Cyber-security is a concentration of information security focused on computers, systems and other IT-related resources connected to the Internet. As private and government sectors continue to grow their online presence, there is an increasing demand for controls to limit the risk of cyber attack threats. Numerous high-profile cyber incidents in recent years highlight the need for cyber security awareness; the increase in awareness should address the issue of ensuring the information security program is aligned with the company’s or government’s tolerance for risk.
In the early 1980s, as computer systems started to interconnect more widely, electronic nuisances began to emerge. Starting as experiments designed to answer the question, “What is possible?,” computer “viruses” began to be harvested for their usefulness as tools for mischief and crime. Awareness of these activities grew, and in 1986, Congress passed the first computer security-related legislation as the Computer Fraud and Abuse Act, which addressed federal computer-related offenses. In response to emerging and evolving threats, this piece of legislation has been amended several times, as recently as 2008 by the Identity Theft Enforcement and Restitution Act. Additionally, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Federal Information Security Management Act of 2002 (FISMA), and the Sarbanes–Oxley Act of 2002 (SOX) set standards for information cyber security for the healthcare industry, federal government and publicly held companies, respectively.
Threat Evolution
It is important to understand the motivation of your adversary to understand a threat fully. Like everything in the IT world, the human threat factor to computer security has seen a quick evolution. Early computer “hackers,” a term that originated in the 1960s around MIT to describe model train fanatics, were computer enthusiasts, tinkerers and programmers who modified their equipment to change how it worked and customized computer hardware and software to optimize it for their specific needs. They were motivated by their expertise, curiosity, excitement and the exploration of the unknown. Pop culture in the 1980s and 1990s glorified what was possible with “personal” computers in movies like Hackers, Sneakers and WarGames, which ushered in a younger generation of hackers. Soon after, the hacking community encountered a divide, with the younger adversaries directing their technological know-how to pirate software, movies and games, as well as to create viruses and worms that were often used to shut down computer systems.
According to a new GAO report on the Defense Department’s cyber efforts, the major sources of today’s cyber threats are hacktivists, criminal groups, insiders, terrorists and foreign intelligence services. Cyber warfare and espionage are often used to describe malware campaigns lodged against what appear to be very selectively targeted victims.
How This Applies to Business
The movement toward highly-organized, typically well-funded cyber threat campaigns is apparent. With security controls becoming more and more sophisticated, attackers now operate with very specific objectives, designing their attacks with much higher precision. Recently released information regarding the highly publicized attack against EMC, makers of the widely-used RSA SecurID token, support this claim. Information released by the security firm F-Secure suggests that a nation-state, unable to steal military secrets from Lockheed-Martin and Northrop-Grumman because both companies used RSA SecurID tokens for network authentication, shifted their attack to EMC. The attack was launched with a targeted email to EMC employees that contained an attachment with embedded malicious code. Ultimately one or more EMC employees opened the attachment, which created a backdoor into the EMC’s network, allowing the attackers access to steal sensitive technical details on how RSA security tokens worked. The EMC compromise led to the replacement of RSA SecurID tokens for private companies and government agencies around the world, at an estimated cost in the millions of dollars.
Approach to Current Threats
Technical security controls such as network firewalls, anti-virus software, client firewalls and intrusion detection/prevention systems, properly deployed using a defense-in-depth strategy will limit the risk of remote cyber attacks. But as was made evident in the EMC network compromise, the most vulnerable and ever-increasing attack vector is the end user. Client-side attacks, in which end users are led to execute a process by opening a malicious email attachment, visiting a website hosting malware or plugging in a removable media device, are on the rise. Organizations need policies, processes and plans in place to prevent, detect and respond to these types of threats. Had the EMC employee(s) been well-trained in what types of suspicious activity to be aware of, the breach may never have materialized.
Continuous end-user security training, situational awareness programs and acceptable use policies should all be implemented and enforced to instill a security-minded atmosphere in organizations. Organizations can perform their due diligence by cultivating a cautious and guarded workforce with a well-defined situational awareness program. Users should be made aware of emerging threats and trained in their role in reporting incidents or suspicious activity to the organization’s security team. Unexpected email attachments should not be opened and found USB keys should not be used. When in doubt, services like virustotal.com should be used to scan files and URL web links for malicious content. iBi
Sean Hope, CISSP, CISM CISA, CEH, is a senior security analyst with CIAN, Inc., on the web at ciancenter.com.