In security response, practice makes perfect

We've heard it many times in many forms -- expect to be breached, expect that you've been breached, expect that you are being breached.

The unfortunate reality is that most organizations don't even know that they've been compromised, and therefore do nothing to block the spread of the malware, control the damage, prevent loss of information, or even recover from the technical problems associated with the compromise.


Shawn Henry, former executive assistant director (EAD) of the FBI and now president of CrowdStrike Services, told the 6,500-plus attendees of the recent Black Hat conference that the FBI has knocked on the doors of numerous companies to let them know their data had been discovered on the Internet (usually discovered in unrelated investigations). "Months, or even years later -- with unfettered access, and unbeknownst to the people that own the networks -- organizations are being alerted to being compromised and their data being stolen," said Henry. This is both shocking and unacceptable.

When people think FBI they often think about national security and nation-state adversaries. And there's no lack of speculation about these nation-states being the most threatening sources of these corporate attacks. This assessment doesn't come without cause. According to Henry, "dozens of our adversaries are extracting information from the U.S. every day, stealing corporate strategies, grabbing intellectual property, and looking for any competitive advantages they can find."

Henry also noted the threat implications where the U.S. critical infrastructure is concerned. "We're seeing an uptick in threats against industrial control systems (ICS), the devices that control the nation's critical infrastructure," Henry said.

The increase in attacks against ICS points to increased sophistication of the attackers. "Attacking a GE control system device is very different from attacking a website," said Francis Cianfrocca, CEO of Bayshore Networks. "It is easy to find a lot of effective material in the public domain to attack websites and enterprise apps, but the knowledge to attack ICS typically has been far less developed."

Critical infrastructure systems are generally much more open in design, and therefore, are much more vulnerable to attack than commercial/enterprise systems. Some might even say that ICS are wide open to attack because of their design and implementation. "Even though they are vulnerable, if you are going to attack ICS, you will require a lot of specialized knowledge as the devices and systems are often highly customized," Cianfrocca said. "All critical systems are different and use different protocols; vendors violate the protocols in different ways, essentially minimizing the hacktivists and increasing the focus on nation states."

However, enterprises don't have the luxury of focusing solely on the nation-state adversaries as there are many more threats and adversaries they need to consider. Henry noted that organized crime is not too far behind the nation-state adversaries both in terms of skill and capability. And, once organized crime attackers get a few successes under their belts, funding is often not a problem either. "Businesses have formed that are offering 'hacking as a service,' and there are plenty of insiders and lone wolves taking legitimate jobs with a direct aim to extract sensitive information from the private sector," said Henry.

It's difficult for companies to protect themselves given the level of sophistication of many adversaries. "With the most sophisticated attacker at the threat controls, organizations won't stand a chance," said Phil Lieberman, president of Lieberman Software. "They would need to have NSA-like teams on staff -- or NSA-like partners -- if they are to prevent targeted attacks," Lieberman said. Henry shared a similar view, noting that a sophisticated adversary can and will easily jump over the fence -- hopping over or around the firewall with ease.
