Today’s cyber criminals are stealthy, clever and ruthless — thieves who slip in the back door unnoticed to steal information and money.
The fight against cyber crime has evolved, and the good guys are still fighting the bad guys, but apparently, the bad guys are winning.
Experts say cyber criminals are better at attacking than the good guys are at defeating them. While technology — and threats to it — is undergoing rapid changes, defensive measures haven’t changed in decades.
“We still have our training wheels on, because we’re using the Internet for things it was never designed for,” said Marcus Sachs, vice president of government affairs and national security policy at Verizon. “The threats hit everyone equally — the private sector, the Department of Defense, personal consumers. The Internet is filled with lots and lots of bad people.”
Imagine a banking employee clicking on a link in an email that takes him or her to a website. In most cases, it’s a legitimate website — but it’s been taken over for a few hours by a cyber criminal. Going to the website allows the cyber thief to place a small bundle of code on the computer. Once it’s unpacked, it sends just a few bits of information to the controller: “I’m here. What are my instructions?”
But a clever criminal doesn’t start taking piles of money out of the bank. Instead, he shops around for the highest bidder and sells the computer controls to them. That’s the person who steals millions of credit card numbers — and sometimes cash — from the bank’s networks.
In most cases, computer systems and firewalls are never aware that the intruder is there, lurking in between millions of lines of code.
Nation-states are even more nefarious. For the most part, they’re not interested in disrupting networks or stealing cash. They want information. And the way to get it is to enter a network system quietly and quickly and download the data. Then they’re out — leaving few footprints behind them and few ways to track them down.
That’s the challenge described at the 2013 Cyberspace Symposium hosted last week by the Rocky Mountain Chapter of the Armed Forces Communications and Electronics Association at The Broadmoor.
Thanks to mobile devices and the cloud, it’s getting easier for cyber foes to enter networks and get information. Company information is at risk every time an employee uses open wi-fi at a hotel or the local coffee shop.
The good guys — the government, the banks, the telecommunications industry — must be swifter and more clever not only to defend against constant cyber attacks, but also to go on the offensive and keep them out in the first place, experts say.
“With the mobility in the cloud, you have information you can hold in your hand,” said Michael Singer, executive director for technology security at AT&T. “Mobility isn’t just the future — it’s the present. We need to come up with solutions to security threats in the mobile space.”
Companies should create a policy for the intranet, for the public cloud and for the private cloud, he said. And they should train IT professionals to seek new ways of combating cyber crime.
“The more mobile we get, the more security concerns we’ll have in and around the cloud,” he said. “We’re in a different environment now, and we need to be ready to protect it.”
Singer said the new mobility makes it easier to do business — but also makes it easier for the devices to be hacked.
He said Anonymous, the famous hacker group that shut down bank websites last fall, is particularly known for its “hacktivism” — shutting down sites with policies they oppose.
“They even created a Java version so other people can do it,” he said. “They had an iPhone app for sale in 12 hours. Four hours later, they had version 1.4. That shows the people we’re dealing with are innovative and fast. We have to be more innovating and faster. And no, we don’t recommend you download their app to see if you can slow your competitors’ websites.”
And because it is such a brave new world, security experts have to change their mindset.
“You have to protect the information — not the machine,” said Steve Ballmer, CEO of Microsoft. “That’s the reality of this new world — especially in the Department of Defense. We send information to our coalition partners, to nations we collaborate with.
“We’re not sure what security measures they have in place — so the information itself needs to be protected.”
But threats can come in other forms too, experts said. Since manufacturing is now a global industry, computers and computer parts are increasingly coming pre-loaded with malware. Guarding the supply chain is increasingly important.
And sometimes that means spending more money to make sure companies are receiving the product they need — not a cheaper knockoff that could be infected. Going to Amazon or eBay might not be the wisest choice.
“Everyone rewards their supply managers for saving money,” Singer said. “So when a supply manager goes online for the cheapest price, sometimes they’re getting a counterfeit. And that counterfeit could be coming with spyware. For instance, Microsoft did a test and ordered 20 computers from a website. Half of them were infected — because they knew they were going to the Microsoft headquarters. Imagine if you could download information directly from there — imagine what information they could get.”
The effort to protect networks and businesses has led to strange bedfellows. Groups and companies that normally compete — like AT&T and Verizon — are teaming now to fight cyber crime, and they’re openly inviting others to join in the conversation.
“We’re getting to a place where we haven’t been before,” Singer said. “We’re so much on open platforms that security concerns in and around the cloud need to be open and shared.
“So we’re sharing what we’re doing and asking people to take a look, see if they can break it.”
Lawrence Orans, head of network security research at the Gartner Corp., agrees that companies have to compare information to fight off cyber criminals and cyber spies.
“These attacks are targeted, and they’re constant,” he said.
“So we’re ‘leaning forward,’ being proactive.”
The groups are looking at security tools and using intelligence and analysis to control security threats, Orans said. The effort involves business leaders, providers, developers and programmers.
It also means gathering information that’s already out there.
According to Microsoft’s latest report, the things that companies protect against aren’t the biggest threats.
Less than 10 percent of attacks come from viruses, for example. The biggest group is labeled “miscellaneous,” which Sachs says means companies aren’t able to put them into a specific category.
To fight against an ever-changing, innovative enemy, he says, companies have to become nimble and flexible.
“Especially since cloud computing is now 25 percent of the market,” he said. “We have to mind the gap, identify targets and evolve security controls by upgrading the intrusion points. We have to avoid ‘rear view driving’ — we can’t just address yesterday’s concerns, we have to be more proactive.”
Working together will allow both the private and public sector to fend off the stealthy attacks of today — those attacks that are under companies’ radars, but lead to serious information leaks.
“This is scary stuff,” Orans said. “The types of attacks have taken a 180-degree turn. They are stealthy, quiet — and they are far more dangerous.”
$6 billion — firewalls
$1 billion — intrusion prevention systems
$3 billion — endpoint protection
$800 million — secure web gateways
Source: Marcus Sachs, vice president of government affairs and national security policy, Verizon
Cloud computing: Use of computer resources, both hardware and software, delivered over the Internet. The network that comprises the cloud handles the load of applications. Hardware and software demands on the user’s computer ease, as it only needs to run the cloud system’s software.
Private information and Social Security numbers of 780,000 people stolen from the Utah Department of Health. The reason: A password was not strong enough.
1.4 million credit card numbers stolen from processing company Global Payments. Names and security codes were not stolen. Cost: $84 million.
High-profile information including user identifications and passwords stolen from 6 million accounts at Bank of America and Wells Fargo.
Cyber criminals wiped out 30,000 computers at Aramco, a Saudi Arabian oil company. It took a week to fully restore services.
A number of denial-of-service attacks hit U.S. banks. Banks were unable to combat the attack. Izz ad-Din al-Qassam cyber fighters took credit for the attacks.
Red October, classified as malware, steals data from diplomatic, government and research agencies around the world. Russian analysts discover the hacking group and find it has been stealing global security information for years. The location of the group has not yet been determined.
Source: AFCEA Cyberspace Symposium