IT Security – State of Play Update for October 2014

New technology initiatives such as cloud computing, mobility and BYOD are designed to reduce the cost of doing business; however, the security sector sees a widening gap between the ever-growing complexity of connected devices and the ability of the security team to secure the environment and to quickly detect and resolve incidents within the business. Old technologies, used for decades and deeply embedded in the most important security controls, are now proving to have massive security holes (think Heartbleed, Shellshock, Cupid), reducing the security team's confidence that these controls are hardened. Through diffusion of responsibility, vendors assume that the code has been thoroughly checked, when it appears this is not the case.

Currently IT Security Professionals are losing the battle

Thousands of hostiles, from script-kiddies to APTs, attempt to breach the security perimeter of a business every minute. The attacker needs only one attempt to succeed; the security team must succeed 100% of the time, which is not possible.

The latest Unisys report [4] states that 67 percent of respondents say their companies have had at least one security compromise that led to the loss of confidential information or disruption to operations over the last 12 months. Twenty-four percent of respondents say these compromises were due to an insider attack or negligent privileged IT users.

Reading reports of how businesses dealt with vulnerabilities such as Heartbleed and Shellshock highlights that most businesses are ill-prepared for a major security attack, especially when the ability to detect and remove the vulnerability relies on third parties such as vendors and outsourcing arrangements.

Additionally, earlier this year Arbor Networks released the results of a survey [8] indicating that one in three businesses has no incident response plan.

Bruce Schneier, in a keynote at the IP Expo Europe conference [9], suggested that incident response is failing. He proposed that business should look at the OODA loop (observe, orient, decide, act), a strategy developed by the US armed forces for air combat, as an effective approach to incident response.

Of more concern is the speed to release: malware exploiting a newly disclosed issue can be created in hours, if not minutes, which instantly places a business in a vulnerable state until a patch or mitigation can be provided by the security team and/or the vendor.

Cybercrime is a business – and a bloody good one

The cybercrime network is now a business following the same organisational structure as legitimate businesses. High-value targets are identified, scanned for vulnerabilities, and custom-made attacks are designed solely for that target. Other criminals invest in broad attack vectors for maximum ROI: malware such as ransomware, and building botnets to be rented out for DDoS, are a focus.

A business also has internal threats to worry about: disgruntled employees who see an opportunity to sell company IP or to help criminals breach security.

The 2014 Internet Organised Crime Threat Assessment (iOCTA) report [7] provides more detail on the growth market that is Cybercrime-as-a-Service (CaaS) [6], including the growth of the supporting supply chain for cybercriminals: customer support for blackhat software, custom malware design and creation, bug fixes released on a schedule, bullet-proof hosting, virtual currency services, hackers and developers for hire, and CaaS investment opportunities.

Trust in Open Source is eroding

A critical zero-day vulnerability discovered in Mozilla's popular Bugzilla bug-tracking software [5], used by hundreds of prominent software organisations, both private and open-source, could expose sensitive information, including the unfixed vulnerabilities of those software projects, to attackers.

The common claim that open source is safer because everyone can look at the code is showing cracks. Diffusion of responsibility is very much alive: everyone assumes someone else is reviewing the open source code.

Trust in business to protect their data is also eroding

The public's trust that businesses can protect their personal data is eroding rapidly after well-publicised breaches of millions of customers' personal data at Adobe, Target and others [2]. A breach that the public is made aware of can damage the business's bottom line, as many customers stay away for fear of further breaches of their personal data.

Resources

1. PwC’s Global State of Information Security Survey 2014 Report

http://www.pwc.com/gx/en/consulting-services/information-security-survey/index.jhtml

2. Cisco 2014 Annual Security Report

http://www.cisco.com/web/offer/gist_ty2_asset/Cisco_2014_ASR.pdf

3. Project SHINE (SHodan Intelligence Extraction)

http://www.securityweek.com/project-shine-reveals-magnitude-internet-connected-critical-control-systems

4. Critical Infrastructure: Security Preparedness and Maturity report

http://www.unisys.com/insights/critical-infrastructure-security

5. Open Source is not safe by default

http://thehackernews.com/2014/10/zero-day-in-bugzilla-exposes-zero-day_6.html

6. Cybercrime-as-a-service the new criminal business model

http://www.scmagazineuk.com/cybercrime-as-a-service-the-new-criminal-business-model/article/374124/

7. The 2014 Internet Organised Crime Threat Assessment (iOCTA) report

https://www.europol.europa.eu/sites/default/files/publications/europol_iocta_web.pdf

8. Arbor Networks Survey Findings

http://www.scmagazineuk.com/1-in-3-businesses-have-no-incident-response-plan/article/338644/

9. Bruce Schneier – keynote at the IP Expo Europe

http://www.scmagazineuk.com/bruce-schneier-incident-response-is-failing/article/376260/