Although most companies are reluctant to publicly announce a cybersecurity breach, reports of attacks crop up in the news on an almost daily basis. In 2013, hacked organizations included Google and Facebook, Sony Pictures, Acer Europe, the US Public Broadcasting System, Fifth Third Bank, Ubisoft, the World Wildlife Foundation, Cambodia’s National Military Police ... even The New York Times.
The risk of being hacked grows daily. Companies are pushing online their product models, employee data, financial access and even the ability to control systems as sensitive as power plants and chemical facilities. They’re also allowing more people – employees, contractors, customers – to connect to the organization’s networks with a broad array of personal computing devices. It’s an irresistible mix for hackers fueled by a diverse set of motivations and goals. Just one small vulnerability – the wrong email opened by an unsuspecting employee, for example – will allow a patient hacker to plunder the back-end database and steal the organization’s most precious information assets. Experts agree that it’s not a question of whether your organization will be hacked. It’s a question of when.
SIZING THE THREAT
In March 2013, Trustwave, a Chicago, Illinois (USA) company that helps organizations respond to and remediate network intrusions, offered this sobering assessment: “During 2012, nearly every industry, country and type of data was involved in a breach of some kind.” Antivirus company Norton, meanwhile, estimates the cost of global cybercrime at US$388 billion, approaching the US$411 billion value of all global drug trafficking.
In 2012 alone, the 2013 Data Breach Investigations Report (DBIR), compiled by cellular data network provider Verizon with support from 18 public and private law enforcement and data-protection organizations worldwide, reported that 44 million records had been breached – and those were just the numbers it could validate; the actual figure probably is much higher.
The loss of data can have serious financial consequences for breached organizations. But the precise costs vary depending on the duration of the intrusion and what was stolen. Costs also fluctuate broadly based on the geographic location of the victim organization.
Regardless of the monetary damage from a breach, network intrusions are extremely disruptive events. “Whether the company is operating a chemical or nuclear plant or a financial organization or a healthcare facility, the impact of the breach is the same,” said Bala Venkat, chief marketing officer at Cenzic, a Web application security firm based in Campbell, California (USA). “Loss of confidential, sensitive data and financial assets, plus possible triggers to operational safety, would be primary impacts.”
Of course, the defenses needed to guard a doctor’s office from hackers are not the same as those required to deter espionage-intent nations from breaking into a chemical or nuclear plant. Any attempt to enforce a one-size-fits-all approach to securing assets may leave some organizations under-protected, while others potentially overspend, said Wade Baker, managing principal of RISK (Researching and Investigating Solutions Knowledge) intelligence at Verizon.
"During 2012, nearly every industry, country and type of data was involved in a breach of some kind."TRUSTWAVE
NETWORK-INTRUSION CONSULTING COMPANY
“Organizations need to ask themselves, ‘What kind of threat groups are going to attack me? What data do I have and who would want that?’” Baker said. “Once you have that assessment, it’s time to ask ‘What are the techniques I know of that those kinds of threat groups use?’ And that’s going to be a sort of funnel you can use to prioritize your efforts around the threats and vulnerabilities most likely to become an issue.”
THE HACKER’S DOSSIER
Even if hackers don’t want what the target organization is trying to protect, they exploit weakly secured systems as bases from which to launch attacks on more tempting targets – a bank, a nation’s electrical grid or a centrally controlled transportation system, for example.
The targets and tactics employed may change depending on the nature and motivation of the group behind it. DBIR found that organized crime gangs, for example, tend to target financial records and hardware resources that can be resold. Cyberspies, meanwhile, are generally after intellectual property and trade secrets. Hacktivist groups such as WikiLeaks aim to embarrass targeted organizations or expose a perceived or actual wrongdoing.
“We have seen that organizations must know who their enemies are and what motivates them to attack,” said Shahbaz Khan, manager for global response at the International Multilateral Partnership Against Cyber Threats (IMPACT), the Malaysian-based executing arm of the United Nations’ International Telecommunication Union (ITU). “If you can understand who would want to do you harm and what can be gained from such harm, you can better protect your company and your information.”
UP IN THE CLOUD
But what if your data doesn’t reside in-house? Cloud computing services that host customers’ data and applications on centralized-server farms are gaining popularity, in part because they hold the promise of helping organizations eliminate redundant infrastructure that is costly to maintain and secure. Cloud providers also cater to today’s more mobile workforce, allowing important projects and resources to be accessed and managed over the Internet from anywhere.
Many security experts have warned that moving data and projects to the cloud raises special security risks because it concentrates so many corporations’ data in a single location, an almost-irresistible temptation for attackers. Conversely, other experts compare cloud computing to storing your most precious assets in a bank’s vault instead of at home. “The bank is likely better armed than you to keep it safe because that’s its job,” said Guillame Lovet, senior manager of the EMEA threat-response team for Fortinet, a network security company based in Sunnyvale, California (USA).
Chris Pogue, director of digital forensics and incident response at Trustwave, said he hasn’t seen cloud services emerge as a major target of organized crime groups – at least, not yet. “We’re not seeing a lot of cloud-based breaches right now, but that doesn’t mean we’re not going to,” Pogue said. “I think it’s pretty early in the game to really see organizations get hit hard because of breaches in the cloud.”
That may change, Pogue said, as more companies move their data to the cloud. “Most of the hackers who would be interested in this stuff are looking for data they can quickly turn around and sell, and right now that’s just not (on the cloud) for the most part.”
THEY’RE IN... NOW WHAT?
If you’ve been hacked, all layers of protection provided by your security provisions have failed. At that point, the only way to detect an intrusion is to spot an anomaly, usually in the way the network or workstations behave or communicate. Some corporations at high risk employ security experts who comb network traffic in search of suspicious patterns that hint at hacker activity.
After a breach is detected, Fortinet’s Lovet advises that the first step is to pull the network plug. From there, he suggests identifying and isolating compromised systems so they can’t be used to attack or infect other systems.
“Then the job of forensics experts begins,” Lovet said. “It involves a lot of offline analysis of hard drives. Indeed, it makes no sense to simply analyze a compromised system from itself, since the system could provide false information on purpose.”
When you can’t keep invaders out, the trick to minimizing the damage from breaches involves preparing for them in advance and being ready to move quickly. Experts agree that a solid defense relies on multiple, overlapping layers of security technology, people and processes.
“If you have big secrets to protect, then you need more than one level of strong protection,” IMPACT’s Kahn said. “Any security system can break down, and you can’t afford to be without protection. If you can’t achieve this, then consider taking your valuable assets off the corporate network.”
Second, don’t settle for doing what everyone else does. “Following established ‘best practices’ is not enough to combat today’s threats,” Kahn said. “Do what is needed. Don’t follow the herd.”
Since Verizon began compiling information on security attacks nine years ago, it has documented 2,500 breaches and 1.1 billion compromised records.
Third, Kahn advises that corporations be imaginative. “Don’t be afraid to use controls that others ignore. For example, device authentication – based on trusted platform modules – is a powerful layer of control that is relatively easy to implement and manage, yet rarely exploited. It’s better to combine several less-thanperfect solutions than to aim for an ideal, single layer of security.”
Finally, Khan said, companies must develop and practice a catastrophe plan. “This is more than a conventional business-continuity plan. It’s a worstcase situation. It’s not about recovering from random outages. It’s about smart solutions for extreme situations and large-scale losses.”
Wim Remes, a managing consultant at IoActive, a software and hardware assurance firm based in Seattle, Washington (USA), believes that the most important cyber capability any organization can possess is the ability to rapidly shift into incident-response mode at any given moment.
“In any sizeable organization, there should be a cross-functional team that monitors and addresses threats and events, moving away from the ‘panic mode’ model that we witness all too often and engraining threat awareness into the process of conducting business,” Remes said. “Building this capability will enable an organization to shift quickly and with minimal impact on its key processes.”◆
Brian Krebs writes KrebsonSecurity.com, a daily news site dedicated to in-depth cybersecurity news and investigation. He is also the author of the upcoming book Spam Nation, which tracks the rise and fall of the greatest cybercrime empires ever built.
Alexandria, Virginia-based security consultancy Mandiant rocked the cybersecurity world in 2013 with its report chronicling seven years of hacking sponsored by the Chinese government bent on stealing corporate secrets. Mandiant reported that 150 organizations were broadly hacked, including The Coca-Cola Company and Lockheed Martin. The most shocking revelation: The group was just one of nearly two dozen Chinese teams besieging businesses worldwide. Richard Bejtlich, Mandiant’s chief security officer, said that about 40% of the global Fortune 1000 companies are targeted with advanced persistent threat (APT) attacks by some Chinese government-sponsored hacking team at any given time. “These guys are told, ‘Okay, here’s the mission and the type of information we’re after: Go out and find it,’” Bejtlich said. APT attacks involve tightly organized, focused hackers who often discover and leverage previously unknown software and hardware vulnerabilities to break into high-value targets. “It’s often a battle that can last years,” Bejtlich said. “When the target toughens up a bit, the APT groups will go in through a target’s business partner. After the partner closes the holes, the attackers may try to get in through some outsourced technology provider. If you end up the target of a nation-state or APT-level attacks, your board of directors has to understand that this will always be a problem for them.”
Alexandria, Virginia-based security consultancy Mandiant rocked the cybersecurity world in 2013 with its report chronicling seven years of hacking sponsored by the Chinese government bent on stealing corporate secrets.
Mandiant reported that 150 organizations were broadly hacked, including The Coca-Cola Company and Lockheed Martin. The most shocking revelation: The group was just one of nearly two dozen Chinese teams besieging businesses worldwide.
Richard Bejtlich, Mandiant’s chief security officer, said that about 40% of the global Fortune 1000 companies are targeted with advanced persistent threat (APT) attacks by some Chinese government-sponsored hacking team at any given time. “These guys are told, ‘Okay, here’s the mission and the type of information we’re after: Go out and find it,’” Bejtlich said.
APT attacks involve tightly organized, focused hackers who often discover and leverage previously unknown software and hardware vulnerabilities to break into high-value targets.
“It’s often a battle that can last years,” Bejtlich said. “When the target toughens up a bit, the APT groups will go in through a target’s business partner. After the partner closes the holes, the attackers may try to get in through some outsourced technology provider. If you end up the target of a nation-state or APT-level attacks, your board of directors has to understand that this will always be a problem for them.”
Read the complete 2013 Verizon RISK Data Breach Investigations Report: www.verizonenterprise.com/DBIR/2013