In-Depth
A New Age in IT Security
Cyber attacks are increasing at an alarming rate, forcing IT to rethink protecting systems.
More on this topic:
An alarming increase in reported cyber attacks this year is extending the onus on IT pros to once again step up efforts to protect their infrastructures. While attacks have escalated routinely over the past several decades, they've also increased in frequency, intensity and sophistication, leading to heightened awareness and concern. That's raising the bar for how businesses and government agencies need to respond.
Major banks, media outlets, government agencies -- including those in law enforcement -- and other organizations have sustained unprecedented penetrations, many since the beginning of this year. Intruders have ranged from criminals seeking big paydays to activists looking to make a point to state-sponsored probes of the critical infrastructure of the United States.
The increased incidents reached the point in March when the intelligence community declared cyber attacks have supplanted terrorism as the leading threat to the nation's security, in part due to recent revelations that many of these attacks represent government efforts originating in China, Russia, Iran and North Korea.
"The volume of attacks is still on a multiplicative growth curve, and spans all forms of enterprise targets, from small law firms in Silicon Valley to Fortune 50 financial institutions, and every branch of government: from city government offices to the DoD [Department of Defense]," says Simon Crosby, theone-time CTO of Citrix Systems Inc. and founder of XenSource, and now cofounder and CEO of security software firm Bromium Inc.
Like many providers, Bromium is tackling the increased proliferation of attacks in a novel way by offering a specialized hypervisor for the client device. Experts agree traditional forms of defense like firewalls and anti-malware, which many still rely on, are no longer enough to combat today's escalating threats.
"The threats that exist today are getting through many of today's existing security controls," warns Gartner Inc. analyst and Research Director Lawrence Pingree. "Advanced threat protection appliances that leverage virtual execution engines as a petri dish for malware are most effective to deal with the latest threats. Also, organizations must continue to upgrade their endpoint protection suites. The antivirus they bought several years ago is not the same as it is today."
The cyber threat issue has grown so intensely that the U.S. government has stepped up its efforts to fight back. In February President Barack Obama sidestepped Congress and issued an executive order mandating policies aimed at defending against attacks and espionage by, among other things, encouraging better communication between the government, businesses and those managing key Internet infrastructure.
"We know foreign countries and companies swipe our corporate secrets," Obama said in his annual State of the Union address. "Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy."
Worst DDoS Attack Ever
This shift in the philosophy of cyber criminals -- a change in focus from data theft to acts that shut down businesses -- was nowhere more in evidence than in the massive distributed denial of service (DDoS) attack that crippled the networks of Spamhaus, Cloudfire and European switching stations with an unprecedented 300Gbps load of traffic in March.
That attack was the result of a group angered by the fact that Spamhaus has effectively blacklisted any organization it finds to be a spammer, leading anti-spam systems to block them. While Spamhaus is often attacked, the latest was the worst DDoS on record.
"It's the largest DDoS ever witnessed," says Dean Darwin, senior VP for security at F5 Networks Inc. "Because it was so large there was certainly the potential for collateral damage for those adjacent to the attack. It's unique because of the amount of power they've been able to harness."
Despite the raised magnitude of attacks, Darwin warns they may just be the tip of the iceberg. "It's the kind of attack we're going to see a lot more of," he says, noting the massive Spamhaus attack is the latest data point showing the need for CIOs and CSOs to step up their game by providing application-level security to their systems.
Banks Targeted
Making matters worse, banks, including the nation's largest -- Bank of America and J.P. Morgan Chase -- as well as PNC, U.S. Bank and Wells Fargo, among others, have reportedly sustained massive and prolonged DDoS attacks. Back in September, the Financial Services Information Sharing and Analysis Center (FS-ISAC), which advises banks and brokerage firms, upgraded the threat level from elevated to high.
After several months, banks are still under attack, according to experts. While enterprises have suffered sporadic DDoS attacks for decades, most have lasted a few days or at most a week, says Dan Holden, director of the Security Engineering and Response Team at Arbor Networks Inc. "To go for months is unprecedented," Holden says.
The goal of DDoS perpetrators apparently isn't to steal insecure credit-card numbers in a database, learn corporate secrets or obtain blackmail material through employee e-mail. It's to cause mayhem and the total shutdown of operations against a specific target.
But is corporate IT, which has been primarily focused on waging war against data thieves, up to the challenge of defending against a different breed of cyber criminal?
Phil Lieberman, president and CEO of Lieberman Software Corp., doesn't believe so. "As with any type of addiction -- and this is to outdated security methods -- the first step is to acknowledge that you have a problem and want to address it," says Lieberman. "Many companies figure that they are immune or have nothing of value, so the threats to them are minimal or nonexistent -- [meaning], everything is nothing more than scare tactics of security vendors."
Lack of Planning
Keeping the data safe is just one key aspect in a comprehensive security plan -- another is having IT properly incentivized not only for uptime, but for the success in identifying and stopping a potential problem before it occurs.
So what can IT pros stuck in one security mindset do to change their thinking? Step one is to segment your security plan to target specific types of attack -- a one-size-fits-all strategy won't work.
"The fundamental difference between hackers who are trying just to show their muscles as cyber thieves [by] trying to get a financial advantage and governmental-sponsored attacks is in scale of operation," says Leonid Shtilman, CEO of Viewfinity Inc. "It's hard to believe that a group of two-to-three thieves could have developed Stuxnet [the computer worm used to attack Iran's nuclear operations]. IT organizations may be well armed to protect databases containing credit-card data, but at the same time will not be prepared for an attack on Group Policies, which will lead to damage to the global infrastructure."
New Approaches
It's one thing to identify where the problem is. It's another thing to address the problem. And facing the problems of today with the security tools of yesterday won't work. "Application control technology can play a significant hand in prevention of the latest attacks," says Gartner's Pingree. "Defense in depth and detect in depth are concepts that all customers should explore."
That's what Bromium thought when creating its analytics-based cyber defense weapon, Bromium vSentry, which the company describes as a specialized hypervisor designed to protect Windows PCs by automatically, instantly and invisibly isolating hardware from any untrustworthy event at the CPU level so that, when processing data or executing code from an untrustworthy source, this so-called "micro-VM" can't modify Windows or gain access to enterprise networks, systems and ultimately data. "When the user ends the task -- closes a browser tab or a document -- the micro-VM is discarded, automatically discarding all malware," Crosby says.
Cupertino, Calif.-based Bromium's vSentry is just one of many third-party tools emerging that are engineered not only with the capability to protect against known attacks, but that have a core focus to actively monitor the online landscape to protect against the malware of today and what will be engineered tomorrow.
Another is ThreatAnalyzer from ThreatTrack Security Inc., a company spun out of GFI Software in late March to focus on enterprise security. ThreatAnalyzer aims to use analytics to become more proactive in reacting to attacks. ThreatTrack CEO Julian Waits says because there's no such thing as a standard signature from a single antivirus product, many approaches to intrusion detection and intrusion prevention, as well as antivirus, are signature based. Customers of ThreatAnalyzer, formerly known as SandBox, receive a behavioral analysis of what's going on in a particular file.
"You can use that to create your own customized signature that you can basically put inside whatever perimeter tool you're currently using," Waits says. "That's the way our customers have been using it. They capture the behavior, [then] they create a signature that they place inside of Qualys or Rapid7 or whatever the tool happens to be that they use, or they use it for correlation purposes in ArcSight [from Hewlett-Packard Co.]."
For its part, F5, whose core business historically emphasized boosting application performance, now has a formidable security practice based on its BIG-IP portfolio. With its application security manager, application firewall manager, access policy manager and VIPRION application delivery controller (ADC), F5 has added intelligence to the application infrastructure to combat attacks.
Darwin argues the fastest traditional firewall under optimal conditions (without adding intrusion-protection systems and anti-malware) can ward off an attack at 500,000 connections per second. A recent DDoS attack on U.S. banks from Iran clocked in at 2 million. "Firewalls are out of the game before they ever started," Darwin says. "They just got blown out of the door."
With its high-end VIPRION 4480 ADC, Darwin says the F5 product can fend off 8 million connections per second. "We're coming out with solutions that double and triple that," Darwin says.
To be sure, networking and security companies of all sizes are doubling down as well, including AccelOps Inc., Alert Logic Inc., Barracuda Networks Inc., Cisco Systems Inc., Dell Inc., HP, IBM Corp., McAfee Inc., Palo Alto Networks, SolarWinds, Splunk Inc., Symantec Corp., Trend Micro Inc. and Websense Inc., among scores of others.
The problem, according to Shtilman, is that adopting new security tools takes both time and money -- two things that small to midsize enterprises may be unwilling to part with, especially when the financial cost, anticipated targets and the regularity of politically and idealistically based attacks are so hard to predict.
Further, those that do have the resources to devote to sabotage-motivated attacks must also continue to strengthen their resolve to counter what is still the top enterprise threat: data theft.
According to Shtilman, financially driven attacks focused on breaking into corporate databases are picking up steam faster than any other attack type.
Increased Data Loss
The number of breaches disclosed over the past two years has increased 40 percent, according to accounting firm KPMG LLP, which also found hackers penetrated 681 million records between 2008 and 2012. The report noted that 60 percent of all incidents reported were the result of hacking.
"The fastest-growing attack vector for enterprise attacks seems to be the use of stolen credentials, often acquired through spear-phishing campaigns, to gain access to protected networks," says Shtilman. "As several of the technical components of information systems have gotten more secure, attackers have shifted their focus to targeting the human link in these systems. [They] are finding it easier to trick people into giving them access to their credentials and using those to access networks than to find ways to sneak into those same networks without credentials."
Lieberman agrees, noting these attacks are still being exploited at high levels because of the success hackers are having with custom attacks against one-time targets. "Using inexpensive and plentiful labor as well as access to vast amounts of personal data in Facebook, LinkedIn and other sites, attackers can now create perfect e-mail attacks that allow the insertion of remote-control software," he says.
Address the Obvious
The best defense enterprises can take to limit the damage done by stolen credentials is to protect the ultimate target of the attackers: user passwords. This involves both making sure you reiterate to users the importance of strong, complex passwords and, according to the Sophos Ltd. "Security Threat Report 2013," making sure that the password database is hashed multiple times.
This sounds simple enough, and it's advice that's been handed down for decades. But how often have we heard after a major data theft at a large corporation that -- as in the case of Yahoo! Inc.'s data breach in the summer of 2012, where 450,000 passwords were stolen -- the passwords swiped were unencrypted? Experts say IT needs to step up and insist that lax passwords will not be tolerated regardless of the enterprise's size, especially because of the relative ease in securing those passwords.
The key for enterprise IT in today's threat landscape is balance. Continuing to solely focus on battling data loss while completely ignoring the chance of service disruption and sabotage attacks leaves a huge hole open in your network. And devoting all your time and effort to battling a new breed of enemy while fundamental data protection falls to the side will lead to disaster.