The last few years have seen innumerable developments in the field of information security, as it races to keep up with increasingly innovative and sophisticated groups of cyber criminals.
Perhaps most significantly, computer crime has become entrenched in public consciousness following a string of high-profile hacking and data-loss incidents that have been given the shock-horror treatment by the national media. The stakes have risen high, as the damage to an organisation’s reputation following a breach can now result in far greater losses than those incurred through rebuilding systems or paying fines, while the obligation to comply with the growing volume of regulation eats into budgets with absolutely no gain.
Rick Howard, director of intelligence at VeriSign iDefense, monitors ‘the other side’ and says cyber criminals are also adapting, becoming commercialised and business-focused – in essence they are developing a sophisticated underground economy. Malware developers, for example, are building commercially available ‘botnet’ services, offering regular updates to assure users that their services are protected, he says. The developers state, without a hint of irony, that it is illegal and a breach of copyright for users to forward the programs to anti-virus companies or use them to control competing botnets.
“There are stock markets for sites that have been compromised by iFrames exploits (which redirect visitors to malicious websites), with popular high-traffic sites receiving higher bids,” he explains. “iFrames exploits are not new – what’s new is the underground economy and sub-community exploiting them.”
Beyond money, politically motivated attacks have increased in recent years.
“The Russian attacks on
Beyond cyber-vandalism, espionage is a key concern. “
And while Howard believes cyber terrorism is more likely to be an appendage to a future attack rather than the sole modus operandi – certainly Islamic extremists are using computer crime to fund their activities, and continuing the parallel to legitimate businesses, are outsourcing some of their malware development to
High gain, low pain
For hackers, the risk is low and the potential financial gain is huge. VeriSign security consultant, Jonathan Care, says hackers are increasingly “serious, organised and showing monetary intent” – while the risks to them remain marginal.
“I was talking to one, and his preferred method was to go to
In contrast, the risk for companies is high and the losses potentially devastating. Reams of compliance legislation aimed at protecting sensitive data from exploitation “has seen the information security group shift into doing more risk management work,” says Howard Schmidt, president of the Information Security Forum and former chief of security of both Microsoft and eBay. “Information security is no longer a technology problem, it’s a business problem. I think we finally recognise that.”
“When eBay opened PayPal operations in the
Increasingly, says Schmidt, “information security is being baked into infrastructure. System integrators and big companies providing ICT services no longer build something and bolt security on afterwards.” But that doesn’t address the security of legacy systems and an “ICT system built on a house of cards.”
“Banks in Africa and the
He is also concerned about emerging platforms, particularly the mobile devices he says are gaining all the functionality of a PC without the security.
“The bad guys know it and they are talking about it. We’re downloading things freely on mobile devices, but how do I know a game I downloaded is not keystroke logging?” he asks.
A final trend is the security industry’s shift from a ‘blocking’ model to an ‘enabling’ model, a trend driven by the realisation that security, while important, remains subservient to business objectives and the need to empower employees and customers rather than inhibit them.
Sophos CEO Steve Munford says this pragmatic realisation demands an industry-wide rethink, and “a policy framework that recognises you cannot be completely secure.”
“All too often [businesses] look at limiting the rights of employees and locking them down. The reality, particularly in Web 2.0, is that if you limit them you limit the pool of [intellectual] capital you can draw on and stifle creativity. It is important to educate employees about good practice and have safeguards in place if they do have an incident, to catch it and stop it affecting the business.”
“You can get too fearful,” agrees Howard. “[Cyber criminals] are not super-human, and we can put the processes there to protect organisations. I think we’ll get there.”