Lloyd notes that she could teach a rank beginner to use a framework and execute an attack within half an hour. "I guarantee it would get through and you would be able to take over a corporate target," she says. "It's that easy."
Both nation-states and organized crime can easily afford even the most sophisticated exploit frameworks, the most expensive of which cost about $20,000.
Education Is Key to Mitigating Data Breach Risk
There is no magic bullet for defending your business against this form of attack, but there are steps you can take to mitigate the risk.
First and foremost, education is the key. Employees need to understand what risks and attacks look like, from a social engineering attack by a hacker on the phone trying to get an employee to divulge sensitive information to an intriguing link in an unsolicited email.
Second, security specialists and system administrators need time.
"You have to make sure that the staff you have defending you, not just security specialists but system administrators, that they actually have the time to look for signs of attack," she says. "You need people with sufficient spare clock cycles to actually look for signs of attack. It's not about buying new equipment. That's not an answer for this problem. It's not about firewalls and it's not about intrusion prevention systems. It's about human beings properly configuring the systems they've got and looking for the signs on their network. It's about educating staff, because the easiest way to attack is through human beings."
Software that can review logs and send alerts about suspicious activity is also a must, Lloyd says, noting that free, open source solutions are available. In many cases, the logging capabilities of servers and network appliances are switched off, or the logs are never looked at and are eventually overwritten.
"Even firewall logs are generally not reviewed," she says. "You need human beings to actually look at logs and look at security incidents and actually review them."
Thor Olavsrud is a senior writer for CIO.com. Follow him @ThorOlavsrud.