Cybersecurity Threats Are Rising — EY
Cyber security has moved from operations to a concern of the C-suite and the board, EY (formerly known as Ernst & Young before getting carried away with hip rebranding), the consultancy, has found in its work across industries.
“For nearly three-quarters of organizations surveyed, information security policies are now owned at the highest organizational level,” the firm concluded in a recent report on cyber security, “Under Cyber Attack, EY Global information security survey 2013.” Because the attacks are becoming more numerous and more sophisticated, organizations have to improve their defenses and get proactive. (For a fascinating look at how Obama’s security is protected — a tent that is erected in hotel or conference rooms with tools to protect against eavesdropping, see The New York Times.)
“The number of threat actors is increasing and each has a different high value target,” said Chip Tsantes, cybersecurity leader for financial services at EY. “Five years ago it was protecting money, but now threat actors, nation states and hacktivists are looking to disrupt, embarrass, steal IP or help their domestic industries. The number of targets has increased, techniques have gotten better and they are going after a wide array of targets.”
EY divides cyber attackers into three buckets, said Terry Jost, principal in the EY cybersecurity practice.
1. Nation states looking to steal intellectual property (IP). The number of threats is already huge and the attacks are escalating.
2. Organized crime, sometimes with backing by some other entity, looking to steal money.
3. Hacktivists aiming to disrupt an organization, often on behalf of some cause.
Intruders often disguise their identity and where they are attacking from, so it is more useful to identify the technique of the attack and look for a signature than to try to figure out where it came from.
“Especially in Financial Services, our clients are getting better at determining the key targets and how to better protect and complicate the access within the network. They are also paying much greater attention to vendor networks. Since very few transactions are done in house, vendors are handling sensitive data, customer data. Companies must understand the full chain of custody of that transaction and ensure that the right handling is in place throughout the chain.”
The consultants encourage their clients to inventory their most important assets and take steps to protect those. Thinking like a hacktivist helps — someone might find that targeting a CEO’s emails or cell phone is valuable, for example.
“Make sure you are spending in the right areas,” added Jost. “It’s pretty easy to spend a lot of money, but harder to know you are going to maximize the investment.” Today’s tight budgets are an issue, but the threats persist and will require constant investment in security.
“With the rising sophistication in the threats and techniques, every three to five years you probably have to spend more; it’s not like you spend once and it is over.”
Most sophisticated firms encrypt everything, so if a laptop is lost it isn’t much use. In most states, when an encrypted laptop is lost it doesn’t have to be reported as a data loss.
The major vulnerabilities are around the edge — employees using the wifi at a coffee shop and not using VPN to connect to the company or business partners who have access to a company but aren’t as secure as the company’s system is.
Cell phones are a major security concern. Unlike PCs whose design makes security layers possible, cell phones are designed to share information, including the phone’s location.
“Cellphones should be thought of as a compromised device,” said Tsantes. The mobility of a cell phone breaks everything IT departments have been managing for a long time. They always knew a server was in a data center, and they could maintain data behind the firewall and allow read-only access. Now with a smart phone, a user can easily photograph screens of data.
“Smart phones are an unfenceable problem and there is an exponential level of risk of attack through them.” Phones, however, can also improve security by becoming a secure identification, a one-time security code in addition to a user ID and password.
“Smart tokens on smart phones will be big because everyone carries a phone, and it provides additional information like geo-location,” said Tsantes.
Education should be a constant part of a security environment, they added, but it tends to fall way down the list of corporate priorities.
“Almost every breach I have seen had humans involved,” Tsantes said. “It’s not Spy vs. Spy or Mission Impossible but humans making errors leading to significant breaches.”
Getting proactive is not just one more business cliché; it defines a difference in approach to security. Standard anti-virus software is based on known viruses but is not very effective against new forms of attack. To protect against novel types of attacks, security experts use behavior-based analytics looking for unusual patterns to provide an early warning of something wrong on the network, malware, system-to-system communication that is rogue, or unusual human activities. They would warn that a Bradley Manning or Edward Snowden was downloading rather more documents than he needed for his work.
“That should have triggered an alert so the activity could be shut down and investigated.” Security which might have been content to issue a warning a few years ago now monitors 24×7 and shuts down a system if a danger is spotted.
“Advanced computing and big data help with this kind of monitoring,” Tsantes said. “You are looking for anomalies and can correlate many activities from the swipe of a badge to the location of a cellphone.”
Utilities are a whole other area of security concern, they added, since they run on 15- to 18-year-old controlling devices that could be hacked. The White House sent out an executive order last year to operators of critical infrastructure — about half of the firms were utilities. The New York Times reported that a major cybersecurity attack will be simulated in a drill this fall. Jost said utilities are stepping up their spending on new, more secure controllers.
“Attackers are extremely organized and some are well funded,” said Jost, who sees an offensive launched at businesses to steal IP. “Next will probably be a lot more aggressive behaviors that will be launched between businesses and/or countries to protect themselves. This whole game is perhaps early signs of a cyber war that is starting to be waged. It’s a landscape we don’t see, so it is hard to tell whether any individual is one of a team or is an individual. It will continue to get a lot more complicated.”
This article is available online at: http://www.forbes.com/sites/tomgroenfeldt/2013/11/11/cybersecurity-threats-are-rising-ey/