The Fraud Blog with Tracy Kitten

Why All Threats Are Advanced, Persistent

Addressing the Risks Posed by Cyber-Attacks

I spent the past week talking with online security experts about everything from distributed-denial-of-service and web application attacks to targeted phishing campaigns and next-generation, polymorphic Trojans. And here's the central theme that's carried over from conversation to conversation: All of these attacks ultimately aim to compromise data, and virtually all are advanced and persistent.

Art Coviello, executive chairman of the security firm RSA, put it best when he said during his keynote at RSA Conference Asia Pacific 2013 that the attacks hitting industries today are targeted, interactive and stealthy. "There's human involvement," he says. "They are learning and adjusting based on your defenses."

Take DDoS as an example. On the surface, these attacks appear to be about noise - blocking site access with bursts of traffic. But as Akamai's Fran Trentley and Imperva's Terry Ray, who both focus on online security, point out, DDoS strikes are being used to attack web applications and to compromise DNS infrastructure. Why? Because the attackers want to disrupt, tear down and, ultimately, penetrate systems and compromise information.

Attacks against web applications are packaged with DDoS, Ray says, making DDoS about much more than mere online traffic floods and annoyance.

"They try to steal data - SQL injection, cross-site scripting, all of the other types of attacks that people are familiar with on the Web application side ... and they are using very specific, automated tools to do that," he says. "It's a process we've been able to record. But they always end with DDoS."

What's most concerning is that many of these attacks are so well-orchestrated that they are waged without being detected. Even a relatively basic DDoS technique, DNS reflection - in which attackers send queries to open resolvers with the victim's address spoofed as the source, so that the resolvers' much larger responses flood a victim that never asked for them - until recently wasn't something most organizations readily recognized as a security incident.
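The reason DNS reflection goes unrecognized is that, to the victim, it looks like ordinary DNS traffic: UDP packets from port 53. The tell is that the responses match no query the victim ever sent, and they arrive from many distinct resolvers at once. The following Python script, added here as an illustration and not part of the original post, flags exactly that pattern. It assumes a simplified one-packet-per-line flow log format of my own design (timestamp, source, source port, destination, destination port, protocol, bytes), a home network of 10.0.0.0/8, and a 64-byte spoofed query when estimating amplification; the sample records are constructed, not captured traffic.

```python
"""Flag hosts receiving unsolicited DNS responses from many resolvers.

A DNS reflection attack sends queries to open resolvers with the victim's
address spoofed as the source. The resolvers then send their (often much
larger) responses to the victim, which never asked for them. So the victim
sees DNS responses that match no outbound query, from many distinct
resolvers, in a short window. That is the pattern detected below.
"""
import ipaddress
from collections import defaultdict

# Constructed sample flow log (not captured traffic). Assumed format:
# epoch_seconds src_ip src_port dst_ip dst_port proto bytes   # comment
SAMPLE_LOG = """\
1370000000 10.0.0.5 41234 198.51.100.53 53 udp 64       # legitimate query from 10.0.0.5
1370000000 198.51.100.53 53 10.0.0.5 41234 udp 512      # its answer: solicited, not flagged
1370000002 198.51.100.53 53 10.0.0.5 41235 udp 512      # one stray late reply: below threshold
1370000001 203.0.113.10 53 10.0.0.8 80 udp 3300         # five resolvers reflecting onto 10.0.0.8
1370000001 203.0.113.11 53 10.0.0.8 80 udp 3300
1370000001 203.0.113.12 53 10.0.0.8 80 udp 3300
1370000001 203.0.113.13 53 10.0.0.8 80 udp 3300
1370000001 203.0.113.14 53 10.0.0.8 80 udp 3300
1370000001 203.0.113.10 53 10.0.0.8 80 udp 3300         # same reflector again
1370000003 10.0.0.8 33333 203.0.113.99 53 udp 60        # a real query; no reply in this log
1370000003 10.0.0.5 80 192.0.2.7 443 tcp 1500           # unrelated TCP traffic, ignored
"""


def parse_flows(log_text):
    """Parse the constructed flow format into dicts; '#' starts a comment."""
    flows = []
    for raw in log_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ts, src, sport, dst, dport, proto, size = line.split()
        flows.append({"ts": int(ts), "src": src, "sport": int(sport), "dst": dst,
                      "dport": int(dport), "proto": proto, "bytes": int(size)})
    return flows


def find_reflection_victims(log_text, home_net, min_reflectors=3, query_bytes=64):
    """Return {victim_ip: stats} for home-network hosts that received
    unsolicited DNS responses from at least `min_reflectors` distinct resolvers."""
    home = ipaddress.ip_network(home_net)
    flows = sorted(parse_flows(log_text), key=lambda f: f["ts"])  # stable: queries precede replies
    outstanding = set()  # (client_ip, client_port, resolver_ip) for queries we actually sent
    seen = defaultdict(lambda: {"responses": 0, "bytes": 0, "reflectors": set()})

    for f in flows:
        if f["proto"] != "udp":
            continue
        src_home = ipaddress.ip_address(f["src"]) in home
        dst_home = ipaddress.ip_address(f["dst"]) in home
        if src_home and f["dport"] == 53:
            # Outbound query: remember who we asked so that its reply is expected.
            outstanding.add((f["src"], f["sport"], f["dst"]))
        elif dst_home and f["sport"] == 53:
            key = (f["dst"], f["dport"], f["src"])
            if key in outstanding:
                outstanding.discard(key)  # solicited: one reply consumes one query
                continue
            s = seen[f["dst"]]
            s["responses"] += 1
            s["bytes"] += f["bytes"]
            s["reflectors"].add(f["src"])

    report = {}
    for victim, s in seen.items():
        if len(s["reflectors"]) < min_reflectors:
            continue
        report[victim] = {
            "responses": s["responses"],
            "reflectors": len(s["reflectors"]),
            "bytes": s["bytes"],
            # Assumed spoofed query size; shows how much each reflector multiplies the attacker's traffic.
            "amplification": round(s["bytes"] / s["responses"] / query_bytes, 1),
        }
    return report


if __name__ == "__main__":
    for victim, stats in find_reflection_victims(SAMPLE_LOG, "10.0.0.0/8").items():
        print(victim, stats)
```

The honest query/response pair for 10.0.0.5 and its single stray reply are not reported, while 10.0.0.8 is flagged with five reflectors and roughly 50x amplification. In production the same logic would run over flow exports or DNS-layer telemetry, and the threshold and window would be tuned to the network's baseline.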

Redefining Defenses, and Strategies

Unfortunately, however, many organizations still think of DDoS attacks as little more than a nuisance - and that's worrisome because, as security experts point out, DDoS attacks are rarely waged in isolation.

This is why so much of the focus at the RSA Asia Pacific event was on intelligence-driven security - taking a step back to truly understand the attacks and the methods used to wage them, and using big data analytics to spot the patterns that connect them. In the end, organizations will learn that all attacks - even DDoS attacks - are intrusive.

In Singapore, the banking industry's risk mitigation strategies are guided by the assumption that all attacks are intrusive. In its Compliance Checklist for Internet Banking and Technology Risk Management Guidelines 3.0, issued five years ago, the Monetary Authority of Singapore, the country's central bank and financial regulator, specifically called out DDoS as an attack vector that banks have to mitigate.

Why? Because DDoS poses risks to systems and networks.

"An incident response framework is established and routinely validated to facilitate fast response to a DDoS onslaught or an imminent attack," the MAS checklist states. "The framework should include a plan detailing the immediate steps to be taken to counter an attack, invoke escalation procedures, activate service continuity arrangements, trigger customer alerts, as well as report to MAS and other authorities."

U.S. banking institutions, and other organizations and agencies, for that matter, need to adopt a similar approach. And in the wake of the DDoS strikes that have been targeting U.S. banks, most have begun this process.

But the real message that needs to be absorbed is that organizations cannot address these attacks in isolation.

It's not just about DDoS or SQL injection or phishing and malware. It's about simultaneously addressing the risks posed by all of them.

The bottom line is that every attack poses a threat to data and intellectual property. Just as the lines that once divided the attackers who waged these attacks have blurred, so, too, have the lines that define these attacks.

Organizations have to change their thinking, redefine their defenses and realign their strategies. Security has to be the end goal, rather than conformance or compliance.

About the Author

Tracy Kitten

Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 18 years' experience, Kitten has covered the financial sector for the last 11 years. Before joining Information Security Media Group in 2010, where she now serves as the Executive Editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.