hp computer weekly - effective cyber crime strategy

Don’t let crime rule your network – building an efficient cyber crime strategy

A ComputerWeekly report in association with HP


Posted on 17-Jul-2015



With cyber attacks becoming more sophisticated and widespread, companies must start taking stronger measures to prevent and tackle them. Lisa Kelly reports


CIOs are facing a security challenge on an unprecedented and growing scale as their organisations operate in a dynamic and interconnected environment, putting them at greater risk of cyber attack.

Companies are at risk from a growing number of cyber criminals, new and sophisticated strains of malware, and state-sponsored cyber espionage.

While enterprises enjoy the benefits of working any time, anywhere, the flip-side of using multiple devices, cloud and trends such as bring your own device (BYOD) is that companies need to be more proactive in the way they manage risk.

The concept of a defendable enterprise perimeter that can be shored up against the flood of attacks from both organised criminals and governments is dead, but the playing field is far from level, with the market for cyber crime estimated at $104bn, according to research by HP – twice the money spent worldwide on protecting information assets.

Paul Vlissidis, technical director at the NCC Group, says the perimeter has been stretched beyond recognition due to new technologies. “The world is now highly mobile, cloud is becoming mainstream and trends such as bring your own device (BYOD) are increasing,” he says.

“Corporate data is in the cloud so it renders the idea of the perimeter as useless; it is a 1990s security mindset. This doesn’t mean unplug the firewall, but organisations have to think about how information is structured and flows through not just their own networks, but the whole cyber world,” adds Vlissidis.

With criminals directing so many resources at attacks, it is no longer a case of if you are targeted, but of when, as one IT specialist comments: “Noise at the perimeter is just noise. A hacker who has researched and targeted an organisation will almost certainly find their way in. Organisations need to put in place security controls, but best practice is also about monitoring threats and responding appropriately when attacks happen. The challenge for an IT leader is to have an appropriate response strategy.”

Rising cyber crime calls for greater security

Eric Ahlm, an analyst for Gartner, says security technologies are evolving to detect the unknown and overlooked. “One of the key goals of both government and private-sector buyers in augmenting their cyber security practice is to deal with very sophisticated attacks that target their users or organisations directly and can remain persistent in their networks for long periods of time until a deadly attack, such as massive data exfiltration, can be fully executed by the attacker,” he says.

Focusing only on the perimeter and spending up to 80% of the security budget on perimeter defences is no longer tenable, and activities should instead be directed at disrupting potential attackers.

Gartner confirms that recent sophisticated targeted attacks show preventative security systems alone, such as firewalls, intrusion prevention systems, antivirus software and other controls, although beneficial, can miss such attacks.

“What is missing in many of these preventative controls is the ability to detect unknown malware, find currently compromised systems and, in general, find the attacks that succeed or are missed by current security controls. The need to mix more detective controls has been a catalyst in evolving security technologies and services,” says Ahlm.

Vlissidis says the front line is now the desktop, as users deep within the organisation are being targeted: “Phishing emails are aimed at users who are in the soft centre of an organisation. There needs to be an acceptance that the network is exposed and to protect it; different islands or zones of security are required, but the bigger the network, the harder it is to kick out the threat.”

Organisations must be absolutely clear about how they respond to an attack, and need to understand what has happened before they make announcements and claim a threat has been detained, only to find they are hit again a week later.

“Once the security basics are in place, organisations need to focus on reducing impact and understanding how to recover more quickly,” says Nunn-Price.

Tightened security

He believes that with the growth of trends such as BYOD and the proliferation of powerful devices used in both work and home environments, coupled with the often international aspect of a breach, where different countries handle security breaches differently, it can take days to get to the bottom of what exactly has gone on and which assets have been hit. “Proactively monitoring what has happened on your network and how to respond is a major challenge for an IT director,” says Nunn-Price.

In the face of a relentless and dynamic threat environment, with increasingly sophisticated attacks, many attackers go undetected by their victims once they are inside the organisation. Some estimates suggest the time to respond to an attack has increased from 10 to 30 days.

Organisations clearly want to be able to respond in as near to real time as possible to any attack, but the brutal fact is it can take weeks, and in some cases months, for an organisation to respond, by which time the damage mounts up, says security expert David Lacey, former director of security at the Royal Mail and founder of The Institute for Information Security Professionals (IISP).

David Lacey

David Lacey has over 20 years’ experience managing information security for Royal Mail Group, Royal Dutch/Shell Group and The Foreign & Commonwealth Office.

He was the original author of the British Security Standard BS7799 and a founder member of The Jericho Forum for security and The Institute for Information Security Professionals (IISP).

He is the author of a number of influential books on security, business continuity and risk management, and is a past chairman of government and industry advisory groups, including the National ID Card Private Sector User Group.


“The dwell time for advanced persistent threats, which are very stealthy attacks, can be months. Organisations have been trying to get it down to weeks or days. Ideally, response should be in real time. Smart companies with good security will have targets. If you can close down an attack quickly, the damage is substantially less,” says Lacey.

Just as it takes time for an organisation to work out the extent of an attack, it takes a cyber criminal time to milk the organisation of its information by discovering critical data, mapping it and getting it out of the organisation into the hands of the criminals who can effectively use it.

“An attacker may find a way in through social engineering, such as via an email to an employee who has attended an event with a request to look at a particular website where it has planted stealthy malware,” says Lacey.

“Once this is installed, it acts as a beacon to a command and control centre, which directs it to penetrate the organisation further. There is a discovery process where it looks around an organisation and reports back – for example, collecting as much credit card data as possible,” he says.
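The beaconing behaviour Lacey describes is something a defender can look for in outbound connection logs. As an added example that is not part of the report, the script below flags hosts that contact the same destination at suspiciously regular intervals, using a constructed proxy log (host names, addresses and timestamps are all made up for the illustration):

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: ws-17 is infected and polls one host every ~300 s;
# ws-22 is a normal user visiting a site at irregular times.
SAMPLE_LOG = """\
2015-07-17T09:00:05 ws-17 203.0.113.50:443 CONNECT
2015-07-17T09:05:04 ws-17 203.0.113.50:443 CONNECT
2015-07-17T09:10:06 ws-17 203.0.113.50:443 CONNECT
2015-07-17T09:15:05 ws-17 203.0.113.50:443 CONNECT
2015-07-17T09:20:05 ws-17 203.0.113.50:443 CONNECT
2015-07-17T09:25:04 ws-17 203.0.113.50:443 CONNECT
2015-07-17T09:01:12 ws-22 198.51.100.7:443 CONNECT
2015-07-17T09:02:40 ws-22 198.51.100.7:443 CONNECT
2015-07-17T09:14:03 ws-22 198.51.100.7:443 CONNECT
2015-07-17T09:31:58 ws-22 198.51.100.7:443 CONNECT
2015-07-17T09:33:01 ws-22 198.51.100.7:443 CONNECT
2015-07-17T09:59:30 ws-22 198.51.100.7:443 CONNECT
"""

def parse_log(text):
    """Group connection timestamps by (source host, destination)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, _method = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows

def beacon_score(times):
    """Mean gap in seconds and its coefficient of variation (jitter).
    A low coefficient means the host calls out on a near-fixed schedule,
    the signature of a simple beacon; None if there are too few gaps."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 3:
        return None
    avg = mean(gaps)
    return avg, pstdev(gaps) / avg

def find_beacons(text, max_cv=0.1, min_events=5):
    """Return {(src, dst): rounded interval} for flows that look like beacons."""
    hits = {}
    for key, times in parse_log(text).items():
        if len(times) < min_events:
            continue
        score = beacon_score(times)
        if score is not None and score[1] <= max_cv:
            hits[key] = round(score[0])
    return hits

if __name__ == "__main__":
    for (src, dst), interval in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: regular ~{interval}s interval, investigate")
```

Real beacons add random jitter and sleep schedules, so in production the thresholds are tuned per environment and this check is combined with other signals such as destination reputation and data volume.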

Increased detection

Interrupting the criminal’s discovery process as quickly as possible is the ideal response, but unfortunately, many organisations are just not equipped with the budget, resources or necessary skills. Lacey points to the American retailer Target: despite having a malware detection tool installed, it ignored the tool’s alerts, resulting in 40 million stolen credit card numbers and the resignations of the CEO and CIO.

Finding the right security partners, therefore, to extend capability is paramount to having any success in tackling security threats. “I know so many organisations that buy security and don’t use it properly. You need understanding of technologies and what resources to put in place,” says Lacey.

Nunn-Price says that with so many security products, a new approach is required. “The concept of actionable intelligence is about distilling information and consolidating alerts, systems and feeds that an IT director can do something with, rather than just being hit by information,” he says.

Collaboration between organisations within and across sectors is getting better, says Nunn-Price, and is encouraged by the government security initiatives in many countries. “If there is no confidence in the digital economy, everyone loses out. The UK must be a lead in cyber security or jobs will go elsewhere. Cyber security is bigger than IT; it involves marketing, HR, sales, and research and development,” says Nunn-Price.

Compliance is often considered an aid to understanding security in an organisation, but Lacey says just ticking the boxes to meet regulation and compliance requirements is not enough.

“There is no business case for security; it is perceived as costing money, closing access and taking time, which are negative things. This means compliance kicks in, which forces people to answer 400 questions to just tick a box,” says Lacey. He says staff are bogged down with compliance regulations, including legislation such as Sarbanes-Oxley, PCI DSS and ISO 27000 certification.

“Compliance generates a half-hearted response and it has not evolved over the past 30 years. But let us recognise the difference between compliance and security. Separate security from compliance, and devote a percentage of resources to doing the right things based on common sense. Organisations should find out what is really important to them and spend IT budget on securing those assets,” says Lacey.

Every organisation’s risk profile varies according to the nature of its business and the sector it works in – something that Ian Campbell, a professional interim CIO, is very aware of. He is currently CIO of Value Retail, but has worked for a variety of organisations in different sectors and with varying risk profiles.

Campbell says it is vital to understand your risk and which assets must be protected, but with the proliferation of devices and interconnectedness, he believes the idea of treating an organisation like a citadel that can be protected by a moat is nonsense in today’s digital world.

“Today, users want multiple access any time from anywhere, and security needs to move from perimeter protection to identity management and authenticating access. A bank, however, is very different from a retailer, and how you manage risk varies, but the move is generally towards the cloud and global access, so security needs to evolve to keep up with the new world,” he says.

Security breaches

He points out that security breaches also come from inside the organisation. “Over 70% of all security problems are caused by internal staff, which doesn’t come to light so often,” he says.

Campbell says security is changing so rapidly that new approaches are essential to keep ahead of the threat and he is an advocate of specialist help: “Most of us are still reacting and hoping not to get caught out, but there are specialist dedicated teams and partners who can constantly look out for threats ahead.”

He also believes it is the CIO’s duty to ensure that the board listens to security concerns. “The CIO must ensure security is never off the board’s agenda; you can turn it into a positive by focusing on how security looks after staff, ensures resilience and by highlighting how many months your organisation has gone without an incident,” he says.

Achieving a single view of risk across an organisation is a goal that just over half of organisations have achieved, but the view is clouded because every time a new technology is introduced, some new element of risk enters and often a patchwork response to security evolves.

“For every device, there is a simple fix that leads to patchwork growth, but having an enterprise-wide view can be perceived as slow, expensive and difficult to manage at a time when businesses want to be agile and have quick solutions,” says Lacey.

With the reality of increasingly sophisticated attacks, the expert advice is to extend capability, because organisations can’t stand alone against the tide of attacks. Sharing information with other organisations – even competitive rivals – is becoming more common, while selecting the right partners that have a global view of the real-time threat network is vital if an organisation is going to stand a chance against attacks, because the future for security is not going to get any easier, says Lacey.

“We are heading for a more open and complex world. People say ‘keep security simple’, but it is impossible. As more devices become more connected with more features and are more powerful, there are benefits to society and business, but a hyper-connected world is hard to protect and secure,” says Lacey.


However, this does not mean IT chiefs can bury their heads in the sand – they need to develop effective risk management, says Vlissidis.

“Understand what risk means to you as a business; information is a more valuable asset than a physical asset in the digital world. Do not do security just to meet compliance; make any strategy meaningful to the organisation. There is a global threat network and proper international crime rings, but organisations can focus on extending capability by asking experts for help. You can never outsource risk, but you can outsource some of the tasks,” he says.

Managing IT risk – trends in global information security

All digital assets are at some degree of risk in today’s hugely connected and dynamic environment, and CIOs need to know how to act, writes Lisa Kelly. They must understand the risk and threats to digital assets and just how fast and effective their response to a breach will be when – not if – it occurs.

However, HP research shows that 57% of executives are not trained in how to respond once a breach is identified. Andrzej Kawalec, chief technologist at HP enterprise security services, says a host of threats, including cyber criminals and nation states, are threatening enterprises.

“The risk that’s facing our digital assets at every step of the supply chain and every moment of the day is a very dangerous trend,” he says.

Kawalec says a global, interconnected cyber criminal market is worth about $104bn – around twice the money spent worldwide on protecting information assets.

Faced with this security imbalance, CIOs must tackle three key challenges: the relentless threat environment; compliance; and the explosion of connected devices.

In 94% of all breaches, the CIO is not the first to discover a breach – they will be informed by a third party, or via Twitter. Once a breach has occurred, the ability to remediate attacks is deteriorating each year, moving from 10 days to 30 days to close a breach.

“You don’t want to be the last person to find out,” says Kawalec.

Trying to balance best practice, compliance and audits is even tougher for enterprises operating in multiple geographies, while trends including mobile, tablets, cloud and bring your own device (BYOD) are further exacerbating the challenge.

Kawalec says HP advises its customers to “disrupt the adversary” every step of the way, from the research stage to how attackers get into an organisation and then take and steal assets.

However, 80% of the security budget is spent at the perimeter, which is not a failsafe, warns Kawalec.

Worryingly, an attacker has 243 days on average, before being discovered, to find and take key digital assets. By focusing on understanding the behaviour of users and systems and people, HP is aiming to turn that figure around to milliseconds.

CIOs need to focus on managing risk, but over half of organisations at executive level lack a single view of risk across the organisation. “Without understanding that risk you can’t make the key decisions about what key things to protect and which to enable,” says Kawalec.

CIOs can extend capability, by picking partners they can trust. “By not sharing information and acting as islands without a common view of the attack threat, enterprises are set to fail,” says Kawalec.
