Thursday, October 7, 2010

Playing with Firewalls


Few senior business executives would need to have taken one of the Millennium Trilogy of bestselling novels by Stieg Larsson with them on holiday this summer to become fully aware of the threat of cyber crime.According to the Security Tracking Study carried out by the Ponemon Institute in August this year, 83% of multinational companies believe they have been the target of a cyber attack over the past 12 months. The research noted a 20.6% rise in attacks in the past year alone. PricewaterhouseCoopers believes 92% of firms have experienced a malicious security breach at some time.Once something that only governments and the military had to worry about, cyber attacks are on the rise in the private sector thanks to the increased use of internet-enabled devices in the workplace that has left companies vulnerable to a new breed of cyber criminals.
According to Alastair MacWillson, managing director of Accenture's security practice, cyber security has become a growing area of concern for clients. "Some of it is driven by hype, but a lot of it is genuine," he says.A decade ago, many hackers were motivated by the notoriety they could gain from creating and launching a successful virus. But today's cyber criminals are better resourced, more sophisticated and are much more difficult to track down. Mr. MacWillson says: "The internet is a great place to connect crime: It is shared and integrated, offering anonymity and lack of traceability."Dr. Stefan Fafinski, a visiting fellow at Oxford University's Internet Institute, says: "There has been a marked rise in targeted attacks. We can speculate that the economic downturn is giving rise to alternative forms of acquisitive crime."
It is also making cyber criminality much easier. Zeus Trojan starter packs can be bought online for around $700, allowing the buyer to create their own malicious computer program, or malware, which they can unleash on the internet. Some hackers are doing so for kicks; others for monetary gain.Greg Day, director of security strategy atMcafee, says: "Cyber crime is organized, from groups with religious purposes, to those targeting specific things within an organization." This can include sensitive company information such as employee data, financial accounts and customer details.
One of the most recent and notorious targeted attacks was Operation Aurora, which affected the likes of Google, Adobe and Microsoft. The attack was believed to have originated in China and was aimed at obtaining intellectual property.
In July, a number of high street banks in the UK were struck by the Zeus Trojan virus, which cannot be detected by traditional firewalls and security software. In under a month, almost £700,000 was stolen from 3,000 online customer accounts. This attack stemmed from cyber gangs in Eastern Europe"Many organizations are w orried, not just because of financial loss, but breach of privacy, loss of intellectual property and reputation", says Mr. MacWillson.
Security experts say that different methods can be used to compromise companies depending on the motive of the attackers. Aurora, which took advantage of a vulnerability in Internet Explorer 6, was classed as an Advanced Persistent Threat – a hacking attack aimed at gaining continual information. They tend to lie dormant for a while, perhaps even months, before they surface. Attacks like Zeus, however, are deployed mainly for financial gain. They are designed to spread quickly and cause as much damage as possible.
One of the main reasons why businesses have become more vulnerable is the proliferation of new technologies and the growing dependence on IT. Businesses are moving away from the linear and static IT infrastructure and are becoming more flexible with different methods of computing.
"The distinction between business and home computing is becoming blurred, which is making businesses vulnerable," says Dr. Fafinski. Attackers are taking advantage of this, mainly through client-side software. He adds: "The vulnerabilities in applications greatly exceed those in Operating Systems and have been exploited in the past as a means of compromising access."
Applications like Adobe Flash, PDF or Internet Explorer are frequently targeted by attackers. According to the Symantec quarterly report for the Europe, the Middle East and Africa, the top web-based attack from April to June was related to malicious PDF activity, which accounted for 42% of total attacks.
Adobe is not alone, according to Mark Miller, director of Microsoft's Trustworthy Computing. He says: "There are thousands of applications development companies who are in competitive markets with limited resources and significant competitive pressures. In order to make revenue in that kind of environment, products have to be released quickly with more features. Therefore security is not the number one issue as, traditionally, applications haven't been a route for attack."
As businesses continue to incorporate new technologies and increase productivity, the opportunities for threats increase. Platforms like social networks, cloud computing and smartphones have all caught the attention of attackers. Marcus Alldrick, senior manager for information risk and protection at Llyod's of London, says: "Combining social networking and social engineering is also a growing risk. An attack like Aurora can identify employees of a large corporation and then socially engineer information from them."
Smartphone Threat
Mr. Day says: "The smartphone threat will take off at some point when they become more web-enabled". Research by Gartner suggests that by 2013, mobile phones will overtake personal computers as the most common web access device worldwide. Over half of employees download applications without considering the security implications. Attacking smartphones will enable criminals to gain access to company emails and documents.A more imminent threat than smartphones is cloud computing. According to Mr. Gartner, 20% of businesses will not have their own IT infrastructure by 2012. Companies have become more comfortable with handing over their data to third parties. While some cloud providers offer very high levels of security, the lack of control over company data can be disconcerting and the current absence of standardized regulation has deterred many businesses.
The average cost of an attack is $3.6 million according to Ponemon. In 2008, the Congressional Research Service announced that the economic global impact of cyber attacks on businesses had grown to over $226 billion annually. The most devastating being attacks on critical infrastructure.
But the loss of intellectual property and reputation that can result from an attack may have a even more devastating impact than a short-term monetary loss. Paul Bantick, a liability underwriter at Lloyd's insurer Beazley, says: "The better you deal with the breach, the less the liability down the road."
The consequences of an attack can be difficult to predict and handling the situation can be troublesome. The U.S. has a more sophisticated legal framework in place to handle cases of data loss. But besides Germany and Spain, Europe is still "catching up" according to Mr. Bantick. "The biggest damage if you lose client data is PR damage," he says. This has given rise to service-based insurance coverage with large excess amount to spend on public relations.
Data protection has therefore become a business issue and not just a technology concern. Research carried out by Accenture showed that 73% of organizations believe they have adequate policies in place to protect sensitive information, yet more than half have lost sensitive data within the past two years. And for over half of this group, data loss is a recurring problem.
While some attacks are targeted, most of the time, it is just bad luck. Employee negligence is one of the most common causes of security breaches. Advanced Persistent Threats can, for example, easily be deployed through infected USB memory sticks.
The challenges facing companies are as much logistical as they are financial. It will take a large firm a long time to roll out security measures, patch vulnerabilities and lock down all devices used for work purposes. Data is being shared across many platforms without standardized rules and regulations and the inconsistencies in legislation are being exploited by cyber criminals.
And yet, according to Accenture, only around 8% of organizations have good security in place. Businesses need to update security software, encrypt data and be aware of data flow.
But nothing is risk-free. Dr. Fafinksi says: "The problem is that new vulnerabilities are being created all the time and there will always be a window of opportunity for cyber criminals."

1 comment:

Anonymous said...

moja naložba [url=http://www.varcevanje.info]postopno varcevanje[/url]