The news on the cybersecurity front that serves as a warning to us all is mounting up during what has become the cybersecurity industry’s equivalent of earnings season. That is a good thing. The landscape of potential vectors of vulnerability is vast and each area needs illumination to help organizations get perspectives on threats and remediation possibilities.
It is also useful to have granularity on those markets that are prime targets for malicious activities. Not only is there a growing list of threats, but there is also an increasingly diverse group of bad guys: hackers, terrorist organizations, criminal organizations, state-sponsored groups, etc. For this reason, I like to periodically make readers aware of useful studies.
The latest security report from Clearwater, FL-based ThreatTrack Security, with the straightforward title, “Energy Companies and Financial Services Firms Remain Vulnerable to Data-Breaching Malware,” is certainly one to give those in the critical financial services and energy markets pause. It is also useful reading for all security professionals.
The report is based on an independent blind survey of 200 IT security managers or IT security administrators in energy and financial services organizations (100 in each) that was conducted by Opinion Matters on behalf of ThreatTrack Security in April 2014. As noted above, there is a wide range of threat actors and attack vectors targeting these two industries, and the report investigates the challenges of putting up a good defense and how organizations are planning to increase security.
APTs and inviting targets
The focus is on the two sectors that have proven to be the most targeted by those with malicious intent. Unfortunately, as the headline says, the top-level finding that should get your attention like it got mine was that 72 percent of respondents are confident they will be the target of an Advanced Persistent Threat (APT), targeted malware attack or other sophisticated cybercrime or cyber-espionage tactic in the next 12 months. In fact, 38 percent said an attack is either a "certainty" or "highly likely."
As the authors of the report state:
“Both the energy and financial services sectors are under constant pressure from attackers due to the high-value assets they hold, which represents a significant risk to the U.S. economy and critical physical infrastructure. According to the U.S. Department of Homeland Security, the highest percentage (more than half) of incidents reported to its Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) occurred in the energy industry. Similarly, in January of this year, the Financial Industry Regulatory Authority (FINRA) released a letter warning of increasing frequency and sophistication of attacks against financial services firms.”
Among the key findings of the survey:
"Given the importance and value of the data that energy and financial services firms have access to, it is no surprise that they are being targeted aggressively by hackers," said Julian Waits, Sr., president and CEO of ThreatTrack Security. "The question is, what can these organizations do to better stabilize their cyber defenses, in both their own self-interest, and to protect critical U.S. infrastructure? It’s good to see these firms are planning to train their IT teams on the latest cybersecurity technologies and strategies, and that they are going to invest in advanced malware detection. The time to act is now, or the next big data breach could be one that doesn’t just affect our wallets."
While the full survey results are available upon request, I thought I’d whet your appetite with just one graphic. It highlights that while the two sectors face different enemies and challenges, they both are clearly in the bad guy crosshairs. It also speaks a bit to the quote from the recent Verizon Data Breach Index Report (DBRI) that “the bad guys are winning.” The evidence here comes from the survey results: a rather disturbing percentage of respondents from both sectors say that malware has evaded their defenses.
In short, keeping up with the bad guys is not easy, even when you know they are coming. In fact, you might wish to get the full report, if for no other reason than to get your upper management to focus on the urgency of looking at where your organization might be vulnerable and which solutions need to be evaluated, not just to protect against worst-case scenarios at a minimum, but also to ensure that, if you are attacked, your response times and remediation tools are up to snuff.