We're living in a world where cyber security attacks are not an uncommon occurrence. We've become used to media reports talking about the latest large-scale data breach.
But how do these breaches go unnoticed for so long, and why is it that in many cases, the victims of the attacks are the last to know?
What's fascinating and worrying in equal measure is that 66% of cyber attacks were discovered by third parties (not the organisation that's been compromised), and a third of attacks went undetected for two years*. Two years is a long time to go undetected inside an organisation's network and gives an attacker ample time and opportunity to do as much damage as they can.
And these attackers can cause a significant amount of damage, both financially and to the reputation of a company. The payout for a hacker differs in many cases but here are some examples of the damage they can do:
• They can use a company's system as a gateway to its customers. A good example of this is the attack on security giant RSA. While the full details of exactly what was taken by the attackers are not known, we do know that they accessed password-protected RAR files (including data on some 40 million SecurID user tokens). A couple of months after the RSA breach there was an attempted attack on Lockheed Martin, a US defence contractor and a key client of RSA, using the information gleaned from the original breach. The attack on RSA was catastrophic; it cost the company approximately $66 million to deal with the fallout and it reportedly lost a number of key clients. On a wider scale, the fact that a security giant such as RSA had been breached by a phishing email shook the security industry.
• Many hackers are financially motivated and typically look for intellectual property or proprietary information to sell to an organisation's competitors, or they access operational information in order to demand money from the company (similar to ransomware).
• Some hackers try to gain access to consumers' or subscribers' personal and financial information stored on company systems, for example the Sony PlayStation attack, in which the credit card details of millions of users were compromised.
• And then there are some hackers who simply do it for fame or vandalism, or who just want to showcase their ability to breach a company's or organisation's defences and access its confidential data. The security breach of Sony Pictures Entertainment, during which company data including then-unreleased movies was leaked online, is a good example here.
How can large-scale attacks go undetected for so long?
Security breaches can go unnoticed for a number of reasons. Some hackers mount advanced persistent threats using techniques and tools that have not been seen before, and so go undetected by existing security measures. Or there may be a lack of adequate security systems or resources in place at the organisation.
In the second scenario, a trio of failures can combine to create the perfect hunting ground for a would-be attacker. A lack of adequate security measures allows easy access, a lack of security posture evaluation means that there may be vulnerabilities on an organisation's system that a hacker can exploit, and a lack of security monitoring then allows these hacks to go undetected for a long time.
There's no question that hackers are becoming more sophisticated. There is no limit to the sophistication of hackers and attacks anymore, with state-sponsored attacks on the rise and taking very complex forms. We need only look at the sophistication and scale of the so-called ProjectSauron, which breached government organisations, scientific research centres, military organisations, telecommunication providers and financial institutions in several countries including Russia and Iran. The ProjectSauron 'campaign' was a long-term attack that operated from June 2011 until 2016.
How to guard against sophisticated, long-term attacks
At a basic level, companies need to develop a security framework (or work with partners who can help them build one). The framework should include four key elements:
Education: You need to educate all your users, and not just as a one-off. This needs to be constant education about new threats, best practice and company policies. The security term for this is governance, risk management and compliance (or GRC), which is focused on improving governance through effective compliance and a better understanding of the impact of risk on business performance.
Testing: Regular evaluations of your security measures and policies by a trusted party to ensure there are no known vulnerabilities that can be exploited to gain illegitimate access to company resources or data.
Protection: Investigate the best security solutions for your organisation. Speak with your IT or security provider about the measures you need to put in place to protect your organisation. You should also get your security provider to conduct an audit of your current setup; this will highlight any vulnerabilities on your system and enable them to develop a security framework suited to your needs.
Monitoring: Perform continuous monitoring of your systems. You're looking for alerts or signs of attack such as a spike in data transfer rates happening after hours. Close monitoring and notifications means you can get ahead of any threat, and take appropriate measures before the situation escalates. Again, it's a good idea to talk to your security provider about implementing monitoring and a response plan.
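The after-hours data-transfer spike mentioned under Monitoring is the kind of signal that is easy to describe and easy to miss without a baseline. As an added illustration that is not part of the original post or of eir's services, the Python below takes constructed flow records (timestamp, source host, bytes sent out), builds each host's business-hours hourly egress baseline, and flags any after-hours hour whose egress exceeds a multiple of that baseline. The business-hours window, the 10x multiplier, the host names and the record format are all assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample flow records (not real data): timestamp, source host, bytes sent out.
# One workstation shows a very large burst late in the evening; the other is quiet.
SAMPLE_FLOWS = """\
2016-09-12T09:15:00,ws-finance-07,120000
2016-09-12T10:40:00,ws-finance-07,95000
2016-09-12T11:05:00,ws-finance-07,110000
2016-09-12T14:20:00,ws-finance-07,130000
2016-09-12T16:50:00,ws-finance-07,100000
2016-09-12T23:10:00,ws-finance-07,850000000
2016-09-12T23:40:00,ws-finance-07,900000000
2016-09-13T02:05:00,ws-finance-07,40000
2016-09-12T09:30:00,ws-hr-02,80000
2016-09-12T13:00:00,ws-hr-02,90000
2016-09-12T22:15:00,ws-hr-02,70000
"""

# Assumed business-hours window for the example: 08:00 to 18:59 local time.
BUSINESS_HOURS = range(8, 19)


def parse_flows(text):
    """Parse CSV lines into (datetime, host, bytes) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
            nbytes = int(parts[2])
        except ValueError:
            continue
        records.append((ts, parts[1], nbytes))
    return records


def hourly_egress(records):
    """Sum bytes per (host, date, hour) so bursts of small flows add up."""
    buckets = defaultdict(int)
    for ts, host, nbytes in records:
        buckets[(host, ts.date().isoformat(), ts.hour)] += nbytes
    return buckets


def after_hours_spikes(records, multiplier=10.0):
    """Flag after-hours hourly buckets that exceed multiplier x the host's
    mean business-hours hourly egress.

    Returns a list of (host, date, hour, bytes, baseline) in host/date/hour order.
    Hosts with no business-hours traffic have no baseline and are skipped rather
    than guessed at, so they should be reviewed separately.
    """
    buckets = hourly_egress(records)
    baseline_samples = defaultdict(list)
    for (host, _day, hour), total in buckets.items():
        if hour in BUSINESS_HOURS:
            baseline_samples[host].append(total)

    alerts = []
    for (host, day, hour), total in sorted(buckets.items()):
        if hour in BUSINESS_HOURS:
            continue
        samples = baseline_samples.get(host)
        if not samples:
            continue
        baseline = mean(samples)
        if total > multiplier * baseline:
            alerts.append((host, day, hour, total, baseline))
    return alerts


if __name__ == "__main__":
    for host, day, hour, total, baseline in after_hours_spikes(parse_flows(SAMPLE_FLOWS)):
        print(f"ALERT {host} {day} {hour:02d}:00 sent {total} bytes "
              f"(business-hours hourly mean {baseline:.0f})")
```

Run as a script it reports the single late-evening burst from ws-finance-07 and stays silent on ws-hr-02, whose after-hours traffic is in line with its daytime mean. In practice the baseline would be built from days or weeks of history rather than one day, and the multiplier tuned per host class, but the structure is the same: bucket by hour, learn what normal looks like when people are at their desks, and alert when a quiet period is suddenly not quiet.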
As a first step, it's important to arrange a talk with your IT partner to assess your vulnerabilities, your overall exposure and the available options to effectively protect and monitor your systems. The prevalence and sophistication of security threats today are such that no organisation can be sure of its security. But by developing a comprehensive security framework with continuous monitoring you can reduce the element of surprise and ensure your organisation does not fall victim to these long-term, costly breaches.
Hisham Marzouk is Head of Network Security Services for eir. For more information about eir's upcoming suite of expanded security services, contact firstname.lastname@example.org. If you would like to read more blog posts about security issues visit the eir Business blog.
*Source: Ponemon Institute's 2014 State of Endpoint Risk Report