The threat agenda

The last few years have seen innumerable developments in the field of information security, as it races to keep up with increasingly innovative and sophisticated groups of cyber criminals.

Perhaps most significantly, computer crime has become entrenched in public consciousness following a string of high-profile hacking and data-loss incidents that have been given the shock-horror treatment by the national media. The stakes have risen, as the damage to an organisation’s reputation following a breach can now result in far greater losses than those incurred through rebuilding systems or paying fines, while the obligation to comply with the growing volume of regulation eats into budgets with absolutely no gain.

Rick Howard, director of intelligence at VeriSign iDefense, monitors ‘the other side’ and says cyber criminals are also adapting, becoming commercialised and business-focused – in essence they are developing a sophisticated underground economy. Malware developers, for example, are building commercially available ‘botnet’ services, offering regular updates to assure users that their services are protected, he says. The developers state, without a hint of irony, that it is illegal and a breach of copyright for users to forward the programs to anti-virus companies or use them to control competing botnets.

“There are stock markets for sites that have been compromised by iFrames exploits (which redirect visitors to malicious websites), with popular high-traffic sites receiving higher bids,” he explains. “iFrames exploits are not new – what’s new is the underground economy and sub-community exploiting them.”

Beyond money, politically motivated attacks have increased in recent years.

“The Russian attacks on Estonia were a proof of concept, although not so much a cyber-war as a cyber-riot,” Howard says. “Estonia is very digital, you can get your licence and groceries online, and when the Russians launched a denial-of-service (DDoS) attack they were very successful. The Russian government uses the hacker community as assets; a blunt tool. Anyone in a conflict with Russia may have to deal with hacker sympathisers.”

Beyond cyber-vandalism, espionage is a key concern. “China is very public about it,” Howard says. “They even recruit by holding cyber-competitions, offering invitations to go on intensive 30-day information warfare courses. The US government is so worried it launched operation ‘Byzantine Foothold’, and is spending billions trying to close holes in its network.”

And while Howard believes cyber terrorism is more likely to be an appendage to a future attack than the sole modus operandi, Islamic extremists are certainly using computer crime to fund their activities and, continuing the parallel to legitimate businesses, are outsourcing some of their malware development to Russia’s renowned experts.

High gain, low pain

For hackers, the risk is low and the potential financial gain is huge. VeriSign security consultant, Jonathan Care, says hackers are increasingly “serious, organised and showing monetary intent” – while the risks to them remain marginal.

“I was talking to one, and his preferred method was to go to Morocco, buy a 3G card and sit in a café and run [malicious apps] from there.”

In contrast, the risk for companies is high and the losses potentially devastating. Reams of compliance legislation aimed at protecting sensitive data from exploitation “has seen the information security group shift into doing more risk management work,” says Howard Schmidt, president of the Information Security Forum and former chief of security of both Microsoft and eBay. “Information security is no longer a technology problem, it’s a business problem. I think we finally recognise that.”

“When eBay opened PayPal operations in the UK, the FSA required me to sign on the dotted line, validating that my systems were secure and we were following best practices. That was pretty scary – I enjoy many things, but [the prospect of] going to jail is not one of them.”

Increasingly, says Schmidt, “information security is being baked into infrastructure. System integrators and big companies providing ICT services no longer build something and bolt security on afterwards.” But that doesn’t address the security of legacy systems and an “ICT system built on a house of cards.”

“Banks in Africa and the Middle East are picking up technology we no longer need that was not designed for a high-threat environment. As they become more affluent, we then need them to be secure – in the case of the financial system, we have a tremendous investment in making sure they become secure,” Schmidt says.

He is also concerned about emerging platforms, particularly the mobile devices he says are gaining all the functionality of a PC without the security.

“The bad guys know it and they are talking about it. We’re downloading things freely on mobile devices, but how do I know a game I downloaded is not keystroke logging?” he asks.

A final trend is the security industry’s shift from a ‘blocking’ model to an ‘enabling’ model, a trend driven by the realisation that security, while important, remains subservient to business objectives and the need to empower employees and customers rather than inhibit them.

Sophos CEO Steve Munford says this pragmatic realisation demands an industry-wide rethink, and “a policy framework that recognises you cannot be completely secure.”

“All too often [businesses] look at limiting the rights of employees and locking them down. The reality, particularly in Web 2.0, is that if you limit them you limit the pool of [intellectual] capital you can draw on and stifle creativity. It is important to educate employees about good practice and have safeguards in place if they do have an incident, to catch it and stop it affecting the business.”

“You can get too fearful,” agrees Howard. “[Cyber criminals] are not super-human, and we can put the processes there to protect organisations. I think we’ll get there.”
