Opening up an organisation without opening doors to new security threats
Published 17:34, 13 March 10
These days crime is paying. Cyber criminals are earning close to US$1 trillion annually, according to a recent report. It is big business. These criminals have evolved their skills and techniques to such an extent that they can breach the four walls of any company at will.
Today’s cyber attacks are well organised, sophisticated, and targeted, aimed at specific businesses or organisations seeking to steal valuable information for resale or fraudulent use.
The 2008 RBS WorldPay incident is a good example of such an attack. First, ATM account credential information was stolen from a hacked computer system, and then used to make counterfeit ATM cards. Then over a period of a few hours US$9 million was taken from 2100 ATMs in 280 cities across three continents, leveraging a well-organised group of cashers spread across the world.
This new breed of criminal congregates anonymously in underground chat rooms where they can find similarly minded criminals who have particular specialties useful for a particular heist. There are specialists who focus only on producing and supporting malware and various exploits such as phishing and those who offer resources for rent such as botnets or hackers.
After the data is stolen the cyber criminal will either sell the information to others who will monetize it through some fraudulent scheme or the criminal will directly attempt to cash it out.
Cashing it out involves another set of players, cashers, who then take their cut. The cashers recruit and organise mule bank accounts for wire transfers and the street-level cashers who withdraw cash from ATMs. With this loosely coupled and anonymous yet well-organised group of players, a cyber criminal can effectively attack an institution of any size, from the largest global bank to a local finance company.
So what are businesses doing to prepare for the day when they are singled out? For the most part, not enough. Businesses are complacent about the security risks they face, and that complacency is their biggest threat. Their energies are focused elsewhere: companies are heads down re-engineering their processes to remove latency and to collaborate openly with their partners and customers.
With this focus businesses are unwittingly introducing new risks into their environment that make it even more difficult to stop the highly sophisticated cyber threats of today. In this new open and collaborative world knowing who is on the network, what data they are viewing and what actions they are taking is essential.
But most companies lack this visibility, which leaves undetected risks to flourish: unknown users on the network going unchecked, unauthorised access, fraud and information leakage.
According to the 2008 BERR Information Security Breaches survey, 13% of large businesses had detected unauthorised outsiders on their network. However, US research conducted by Verizon Business suggests that far more organisations are oblivious to intruders on their network, and that when a data breach occurs it usually takes weeks to months to discover and is usually detected by third parties.
These alarming statistics point to the fact that most companies are flying blind when it comes to really knowing what is happening on their networks, data and applications. Add to that the fact that cyber criminals are both persistent and sophisticated enough to penetrate the perimeter defences of any company they put in their sights. This combination puts the assets and processes of these companies at serious risk.
So what are companies to do?
To thwart the efforts of the cyber criminal the key focus of companies must be on the rapid detection and response to these highly likely breaches.
The only viable solution to combat cybercrime is vigilant monitoring that delivers rapid detection and response to breaches. Cyber criminals leave digital fingerprints wherever they go.
These fingerprints show up in log files and netflows that can be collected and analysed, and specifically correlated against other log files (other fingerprints) to detect the telltale signs that something is amiss.
Enterprise threat and risk monitoring powered by SIEM (security information and event management) provides an automated early detection and response system. Only when rapid detection occurs on a regular basis will the cyber criminals move their attention to easier hunting grounds.
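As an added illustration of the correlation the article describes (not code from the article or any SIEM product), the following Python script correlates two constructed evidence sources: sshd authentication lines and netflow records. A successful login preceded by a burst of failures from the same source is a fingerprint on its own; a large outbound flow to that same source shortly afterwards is a second fingerprint that, on its own, a bandwidth graph would shrug off. Together they tell one story. The host address, log format, thresholds and window are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not from any real system): sshd lines from an assumed host 10.0.0.20
# and netflow tuples (timestamp, src_ip, dst_ip, bytes) as an edge router might export them.
AUTH_LOG = [
    "2010-03-12T22:01:05 sshd[411]: Failed password for admin from 203.0.113.7",
    "2010-03-12T22:01:09 sshd[411]: Failed password for admin from 203.0.113.7",
    "2010-03-12T22:01:14 sshd[411]: Failed password for admin from 203.0.113.7",
    "2010-03-12T22:01:20 sshd[411]: Accepted password for admin from 203.0.113.7",
    "2010-03-12T22:30:00 sshd[412]: Accepted password for alice from 10.0.0.5",
    "2010-03-12T23:10:00 sshd[413]: Failed password for root from 198.51.100.9",
    "2010-03-12T23:10:03 sshd[413]: Failed password for root from 198.51.100.9",
    "2010-03-12T23:10:07 sshd[413]: Failed password for root from 198.51.100.9",
    "2010-03-12T23:10:12 sshd[413]: Accepted password for root from 198.51.100.9",
]
NETFLOW = [
    ("2010-03-12T22:05:30", "10.0.0.20", "203.0.113.7", 850_000_000),
    ("2010-03-12T22:31:00", "10.0.0.20", "10.0.0.5", 12_000),
]
AUTH_RE = re.compile(r"^(\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)$")

def parse_auth(lines):
    """Turn raw sshd lines into (timestamp, outcome, user, source) tuples, ignoring lines that do not match."""
    out = []
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            out.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return out

def correlate(auth_lines, flows, fail_threshold=3, window=timedelta(minutes=10), byte_threshold=100_000_000):
    """Flag a success preceded by >= fail_threshold failures from one source within `window` (medium);
    escalate to high when a flow of >= byte_threshold bytes to that source follows within `window`."""
    failures = defaultdict(list)
    alerts = []
    for ts, outcome, user, src in sorted(parse_auth(auth_lines)):
        if outcome == "Failed":
            failures[src].append(ts)
            continue
        recent = [f for f in failures[src] if ts - f <= window]
        if len(recent) < fail_threshold:
            continue  # an ordinary login: no correlated evidence, no alert
        leaked = sum(b for fts, _, dst, b in flows
                     if dst == src and 0 <= (datetime.fromisoformat(fts) - ts).total_seconds() <= window.total_seconds()
                     and b >= byte_threshold)
        alerts.append({"user": user, "source": src, "login_at": ts.isoformat(),
                       "failures": len(recent), "bytes_out": leaked,
                       "severity": "high" if leaked else "medium"})
    return alerts
```

Running `correlate(AUTH_LOG, NETFLOW)` yields a high-severity alert for 203.0.113.7 (three failures, a success, then 850 MB out to it) and a medium one for 198.51.100.9 (same login pattern but no transfer), while alice's clean login produces nothing.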