IT Leaders' Forum: Security in the age of insecurity

How can organisations avoid falling dangerously behind in the cyber security arms race?

There was a time when the stereotypical image of the average malware writer was of a greasy Herbert holed up in a dreary suburb of Moscow or Chisinau, supposedly banging out dodgy code at the behest of a local Mr Big.

Although Eastern Europe and Russia probably harbour more than their fair share of malware writers, the truth is that such software is being written all over the world today, warned security specialist Graham Cluley. "In the past, it was sad young men who needed more vitamin-D who did it for fun," he told the IT Leaders' Forum.

Furthermore, warned Mark Sparshott, EMEA director of channels, alliances and OEM at security software vendor Proofpoint, attackers are using increasingly sophisticated techniques to evade detection - and even using "campaign" tactics adopted from the world of marketing.

"Attackers are using clever techniques to bypass reputation and content-checking technology at the front end when they are delivering the email. For example, they rotate the IPs [IP addresses] that they use to send the email. They rotate the sending email addresses and they rotate the websites that they are pointing people to with those links," said Sparshott.

So, for an attack sending, say, 135,000 messages to 80 major organisations - which sounds like a lot but will be less than 0.05 per cent of the email they receive that day - the use of link, IP address and email address rotation means that very few of the messages will be identical. "Everything is highly rotated to avoid those 'reputation systems'," said Sparshott.

"They are also managing content in order to entice clicks, in a similar way that you might find a leading marketing or advertising agency doing. So attackers are really looking at it from a campaign perspective," said Sparshott.

What makes it even more challenging is the range of threats and attackers that organisations need to secure themselves against. The rise of "hacktivism" and state-sponsored malware - such as the attacks by the UK's intelligence agency GCHQ on the backbone of Belgian telecoms company Belgacom - ought to open people's eyes to just how widespread and wide-ranging attacks have become, warned Cluley.

And then there are the threats emanating from the supply chain. Often, warned Martin Dexter, IT security manager at insurance giant Skanska, if an attacker has a particular organisation in mind, it will start by targeting a weaker link in its supply chain. As a result, many companies now engage in proactive security auditing of potential partners.

For example, Airbus physically audited companies around the world when it was seeking suppliers for its super-jumbo A380 jet. For many organisations, said Dexter, it will be more practical to ask due diligence questions around their use of security software, for example, and whether they still use Windows XP in their organisation.

Furthermore, really determined attackers, he warned, might place "sleepers" within an organisation who will work perfectly legitimately for a year or two before they use their privileged access to strike. That ought to be a concern for any organisation conducting high-tech research, such as consumer products company Dyson, he added.

The trouble is, many organisations struggle to put together a comprehensive response to the range of threats they face. For example, said Neira Jones, independent adviser and chairman of the Global Advisory Board, Centre for Strategic Cyberspace & Security Science, "most security awareness programmes are there only to satisfy compliance".

"They are normally required once a year and organisations are most concerned that people have ticked the box," she said.

Others, however, take a more imaginative approach, she added. For example, a number of consultancies will now offer to run "phishing" campaigns as part of a penetration test to raise security awareness. This will involve running the campaign first as a baseline, then running a subsequent test later to see whether staff have got the message.

Such initiatives, though, take time and cost money. Yet Computing research indicates that the organisations that are most effective at protecting their systems are those where there is genuine understanding of the issues and support from the very top down.

Perhaps the best place to start is with money. In our survey, 44 per cent of respondents put the average cost at £400 or more per customer record if their organisation were subject to an attack. For an organisation with just 100,000 customers and potential customers, that could add up to a £40m bill.

If that doesn't make the board sit up and take notice, nothing will.
@GraemeBurton
