Over the past year, a number of high-profile cyber-attacks have caught the attention of the media; from the case in February when £650m was stolen from numerous British banks in the biggest cybercrime to date, to last year’s attack on Sony Pictures and even an infiltration of the White House for President Obama’s schedule. Both the targets themselves and the frequency of breaches indicate just how pressing and dangerous the threat has become.
“These days, the web is where all interesting economic activity has migrated, and so it’s a rich target of opportunity”, says Grady Booch, IBM Fellow Chief Scientist for Software Engineering. The methods and tools with which hackers now infiltrate computer systems and remain undetected are reaching new heights of sophistication. Yet organisations around the world, both private and public, have been slow to implement robust security strategies; for various reasons, their systems are lagging far behind the tactics used by those who break into them.
As companies rely increasingly on IT services to support key aspects of their businesses, they have become more vulnerable to security breaches. Out-dated methods in IT security can even heighten the risk of infiltration.
Of large organisations have had a staff-related breach
“We’re at a point now where traditional antivirus is completely obsolete and even the more advanced malware detection tools really can’t stop new, sophisticated malware from getting into a system”, says Dave Aitel, CEO of specialised security provider Immunity. “One major change in what modern malware does is smuggle the data out of your network in a number of new and interesting ways: inside DNS requests, ICMP, or a picture sent to a social network”.
Many have been slow or reluctant to alter their methods of IT securitisation during this transitional phase, so the weaknesses of their out-dated systems leave them susceptible to attack.
“Those that want to take advantage are often able to do so because systems haven’t been hardened and there’s a lack of general housekeeping and system hygiene”, says Ryan Rubin, Managing Director of Protiviti for EMEA Security & Privacy IT Technology Consulting. “People just aren’t looking out for these things, therefore the lack of awareness and monitoring of activity means that companies only find out about these problems much later down the line.”
What makes new security risks particularly challenging is their fluid and dynamic nature; the rapid rate of change has proven to be increasingly difficult for organisations to keep up with.
“It’s somewhat like being in a submarine with leaks that pop up in random places at random times”, Booch explains. “You have to be vigilant about not just reacting to security threats – any company has to be diligent about keeping up with the latest patches and attending to zero day exploits – but also to be proactive in seeking out potential risks”.
The traditional and perhaps even stubborn mind-sets of those in the IT sector are slowing down progress in cyber securitisation, so accustomed are people to protecting their businesses and assets in a certain way. Yet this rigid approach is no match for hackers.
“I think the first thing that needs to be done is realising that a change in strategy is required”, says Richard Bejtlich, Chief Security Strategist at FireEye. “The current strategy has been one of walking around, checking the doors and windows to make sure they are locked, and not paying enough attention to the fact that there are already intruders inside the house.”
Failure to acknowledge this major alteration in the way cyber-attacks are conducted has led to a situation where hackers can remain in a system, undetected, for months, as illustrated by the recent breach of the US State Department; despite the intruders first being discovered last November, an incident in February revealed they were still present within the department’s computer network.
Many firms are still under the false impression that they are impervious to cyber-attacks – either internal or external – in spite of the rising frequency of cases and widespread reporting in the media. “They are either moving so fast they don’t feel they have the time or focus to worry about such things, or they assume it would ‘never happen to them’, because they feel they are small enough to never be a target, or they are sadly clueless because they don’t appreciate the risk”, Booch explains. Yet, the reality is, unless an organisation operates in complete physical and cyber isolation, it is in danger of being hacked.
“The first thing I think that people need to realise is that, if you’re a significant target on the internet, there’s a good chance you’ve already been attacked and that the intruders could still be in your environment”, says Bejtlich. “So the first priority has to be to find the intruders that are already there. The second priority is, once you’ve found the people who are already there, you have to get ready for the ones that are going to come back. Dedicated adversaries are going to break into your environment, and then, as soon as you kick them out, they are going to try to get back in. So you have to have a persistent detecting response operation. Then the third priority is working on improving your defences so that it’s tougher for someone to get into your company and get access to your data”.
Over-confidence in third parties, customers and even employees has become a looming risk in terms of cybersecurity. It is easy for management to assume that those within their inner circle and network will not act in malicious ways to harm their business, but this is exactly what happens in many cyber-attacks. In the 2015 Information Security Breaches Survey conducted by PwC and published by the UK Government, 75 percent of large organisations surveyed had experienced a staff-related security breach; an increase of 58 percent from the previous year.
“Someone in a privileged user position or with privileged access to key core systems may become disgruntled, they may get dismissed or decide to leave the organisation”, says Rubin. “Because of the level of access that they have to the underlying systems, they may maliciously decide to destroy some of the company’s IT environment or create a situation where the company experiences some downtime that wasn’t planned.”
Acknowledging breaches can happen from the inside is crucial, particularly given the growing incidence of this type of attack. Therefore, additional layers of protection are essential. This type of approach will also help stave off external attacks, as a major focus in security strategy for a number of years has been the application of firewalls and anti-virus software, but these methods are based on creating a perimeter around a system; once a hacker infiltrates a computer network, there is very little to protect an organisation’s data or vital processes.
Cost is probably the most common reason for the slow adoption of a robust cybersecurity programme, because arming against hackers is an expensive enterprise; small companies must contend with an additional expense on modest budgets, while, for large firms, the cost is far greater due to their size. Of course, it is logical that the bigger the firm, the bigger the risk, but that does not mean smaller firms can remain idle in their security strategies.
“Building, deploying and operating secure systems costs money; money that is important, but that does not necessarily advance the functional mission of an organisation”, says Booch. “Hence, it’s sometimes a calculated trade-off: ‘Security will cost us x but the risk is y and so our exposure is z… Let’s make a calculated business decision that our exposure is sufficiently low that we won’t invest that much.’ This, of course, is a dangerous strategy.” Although this type of cost analysis is logical for any business decision, there is a general underestimation of cyber risk.
Many organisations are still in reactive mode, responding to a threat sometimes several months after their system has been infiltrated. Yet there are numerous tools, guidance services, software processes and technologies widely available to help companies become more proactive. While implementing a basic layer of protection across the entire organisation is essential (such as basic firewalls, passwords and rudimentary security systems) it is not cost-effective or even practical to implement a strong defence throughout.
Instead, it is far more feasible for organisations to focus on the most important aspects of operations and to add extra layers of protection to the areas that drive success. This may entail additional protection of an information asset or a business process, i.e. whatever is deemed as the element that could bring down an organisation if breached, stolen or used maliciously.
“People are recognising that it’s actually impossible to protect ourselves 100 percent, therefore we need to accept a level of error or weakness and really try to protect things that matter most to us and our organisation”, says Rubin.
Finally, a holistic approach in terms of awareness and understanding is now essential in order to ward off hackers; cybersecurity is not limited to an individual or even to the IT department. “There is a perception that security is an IT problem and we can throw IT products and solutions at it, whereas we’ve seen that clearly it’s something that needs to be tackled at different layers in an organisation”, says Rubin. According to PwC’s survey, 50 percent of the worst breaches that the companies surveyed suffered were a result of human error.
Looking forwards, IT security must be embedded within the culture of an organisation so employees are aware of their actions and refrain from risky behaviour that can make a system vulnerable to attack. Providing training to all staff, as well as the tools needed to protect the businesses’ information and processes, can provide a greater level of security across the entire organisation.
Of course, while it is impossible to predict a breach, there are some industries in which it is inevitable. The financial sector, for example, is always at risk from a host of attackers, ranging from criminal groups to nation states and hacktivists with a political agenda. But the risk is no longer confined to these obvious targets. As Bejtlich asks: “Who would have predicted that the creation of a movie would result in the hacking of Sony Pictures?” It comes down to understanding which groups would benefit from access (such as competitors, governments or criminals) and implementing the necessary procedures and processes to reduce the threat.
“These days, everyone is a target”, says Aitel. “Those most likely to be hacked will have data or access that a hacker finds valuable. For instance, a company that stores credit card numbers for its customers, or employee socials, or a vendor to a Fortune 1000, or a university with valuable research and data, such as engineering programmes, etc. And even if your data isn’t valuable on the black market or to a foreign intelligence service, it’s still probably valuable to you, and ransomware attacks will exploit that fact.”
In the rapidly advancing world of hacking, old systems and habits have become a major security threat, particularly as more organisations begin migrating to the cloud and using mobile technology. Other advances in computer systems have exacerbated the danger, such as wireless technology and social media platforms. Thus, as online culture evolves, so too must the methods with which these systems are protected and defended.
IT as a field is still relatively new, as are the software products in use; its foundations are therefore inherently insecure and, as such, a drastic overhaul of current systems is key. This will be difficult during this transitional phase – particularly as there is still a limited number of cybersecurity experts – while outsourcing presents another host of concerns.
But while the rigidity of security strategies endures, hackers find themselves in a golden age of attacking IT systems with relative ease; at present, the world is their oyster. A drastic shift in thinking in terms of securitisation is needed urgently, and it does not have to be as costly as many organisations fear. Understanding the mounting dangers in maintaining current policies, protecting the ‘crown jewels’ and raising company-wide awareness can promptly enforce a proactive security strategy that is fit for today’s evolving cyber threats.