Top Threats: The 2013 OutlookExperts Offer Insights on Risk Management
Editor's Note: This piece was created for ISMG's Security Agenda magazine, distributed at RSA Conference 2013.
See Also: 2016 State of Threat Intelligence Study
As security threats evolve, organizations must fine-tune their risk management approaches to reflect the new realities for 2013 and beyond.
"Our systems will never be impenetrable, just like our physical defenses are not perfect, but more can be done to improve them," U.S. Defense Secretary Leon Panetta said in a recent speech about cybersecurity.
Many organizations need to develop a much better understanding of attackers' motivations to help ensure they take appropriate steps, such as implementing the right security controls, to mitigate the risk, security experts says. Plus, many organizations are failing to train staff members on how to recognize the warning signs of an attack so that appropriate responses can be quickly implemented.
And because new versions of malware are exploiting vulnerabilities in outdated operating systems and software, a risk management strategy also must include frequent updates and upgrades of software and systems.
As we enter 2013, security experts say that the top threats are posed by organized crime, hacktivists, nation-states and insiders.
Organized Crime's Motivations
For crime rings, the motivation is simple: fraud. Cybercriminals use keyloggers and ransomware to steal identities, access confidential corporate information and perpetrate financial fraud. And they're developing advanced skills.
In August, the Federal Bureau of Investigation issued a warning about attacks that rely on a new type of malware known as Citadel. Attacks targeting consumers had been launched with ransomware feigning to be from the FBI.
While Citadel, a keylogger, worked in the background, the ransomware locked consumers' computers and then demanded they pay a fine. Unsuspecting consumers were persuaded to provide payment card details and other personally identifiable information.
Hacktivists Want Attention
Hacktivists wage attacks against well-known brands for political and social attention. Groups using distributed-denial-of-service attacks - including Anonymous, which has taken credit for attacks against Citigroup, Sony, PayPal, Amazon and others, and Izz ad-Din al-Qassam Cyber Fighters, which has attacked leading U.S. banks - have attracted international attention. Experts warn that hacktivists could be backed by crime rings or nation-states.
"These groups are trying to make a point, and they're incredibly efficient at it," says Wade Baker, director of risk intelligence at Verizon. "They're using different methods. They seem to be adapting to the response set up by the targeted entity."
Experts suggest organizations implement cross-departmental training programs to help employees recognize DDoS warning signs so that appropriate responses can be quickly implemented.
Nation-states frequently seek access to intellectual property and state secrets that they can use to gain an economic, political and military edge over other countries.
And when it comes to insiders, it seems the unwitting often pose the greatest threat. It's not their motivations, but the motivations of those who target them, that organizations have to take into account.
It's not a new threat - it's how hackers broke into security firm RSA's IT system in 2011 - but the trend toward exploiting clueless employees is gaining momentum.
The following is a breakdown of the four groups that continue to pose the greatest cybersecurity threats, the methods they use and mitigation strategies experts from numerous industries suggest.
Organized crime rings are typically behind the Trojan and ransomware attacks that strike online and mobile users. Malware is quickly becoming big business in the cyber-underworld, and hackers are selling well-planned business strategies to distribute, support and coordinate their attacks.
The new Zeus variant known as Citadel marks a new era in malware strategy. Experts say Citadel, a commercial malware, was the first Trojan to be promoted for sale in underground cyberforums along with ongoing technical support and troubleshooting.
Collaboration and joint attacks are growing as well. Citadel attacks were waged in conjunction with the ransomware known as Reveton, which used the FBI as a guise to scare online users into coughing up sensitive information.
And in the case of the newly identified Gozi variant known as Prinimalka, hackers have been working to recruit fellow botmasters to assist with a "blitzkrieg-like" series of attacks on financial institutions.
Then comes Eurograbber, an all-in-one Trojan attack that successfully compromises desktops and mobile devices. The attack, discovered in August by researchers at Versafe, gets around commonly used two-factor authentication practices in Europe.
Targeted phishing attacks sent via e-mail or social-network communications continue to grow. Phishing attacks jumped 79 percent in the second quarter of 2012, compared with the first quarter, according to security vendor RSA.
Attacks waged against mobile devices also are increasing. In late October, the FBI warned of two new Android Trojans - Loozfon and FinFisher - designed to steal mobile phone numbers and contact details and launch spyware that allows hackers to remotely control and monitor a compromised Android device.
When it comes to malware protections, experts say consumer education is critical, but so is technology.
- Invest in advanced malware detection technology. Trojans can evade anti-virus software. Intrusion-protection systems, behavioral analytics and transactional anomaly detection have been more effective, in some cases, at detecting malware.
- Consistently update software. Trojans exploit vulnerabilities in programs, such as Adobe Reader, and operating systems, such as Microsoft Windows.
- Bake malware detection and protection into mobile applications.
The players who wage DDoS attacks are difficult to pinpoint. The lines that divide and define hacktivists, criminals and nation-states are often blurred.
In September, the Financial Services Information Sharing and Analysis Center and the FBI issued a fraud alert for U.S. banking institutions, highlighting techniques cybercriminals were using to take over consumer and commercial online bank accounts. The warning: DDoS attacks are often used as tools of distraction.
"The defender is always reacting, which means we're always a step behind," says Mike Rothman, president of security vendor Securosis. "And that has to change."
A DDoS attack is an attempt to make a website unavailable to the public by overwhelming the site's server with traffic. Preventing a DDoS-attack takedown requires layers of security, and experts say more reliance on cloud-based servers is a good place to start.
Other recommendations include:
- Use virtual private networks. VPNs indirectly improve DDoS protection because attackers target publicly available sites. A VPN over multiprotocol label switching should be in place for critical or business-to-business functions.
- Scrub traffic. An Internet service provider can scrub traffic to clear suspected botnets and junk traffic.
- Regularly assess DDoS risks. Understand typical site traffic patterns to detect anomalies that could signal a DDoS.
What's new about the nation-state threat isn't the actors, but the way they could penetrate information systems to steal secrets and intellectual property.
For Westerners, China presents the greatest threat to the IT supply chain. Last fall, the U.S. House Permanent Select Committee on Intelligence recommended that organizations with sensitive information systems should refrain from using equipment manufactured by China-based component makers Huawei and ZTE out of fears the Chinese government could use their wares to access secret data or worse.
"Any bug, beacon or backdoor put into our critical systems could allow for a catastrophic and devastating domino effect of failures throughout our networks," says Mike Rogers, committee chairman (see DoD Takes Aim at Supply Chain Threat).
It's not just the potential of the Chinese spying on American systems that's worrisome. Other nation-states or, for that matter, corporate competitors or criminals, could disrupt the supply chain to implant tampered wares.
"The supply chain clearly is broken," Richard Boscovich, senior attorney with Microsoft's Digital Crimes Unit, says in a report issued by the Georgia Institute of Technology that explores the supply-chain threat. "It's totally insecure, and it is very easy for criminals to inject what they want into that supply chain."
An outright ban on products sold from Chinese companies won't thwart the problem, but more transparency could help. Suppliers should reveal pertinent information about components and equipment.
"Can your supplier show you a chain of custody from each component?" asks Gartner Fellow Neil MacDonald.
The National Institute of Standards and Technology late last year issued guidance, Interagency Report 7622: Notional Supply Chain Risk Management Practices for Federal Information Systems, which offers 10 supply-chain risk management practices.
In a recent blog for Information Security Media Group, Mike McConnell, former U.S. Director of National Intelligence, called upon public and private sector entities to re-assess their nation-state risks and take appropriate actions.
The insider threat isn't just about individuals within an organization; it's also about outsiders exploiting clueless employees, says Dawn Cappelli, technical manager of the Insider Threat Center at the CERT Program at Carnegie Mellon University's Software Engineering Institute.
One of the more notorious exploits came last summer, when a hacker tricked an employee at the South Carolina Department of Revenue into opening an attachment that contained malware. The incident cost the state $12 million in identity protection payments alone.
"This issue really is about cybercriminals attempting to commit fraud and illegal actions against many companies and many industries," Experian spokesman Gerry Tschopp says (see Fraudsters Target Bank Employees).
How can such exploits be stopped? More awareness training could help, but it's not enough. "Some of these phishing and spear-phishing e-mails are so crafty that simply relying on security awareness training is just not effective; they're just too good," Cappelli says.
Recognizing that bad guys will get into systems should prompt organizations to implement basic security controls, such as encrypting sensitive data and employing multiple password schemes, two steps South Carolina Gov. Nikki Haley confesses the state did not do.
Another defensive move is the deployment of security information and event management systems, or SIEMs, which analyze log information to detect anomalous activities.
"The best way for organizations to quickly detect abnormalities is to gain an understanding of their baseline or normal activity by reviewing/analyzing log data on a regular basis," says Jerry Shenk, a senior analyst at the SANS Institute, an IT security educational institution (see Struggling to Make Sense of Log Data).(Eric Chabrow, executive editor of GovInfoSecurity and InfoRiskToday, contributed to this story.)