends passed the age of 21, he no longer had a trusted network of consumers to sell his wares to; his market had dried up…

One day Boston turned and said to me, “I need to find a way to make money that doesn’t fluctuate.  I bet you I could print money!”

“What?”… I replied

He explained how those little pens that you use to mark money with are looking for starches that react with iodine.  “You can purchase ‘cotton paper’ and just print on that,” he stated.  No reaction to iodine…  The problem was that if you got the bills wet, the ink would run all over the place.  Still, he was willing to give it a shot.

Again, with a lot of patience and a moderate amount of practice, Boston was printing 20 dollar bills in bulk.  His primary targets were underpaid cash clerks at places like the movies or fast food restaurants.  Boston was living quite nicely until one day he was almost caught.  According to his account, a drive-through employee stated that local banks had contacted businesses he had been targeting, requesting more information, surveillance video, etc.  It turns out the Secret Service does not take kindly to money counterfeiting, even on a small scale…

What does any of this have to do with a corporate cyber security program, you may ask?  Today, cyber criminals by and large are no longer computer nerds breaking into systems just to see if they can.  Today’s cyber criminals are generally motivated by one of two things:

  1. Hacktivism – hacking activity aimed at promoting a social or political cause.
  2. Money – I think we can all identify with this one…

If you look at the trend over the last 12 – 18 months, you’ve seen a dramatic rise in ransomware.  Why do you suppose that is?

  1. The market for fake credit cards is simply not as vibrant as it once was.
  2. If you’re a hacker who steals 100,000 credit cards, you need a middleman to sell those cards to.

You’re in effect shrinking your profit margin by allowing the broker to take a cut of your card data theft.  Ransomware solves this problem quite simply by moving money directly from the extorted company to the attacker, with no broker in between.  The motivation for today’s hackers is the same as Boston’s: extract the most money, in the most predictable way, with the least amount of overhead.

When CSOs and CISOs are developing their security programs, they need to put one question at the forefront:  How will attackers attempt to extract money from my organization?

When you have this question at the center of your security program, many things fall by the wayside.  You can start to have a laser-like focus on protecting the data and assets that are of real value to attackers, rather than spreading the same effort evenly across everything.  One of the great quotes that came out of RSA this year was:

“Risk is Science”

We can no longer afford to view risk assessment as an art; it must be a science if we are to mount any sort of meaningful defense.  When you’re faced with the challenge of building an effective security program, remember the attacker’s motivations, remember what’s of real value to your business, and remember to prioritize your defenses around those assets.

Originally Posted on LinkedIn:

