As I sit in a jury duty waiting room on a summer morning, I’m reminded of a close friend of mine who worked in a grocery store during his high school years and was famous for a people-watching observation he made during those long hours stocking shelves: the grocery store is the great equalizer - everyone has to shop for groceries. All socio-economic levels. All races and creeds. All genders, ages, sexual preferences, and all political parties. The grocery store doesn’t discriminate.
The same could be said for the DMV…and jury duty. As I scan the room filled with my jury candidate colleagues awaiting our numbers to be called, I see faces from every walk of life. No matter who you are or where you’re from, you can’t escape jury duty indefinitely (aside from a bed-ridden illness). The call is random, and everyone gets their turn in the barrel.
So what does this have to do with cyber security? Hollywood teaches us that bad actors deliberately plan and target specific organizations for attacks, painstakingly researching and stalking their prey for months before launching complex and innovative attacks. And, without question, nation-state actors and perhaps highly sophisticated cyber crime syndicates do operate this way.
But there are countless cyber criminals perfectly content to randomly scan the internet for vulnerable machines and launch attacks without distinction. Like the DMV and jury duty, they don’t discriminate.
There was a time, before the advent of cryptocurrency gave criminals an untraceable means of monetizing ransomware attacks, when cyber criminals targeted specific organizations almost exclusively. Nation-state actors were interested in national security or intellectual property secrets held by targeted organizations; hacktivists attacked pre-determined enterprises on a mission to embarrass or discredit them; and financially motivated cyber criminals looked to steal valuable data, like medical records, that could be illicitly sold to those who exploited it for fraudulent profit schemes.
But today, with ransomware understandably all the rage amongst profit-seeking bad actors, specificity of the target is of much less concern.
Does an enterprising young cyber criminal prefer to hold hostage the data of a 500-person manufacturing company in rural Indiana, or that of a high-profile investment bank in New York City? The ransom dollars from either are the same shade of green…or, more accurately, the same bitcoin zeros and ones. In fact, the investment bank is likely much better prepared to defend itself from an attack, so the much-less-sexy manufacturing company is probably the more attractive target.
Fortunately for the bad actors, there are a number of readily accessible tools that cyber criminals can use to scan the internet for vulnerable devices, and they can rescan the entire internet on an hourly basis. So the broad availability of scanning tools, combined with a ransomware profit motive that attracts more and more bad actors, translates into much higher risk for any enterprise connected to the public internet.
In today’s threat landscape, you don’t have to be a high-profile private or public organization to be targeted. You don’t have to be storing highly valuable technology IP or high-value health records, and you don’t have to piss off a hacktivist group with a bone to pick. You simply have to have an unpatched vulnerability that shows up on the list a threat actor gets back from an indiscriminate scan of the internet.
Keeping your figurative head down and banking on anonymity as a defense won’t work to avoid jury duty, or a cyber attack.