09:00 AM
Ryan Naraine

Assessing the Security Disconnect: Knowledge + Investment = Power

Despite the rise in cyber attacks and risks to corporate networks, identifying cost-effective solutions continues to prove difficult for security professionals.

Sophisticated cyber espionage operations against companies like Lockheed Martin, BAE Systems, and Boeing are no longer raising eyebrows. If you pay attention to the threat intelligence being published on these attacks, it's clear there's no shortage of adversaries investing heavily in pilfering trade secrets from these high-value targets. Data and blueprints on military equipment like fighter jets, satellites, and warships is big business.

The sheer volume of these attacks can be startling. Lockheed acknowledges these attacks have more than quadrupled since 2007, with more than 40 distinct organizations actively targeting its networks this year.

As an industry, we have a fairly solid understanding of the threat landscape in the world of nation-state cyber espionage, but at the lower level, in such industries as banking, healthcare, and education, it's incredibly disappointing that there's such a disconnect between acknowledging the threats and committing to the investment required to protect valuable corporate networks.

The results of a recent Ponemon Institute study are rather depressing. After surveying 755 IT security professionals who are involved in protecting organizations from targeted attacks, the study found that current technology controls against advanced persistent threats (APTs) "are not working," and, inexplicably, businesses are still struggling to figure out the most basic defenses against malware attacks.

Here's an example. Security professionals know for a fact that the use of third-party software from Oracle (Java) and Adobe (Reader and Flash) poses the most risk in an organization. Hacking groups have access to zero-day vulnerabilities -- and exploits -- that combine social engineering and clever techniques to easily install malware on corporate networks.

We know this.

Despite these risks, 75% of those surveyed by the Ponemon Institute acknowledged that their companies continued to use Java and Reader in the production environment -- knowing that vulnerabilities exist and a viable security patch is unavailable.

What's the explanation for this? In two words: budget constraints. The security professionals explained that the company could not afford the cost of downtime waiting for the patch to be implemented; or they simply did not have the professional staff or investments available to implement a security patch.

On average, it took about 225 days to detect APTs launched against an organization.

This is the kind of disconnect between awareness and responsiveness that will keep news about targeted attacks on the front pages of mainstream newspapers around the world.

The more I talk to security professionals responsible for defending corporate networks, the clearer it is that they are resigned to chasing their tails. The hackers are winning the cat-and-mouse game despite the availability of intrusion detection systems, corporate firewall technologies, and intrusion prevention systems.

But all is not lost. There are proactive approaches that can work to minimize risk exposure in a cost-effective way, and it's very important to start paying attention to available threat intelligence and use things like Indicators of Compromise and exploit mitigation technologies to add to existing solutions.

Threat intelligence reports can provide a useful snapshot of what's happening out there. Read them and use the data to help map out your strategy.

If you haven't deployed Microsoft EMET (Enhanced Mitigation Experience Toolkit) yet, this should be an immediate priority. EMET is a very popular security tool that helps manage security mitigations for applications running in a corporate environment. Security mitigations like Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) can help make vulnerabilities very hard or even impossible to exploit reliably.

Stop the attacker at the door and save yourself the nightmare of cleaning up and recovering from a debilitating attack. High-quality anti-malware solutions that provide proactive exploit blocking can also give you a leg up on attackers.

As Head of Global Research & Analysis Team, USA, Ryan is responsible for the anti-malware development work and security research of Kaspersky Lab's experts in the region. Ryan brings more than a decade of experience in monitoring the threat landscape. Prior to joining ...