[BreachExchange] Keeping pace with the evolving cyber crime landscape

Audrey McNeil audrey at riskbasedsecurity.com
Mon Mar 7 19:58:41 EST 2016


http://www.itproportal.com/2016/03/05/keeping-up-with-evolving-cyber-crime-landscape/

In the past five years the cyber threat landscape has grown exponentially.
Despite developments in cyber security and increases in security budgets,
nearly every week sees a new high profile security breach being reported in
the media.

As a result, a growing number of companies are fast coming to the
conclusion that no amount of investment in security can keep them
protected, believing that when it comes to combating the cyber crime threat
it’s a case of ‘when, not if.’

The fact is that companies – and even consumers – are creating, storing and
utilising data at an unprecedented rate, and it’s this data that the cyber
criminals are after. What’s more, experts predict the attack opportunities
for hackers will blossom once the Internet of Things proliferates and makes
valuable data accessible from an ever-widening selection of entry points.

Clearly, it’s time for a rethink. Yet a study by 451 Research shows that
companies continue to allocate just 1 per cent of their total security
technology spend to data protection measures. And they’re paying a heavy
price for focusing solely on network and device security.

Too much focus on perimeter-based security

Until now organisations have largely adopted a perimeter-based security
strategy that’s failed to keep pace with evolving attack approaches.

In 2010 companies spent nearly half of their security technology investment
(44 per cent) on network security. In the same year, 761 major data
breaches were recorded, compromising 3.8 million records. Physical
tampering, spyware and data-exporting malware were the top three attack
methods utilised, yet little spend was dedicated to protecting the very
data that serves as the target for so many attacks.

In 2011 the use of stolen credentials emerged as the top mode of attack,
with companies like Sony PlayStation and Steam falling victim to cyber
criminals. A total of 855 major data breaches were recorded, compromising
174 million records – a major uptick on 2010 statistics – yet companies
continued to invest 39 per cent of their security technology spend on
network security. Despite the massive increase in attacks through the use
of stolen credentials, companies continued to invest just 1 per cent in
data protection.

By 2012 backdoor exploitation had materialised as the hot new threat on the
block. In response to the growing cyber threat companies upped their total
spend on network security to 43 per cent, with more than a fifth (21 per
cent) of budgets going to database security, 13 per cent to endpoint
security/anti-virus, 8 per cent to identity management – but once again
just 1 per cent was dedicated to data protection.

Fast forward to 2014, during which stolen credentials, RAM-scraping malware
and spyware became the most popular modes of attack employed by cyber
criminals. Sony experienced yet another major breach and the overall number
of data breaches experienced by companies increased dramatically. Overall
there were 2,122 major recorded breaches, compromising 700 million records,
yet once again companies failed to shift their security spend accordingly.

In a repeat performance of previous years, network security technology
investments continued to take the lion’s share of security spending at 38
per cent, with 16 per cent going on application security, another 16 per
cent on database security, and 13 per cent to identity management. Contrast
this with data protection, which yet again represented the lowest spending
category at just 1 per cent of total IT security technology spend.

Evaluating the risks today – and into the future

2015 saw some of the biggest data breaches on record, particularly in the
US healthcare sector, which is seen as an easy target due to low IT
security budgets and high volumes of sensitive data. Last year’s mega
breaches in healthcare tell the tale, with the top five globally – Anthem,
Premera, Community Health Systems, Carefirst, and Systema – totalling just
shy of 100 million records lost.

Add to this the growing threat of state sponsored hacktivism, and a worrying
picture begins to emerge. The last 12 months have seen more than their fair
share of highly targeted, state sponsored cyber attacks with China and
Russia two of the major perpetrators, amongst others. It’s widely believed
that many of the US healthcare attacks mentioned above were the work of
Chinese espionage, particularly the attacks on Anthem and Premera.

But while attacks are growing in sophistication, many individuals and
organisations are also encountering old tactics being used in more creative
ways. In particular, social engineering attacks like spear phishing have
become more targeted and resourceful, relying on crafty cyber sleuthing and
other tricks to make their efforts even more effective. For instance, many
victims of the recent TalkTalk data breach in the UK claim to have been
targeted by very sophisticated phishing attacks, some occurring even before
the breach was reported in the media. In one case, the perpetrators were
able to slow down the victim’s internet connection before contacting them
under the guise of TalkTalk’s technical support team. They then used the
personal details stolen in the breach to try and extract payment
information from the target.

With the Internet of Things here to stay and the growing availability of
new mobile payment instruments such as Apple Pay, the possibilities for
attack look set to increase. Today’s technology is advancing apace as new
ways to leverage cloud applications and mobile devices come into play. The
only factor that hasn’t changed is that sensitive data is vulnerable and
needs to be secured with data protection technologies and policies that
follow a corporation’s sensitive data while it’s in use, in transit and at
rest.

The truth is our data is no longer just confined to networks where it can
be protected. And that means organisations need to turn their current cyber
security strategy around, putting the focus on data protection technologies
and strategies rather than network security and traditional anti-virus.

Until corporations evolve their security methodologies, data will continue
to be at risk.