« on: November 08, 2015, 07:53:04 am »
Foreword: This piece of writing is a break away from the low-level technical discussions that proliferate on this board, and instead seeks to explore a high-level framework analysis of information security's peremptory norm: 'overkill'.
INFORMATION SECURITY OVERLOAD
From traffic lights and speed cameras to passwords and firewalls, most of our lives are touched by information security controls implemented to keep us safe. Most of us are fine with this, as the consequences of too little security are well known. Within the information management world, security controls are complex and myriad. This is for good reason: it is widely recognized that information security requirements are constantly changing, with no silver-bullet solution. The 2015 Cyber Threat Intelligence Summit held in Washington recently noted that:
“An evolution in the goals and sophistication of computer intrusions has rendered (previous security) approaches insufficient”.
It can be said that cyber security is slowly getting lost in the ever-expanding cyber threat landscape.
The common approach taken by industry to this issue has arguably been one of ‘Simon Says’, where an increase in threat dictates an increase in security. In fact, information security spending in my country (Australia) has seen a 7.5 percent increase this year alone, with the rest of the world averaging 4.7 percent. But is this the right approach? In 2009 a study identified that staff are often constrained by an overload of information security policies. Similarly, a qualitative study in 2007 showed that a high information security workload fosters conflicts between security and functionality. A similar report on data breach investigations showed that information security overload hindered professionals' abilities to identify and defend against threats, effectively defeating the purpose of the controls in the first place. National Australia Bank’s CIO recently stated that increases in security often put “security at odds with user desires.” Richard Clarke, former counter-terrorism adviser to the US NSC, noted as early as 2004 that:
“You can double your spending on security – and still not achieve it”.
He then explained that whilst pouring resources into information security suggests it’s being taken seriously, the real value is in how it’s deployed. To put it succinctly, these findings would suggest that there certainly is such a thing as ‘too much security’, and it may be just as bad as too little.
RISK MANAGEMENT
In the information security industry, a high-level framework for the proper deployment of security controls has existed for decades. This is a process whereby security is compared to its exact opposite: vulnerability. This process is known as a Risk Assessment. More broadly, this concept is referred to as Risk Management, and its role within information security is so pivotal that some have argued that the two are inseparable. In an article aptly named ‘Information security is information risk management’, Blakley, McDermott and Geer note that information security technology alone does not reduce information risk very effectively. They suggest a new paradigm for the deployment of security controls which takes its roots in the history of medicine. This new methodology has seen huge success in maximizing response and minimizing cost in terms of security incidents. This approach is known as ‘Minimum Viable Security’ (MVS).
MINIMUM VIABLE SECURITY
In the medical world, the term ‘Minimum Effective Dose’ refers to just that: the smallest quantity of a substance required for it to work properly. This is the basis on which medical professionals prescribe medication. Giving people a ‘maximum’ effective dose, that being an amount that barely avoids overdose quantities, would be both dangerous and redundant. This same concept has been translated and applied in Minimum Viable Security. Whilst applying too much security hardly leads to kidney failure or a crippling dependency, it certainly leads to waste and inefficiency. This translates to loss of money.
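The risk assessment process described in the previous section and the ‘minimum effective dose’ idea above can be made concrete with a small worked example. The following is an added illustration, not code from the original post or from Blakley, McDermott and Geer. It assumes a conventional annualised loss expectancy (ALE) model, likelihood multiplied by impact, and a constructed risk register of three hypothetical risks and six hypothetical controls whose costs and effectiveness figures are invented for the demonstration. The selection routine finds the cheapest set of controls that brings residual ALE under a stated tolerance, and the `__main__` block contrasts that set with the ‘deploy everything’ approach to show where the extra spend stops buying meaningful risk reduction.

```python
"""Risk-based control selection: pick the cheapest set of controls that
brings annualised loss expectancy (ALE) under a stated tolerance.
All figures below are constructed for illustration."""
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float   # estimated annual probability of the event (0..1)
    impact: float       # estimated loss per occurrence, in dollars


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    # fraction of each named risk's likelihood the control removes (0..1)
    reduction: Dict[str, float]


# Constructed sample register (hypothetical figures, not from the post).
RISKS = [
    Risk("phishing_credential_theft", 0.6, 200_000),
    Risk("web_server_exploit", 0.3, 500_000),
    Risk("lost_laptop", 0.2, 50_000),
]

CONTROLS = [
    Control("mfa", 20_000, {"phishing_credential_theft": 0.9}),
    Control("patch_management", 30_000, {"web_server_exploit": 0.8}),
    Control("disk_encryption", 5_000, {"lost_laptop": 0.95}),
    Control("awareness_training", 15_000, {"phishing_credential_theft": 0.3}),
    Control("waf", 40_000, {"web_server_exploit": 0.5}),
    Control("dlp_suite", 60_000, {"lost_laptop": 0.5}),
]


def residual_ale(risks: List[Risk], controls) -> float:
    """Sum of likelihood x impact after applying the given controls.
    Reductions on the same risk are treated as independent, so they
    multiply rather than add (two 50% controls leave 25%, not 0%)."""
    total = 0.0
    for risk in risks:
        likelihood = risk.likelihood
        for control in controls:
            likelihood *= 1.0 - control.reduction.get(risk.name, 0.0)
        total += likelihood * risk.impact
    return total


def total_cost(controls) -> float:
    """Annual spend for a set of controls."""
    return sum(c.annual_cost for c in controls)


def select_minimum_viable(
    risks: List[Risk], candidates: List[Control], tolerance: float
) -> Optional[Tuple[List[Control], float, float]]:
    """Exhaustively search subsets (fine for a register this small) and
    return (controls, cost, ale) for the cheapest set whose residual ALE
    is within tolerance; ties are broken by lower residual ALE. Returns
    None if no subset of the candidates reaches the tolerance."""
    best = None
    for k in range(len(candidates) + 1):
        for subset in combinations(candidates, k):
            ale = residual_ale(risks, subset)
            if ale > tolerance:
                continue
            cost = total_cost(subset)
            if best is None or (cost, ale) < (best[1], best[2]):
                best = (list(subset), cost, ale)
    return best


if __name__ == "__main__":
    tolerance = 60_000  # the loss per year the organisation is willing to carry
    baseline = residual_ale(RISKS, [])
    chosen, cost, ale = select_minimum_viable(RISKS, CONTROLS, tolerance)
    everything_cost = total_cost(CONTROLS)
    everything_ale = residual_ale(RISKS, CONTROLS)
    print(f"untreated ALE: {baseline:,.0f}")
    print(f"minimum viable set: {[c.name for c in chosen]} "
          f"cost={cost:,.0f} ALE={ale:,.0f}")
    print(f"deploy everything: cost={everything_cost:,.0f} ALE={everything_ale:,.0f}")
    print(f"extra spend of {everything_cost - cost:,.0f} buys only "
          f"{ale - everything_ale:,.0f} less expected loss")
```

With these constructed figures the minimum viable set is MFA plus patch management (50,000 per year, residual ALE about 52,000), whereas deploying every control costs 170,000 to shave a further 28,000 or so off expected loss. The exhaustive search is deliberate: with a handful of candidate controls it is exact and easy to audit, which matters more in a risk assessment than speed; a real register with dozens of controls would call for a greedy or integer-programming approach instead.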
Minimum Viable Security is a direct response from industry to the issue of information security overload. Furthermore, the fact that a ‘minimalist’ approach to security has seen better results than many other standard approaches raises some issues with the peremptory norms of information security management. However, most would argue that it is better to be safe than sorry in info-sec, and use this to justify huge spending in the area. In the post-9/11 age of catastrophic risk, this sounds like a rational argument, but the figures don’t seem to agree. Private studies indicate that globally, 78% of businesses will suffer at least one data breach every 2 years. However, these studies are biased, as they are conducted by security vendors. So what do Government studies say? Well, in Australia alone, a major data breach occurs every week, typically affecting 19,000 people. In the UK, a Government-commissioned report, namely the ‘2015 Information Security Breaches Survey’, found that 90% of large companies with large security budgets had suffered a data breach over the last year, up from 81% the previous year. Earlier this year, a US security advisory boldly stated that:
“The reality today is that for most organizations, if a motivated adversary wants to penetrate their network, they will get in.”
CONCLUSION
To summarize, it can be said that too much information security can be just as bad as too little. Information security overload is wasteful, inefficient and hinders response to legitimate security incidents. While too little security is equally destructive, finding a balance of minimum viable security has demonstrated proven success in increasing successful response and decreasing the cost of doing so. Increasing budgets and resources for information security can achieve absolutely nothing if security controls are not properly deployed through a process of risk assessment. This risk management concept is vital in ensuring information security achieves its goals. In conclusion, without proper planning and assessment, information security has the potential to do more harm than good.