Thursday, 9 April 2015

Does IT Security Fail?


RSA, the security division of EMC, with the contribution of Northeastern University, recently published a report on why the IT security sector fails to address modern cyber attacks effectively. The report highlights the challenges faced by the industry and looks in depth at the best practices an organization can adopt to protect what it has achieved so far. It also includes practical advice for IT security professionals, which can help them improve the strategy and tactics with which they face modern threats.

The main messages of the report:

Attacks on organizations' IT infrastructure are multiplying, and so is the economic damage that accompanies them.

The economic impact of these attacks is significant and tends to grow.

According to The Global State of Information Security® Survey Research 2015, the number of established attacks worldwide increased by 48%, to 42,8 million, which is equivalent to 117339 attacks per day. Since 2009, incidents of attacks have been growing at 66% annually. The economic losses due to detected attacks worldwide rose to US$ 2,7 million, about 34% higher than in 2013.

The report notes that lack of risk awareness is one of the most vulnerable points in IT security in the US.

The amounts invested in technologies that prevent cyber attacks (prevention-based security) are disproportionately high relative to spending on solutions that can detect and adequately respond to these attacks. Moreover, the situation is aggravated by a "skills shortage". It is important to note that IT security should be based on adequate preparation. It requires a thorough understanding of the business processes and the entire operation of an organization, as well as the ability to collect and analyze all information related to the security of the IT infrastructure. Organizations that do not have adequate staff or experience to deal with such situations should consider whether they need to strengthen the internal IT security team, buying specialized cloud-based services to protect their infrastructures more fully.

Recommendations for better preparation against threats

The focus should now be not on which attacks are detected or how successful the effort to stop several would-be intruders has been, but on who managed to escape, what may not be adequately protected, and which attacks may have gone unnoticed.

Preparation - Vigilance and sustained attention should be an inherent feature of any plan to protect an organization's IT infrastructure. Access control systems cannot by themselves be effective against modern attackers, who launch attacks at high speed and draw on more and more new weapons to exploit any weakness in protective systems.
Setting priorities - Not every IT system or piece of information has the same value. Each organization should define what is critical for a particular function (mission-critical) and what is critical for its activity as a whole (business-critical): which attack would prevent the company's future business development, and which would set it back many years or drive it out of the market.
Customization - Those professionally engaged in IT security should first understand the nature of the changes that have occurred in infrastructure (cloud, mobility, BYOD, etc.) and then methodically prepare a defensive plan and the corresponding tactics to neutralize new and sophisticated threats.
Light everywhere - There should be no 'dark' spots in the IT infrastructure where intruders could hide or through which they could escape. Using the tools offered by modern technology, and examining the behavior of each user and each device connected to the network, helps to better equip an organization.
Flexibility - A business cannot operate under a system of strict policing. Employees should be given freedom and flexibility, with, to some extent, respect for private activity and a sense of trust. Education and communication with staff should be continuous, so that users understand and are ready to react properly to attacks that occur through social networks (social engineering).

Thursday, 2 April 2015

The Future of Cyber Crime


Over the past years we have witnessed the illegal uses of the Internet change completely in form, shape, and objectives. Today's hackers are often members of organized crime who hack computers for profit or even for political power. Motivated by radical new goals and armed with exceptional programming skills, they pose a major challenge to cybercrime researchers and law enforcement investigators alike. The field of cybercrime is a multidisciplinary area that includes law, computer science, finance, telecommunications, and data analysis.

Online security companies have made their predictions for 2015, from the malware that will be trying to weasel its way onto our computers and smartphones to the prospect of cyberwar involving state-sponsored hackers. WebSense suggests, “Cybercriminals upping their game are perfecting their campaign abilities previously associated only with advanced, targeted attacks. These advanced tactics designed to evade most modern email security solutions are quickly becoming the new norm as more sophisticated email threats increase...”

A parallel trend cited by several information security companies is the prospect of attacks on bigger companies in the private and public sector, with cybercriminals having specific goals in mind. Executives at some of the world’s largest banks are pressing government officials to pursue cyber criminals more aggressively or let the industry off the leash to fight them directly. The topic has shot up the agenda at the World Economic Forum in Davos this year, partly because of a series of high-profile incidents in the past 12 months, including the theft from JPMorgan Chase of data belonging to 75 million US households. Cybercriminals go after bigger targets rather than home users as this can generate more profits for them. We will see more data breach incidents, with banks, financial institutions, and customer data holders remaining attractive targets.

One of the most common forms of malware in 2014 was “ransomware” – cybercriminals trying to extort money from victims either by locking their devices and demanding a fee to release them, or by accusing them of various unpleasant crimes. Ransomware will be a key strategy for malware developers and it will be a more relevant threat in coming years. During 2014, we saw big companies hit by ransomware (like Yahoo, Match and AOL). In December 2014, in a panel discussion called “Cybercrime 2020: The Future of Online Crime and Investigations”, it was said that "...ransomware is the future of consumer cybercrime".

As more of our devices talk to one another – the “Internet of Things” – there may be a range of new cybersecurity headaches to think about, from domestic appliances to home security and climate control. It has to be said that some reporting on IoT hacking has exaggerated the scale of the problem. While it probably won’t be a massive problem next year, it is an emerging space for cyber crime.

As 2014 ended with the now-infamous hack of Sony Pictures – with intense debate about whether North Korea was involved – security firms see 2015 bringing a greater prospect of cyberattacks on behalf of nation states, even if they don’t run them themselves. Cyber warfare is very attractive to small nations. Developing government-built malware is cheaper than any conventional weapon and far more accessible to any nation-state. Cyber warfare represents for every government an efficient alternative to conventional weapons. The boundaries between cybercriminal gangs and governments may also blur. “Criminal groups will increasingly adopt nation-state tactics,” predicts Kaspersky.

One suggested solution is cyber security awareness and advice – where the public and businesses can go to get the information they need to protect themselves, how to implement basic controls to protect their data and privacy, and finally who to trust online and who to avoid.