09:00 AM
Ryan Naraine
Ryan Naraine
Connect Directly

Assessing the Security Disconnect: Knowledge + Investment = Power

Despite the rise in cyber attacks and risks to corporate networks, identifying cost-effective solutions continues to prove difficult for security professionals.

Sophisticated cyber espionage operations against companies like Lockheed Martin, BAE Systems, and Boeing are no longer raising eyebrows. If you pay attention to the threat intelligence being published on these attacks, it's clear there's no shortage of adversaries investing heavily in pilfering trade secrets from these high-value targets. Data and blueprints on military equipment like fighter jets, satellites, and warships is big business.

The sheer volume of these attacks can be startling. Lockheed acknowledges these attacks have more than quadrupled since 2007, with more than 40 distinct organizations actively targeting its networks this year.

As an industry, we have a fairly solid understanding of the threat landscape in the world of nation-state cyber espionage, but at the lower level, in such industries as banking, healthcare, and education, it's incredibly disappointing that there's such a disconnect between acknowledging the threats and committing to the investment required to protect valuable corporate networks.

The results of a recent Ponemon Institute study are rather depressing. After surveying 755 IT security professionals who are involved in protecting organizations from targeted attacks, the study found that current technology controls against advanced persistent threats (APTs) "are not working," and, inexplicably, business are still struggling to figure out the most basic defenses against malware attacks.

Here's an example. Security professionals know for a fact that the use of third-party software from Oracle (Java) and Adobe (Reader and Flash) pose the most risk in an organization. Hacking groups have access to zero-day vulnerabilities -- and exploits -- that combine social engineering and clever techniques to easily install malware on corporate networks.

We know this.

Despite these risks, 75% of those surveyed by the Ponemon institute acknowledged that their companies continued to use Java and Reader in the production environment -- knowing that vulnerabilities exist and a viable security patch is unavailable.

What's the explanation for this? In two words: budget constraints. The security professionals explained that the company could not afford the cost of downtime waiting for the patch to be implemented; or they simply did not have the professional staff or investments available to implement a security patch.

On average, it took about 225 days to detect APTs launched against an organization.

This is the kind of disconnect between awareness and responsiveness that will keep news about targeted attacks on the front pages of mainstream newspapers around the world.

The more I talk to security professionals responsible for defending corporate networks, it's clear they are resigned to chasing their tails. The hackers are winning the cat-and-mouse game despite the availability of intrusion detection systems, corporate firewall technologies, and intrusion prevention systems.

But all is not lost. There are proactive approaches that can work to minimize risk exposure in a cost-effective way, and it's very important to start paying attention to available threat intelligence and use things like Indicators of Compromise and exploit mitigation technologies to add to existing solutions.

Threat intelligence reports can provide a useful snapshot of what's happening out there. Read them and use the data to help map out your strategy.

If you haven't deployed Microsoft EMET (Enhanced Mitigation Experience Toolkit) yet, this should be an immediate priority. EMET is a very popular security tool that helps manage security mitigations for applications running in a corporate environment. Security mitigations like Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) can help make vulnerabilities very hard or even impossible to exploit reliably.

Stop the attacker at the door and save yourself the nightmare of cleaning up and recovering from a debilitating attack. High-quality anti-malware solutions that provide proactive exploit blocking can also give you a leg up on attackers.

As Head of Global Research & Analysis Team, USA, Ryan is responsible for the anti-malware development work and security research of Kaspersky Lab's experts in the region.Ryan brings more than a decade of experience in monitoring the threat landscape. Prior to joining ... View Full Bio
Comment  | 
Print  | 
More Insights
More Commentary
A Wild Ride Comes to an End
Covering the financial services technology space for the past 15 years has been a thrilling ride with many ups as downs.
The End of an Era: Farewell to an Icon
After more than two decades of writing for Wall Street & Technology, I am leaving the media brand. It's time to reflect on our mutual history and the road ahead.
Beyond Bitcoin: Why Counterparty Has Won Support From Overstock's Chairman
The combined excitement over the currency and the Blockchain has kept the market capitalization above $4 billion for more than a year. This has attracted both imitators and innovators.
Asset Managers Set Sights on Defragmenting Back-Office Data
Defragmenting back-office data and technology will be a top focus for asset managers in 2015.
4 Mobile Security Predictions for 2015
As we look ahead, mobility is the perfect breeding ground for attacks in 2015.
Register for Wall Street & Technology Newsletters
White Papers
Current Issue
Wall Street & Technology - Elite 8, October 2014
The in-depth profiles of this year's Elite 8 honorees focus on leadership, talent recruitment, big data, analytics, mobile, and more.