Organisations are suffering repeated and regular breaches of their cyber security, often resulting in huge financial losses.
In August, security firm McAfee said it had found evidence of “a historically unprecedented transfer of wealth and closely guarded national secrets” into the hands of cyber criminals.
Earlier in the year, security breaches cost Sony and RSA £107m and £40m respectively, not to mention the stains on both firms’ reputations.
The unpalatable reality is that every company suffers security breaches almost constantly, according to Ashar Aziz (pictured), CTO and founder of security firm FireEye. The only differentiator is whether they’re aware of them.
“The bad guys have resorted to highly dynamic malware,” says Aziz. “We’ve observed this from hundreds of enterprises large and small across the world, all with a significant infiltration rate.
“The median rate of malware infection among enterprises is 450 cases per week.”
Aziz’s claims are based on the measurement of infiltration rates at FireEye customers. FireEye’s security product sits within the network perimeter, behind the firewall, anti-virus, email gateway and whatever other security a company has in place.
“We’ve measured this from inside the perimeter, from inside the network, and behind the other defences, so we’re looking at the actual infiltration rate,” says Aziz. “The vast majority of these infiltrations are minor attacks, as opposed to what is being termed an APT [Advanced Persistent Threat] attack like that which affected RSA.”
Many IT departments are unaware of this level of malware infiltration, while those that are often ignore it. These are mostly unsophisticated attacks aimed at gleaning financial information from the endpoint, rather than an APT that is designed to penetrate right through to the datacentre and do something specific, such as access or steal a certain file, or data set.
But Aziz says that organisations should be wary of accepting even this level of attack, as it could turn into something more sinister.
“We should not be as complacent about the multitudes of crimeware infections because at any one time they can become an APT. It’s a bit like watching the Matrix where any one person can suddenly become an agent.”
He explains that creators of this malware are often able to access the machines their tools have infected. And while the low-level cyber criminals will have neither the means nor the motivation to exploit this, others do.
“Infected systems are owned by criminals who can sell that ownership to the highest bidder. So if a CIO is thinking that these 100 infiltrations per day are nothing to worry about because the hackers are only after employees’ credit card details, then they are mistaken.
“These machines are now partly under the control of the criminal element; if they can’t get hold of bank logins, then they’ll choose to monetise the infiltration by selling access to the machine on the underground market. The buyer may choose to use that point of access to make a different kind of infiltration.”
But shouldn’t the various cyber security solutions that every enterprise has (or should have) installed protect them at least from the less sophisticated attack?
Eric Domage, a security analyst at IDC, quotes a CIO he knows who bemoans exactly this issue.
“Security breaches happen because users or developers make mistakes. We do the compliancy stuff and we’re still not secure. We’re going to get shafted either way.”
So why aren’t companies receiving more protection from our cyber defence tools?
Graham Cluley, senior technology consultant at security vendor Sophos, explains that the level of protection offered by any one product must be weighed against its tendency to incorrectly block innocent traffic.
“You have to weigh the detection rates against the false alarms. You have to look very carefully at not being too sensitive, a false alarm can be more dangerous than an infection.
“You can lose business and money as a result. There’s a line we walk along, the industry wants to detect everything, but we can’t get it wrong. The potential fallout from false positives is much greater.”
He added that the only way for a product to offer guaranteed 100 per cent security is for it to block all incoming traffic. While that would certainly make an enterprise secure, it would also very quickly make it bankrupt.
So given that totally guaranteed security is not an option, what should enterprises do?
Cluley suggests the best answers lie in the combination of people, processes and technology.
“An organisation should have a layered defence, at the gateway and at the desktops, something controlling the use of USB drives, and keep your systems patched and up to date.
“You also need to educate your staff on safe use practices,” he concludes.