Businesses are in a precarious situation these days. Cyber criminals have evolved their skills and techniques to such an extent that they can breach the four walls of any company at will.
Today’s cyber attacks are well organised, sophisticated and targeted rather than random: they are aimed at specific businesses or organisations with the goal of stealing valuable information for resale or fraudulent use.
The 2008 RBS WorldPay incident is a good example of such an attack. First, ATM account credential information was stolen from a hacked computer system and used to make counterfeit ATM cards. Then, over a period of a few hours, US$9 million was withdrawn from 2100 ATMs in 280 cities across three continents, using a well-organised group of cashers spread around the world.
According to one report, the revenue generated by cyber criminals approaches US$1 trillion annually; it is big business. This new breed of criminal congregates anonymously in underground chat rooms, where they can find like-minded criminals with the particular specialties needed for a particular heist.
There are specialists who focus only on producing and supporting malware and various exploits such as phishing, and others who offer resources for rent such as botnets or hackers. After the data is stolen, the cyber criminal will either sell the information to others, who monetise it through some fraudulent scheme, or attempt to cash it out directly.
Cashing out involves another set of players, the cashers, who take their own cut. The cashers recruit and organise mule bank accounts for wire transfers and the street-level cashers who withdraw cash from ATMs. With this loosely coupled, anonymous yet well-organised group of players, a cyber criminal can attack an institution of any size, from the largest bank to a neighbourhood insurance agent, for a token investment ranging from a few hundred to a few thousand pounds.
So what are businesses doing to get ready for the day when they are singled out? For the most part, nothing. Businesses are complacent about the security risks they face, and this complacency is their biggest threat and risk. Their energies are focused elsewhere, on completing the ten-plus-year-old business digitisation exercise of implementing ERP and business intelligence projects and modernising legacy systems.
A recent Gartner Group survey of CIOs confirms these technology priorities for the last two years running (2008-2009). So what is going on? These priorities have been kicking around for the last 10 years, or so it seems. Companies are still heads-down re-engineering their processes to remove latency (approaching near real time) and to become collaborative with their partners and customers.
Out of necessity, companies have had to morph their inwardly focused, static and inflexible processes into collaborative ones that are rapidly adaptable and interactive with their partners and customers.
To enable this change, new applications have been purchased or built, and legacy ones have either been replaced or face-lifted with service-oriented architectures and web application front-ends. The loosely coupled service-oriented architectures, custom developments and enabling technologies have introduced new technology-based vulnerabilities that can be exploited by cyber criminals.
This metamorphosis has also introduced a significant risk from a new and evolving group of unmonitored people, from partners, from customers and from within the businesses themselves, who now interact with the businesses’ data and applications. Security beyond the checkbox is an afterthought in this major retooling of IT.
With this maniacal focus on making the business more competitive and adaptive to changing industry forces, businesses have unwittingly introduced new risks into their environment that make it difficult at best to meet today’s highly sophisticated cyber threats. In this open and collaborative world, knowing who is on the network, what data they are viewing and what actions they are taking is a gaping blind spot.
This lack of visibility means risks go undetected: unknown users on the network go unchecked, along with unauthorised access, fraud and information leakage. According to the 2008 Verizon Breach Study Reports, 74% of the companies that experienced a breach did not detect it for weeks or months after the incident, and 69% did not detect the breach themselves; third parties did.
These alarming statistics point to the fact that most companies are flying blind when it comes to really knowing what is happening on their networks, data and applications, and are oblivious to the real threat posed to their businesses. There is no doubt that at this very second the next biggest breach is already under way and has gone undetected for months. The largest breach to date was carried out over 18 months and resulted in 130 million records being stolen.
Given this perfect storm, where the sniper-targeted cyber criminal meets the complacent company, breaches are going to occur at the criminal’s choosing. I contend that even with vigilant security, cyber criminal-led breaches will occur due to the criminals’ sophistication and resources. These days there are simply too many ways for malware to find its way onto the corporate network.
Whether it is a poisoned DNS server redirecting traffic to criminal sites, a phishing attack or SQL injection into a highly vulnerable web application, the cyber criminal will get inside and attempt to locate valuable information.
So what are companies to do? They can’t stop their process digitisation projects; these are vital to corporate survival. Companies need to recognise that securing their data and processes against attack is equally important. To thwart the cyber criminal, companies must focus on rapid detection of, and response to, these highly likely breaches.
The only viable solution to combating cybercrime is vigilant monitoring that delivers rapid detection and response to breaches. Cyber criminals and their tools of the trade leave digital fingerprints wherever they go. These fingerprints show up in log files and netflows that can be collected and analysed, specifically correlated against other log files (other fingerprints), to detect the telltale signs that something is amiss. Only when rapid detection happens on a regular basis will cyber criminals move their attention to easier hunting grounds.
You might think that antivirus scanners will do the trick and there is no need to monitor. Remember that these attacks are zero-day attacks, custom built for their targets. Scanners won’t recognise their signatures, but their activity fingerprints can’t be missed. Fingerprints are left behind by the originating exploit, network scans, file installations, bandwidth usage and CPU utilisation, and those fingerprints can be detected.
The best defence against these inevitable attacks is automated monitoring. Manual monitoring won’t cut it, because millions of events must be analysed daily to find the few important needles in the haystack; humans simply can’t do it without automation.
Automated enterprise visibility, delivered by technology that collects and correlates relevant event data, is the vital missing link; every company will benefit from it by securing its business processes and its customer and partner interactions.
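The collect-and-correlate idea in the preceding paragraphs, written out as a small runnable toy. This is an added example and not code from the article or from any SIEM product. Every log line, host address, fingerprint name and threshold in it is constructed for illustration: a web server access log carrying the originating exploit (an injection-looking request), netflow records carrying a network sweep and a bandwidth spike, and host agent events carrying a file installation and a CPU spike. Each source yields one kind of fingerprint on its own; the alert fires only when several distinct kinds land on the same host inside one time window, which is the correlation step the article says separates signal from noise.

```python
"""Toy event-correlation engine (constructed example, not any product's code).
Fingerprints from three log sources are keyed by internal host and an alert
is raised only when several distinct kinds coincide within a time window."""
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts host kind detail")

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

# --- Constructed sample data (all addresses are documentation ranges) -----
# Web access log: "<ts> server=<ip> client=<ip> <method> <path> <status>"
WEB_LOG = [
    "2009-06-01T10:00:01 server=10.0.0.5 client=203.0.113.9 GET /login?user=admin'%20OR%20'1'='1 200",
    "2009-06-01T10:00:05 server=10.0.0.5 client=198.51.100.4 GET /index.html 200",
    "2009-06-01T10:00:09 server=10.0.0.7 client=198.51.100.4 GET /about.html 200",
]
# Netflow records: "<ts> <src> <dst> <dport> <bytes>". Twelve small flows from the
# web server to twelve internal hosts on one port (a sweep), then one large upload.
NETFLOW = ["2009-06-01T10:02:%02d 10.0.0.5 10.0.0.%d 445 120" % (i, 20 + i) for i in range(12)]
NETFLOW.append("2009-06-01T10:05:00 10.0.0.5 203.0.113.9 443 60000000")
NETFLOW.append("2009-06-01T10:05:30 10.0.0.7 10.0.0.9 53 300")
# Host agent events: "<ts> host=<ip> type=<kind> <key>=<value>"
HOST_EVENTS = [
    "2009-06-01T10:03:10 host=10.0.0.5 type=file_install path=/tmp/.x/svc.bin",
    "2009-06-01T10:03:30 host=10.0.0.5 type=cpu_util value=97",
    "2009-06-01T10:04:00 host=10.0.0.7 type=cpu_util value=35",
]

# --- Fingerprint extractors, one per log source ----------------------------
# A quote followed by OR/UNION in a request path (hypothetical, deliberately crude rule).
SQLI = re.compile(r"(%27|')(%20|\+|\s)*(or|union)\b", re.IGNORECASE)

def web_events(lines):
    """The originating exploit: injection-looking requests, keyed by the server hit."""
    out = []
    for line in lines:
        ts, server, client, _method, path, _status = line.split()
        if SQLI.search(path):
            out.append(Event(parse_ts(ts), server.split("=")[1], "sqli_attempt", client.split("=")[1]))
    return out

def netflow_events(lines, scan_targets=10, upload_bytes=50_000_000):
    """Network scans and bandwidth spikes, aggregated per source host."""
    targets, sent, last_ts = defaultdict(set), defaultdict(int), {}
    for line in lines:
        ts, src, dst, dport, nbytes = line.split()
        targets[src].add((dst, dport))
        sent[src] += int(nbytes)
        last_ts[src] = parse_ts(ts)
    out = []
    for src in targets:
        if len(targets[src]) >= scan_targets:
            out.append(Event(last_ts[src], src, "port_scan", "%d targets" % len(targets[src])))
        if sent[src] >= upload_bytes:
            out.append(Event(last_ts[src], src, "bandwidth", "%d bytes" % sent[src]))
    return out

def host_events(lines, cpu_threshold=90):
    """File installations and CPU spikes reported by a host agent."""
    out = []
    for line in lines:
        ts, host, kind, extra = line.split()
        host, kind = host.split("=")[1], kind.split("=")[1]
        if kind == "file_install":
            out.append(Event(parse_ts(ts), host, "file_install", extra))
        elif kind == "cpu_util" and int(extra.split("=")[1]) >= cpu_threshold:
            out.append(Event(parse_ts(ts), host, "cpu_util", extra))
    return out

# --- Correlation -----------------------------------------------------------
def correlate(events, window=timedelta(minutes=15), min_kinds=3):
    """Alert on a host when at least `min_kinds` distinct fingerprint kinds fall
    within `window`. Any single kind is noise; the combination is the signal."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev.host].append(ev)
    alerts = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.ts)
        for i, start in enumerate(evs):
            kinds = {e.kind for e in evs[i:] if e.ts - start.ts <= window}
            if len(kinds) >= min_kinds:
                alerts[host] = sorted(kinds)
                break
    return alerts

def analyse():
    """Run all three extractors over the sample data and correlate the results."""
    events = web_events(WEB_LOG) + netflow_events(NETFLOW) + host_events(HOST_EVENTS)
    return correlate(events)

if __name__ == "__main__":
    for host, kinds in analyse().items():
        print("ALERT %s: %s" % (host, ", ".join(kinds)))
```

Running it alerts on 10.0.0.5 with all five fingerprint kinds, while 10.0.0.7, which only shows an ordinary DNS lookup and a 35% CPU reading, stays quiet. Feeding the web log alone into `correlate` produces no alert at all: one injection-looking request is a routine scanner hit, and it is the sweep, the file drop, the CPU spike and the upload following it on the same host that turn it into an incident.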
This technology is called enterprise threat and risk monitoring and is often referred to as SIEM (security information and event management). Enterprise threat and risk monitoring platforms are used all over the world to detect and respond to these very threats in real time.
Businesses can no longer be complacent about the security risks opened up by their digitisation efforts. If those risks are ignored, cyber criminals can do more harm to a business overnight than enterprise-wide process modernisation projects do good. Enterprise threat and risk monitoring provides an automated early detection and response system, so that process modernisation efforts deliver their rewards without the risk.