I recently attended a very interesting seminar on Websense's 2015 Threat Report, titled “8 High-Risk Lessons.” As with many of the webinars and reports I have written about, Websense has security products it would like you to license, but the report itself provides important analysis of the current state of cyber attacks. I highly recommend that you read this 30-page report.
Websense, Inc., headquartered in Austin, Texas, is a global leader in protecting organizations from advanced cyber attacks and data theft. Behind those products is the analysis of up to five billion security event inputs every day from around the world. Their analysts interpret those events in the context of the attack activity and its potential impact.
My five key takeaways:
- Cybercrime is getting easier.
Cybercrime is a huge business with huge profits. As I reported earlier, the cybercriminals who engineered the Target attack received around US$53 million of income from that attack. The cybercrime industry provides an efficient marketplace to exchange tools and stolen information, and to get trained in the necessary skills. This is the age of MaaS, Malware as a Service, where a budding cybercriminal can rent an exploit kit for $800-$1,500 a month. In 2014, Websense tracked three times as many different exploit kits as in 2013.
- Cybercrime is constantly adapting.
Today’s cyber criminal is more likely to be attacking a class of users or systems instead of just throwing out a general attack. That may be a line of business, a specific application, an individual company or organization, or even a few employees in one department. If your IT department successfully defeated last year’s attacks, tell them “thanks” and remind them that this year’s attacks may be different. Many of today’s individual attacks are very small and therefore harder to detect. All the cyber criminal wants to do initially is gain a foothold, an entry into your systems somewhere. They then use that foothold to find exactly where your organization is most vulnerable or most valuable to them, and attack that specific server or group of users.
- The Internet of Things will make security even more interesting.
The Internet of Things is the exponentially growing number of gadgets that are getting connected to your home or office network, or to the Internet itself. Do you have a thermostat at home that allows you to monitor or change the temperature in your house from your cell phone? Then so can, potentially, anyone else. As a real example, consider a cyber terrorist who gains access to your office control system. They might lock the doors to your server room and deny access to anyone, then set the thermostat in the server room to 100 degrees. In a few hours you will have a pile of nonfunctioning servers, physically destroyed by someone a few feet or a few thousand miles away. The fear of BYOD (bring your own devices like smart phones or tablets) is justified, but maybe not for the reason you believe. Cyber criminals are not stealing information from the BYOD device itself, but using it to gain access to your internal corporate network.
- Don’t try to attack the attacker.
Some companies try to determine where the attack came from and attack them back. Bad idea. It will take a lot of time to determine the real source of the attack. The “obvious” answers are often false, because attackers route through a series of intermediate systems before the attack reaches you. I find the CSI and NCIS type of television shows entertaining, but not very instructive. There is no Nell and Eric who can track a cyber attack back to the originator in 4.5 seconds. Don’t waste your time and possibly attack an innocent party. Let law enforcement handle it, and cooperate with them.
- More focused attacks.
You may see fewer attacks in the future. Websense observed almost four billion security threats in 2014, down about 5% from 2013. Considering the serious breaches that made the news, and the even larger number that did not, the threats are higher than ever. You can bet that you will be attacked. If your IT department tells you that your company has never been attacked, be very scared. It more likely means that your IT department is not detecting the attacks.
Security is a distraction. The real task of your IT department is to make data readily available to your employees, your partners and your customers. IT wants to be the land of “yes!” Security tends to make it the land of “No!!” The trick is to set up your infrastructure and IT department to get as close to “yes” as you can while protecting the company’s and your customers’ assets.
As part of your annual internal user training on ethics and security, make sure you include how to detect and avoid phishing attacks and how to use Wi-Fi safely (and where not to even try). I personally receive 3-5 phishing mails a day from a set of seemingly related places telling me I have a commission payment, or there is a question on an invoice, or a friend has gifted me a book, program or some other item. Many of them have a “Go ahead and download it here!” link. Make sure your users know to always hover the mouse over the link first. This will display the actual URL. If it is not something the user recognizes, they should not click on it.
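The “hover first” check can also be automated on the mail gateway or in a training tool. The following is an added example, not code from Websense or from this post: it pulls every link out of an HTML message and compares the host named in the visible link text with the host the href actually points to, and it also flags links to bare IP addresses or executable downloads. The sample message, the hostnames under example-bank.com, the lookalike examp1e-bank.com, and the 198.51.100.7 address are all constructed for the illustration.

```python
"""Flag HTML e-mail links whose visible text does not match the real target.

Added illustration (not from the report or the post): the "hover over the
link first" advice, automated. Every <a> element is collected, and visible
text that looks like a URL or domain is compared with the href's host.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message, modelled on the "download it here" mails
# described in the post. All hosts and addresses are placeholders.
SAMPLE_EMAIL = """
<p>Your commission payment is ready.</p>
<p>View it at <a href="http://payments.example-bank.com/statement">payments.example-bank.com</a></p>
<p>Go ahead and <a href="http://198.51.100.7/dl/inv.exe">download it here!</a></p>
<p>Invoice question: <a href="http://login.examp1e-bank.com/verify">https://login.example-bank.com/verify</a></p>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently open, or None
        self._text = []     # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_of(s):
    """Return the lowercased host named by a URL or bare domain, or None
    when the string does not look like one (spaces, no dot, no host)."""
    s = s.strip()
    if " " in s:
        return None
    if "://" not in s:
        s = "http://" + s          # treat a bare domain as an http URL
    host = (urlparse(s).hostname or "").lower()
    return host if "." in host else None


def classify_links(html):
    """Return a list of (href, text, verdict) for every link in the message.

    verdict is one of:
      "ok"          text names the same host as the href, or is plain words
      "mismatch"    text looks like a URL/domain but the href goes elsewhere
      "raw-ip"      href points at a bare IP address rather than a named host
      "executable"  href path ends in an executable-looking extension
    """
    collector = _AnchorCollector()
    collector.feed(html)
    results = []
    for href, text in collector.links:
        href_host = _host_of(href)
        text_host = _host_of(text) if text else None
        path = urlparse(href).path.lower()
        if href_host and href_host.replace(".", "").isdigit():
            verdict = "raw-ip"
        elif path.endswith((".exe", ".scr", ".js", ".vbs", ".bat")):
            verdict = "executable"
        elif text_host and href_host and text_host != href_host:
            verdict = "mismatch"
        else:
            verdict = "ok"
        results.append((href, text, verdict))
    return results


def suspicious_links(html):
    """Only the links a user should be warned about."""
    return [r for r in classify_links(html) if r[2] != "ok"]


if __name__ == "__main__":
    for href, text, verdict in classify_links(SAMPLE_EMAIL):
        print(f"{verdict:10s} text={text!r:45s} href={href}")
```

Run against the sample, the first link is reported as ok (text and href name the same host), the download link is flagged for pointing at a raw IP address, and the invoice link is flagged as a mismatch because the visible text names example-bank.com while the href goes to the lookalike examp1e-bank.com. Plain-word link text such as “download it here!” is never treated as a host name, so it produces no false mismatch on its own.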
The last word:
Looking for a job in IT with a huge need, or do you have a child or grandchild thinking about the IT field? There is currently a worldwide shortage of skilled security practitioners, expected to grow to more than two million by 2017. It takes about eleven years of training and working in the field to become really skilled, but these skills are needed now and companies are hiring now to bring new people into this arena. I don’t see the need diminishing anytime soon.
Keep your sense of humor.