Many organisations may have a false sense of security resulting from their investments in non-agile security tools and processes they have relied on for years. Yet firewalls, antivirus, intrusion detection systems (IDS) and intrusion prevention systems (IPS) are increasingly less effective as attackers leverage encryption and other innovative techniques to evade them.
Cybersecurity Trends for 2014
Following the well-publicized mass looting of data from Target Inc. in late 2013, most companies are devoting renewed energy to bolstering their cybersecurity measures. The awareness that digital information is at risk extends across businesses of all sizes as well as to private citizens, who have become much less complacent over the past year.
A sense of urgency about digital security is fueled not just by the widespread occurrence of data theft by hackers, but also by the ongoing concern for privacy issues driven by disclosures of extensive National Security Agency (“NSA”) information gathering.
In response to these threats, companies are taking a variety of steps, and the digital security industry is seeing strong growth and innovation. CRN has talked with security firms across the industry, and reports the following trends in 2014 surrounding data protection and cybersecurity.
- Enhanced use of encryption, and more careful attention to the maintenance and proper configuration of existing encryption systems, is one of the first lines of defense used to thwart would-be attackers.
- Increased scrutiny of internal data use is another common response to Target’s woes. Behavioral analytic technologies allow firms to monitor users within the company as well as end users, remaining alert for suspicious behavior that accompanies theft or attack with malware.
- Resistance to cloud technology is growing. While this area offers huge rewards for companies and end users in terms of efficiency and access, the security liabilities that accompany cloud technology create a drag on the speed with which many firms are willing to adopt it.
- Risk assessment and software analysis to screen for vulnerabilities is gaining a front seat at many organizations. Keeping software up-to-date to avoid known weaknesses and testing proprietary software for unnoticed vulnerabilities are both front-line defensive maneuvers that are receiving more attention in 2014.
- More destructive attacks that damage computer systems and stored data could become a problem, as political and cause-focused hacktivist groups target particular corporations or government sites.
- Rising levels of smartphone malware mean more security efforts directed to Android and other mobile platforms, as well as the individual apps businesses use to interact with their customers. Apps that were originally harmless but then changed ownership, much like the Chrome extensions Google recently pulled from its Play Store, pose a similar type of new threat.
- Old-fashioned phishing and hacking of individual users are gaining in popularity as cybercriminals seek access to account credentials, while avoiding sophisticated security measures.
- More sophisticated malware and better encryption of malicious code allow cyberattackers to evade virus detection and removal tools.
- Active defense is a relatively new concept in computer security that is garnering extra attention these days. The idea is to convince hackers that they have gotten into their target area, when they’ve actually been diverted and trapped in a shell where they can be easily identified and, in some cases, retaliated against.
- Following up on network threats is a necessity that requires manpower organizations don’t always have available. Active monitoring and maintenance by managed service providers and hiring forensics experts to respond to threats are two popular solutions.
- The end of the internet as we know it sounds extremely dramatic, but it may actually be a possibility. CRN says that “NSA surveillance revelations could cause the Internet to break up into ‘national segments,’ which would have serious consequences for the security industry,” according to Alex Gostev, who works researching security issues at Kaspersky Lab. As countries attempt to protect their sensitive government data and that of their citizens, new restrictions on foreign access may have serious impacts on security and the functioning of the system itself.
Data theft, damage to databases and other types of cybercrimes pose an immense threat to businesses and organizations of all kinds today. A successful attack can cost huge sums of money and destroy reputations, along with years of work. With so much at stake, it is imperative that leaders acknowledge and respond to the new and intensified threats of computer security flaws.
Senate Cybersecurity Report a Horror Story
Last week the Senate Homeland Security and Governmental Affairs committee’s minority staff released a 19-page assessment titled “The Federal Government’s Track Record on Cybersecurity and Critical Infrastructure.” Retiring Sen. Tom Coburn, R-Okla., sponsored the assessment. The footnoted assessment draws on more than 40 agency audits and inspector general reviews.
Coburn’s short and readable document supports its high-tech horror story with vivid, near-slapstick examples of bonehead stupidity and reckless laziness.
Slapstick and bonehead by “The Three Stooges” is comedy. Persistent, uncorrected cybersecurity errors by agencies handling extremely sensitive information are a scandal with the potential for tragedy.
By reputation, the Nuclear Regulatory Commission is a tech-savvy organization. When President Gerald Ford signed the NRC’s authorizing legislation, he said that licensing and regulating the civilian use of nuclear materials is a complicated job with “special potential hazards.”
Nuclear reactors must be protected from earthquakes, terrorists and cyberattacks on the computers monitoring their output. However, investigators discovered that the NRC “stored sensitive cybersecurity details for nuclear (power) plants on an unprotected” computer. Storing security data for reactor computers on a non-secure computer is beyond bonehead.
On to money. Regulating and ensuring the integrity of U.S. stock markets is a central function of the SEC.
However, the SEC “routinely exposed extremely sensitive” New York Stock Exchange computer network data, including cybersecurity methods and procedures. The 2013 hack on Target stores compromised customer data and financially damaged the discount chain. The NYSE is a bigger target than Target. Hacking the Big Board wreaks global financial damage. Bonehead security sloppiness at the SEC, the NYSE’s chief government regulator and policeman, gave hackers and terrorists the inside skinny on the market’s IT defenses.
The report damns the U.S. Army Corps of Engineers. Hey, Corps’ IT security is much worse than my pun. In January 2013, hackers penetrated Corps’ computers, filching a “non-public database” with information on “the nation’s 85,000 dams.” The data included assessments of “each dam’s condition, potential for fatalities if breached, (its) location and nearest city.”
These sensational examples of inexcusable IT malfeasance appear on the report’s introductory page. They reveal the compromise of sensitive regulatory data fundamental to each agency’s central regulatory mission. Though sensational, they are representative. Other agencies have similar horror stories, including the Department of Defense, Department of Energy, the IRS, NASA, the FDA and Homeland Security. Homeland Security has experienced numerous problems in its cybersecurity office and its component agencies. The IRS bleeds sensitive taxpayer information.
Sophisticated hackers are a constant threat to everyone — individuals, businesses and government agencies. However, IG investigators found that many government breaches involve exploiting “mundane weaknesses.” These include failure to install software patches and using weak passwords. Investigators often found passwords written on a worker’s desk right beside a classified computer.
The government has issued numerous directives. “The National Institute of Standards and Technology, the government’s official body for setting cybersecurity standards, has produced thousands of pages of precise guidance on every significant aspect of IT security. And yet agencies — even agencies with responsibilities for critical infrastructure or vast repositories of sensitive data — continue to leave themselves vulnerable, often by failing to take the most basic steps towards securing their systems and information.”
Lots of taxpayer money buys little cyberdefense. Since 2006, the federal government has spent at least $65 billion on computer and network security.
Despite the big bucks, security management, meaning security oversight and leadership to ensure oversight, is inconsistent. Sloppiness and boneheadedness undermine discipline and thoughtful vigilance.
This is a major national security scandal. It is time for the boneheads to roll.