
March 2015: The Rise of Cyber Attacks and Threats – A Security Conversation

March 24, 2015

“…in the last few weeks, typical technology columns on major news networks, which cover major technology trends and news, were instead flooded with news of cyber attacks, threats and vulnerabilities….welcome to a world less safe everywhere you look…”

CYBERSECURITY NEWS HEADLINES

Of late, I have noticed that few days pass by without some major cyber security incident or development, and many get headline news coverage.  We are already familiar with the security attacks and breaches reported at Anthem, Sony, Target, Home Depot, JPMorgan, and many more.  Yet, just in the last few weeks, typical technology columns on major news networks, which normally cover major technology trends and news, were instead flooded with news of cyber attacks, threats and vulnerabilities.  These are some of the headlines found in columns covering technology trends in just the recent weeks:

  • “Welcome to a World Less Safe Everywhere You Look”
  • “U.S. creates new agency to lead cyber threat tracking”
  • “Cyber attacks top US threat list”
  • “JPMorgan Goes to War (with Cyber Security Team)”
  • “(Singapore) Government to set up Cyber Security Agency in April”
  • “Spying Campaign Bearing NSA’s Hallmark Found Infecting Thousands of Computers”
  • “Sim card firm confirms hack attacks”
  • “FBI Puts $3 Million Bounty on Russian Hacker Tied to Heists”
  • “Samsung hit by latest smart TV issue”
  • “Account data stolen in TalkTalk hack”
  • “China ‘drops US technology firms’ (from China’s official list of approved products)”
  • “Lenovo victim of cyber-attack”
  • “FBI Is Close to Finding Hackers in Anthem Health-Care Data Theft”
  • “Intuit Denies Putting Profit Before TurboTax-User Security”
  • “Malicious Emailers Find Healthcare Firms Juicy Prey”

BOARD & EXECUTIVE MANAGEMENT RESPONSE

This is a very disturbing trend.  Many senior executives and board directors are at a loss as to how they can effectively respond to this “new” challenge.  For sure, this is by no means “new”.  Yet, the pace at which new attacks are hitting corporations, together with their destructive effects and negative publicity, is making senior executive management and board directors extremely nervous.

Most senior executives and board directors have very limited or no understanding of what is seen as the technical nature of cyber security threats.  Yet, cyber threats are no more difficult to understand than many of the requirements in the Dodd-Frank Act; the Comprehensive Capital Analysis and Review (CCAR) stress testing, modeling, estimation of PDs and LGDs, and other such complexities are equally if not more complex than cyber threats.  Once we remove the fluff of complexity that many specialists like to throw at the less informed senior executives and board directors, things become a lot more comprehensible.  We just need to learn how to connect the dots.  Pleading ignorance and incompetence will no longer suffice.

While senior executives and board directors are not expected to know all the technology details surrounding cyber threats and security, “sufficient” education is needed so that they can discharge their oversight and management responsibilities effectively, or at least meet the basic fiduciary expectations of stakeholders, especially regulators.  Given the massive deployment of all sorts of technologies in today’s enterprises, it will indeed be hard to even know where to start looking.  Basic education, internal controls and processes (e.g. password management, segregation of duties, etc.) are important, but they will not adequately cover what is needed for the threats that enterprises face today.  Beyond those basic controls, it is important to look at the current state of security exploits.

SECURITY EXPLOIT THEMES

Many security providers have good frameworks and methodologies to address these challenges.  It is worthwhile, though, to point out some key thoughts from recent cyber-security research.  The recently released HP Security Research Cyber Risk Report 2015 identified several key themes that are helpful in understanding today’s cyber security threats, and areas that everyone needs to keep a lookout for.  Below are comments extracted from that 2015 Report on the key themes found in HP’s studies, with some of my thoughts and edits:

Theme #1: Well-known attacks still commonplace

Attackers continue to leverage well-known techniques to successfully compromise systems and networks.  Many of the vulnerabilities exploited took advantage of code written many years ago; some are even decades old.  Attackers continue to leverage these classic avenues for attack.  Exploitation of widely deployed client-side and server-side applications is still commonplace.  These attacks are even more prevalent in poorly coded middleware applications, such as software as a service (SaaS).  While newer exploits may have garnered more attention in the press, attacks from years gone by still pose a significant threat to enterprise security.

Suggested Action:  Businesses need to employ a comprehensive patching strategy to ensure systems are up to date with the latest security protections to reduce the likelihood of these attacks succeeding.

Theme #2: Misconfigurations are still a problem

Many vulnerabilities reported were related to server misconfiguration. Access to unnecessary files and directories seems to dominate the misconfiguration-related issues.  The information disclosed to attackers through these misconfigurations provides additional avenues of attack and allows attackers the knowledge needed to ensure their other methods of attack succeed.

Suggested Action: Regular penetration testing and verification of configurations by internal and external entities should be performed to identify configuration errors before attackers exploit them.

Theme #3: Newer technologies, new avenues of attack

New technologies bring with them new attack surfaces and security challenges.  This past year saw a rise in the already prevalent mobile-malware arena.  Even though the first malware for mobile devices was discovered a decade ago, 2014 was the year when mobile malware stopped being considered just a novelty.  Connecting existing technologies to the Internet also brings with it a new set of exposures.  Point-of-sale (POS) systems were a primary target of multiple pieces of malware in 2014.  As physical devices become connected through the Internet of Things (IoT), the diverse nature of these technologies gives rise to concerns regarding security, and privacy in particular.  Even as we look at new technologies, we must not forget older technologies that are still used pervasively.  Many of these have very basic and structural failures and loopholes, like hardcoded passwords, etc. which leave them extremely vulnerable.

Suggested Action: Enterprises should understand, and know how to mitigate, the risks being introduced to a network prior to the adoption of new technologies.  Enterprises should also take stock of older technologies, understand the vulnerabilities these might pose, take the necessary mitigating measures to remove as many vulnerabilities as possible, and mitigate residual risks as needed.
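Themes #2 and #3 above both come down to things a configuration review can catch: unnecessary files and directories left reachable, and credentials hard-coded in plain text.  The script below is an added illustration of such a check, not code from the HP report or from this post; the configuration it reads is a constructed, simplified key/value and `location` format (not any real server’s syntax), and the sample values are made up.

```python
"""Audit a simplified server/app config for two misconfiguration classes:
exposure of unnecessary files or directories, and hard-coded credentials."""
import re

# Constructed sample config (simplified, not a real server's syntax).
SAMPLE_CONFIG = """
server_name shop.example.internal
autoindex on
location /backup/ allow all
location /.git/ allow all
db_user = app
db_password = Summer2014!
api_key = ${API_KEY}
admin_password = ENC(AES256:placeholder-ciphertext)
"""

# Paths that should not be served to anonymous clients.
SENSITIVE_PATHS = (".git", ".svn", "backup", ".env", "phpinfo.php")
# Keys whose values are credentials.
CRED_KEY = re.compile(r"(pass(word)?|secret|api[_-]?key|token)", re.I)
# Values that reference an env var, a vault or an encrypted blob are not literals.
NON_LITERAL = re.compile(r"^(\$\{.*\}|\$[A-Z_]+|ENC\(.*\)|vault:.*)$")


def audit_config(text):
    """Return a list of (line_no, category, detail) findings."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Directory listing enabled: exposes whatever is in the tree.
        if re.fullmatch(r"autoindex\s+on", line, re.I):
            findings.append((n, "directory_listing", line))
            continue
        # Sensitive path explicitly opened to everyone.
        m = re.match(r"location\s+(\S+)\s+allow\s+all", line, re.I)
        if m:
            if any(s in m.group(1) for s in SENSITIVE_PATHS):
                findings.append((n, "exposed_path", m.group(1)))
            continue
        # Credential key with a literal value (env/vault/encrypted refs pass).
        m = re.match(r"([\w.-]+)\s*=\s*(.+)$", line)
        if m and CRED_KEY.search(m.group(1)):
            value = m.group(2).strip().strip("\"'")
            if not NON_LITERAL.match(value):
                findings.append((n, "hardcoded_credential", m.group(1)))
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Run on the sample, it flags the directory listing, the two exposed paths and `db_password`, while the environment-variable and encrypted values pass.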

Theme #4: Gains by determined attackers

Attackers are persistent and use both old and new vulnerabilities to penetrate all traditional levels of defenses.  They maintain access to victim systems by choosing attack tools that will not show on the radar of anti-malware and other technologies.  In some cases, these attacks are perpetrated by actors representing nation-states, or are at least in support of nation-states.  In addition to the countries traditionally associated with this type of activity, newer actors such as North Korea were visible in 2014.

Suggested Action: Network defenders should understand how events on the global stage impact the risk to systems and networks.

Theme #5: Cyber-security legislation on the horizon

Activity in both European and U.S. courts linked information security and data privacy more closely than ever.  As legislative and regulatory bodies consider how to raise the general level of security protection in the public and private spheres, the avalanche of reported retail breaches in 2014 spurred increased concern over how individuals and corporations are affected once private data is exfiltrated and misused, as in the Anthem, Sony and Target incidents.

Suggested Action: Companies should follow developments and stay up-to-date on new cyber security and related legislation and regulation. These, among other things, will impact how companies must monitor their assets and report on potential incidents.

Theme #6: The challenge of secure coding

The primary causes of commonly exploited software vulnerabilities are largely facilitated by defects, bugs, and logic flaws.  Security professionals have discovered that most vulnerabilities stem from a relatively small number of common software programming errors.  Much has been written to guide software developers on how to integrate secure coding best practices into their daily development work.  Despite all of this knowledge, we continue to see old and new vulnerabilities in software that attackers swiftly exploit.

Suggested Action: It may be challenging, but it is long past the time that software development should be synonymous with secure software development.  Management should insist that third-party products/services used, and internal software developments, have this as a key requirement, and that the developers concerned demonstrate how this requirement has been met.  While it may never be possible to eliminate all code defects, a properly implemented secure development process can lessen the impact and frequency of such bugs and exploits.

Theme #7: Complementary protection technologies

In May 2014, Symantec’s senior vice president Brian Dye declared antivirus dead and the industry responded with a resounding “no, it is not.”  Both are right.  Mr. Dye’s point is that AV only catches 45 percent of cyber-attacks—a truly abysmal rate.  The 2014 threat landscape shows that enterprises most successful in securing their environment employ complementary protection technologies.  These technologies work best when paired with a mentality that assumes a breach will occur instead of only working to prevent intrusions and compromise.

Suggested Action: By using all tools available and not relying on a single product or service, defenders place themselves in a better position to prevent, detect, and recover from attacks.

CONCLUSION

Cyber attacks will continue, and many corporations are starting to take cyber security a lot more seriously.  In part, this points to the need to catch up on the past’s lack of attention to something as fundamental as the security of the enterprise technology infrastructure, including third-party solutions and outsourced services.

Technology deployment will continue to occur at lightning speed.  Controls and security cannot be allowed to fall behind.  In the pursuit of new revenue channels and greater profits through the exploitation of new technologies and solutions, senior executives and board directors need to be cognizant of the “industrial strength” of these products and solutions.  Technology and solution providers must be held accountable for delivering products and services that meet requirements.  While it is true that we can never plug all security holes, many of the current attacks and breaches are made possible by basic failures, program bugs, and sloppy programming methods.  Holding third-party providers accountable for more secure solutions, and ensuring internal teams bolt down systems through proper configurations, along with basic internal controls and security practices, will go a long way to minimize loopholes and points of attack.  Having said so, this will be a long process that will require transformational changes across the enterprise, especially in the development and deployment of technology solutions.  Above all, we must not forget that the people issue, which we did not touch on here, will be the weakest link.  Education, awareness, and cultural changes will be needed to help enterprises more effectively protect themselves against the rise of cyber attacks.

Steven P. Lee, Global Client Consulting
