The cyber war is intensifying each year and cyber attacks and those behind them are in no mood to cease their efforts. Rather than burying your head in the sand and assuming this is a US problem because of disclosure laws, Rob Warmack, Tripwire's senior marketing director in EMEA argues that this is a global issue and looks at mitigation solutions.
The cyber war intensifies each year, with an increasing number of attacks against payment card systems, the financial sector and government agencies. Cyber criminals launch thousands of attacks around the world daily, costing billions of dollars.
The purposeful intent of these attacks becomes clearer each year, with politically charged country-to-country strikes, attempts to defame or damage specific corporations and systematic theft of credit card details by organised crime.
The variety and ingenuity of attacks also continues to grow. According to the 2010 Data Breach Investigations Report from Verizon Business, hacking and malware accounted for over 95 per cent of all data compromised in 2009.
Weak or stolen access credentials, SQL injection, and data-capturing and customised malware continue to plague organisations in their efforts to protect sensitive information assets. In many cases a combination of these techniques was used, which makes defending against such attacks most challenging.
While the majority of reported incidents occur in the US, the lack of a disclosure requirement across the EMEA region means the reported figures undoubtedly understate the true level of cyber attack in the region. To assume that this level of purposeful attack is not occurring in one's own backyard would be false security. The increasing intensity of cyber crime is a global phenomenon.
Cyber terrorists are very motivated. Economic and political forces are fuelling the explosion in cyber terrorism, with Gartner predicting that by 2015 at least one G20 nation's critical infrastructure will be disrupted and damaged by online sabotage.
Cyber terrorists are also highly capable. Attackers carefully orchestrate multi-pronged attacks executed by teams of highly skilled IT professionals, who carry out complex and patient campaigns, often taking weeks or months to infiltrate systems layer by layer.
Cyber attackers take a 'low and slow' approach: they gain a step towards compromise, wait to see if anyone notices and, if not, venture a bit further. Once through the perimeter and with access to servers, they create bogus users and grant them privileges. Once their path is clear and access to the target systems is gained, they make away with sensitive data for economic gain or political advantage.
Evidence of this subtle, measured approach is that over 60 per cent of breaches remain undetected for months or more. The Verizon Business report revealed that organisations typically take over five months to discover a breach. Worse yet, in 61 per cent of investigated breaches it was a third party, rather than the internal IT team, that discovered the breach.
The gap between breach and detection that this affords criminals reveals that organisations and governments are enabling successful attacks on their networks by failing to ensure that security policy is consistently implemented and continuously enforced. They are giving cyber criminals the very opportunity they need to access sensitive data.
The core of the cyber criminals' strategy is to exploit today's complex and constantly changing IT environment. IT organisations are required to manage and maintain a myriad of network devices and systems subject to a continuous flow of changes.
Patches applied to one group of servers to enable a new application often create a security vulnerability in another. In a sea of expected changes and events occurring across the infrastructure, it is difficult to spot the few that don't belong. It is exactly this dynamic, complex IT environment, managed largely by manual means, that enables cyber criminals to go unnoticed, slipping beneath the notice of IT security while operating in plain sight.
Security organisations tend to focus investments on the perimeter, with the intent of creating a hard, impenetrable shell around the network. Yet research shows that compromise is targeted at the server, where the sensitive data actually resides.
Moreover, given today's highly integrated world of mobile workers and cloud computing, it is virtually impossible to secure the boundary. Organisations must shift their emphasis to safeguarding the server, the prime objective of the cyber attacker. If strong change and configuration controls are implemented at this point in the network and continuously enforced through automated monitoring and detection technologies, criminals are denied access to the ultimate prize they seek.
Industry and governments, driven by the public effects of cyber theft, are mandating action be taken by organisations that have been too slow to respond. Indeed, this has played out in the credit card payment space, where the illegal access to stored credit card data has enabled the lion's share of economic cyber terrorism.
In fact, the Payment Card Industry Data Security Standard (PCI DSS), which specifically requires regular monitoring and enforcement of network controls, was created for the most part because those that transact payment using credit cards focused so little on building in strong security to protect this critical data.
Globally, governments have followed suit, developing regulations such as the EU Data Protection Directive to force organisations to safeguard personal data against cyber attack. Many organisations feel overwhelmed by the growing list of regulations and standards with which they must comply. But when they consider the alternative - paying the price for post-breach remediation and negative impact to brand reputation - the need for preventative investment becomes more palatable.
It should come as no surprise that, despite the implementation of protection technologies at the perimeter, breaches continue to rise. These tools often generate even more data to be digested by an over-taxed staff and further cloud their visibility of suspicious activity. Such a practice obviously works against itself.
The reality is that organisations today simply cannot manually detect the seemingly random and innocuous changes and events triggered by skilled cyber criminals occurring over weeks and months. In the end, different technologies are needed to complement perimeter defences and more effectively enforce security policy and protect sensitive data from rising threat.
Simply establishing and dictating stronger security policy for production servers from a management perspective is not enough. Personnel need tools that continuously monitor production environments for compliance against security policy if they are to detect suspicious changes and events more effectively. By consolidating information about compliance status and suspicious activity, they can identify the beginnings of an attack early, immediately alert the appropriate personnel and respond before the business is compromised.
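To make the preceding argument concrete, the following is an added example (it is not part of the original article and is not Tripwire's product code) of the kind of automated change control described above: a server's sensitive configuration files are baselined by hash, every difference in a later snapshot is matched against an approved-change record, and identity-related files are parsed so that the 'bogus user with privileges' step of a low-and-slow intrusion surfaces as a specific, unapproved finding rather than as one more anonymous change. The file contents, the ticket number CHG-1042 and the account name svcbkup are constructed sample data; a real deployment would read the files from disk and the approvals from the change-management system.

```python
import hashlib

# Constructed sample snapshots of three configuration files on a Linux server.
# BASELINE is the last known-good state; OBSERVED is the state seen on the next
# monitoring pass. These strings are illustrative, not real system data.
BASELINE = {
    "/etc/passwd": (
        "root:x:0:0:root:/root:/bin/bash\n"
        "www:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
    ),
    "/etc/sudoers": "root ALL=(ALL:ALL) ALL\n%admin ALL=(ALL) ALL\n",
    "/etc/ssh/sshd_config": "PermitRootLogin no\nPasswordAuthentication no\n",
}
OBSERVED = {
    "/etc/passwd": (
        "root:x:0:0:root:/root:/bin/bash\n"
        "www:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
        "svcbkup:x:0:1001:backup svc:/home/svcbkup:/bin/bash\n"   # UID 0!
    ),
    "/etc/sudoers": (
        "root ALL=(ALL:ALL) ALL\n%admin ALL=(ALL) ALL\n"
        "svcbkup ALL=(ALL) NOPASSWD: ALL\n"
    ),
    "/etc/ssh/sshd_config": (
        "PermitRootLogin no\nPasswordAuthentication no\nMaxAuthTries 3\n"
    ),
}
# Hypothetical approved-change record: a hardening change to sshd_config was
# authorised under ticket CHG-1042. Nothing else was authorised.
APPROVED = {"/etc/ssh/sshd_config": "CHG-1042"}


def digest(text: str) -> str:
    """SHA-256 of a file's content; the baseline stores only these digests."""
    return hashlib.sha256(text.encode()).hexdigest()


def parse_passwd(text: str) -> dict:
    """Map account name -> UID from passwd-format lines (name:x:uid:gid:...)."""
    accounts = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 3:
            accounts[fields[0]] = int(fields[2])
    return accounts


def sudoers_entries(text: str) -> set:
    """Set of non-comment sudoers lines, used to spot newly granted privileges."""
    return {ln.strip() for ln in text.splitlines() if ln.strip() and not ln.startswith("#")}


def assess(baseline: dict, observed: dict, approved: dict) -> list:
    """Compare the observed snapshot against the baseline and classify each change.

    Each finding records the path, whether an approved ticket covers the change,
    and, for the identity files, exactly what changed.
    """
    findings = []
    for path in sorted(set(baseline) | set(observed)):
        old, new = baseline.get(path), observed.get(path)
        if old is not None and new is not None and digest(old) == digest(new):
            continue  # unchanged: the expected, uninteresting case
        finding = {
            "path": path,
            "ticket": approved.get(path),
            "status": "approved" if path in approved else "UNAPPROVED",
            "detail": [],
        }
        if old is None:
            finding["detail"].append("file added")
        elif new is None:
            finding["detail"].append("file removed")
        if path == "/etc/passwd":
            before, after = parse_passwd(old or ""), parse_passwd(new or "")
            for name in sorted(set(after) - set(before)):
                tag = "new UID-0 account" if after[name] == 0 else "new account"
                finding["detail"].append(f"{tag}: {name}")
            for name in sorted(set(before) - set(after)):
                finding["detail"].append(f"account removed: {name}")
        if path == "/etc/sudoers":
            for entry in sorted(sudoers_entries(new or "") - sudoers_entries(old or "")):
                finding["detail"].append(f"new sudo grant: {entry}")
        findings.append(finding)
    return findings


def alerts(findings: list) -> list:
    """Only unapproved changes are escalated; approved ones are merely logged."""
    return [f for f in findings if f["status"] == "UNAPPROVED"]


if __name__ == "__main__":
    for f in assess(BASELINE, OBSERVED, APPROVED):
        print(f["status"], f["path"], f["ticket"] or "-",
              "; ".join(f["detail"]) or "content changed")
```

Run against the sample data, the sshd_config change is reported as approved under its ticket and drops out of the alert queue, while the new UID-0 account and its NOPASSWD sudo grant are reported as unapproved and escalated. The point is the reconciliation step: a bare file-integrity hash would flag all three files equally, whereas matching against the change record is what separates the few changes that don't belong from the many that do.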
Cyber attack is unavoidable. Any organisation that fails to recognise this risk jeopardises its business, from the cost of data loss and post-breach remediation to regulatory exposure and its consequences.
Unfortunately, the motivation for cyber criminals will not lessen in the near term and they are unlikely to respond to punitive threats or political negotiations; nor are they likely to become any less technically capable.
The only option for addressing the threat of cyber crime is to close the window of opportunity for network compromise. In a complex, dynamic IT environment, only those organisations that create the right security policies and processes, and then enforce that policy with the right automated controls to increase visibility of suspicious activity, can reduce their exposure to attack and better safeguard the business.