09:00 AM
Ryan Naraine
Ryan Naraine
Connect Directly

Assessing the Security Disconnect: Knowledge + Investment = Power

Despite the rise in cyber attacks and risks to corporate networks, identifying cost-effective solutions continues to prove difficult for security professionals.

Sophisticated cyber espionage operations against companies like Lockheed Martin, BAE Systems, and Boeing are no longer raising eyebrows. If you pay attention to the threat intelligence being published on these attacks, it's clear there's no shortage of adversaries investing heavily in pilfering trade secrets from these high-value targets. Data and blueprints on military equipment like fighter jets, satellites, and warships is big business.

The sheer volume of these attacks can be startling. Lockheed acknowledges these attacks have more than quadrupled since 2007, with more than 40 distinct organizations actively targeting its networks this year.

As an industry, we have a fairly solid understanding of the threat landscape in the world of nation-state cyber espionage, but at the lower level, in such industries as banking, healthcare, and education, it's incredibly disappointing that there's such a disconnect between acknowledging the threats and committing to the investment required to protect valuable corporate networks.

The results of a recent Ponemon Institute study are rather depressing. After surveying 755 IT security professionals who are involved in protecting organizations from targeted attacks, the study found that current technology controls against advanced persistent threats (APTs) "are not working," and, inexplicably, business are still struggling to figure out the most basic defenses against malware attacks.

Here's an example. Security professionals know for a fact that the use of third-party software from Oracle (Java) and Adobe (Reader and Flash) pose the most risk in an organization. Hacking groups have access to zero-day vulnerabilities -- and exploits -- that combine social engineering and clever techniques to easily install malware on corporate networks.

We know this.

Despite these risks, 75% of those surveyed by the Ponemon institute acknowledged that their companies continued to use Java and Reader in the production environment -- knowing that vulnerabilities exist and a viable security patch is unavailable.

What's the explanation for this? In two words: budget constraints. The security professionals explained that the company could not afford the cost of downtime waiting for the patch to be implemented; or they simply did not have the professional staff or investments available to implement a security patch.

On average, it took about 225 days to detect APTs launched against an organization.

This is the kind of disconnect between awareness and responsiveness that will keep news about targeted attacks on the front pages of mainstream newspapers around the world.

The more I talk to security professionals responsible for defending corporate networks, it's clear they are resigned to chasing their tails. The hackers are winning the cat-and-mouse game despite the availability of intrusion detection systems, corporate firewall technologies, and intrusion prevention systems.

But all is not lost. There are proactive approaches that can work to minimize risk exposure in a cost-effective way, and it's very important to start paying attention to available threat intelligence and use things like Indicators of Compromise and exploit mitigation technologies to add to existing solutions.

Threat intelligence reports can provide a useful snapshot of what's happening out there. Read them and use the data to help map out your strategy.

If you haven't deployed Microsoft EMET (Enhanced Mitigation Experience Toolkit) yet, this should be an immediate priority. EMET is a very popular security tool that helps manage security mitigations for applications running in a corporate environment. Security mitigations like Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) can help make vulnerabilities very hard or even impossible to exploit reliably.

Stop the attacker at the door and save yourself the nightmare of cleaning up and recovering from a debilitating attack. High-quality anti-malware solutions that provide proactive exploit blocking can also give you a leg up on attackers.

As Head of Global Research & Analysis Team, USA, Ryan is responsible for the anti-malware development work and security research of Kaspersky Lab's experts in the region.Ryan brings more than a decade of experience in monitoring the threat landscape. Prior to joining ... View Full Bio
Comment  | 
Print  | 
More Insights
More Commentary
Moving the Trader Closer to the Investment Process
The sell side can demonstrate more value by applying analytics to pre- and post-trading, and by educating buy-side clients about broker segmentation, trading behavior and algorithm shortcomings, and more.
Wirehouses May See More Independent BDs as Retention Packages Expire
Retention bonuses are expiring, leaving brokerages vulnerable to attrition. Is access to technology making it easier for brokers to go independent?
SCI: A Whale of a Regulation
The SEC's Reg SCI weights in at a whopping 742 pages. Here is what you need to know about the oversized regulation.
One Size Fits Nobody in End User Services
How building profiles from employees' roles and behaviors can help optimize your end user services.
'Enlightened' Non-IT Execs More Likely To Run Secure Organization
Do senior executives understand their role in data security? On the whole, unsurprisingly, no.
Register for Wall Street & Technology Newsletters
White Papers
Current Issue
Wall Street & Technology - Elite 8, October 2014
The in-depth profiles of this year's Elite 8 honorees focus on leadership, talent recruitment, big data, analytics, mobile, and more.