"Eighty percent of problems would be solved if employees took basic security measures," says Garry Sidaway, global director of security strategy at NTT Com Security, a global information security and risk management organization. "The majority of breaches are around vulnerabilities that don't require any great skills to compromise."
With so much focus on information security, especially following the Target breach, it's possible we've lost sight of where the largest security threats are concentrated: in individual oversight. Indeed, more security teams have noticed a shift from hackers trying to knock through the firewalls to trying to work around them. They have become patient, using web and social tools to profile networks before launching specific attacks such as false e-mails from a manager or even instant message chats.
These are called Advanced Persistent Threats, or APTs, and according to Sidaway they are simply not being taken seriously. They are only "advanced" because hackers have taken to social engineering to craft malcode specific to the business, and "persistent" because they are really low-level noise, a constant threat.
"As an enterprise it's very easy to implement the basics," he says. Perhaps 85 percent of known vulnerabilities already have fixes. "Our defensive team combats cases where the issue was fixed 5 years ago; they know all about it and should be able to put measures in place."
It all comes back to the simple fact that we, humans, are still the best hacking tools. We respond because we don't consider the possibility of being a target. As soon as an important e-mail comes in from the "boss" you don't think about it; you service the interrupt rather than concentrate on what you're actually doing, and that one click has walked past every defensive system in place.
"It's surprising, we put a lot of infrastructure and technology in place that's done a good job, and those defenses in layers are all good things. Then we click a link or go to a website, and something like that is walking past all the good security measures."
Reevaluating the Defense - A Collaboration
Large organizations typically fight the same battles on several fronts, experiencing the same threats across disparate parts of business and not collaborating to solve that problem. Dollar for dollar of security spend, this may be where we should be focusing for best impact, argues Sidaway.
"That's a challenge where we've always tried to look at individual things, what can it do for business; we're now trying to see how to start sharing information across multiple companies to help combat the threats. And we're starting to see barriers break down as well, first across the organization and then the wider networks."
From a business perspective we're seeing a move towards managed security programs, he adds. Individually the events come off as a lot of noise in the network, but managed security systems start picking out anomalies such as Joe Smith having had 3 failed log-ins in one system, 4 in another and 3 more in a third.
"If I look at the global network we see a lot of information traversing our network that is individual. How do we tie those things together to indicate a compromise? New York, Boston, a UK office, invariably businesses are monitoring those individually. If there's a failed log-in here and there, events are not tied together. We need a system that gives visibility across the organization and that is an indication we have been compromised somewhere."
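The correlation Sidaway describes, as an added example that is not part of the article or of NTT Com Security's tooling: a few failed log-ins per system never trip a per-system lockout, but summed for one account across systems within a short window they stand out. The log lines, the system names (vpn-nyc, owa-bos, sso-uk) and the thresholds are all constructed for the illustration.

```python
"""Cross-system failed-login correlation (added example, constructed data).

Each system on its own sees only a handful of failures for one account, below
a typical per-system lockout; only the cross-system view reveals the pattern.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "<ISO timestamp> <system> <user> <result>".
# System names are hypothetical; jsmith mirrors the "3, 4 and 3 more" case.
SAMPLE_LOGS = """\
2024-03-01T09:00:05Z vpn-nyc jsmith FAIL
2024-03-01T09:00:41Z vpn-nyc jsmith FAIL
2024-03-01T09:01:10Z vpn-nyc jsmith FAIL
2024-03-01T09:02:00Z owa-bos jsmith FAIL
2024-03-01T09:02:30Z owa-bos jsmith FAIL
2024-03-01T09:03:02Z owa-bos jsmith FAIL
2024-03-01T09:03:40Z owa-bos jsmith FAIL
2024-03-01T09:04:15Z sso-uk jsmith FAIL
2024-03-01T09:04:50Z sso-uk jsmith FAIL
2024-03-01T09:05:20Z sso-uk jsmith FAIL
2024-03-01T09:05:55Z sso-uk jsmith OK
2024-03-01T09:01:00Z vpn-nyc adoe FAIL
2024-03-01T11:30:00Z vpn-nyc adoe FAIL
"""


def parse_events(text):
    """Parse the constructed log format into (timestamp, system, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, system, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), system, user, result))
    return events


def per_system_lockouts(events, threshold=5):
    """The siloed view: {(user, system): failures} for pairs at or above `threshold`.

    On the sample data this returns nothing, because no single system sees
    `threshold` failures for the account.
    """
    counts = Counter((user, system) for _, system, user, result in events if result == "FAIL")
    return {key: n for key, n in counts.items() if n >= threshold}


def correlate_failures(events, window=timedelta(minutes=10), min_systems=2, min_total=8):
    """The cross-system view: {user: {system: failures}} for users whose failed
    log-ins inside any `window` span at least `min_systems` systems and total
    at least `min_total`. The reported counts are those of the busiest window."""
    by_user = defaultdict(list)
    for ts, system, user, result in sorted(events):
        if result == "FAIL":
            by_user[user].append((ts, system))

    alerts = {}
    for user, fails in by_user.items():
        best = None
        start = 0
        # Sliding time window over this user's failures in chronological order.
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            counts = Counter(system for _, system in fails[start:end + 1])
            total = sum(counts.values())
            if len(counts) >= min_systems and total >= min_total:
                if best is None or total > best[0]:
                    best = (total, dict(counts))
        if best is not None:
            alerts[user] = best[1]
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOGS)
    print("per-system lockouts:", per_system_lockouts(evs))
    print("cross-system alerts:", correlate_failures(evs))
```

The two functions run over the same events: the per-system check stays silent for jsmith (3, 4 and 3 failures never reach a lockout of 5), while the correlated view reports 10 failures across three systems inside six minutes. adoe's two failures hours apart fall outside the window and raise nothing.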
The dream of collaboration starts to pick up when it includes disparate third parties, such as an online shopping site or cable provider, that alert other providers they've been attacked and that they may want to lock down their systems. Sharing information across networks will be challenging, often coming down to an accepted taxonomy that allows for sharing and collaborating in a public domain, but we should start to see some of that collaboration coming through in the near future.
"The way we work today will be very different tomorrow, so you have to start looking at the problem in a different way. Instead of bolting on security we need to embed it, so that allows us to change the business model because we know it's built into what we do. Financial services will constantly drive a lot of what we see in terms of shifting models, but it applies across the board now. The old adage that I am not a target, it's gone. It doesn't matter where hackers get information now, they can use it to compromise other areas."