May 24, 2013 By Larry Karisny
In this three-part series, the researched facts will convince you that if you own a computer, are a government employee or run a business, you have already been cyber-compromised. That is not even the bad news. The bad news is that, according to the statistics, things are getting much worse.
Vulnerabilities are Real and Increasing
The volume of cyberattacks on the Internet, private enterprise and industrial control systems, and the number of vulnerabilities they exploit, are reaching alarming thresholds. As our usage of and dependency on these information systems have increased, so have the attacks on those systems. Panda Security’s anti-malware laboratory published its latest Quarterly Report, analyzing IT security events and incidents from January through March 2013. In the first quarter of 2013 alone, more than six and a half million new malware samples were created. Trojans set a new record, causing nearly 80 percent of all computer infections worldwide. Recently the largest denial of service attack ever to hit the Internet targeted the websites of major banks, slowing down and even stopping transactions. It is clear that the technologies we use to protect our information technology networks have reached their scalability and capability limits.
Even private enterprise information systems are not safe from these security shortcomings. A recent Dell SonicWALL customer survey found that 68 percent of all corporate employees cannot identify fraudulent attacks on the corporate network. The CEB, a member-based advisory service formerly known as the Corporate Executive Board, compiled some practical concerns in cybersecurity over several years. A recent survey of 165,000 employees showed 93 percent of workers knowingly violate policies designed to prevent data breaches. These are staggering numbers underlining the potential vulnerability of corporate intellectual property or even a government’s state secrets.
Current Security Technologies Not Enough
Even when security precautions are taken, the security technologies on which businesses spend billions of dollars have their limits. A recent RSA conference expert security panel admitted that it's time to prepare for a post-crypto world. Recent breaches have validated these concerns. More than 50 million users of the daily deals site LivingSocial were asked to reset their passwords after hackers attacked the company's servers and potentially made off with personal data. The cyberattack resulted in unauthorized access to customer data on the company's servers, including names, email addresses, dates of birth and encrypted passwords. When these breaches of encrypted information are combined with the problems of key mismanagement, key theft and unencrypted chip sets, it is clear that current key encryption technologies, storage and transport methodologies must be changed.
Intrusion Detection System (IDS) security fares no better, with experts stating that it may be time to dump anti-virus as endpoint protection. One of the biggest problems we have in cybersecurity, as stated earlier, is our increasing inability to even see malicious file attacks. For example, when Google analyzed the performance of four anti-virus engines in a recent research paper on new reputation-based techniques to stop malicious downloads, the company found that the best scanner caught at most 25 percent of malicious files from the Internet. Combining all four engines only resulted in 40 percent of the malicious files being detected.
The AV-TEST Institute registers over 200,000 new malicious programs every day, with 1,000 new attacks directed towards Android smartphones daily. These attacks are not only increasing in volume, they are getting nastier -- some can morph, hide and activate at a later time upon request. With no end of malicious attacks in sight, it is clear current intrusion detection systems must also find new ways to detect and block malware.
Is the Perfect Crime Reaching a Trillion Dollars?
Without a shot fired or a hostage taken, one of the largest global bank robberies took $45 million in cash from hundreds of ATMs around the world. This is the new signature of cybercrime: fast, easy and no one gets hurt. Sadly, even these heists can be considered chump change next to the most expensive robbery of all, intellectual property (IP) theft. With McAfee executives estimating IP theft at a trillion dollars, it is clear that this is where the most damage can be done. If the perfect crime is one that goes completely undetected, then corporate cybercrime is a prime example. Corporations and governments are being breached daily, and as the studies cited above show, the victims are often completely unaware that their corporate information assets are being stolen.
Cybercriminals anonymously target a corporation's confidential information, then leave without a trace, using or selling the information for economic gain. A dollar in IP theft is not just a dollar: the return on that investment can be multiplied many times over, generating recurring revenues and paychecks that in turn produce more money and jobs over decades. Sadly, these most valuable IP assets are the ones being targeted and successfully attacked, and there is one disturbing difference from conventional theft. A bank robbery loss can be seen and measured in dollars. IP is simply duplicated, leaving little trace of the theft. These types of breaches are often discovered only years later, in products coming out of someone else's factories or in the development of an adversary's defense systems. For every dollar in IP theft, thousands of dollars can be lost.
Criminals don’t even have to work very hard. Their efforts are now targeted toward browsers, operating systems and applications that are easily exploited via employee endpoints. This is a far simpler path into the corporate network than attacking the network directly. Unpatched “zero-day” vulnerabilities allow cybercriminals to secretly install malware on employee endpoint devices and gain essentially the same level of access to the corporate network, applications and data that the employees themselves have. And it doesn’t cost much. A BYOD smartphone as the new endpoint, together with some readily available exploit software and hardware, is the new hacking capability that could absolutely devastate a corporate, government or critical infrastructure control system.
Exploit Tools, Offense or Defense?
One of the most disturbing developments in cyberwar has been the development and use of exploit tools that effectively assist hackers. With little regulation and few if any laws on the books, these tools are being sold globally. They target vulnerabilities in software and in network devices like smartphones, or even in complete control systems operating critical infrastructure applications like the power grid. These exploit programs can be built by anyone and, once demonstrated, can be offered not only to the company whose product was compromised but also to the highest bidder who wants the exploit tool.
Whether black hat or white, there is no doubt that the cyberattack game is on and it needs to be taken seriously. If these attacks are not taken seriously, there will be a great loss of money, property or even life. We need to divert the money currently focused on offensive cyberexploits and start directing it towards defensive cyberprotection.