Until three years ago, cyber-attacks on critical infrastructure were considered hypothetical at best. Then along came Stuxnet, changing the threat landscape for good.
The idea of weaponised malware had moved from theory into practice – for governments around the world, vendors, and enterprises, it was a bleak reality, and Stuxnet was quickly followed by several other major threats – Duqu, Shamoon and Flame.
Today SCADA and industrial control system vulnerabilities are understood, accepted and reported; however, security on these systems remains a legacy of the 80s and 90s, secured by dangerously weak default passwords, buggy software, and badly patched PCs with woefully inadequate AV.
The attacks of today are highly targeted, usually aiming at a specific entity or individual, says Lutz Blaeser, MD of Intact Security. “All companies are vulnerable – all companies have information that is potentially valuable to cyber thieves.”
He adds that if a threat actor is determined enough, they will eventually succeed. “Even seemingly bullet-proof entities like RSA and Sony have fallen victim, even though they have top security systems and protocols.”
Add to this that the Ponemon Institute’s research revealed that 67% of organisations say their present security solutions are not enough to defend against a targeted attack, and the picture is grim indeed.
According to Blaeser, almost all targeted attacks make use of spear phishing and social engineering to breach an organisation. They also employ a specific vulnerability or a set of vulnerabilities to succeed, such as the recently reported flaw in IE, that left it open to watering hole attacks.
Businesses are targeted for several reasons, he says. “They might have access to customers’ credit card details, or confidential product specs; it may be unique intellectual property or merely because the company is a stepping stone to a much bigger fish.”
Blaeser adds that there has also been a rise in attacks aimed at disrupting business or making a point, be it political or ideological. Examples include hacktivist groups such as Anonymous and the Syrian Electronic Army, the latter having launched a slew of attacks against large media houses such as the New York Times, the BBC and The Washington Post.
These attacks all used spear-phishing to target individual employees as a means of breaching the target organisations.
Due to the nature and complexity of these attacks, defending against them needs more than the conventional technologies alone, and should include means to handle the fallout once a breach has occurred.
Many tools are needed to defend against these attacks – network monitoring systems for situational awareness; big data advanced analytics for picking up unusual behaviour within the network; cyber intelligence capabilities and tools; and virtualisation and sandboxing technologies, which allow untrusted apps to be run within a secure, virtual environment – all of these are crucial elements.
Add to this Web filtering, e-mail protection, whitelisting and blacklisting, application control, anti-virus and endpoint protection (client security). Today a standalone AV is not good enough, and a layered approach to security is essential.
“In addition, businesses must have a handle on the BYOD phenomenon. Companies must be able to monitor mobile devices and users on their networks. In this way, the source of many issues, such as insider threats, policy violations and data leakage, can be uncovered.”
Moreover, entities must be able to detect threats beyond worms and viruses: threats for which no signature is yet available, bots, and DDoS attacks must be detected too. Network monitoring helps to keep an eye on the network and pick up unauthorised access, misconfigured devices and the like.
Blaeser says not to forget user education. “A security solution is only as strong as its weakest link, which is usually the end user. Educate employees on opening mails or links from untrusted sources. Educate them too on privacy, and the dangers of oversharing on social media.”
Targeted attacks have potentially catastrophic consequences. Not only can valuable data and information be stolen, reputations can be damaged and large fines incurred. To protect themselves and their customers, businesses must adopt a more comprehensive security approach.