Cyberthreats: Protecting from the inside and out

What are today’s cyberthreats? Detailed analysis of the current threat landscape shows that today’s security threats are hybridised, centring on hacking, serious and organised crime and the recently-arrived issue of hacktivists.
And let’s not overlook the problem of misplaced data. Add to this the dangers hosted by smart malware code such as Stuxnet and Duqu – and the possibility of a cyberwar as outlined by Foreign Secretary William Hague this year – and you have an idea of the challenges facing government.
The risk landscape changed last year largely as a result of hacktivist groups such as Anonymous and its forebears. This is no idle threat – attacks targeted the Royal Navy, the UK government, the NHS and commercial sector organisations and newspapers.
Overactive Imagination?
For many years there has also been some debate as to the reality of any form of cyberwar or cyberconflict – which many observers ascribe to an overactive imagination on the part of the industry’s thought leaders and analysts.

Even taking into account recent high-profile system hacks – there have been no examples of a pure cyberwar casualty. While there has never been a cyberwar, let us not forget, neither has there been a nuclear war, but such weapons of mass destruction have nevertheless been used.

During 2010/2011 the US and UK governments announced they were focusing more on cyber defences. In doing so, they indicated that this low-cost method of delivering a potentially devastating payload to the heart of the enemy’s systems was now considered a serious threat.

In addition, the UK government also revealed that, at the end of 2010, various servers had been attacked using the notorious Zeus malware. On this same topic Foreign Secretary Hague informed a Munich security conference that the attack was considered to be part of an international effort to infect systems.

Though malware is still on the rise, the notion that today’s malware is ever more imaginative is weakening and, as a result, the anti-malware developers may be a little closer to developing ahead-of-the-game compliance technologies. This should not allow complacency.

The Infosecurity Europe show in the spring this year saw the threat of AETs – advanced evasion threats – becoming reality, but very little media attention was given to the more advanced AET threats that the malware bandwagon has inevitably evolved.

AETs are real. They are not a product of an aggressively-badged application but more of an imaginative mix of old code, new vulnerabilities and skill-based imagination on the part of the developer in attempting to circumvent the security of a trusted perimeter network device, such as a firewall, Intrusion Detection System (IDS), or Intrusion Prevention System (IPS).

Multi-faceted attack
AETs are a natural evolution of the multi-faceted attack vector threats. They may also be defined as an amalgam of various components that may be leveraged by criminal and cybercriminal fraternities, or sponsored international groups and hacktivists seeking to locate and infiltrate selected targets.

AETs can have many guises, including old-to-new cloaked code, insider contacts, integration into websites and the leverage of some other agent-seeking tool in order to embed itself in a micro endpoint, such as a smartphone. The evolution of AETs is a methodology combining imagination and creativity to achieve an objective.

The key question is whether your critical digital assets are protected against such evasion techniques. To qualify and quantify this question, Stonesoft, the company that discovered AETs in the latter half of 2010, conducted research into AET evolution. In addition, Gartner has concluded that AETs are a real, credible and growing threat against the security of company networks and allied IT resources that protect governments, commerce and information-sharing systems. Once you consider the potential effects of AETs – and the prospect of being hit by a well-targeted payload from an AET-delivered vector – it is clear that our industry’s move to harnessing the power of cloud and virtualised resources needs to be paralleled by the development of better defences.
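The article describes evasion as circumventing a perimeter IDS/IPS rather than exploiting it. The classic mechanism behind that, which the text does not spell out, is that a detector inspecting each packet in isolation sees a different byte sequence than the endpoint that reassembles the stream. The following is an added example, not code from the article or from Stonesoft or Gartner: it compares a naive per-segment signature matcher with one that normalises (reorders and reassembles) the stream before matching. The segment structure, the sample HTTP request and the signature strings are all constructed for illustration.

```python
# Added example (not from the article): why stream normalisation matters
# when matching signatures at a perimeter device. All data below is constructed.
from dataclasses import dataclass
from typing import Iterable, List, Set


@dataclass
class Segment:
    """One transport-layer segment: byte offset within the stream plus payload."""
    seq: int
    data: bytes


# Constructed, illustrative signatures; a real IDS rule set is far richer.
SIGNATURES = [b"/../../etc/passwd", b"cmd.exe"]

# Constructed sample request that the first signature is meant to flag.
REQUEST = b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n\r\n"


def fragment(payload: bytes, chunk: int, start: int = 0) -> List[Segment]:
    """Split a payload into fixed-size segments (helper for building test input)."""
    return [Segment(start + i, payload[i:i + chunk])
            for i in range(0, len(payload), chunk)]


def match_per_segment(segments: Iterable[Segment],
                      signatures: Iterable[bytes] = SIGNATURES) -> Set[bytes]:
    """Naive inspection: looks at each segment's payload on its own.
    A signature split across two segments is never seen as a whole."""
    hits: Set[bytes] = set()
    for seg in segments:
        for sig in signatures:
            if sig in seg.data:
                hits.add(sig)
    return hits


def reassemble(segments: Iterable[Segment]) -> bytes:
    """Rebuild the byte stream the endpoint will see: order segments by
    sequence offset and lay their payloads into a contiguous buffer.
    Gaps (missing segments) are left as zero bytes."""
    stream = bytearray()
    for seg in sorted(segments, key=lambda s: s.seq):
        end = seg.seq + len(seg.data)
        if end > len(stream):
            stream.extend(b"\x00" * (end - len(stream)))
        stream[seg.seq:end] = seg.data
    return bytes(stream)


def match_reassembled(segments: Iterable[Segment],
                      signatures: Iterable[bytes] = SIGNATURES) -> Set[bytes]:
    """Normalising inspection: reassemble first, then match on the whole stream."""
    stream = reassemble(segments)
    return {sig for sig in signatures if sig in stream}


def compare(segments: List[Segment]) -> dict:
    """Run both matchers over the same segments and report what each saw."""
    return {
        "per_segment": match_per_segment(segments),
        "reassembled": match_reassembled(segments),
    }


if __name__ == "__main__":
    intact = [Segment(0, REQUEST)]
    # Same request split into 4-byte segments and delivered out of order.
    scrambled = list(reversed(fragment(REQUEST, 4)))
    print("intact   :", compare(intact))
    print("scrambled:", compare(scrambled))
```

The point for a defender is the second line of output: the per-segment matcher reports nothing for the scrambled delivery while the reassembling matcher still flags the request, because the endpoint reconstructs exactly that stream. A perimeter device that does not normalise traffic the way the protected hosts do is matching against bytes the target will never see in that form, which is the gap the article's evasion techniques exploit.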
Defending government
Thought also needs to be given as to how the public sector can raise its game on defending government and allied agency computer systems.
This brings us to the new and sexy world of advanced malware code such as Stuxnet and the recently-arrived Duqu darkware – dubbed ‘Son of Stuxnet’ by some sources. With the advent of Stuxnet we have observed the manifestation of smart code that exhibits seek and destroy capabilities capable of locating and impacting specific types of systems and allied apparatus, most notably IT control systems from specific vendors and with specific functions that include nuclear and similar platforms.
However, as the strain in question did not directly impact the operational ability of the infected craft, it was tolerated, and allowed to accompany these smart models on their missions. Notwithstanding that the malware in question did not have any designed intent to directly impact or affect the assets, it was obviously there for a reason: the malware in question was all about snooping, and the gathering of information which was passing through the bird concerned. Shortly after the infection of the USAF drones, there was the revelation that there had been some suspected hacking of a number of terrain and agricultural satellites. There should be no doubt whatsoever that the age of cyberconflict is now upon us and has global governments in its focus. It is therefore time to look beyond those rolled-up security policies and procedures, and look to GRC frameworks such as COBIT to help secure our electronic borders, no matter where they may be hosted.
Infosecurity shows the threat
Cyberattacks, security budgets and BYOD were all in the spotlight at InfoSecurity Europe in April, which demonstrated new ways to protect organisations and IT users from the threat.

Most CSOs and CISOs reported that their IT security budgets, even in the cash-strapped public sector, remained relatively intact, which underlines the importance that information security has to all sectors of the economy. But against the backdrop of cybercrime reportedly costing the world an amazing $380 billion a year, says Neelie Kroes, the European Commission vice-president, this is still not enough to protect IT users and citizens.

In her keynote speech at the event, Kroes said that since everyone uses computers, cyberattacks can affect everyone, meaning that cybersecurity is no longer the domain of national security authorities and needs a comprehensive solution that involves governments, businesses and individuals.

To assist in this regard, she explained that the European Commission will present a plan - a European strategy for Internet security - in the third quarter of this year.

The plan is based around five key areas. Firstly, there is a need to build a network to respond to cyberthreats and share that information - EU member countries will be asked to guarantee their minimum capabilities to respond adequately to threats, as well as sharing critical information in a secure and confidential manner.

Secondly, says Kroes, there needs to be a governance structure with member countries being required to establish competent authorities to centralise information and create regional forums to support collaboration with the private sector.

Kroes added that the third aim of the strategy plan will be to improve security at every point in the supply chain. The fourth aim will centre on the creation of a vibrant IT security market. The fifth prong of the EC’s strategy, she explained, is that Internet security is not a Europe-only problem, but an international one, meaning that everyone must be involved in the creation of a more secure Internet.

Despite the underlying theme this year being about the increasing trend towards BYOD (bring-your-own-device) into the workplace, Simon Wise, deputy head of the Ministry of Defence’s global operations security centre, effectively vetoed the idea as far as Government agencies in the security sector are concerned. At the MoD, he said in an Infosecurity Europe round table session: “We have a bring your own policy and it’s simple: Don’t!”

The key risk with BYOD, he told delegates, is the fact that unauthorised devices pose a serious threat to the rest of the network – which in the MoD’s case involves around 750,000 IP-enabled devices. Wise revealed that the MoD deals with 200 different firms’ IT systems, of which it has 20 main suppliers. As a result, he says, its suppliers need to be more honest about their position in the market, rather than claiming they have a ‘magic box’ solution to cybersecurity requirements.

Wise’s caution is backed up by the results of a joint survey between PricewaterhouseCoopers and the organisers of Infosecurity Europe, which found that one in seven large organisations has been hacked in the last year – and with 20 per cent of organisations spending less than just one per cent of their IT budget on information security. Researchers found that as a result, the number of large organisations being hacked into is at a record high, with the overall cost of security breaches to UK PLC measured in billions of pounds a year.

The survey – which took in responses from a total of 447 UK organisations – found that 70 per cent of large organisations have detected significant attempts to break into their networks over the last year – a record high. On average, each large organisation suffered 54 significant attacks by an unauthorised outsider during 2011 - twice the level in 2010 - whilst 15 per cent of large organisations had their networks successfully penetrated by hackers.
