
Thursday, 23 February 2012

Cyberespionage attacks shine harsh light on security technology failures

The phenomenon of hackers accomplishing corporate espionage over the web is hardly new. But even the most hardened, cynical observer of information security would raise an eyebrow at the volume of information leaving corporate networks today. Researchers, experts and vendors report thousands of information loss incidents because of cyberespionage, and the attacks do not discriminate by industry. Hospitals, banks, government agencies and mom-and-pop stores are losing data to organized criminals and state-sponsored thieves operating online; the problem shines a harsh light on the failure of signature-based defenses, difficulties in attributing attacks, and the shortcomings of coordinated response.

It almost appears like they're giving up, that they are already hit. They're scrambling to lay defenses in place, and do not know they're hemorrhaging data.

 Jeff Bardin, chief intelligence officer, Treadstone 71

“In most cases, organizations still operate in see-detect-and-arrest mode, meaning it's still all about after-the-fact response,” said Jeff Bardin, chief intelligence officer for security consultancy Treadstone 71. “We are in this sort of mode that the past two years, many of the major [security] positions hired in organizations are incident response. It almost looks like they're giving up, that they are already hit. They're scrambling to position defenses in place, and do not know they're hemorrhaging data.”

News of mastercard and private information breaches fails to shock any longer. The industry is enthusiastic about tales of China attacking major corporations with sophisticated, persistent attacks that exfiltrate intellectual property by the gigabyte. Nortel is the latest high-profile victim. The Wall Street Journal recently reported the company had been losing data to hackers using a server in Shanghai. The group had access to Nortel's network for more than a decade, and one U.S. intelligence official told the Journal the attack was typical. “If I'm looking to get a jump on my R&D,” he said, “that's a good way to do it.”

Nortel, once a giant in switch making and telecommunications, has been selling off parts of its business for the last few years, and is now essentially out of business. It's not alone as a victim. RSA Security's loss of the seed keys for its SecurID authentication tokens cost the company a reported $63 million to repair in terms of manufacturing upgrades and token replacements. The company has spent the better part of a year repairing its relationships with customers and next week hosts the security industry's largest annual conference, RSA Conference 2012. While still a thriving business, RSA demonstrated that even what are supposed to be hardened targets can fall.

Why?

It's easy to blame the technology companies, but it's also your own fault for not testing what you buy and terminating the deal if it doesn't work.

Dave Aitel, founder, CTO, Immunity

Experts continue to preach that companies should allocate security resources according to the latest threats and adversaries. Enterprises should classify their most sensitive assets and secure those to the hilt. Yet for too long, experts said, companies are stuck in an endless cycle of protecting perimeter machines, updating servers and endpoints with the most recent Microsoft and Adobe patches, and largely hiding in the weeds praying they're not the next Nortel or RSA.

“Companies have been in business a long time and have invested in infrastructure over the past 20 years. For them to change is an extremely long process and it has to be driven from the top,” said Dave Aitel, founder of security company Immunity, and a former NSA research scientist and @Stake consultant. “You don't see companies on their own discovering things they need to invest in, unless they get hit. Are companies taking proactive strategies against current cyberespionage attacks and abandoning technology that doesn't work? When they're forced to, yes. It takes an incident to change a company.”

In the meantime, attackers are exploiting vulnerable systems and also exploiting security strategies reliant on signature-based defenses such as antimalware and intrusion detection that experts said cannot keep up with the dynamic nature of malware development.

“It's easy to blame the technology companies, but it's also your own fault for not testing what you buy and terminating the deal if it doesn't work,” Aitel said. “Attacks are the test.”

And most times, attacks succeed. The situation is worsened because it's difficult to attribute attacks to their source. Attackers are nimble at covering their tracks and aren't noisy once inside corporate networks. While the Department of Defense would want to know the origin of an attack, a midmarket company losing data might be interested in just choking off a hacker's access.

“If you can attribute back, how far back in the kill chain do you want to go? Do you want to move from active defense to offensive counter intelligence and cyberactivities?” Bardin asked. “You don't want to stand in the ring and take punches any longer. You're going to want to start throwing some. But how legally do you do this? Lots of organizations don't have the stomach, capabilities or awareness to do such a thing. They have to change their behaviors if they want to survive.”

Bardin suggests that companies understand their own attack surface by monitoring social networks for details posted about the corporation or individuals that could be used against the organization in an attack. This reconnaissance is similar to what attackers do to prepare for a targeted strike against an enterprise or government agency. Eventually, Bardin said, the industry needs to move from defensive and detective technologies and services to preventative and predictive technologies that look at patterns and help figure out an attacker's next move.

“You can take these nuances and build it into your defensive posture,” Bardin said. “You come to a point when everyone wants to evolve their security environment. In some cases, you must take revolutionary steps. In certain cases, you blow it up and rip out stuff that isn't working and ask: Are we getting enough bang for our buck? Or are there better solutions we will be able to put in place?”
