The threats to a corporation's security are changing so quickly that it is difficult to determine what steps are required to ensure that a company is both secure and legally compliant. What are the most important risk factors that companies should address to ensure compliance and a security-hardened security posture?
While compliance and security are often used interchangeably in literature and in conversation, efforts to improve either security or compliance do not always converge. It is true that threats are changing rapidly as they always have. “Security” or trying to improve is an inherently adversarial activity, while compliance is focused on strengthening best practices around policies, data retention, privacy and the like. The pendulum of popular opinion swings back and forth regarding the value of security vs compliance initiatives. The truth of the matter is that both strong security initiatives and a strong underlying compliance regime are required to reduce risks in the corporate environment.
One of the most important risks in this context is one that is not frequently reported. When organizations focus all of their security efforts on the strict implementation of compliance standards, there is a danger that by focusing on the “letter of the law”, important trends in security are missed. Meeting compliance standards is really a trailing indicator of how secure an organization is. This is the case because compliance regulations are drafted based upon mistakes made by regulated companies and organizations. Compliance is the tide that raises all boats, but it does nothing to prevent a freak storm or rogue wave. What is required is the balanced implementation of legal protection through regulatory compliance and the implementation of strong security controls that extend protection beyond regulation.
Which threats are more pressing for enterprises? Do you think browser-based exploits are an area of concern?
The most pressing threat to enterprises is still the user. The use of general computing devices from desktops to smartphones introduces infinitely complex and variable risk to the enterprise. Users today have grown accustomed to treating corporate assets as their own, and in doing so will use corporate assets for personal activities. These activities often lead to the infection of corporate assets with increasingly advanced malware. And it is not just personal activities that lead to infection. Malware authors have changed tactics in the last 12-18 months to ensure that users can be infected when they visit legitimate sites as well.
The browser is not the main infection vector, email still takes the prize, but browsing is more risky because there are fewer controls, policies and educational programs in place to protect end-users. A recent worm infected thousands of web servers via an advanced application-layer attack and simply left malware on the servers. Whenever a user visited those infected servers, they were infected. There are very few defenses against these sorts of attacks, and traditional malware protection on the user endpoint is not up to the task.
How much money is being stolen by cyber criminals? Are they becoming better organized and more dangerous?
Cyber criminal organizations are similar to mafias or other well-known organized crime groups, and it is known that traditional organized crime groups are making inroads into cybercrime. However, cyber criminals are not generally family oriented and are not strict hierarchies. Cyber crime is more similar to a vast and decentralized black market. Market forces such as prices, competition, supply and demand are shaping cyber criminal markets just like they shape legitimate global markets. It is common for small groups or gangs to focus on one specific aspect of cyber crime and to offer their services for a fee to others. For example, many gangs offer specialized services such as printing holographic film for use on cloned/faked credit cards, and others have honed their skills to acquire vast numbers of American social security numbers for printing fake documents. The prices of these services rise and fall just like legitimate products and services in the open market. While there are individuals at the top of the pyramid making most of the money, many are not, which is the case in most international organized crime and illicit drug markets.
That being said, the danger and power of this market is growing. Figures indicate that more money is awash in these black markets than the total global security spend designed to stop them. In a war of attrition, the cyber criminals are better armed and better equipped.
Do you see a shift from mass-mailing worms to sophisticated targeted Trojan attacks with rootkits?
This trend has been at play for the last several years, but as we have seen recently, mass-propagation worms are still used and are still quite effective. Whichever attack or technique will yield a successful result at any given time will be favoured until it is no longer cost-effective. Cyber criminals are running their organizations like businesses now, so the same rules apply. I suspect that Trojans/rootkits and other targeted attacks will still be the weapon of choice for the time being because the defenses are still not up to par. It is still too easy for a Trojan to steal and re-use login credentials for an online bank. Rootkits are the focus of innovation for the underground community because they are more difficult to detect and even more difficult to remove. They promise lower-level control of the operating system and can hide themselves more efficiently. Prevention is available for low-level rootkits, and stronger hardware-oriented solutions are being devised to limit the effectiveness of rootkits.