The most worrying issue for the UK's C-level security professionals is fear of the unknown, Andrew Kellett discovered at a roundtable discussion hosted by SC Magazine in association with FireEye.
The chief information security officer (CISO) is the person in the direct line of fire when breaches occur – and, given the deteriorating state of the sector, taking overall responsibility for security is a perilous role. Our CISOs are realists. They completely understand the elements of IT security that are under their control, but recognise the technology shortfalls that allow breaches to go undetected for too long.
During the past 12 months, several leading organisations have admitted to serious data breaches. As a result, organisations are being advised by security industry experts that defence in-depth will not keep everything safe, and no matter how secure they think they are, all organisations are potential victims. Businesses are being told to act as though they have already been breached. The emphasis is on the need to identify data breaches at the earliest opportunity and deal with the impact as quickly as possible.
The CISO community recognises that there is a clear difference between professional hackers that use stealth tactics to attack organisations in order to steal information for financial gain, and hacktivists who target organisations because they hold a personal or idealistic grudge against them and want to see them held to account.
Previously, the latter were seen by our CISOs as vandals rather than activists. But in the past two years, they have become more organised – and more focused on the extent of damaging press coverage that data theft and its online publication can cause.
The three disgraces
The fact that cyber crime is on the increase is reflected in the views of most leading CISOs. Many of them believe that both criminality and malicious acts are on the rise, and there is a general acceptance that three distinct groups are involved and that each has its own agenda.
State-sponsored attacks are seen as targeted, well-resourced and well-organised. But, realistically, their attack methodologies don't have to be mega-advanced with a zero-day payload to get past the baseline defences that exist across some sectors of government and industry. CIOs and CISOs accept that organisations can be breached by fairly simple approaches that need only be advanced enough to get past a Maginot line of static defences and, at state level, have the support of a sponsor who is interested in the information on offer.
Traditional financially motivated cyber criminals continue to silently hoover up sensitive business, customer and account information in order to make a profit. These attacks are generally opportunistic, not necessarily well-resourced or targeted, but often successful. Like their state-sponsored counterparts, the objective is to break in unobserved and silently go about the collection of data for as long as the attackers' presence remains undetected.
The third element is significantly different. It involves groups motivated by the prospect of publicity and which are now organised to the extent that hacktivists are known to have stolen more data in the past year than their traditional counterparts in the world of cyber crime. CISOs accept that a kudos element remains with some hacktivist-led attacks, but recognise that this is overshadowed by the top-secret information that is stolen and then published for the world to see.
A real horrorshow
Each public and private sector organisation faces a diverse range of security problems. Very few are unique, but at the same time it is difficult to imagine two more diverse ends of the security spectrum than the business requirement for basic anti-virus protection and the latest consumer-led initiatives. Yet both continue to have a significant influence on IT security. Products that can form part of a successful malware attack can be bought online. Breach models often combine social engineering with a supporting cast of off-the-shelf malware tools.
Other areas, particularly in the not-for-profit sector, continue to suffer from old-fashioned virus attacks. This happens because users share information across a variety of locations with insufficient anti-virus software in place. It is often a user issue as people still don't have the security awareness required to protect the organisations they work for. In this context, the problem for the CISO is about education and the struggle to get anti-virus protection for the type of basic network connections that continue to be in use. For example, there are serious concerns about how long it takes these organisations and their users to do the essentials, such as patching and updating anti-virus software.
When considering the majority of successful security breaches last year, there was a consistent theme. Most were driven by common SQL injection, the type of attack that has stayed in top-ten vulnerability lists for the best part of the last 15 years. Our CISOs recognise that some of the big players such as Microsoft have made significant security improvements to their products, but complain that in most software, including applications developed for the mobile market, there is little or no attention to security.
Access all areas
The consumerisation of IT and bring your own device (BYOD) are making high-profile security headlines. However, for many CISOs, this is merely part of a larger device and data management issue. Consumer applications and BYOD add an extra degree of complexity, but are generally considered just another thing to worry about. CISOs are more concerned about the management of data and devices and the inability to classify data effectively.
On the data side, organisations struggle to identify that which is critical, and the supporting classification disciplines are not mature enough. Data classification is seen by CISOs as too hard, while users continue to make unauthorised copies on their CD drives and personal devices.
Our CISOs also report more problems that need to be addressed with the fixed devices in corporate networks, which are incorrectly assumed to be more secure and better managed than the next generation of mobile devices.
The user demand for 24/7 access to corporate networks from mobile devices is believed by CISOs to be out of line with real business need. In reality, the organisational requirement only demands extended access in exceptional circumstances. CISOs say that if there were better identity management and access control, the issue of unwanted access could be better controlled. Potentially, there would be benefits in changing from role-based access to rule-based controls.
Don't have nightmares…
Across the industry, our CISOs are realists. They believe that any improvements made to IT security in the future will have to be cost-justified.
There is a strong weight of opinion that it isn't worth spending significantly larger sums on fraud protection without clearly defined business benefits.
Keeping up with the next generation
Over recent months, cyber criminals have shifted focus from targeting unwitting individuals for relatively low financial gain – through low-level hacks to steal credit card data – to longer-term, persistent attacks on large corporations, political groups and even nations. The recent discovery of the Flame virus, as well as Google's announcement that it will warn Gmail users if they become vulnerable to state-sponsored email spying, show that we have entered an era when malware is used for cyber warfare and espionage.
As the threat landscape evolves, it is vital that organisations' security defences evolve too, but the rising number of high-profile attacks, on organisations such as RSA, Citibank, eHarmony and Last.fm, is evidence that traditional security solutions are failing to keep up with ever-more sophisticated malware.
The firewalls, IPS, NGWG and anti-virus products used by most businesses, while playing a necessary part in maintaining enterprise security, are not enough to truly protect against these next-generation threats, as they provide little or no defence against advanced malware, zero-day and targeted advanced persistent threat (APT) attacks, all of which are adept at bypassing both signature- and heuristics-based technologies.
Organisations must therefore look to next-generation security systems that are capable of monitoring, identifying and blocking the attempts of these next-generation cyber attackers, in order to plug the holes left by their inadequate legacy security solutions.
By implementing signatureless defences to catch the unknown attacks missed by the traditional signature-based defences, networks will no longer be vulnerable to the potentially disastrous consequences of zero-day and APT attacks.
Andrew Kellett is principal analyst, security at Ovum