The Changing Threat Landscape
CSO - In covering the security threat landscape over the years, two fundamental issues have stayed constant. First, the threat landscape continues to evolve and gain sophistication. Second, attackers will always be a step ahead of the defenders in exploiting vulnerabilities across the spectrum of people, process and technologies. But what's different today is the motivation, methods and tools of these attacks: we're no longer fighting an individual hacker, but a highly organized, well-funded crime syndicate, and in some cases, even a state-sponsored agent.
Also see Kark's Building a business case for information security
As IT security professionals work toward building their high-performance security organization, it will be essential to consider the changing nature of the threat landscape. In particular:
Motivation: Gone are the days when hackers bragged about their latest exploits openly in underground newsgroups to gain fame and notoriety. Today, organized crime is not only involved in these endeavors but is also looking for big financial gains. Attackers will go after systems that store millions of records. Consider this stat: cybercrime costs the US economy $8 billion, according to US Congress reports, equivalent to the Bahamas' GDP.
Method: Unlike the visible attacks of the past, low and slow attacks are systematic and precise: the attackers can take months gathering intelligence on the target and then go after the weaknesses systematically, covering all traces of their presence as they penetrate the different parts of the environment. The ultimate goal is to modify the application in some way that gives them a consistent stream of revenue over a long time period--such as the infamous TJX breach.
Tools: The move from manual to automated attacks significantly increases the amount of information and context a machine can extract from unsuspecting users. For example, French researchers have developed an automated social engineering tool that uses a man-in-the-middle attack to strike up online conversations with potential victims. They were able to entice users to click on malicious links sent via chat messages 76% of the time. Add to this the ability of machines to crawl the Web and glean publicly available information about you, and the results can be astonishingly precise in penetrating through your defenses.
So what is the best way for CISOs to handle this changing landscape to compete with a new level of sophistication and rate of change in attack methods? Here are three key ways to manage the development process:
1. Invest in Your People Controls to Maximize Impact: There is no denying the fact that people are the most important control in any organization. And this year, 62% of IT decision makers are making "upgrading the security environment" a critical priority, according to Forrester's Q2 Global IT Budgets, Priorities, And Emerging Technology Tracking Survey. It's about time that the entire organization, especially management, take ownership of risk and become more involved with security decision making. Additionally, as companies expand the scope of security responsibilities, it is important to recognize that spending more on security does not mean better security. Some investments in information security will deliver much more value and mitigate much more risk than others. The application security area is one good example.


