The Business Network for the Protection of Your Critical Assets - Worldwide

The Changing Threat Landscape

07/08/2010

Computer World


In covering the security threat landscape over the years, two fundamental issues have stayed constant. First, the threat landscape continues to evolve and gain sophistication. Second, attackers will always be a step ahead of the defenders in exploiting vulnerabilities across the spectrum of people, process and technologies. But what's different today is the motivation, methods and tools of these attacks: we're no longer fighting an individual hacker, but a highly organized, well-funded crime syndicate, and in some cases, even a state-sponsored agent.


Also see Kark's Building a business case for information security


As IT security professionals work toward building their high-performance security organization, it will be essential to consider the changing nature of the threat landscape. In particular:


Motivation: Gone are the days when hackers bragged about their latest exploits openly in underground newsgroups to gain fame and notoriety. Today, organized crime is involved in these endeavors and is looking for big financial gains. Attackers will go after systems that store millions of records. Consider this stat: cybercrime costs the US economy $8 billion according to US Congress reports, equivalent to the Bahamas' GDP.


Method: Unlike the visible attacks of the past, low and slow attacks are systematic and precise: the attackers can take months gathering intelligence on the target and then go after the weaknesses systematically, covering all traces of their presence as they penetrate the different parts of the environment. The ultimate goal is to modify the application in some way so that they get a consistent stream of revenue over a long time period, as in the infamous TJX breach.


Tools: The move from manual to automated attacks significantly increases the amount of information and context a machine can extract from unsuspecting users. For example, French researchers have developed an automated social engineering tool that uses a man-in-the-middle attack to strike up online conversations with potential victims. They were able to entice users to click on malicious links sent via chat messages 76% of the time. Add to this the ability of machines to crawl the Web and glean publicly available information about you, and the results can be astonishingly precise in penetrating your defenses.


So what is the best way for CISOs to handle this changing landscape to compete with a new level of sophistication and rate of change in attack methods? Here are three key ways to manage the development process:


1. Invest in Your People Controls to Maximize Impact: There is no denying the fact that people are the most important control in any organization. And this year, 62% of IT decision makers are making "upgrading the security environment" a critical priority, according to Forrester's Q2 Global IT Budgets, Priorities, And Emerging Technology Tracking Survey. It's about time that the entire organization, especially management, take ownership of risk and become more involved with security decision making. Additionally, as companies expand the scope of security responsibilities, it is important to recognize that spending more on security does not mean better security. Some investments in information security will deliver much more value and mitigate much more risk than others. The application security area is one good example.


2. Manage Your Security Process Controls to Minimize Risk: It's one thing to develop policies and processes around security issues that the company complies with, but it's a lot harder to understand where your most sensitive data resides and what is an appropriate level of security for it. If processes are in place because "we have always done it this way," it's time to rethink your approach. Focus on avoiding the inefficiencies and expenses involved in bolting on security as an afterthought. Fixing a design error after you have already deployed a Web application costs approximately 30 times more than addressing it during the design process. This alone should be enough to convince business managers to make information security an integral part of the business processes.


3. Invest in Technology Controls to Gain Efficiencies: When deploying new technologies, look for ease of use, integration, and future expansion capabilities in addition to functions and features. Moving from detective to preventative controls is a sign of maturity in a particular area, but security needs to do a lot more than this. Consider having several layers of security to address more significant areas of risk, like having a DLP tool or even strong host-based security controls to give you advanced warning and help you identify malicious behavior proactively. But be sure to have complementary people and process controls. The more layers of these controls you can have, the better security you have.


These suggestions assume investment decisions are based on rational, objective risk assessments, where security programs are built on a risk-centered approach.