infoTECH Feature

April 17, 2015

Cyber Threat Week in Review

Next week is the annual RSA gathering of security professionals in San Francisco. This can only mean two things.

The first is to prepare yourself for a slew of new product and service releases covering every aspect of enterprise data protection, from device and app management to authentication and encryption to network access and beyond. Given the daily headlines about data breaches, distributed denial of service (DDoS) attacks, the explosion of malware, etc., RSA is always a good time to assess what the good guys have up their sleeves to deal with cyberthreats.

The second is that this is the time of year when various members of the security community issue reports on bad guy activities, and several are of significance. As a handy reference guide, below are just a few, with links to the full reports.

Between insiders, organized crime syndicates and rogue nations, it’s safe to say that the bad guys are having a good go at 2015.

Enterprises not spending enough on inside threats

An interesting place to start is with the user activity monitoring and analysis solutions provider SpectorSoft. They recently released the results of the SANS 2015 Survey on Insider Threats. This survey of 772 IT security professionals regarding their experiences preventing and detecting insider threats found:

  • 74 percent of respondents are concerned primarily with employees when looking at threats, whether malicious or merely negligent.
  • 44 percent said they don't know how much they currently spend on solutions that mitigate insider threats.
  • 45 percent don't know how much they plan to spend on insider threat technology in the next 12 months.

As the report author notes, “Although organizations know insider attacks pose a salient threat, spending on insider threat defenses falls short. Without a comprehensive understanding of what they are spending to prevent the problem, it is likely that organizations also will not know what insider threat defenses they lack or where they can invest further to fill in security gaps and bolster protection against a potential insider attack.”

In fact, while 69 percent of respondents said they have an incident response plan in place, more than half said their plan does not incorporate special provisions for insider threats. In a word, this is a woeful situation, and the report really should serve as a call to action given the huge financial consequences of insider actions, whether by intent or through negligence.

The Feds need to be careful but should step up their game

MeriTalk, a public-private partnership focused on improving the outcomes of U.S. government IT, announced the results of its new report, “Federal Cyber Uncertainty – KVM XYZ,” underwritten by Belkin Government. Once again the news is not so good.

The number of incidents reported by Federal agencies to the Federal information security incident center has increased nearly 680 percent in the past six years.

It is noted that to defend against increasing threats, agencies must comply with an alphabet soup of cyber security mandates:

  • CDM (Continuous Diagnostics and Mitigation program of Homeland Security)
  • FISMA (Federal Information Security Management Act)
  • HSPD-12 (Homeland Security Presidential Directive 12)
  • TIC (Trusted Internet Connection initiative OMB)

As MeriTalk says, even with all of these mandates in place, collectively they often fail to take the user experience into account.

As the report highlights, while the Feds are more mindful of security issues and the need to address them, they “still lack confidence in their ability to protect sensitive data and experience challenges when it comes to compliance.” In regards to the mandates, the survey found:

FISMA: Just over half of Feds say FISMA has improved security at their agency, and only 27 percent were perfectly compliant with FISMA in fall 2014.

HSPD-12: Despite all of the PIV cards issued, 5.3 million unprivileged user accounts with limited access can log onto Federal networks with only a user ID and password, and 134,287 privileged user accounts – system admins with access to everything – are just using user IDs and passwords (instead of PIV).

CDM: Fifty-six percent of Federal agencies are able to measure success in their CDM implementation, but only 44 percent are experiencing better security as a result of the CDM controls.

TIC: While successful, TIC is cumbersome for mobile access and reduces easy access to data and apps, one of the major benefits of cloud computing.

The report concludes that agencies must do more than protect from sophisticated outside cyber threats. As the previous SANS report also highlights, they must be just as vigilant against insider threats while ensuring security measures are user friendly. This is particularly true in regards to securing endpoints where so much data resides.

This is a view summed up by Mauricio Chacon, Director of Product Development, Belkin Government, who stated: “Cyber attacks from within an agency need to be as rigorously addressed as those originating from outside sources…KVM switching devices allow government employees to switch networks with various security levels from one desktop. Agencies need innovative, secure solutions that meet the latest government security standards to protect data from both internal and external threats. Our secure switching solutions are tested to the latest government security standards.”

The Verizon 2015 Data Breach Investigations Report

The Verizon 2015 Data Breach Investigations Report (DBIR) is a treasure trove of useful information. This year’s DBIR covers the top threats with granularity on their impact on different industries. It is based on an analysis of nearly 80,000 security incidents, including more than 2,100 confirmed breaches. And, yes, you read correctly: more than 2,100 confirmed breaches. It is an incredibly useful reference on how to prioritize security threats and be prepared for what is more than likely coming at you.

The DBIR found that the bulk of cyberattacks (70 percent) use tried and true techniques like phishing and hacking, but that the attacks are becoming much more frequent and sophisticated.

Reiterating a theme from prior years, this year's findings again pointed out what Verizon researchers call the "detection deficit" – the time that elapses between a breach occurring and its discovery. Sadly, in 60 percent of breaches, attackers are able to compromise an organization within minutes.

And, in a word to those who would probably be called the “unwise,” the report says that many of these attacks could be prevented through a more vigilant approach to cybersecurity. In fact, it highlights that 71 percent of known vulnerabilities had a patch available for more than a year prior to the breach.

"We continue to see sizable gaps in how organizations defend themselves," said Mike Denning, vice president of global security for Verizon Enterprise Solutions. "While there is no guarantee against being breached, organizations can greatly manage their risk by becoming more vigilant in covering their bases. This continues to be a main theme, based on more than 10 years of data from our 'Data Breach Investigations Report' series."

A few things to note, which are why this one is worth spending time with, include:

  • Verizon security analysts used a new assessment model for gauging the financial impact of a security breach, based on the analysis of nearly 200 cyber liability insurance claims. The model accounts for the fact that the cost of each stolen record is directly affected by the type of data and total number of records compromised, and shows a high and low range for the cost of a lost record (i.e. credit card number, medical health record). 
  • Verizon security researchers explained that the bulk (96 percent) of the nearly 80,000 security incidents analyzed this year can be traced to nine basic attack patterns that vary from industry to industry.
  • The report indicates that, in general, mobile threats are overblown. In addition, the overall number of exploited security vulnerabilities across all mobile platforms is negligible. 
  • While machine-to-machine security breaches were not covered in the 2014 report, the 2015 report examines incidents in which connected devices are used as an entry point to compromise other systems. The report also examines the co-opting of IoT devices into botnets—a network of private computers infected with malicious software and controlled without the owners' knowledge—for denial-of-service attacks.

Symantec weighs in

Another one of my favorites is the annual report done by security giant Symantec, which is out with its Internet Security Threat Report (ISTR). For those unfamiliar with the report, it is Symantec’s largest annual research report and provides an overview and analysis of the past year in global threat activity. It covers a wide swath of malicious activity, including emerging trends in attacks, malicious code activity, phishing and spam. It shows that last year cybercriminals used deceptive new tactics to infiltrate corporate networks and evade detection by hijacking the infrastructure of major corporations and turning it against them.

Other highlights from the 20th volume of this report include:

  • Five out of six large companies were targeted in 2014, a 40 percent increase from 2013. The total number of breaches increased by 23 percent.
  • There was a record high of 24 zero-day vulnerabilities discovered in 2014, and it took vendors an average of 59 days to create and roll out patches—up from only four days in 2013.
  • 28 percent of all malware in 2014 was “virtual machine aware” and able to avoid detection by researchers using virtual environments.

“Attackers don’t need to break down the door to a company’s network when the keys are readily available,” said Kevin Haley, director, Symantec Security Response. “We’re seeing attackers trick companies into infecting themselves by Trojanizing software updates to common programs and patiently waiting for their targets to download them—giving attackers unfettered access to the corporate network.”

In short, trickery is on the rise. However, it should be noted that an emerging area for combating such trickery is deception technology, where the good guys fool the bad guys as a way to mitigate risk.

A few observations from the report might induce you to download this one as well. Symantec observed attackers:

  • Using stolen email accounts from one corporate victim to spear-phish other victims higher up the food chain.
  • Taking advantage of companies’ management tools and procedures to move stolen IP around the corporate network before exfiltration.
  • Building custom attack software inside the network of their victims to further disguise their activities.
  • Turning increasingly to digital extortion. Email remains the main attack vector for cybercriminals, but bad actors are continuing to experiment with new attack methods across mobile devices and social networks to reach more people with less effort.

The nice thing about this report is that Symantec has provided some helpful hints for businesses and consumers on best practices for keeping safe, which are worth printing out.

Gemalto exposes widening gap between perception and reality of security effectiveness

Last and certainly not least, digital asset security solutions company Gemalto has released the latest findings of its 2015 Data Security Confidence Index (DSCI). As the sub-headline says, the report reveals a widening gap between the perception and the reality of perimeter security effectiveness amongst global IT decision makers. The research shows increasing levels of investment in this area of data protection, but it is not keeping up with an exponential growth in the number of data breaches.
 
When it comes to perimeter security challenges, as with other areas of enterprise security, there has been an explosion of activity. Gemalto found, for example:

  • More than 1,500 data breaches led to one billion data records being compromised in 2014 alone, a 49 percent increase in data breaches and a 78 percent increase in data records stolen or lost compared to 2013.
  • Despite this, 87 percent of IT decision makers feel their organization’s perimeter security systems are effective at keeping out unauthorized users.
  • The relatively good news is that 64 percent of respondents said they are looking into shoring things up in the next 12 months.
  • Interestingly, and where things get disconcerting, when thinking of their most recent breaches, respondents reported that the average amount of breached data protected by encryption was below 8 percent.

Equally troubling, 33 percent of respondents said they believe unauthorized users are still able to access their networks, and a further 34 percent are not confident in the security of their organization’s data should a breach occur. And, while spending on perimeter solutions is going up, 30 percent admitted that in the past 12 months their company has been the victim of a breach, and 62 percent of respondents are no more confident than they were this time last year in the security industry’s ability to detect and defend against emerging security threats.
 
“With the number of sophisticated breaches on the rise, relying on perimeter security systems alone is no longer enough. Traditional security staples such as firewalls and anti-virus should be part of a much greater security strategy. IT decision makers need to take into account that if someone is motivated enough they will breach a network, no matter how well it is protected,” said Tsion Gonen, Vice President of Strategy for Identity and Data Protection at Gemalto.

While I hate to be a bearer of bad news, individually and collectively all of these reports point to the same thing: the bad guys are having a great time exploiting enterprise security vulnerabilities, and a holistic view of threat detection, prevention and remediation needs to be treated as an urgent matter. It is a given that no security solution is failsafe, but the failure to take measures against known problems where patches are available is something that must be addressed. Plus, the security industry has been a source of accelerated innovation, which will be on display at RSA, a terrific place to kick a lot of tires on solutions that could provide you with greater peace of mind.




Edited by Dominick Sorrentino