Cyber attacks - up close and personal

Cyber criminals have changed tactics. It's up to the IT department to let everyone know

Absolute security is an absolute impossibility - and getting more impossible by the year.

The traditional model of building a strong-room around the company crown jewels is certainly no longer sufficient to deal with the types of threats that have emerged more recently. Indeed, over-reliance on systems that protect against one type of threat can lead to complacency. The modern cyber-attacker will work around the target's defences, concentrating on areas of weakness including systems, software and - above all - people.

Criminals have upped their game - sometimes aided and abetted by states themselves. It is now widely acknowledged that the Stuxnet and Flame advanced persistent threats (APTs) were developed with US state backing. Russia, China and Iran are also enthusiastic players with much to gain from attacking governments and multinational businesses, and the UK government is hardly innocent in this regard either.

In many cases, then, we are talking about sophisticated attackers with considerable resources behind them. While bulk spam emails from distressed princesses may still successfully find the odd fool, the clever criminal money is now in targeted attacks, locating and exploiting the weaknesses that are inherent in every system.

The complexity of modern systems leaves many side doors relatively unguarded: a little-used application perhaps, or an air-gapped industrial system connected to the internet for maintenance and not disconnected again afterwards. Changed working practices have created holes, too. The increase in remote working over the past five years has stretched the capabilities of the traditional, firewall-patrolled network perimeter, while the bring your own device (BYOD) trend threatens to break it altogether.

Assessing the threat

Computing asked 120 IT decision makers at large organisations about their assessment of the risk presented by APTs and targeted attacks. Seventy-seven per cent agreed that such attacks do present a real danger. Untargeted attacks were of concern too, but not to the same degree (figure 1).


Among the chief areas of concern are attacks targeting weaknesses in authentication systems (such as weak passwords and credential attacks) and those targeting human weakness - spear phishing and social engineering - both mentioned by 71 per cent.

Slightly fewer (63 and 62 per cent, respectively) showed the same level of concern about web application attacks such as SQL injection and those targeting network communications protocols, such as distributed denial of service (DDoS) and man-in-the-middle attacks.

The priorities accorded to these different attack vectors reflect the changes in threat patterns in recent years. The volume of web application attacks has dropped relative to the increase in those targeting the person, with social engineering attacks quadrupling year on year according to recent research by Verizon.

Reducing the risk

A healthy 80 per cent of respondents said they had a full corporate risk management strategy in place that encompasses information security. Furthermore, 77 per cent perform an information security risk assessment annually. So far, so good.

However, the picture is not as clear as it would first appear. Attitudes to data governance, a key plank of risk management, do not seem to be as mature among those surveyed. Less than half of those responding (46 per cent) stated that they have a board-sponsored data governance programme with named data governance officers and substantial investments in people, technology and process; the remainder rely on some sort of half-hearted or incomplete data governance system.

So, data governance is still inclined to be reactive in many organisations; in these organisations information security will be harder to guarantee.

Computing asked respondents about their boards’ perception of risk and how this feeds into efforts to mitigate it. The results were very mixed. A small majority stated that information security risks are understood and that ample resources are devoted to reducing the danger. However, the next greatest proportion of respondents (22 per cent) stated that while the board had some idea about risk they underestimated its severity and 19 per cent stated that resources allocated to reduce risk do not match the perceived threat (figure 2).


Interestingly, when these figures are broken down, a clear picture emerges. The vast majority of those organisations that say they are devoting ample resources to information security risk reduction have IT representation on the board (63 per cent), and/or an IT department that has managed to convince the board to take action (57 per cent).

Conversely, 54 per cent of those who feel their defences are lacking say the board already feels it has done enough (in other words IT has not been able to persuade them of the risk), or that because they have not yet been targeted (42 per cent) the expense of bolstering defences is unjustified.

It couldn’t happen here, could it?

The banking sector has had a particularly torrid time of late. Following a spate of DDoS attacks on Citigroup, JP Morgan and Bank of America last year, criminals took control of the software that controls electronic transfers and made off with millions. Presumably taking down the websites provided a distraction and allowed them to cover up their activities.

In the UK, a criminal gang managed to steal £1.3bn from Barclays by means of a social engineering attack earlier this year, and investigations are ongoing into a similar plot at a London branch of Santander.

Adobe joined the long list of IT companies that have been breached, announcing recently that the data of over 30 million customers had been compromised, including the loss of a possible three million credit card numbers. It also admitted that the source code for Adobe Acrobat, ColdFusion and other software had been stolen.

These are headline-grabbing examples. However, in truth any organisation could be targeted. Symantec has recorded a rise in targeted attacks on smaller firms, sometimes as an end in itself, and sometimes as a backdoor into a larger organisation further up the supply chain.

It may be impossible to prevent an employee from ever being tricked, but a combination of endpoint security, education, data governance together with constant monitoring and analysis will minimise the risk.

Some common targeted attack methods

Advanced persistent threats (APTs) – long-term targeted attacks by powerful entities, such as nation states or large corporations, using a variety of methodologies.

Distributed denial of service (DDoS) – taking down a service such as a website, typically by bombarding it with more requests than it can handle.

Man-in-the-middle (MitM) – interception and manipulation of messages between two entities, generally over public Wi-Fi or weakly encrypted networks.

Social engineering – mining personal profiles on social media sites for information that can be used in spear-phishing and identity fraud, or to direct the target to links containing malware.

Spear-phishing – stealing information by means of personalised messages (usually email) designed specifically to deceive a certain individual or group. Standard mass phishing is also making a comeback thanks to the rise in mobile devices, where embedded links typically display less information.

SQL injection – exploiting vulnerabilities in applications to run unauthorised commands on the underlying database.

Watering-hole attacks – planting malware on a legitimate site that the target is likely to visit.
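The SQL injection entry above is the one item in this list that comes down to a single, well-understood coding defect, so here is an added example (not from Computing or from any of the vendors named in the article) showing the defect beside its fix. It uses Python's standard sqlite3 module with a constructed in-memory users table; the rows, the placeholder "hash-of-..." strings and the function names are all assumptions made for the illustration. The vulnerable lookup builds the statement by string concatenation, so user-supplied text is parsed as SQL; the hardened lookup passes the same value as a bound parameter, so the database engine only ever treats it as data.

```python
import sqlite3


def make_db():
    """Build a small in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)"
    )
    # Constructed sample data; the hash strings are placeholders, not real hashes.
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("alice", "hash-of-alice-pw", "admin"),
            ("bob", "hash-of-bob-pw", "user"),
        ],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Defective version: the username is spliced into the SQL text.

    Any quote characters in `username` end the string literal early and the
    rest of the input becomes SQL syntax, which is the SQL injection defect.
    """
    query = (
        "SELECT username, role FROM users WHERE username = '"
        + username
        + "' ORDER BY username"
    )
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    """Hardened version: the username travels as a bound parameter.

    The SQL text is fixed at development time; the engine receives the value
    separately and compares it byte-for-byte, so it can never alter the query.
    """
    query = "SELECT username, role FROM users WHERE username = ? ORDER BY username"
    return conn.execute(query, (username,)).fetchall()


def compare(username):
    """Run both lookups on the same input and return the two result sets."""
    conn = make_db()
    try:
        return {
            "vulnerable": lookup_vulnerable(conn, username),
            "safe": lookup_safe(conn, username),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # A well-formed username behaves identically in both versions.
    print(compare("alice"))
    # Input containing a quote shows the difference: the concatenated query
    # returns every row, the parameterised query correctly returns nothing.
    print(compare("' OR '1'='1"))
```

The point for a code reviewer or an internal scanner is that the defect is visible in the source: a SELECT, INSERT or UPDATE assembled with `+`, `%` or an f-string from request data is the pattern to flag, and the fix is always the same: parameterised statements (or an ORM that generates them), with input validation as defence in depth rather than as the primary control.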

@ComputingJohn