Australia Becomes 1st Nation To Stop Targeted Attacks

The cyberthreat environment has shifted from attacks that steal information to those that do real damage to systems and the operations they control. The Australian Defence Signals Directorate (DSD) knows what to do to stop the types of attacks that are coming from nation states. The DSD has developed a list titled Top 35 Mitigation Strategies; it also found that implementing just the top four strategies can block 85 percent of targeted cyberattacks. Topping the list is whitelisting, followed by patching applications, patching operating systems, and limiting administrator rights to people who actually need that access.

This year, DSD has moved application whitelisting to the top of the list.

Well, the latest evidence suggests that things are getting worse, with a consistent and rapid rise in attacks in 2012. It isn’t just the number of attacks that’s concerning but the fact that the focus of the attackers is also shifting.

“One of the largest companies in the United States told me that in April they were having about a thousand attacks in the first quarter, then five thousand in the second quarter. These are major attacks, not port scans [which merely probe for vulnerabilities],” Alan Paller told security professionals in Sydney last week.

Paller is founder and director of research for the SANS Institute, which runs the Internet Storm Centre and provides training and certification for security professionals. He’s connected.

According to Paller, the bad guys have started playing rough in the last two months. It’s no longer just espionage and the noisy but easy-to-counter distributed denial of service (DDoS) attacks, Paller says. Attacks are now causing physical damage.

Mid-August saw what is arguably the most damaging attack ever. Oil company Saudi Aramco had 30,000 computers infected and wiped. With their master boot records destroyed, every machine needed on-site attention and a complete rebuild.

“That’s the same kind of problem you’d have if you hit it with a bomb. Not literally, but close enough in terms of the amount of rebuilding you have to do,” Paller says.

It seems like every security professional can point to examples of the rising danger. But when it comes to dealing with it, the industry suffers a conceptual disconnect.

Vendors are selling an ever-bigger big data approach. Log everything and pay for their secret-sauce analytics so they can dig back and tell you that, yes, your network was first penetrated on 18 December 2011 at precisely 4.28pm. But practitioners tell us it’s more important to concentrate on the basics, making steady improvements through “continuous monitoring” (CM) of risk, rather than infrequent security audits, and “measured risk reduction”.

CM is now mandated for all US federal networks following a wildly successful implementation by the State Department and Paller believes other nations will soon follow. It’ll be a “huge shift” in the way information security is done and could potentially transform the industry.
