Organized criminals devise ever more ingenious attacks to steal personal information, gain intellectual property, and disrupt individual businesses and public institutions. Motivated by financial or political gain, these individuals are well funded and immensely capable. They exploit weaknesses in today’s IT infrastructure and operational practices, capitalizing on any available opportunity to attack and acquire sensitive data.
Industry reports of breach investigations reveal several disconcerting trends: cyber attacks are increasing; breaches, when they are discovered at all, have gone undetected for months; and compromise is targeted at where the actual data resides—at the server—not at the perimeter where organizations traditionally focus their security investment.
To diminish the opportunity for these attacks and their threat to sensitive data, organizations must establish stronger security policy for production servers, continuously monitor security policy compliance, and more effectively detect and respond to suspicious changes and events.
Although we can’t lessen the motivation and capability of cyber criminals, we can reduce their opportunities for attack by enforcing security policy with automated change and event monitoring.
Business at war
The cyber war intensifies each year, with an increasing number of attacks against payment card systems, the financial sector, and government agencies. Cyber criminals launch thousands of attacks around the world daily, costing billions of dollars. The purposeful intent of these attacks becomes clearer each year, with politically charged country-to-country strikes, attempts to defame or damage specific corporations, and systematic theft of credit card details by organized crime.
The variety and ingenuity of attacks also continues to grow. According to the 2010 Data Breach Investigations Report from Verizon Business, hacking and malware accounted for over 95 percent of all data compromised in 2009. Weak or stolen network access credentials, SQL injection, and data-capturing and customised malware continue to plague organizations in their efforts to protect sensitive information assets. In many cases a combination of these techniques was used, making defence against such attacks all the more challenging.
While the majority of reported incidents occur in the US, the lack of disclosure requirements across EMEA undoubtedly understates the true level of cyber attack across the region. To assume this level of purposeful attack is not occurring in one’s own backyard would be a false sense of security. The increasing intensity of cyber crime is a global phenomenon.
Unbridled motivation and capability
Cyber terrorists are very motivated. Economic and political forces are fuelling the explosion in cyber terrorism, with Gartner predicting that by 2015 at least one G20 nation’s critical infrastructure will be disrupted and damaged by online sabotage. Cyber terrorists are highly capable. Attackers carefully orchestrate multi-pronged attacks executed by teams of highly skilled IT professionals. These individuals carry out incredibly complex and patient attacks, often taking weeks or months to infiltrate systems layer by layer.
Cyber attackers take a “low and slow” approach, gaining a step towards compromise, waiting to see if anyone notices, and if not, venturing a bit further. Once through the perimeter and with access to servers, they create bogus users and grant privileges. Once their path is clear and access is gained to the target systems, they make away with sensitive data for purposes of economic gain or political advantage.
As proof of this subtle, measured approach, over 60 percent of breaches remain undetected for months or more. The Verizon Business report revealed that organizations typically take over five months to discover a breach. Worse yet, in 61 percent of investigated breaches, a third party rather than the internal IT team discovers the breach.
Closing the window of opportunity
The time gap between breach and detection afforded to criminals reveals that organizations and governments are enabling successful attacks on their networks by not ensuring security policy is consistently implemented and continuously enforced. They are giving cyber criminals the very opportunity they need to access sensitive data.
The core of the cyber criminals’ strategy is to exploit today’s complex and constantly changing IT environment. IT organizations are required to manage and maintain a myriad of network devices and systems subject to a continuous flow of changes. Patches to one group of servers to enable a new application often create a security vulnerability in another.
In a sea of expected changes and events occurring across the infrastructure, it is difficult to spot the few that don’t belong. It is exactly this dynamic, complex IT environment, managed largely by manual means, that enables cyber criminals to go unnoticed: they slip beneath the notice of IT security while operating in plain sight.
Security organizations tend to focus investments on the perimeter with the intent of creating a hard, impenetrable shell around the network. Yet research shows that compromise is targeted at the server, where the sensitive data actually resides, and in today’s highly integrated world of mobile workers and cloud computing it is virtually impossible to secure the boundary in any case.
Organizations must shift their emphasis to safeguarding the server—the prime objective of the cyber attacker. If strong change and configuration controls are implemented at this point in the network and continuously enforced through automated monitoring and detection technologies, criminals will be denied access to the ultimate prize they seek.
Industry and governments, driven by the public effects of cyber theft, are mandating action be taken by organizations that have been too slow to respond. Indeed, this has played out in the credit card payment space, where the illegal access to stored credit card data has enabled the lion’s share of economic cyber terrorism.
In fact, the Payment Card Industry Data Security Standard (PCI DSS), which specifically requires regular monitoring and enforcement of network controls, was created for the most part because those that transact payment using credit cards focused so little on building in strong security to protect this critical data.
Globally, governments have followed suit, developing regulations such as the EU Data Protection Directive to force organizations to safeguard personal data against cyber attack. Many organizations feel overwhelmed by the growing list of regulations and standards with which they must comply. But when they consider the alternative—paying the price for post-breach remediation and negative impact to brand reputation—the need for preventative investment becomes more palatable.
Safeguarding IT assets through automation
It should come as no surprise that despite implementation of protection technologies at the perimeter, breaches continue to rise. These tools often generate even more data for an over-taxed staff to digest, further clouding their visibility of suspicious activity. This practice obviously works against itself.
The reality is that organizations today simply cannot manually detect the seemingly random and innocuous changes and events triggered by skilled cyber criminals over weeks and months. In the end, different technologies are needed to complement perimeter defences, more effectively enforce security policy, and protect sensitive data from a rising threat.
Simply establishing and dictating stronger security policy for production servers from a management perspective is not enough. Personnel need the tools to continuously monitor compliance in production environments against security policy if they are to more effectively detect suspicious changes and events. By consolidating information about compliance status and suspicious activity, they can identify the beginnings of an attack early, immediately alert appropriate personnel, and respond before business compromise occurs.
Cyber attack is unavoidable. Any organization that fails to recognize this risk jeopardises its business, from the cost of data loss and post-breach remediation to regulatory exposure and its consequences.
Unfortunately, the motivation for cyber criminals won’t lessen in the near term and they are unlikely to respond to punitive threats or political negotiations; nor are they likely to become any less technically capable.
The only option for addressing the threat of cyber crime is to close the window of opportunity for network compromise. In a complex, dynamic IT environment, only those organizations that create the right security policies and processes, and then enforce policy with the right automated controls to increase visibility of suspicious activity, can reduce attacks and better safeguard the business.