Security

09:00 AM
Ryan Naraine
Ryan Naraine
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Assessing the Security Disconnect: Knowledge + Investment = Power

Despite the rise in cyber attacks and risks to corporate networks, identifying cost-effective solutions continues to prove difficult for security professionals.

Sophisticated cyber espionage operations against companies like Lockheed Martin, BAE Systems, and Boeing are no longer raising eyebrows. If you pay attention to the threat intelligence being published on these attacks, it's clear there's no shortage of adversaries investing heavily in pilfering trade secrets from these high-value targets. Data and blueprints on military equipment like fighter jets, satellites, and warships is big business.

The sheer volume of these attacks can be startling. Lockheed acknowledges these attacks have more than quadrupled since 2007, with more than 40 distinct organizations actively targeting its networks this year.

As an industry, we have a fairly solid understanding of the threat landscape in the world of nation-state cyber espionage, but at the lower level, in such industries as banking, healthcare, and education, it's incredibly disappointing that there's such a disconnect between acknowledging the threats and committing to the investment required to protect valuable corporate networks.

The results of a recent Ponemon Institute study are rather depressing. After surveying 755 IT security professionals who are involved in protecting organizations from targeted attacks, the study found that current technology controls against advanced persistent threats (APTs) "are not working," and, inexplicably, business are still struggling to figure out the most basic defenses against malware attacks.

Here's an example. Security professionals know for a fact that the use of third-party software from Oracle (Java) and Adobe (Reader and Flash) pose the most risk in an organization. Hacking groups have access to zero-day vulnerabilities -- and exploits -- that combine social engineering and clever techniques to easily install malware on corporate networks.

We know this.

Despite these risks, 75% of those surveyed by the Ponemon institute acknowledged that their companies continued to use Java and Reader in the production environment -- knowing that vulnerabilities exist and a viable security patch is unavailable.

What's the explanation for this? In two words: budget constraints. The security professionals explained that the company could not afford the cost of downtime waiting for the patch to be implemented; or they simply did not have the professional staff or investments available to implement a security patch.

On average, it took about 225 days to detect APTs launched against an organization.

This is the kind of disconnect between awareness and responsiveness that will keep news about targeted attacks on the front pages of mainstream newspapers around the world.

The more I talk to security professionals responsible for defending corporate networks, it's clear they are resigned to chasing their tails. The hackers are winning the cat-and-mouse game despite the availability of intrusion detection systems, corporate firewall technologies, and intrusion prevention systems.

But all is not lost. There are proactive approaches that can work to minimize risk exposure in a cost-effective way, and it's very important to start paying attention to available threat intelligence and use things like Indicators of Compromise and exploit mitigation technologies to add to existing solutions.

Threat intelligence reports can provide a useful snapshot of what's happening out there. Read them and use the data to help map out your strategy.

If you haven't deployed Microsoft EMET (Enhanced Mitigation Experience Toolkit) yet, this should be an immediate priority. EMET is a very popular security tool that helps manage security mitigations for applications running in a corporate environment. Security mitigations like Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) can help make vulnerabilities very hard or even impossible to exploit reliably.

Stop the attacker at the door and save yourself the nightmare of cleaning up and recovering from a debilitating attack. High-quality anti-malware solutions that provide proactive exploit blocking can also give you a leg up on attackers.

As Head of Global Research & Analysis Team, USA, Ryan is responsible for the anti-malware development work and security research of Kaspersky Lab's experts in the region.Ryan brings more than a decade of experience in monitoring the threat landscape. Prior to joining ... View Full Bio
Comment  | 
Print  | 
More Insights
More Commentary
The Bankerless Bank
Regulatory upheaval has distracted banks from developing innovative technology. When will banks return their focus to building technology for competitive advantage?
4 Factors Driving Enlightenment & Big-Data Adoption in Regulatory Compliance
Whether seeking to maintain compliance or to drive business value, emerging technologies can unleash tremendous potential.
The Art of Leveraging Governance, Risk & Compliance Technology Tools
Eliminating compliance risk across information channels is a constantly transforming task. Ongoing auditing and auto-corrective technology can increase trust, accountability, and transparency.
The FSB's Swaps Data Aggregation Report, a Technical Review
The Report discusses legal, technological, and regulatory issues to be resolved in order to obtain a complete view of swap transactions around the world.
Raising the Data Management Stakes
Data management can get firms only so far. Advanced data analytics is needed for all business lines and for calculating risk, especially with BCBS 239 on the horizon.
Register for Wall Street & Technology Newsletters
White Papers
Current Issue
Wall Street & Technology - Elite 8, October 2014
The in-depth profiles of this year's Elite 8 honorees focus on leadership, talent recruitment, big data, analytics, mobile, and more.
Video