Expert Reactions to Recent Cyber-attacks on Organizations Should Be Chilling to CAEs
A recent report from Cisco Systems Inc. provides CAEs with food for thought on the security threats and trends that emerged during the past year as well as on the security “hot spots” emerging in 2010.
Mainstream news accounts of the recent assault on the computer networks of IT behemoth Google Inc. should be alarming to CAEs. Subsequently published reactions of security experts should be even more chilling.
Hackers seeking to steal the intellectual property of Google and reportedly dozens of other high-profile U.S. organizations used unprecedented assault tactics, according to researchers at the business and consumer security software firm McAfee Inc. “We have never ever, outside of the defense industry, seen commercial industrial companies come under that level of sophisticated attack,” says Dmitri Alperovitch, vice president of threat research for McAfee. “It’s totally changing the threat model.”
The recently released 2009 Annual Security Report by the networking technology firm Cisco Systems Inc. does not provide chief information officers (CIOs) or CAEs with specific suggestions for mitigating the clearly escalating risks to the organization’s technology infrastructure. This 40-page report does, however, provide food for thought and conversation by summarizing in lay language the security threats and trends that emerged during the past year. It also explores emerging security “hot spots” for 2010. Two trends explored throughout the report, which is somewhat self-promotional in content and tone, are the explosive growth of social networking and cloud computing.
Cisco asserts that it is almost impossible to overstate the current impact of social media on computer security. “It is routine now for workers of all generations to interact with colleagues, customers, or partners using social networks that, a few years ago, would have been populated mostly by computer users in their teens and 20s. … The threats and security issues that come with these social networks aren’t usually caused by vulnerabilities in software. More commonly, these threats originate from individuals who place an unwarranted amount of ‘transitive trust’ in the safety of these communities.” That is, according to the report, social network users generally will trust something or someone merely because a user they know also has expressed trust in that person or subject. The high levels of trust that users place in social networks provide ample opportunities for new and more effective cybercrimes, the report continues: “Instead of searching out vulnerabilities to exploit, criminals merely need a good lure to hook new victims.”
A decade ago, when organizations managed their confidential information within closed networks, the idea of banking a sizable chunk of competitive data at a place known as “the cloud” was utterly unthinkable, the report reminds readers. Today, however, cloud computing is being widely pursued by leading-edge organizations as a cost-effective means of providing on-demand information access to employees whose roles often take them far from the central office. The report asserts that many of today’s CIOs have “swung in the opposite direction from their 1990s colleagues … and are so trusting of cloud computing that they conduct minimal due diligence when selecting hosting providers and evaluating data security.” Cisco says the basic questions CAEs should ask about cloud computing include:
Where are information assets going?
How are they being protected?
Who will have access to information?
How can the organization navigate policy shifts, regulatory compliance, or audits?
Among the most thought-provoking sections of the report is the list of small errors commonly made by IT departments and employees alike that, in combination, comprise a “security nightmare formula.” In summary, these errors — which organizations should strive to mitigate or avoid altogether — include:
Easy-to-guess passwords and password reuse. Obvious strings of numbers like “123456,” mothers’ maiden names, or simply using the word “password” as a password make it easy for criminals to break into accounts. Even more problematic is the reuse of the same or similar passwords.
Inconsistent software patching. Conficker, the biggest “botnet” of 2009, gained traction because of the widespread failure to download a readily available software patch. Although most of today’s attacks are being launched via social networks, criminals nonetheless continue to seek ways to exploit “old-style” vulnerabilities.
Getting too personal. By disclosing information such as birth dates and hometowns, social media users make it easy for criminals to break into private accounts and gain control by resetting passwords. Corporate users are not immune to this trend, frequently using Twitter to discuss business projects, for example.
Overdose of trust. Individual and business users of social media commonly place too much trust in the safety and privacy of their networks and are prone to respond to messages, supposedly from their connections, containing malware-laden links.
Outdated virus protection. Computer users — including IT staff — often fail to update anti-virus software in a timely manner, leaving systems vulnerable to attacks that normally would be easy to block. Although ensuring that virus software is updated provides baseline protection, sophisticated criminals are now hiring services to test their malware to ensure it will not be detected by anti-virus programs.
“It won’t happen to me” syndrome. Employees often intentionally violate policies and knowingly engage in risky behavior online because they believe this behavior will not actually trigger a cyber-attack or compromise their employer’s cyber-security.