It’s time for corporations to wise up and use the latest, most effective weapons to safeguard and secure their data.
High-tech devices, software applications, emails, user accounts, social media and networks — even those presumed safe — are being hacked with alarming alacrity and ease.
Security tools, encryption and patches are certainly necessary, but they are not enough. Corporations must arm themselves with the latest technologies in order to effectively combat a new breed of malware and malicious code, and ever-more proficient hackers. I’m referring to continuous monitoring tools that identify, detect and shut down vulnerabilities before hackers can find and exploit them.
Big Ugly Business
In the late 1980s — the “early days” of computer networking — hacking was a means to an end. The modus operandi of hackers, (usually white males in their teens and twenties) was to perfect their skills, perform a high-profile penetration, claim it was a mistake, and then land a well- paying job with a legitimate security company. Many of today’s hackers are professionals who operate within an organized ring. Hacking is the means and the end. It’s an extremely lucrative business.
“The hackers have upped their game,” says Stu Sjouwerman, founder and CEO of KnowBe4, a company that trains corporate knowledge workers on how to avoid spam, phishing, spear phishing and social engineering hacks.
“Hackers have gone completely professional. They’ve graduated from identity theft to full-fledged Internet bank robbery or cyberheists. There are now highly organized computer security ‘Mafias’ in Eastern Europe, Russia, the Ukraine and Romania that employ highly qualified computer science majors who do nothing but hack. Most companies are woefully ignorant and unprepared to deal with the new threats,” Sjouwerman asserts.
On June 1, 2010, the National Institutes of Standards and Technologies (NIST) published new guidelines that require enterprises to engage in continuous monitoring of their networks.
These guidelines, based on a wealth of real-world experience, highlight the necessity of using new tools to facilitate implementation, says Maj. Gen. John P. Casciano, USAF-Retired, who served as director of intelligence, surveillance and reconnaissance, and was deputy chief of staff for air and space operations. Currently president and CEO of GreyStar Associates, Casciano consults on cybersecurity issues.
“In the dynamic and ever-changing network, continuous monitoring simply can’t be performed manually; it must be supported by software that provides powerful new weapons with which to successfully defend and thwart attacks,” he says.
Continuous monitoring is a preventive and prescriptive measure encompassing both a new approach and new products and tools. It enables organizations to detect threats as they occur and, most importantly, to identify vulnerabilities that can be mitigated or plugged in advance of a cyberintrusion or attack.
The NIST guidelines are based on a wealth of real-world experiences that include routine attacks launched on individuals’ online social media accounts like Facebook and Twitter. Each day, the headlines deliver yet another sobering call for corporations and consumers alike to wise up and defend their data.
We all know that there is no such thing as a 100-percent hack-proof network, application or device. Hacks from malware (phishing, Trojans, bots, worms, zombies, et al) to exploits that result in forgotten back doors, to targeted corporate espionage are facts of 21st Century computing life.
Hacker Heaven
Hackers have had a bonanza in April, May and June (so far). Nary has a day gone by without news of yet another major attack. Here’s a partial list of some of the most publicized hacks of the last 10 weeks:
RSA Security: On April 1, in a move akin to raiding Fort Knox, RSA’s Secure ID technology (one of the industry’s gold standards in security software) was hacked. RSA executives described the hack as “very sophisticated.” They characterized it as an advanced persistent threat (APT)-type targeted attack. It used a routine tactic — a phishing email that contained an infected attachment that was triggered when opened.
Epsilon: Epsilon handles customer email messaging for more than 150 firms, including large banks and retailers like Best Buy, JPMorgan Chase, Citigroup and L.L.Bean. In April, millions of consumers learned that Epsilon’s networks were breached when they received emails from their banks and credit card companies informing them that the hack might have exposed their names and email addresses to the hackers. Epsilon released a statement assuring consumers that only email addresses and names were compromised, and that no sensitive data was disclosed.
Sony: Sony’s PlayStation gaming network suffered a series of massive security attacks in April/May that affected more than 100 million online accounts and shuttered the site for days. Sony executives estimate the hacks cost the Japanese electronics firm $170 million.
Lockheed Martin: On May 21, the aerospace giant released a statement saying its internal information systems network had been penetrated by what it called a “significant and tenacious” attack. The company declined to divulge details other than stating that “no customer, program or employee personal data had been compromised.”
Public Broadcasting System: Tthe PBS website was hacked in mid-May and the perpetrators planted an erroneous story stating that deceased rapper Tupac Shakur was alive in New Zealand. The group that claimed credit for the hacking was apparently unhappy about PBS’ recent “Frontline” investigative news program on Wikileaks.
Google: At least 84 instances of malware have been discovered in the company’s Android Market app store in the last three months. In March, Google removed 50 applications from the store that contained malicious code embedded in legitimate applications. Over the Memorial Day weekend, Google was forced to pull an additional 34 smartphone applications off Android Market because of suspected malware infections. Google’s security woes don’t stop there. In early June, Google disclosed that Chinese hackers targeted the email accounts of top U.S. officials and hundreds of other prominent people in a fresh computer attack certain to intensify growing concern about the security of the Internet. The victims, including government and military personnel, Asian officials, and Chinese activists and journalists, were tricked into sharing their Gmail passwords with “bad actors” based in China, according to a Google blog post. The attack’s goal was to read and forward the victims’ email.
Apple (yes, Apple!): The Mac OS X 10.x operating system has been under attack for the last month from the malicious MacDefender/MacGuard malware. Apple engineers released a fix, and 24 hours later the hackers struck again with a new virus variant called “Mindinstall.pkg,” which is specifically designed to bypass Apple security.
Hackers are more organized, and the attacks themselves are becoming more sophisticated and more pernicious. They use the Internet as a superhighway to circumnavigate the globe faster than you can say “Magellan.” What’s worse, the hackers are aided and abetted by corporations with lax, porous and often outdated computer security measures.
Consumers too, are often the hackers’ best helpmates — particularly when they don’t keep their antivirus and firewalls up to date and don’t check the privacy settings on the many social networking sites they frequent!
Security experts warn that malware is proliferating at the astounding rate of 73,000 new threats cropping up on a daily basis — that’s a 26 percent increase over 2010. Even if we apply the 10/90 rule — 10 percent of all malware and rogue code is responsible for 90 percent of the damage — the upswing in security threats is alarming.
Unfortunately, corporations and consumers tend to get complacent in the absence of a data breach that directly impacts them. It’s easier to rationalize and downplay the very real security threats and delay implementing the necessary proactive measures.
It takes headlines — or more recently those messages appearing with alarming regularity in our personal email boxes — to give us all a much needed jolt. Computer, cellphone/smartphone, notebook, tablet and networking security are fragile, ephemeral and fluid, meaning the risks are always present, and exploits are always lurking in the shadows.
This Is War: Continuous Monitoring
In response to the growing cyberthreat, U.S. Sens. John Kerry, D-Mass., and John McCain, R-Ariz., have introduced an online privacy bill designed to protect and control personal information. If the legislation passes, it will prohibit the collection and sharing of private data by businesses that have no relationship to the consumer for purposes other than advertising and marketing.
The 2010 Verizon Data Breach Investigations Report, released last July and based on a first-of-its kind collaboration with the U.S. Secret Service, found that breaches of electronic records last year involved more insider threats, greater use of social engineering, and the continued strong involvement of organized criminal groups.
The report cites stolen credentials as the most common way criminals gained unauthorized access into organizations in 2009, pointing once again to the importance of strong security practices both for individuals and organizations. Organized criminal groups were responsible for 85 percent of all stolen data last year, according to the report.
The stories behind the statistics are even more alarming. Hackers are collaborating via the Web and forming their own online communities to exchange data and perfect hacks. And now they’re moving from V2P — that is, virtual to physical — with entire communities, most prominently in Eastern Europe, devoted to the pursuit of career cracking.
The city of Ramnicu Valcea, population 120,000, located three hours outside of Bucharest in the Transylvania Alps, has been dubbed “Hackerville” by global law enforcement agencies. The town is brimming with cybercrooks whot specialize in targeted corporate malware attacks and e-commerce scams.
Business is so profitable that the town is home to luxury car dealerships and apartment buildings, as well as upscale restaurants, shops and nightclubs. The town’s reputation as a malware maelstrom has become so notorious that it was the subject of a feature in the March issue of Wired Magazine.
Rays of Light
The real lesson of the Verizon Business Data Breach Report — and even Hackerville — is that the overwhelming majority of data breaches can be thwarted if companies establish and follow good computer security practices and back these up with the latest technical weapons. Astoundingly, only 4 percent of breaches assessed in the Verizon Business Data Breach report required difficult and expensive protective measures. The report further claimed that 87 percent of attacks could be prevented using simple, proactive measures.
The 2010 Verizon report concludes that being prepared remains the best defense against security breaches. For the most part, organizations still remain sluggish in detecting and responding to incidents. Nearly two-thirds of breaches — 60 percent — continue to be uncovered by external parties and then only after a considerable amount of time. While most victimized organizations have evidence of a breach in their security logs, they often overlook them due to a lack of staff, tools or processes.
Any corporation that is serious about creating and maintaining a secure environment needs to deploy continuous monitoring tools, maintains Casciano.
Right now, there are two types of continuous monitoring devices: “those that address what’s going on in the enterprise and identify vulnerabilities, and those that enable companies to plug holes and correct vulnerabilities in advance so the attack is not effective,” Casciano says.
There are several companies that address this emerging market segment. Veteran security firm ArcSight, which was acquired in 2010 by HP, and the Einstein Program developed by the Department of Homeland Security produce products that enable businesses to identify the potential weak spots in their networks.
Other companies, such asRedSeal, and the Security Content Automation Protocol (SCAP) address the rapidly emerging secure product class of both identifying and closing the holes in the network.
RedSeal’s Systems Network Advisor v4.1 and Vulnerability Advisor v4.1, for example, are near real-time risk management solutions that use network and vulnerability data to determine risk and provide prioritized remediation recommendations. RedSeal security packages allow organizations to assess and strengthen their cyberdefenses. Unlike systems that detect attacks once they occur, RedSeal identifies holes in the security infrastructure that create risk — before they are discovered by hackers.
Organizations must utilize both types of continuous monitoring, Casciano says.
The products in the first group (HP’s ArcSight and the Einstein Program) provide business with “tactical warnings and a snapshot in time of the activities within the IT enterprise” so that management can react to specific events. The second class of products (RedSeal and SCP) “exposes the strengths and weaknesses of the entire IT enterprise, identifies potential avenues of attack, and enables management to take defensive actions well in advance of an attack,” Casciano notes.
Ultimately, computer security products represent only half the solution. The other 50 percent is human element. Companies and their IT departments must construct strong computer security policies and procedures, disseminate them to the entire staff and employee population, and enforce them. In an age when hackers’ ranks are swelling and successful penetrations are increasing, corporations would be wise to arm themselves with continuous monitoring tools to thwart cyberterrorists.
Ask yourself: “What have I got to lose?”
Nice article Laura! I certainly look forward to seeing more pieces like this out in the news. With the proliferation of tablets, laptops and mobile devices in the workplace has definitely added to the near epidemic in cyberterrorism. Today it’s more important than ever that corporations ensure the detection and blocking of mallicous attacks as early as possible at the network boundaries in order to ensure Data Leakage Prevention (DLP) to prevent the outflow of user/corporate data. Our company, Wedge Networks has focused on building such solutions for years and is leading efforts to prevent the good things from flowing out and the bad things from flowing in.