After reviewing “Under Cyber Attack, EY Global Information Security Survey 2013” and interviewing Chip Tsantes, EY’s cybersecurity leader for financial services, Forbes’ finance and technology contributor Tom Groenfeldt recently wrote an article on forbes.com. In his piece, Groenfeldt lays out what EY discovered from the organizations it surveyed, from what to do to avoid being victimized to what business and industry can expect from the bad guys in the future.
“(The study found that for) nearly three-quarters of organizations surveyed, information security policies are now owned at the highest organizational level.”
“The number of threat actors is increasing and each has a different high value target,” said Chip Tsantes…. “Five years ago it was protecting money, but now threat actors, nation states and hacktivists are looking to disrupt, embarrass, steal IP or help their domestic industries. The number of targets has increased, techniques have gotten better and they are going after a wide array of targets.”
EY divides cyber attackers into three buckets, said Terry Jost, principal in the EY cybersecurity practice.
1. Nation states looking to steal intellectual property (IP). The number of threats is already huge and the attacks are escalating.
2. Organized crime, sometimes with backing by some other entity, looking to steal money.
3. Hacktivist[s] aiming to disrupt an organization, often on behalf of some cause.
Intruders often disguise their identity and where they are attacking from. (Therefore) it is more useful to identify the technique of the attack and look for a signature than trying to figure out where it came from.
“Especially in Financial Services, our clients are getting better at determining the key targets and how to better protect and complicate the access within the network. They are also paying much greater attention to vendor networks.
Since very few transactions are done in house, vendors are handling sensitive (and) customer data. Companies must understand the full chain of custody of (a) transaction and ensure that the right handling is in place throughout the chain.”
(Consultants) encourage their clients to inventory their most important assets and take steps to protect (them). Thinking like a hacktivist helps — someone might find that targeting a CEO’s emails or cell phone is valuable, for example.
“Make sure you are spending in the right areas,” added Jost. “It’s pretty easy to spend a lot of money, but harder to know you are going to maximize the investment.” Today’s tight budgets are an issue, but the threats persist and will require constant investment in security.
“With the rising (level of) sophistication in…threats and techniques, every three to five years you probably have to spend more. It’s not like you spend once and it is over.”
Most sophisticated firms encrypt everything, so if a laptop is lost it isn’t much use. In most states, when an encrypted laptop is lost it doesn’t have to be reported as a data loss.
The major vulnerabilities are around the edge: employees using the WiFi at a coffee shop and not using VPN to connect to the company, or business partners who have access to a company but [whose systems] aren’t as secure as the company’s system is.
Cell phones are a major security concern. Unlike PCs, whose design makes security layers possible, cell phones are designed to share information, including the phone’s location.
“Cell phones should be thought of as a compromised device,” said Tsantes. The mobility of a cell phone breaks everything IT departments have been managing for a long time. They always knew a server was in a data center, and they could maintain data behind the firewall and allow read-only access. Now with a smart phone, a user can easily photograph screens of data.
“Smart phones are…unfenceable problems and there is an exponential level of risk of attack through them.”
Phones, however, can also improve security by becoming a secure identification, a one-time security code in addition to a user ID and password. “Smart tokens on smart phones will be big because everyone carries a phone, and it provides additional information like geo-location,” said Tsantes.
Education should be a constant part of a security environment…but it tends to fall way down the list of corporate priorities.
“Almost every breach I have seen had humans involved,” Tsantes said. “It’s not Spy vs. Spy or Mission Impossible but humans making errors leading to significant breaches.”
Getting proactive is not just one more business cliché; it defines a difference in approach to security. Standard anti-virus software is based on known viruses but is not very effective against new forms of attack. To protect against novel types of attacks, security experts use behavior-based analytics that look for unusual patterns to provide an early warning of something wrong on the network: malware, rogue system-to-system communication, or unusual human activities. Such analytics would warn that a Bradley Manning or Edward Snowden was downloading rather more documents than he needed for his work.
“That (Snowden’s or Bradley’s activities) should have triggered an alert so the activity could be shut down and investigated.” Security which might have been content to issue a warning a few years ago now monitors 24×7 and shuts down a system if a danger is spotted.
“Advanced computing and big data help with this kind of monitoring,” Tsantes said. “You are looking for anomalies and can correlate many activities from the swipe of a badge to the location of a cell phone.”
Utilities are a whole other area of security concern…since they run on 15- to 18-year-old controlling devices that could be hacked. The White House sent out an executive order last year to operators of critical infrastructure; about half of the firms were utilities.
The New York Times reported that a major cybersecurity attack will be simulated in a drill this fall. Jost said utilities are stepping up their spending on new, more secure controllers.
“Attackers are extremely organized and some are well funded,” said Jost, who sees an offensive launched at businesses to steal IP. “Next (there) will probably be a lot more aggressive behaviors that will be launched between businesses and/or countries to protect themselves.
“This whole game is perhaps early signs of a cyber war that is starting to be waged. It’s a landscape [where] it is hard to tell whether any individual is [working alone or as part] of a team….”