Security in the spotlight
The security sector has been in the headlines for all the wrong reasons during the past year. But behind the stories of lost data, fraud and phishing is a sector coping well with an ever-growing level of threat
The loss of 25 million personal details by a junior employee at HMRC in late 2007 was the starting pistol for more than a year of profile-raising news for the security industry.
The HMRC scandal was followed, on an almost weekly basis, by reports of other large-scale data losses, successful phishing attacks, major cyber-frauds, trojan-based identity theft and numerous other attacks that raised the profile of IT security in the public consciousness to such an extent that greater investigative powers were immediately extended to the Information Commissioner’s Office (ICO). But these incidents also ensured that information security remained a priority for corporate executives. And, in many cases, they threw money at the problem.
Last year, IT organisations spent $10.5 billion on security software. According to Gartner, this represented an 11% increase on the previous year and stemmed largely from a growth in the scope of the security threats they faced and the extension of security coverage to a more mobile workforce. And even as the recession eats into IT budgets in other areas, the research firm predicts the upward trend will continue, with the market hitting $13.1 billion in 2012.
Bad publicity
Cynical observers have often suggested that it has always been in the security sector’s interest to play up the danger of cybercrime, although the industry itself might prefer the term ‘raising awareness’.
Certainly, the public became brutally intolerant of data breaches. A survey of 1,000 consumers by Symantec and price comparison site Moneysupermarket.com found that 89% of those canvassed were of the opinion that "reckless and repeated" data breaches ought to be punished by criminal prosecution (rather than a fine issued by a civil court), and the incarceration of negligent company directors. A further eight out of ten said there should be a “one strike and you’re out” policy.
In a follow-up poll in the streets of
But too much fear can be counterproductive, as it can discourage incident reporting.
“The Metropolitan police have said that the percentage of organisations reporting computer intrusions has declined because of fear of negative publicity,” said VeriSign security consultant Jonathan Care at Information Age’s security conference in September 2008. “One anonymous CEO even said to me: ‘If I report this, I am worried what else the police will find.’ They didn’t want police to come in and create uproar in the business.”
Growing threat profile
Some threats, though, were on a much wider scale. The potentially net-crippling DNS vulnerability discovered by Dan Kaminsky, a renowned security researcher at IOActive, was successfully kept under wraps until a consortium of governments and security firms were able to patch it. He eventually revealed the nature of the threat at the Black Hat conference in July.
Burgeoning technologies such as smartphones and the move towards mobile working also spawned new security concerns.
“[Smartphones] are nothing more than PCs in a much smaller format,” said Howard Schmidt, president of the Information Security Forum, “and they have to be managed and secured and controlled to the level you control PCs. If you’re a corporate executive who does a lot of travel, often the keys to the kingdom are in there. Emails, Word documents, PowerPoint presentations – access to them is one of the biggest things you need to worry about.”
Nonetheless, a survey of IT security decision-makers by information management software firm Sybase found that 71% rely solely on their employees to secure their mobile devices.
The year 2008 was also when the web surpassed email as the preferred route of attack, according to security software firm Sophos. In the first six months of 2008 the firm detected 16,173 infected web pages a day, three times the rate of the previous year, while email declined as a means of malware distribution. In 2007, “one in 332 emails were malicious. [In 2008] it was down to one in 1,500,” said senior technology consultant Graham Cluley. “The web has become the battlefield.”
One such attack, an ‘SQL injection’ – submission of database commands through web fields, such as a name or address box – has undergone several novel twists in recent times.
Firstly, an increasing number of legitimate websites, including the sites of several Sony PlayStation games and that belonging to the Association of Tennis Professionals, were hijacked using SQL injection attacks. That led visitors to a webpage offering a (fake) online security scan, intended to scare them into purchasing dubious antivirus programs – and part with their credit card details.
The second twist was the discovery that the culprit was the Asprox botnet. Asprox searched for vulnerable sites using Google, delivering an affiliate’s payload while adding to its botnet the PCs of anyone who visited the victim’s website. The exponential scaling and high level of automation of such a botnet means potentially any vulnerable site – government, private or business – can eventually be found and compromised.
Insider threats
But not all the security action was outside the organisation. External attacks were far more common, according to a comprehensive study of 500 corporate data breaches examined by forensic data investigators, but the relative damage caused by outside hackers was low. The study by Verizon Business concluded that the most devastating threats in terms of impact come from insiders, especially ‘partial insiders’ such as third-party call centre workers who are given access to company records.
“Business partners were involved in 39% of the data breaches handled by our investigators,” the Verizon report stated. “In a scenario witnessed repeatedly, a remote vendor’s details were compromised, allowing an external attacker to gain high levels of access to the victim’s systems.”
A typical case of a partner security breach, explained Verizon Business’s director of investigative response, Bryan Sartin, involves a crime ring approaching employees in call centres or support positions, “and saying ‘if you hate your job or your boss, I’m your solution’.”
And despite being preventable through good access control on behalf of the outsourcing business, “a good nine out of ten victims of partial insider security breaches believe they have controls on the partial insider connection. Sometimes they don’t even know where their data is located,” Sartin said.
A large number of these data breaches were attributable to misconfiguration or “even a complete lack of security altogether,” the report claimed. Furthermore, when a breach does occur, in 63% of cases it takes several months to discover.
“In 70% of cases it’s a third party that notifies the business, usually banks, law enforcement or customers. The business is usually shocked when it finds out. Often we don’t even need specialist forensic tools because the answers are in the logs in black and white,” Sartin claimed.
The bad guys
As that highlights, the most striking security trend of 2008 concerned the bad guys.
Rick Howard, director of intelligence at VeriSign iDefense, monitors ‘the other side’. He observes they are adapting, “becoming commercialised, business-focused and developing a sophisticated underground economy” that increasingly resembles a legitimate software sector; malware developers are offering regular updates and SLAs, while some malware even actively removes competitive rogue software.
For these criminals, the risk is low and the potential financial gain is huge. VeriSign’s Jonathan Care says hackers are increasingly “serious, organised and showing monetary intent” – while the risks to them remain marginal. “I was talking to one [hacker] and his preferred method [was] to go to Morocco, buy a 3G card and sit in a café and run [malicious apps] from there.”
The experts paint a grim picture. But IT shouldn’t forget that even the most well-intentioned vendors can get carried away, and that security is fundamentally a business process rather than an obstacle to overcome.
“You can get too fearful,” concluded Schmidt. “Cybercriminals are not superhuman, and we can put the processes there to protect organisations. I think we’ll get there.”






