The extent of the ongoing IT security threat continues to expand in form, scale, and response. While both threats and responses are becoming more sophisticated, so far the threats appear to be winning. The challenge to the enterprise is substantial.
Seemingly safe sources as threats
News this week brought examples of how threats have been increasingly found to come from supposedly trusted authorities:
- Handheld inventory scanners from China have been found to contain malware for the systematic theft of logistics data.
- A government-authorized certificate authority in India has been found issuing rogue certificates for Google domains.
Continued modifications of traditional threats
Threats were also found with wrinkles on traditional methods:
- A five-year old attack, labeled ‘NightHunter’, has found been gleaning work email passwords from phishing campaigns sent to HR, finance and sales departments.
- A newer threat, ‘BrutPOS’, exploits poor RDP implementations and weak passwords to harvest credit card data from POS systems.
International economic warfare
Not only actual security issues, but also mere claims of security concerns, have become weapons in protectionist, international economic warfare. China’s state media this week asserted that the iPhone is a threat to state economic data and other interests because of its standard smartphone tracking capabilities. This complaint is an updating of a tactic that China has used previous to constrain international competition from firms such as Google and Microsoft.
Exposure of overreach by the U.S. National Security Agency (NSA) has likely been the most economically damaging so far, as an updated form of local content requirements is amassing in countries such as Germany. Both these genuine and opportunistic localized response to security concerns make business more difficult for cloud companies and their enterprise customers.
Growing government response
Increasingly large and coordinated efforts have also been amassed to take down increasingly sophisticated threats. As Dark Reading reported, “[T]he U.K.’s National Crime Agency (NCA) announced that it has seized Shylock operators’ command-and-control servers and taken control of the domains they use to communicate. The effort was led by NCA, and included the FBI, the European Cybercrime Centre at Europol, GCHQ, BAE Systems Applied Intelligence, Dell SecureWorks, Kaspersky Lab, the German Federal Police, and others in Italy, Turkey, France, Poland, and the Netherlands,” where Shylock is a complex bank fraud malware system.
In the last month, it had been the U.S. Secret Service that had alerted P.F. Chang’s to its security breech. The NCA this also launched a competition and training initiative to further cyber security skills and understanding.
Increasingly personal challenges
Cyber criminals are finding new ways to probe one of the greatest traditional weakness in cyber (or other) security systems, which is the human element. The Shylock criminals have actually posed as bank employees, using chat systems to gather more sensitive data. And, the use of blackmail, too, has apparently been rising.
Security firms respond
Some counter-responses naturally come from IT security firms. ThreatStream last month launched a new Modern Honey Network (MHN) tool to make it easier for enterprises to set multiple honeypot traps for lurking hacker threats. BioCatch used the occasion of the World Cup to showcase its passive biometrics technology for establishing user identity and screening bot attacks and execution. The startup FarSight Security was launched to identify newly created domains that have been set up for malicious purposes. (Gigaom Research cloud security market coverage can be found here.)
At this point, there are no signs that the good guys will successfully squelch the bad in the near, medium, or even long term. Mobile and cloud technologies have provided new frontiers for battle. While big data and predictive analytics can be applied to counter threats, they can also be used to make those threats more sophisticated.
Although government law enforcement appears to be beginning to catch up with these forms of cyber-based crime, their efforts alone of course will not be sufficient. It is clear that enterprises will have to continue to raise the bar on their security efforts on both human and technological levels.
Among the expected and required developments are the following:
On the technology level, the following have all been rightly named as key security developments:
- the use of a persistent personal identity,
- the identification of enterprise “crown jewels” data, and
- predictive analytics are all rightly named as key security developments.
On the human and organizational levels, the following should be recognized:
- C- and board-level involvement will have to become the norm in order to assure the attention, funding, and enterprise-wide coordination that are needed are provided and updated continuously.
- Just as IT spending and management are becoming more integrated across the enterprise, security will be both important enough and have sufficient reach beyond pure technology to require integrated management and responsibilities on the corporate and line-of-business departmental levels. That is, cybersecurity will also have to be managed, with authority and responsibility, at the non-IT departmental level.
- A security-oriented mindset will need to be fostered among even those technical staffers who do not naturally have such an outlook. As Kenneth van Wyk recently suggested with his idea to give developers hacking exercises in order to attune their thinking to that of hackers.
- Just as the banking credit card networks have long straddled technological implementations and the human ‘real’ world, with failsafes established in recognition of the impossibility of perfect security, organizations and individuals of all types will need to incorporate pragmatic procedures to limit and abate failures and damages. That is, the management and mitigation of security breeches will be an ongoing part of a mature security system.