Blog Author
Howard Schmidt's blog
http://www.infosecurityadviser.com/view_blog?id=15
Cyber security rises up the political agenda
Cyber security took another step up the political agenda with the launch of the UK's first cyber security strategy to address the growing online threat to businesses, governments and ordinary UK citizens from criminals, terrorists and hostile states.
Gordon Brown also announced that he will be appointing a new cyber security chief. This follows President Obama’s recent news that he is appointing a cyber security coordinator and reinforces the view that a nation’s IT Infrastructure is now one it most critical assets.
Central to the strategy is a dedicated Office of Cyber Security in the Cabinet Office that will co-ordinate policy and look at legal and ethical issues along with relations with other countries. A second body will be a new Cyber Security Operations Centre (CSOC) based at GCHQ.
While some may argue that these moves should have happened long ago, we should welcome this latest UK announcement. It reflects a growing international commitment to address growing cyber threats to economic prosperity, public safety and national security that all rely on a robust and secure digital infrastructure.
It is also encouraging that Britain seems keen to work with other countries such as the US and Canada to co-ordinate operations against cyber attacks by foreign powers and terrorists. It has been very clear for some time that no one nation or organisation can defeat criminal or state-sponsored cyber crime and terrorism in isolation.
The UK Government confirmed that it has already faced cyber attacks from foreign states such as Russia and China and we have seen reports of other state-sponsored cyber attacks. There is also a growing community of so called ‘hactivist’ groups intent on doing damage to governments and businesses that seem to act with impunity as their own governments appear to ignore their criminal activities.
Today the stakes are higher and the risks are greater than ever. And they are no longer from overzealous hackers but from organised crime and hostile regimes. I am confident that this latest announcement from Gordon Brown and initiatives from the US provide the way for other nations to ramp up and coordinate global efforts to strengthen cyber security to compliment work currently being done by agencies such as the European Network Information Security Agency (ENISA).
The Prime Minister, Gordon Brown and US President Barak Obama should be supported in demonstrating leadership in cyber security for both the private and public sectors in order to do all they can to secure their part of cyberspace.
After SaaS comes CaaS
I guess it was inevitable. With the growth in SaaS (Software as a Service), it was only a matter of time before we saw CaaS - Crimeware as a Service.
Criminal gangs are now offering services such as DDOS attacks, botnet rental, malware creation and electronic money laundering. And then there are the more exclusive, targeted services such as whaling to attack high net worth individuals and organisations.
CaaS is one of the emerging threats associated with organised cybercrime, which is at the top of the latest Information Security Forum (ISF) Threat Horizon 2011 report. Criminal syndicates are also developing more sophisticated malware such as viruses and Trojans sold on a ‘commercial’ basis with guarantees including non-detection by anti-malware software and full helpdesk support.
There is a clear shift to highly targeted and planned attacks using a combination of social engineering and technical methods to steal identities and information for fraud. And it’s not just the large corporations under threat. A recent US report indicated that organised cyber-gangs in Eastern Europe are increasingly preying on small and mid-size companies to steal valid banking credentials in order to make fraudulent funds transfers. While not attracting the same level of notoriety as larger-scale breaches, many of these smaller businesses have suffered major losses.
As well as using remote techniques, there is also evidence that criminal organisations are recruiting employees as moles or sponsoring students through their IT education and placing them into targeted organisations. Theses threats are being accelerated by the financial crisis, fuelled by increasing staff turnover and dissatisfaction and the view that online crime is a lucrative and low risk alternative to other nefarious activities.
The other threats in the ISF’s Top 5 are weaknesses in the IT infrastructure, tougher statutory environments, pressures on outsourcing and offshoring and the erosion of the network boundary. Mobile malware, Web 2.0 vulnerabilities, espionage, insecure user-driven developments and changing cultures with a blurring of the boundaries between work and personal life, make up the remainder of the Top 10.
While many of the threats in 2011 are familiar ones, they are evolving to present new and sophisticated attacks. But the advent of cloud computing, for example, will also pose a new breed of threats and it is important to have the right controls in place to mitigate the risks.
Data is now the gold, the silver and diamonds of the online world and criminals increasingly see it as a low-risk way to steal money without going anywhere near the crime scene. But even in today’s financial climate and increased threat environment, we are better placed than ever before to meet these challenges – as long as we have the resolve to strengthen and invest in security rather than reduce it. Awareness and education are central. The new generation corporate culture driven by a younger, more techno-savvy workforce presents benefits but new employees must also be made fully aware of information risks and the need for tighter controls that may restrict their IT freedom.
The ISF Top 10 Threats
1. Criminal attacks2. Weaknesses in infrastructure3. Tougher statutory environment4. Pressures on offshoring / outsourcing5. Eroding network boundaries6. Mobile malware7. Vulnerabilities of Web 2.08. Incidents of espionage9. Insecure user-driven development10. Changing cultures