According to information security organizations, cyber spying is one of the biggest threats to private sector companies. Cyber spying is also known as cyber espionage. It can also be considered a part of cyber warfare between various countries. Many countries, including the US, UK, Russia and China, have long used cyber espionage as part of their military arsenal. Businesses are becoming more aware of these malicious practices and are therefore turning to information security consulting companies for help in mitigating these risks.
There is a drastic rise in the number of cyber crimes and in the need for information security consulting professionals. Even many countries that were not involved in cyber warfare activities have now started running cyber spying campaigns. The primary consumers of cyber warfare products are government agencies. These products are meant for controlling cyberspace, and private sector companies use them for corporate information security and corporate espionage. The vendors of cyber warfare products are information security organizations, defense contractors, private sector information security consulting companies and independent hacker groups.
IICS is an information security consulting company and we have helped many companies with cyber espionage. The objective is to detect theft of confidential or intellectual property data. Most of the time, these cases are state-sponsored or carried out by private sector companies with the help of independent hackers, so it is already a fundamental requirement to have information security consulting professionals to protect against cyber spying.
Cyber espionage for economic motives is very common, as countries such as China are using data theft as a means to gain economic advantage in business deals. Experts from information security organizations claim that with these state-sponsored attacks, private sector companies in China can gain market advantages by stealing competitors' product designs and their marketing and business strategies.
Information security consulting experts mention that zero-day exploits are usually used in conjunction with social engineering methods such as spear phishing and watering hole attacks to break into corporate information security architecture. Zero-day exploits are used for cyber espionage and for carrying out cyber attacks. IICS, an information security organization which deals with zero-day vulnerabilities and zero-day exploits, mentions that there is a huge market for these and that they are sold to the highest bidders. Zero-day vulnerabilities are used as weapons by governments, private sector companies, criminals, and private arms dealers.
Hackers or information security organizations who find these vulnerabilities usually don't get the necessary attention from software or hardware companies, or even worse, in some cases these companies try to sue information security organizations. This is one of the reasons why information security researchers sometimes end up selling zero-day vulnerabilities on the black market or to cyber weapons dealers. That's why information security organizations refer to zero-day exploits as cyber weapons.
Experts from information security organizations explain that there is a race to buy and stockpile zero-days. Also, the international arms control treaty doesn't limit the buying and selling of zero-days as of now. The US government has defined its policy towards zero-day disclosure; however, other developed countries such as Australia, Spain, Germany, Russia and the United Kingdom have not even initiated the development of a zero-day disclosure policy. Thus, as of now, information security organizations, independent information security consulting researchers and hackers can continue trading zero-day exploits as long as they are selling them to the right party.
Governments from developing countries like Dubai, Sri Lanka, Saudi Arabia, Thailand, Malaysia, Singapore, Nigeria, Kenya and South Africa have jumped into the race to buy zero-day vulnerabilities. It's very easy for independent information security consulting researchers to sell zero-day vulnerabilities to governments of developing countries through brokers or information security organizations.
There are three kinds of markets for selling zero-day vulnerabilities: the black, gray and white zero-day markets. Independent hacker groups, freelance information security consulting researchers and brokers trade in the black market. Experts from information security organizations claim that many companies buy exploits from the black market. However, high-priced exploits are not sold through this market.
Information security organizations and governments trade in the gray market. Countries like the USA, Russia, UK, Mexico, Brazil, Colombia, Costa Rica, Argentina, UAE, India, Pakistan, North Korea and Israel are some of the big buyers in the gray market. Big defense contractors and information security organizations also trade high-value zero-day vulnerabilities and exploits in this market.
Trading in the white market is done by freelance information security consulting researchers. According to information security organizations, the white market is also known as the bug bounty market. In it, companies offer a sum of money to anyone who finds a vulnerability in their software or hardware and discloses its existence to them. The bounty is paid to people who use their skills to find and disclose vulnerabilities so that companies can fix them, thereby improving overall information security.
As an information security organization, we use the following parameters to calculate the cost of a zero-day vulnerability:
1. Target range of the vulnerability and exploit.
2. Level of diffusion to date of the vulnerability and exploit.
3. Scope of its usage.
4. Validity of the exploits.
5. Reliability of the seller of zero days.
6. Exclusive usage rights to the zero-day, which are very important for information security organizations.
7. Financial escrow service fees and insurance fees, in high value cases.
8. Exchange broker connections.
9. Number of brokers and respective fees.
The day is not far off when governments will come together with information security organizations to regulate the zero-day trade and control the cyber arms race and cyber espionage. Cyber espionage is a global issue with actors such as government agencies, information security organizations and other private sector companies targeting for political and commercial interests. IICS is an information security organization that is actively working in zero-day exploits and the vulnerability market with governments. Our information security consulting experts have also been actively involved in the global zero-day landscape, thus helping our clients with advanced surveillance tools and services.
With research centers in Mexico, the U.S. and India, the International Institute of Cyber Security (IICS) delivers cyber surveillance tools and information security consulting services. We have a partner program that recognizes the effort and investment of strategic allies, offering consulting services to achieve sustainable and mutually beneficial business. Our partner program is available in Australia, UK, Dubai, Qatar, Sri Lanka, Saudi Arabia, Thailand, Malaysia, Singapore, Nigeria, Kenya and South Africa.