Security

09:00 AM
Ryan Naraine
Ryan Naraine
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Assessing the Security Disconnect: Knowledge + Investment = Power

Despite the rise in cyber attacks and risks to corporate networks, identifying cost-effective solutions continues to prove difficult for security professionals.

Sophisticated cyber espionage operations against companies like Lockheed Martin, BAE Systems, and Boeing are no longer raising eyebrows. If you pay attention to the threat intelligence being published on these attacks, it's clear there's no shortage of adversaries investing heavily in pilfering trade secrets from these high-value targets. Data and blueprints on military equipment like fighter jets, satellites, and warships is big business.

The sheer volume of these attacks can be startling. Lockheed acknowledges these attacks have more than quadrupled since 2007, with more than 40 distinct organizations actively targeting its networks this year.

As an industry, we have a fairly solid understanding of the threat landscape in the world of nation-state cyber espionage, but at the lower level, in such industries as banking, healthcare, and education, it's incredibly disappointing that there's such a disconnect between acknowledging the threats and committing to the investment required to protect valuable corporate networks.

The results of a recent Ponemon Institute study are rather depressing. After surveying 755 IT security professionals who are involved in protecting organizations from targeted attacks, the study found that current technology controls against advanced persistent threats (APTs) "are not working," and, inexplicably, business are still struggling to figure out the most basic defenses against malware attacks.

Here's an example. Security professionals know for a fact that the use of third-party software from Oracle (Java) and Adobe (Reader and Flash) pose the most risk in an organization. Hacking groups have access to zero-day vulnerabilities -- and exploits -- that combine social engineering and clever techniques to easily install malware on corporate networks.

We know this.

Despite these risks, 75% of those surveyed by the Ponemon institute acknowledged that their companies continued to use Java and Reader in the production environment -- knowing that vulnerabilities exist and a viable security patch is unavailable.

What's the explanation for this? In two words: budget constraints. The security professionals explained that the company could not afford the cost of downtime waiting for the patch to be implemented; or they simply did not have the professional staff or investments available to implement a security patch.

On average, it took about 225 days to detect APTs launched against an organization.

This is the kind of disconnect between awareness and responsiveness that will keep news about targeted attacks on the front pages of mainstream newspapers around the world.

The more I talk to security professionals responsible for defending corporate networks, it's clear they are resigned to chasing their tails. The hackers are winning the cat-and-mouse game despite the availability of intrusion detection systems, corporate firewall technologies, and intrusion prevention systems.

But all is not lost. There are proactive approaches that can work to minimize risk exposure in a cost-effective way, and it's very important to start paying attention to available threat intelligence and use things like Indicators of Compromise and exploit mitigation technologies to add to existing solutions.

Threat intelligence reports can provide a useful snapshot of what's happening out there. Read them and use the data to help map out your strategy.

If you haven't deployed Microsoft EMET (Enhanced Mitigation Experience Toolkit) yet, this should be an immediate priority. EMET is a very popular security tool that helps manage security mitigations for applications running in a corporate environment. Security mitigations like Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) can help make vulnerabilities very hard or even impossible to exploit reliably.

Stop the attacker at the door and save yourself the nightmare of cleaning up and recovering from a debilitating attack. High-quality anti-malware solutions that provide proactive exploit blocking can also give you a leg up on attackers.

As Head of Global Research & Analysis Team, USA, Ryan is responsible for the anti-malware development work and security research of Kaspersky Lab's experts in the region.Ryan brings more than a decade of experience in monitoring the threat landscape. Prior to joining ... View Full Bio
Comment  | 
Print  | 
More Insights
More Commentary
5 Tips On How To Prepare For A Data Breach
If you are a financial institution your cyber security defenses will be breached -- again and again. Here are five tips to respond quickly and minimize damage.
Wall Street CIOs Have a Vendor Management Problem
If Wall Street CIOs want to stay ahead of competition and ensure high-speed trading software doesn't start the next flash crash, they need better insight into vendor delivered software.
Technology Innovation Returns to Financial Services
Capital Markets Outlook 2015: Following a few years dominated by regulatory compliance and cost saving technology initiatives, financial organizations are finally investing in innovative technology and tools.
Voice Biometrics Improve Transaction Monitoring Fraud Detection
Why voice biometrics should be a part of your fraud prevention strategy in the call center.
Fintech Fast Forward 2015
What will shape the future of Fintech in 2015 and beyond?
Register for Wall Street & Technology Newsletters
White Papers
Current Issue
Wall Street & Technology - Elite 8, October 2014
The in-depth profiles of this year's Elite 8 honorees focus on leadership, talent recruitment, big data, analytics, mobile, and more.
Video