Several forces and circumstances are converging to cause significant shifts in the way we think about information security and risk management “best practices”.

I’d like to touch on each of these areas briefly, so we can explore how this situation may call for a different approach to protecting our information assets.

1. Recent high-profile breaches

2. Advancements in malware

3. Acceleration of the monetization of malware compromises

4. Pending federal breach notification legislation

Recent High-Profile Breaches

Recent major attacks against Epsilon, RSA, Sony, Citigroup, the U.S. Senate and the International Monetary Fund are highlighting a trend I’ve been watching for a while now.  As technology adoption continues to increase and companies work to find more ways to leverage the Internet, the range of possible attack vectors keeps expanding, and information security professionals are facing an ever increasing challenge in trying to protect company assets.  A company needs to try to protect against every possible kind of attack, whereas the bad guys just need to find one way in.

Advancements in Malware

Malware design is also advancing, and it is becoming increasingly common for attacks to go undetected by traditional, signature-based security controls.  As Anton Chuvakin (@anton_chuvakin) recently tweeted, “You can be ‘secure’ while only being hacked by people who you can’t detect and who don’t care about embarrassing you :-(”.  Just because your anti-malware software says your environment is clean doesn’t necessarily mean it is.  You may be surprised when you look deeper and see what’s already running in your environment, undetected.

Acceleration of the Monetization of Malware Compromises

Another rapidly developing trend is the monetization of malware installations.  As a recent article points out, most malware today is tied to the “Pay-Per-Install” market, where criminals pay anywhere from $7 to $180 per 1,000 already-compromised hosts on which to deploy their malware.
Part of what seems to be fueling this trend is the adoption of “Bitcoin”, a decentralized digital currency that runs over a peer-to-peer network with no central issuing or clearing authority.  Transfers are pseudonymous (every transaction is recorded in a public ledger, but addresses are not tied to real-world identities), which makes it attractive to hackers, drug dealers and others who want to avoid traceable payments.  Two US senators recently brought it to the attention of the US Attorney General, so its future is somewhat uncertain, but it’s something to keep an eye on.

Pending Federal Breach Notification Legislation

Discussion of some kind of federal breach notification law isn’t anything new, but with all of the recent high-profile breaches, there is renewed pressure to get something passed.  A draft bill from Rep. Mary Bono Mack (R-Calif) would require companies to report breaches within 48 hours and establish penalties for companies that fail to do so.

Insights and Conclusions

The traditional approach of focusing on securing the perimeter simply isn’t sufficient anymore.  The focus needs to shift to protecting the data itself.
Furthermore, businesses need to face the reality that a security breach at some point is almost inevitable.  This means investing not only in prevention, but also in incident preparedness: the ability to detect, contain and respond.  If federal legislation requiring breach notification within 48 hours is passed, many companies will be in jeopardy, because a breach often goes undetected for significantly longer than that.  The US Secret Service recently found that almost half of all breaches remain undiscovered for months or more.  Technologies that allow a breach to be detected and contained quickly are readily available, so it will become increasingly difficult for businesses that do not use them to claim reasonable due diligence in protecting sensitive information.
The 2011 Data Breach Investigations Report (PDF) from Verizon supports these observations as well:

  • 92% of breaches stemmed from external agents (a 22 percentage-point increase from the year prior)
  • 50% of breaches used some form of hacking, and 49% incorporated some kind of malware
  • The number one threat action type was malware used to send data to an external site/entity
  • The share of malware found to be customized (to help bypass signature-based controls) continues to rise significantly: 63% of malware seen in 2010 showed some customization
  • Over half of breaches remained undiscovered for months or more
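The two findings above that matter most for detection, malware sending data to an external site and customized malware that signatures miss, point the same way: watch behavior rather than file hashes. As an added example (not from the original post, and not any particular vendor's product), here is a small Python script that totals outbound bytes per internal host from proxy log lines and flags hosts that send far more to external destinations than their historical baseline, or push a large volume to a destination the organization has never talked to before. The log format, the internal address ranges, the per-host baselines, the thresholds and the sample log lines are all constructed assumptions for illustration.

```python
"""Behavior-based (signature-free) detection of outbound data exfiltration.

Added example. Everything below (log format, networks, baselines, thresholds,
sample log) is an assumption constructed for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
import re

# Assumed proxy log line format (constructed):
#   <timestamp> <src_ip> <dst_host> <dst_ip> <bytes_out> <method>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst_host>\S+)\s+(?P<dst_ip>\S+)\s+"
    r"(?P<bytes_out>\d+)\s+(?P<method>[A-Z]+)$"
)

# Assumed internal address space (RFC 1918); anything else counts as external.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip):
    """True when the destination address lies outside the internal ranges."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LOG_RE.match(line)
        if m is None:
            continue
        rec = m.groupdict()
        rec["bytes_out"] = int(rec["bytes_out"])
        records.append(rec)
    return records


def find_exfiltration(records, baseline, known_dsts, ratio=5.0, new_dst_min_bytes=50_000_000):
    """Flag hosts by outbound behavior rather than by malware signature.

    baseline   : {src_ip: typical outbound bytes per window} learned from history (assumed given).
    known_dsts : hostnames the host population normally sends data to.
    A host is flagged when its external outbound volume exceeds ratio * baseline,
    or when it sends at least new_dst_min_bytes to a single never-seen destination.
    """
    per_host = defaultdict(int)
    per_host_dst = defaultdict(lambda: defaultdict(int))
    for r in records:
        if not is_external(r["dst_ip"]):
            continue  # internal file-share traffic is not exfiltration for this check
        per_host[r["src"]] += r["bytes_out"]
        per_host_dst[r["src"]][r["dst_host"]] += r["bytes_out"]

    findings = []
    for host, total in per_host.items():
        reasons = []
        base = baseline.get(host)
        if base is not None and total > ratio * base:
            reasons.append(f"outbound {total} B exceeds {ratio}x baseline of {base} B")
        for dst, b in per_host_dst[host].items():
            if dst not in known_dsts and b >= new_dst_min_bytes:
                reasons.append(f"{b} B sent to previously unseen destination {dst}")
        if reasons:
            findings.append({"host": host, "bytes_out": total, "reasons": reasons})
    return sorted(findings, key=lambda f: f["bytes_out"], reverse=True)


# Constructed sample log: one normal host, one large internal copy, one host
# pushing ~375 MB in three POSTs to an external host nobody has used before.
SAMPLE_LOG = """\
2011-06-14T09:01:12 10.1.2.10 www.example.com 203.0.113.10 1824 GET
2011-06-14T09:03:45 10.1.2.10 update.example.org 203.0.113.20 2210 GET
2011-06-14T09:05:01 10.1.2.44 fileshare.internal 10.1.9.5 482000000 PUT
2011-06-14T09:10:22 10.1.2.10 www.example.com 203.0.113.10 1500 GET
2011-06-14T09:12:07 10.1.2.57 cdn.example.net 198.51.100.7 120000000 POST
2011-06-14T09:12:38 10.1.2.57 cdn.example.net 198.51.100.7 130000000 POST
2011-06-14T09:13:09 10.1.2.57 cdn.example.net 198.51.100.7 125000000 POST
2011-06-14T09:20:00 10.1.2.10 www.example.com 203.0.113.10 1700 GET
"""

# Assumed per-host baselines (bytes per window) and the organization's known destinations.
BASELINE = {"10.1.2.10": 2_000_000, "10.1.2.44": 50_000_000, "10.1.2.57": 3_000_000}
KNOWN_DSTS = {"www.example.com", "update.example.org"}

if __name__ == "__main__":
    for f in find_exfiltration(parse_log(SAMPLE_LOG), BASELINE, KNOWN_DSTS):
        print(f["host"], f["bytes_out"], "bytes out")
        for reason in f["reasons"]:
            print("   ", reason)
```

Run as-is, the script reports only 10.1.2.57 (375,000,000 bytes to an unseen external host, well above its baseline); the 482 MB internal copy by 10.1.2.44 is ignored because its destination is inside the internal ranges. In practice the baseline and the known-destination set would come from a few weeks of history rather than constants, and the flagged host would feed a containment step (egress block, isolation) rather than just a print.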

So as you work up your 2012 information security and risk management budgets, don’t forget to include security incident preparedness.  Your ability to quickly detect, contain and respond to a breach will have a significant effect on the overall cost and impact of the event.

Jeremy Simon, PCI QSA, CISSP, CISA
Practice Lead, PCI Compliance Services