In times when core enterprise processes depend heavily on IT systems, employees are highly interconnected through ubiquitous technologies and “e-spionage” is gaining momentum, professional criminal organizations as well as foreign agencies are increasing the quality and complexity of the attacks companies face. IT security specialists are confronted with the challenging task of developing complex security strategies to defend against cyber-crime.
In order for an IT security specialist to develop a suitable security strategy for their enterprise, an analysis of current threat models and an assessment of the enterprise's security status have to be performed. The following diagram shows a simplified version of the process of drafting an IT security strategy. I have named the upper box “KNOW”; it represents the input on which an IT security strategy is based. An IT security specialist should be knowledgeable in multiple disciplines, both internal and external to the company. It is important to know one's own enterprise, its assets and risks, its company strategy and its plans in order to know where to concentrate efforts and resources. At the same time a security expert should be well informed about external factors, such as the current security threats, and should know the attackers and their interests. Based on that information, a suitable corporate IT security strategy has to be developed and implemented.
The “IMPLEMENT” box beneath is a high-level overview of a number of topics and initiatives which should realize the strategy. Measures aiming to establish IT governance structures, improve employee awareness, implement centralized identity management systems and vulnerability and threat management processes, and perform monitoring and permanent gap analysis would be some of the resulting action points which implement the IT security strategy.
This blog has been planned as a series. In this first part I will start with the KNOW part and discuss cyber-crime and its impact on enterprises (know the attackers and their interests).
Cyber-crime causes billions of dollars/euros of damage every year, not counting the damage to companies' image. History shows that security breaches can even cause the complete bankruptcy of an enterprise.
But what motivates hackers to perform attacks that inflict such damage on companies, enterprises and their customers? In order to implement a functional IT security strategy, an IT security specialist should know and understand the attackers' motivation and what they are after.
In earlier days attacks were planned by opportunistic hackers or small groups, preferably requiring little effort, in order to achieve a particular aim (e.g. fun, quick financial profit, recognition). These were unconnected individuals or small groups of people mainly looking for quick financial profit.
The hacking community did not lose momentum and has evolved dramatically in recent years, in the same way as our technologies and IT infrastructures have evolved. Nowadays such groups are well organized and tightly connected, pursuing different interests.
Together with the vast influence of technology on our daily life, the attack motivations have also changed widely. Nowadays attacks are performed not only for the sake of financial profit, but also for political orientation and influence. Nation states are deploying advanced viruses and malware (e.g. STUXNET, FLAME) to achieve questionable goals. Companies are being spied on by competitors aiming to steal intellectual property and inflict damage.
There is, though, a major difference between the parties shown in the graph above: personally/politically motivated attacks, as well as most financially motivated attacks, are one-time “hit and run” activities which are quite dangerous and can inflict considerable damage. Often such attacks are performed for the sake of publicity, recognition or personal gain.
The aims of other attackers are rather different and quite the opposite. Those attacks are commonly known as advanced persistent threats (APT): the attack should, if possible, stay undetected. In most cases the attack is initiated via multiple channels such as social engineering and technical vulnerabilities. After a successful initial compromise of an internal system, further infiltration towards more critical systems would possibly follow. Such attacks can have different motivations, such as disrupting core processes in a company or long-term espionage (the estimated mean duration of an APT is over 400 days) targeting data and intellectual property. In comparison to other attacks, where people are after credit card data no matter which issuer or whom the card belongs to, such threats are well targeted at your company and aim specifically to infiltrate your infrastructure. Targets are purposefully selected, and the people behind such attacks define very clear goals which have to be achieved. Often such attacks are backed by people with extensive resources who can afford to implement specialized rootkits for their purposes.
Unfortunately, normal signature-based anti-virus software rolled out across the whole organization is not sufficient: an expert would often need less than an hour to change existing malware so that it is no longer detected by the signature-based scanner, thereby generating “new malware” which, if wisely used, may never land in the signature databases of the anti-virus providers.
An IT security strategy should define and implement measures for protecting the enterprise from advanced persistent threats. A company should employ different types of protection approaches against such threats in order to achieve an acceptable level of defense and security. Active cooperation with industry organizations, as well as information exchange with IT activists/hacker groups and government agencies, is necessary in order to adapt security strategies in time. Additionally, solutions which aid the detection of such threats must be implemented, for example intrusion detection systems (IDS), reputation and behavioral analysis solutions, application and device control, and compliance monitoring tools. These detection and monitoring systems should be backed by well-established monitoring and incident management processes which ensure that malicious activities are handled correctly and reported in time. It is necessary to think about the overall IT security approach and how to implement specific measures to protect key assets. More to come in the next part of this blog, covering the IMPLEMENT part…
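As an added example (not code from the original post), the following Python sketch contrasts the two detection styles discussed in the last two paragraphs: an exact-hash signature, which a one-byte change to a sample already defeats, and a behavioral check over proxy log lines that flags a workstation contacting the same destination at near-constant intervals, the beaconing pattern typical of a persistent implant. The sample content, workstation names, domains and log lines are constructed for the illustration.

```python
import hashlib
from collections import defaultdict
from datetime import datetime

# Constructed stand-in for a known sample and a variant differing by one byte;
# both would behave identically, only the bytes (and thus the hash) differ.
KNOWN_SAMPLE = b"constructed sample content, not real malware"
VARIANT_SAMPLE = KNOWN_SAMPLE + b"\x00"

# Signature database: a set of SHA-256 hashes of known samples.
SIGNATURES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}


def signature_match(blob: bytes) -> bool:
    """Signature-style check: exact hash lookup, brittle against any change."""
    return hashlib.sha256(blob).hexdigest() in SIGNATURES


# Constructed proxy log lines: "<ISO timestamp> <workstation> <destination>".
PROXY_LOG = """\
2013-05-01T10:00:00 ws-17 updates.example.net
2013-05-01T10:02:13 ws-22 intranet.example.com
2013-05-01T10:05:02 ws-17 updates.example.net
2013-05-01T10:09:58 ws-17 updates.example.net
2013-05-01T10:15:01 ws-17 updates.example.net
2013-05-01T10:41:50 ws-22 intranet.example.com
"""


def find_beacons(log: str, min_hits: int = 4, jitter_s: int = 30) -> list:
    """Behavioral check: flag (host, destination) pairs contacted at a
    near-constant interval. Returns (host, destination, mean interval in s)."""
    seen = defaultdict(list)
    for line in log.splitlines():
        ts, host, dest = line.split()
        seen[(host, dest)].append(datetime.fromisoformat(ts))
    flagged = []
    for (host, dest), times in seen.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Regular beaconing: all gaps lie within jitter_s of each other.
        if max(gaps) - min(gaps) <= jitter_s:
            flagged.append((host, dest, round(sum(gaps) / len(gaps))))
    return flagged


if __name__ == "__main__":
    print("known sample matched:", signature_match(KNOWN_SAMPLE))       # True
    print("one-byte variant matched:", signature_match(VARIANT_SAMPLE))  # False
    print("beacons:", find_beacons(PROXY_LOG))  # [('ws-17', 'updates.example.net', 300)]
```

The hash lookup misses the variant while the interval check still surfaces the regular contact pattern; in practice the behavioral rule would feed the monitoring and incident management process rather than block on its own.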