Running the Gauntlet
2014 saw major blue-chip organizations within IT, Retail, E-commerce, and Media become victims of cyber theft, and while experts warn 2015 is set for further disasters, organizations continue betting on not being targets rather than addressing the core problems.
2014 was a bad year for cyber security, and many agree 2015 could be even worse. The scale of attacks indicates that cyber crime is not only a considerable challenge but that the criminals are winning.
A previous article summarized a keynote presentation from Melissa Hathaway which reported the current status of cyber security to policy makers. It was reported that a staggering 1% of GDP in the US is lost through theft of IP (intellectual property). A similar survey reports that 2% of GDP is lost as a result of cyber-crime in the Netherlands. While the true figure is not known, the total cost of cyber-crime, including theft of IP, is estimated to be close to 3% of GDP.
Hathaway: “Protecting the value of digital investments is top of mind for global leaders. Countries are provisioning near ubiquitous communications to every household and business, and pursuing a development and modernization agenda to nurture their information society into the digital age. These initiatives promise to increase productivity and efficiency, enhance work force skills, drive innovation and deliver GDP growth. Yet these investments have also created an attractive infrastructure and platform for a wide range of nefarious cyber activities that erode GDP growth. For example, the Netherlands has shown that cyber crime costs Dutch society at least 10 billion Euros per annum, or nearly two percent of their GDP. Germany and the United Kingdom report similar losses. The United States estimates the annual impact of international intellectual property theft to the American economy at $300 billion or one percent of its GDP. Put simply, no country is cyber ready.”
Rather than implement effective security, many organizations are simply gambling that they are not an attractive enough target compared with their peers. This is an increasingly risky approach.
The internet has become a lucrative arena for criminals, activists and terrorists motivated to become noticed, make money, cause havoc or bring down corporations and governments through online attacks. In 2013, IBM reported 1.5 million monitored cyber attacks took place in the US, so it should be no surprise that cyber-security threats are an everyday event and breaches will continue to occur. It is not a question of if but when organizations will be affected.
To make matters worse, cyber criminals are not only hacking the obvious targets such as smart-phones, e-health devices and credit cards; they are beginning to see smart-vehicles, smart-meters, smart-devices and similar network-connected devices as potential targets. The exponential adoption of IoT devices is contributing to the risk. The risk to critical infrastructure is increasing rapidly with our dependency on communications technology.
We have seen security predictions for 2014, so how did these predictions turn out? The Websense 2014 Predictions Accuracy Report shows that security experts identified most key problems correctly. The key prediction in the report concerns the cloud, which has become the preferred location for storing data. Cyber criminals have focused their attention on attacking the cloud, not necessarily the devices connecting to the cloud.
Other predictions that appear to have come true include a shift from simple data theft at corporation level to national level, a decrease in the quantity of new malware resulting in more targeted attacks and cyber criminals targeting the weakest links in the information chain, such as third-party vendors, contractors, point-of-sale devices and out-of-date software.
The major incidents during 2014 in brief include:
Major US retailers reporting that 110 million accounts had been compromised. Passwords and credit card numbers were stolen, significant economic loss occurred, share value and reputation have been impacted and civil lawsuits are in progress.
The Heartbleed bug, which made its presence known in April, affecting an estimated 60% of all websites on the internet. The Heartbleed bug was identified in OpenSSL, which encrypts communications between a user’s computer and a web server, and the bug resulted in exposure of users’ personal information and credit card numbers. What is significant is that OpenSSL is widely used and adopted by many commercial products. OpenSSL is open source software which had been in use for well over a decade, tested and maintained by thousands of skilled developers. No one noticed the serious bug. Heartbleed was a wake-up call for increasing our focus on secure software development and testing techniques, which should be part of the modern development process.
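As an added illustration (not code from the original post or from OpenSSL), the defect class behind Heartbleed: a length field supplied by the peer was trusted, so the server copied that many bytes out of a much shorter buffer and leaked whatever followed it in memory. The toy record format below (1-byte type, 2-byte big-endian length, payload) is an assumption for the example, not the real TLS wire format; the parser shows the bounds check that was missing, and the kind of malformed input a unit test should exercise.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy heartbeat-style record: type(1) | length(2, big-endian) | payload.
 * Simplified layout for illustration, not the exact TLS heartbeat format. */
#define HB_HDR_LEN     3
#define HB_MAX_PAYLOAD 16384

/* Copy the payload of a received record into out. Returns the payload
 * length, or -1 if the record is malformed. The comparison against rec_len
 * is the check Heartbleed lacked: the claimed length was trusted and that
 * many bytes were read past the end of what was actually received. */
int hb_echo_payload(const uint8_t *rec, size_t rec_len,
                    uint8_t *out, size_t out_len)
{
    if (rec == NULL || out == NULL || rec_len < HB_HDR_LEN)
        return -1;
    if (rec[0] != 1)            /* 1 = heartbeat request in this toy format */
        return -1;

    size_t claimed = ((size_t)rec[1] << 8) | rec[2];

    /* Bounds check: the claimed length must fit inside the bytes actually
     * received and inside the caller's output buffer. */
    if (claimed > HB_MAX_PAYLOAD ||
        claimed > rec_len - HB_HDR_LEN ||
        claimed > out_len)
        return -1;

    memcpy(out, rec + HB_HDR_LEN, claimed);
    return (int)claimed;
}

int main(void)
{
    /* Constructed sample records: a well-formed request, and one that
     * claims 65535 payload bytes while carrying only 4. */
    uint8_t good[] = {1, 0x00, 0x04, 'p', 'i', 'n', 'g'};
    uint8_t bad[]  = {1, 0xFF, 0xFF, 'p', 'i', 'n', 'g'};
    uint8_t out[64];

    printf("good record -> %d\n", hb_echo_payload(good, sizeof good, out, sizeof out));
    printf("bad record  -> %d\n", hb_echo_payload(bad, sizeof bad, out, sizeof out));
    return 0;
}
```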
Cyber criminals are not only after personal or financial information. Quite recently, a premier media/film organization suffered a major cyber attack that resulted in upcoming movies being leaked. A nation state was accused of being behind the attacks in an apparent attempt to prevent the release of a film that shows the nation’s leader threatened by assassination. The huge media attention and loss of reputation has resulted in significant losses and the CEO of the organization stepping down.
Each year we see the frequency and severity of security attacks increase, and there is no reason to think 2015 will be any different. Notice that most reported incidents seem to occur in the US, not the EU. This is because the US has existing legislation which requires prompt reporting of incidents. Similar legislation is due to come into effect within the EU. There will be harsher measures within the EU on companies who are not adequately prepared for security breaches, and it is possible that, as in the US, we will see CSOs or even CEOs lose their jobs as a result. A previous article summarized amendments to the EU Data Protection Act. Briefly, the new EU Data Protection Act will take effect in 2016 and will require disclosure after a breach.
Quite possibly during 2015, there will be an attack on an even larger scale, which will have global effect, so large and far-reaching that it will change the management agenda of many companies.
While this is not new for the US, expect to see insurance companies offering insurance packages in the EU to cover economic losses from security breaches. However, the insurance companies will insist on a minimum security baseline if they are to offer coverage. Expect to see some interesting developments within this area.
More attacks, Less Change?
2015 will continue to demonstrate security is everyone’s problem.
According to Ernst & Young’s findings in its Get Ahead of Cybercrime report, organizations remain largely unprepared. For the most part, the report claims, organizations lack the awareness, budget and skills to prevent a cyber attack.
EY’s global cyber security leader Ken Allan says “This expansion of cyber crime is not being matched by a corresponding expansion in the capability of organizations to manage the risk, creating an ever increasing gap. All of this contributes to a greater likelihood that a cyber attack will have serious negative consequences, potentially leading to the ultimate demise of an organization.”
Of the 1,825 organizations surveyed, 67 per cent face rising threats in their information security risk environment, and 37 per cent have no real-time insight into cyber risks necessary to combat these threats. Despite an increase in attacks, 43 per cent said their organization’s budget will stay approximately the same, and 53 per cent believe a lack of skilled resources is another obstacle in defeating cyber crime.
“Cyber crime is not slowing down for a number of reasons,” says Allan. “Firstly, the level of opportunity for criminals to profit from crime continues to grow. We not only have the sale of commodity information such as credit card details, we also have the sale of sensitive business information, such as intellectual property.”
“There is more to attack now. As businesses expand their digital footprint to create more channels or more cost effective ways to market, there are greater opportunities for cyber criminals.”
“Lastly there is the inevitable adoption of mobile devices and the increasing connection of the Internet of Things, again increasing the footprint that can be attacked.”
Ken Allan says there are three roadblocks.
- First is lack of agility, as organizations admit there are still known vulnerabilities in their cyber defenses and they are not moving fast enough to mitigate these.
- Second, more organizations are reporting that their information security budgets will not increase, meaning they are unable to face growing threats effectively.
- Third is the lack of cyber-security specialists. Organizations need to build skills in non-technical disciplines, such as analytics, to integrate cyber security into the core business.
“The approach organizations need to take to get ahead of cyber crime has little to do with technology. Organizations have to ensure they are adaptable to business needs, and incorporating cyber security strategy into business decisions,” says Allan.
“They also have to have a clear view of what it is they want or need to protect. Identifying the so-called crown jewels is essential. This implies a differential approach where some assets are better protected than others.”
The Websense 2015 Security Predictions Report states that cyber espionage, the Internet of Things, healthcare, credit-card theft and mobile attacks are the biggest cyber threats to come in the next 12 months.
“Cyber crime will continue to boom in 2015 as we see more criminals enter the profession not wanting to miss out. The reason for this is simply that cyber crime pays; the rewards heavily outweigh the risks. The likelihood of getting caught is very small in comparison to other serious crimes, plus there is a low cost of entry, as the tools needed to attack even the most comprehensive security systems are incredibly cheap when compared with what could be gained.”
The hacks themselves are getting easier: An attacker doesn’t necessarily have to have the knowledge of an exploit or delivery mode to have a successful campaign; they can go to market and buy those things. They are not individuals anymore. This is organized crime.
Healthcare systems in particular provide an attractive target for cyber criminals because patient records hold a treasure trove of data that is valuable to an attacker; no other single type of record contains so much personally identifiable information that can be used in a multitude of follow-up attacks and various types of fraud.
The Internet of Things presents another problem for 2015 and will change the security landscape in cyberspace. For the moment consumer products and household items do not present the main security threat: business use will be the main focus. Websense forecasts that there will be at least one major breach of an organization via a newly introduced Internet-connected device, most likely through a programmable logic controller, or similar connected device, in a manufacturing environment.
Spurred by the major incidents in 2014, the retail industry is under the spotlight. According to Websense the game is changing. Although credit-card theft through point-of-sale systems is the norm, credit cards are now being hacked and then put up for sale on carding sites world-wide. Of course, when a credit card is flagged as stolen and then cancelled, the value of the card decreases; the criminals simply hack another site to gather more cards.
Furthermore, Websense predicts, cyber espionage will be hard to control, as countries are already fighting a cyber war through economic, industrial, military and political means.
The Sandworm zero-day exploit made big headlines when its discovery was revealed in October. Part of the reason was the technical implications, but the other was the impact. We know that at least one hacking group used the vulnerability to target critical infrastructure, a trend that will continue in 2015.
Mobile phone attacks are not solely seen as ways to crack the pass code or to steal data from the device itself any more, but increasingly as a way to steal information from the cloud it is connected to. As businesses tend to rely on the cloud to store data, a variety of devices, such as desktop PCs, mobile phones and tablet PCs, will have access to it, meaning cyber criminals will be able to hack into the business’s cloud platform through a mobile and gain more company data.
2015 will bring more Heartbleeds, Shellshocks and high-profile cyber-security breaches.
Users today have too much access to too many resources, from too many places, using too many identities, and this cannot be allowed to continue. Identity and Access Management will become the most important first step to regain control over access to data.
As I mentioned in a previous article, there is a proliferation of passwords and a common misunderstanding of how secure passwords are. Alternatives to passwords will be used sooner or later.
IT has become ‘de-perimeterized’ as a result of cloud and mobile technologies; traditional controls such as firewalls are now inadequate on their own, and identity management solutions have become more important, with identity as the new perimeter. It is only logical that this will lead to a rise in cloud-based identity management services, so-called identity as a service or IDaaS, where new features can be added incredibly fast as needs dictate, compared with traditional on-premises software products.
The latest news is that Capgemini Group has established a global Cyber Security business unit. The business unit brings together the Group’s established capabilities in cyber security, including 2,500 Capgemini professionals with proven cyber security skills – consultants, auditors, architects, R&D specialists and ethical hackers – its network of five Security Operations Centers (SOCs) across the world and a broad ecosystem of technology partners. With plans for high double-digit growth over the next twelve months, this new portfolio of leading-edge security services is designed to allow organizations to embrace digital transformation securely and leverage the power of SMACT technologies – social, mobile, analytics, cloud and internet of things (IoT) – with confidence.
Frank Greverie, who manages the new business unit, also posted on Expert Connect, where he highlighted the importance of putting Cyber Security at the heart of digital transformation.
Although individuals are being advised to protect their passwords better, the real change must come from organizations, as they have a much greater opportunity to combat cyber crime. There needs to be more focus on finding alternatives to passwords, increased use of multi-factor authentication to compensate for the deficiencies of passwords, and a focus on reducing the explosion of user identities – so businesses should demand that their SaaS application providers support federated authentication. Capgemini is currently developing an IDaaS offering as part of its global Cyber Security offering. Keep posted for further announcements.
Threat intelligence and threat knowledge-sharing (using big-data and predictive analytics) shows growing promise, representing a real opportunity to turn the tables on the bad guys. Currently there are a number of obstacles to its success, including the relative quality of the data involved and how complicated it can be to share.
Automated security solutions still lack the human factor, i.e. the judgment needed to make sure that the countermeasures they prescribe are not worse than the security incident or threat they address. The ideal approach will leverage computers for information collection and analysis, but rely on humans to fine-tune the response. Watch out for significant progress within this area.
Find out more at www.capgemini.com/cybersecurity and in the SMACT blog series.