by Malyssa Woodward
In the wake of recent large-scale breaches at companies like Epsilon and Sony, which compromised the personal data of millions of consumers, security concerns are at their peak. But are these concerns translating into action? Recent surveys indicate that while companies understand the security threats to their systems, many are not taking proper steps to protect themselves from attacks.
A survey conducted by the Courion Corporation polled about 1,250 IT decision makers from large companies around the globe. Most of the participants hail from corporations with more than 1,000 employees. The survey found that nearly one third of the respondents do not believe their companies have accurate assessments of the security risks facing them, including threats stemming from both internal and external sources. Essentially, the people responsible for securing their company’s systems are feeling insecure about their ability to do so.
Their feelings are not without merit. The survey found that more than 90% of respondents cite identification of user access as a primary method for assessing IT security risk, yet 60% say they review this access only once a year or even less frequently. Upon reviewing their company’s access rights, nearly half the respondents found that excessive user rights existed in their systems. Obviously, the more people who have access to a company’s sensitive data – especially those who do not need this access – the wider the door is left open for potential breaches.
“The results of this survey indicate that there is still widespread misunderstanding of the impact user access reviews have on enterprise IT risk,” said Kurt Johnson, Courion’s vice president of strategy and corporate development.
A similar misunderstanding seems to permeate infrastructure firms, who most will agree face an ever-increasing risk with the emergence of sophisticated malware like the Stuxnet worm.
Stuxnet targets Siemens Supervisory Control And Data Acquisition (SCADA) systems, which control and monitor industrial systems like those found in electric, water, gas and other key infrastructure sectors. The malware takes over the operation of specific equipment components and causes them to behave erratically, but reports back to system operators that everything is functioning normally. It is believed the worm caused real damage to the Natanz nuclear facility in Iran last year, proving its dangerous potential to hinder operations in similar plants.
A recent study conducted by McAfee and the Center for Strategic and International Studies (CSIS) found that utility companies are aware of the increased risk, yet are not adopting security technologies intended to protect against such threats.
Over 200 leaders in the oil/gas, energy and water sectors around the world were surveyed in the study, which found that many critical infrastructures were not adequately protected against cyber attacks. Forty percent of these executives believe that their industry is more vulnerable to such attacks, and even expect a major attack to occur against their sector within the next year.
Almost 30 percent do not believe their company is prepared to respond to a cyber attack, and a staggering 80 percent have been the victim of large-scale denial of service attacks. In addition, 70 percent of the respondents have reported frequently finding malware on their systems that is designed to sabotage them, including 46 percent of respondents in the electricity sector who reported finding Stuxnet on their systems.
So what are these companies doing to increase their security measures? According to the study, not enough.
When comparing this year’s report findings to those from last year, experts see a concerning – and continuing – lack of attention to security. In her blog, McAfee Vice President and Chief Technology Officer for Global Public Sector Phyllis Schneck writes that “Perhaps one of the most frightening findings in the report is the fact that, although the security threat and awareness of the threat have increased exponentially, the energy sector increased its adoption of security technologies by only one percent.”
Oil and gas companies were slightly more progressive, increasing their adoption of security technologies by 3 percent, while the water and sewage sector took the lead by increasing their security measures by 8 percentage points.
Overall, despite clear evidence that they are at an increasing risk of sabotage, key infrastructure organizations are slow on the draw to implement technologies that could protect them and prevent large-scale threats to public safety. Is budget to blame? In a struggling economy that’s very likely. Spending resources to protect against a chance attack by an unseen threat may not seem worth it. Yet surely the recovery cost will be much higher should such an attack be perpetrated on an electric grid, for example. Perhaps companies have a difficult time understanding the impact of such an attack until they are targeted directly.
Whatever the reasons, the survey results paint a rather grim picture of potentially vulnerable targets left unprepared to handle what seem to be inevitable attacks against them.
Another recent report lays out the need for basic security implementation, while indicating that cyber crime trends may be shifting. The 2010 Verizon Data Breach Investigations Report was released in April. This 4th edition of the report included 800 new breaches that were investigated by Verizon and the US Secret Service last year, an all-time high since the first report was published three years ago. The first three years combined totaled about 900 breaches.
But while the sheer number of breaches skyrocketed, the number of compromised records plummeted to just under 4 million. That number was 144 million in 2009, and in 2008, a frightening 341 million. Recording the highest number of breaches in the same year as the lowest number of records compromised seems like a fluke, but perhaps it signals a trend in the way cyber criminals attack their targets.
Experts suggest that large-scale breaches like the one at Heartland Payment Systems might be considered too high-risk for hackers now, or that perhaps these huge breaches have flooded the black market with enough credit card numbers, causing their value to drop.
The Verizon report found that 92 percent of attacks stemmed from external sources, up 22 percent from 2009. Fifty percent of the attacks used some kind of hacking technique, up 10 percent from the previous year. Breaches that incorporated malware also rose by 11 percent, constituting 49 percent of all breaches.
An interesting note is the increase in physical attacks like ATM skimming and Point of Sale (POS) equipment tampering. The figure that doubled in 2009 doubled again in 2010, accounting for 29 percent of breaches.
Also interesting, and likely a bad sign, is the increased amount of customized malware discovered in the caseload studied. Nearly two-thirds of the malware investigated had been customized, indicating that the cost of customization is low and it is more accessible to criminals. With the growth of the “malware-as-a-service” market, this does not bode well.
Card payment data is still the number one target of breaches, according to the report, and most victims (83 percent) were targets of opportunity. Most attacks were not particularly difficult, and a whopping 96 percent of them could have been avoided by instituting simple or intermediate controls.
The advice Verizon offers to businesses is familiar – focus on essential security first:
- Eliminate unnecessary data and keep tabs on what’s left
- Change default credentials
- Review user accounts on a regular basis
- Restrict and monitor privileged users
- Assess remote access services
- Test and review web applications
- Monitor and mine event logs
- Examine ATMs and other payment card input devices for tampering
These three reports indicate an evolving cyber crime landscape and a slow response on the part of many businesses to update their security practices. Are you concerned that your business is falling behind on security measures? Your Net Guard specializes in network security and can help you keep your systems protected. Call Ron with your concerns – he’ll be glad to help find a solution that meets your needs.