Hackers winning says US Secret Service

News by Steve Gold

But there are viable defence solutions say the security experts...

What happens when you get the US Secret Service to co-sponsor a security threats report from PwC - along with support from CERT Division of Carnegie Mellon University and CSO magazine? You get an in-depth security report that concludes that hackers are winning the cybercriminal battle.

The just-published analysis - entitled 'US cybercrime: rising risks, reduced readiness - key findings from the 2014 US state of cybercrime survey' - draws on interviews with 500 professionals in US businesses, law enforcement services, and government agencies.

The report - the 12th in an annual series - says that hackers are now more technologically advanced than those trying to stop them.

It also notes that around three quarters of interviewee organisations detected at least one security breach in the past year - with the average number of security intrusions per year weighing in at an eye-watering 135 per organisation.

The top five attack methodologies identified in the report include malware, phishing, network interruption, spyware and DDoS attacks.

The solution to the rising challenge posed by cybercriminals, says the report, is four-fold:

Firstly, identify your executive business sponsor and engage.

Secondly, assess your current security posture and use a risk-based approach to assess your cybersecurity practices against the industry standards and guidelines.

The third step is to define a target profile and execute by establishing a current profile of cybersecurity activities and risk-management practices, then identifying gaps to draft a prioritised action roadmap and execution program.

The fourth step is to continuously monitor, communicate, and collaborate - which the report defines as a reiterative process of continuously monitoring and routinely assessing your threats and defences.

Are the hackers really winning?

Peter Wood, CEO of pen-testing specialist First Base Technologies, says that if you take a snapshot of most companies today, then the answer to this question is yes.

"The problem is that most IT security professionals are employed in companies and work normal hours. Cybercriminals are typically self-employed and are very prepared to put the hours in, which their corporate colleagues only rarely do," he explained.

The solution, he says, is to address the issue at a senior level within the organisation - and then filter the response down to the employees.

Amichai Shulman, Imperva's CTO, says the hackers have been winning for the last four or five years - and the problem is not getting any better.

"It's a really major problem. The security of the Internet is turning into the Wild West," he said, adding that the good news is that the state - in the shape of the police and law enforcement officials - are now able to muster the resources needed to tackle the major hacker problems, as witnessed by the arrest of the man behind the Silk Road darkware trading portal in recent months.

"Smaller firms can also deploy relatively simple security systems and software to defend themselves, whilst larger organisations can install more complex and layered security defences," he explained.

David Howorth, vice president of Alert Logic, says that the challenge for SMEs continues to be complex - as this report shows 'only 20 percent of small companies rely on a security function to handle insider attacks compared to larger organisations.'

"With compliance and the need to protect personally identifiable information continuing to be a key driver for these companies, many are looking to their service providers to deliver ever more sophisticated security services that are able to detect, respond and mitigate to these threats," he said.

"Ultimately they have a security outcome that they want to achieve and they would rather partner with a specialist provider who has the know-how and the people to help protect their data, than leave it to chance," he added.

Keith Bird, UK managing director with Check Point took a different view, saying that one of the key issues identified in the report is that organisations don't share intelligence on threats and responses, which, he adds, helps new malware variants to spread faster.

"This is because information about these new threats isn't easy for firms to access," he said.

Stuart McKenzie, a senior investigative consultant with Context Information Security, said that cyber criminals are not necessarily winning the war, even if companies are experiencing higher attack levels.

"Organisations need to focus on quickly finding and remediating attacks on their networks. This means ensuring that cyber defences are aligned to trusted metrics such as the SANS Critical Security Controls and the organisation has a strong cyber strategy, which the board supports with continued investment in resources and preparedness for an attack," he explained.

McKenzie went on to say that leveraging threat intelligence to spot the latest attacker tools or a user visiting a strategic Web compromise will all add to defences.

"Applying additional controls to protect your crown jewels, once identified, and ensuring that any breach is investigated in a speedy manner is a more pragmatic approach to defence," he said.
