Security in Troubled Times

Depending on where you live, spring is either here or just around the corner. (Here in the mountains of Montana, it is still around the corner, which is blocked by two feet of new snow.) But with the unemployment rate higher than 8 percent, we're still in the depths of winter when it comes to the economy. And like other sectors of the economy, higher education is suffering. Most colleges and universities are looking at the deepest budget cuts in more than a generation. And spring isn't in sight.

Over the next few months I will be exploring what that means for IT security. How are institutions coping? What are their plans? But before we consider those issues, let's step back and take a look at the state of IT security. What are the problems? What are the threats?

State of Security
Fortunately there is no shortage of information about the state of IT security. A number of organizations prepare annual "State of Security" reports, including Information Week's State of Security, ScanSafe's Annual Global Threat Report, Cisco's Annual Security Report, CSI's Computer Crime and Security Survey, Sophos' Security Threat Report, Verizon's 2008 Data Breach Investigations Report, and Symantec's Global Internet Security Threat Report. They are all worth reading.

Although each report varies, reflecting both the institution sponsoring the report and the security areas emphasized, there are a number of common themes.

Common Theme 1: Follow the Money
The days of the lone hacker who broke into systems for the intellectual thrill are long gone. Now folks are in it for the money. CSI calls this the "professionalization" of computer crime. Not surprisingly, CSI reports that the most expensive computer security incidents were those involving financial fraud, with an average reported cost of close to $500,000 among those reporting financial fraud. The second-most expensive incidents were those involving "bot" computers, which cost an average of nearly $350,000 per incident.

Fortunately, another financial trend CSI reports is that the average cost of all cybersecurity incidents is on a long-term downward trend.

But offsetting that good news is the fact that attacks became more sophisticated and targeted in 2008. ScanSafe found a surge in SQL injection attacks using automated attack tools delivered via botnets. The success of those attacks was such that by July the rate of Web-delivered malware was higher than the whole of 2007. And by October 2008 the rate was 21 percent greater than July. Even more troubling was that rather than focusing on credit card details and identity theft, the attacks seemed to be part of a systematic data harvesting operation.

Similarly, Information Week's State of Security Report, Dark Reading Analytics, reported that 53 percent of respondents identified increasingly sophisticated and difficult-to-detect attacks as the greatest challenge facing IT security departments today.

Both the CSI and Cisco reports cited targeted attacks as a top security concern for 2009. CSI concluded, "it is clear that targeted attacks--hypothetical just a handful of years ago--are a significant reality today." ScanSafe's conclusion was blunt: "The economic condition gives rise to the likelihood that cyber-crime is proving to be a viable business opportunity in a climate where legitimate opportunities are becoming increasingly more limited."

Common Theme 2: Sometimes the Good Guys Win
There is some good news. The CSI Survey also found that the percentage of respondents reporting incidents by categories such as viruses, bots, and laptop theft has been steadily decreasing since 1999.

But before we break out the sparkling wine, there is another view of the data. The Sophos Threat Report found that while the number of e-mails with infected attachments declined from one in 44 in 2005 to one in 337 in 2006 and to one in 909 in 2007, there was an upturn to one in 714 in 2008. More alarming is the fact that when Sophos looked at the data on a month-by-month basis, it found the number of e-mails with infected attachments increased from one in 3,333 in the first quarter of 2008 to one in 200 in September. Sophos attributed the increase to large-scale malware attacks from August 2008 onward. 2009 is not a time to be complacent.

Common Theme 3: Mobility and Remote Access
It comes as no surprise that a technology company, Cisco, was particularly concerned about the challenges related to mobile devices, Web-based tools, remote working, virtualization, cloud computing, and similar technologies. Their conclusion: "The edge of the network is expanding rapidly and the increasing number of devices and applications in use make the expanding network more porous creating new inroads for threats."

That's a topic for another column.

Common Theme 4: Beware the Insider
The danger presented by insiders can be viewed from two perspectives. The CSI data showed that the percentage of respondents reporting an insider security incident has gradually diminished since 1999, and CSI concluded that, while some insiders are particularly well placed to do enormous damage to an organization, the threat may have been overemphasized by vendors selling solutions to stop insider security infractions.

Verizon's 2008 Data Breach Investigations Report provided a more in-depth look at the source of data breaches and came to a different conclusion. When they tabulated who was behind a data breach in their 500 forensic engagements in 2008, they found:

  • 73 percent resulted from external sources;
  • 18 percent were caused by insiders;
  • 39 percent implicated business partners; and
  • 30 percent involved multiple parties.

The easy conclusion would be to dismiss the threat from insiders. But when Verizon looked at the number of records compromised, it found an insider compromised a median of 375,000 records as compared to 30,000 for an outsider and 187,000 for a partner. The researchers then multiplied "Likelihood" (fraction of compromises) by "Impact" (median size of records compromised) to obtain a "back-of-the-envelope" estimate of the "Risk" from each group.

Sources of Risk and Their Impact

Source     Likelihood (share of breaches)   Impact (median records compromised)   Risk (Likelihood x Impact)
External   73%                              30,000                                21,900
Internal   18%                              375,000                               67,500
Partner    39%                              187,500                               73,125

Source: Verizon's 2008 Data Breach Investigations Report

The greatest risk was from an organization's business partners, followed closely by the organization's insiders.
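To make the "back-of-the-envelope" method concrete, here is an added worked example (not from the column or from Verizon) that applies Likelihood x Impact to a constructed caseload. It also shows why the likelihood column can sum to more than 100 percent: a breach that implicates several parties counts toward each party's share.

```python
"""Risk-by-source estimate in the style the column describes:
Likelihood = share of breaches implicating a source, Impact = median
records compromised per breach for that source, Risk = Likelihood x Impact.
The caseload below is constructed sample data, not Verizon's figures."""
from statistics import median

# Constructed caseload: (parties implicated, records compromised).
# A breach listing two parties counts toward both parties' likelihood,
# which is why shares can add up to more than 100 percent.
SAMPLE_BREACHES = [
    ({"external"}, 5_000),
    ({"external"}, 30_000),
    ({"external", "partner"}, 120_000),
    ({"internal"}, 375_000),
    ({"partner"}, 187_500),
    ({"internal", "partner"}, 900_000),
    ({"external"}, 1_000),
    ({"external", "internal"}, 40_000),
]


def risk_by_source(breaches):
    """Return {source: (likelihood, impact, risk)} for every source seen."""
    total = len(breaches)
    records_by_source = {}
    for parties, records in breaches:
        for party in parties:
            records_by_source.setdefault(party, []).append(records)
    results = {}
    for party, recs in records_by_source.items():
        likelihood = len(recs) / total          # fraction of all breaches
        impact = median(recs)                   # median, so one huge case does not dominate
        results[party] = (likelihood, impact, likelihood * impact)
    return results


def multi_party_share(breaches):
    """Fraction of breaches involving more than one party (the 'multiple parties' line)."""
    return sum(1 for parties, _ in breaches if len(parties) > 1) / len(breaches)


def rank_by_risk(breaches):
    """Sources ordered from highest to lowest estimated risk."""
    results = risk_by_source(breaches)
    return sorted(results, key=lambda s: results[s][2], reverse=True)


if __name__ == "__main__":
    for source, (lk, imp, risk) in risk_by_source(SAMPLE_BREACHES).items():
        print(f"{source:<9} {lk:>5.0%} {imp:>10,.0f} {risk:>12,.1f}")
    print("multiple parties:", f"{multi_party_share(SAMPLE_BREACHES):.0%}")
    print("ranked:", rank_by_risk(SAMPLE_BREACHES))
```

With this caseload the likelihoods add to 137.5 percent, and the ranking differs from Verizon's table because the ordering depends entirely on the mix of cases investigated.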

This is consistent with the results of Information Week's Dark Reading Analytics, which found that 52 percent of IT security respondents worry most about "Insider threats in which employees or partners accidentally or maliciously endanger my company's data." In the words of Pogo, a famous 1950s cartoon character, "We have met the enemy ... and he is us."

For Financially Troubled Times: Observe the 80/20 Rule
Another common theme was variations on the old maxim "Don't let the perfect be the enemy of the good." The Verizon 2008 Data Breach Investigations Report found that, of more than 500 data breaches that were investigated, more than half required no or only a low degree of skill to perpetrate. Everyday security tools and precautions would have prevented them.

  • 3 percent: No special skills or resources were used. The average user could have done it.
  • 52 percent: Low-level skills and/or resources were used. Automated tools and script kiddies.
  • 28 percent: The attack employed skilled techniques, minor customization, and/or significant resources.
  • 17 percent: Advanced skills, significant customization, and/or extensive resources were used.

The 80/20 Rule holds that roughly 80 percent of the effects come from 20 percent of the causes, and this seems to work in a wide variety of situations. Microsoft has claimed that by fixing the top 20 percent of the most reported bugs, 80 percent of the errors and crashes are eliminated. In this case, a "20 percent" effort--security capable of stopping a skilled attack but unable to resist a highly sophisticated or novel one--would be good enough 83 percent of the time, the combined share of the first three categories above. These are basically the run-of-the-mill tools that we should already be running. The implications are pretty clear. As we worry about the latest sophisticated and exotic security threat--and I am as guilty as anyone--we can't afford to forget that executing the standard old stuff--firewalls, anti-virus, aligning process with policy, identity management, and encryption--offers a lot of bang for the buck.
