Top endpoint security stories for July 2010 — Targeted attacks heat up in July, broaden scope of intended corporate victims

CoreTrace WhiteSpace

The Application Whitelisting and Security Weblog

If targeted cyber attacks weren’t already one of the year’s top security concerns, a new study revealed that they’re no longer limiting their focus to the corporate giants of the world. They’re becoming the norm for midsized businesses, as well. This was just one of several recent reports and newly surfaced malware, like the Stuxnet worm, that have security professionals on high alert. With stealthier attacks aimed at beating forensic efforts, cyber crime continues to have a growing impact on organizations and their bottom line. Here are some of the top security stories from July 2010.

Targeted malware attacks are the new norm, not the exception

Stealthier, targeted cyber attacks aren’t exclusively going after high-tech giants anymore. Research presented at last month’s Black Hat Conference said advanced persistent attacks that have hit defense agencies and high-profile corporations like Google are also becoming the norm for medium-sized businesses.

In two separately analyzed attacks, researchers Nicolas Percoco and Jibran Ilyas of TrustWave’s Spider Labs research group said the malware didn’t discriminate by the size of the organization. The primary goal of the attack was to avoid detection and maintain a presence on the intended networks.

“Targeted malware is the norm, not the exception,” said Percoco.

Research has found that advancements in malware and anti-forensic features allow remote attackers to stay on their victims’ networks an average of 156 days before they are detected. By avoiding detection, more persistent threats enable hackers to dive deeper into mission-critical applications to steal valuable intellectual property or sensitive financial data they can resell on the black market.

Cyber crime costs businesses $3.8 million each per year

A new report by the Ponemon Institute on the cost of cyber crime revealed that midsized and large U.S. organizations from different industries and government agencies are each paying $3.8 million per year to fight weekly cyber attacks, malicious code and rogue insiders. The annual cost, which represents the direct cost of dealing with the attacks (not the antivirus software used to protect their networks), was derived from varying business reports that ranged from $1 million to a whopping $52 million per year.

The study also found it took, on average, 14 days for an organization to respond to a successful cyber attack, which cost businesses $17,696 per day. According to the report, defense, energy and financial services companies experienced higher costs than organizations in retail, services and education.

Whether you work in the public or private sector, Larry Ponemon, director of the Ponemon Institute, said the study shows the impact cyber crime continues to have on businesses and their bottom line.

“The eye-popping thing we found is a lot of organizations are very disorganized in even understanding the environments they’re dealing with.”

Study finds SCADA systems security “like a ticking time bomb”

While organizations that run SCADA systems claim their networks are secure because they’re not connected to the Internet, findings from an extensive nine-year analysis of more than 120 security assessments of systems that manage power plants, oil refineries, and other critical national infrastructure found the opposite to be true.

The study, conducted by Jonathan Pollet, founder and principal consultant of Red Tiger Security, found that critical infrastructure facilities across the U.S. have been operating with tens of thousands of security vulnerabilities, outdated operating systems, and unauthorized applications. According to the report, facilities unknowingly had computers crucial to their operations running everything from Windows 95 to unauthorized software such as peer-to-peer applications, games and pornography, all of which contained major vulnerabilities.

“It’s kind of like a ticking time bomb. I’m hoping the message that we’re giving here can open a few eyes.”

While most systems contained common errors and were vulnerable to SQL injection, cross-site scripting and denial-of-service attacks, Pollet found that deploying a patch could take up to a year on systems that couldn’t be taken offline, or that were too important to risk patching because the update would disrupt a critical process.

Unfortunately, system vulnerabilities like these are exactly what attackers write malicious code around. Take, for example, the newly surfaced Stuxnet malware, which targets utility companies and exploits a zero-day vulnerability in Windows to access the Siemens WinCC SCADA systems database. Advanced knowledge of system flaws is the key to creating worms that target control systems. You can bet the energy sector is keeping a close eye on this one, and doing everything it can to work with NERC, the U.S. Department of Energy, and others to develop strategies to protect its critical infrastructure.

Are cyber spies already in your system?

It may sound a little farfetched, but some security experts believe that an increasing number of organizations are under surveillance by foreign spybots spying on U.S. businesses to gain competitive advantages or exploit weaknesses in their systems. While it’s difficult for researchers to pin down the magnitude of these insidious threats, they’re enough to put security professionals on high alert. Mark Lobel, advisory principal at PricewaterhouseCoopers, said the quiet nature of electronic cyber espionage can be deceiving, particularly when it goes undetected by the usual security tools.

“Because the whole point is for the espionage to be stealthy, there is truly no way to know the size and scope of the issue. In conversations with people in the industry, they are confident that it is a larger problem than most people recognize or understand.”

Gartner VP of research for computer security, Neil MacDonald, takes it one step further by maintaining that as many as 75% of enterprises have been or are being infected with undetected, financially driven, targeted attacks that evaded their traditional perimeter and host defenses.

While there’s no way to completely protect an organization against increasingly sophisticated attacks, one security strategy that many experts agree can reduce the impact of such attacks is to practice defense in depth. While most companies remain blissfully unaware of electronic surveillance, MacDonald added that denial never works. Taking false comfort in antivirus software and network scans that show zero infections doesn’t mean that a system hasn’t already been compromised.

Thanks for reading this monthly recap of some of the top stories within our space. Please feel free to provide feedback on any of these important topics.