Feeling vindicated? Security pros everywhere rejoiced when proof that external adversaries really are targeting companies to steal intellectual property led the 10 o'clock news. Government and military agencies have been dealing for years with these attacks, but cries for help from enterprise IT groups often fell on deaf ears.
Until January. That's when Google announced that for half of 2009 it was attacked using a zero-day Internet Explorer exploit originating in China. Other companies, including Adobe, Juniper, and Rackspace, said they were also targeted with the same techniques during that same period. Dubbed "Operation Aurora" by McAfee, this wide-ranging cyberassault attempted to steal the source code of applications developed by these--and possibly other--leading vendors.
As word spread, CISOs everywhere got copies of the standard "Could this happen to us?" e-mail from management and struggled to answer questions about how they could hope to fend off such exploits if Google, which employs hundreds of top security pros, had to withdraw from the largest emerging market and leave many millions of dollars on the table.
Security researchers group these attacks under the advanced persistent threat, or APT, category. We see APT as shorthand for a targeted assault, where the attacker's skill level and resources are advanced. When they get in, often via social engineering techniques, they seek to stay undetected and tunnel deep into the network, then quietly export valuable data. Cleaning up the mess is an expensive nightmare.
Fact is, after several years of both our budgets and our data being under siege, few companies have the means to fight off world-class attackers. In every security survey we deploy, a percentage of respondents say they long for a major breach to wake business leaders up. Finally, you got your wish, albeit via proxy.
Now, are you going to let a good crisis go to waste?
Early indications are promising. Companies are spending more time learning about the underlying components of APT, such as worms and bots, as shown by the 30% of the 1,002 respondents to our 2010 InformationWeek Analytics Strategic Security Survey who say they spend a great deal of time on virus and worm detection and research. This is a 25% increase over 2009.
But APT isn't only about the constant malware battle; that's just the front line of this war. Incident response is required to properly counter attacks, and enhanced security awareness is needed to keep users from infecting themselves. Our poll showed increases in those dedicating a great deal of time to both these activities, 14% and 22%, respectively.
When asked about their biggest information and network security challenges, managing complexity is the No. 1 response and has been for a number of years. We spoke with a director for a large multinational conglomerate who has responsibility for security and privacy, and he says the top source of angst is the jumble of compliance requirements his company is subject to. Between U.S. state laws and pending federal regulations and international statutes--Mexico has a new data protection law, and the trend in Europe is around data breach notification--the term "patchwork quilt" is apt. "Just understanding what the laws are should really be a full-time job--but it's not, unfortunately, so we struggle to stay on top of them," he says.
The current focus is on getting everyone in the org to use the same tools and definitions of risk, but instituting global policies and standards is difficult. "Some states require the breach to be described in detail, while Massachusetts forbids giving details," he says. "So even something as simple as drafting a notification letter is a nightmare. The best answer would be an international standards body empowered to issue guidelines, but no one expects to see uniformity anytime soon."
Another source of complexity, one that may rival compliance in a few years, is the need to detect the root indicator of APT: intent. How, for instance, can your employees decide if any given e-mail inquiry is malicious?
Solving the problem of intent requires adding resources to educate users while still providing ongoing support to the technologies that reduce existing threats. We all know it's about money, but on the other side we're seeing attackers become more businesslike in that they need an ROI for their exploits, and they'll invest in tools and expertise to get that return.
You may be thinking that this sounds a lot like phishing, and you're partially correct. Phishing is on the rise, both for our survey respondents, who say it's the No. 2 most common type of security breach in their companies, and on the Internet as a whole. And the intent trend has continued: attackers now distribute malware in ways that leverage the trends in our social lives--and good marketing techniques--to persuade users to visit sites where they can be targeted.
Maybe this shift from a technology war to a psychological one is why we see a decrease in the effectiveness of almost all vulnerability management processes. Change management, for example, does reduce misconfigurations and increase the likelihood you'll have patches deployed successfully, but it can't help the end user who clicks a link on Facebook and gets infected. So when do we start implementing a vulnerability management system for end users? Is it time to start scanning employees for bad decision-making and intervening with those who make poor choices?
In fact, scanning employees is part of our risk assessment process. We recently sent a phishing e-mail promising a free TV to the person who provided the best name for a new product. Don't think you'd have been fooled? Well, a CSO who had hired us actually clicked the e-mail, viewed the site, registered for the TV--and could have been exploited. The takeaway is that a little humility will go a long way when educating employees. Learn more on how to train successfully in our full report.
Data ... I Need More Data
When you think monetization, think personally identifiable information: Social Security and credit card numbers, protected health information, anything attackers can use to steal identities. And lucky for them, we're storing this data all over the place--business intelligence dashboards, extranets, intranets, and supply chain software all mean more and more data is being generated, saved, and shared. This is a huge concern for our survey respondents. In 2009, only 17% of those feeling an increased vulnerability to security threats were concerned about the growing amount of data, but in 2010, that number about doubled, to 33%.
So is there any area we're less worried about now? Yes, but it's not what you might expect. Of those who think their companies are more vulnerable to breaches and threats, the percentage of respondents concerned about the security of internally developed applications actually dropped 10 points year over year, from 31% in 2009 to 21% in 2010. Based on poll comments and interviews with CSOs, we think this is because IT is fixated on the idea of pushing applications into the cloud and has been reducing costs by stopping development of internal applications and laying off the programmers and consultants who produce internal software.
You wondered when we'd get to this cloud stuff, right?
Although it seems to be conventional wisdom that the public cloud is going to revolutionize IT, remember that moves toward outsourcing tend to be cyclical and tied to economic indicators. The widespread use of virtualization and incessant pressure to reduce spending on IT functions that don't directly contribute to the bottom line are adding to the legitimacy of the cloud concept. But as Greg Shipley, CTO of risk management consultancy Neohapsis and an InformationWeek contributor, discussed in his April report on assessing cloud risk, for more than a year now security has led the list of reasons not to use these services, yet we still don't see any major public cloud vendor stepping up and tackling the security risks of cloud computing head on. Don't get us wrong--the public cloud has some advantages. But before making a move, run the numbers on security, no matter how much cash you could save in the short term.
What's In Our Future
Time to pull out the crystal ball. We expect a steady increase in adoption of data-centric security strategies, enabled by growing use of data-loss prevention (DLP) technology. We base this on the positive response to our January 2010 report on data-centric security and the radically changing nature of our businesses. First, the amount of data we need to protect is increasing at a breakneck pace, according to our InformationWeek Analytics 2010 State of Enterprise Storage Survey. In addition, the enterprise perimeter is eroding as more mobile workers require internal services to be available externally. In our March 2010 Mobile Device Management and Security Survey, fully 87% of respondents said smartphones will become more predominant in their environments. That adds up to a mandate to focus on the data, who has access, and what they can do with it. No doubt that's why use of DLP has increased 31% since 2008.
Another new technology that's getting a lot of press is tokenization, the process of replacing confidential data, such as Social Security or credit card numbers, in databases with a random value. You seem to be in the evaluation phase: 87% of those using tokenization agree it will reduce risk, but only 16% of all respondents have taken advantage of the technology. Still, based on our conversations with security professionals at conventions such as RSA, we think tokenization has legs.
Not to be a downer, but we do want to point out that tokenization won't solve the data storage problem, and it won't replace encryption at rest, simply because tokenization is akin to the magic cups game magicians play at kids' parties. What vendors and security professionals seem to forget is that, like the magic cups game, if you perform tokenization on site, there is a 100% chance that the ball is under one of the three cups--and the real data is somewhere in your infrastructure. Given enough time and domain credentials, the attacker will very likely find it. Outsourced tokenization isn't perfect either, but in some cases it does reduce risk more significantly. If you use only software and hardware that can take advantage of the tokenization service, for example, then you've transferred the most difficult part of becoming PCI-compliant to the service provider.
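To make the "ball under the cup" point concrete, here is an added example (not code from the article or any vendor) of a minimal on-site tokenization vault for card numbers: tokens are random, keep only the last four digits, and are made to fail the Luhn check so they can never pass as real card numbers, yet the vault's mapping table still holds every real number in the clear. The class and function names, and the well-known 4111... test card number, are constructed for illustration.

```python
"""Minimal on-site tokenization vault (illustrative, constructed example)."""
import secrets
import string


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, which real payment card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Maps random tokens to the real values they stand in for.

    The vault is the cup the ball is under: wherever it is stored, the
    real data is stored too, so it still needs encryption at rest and
    tight access control. Tokenization moves the secret; it does not
    remove it.
    """

    def __init__(self) -> None:
        self._token_to_value: dict[str, str] = {}
        self._value_to_token: dict[str, str] = {}

    def tokenize(self, card_number: str) -> str:
        digits = "".join(c for c in card_number if c.isdigit())
        if digits in self._value_to_token:      # same card, same token
            return self._value_to_token[digits]
        while True:
            # Random body of the same length, last four digits kept for
            # display; the token carries no information about the card.
            body = "".join(secrets.choice(string.digits) for _ in digits[:-4])
            token = body + digits[-4:]
            # Reject collisions and anything that would pass as a real PAN.
            if token not in self._token_to_value and not luhn_valid(token):
                break
        self._token_to_value[token] = digits
        self._value_to_token[digits] = token
        return token

    def detokenize(self, token: str) -> str:
        """Anyone who can call this (or read the vault) has the real data."""
        return self._token_to_value[token]

    def holds_plaintext(self, card_number: str) -> bool:
        """True if the real card number sits in the vault: the attacker's target."""
        return "".join(c for c in card_number if c.isdigit()) in self._value_to_token
```

The `holds_plaintext` check is the article's caveat in code: a database full of tokens is only as safe as the vault those tokens point back to.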
Finally, it's clear that security folks are fighting a multifront, ever-evolving war. Well-funded adversaries are constantly attacking public and private companies, and existing security technologies, while still needed, won't help us with determining intent. We could argue that our security systems have worked too well--that we've driven our adversaries away from trying to crack passwords to get into the network to developing psychological threats to get into our employees' heads. Data-centric security, increased awareness training, and use of metrics to enhance the communication of security's value to executive management will all be essential, because the attacks are varied and unrelenting.
"We got hacked about four years ago, and one of the URLs showed that the attack originated in China," says a senior IT executive for a major U.S. city. "But we also had to install cameras because a former employee stole data. We pay $100,000 for a firewall, then have a weak link inside." Meanwhile, his organization gets phishing e-mails constantly, and he's seen executives fooled using social media techniques.
Most of the IT pros we talk with have similar tales. But take heart, because a brighter budgetary picture and the object lesson of Operation Aurora should finally buy us the ammunition we need to fight the psychological war that attackers have brought to our door.
Michael A. Davis is CEO of Chicago-based security consultancy Savid Technologies.