Cyber security is an essential tool for managing risks in today’s increasingly dynamic and capable cyber threat landscape. Yet the market for cyber security remains small, and organizations are making only tactical investments in cyber security measures—one of the reasons why there has been an increase in cyber attacks. Evidence suggests that this trend will last for some time to come. However, the anticipation of an increasingly open and mobile enterprise should help refocus the spotlight on strategic investments in areas like cyber security. Cyber security professionals who wish to see cyber security move up in IT’s priority queue should take immediate steps such as demanding secure software from suppliers and requiring rigorous acceptance tests for third-party code to help promote cyber security in the long run.
Because cyber security has a significant impact on vulnerability management, one could infer that the spotlight is only shifting to a different perspective and that commitment to cyber security may not have declined in the final analysis. Although viewed as a priority by many cyber security professionals, cyber security has not seen the appropriate commitment level reflected in IT’s budget allocation.
For example, data breaches resulting from web application hacking are almost always accomplished through the exploitation of application vulnerabilities like SQL injection or cross-site scripting. If cyber security is not improved at a larger scale, the industry will continue to be plagued with security incidents that result in data breaches or other consequences that are even more disastrous. Changing the attitude toward cyber security, however, would require a culture shift, a shift that places importance on proactive risk management rather than immediate return of Investment (ROI). This shift won’t happen overnight. In the meantime, cyber security professionals should follow these recommendations to implement a few immediate measures to effect positive changes:
Demand software quality and security from suppliers.
Perform stringent acceptance tests for third-party code.
Disable default accounts from applications.
Establish a secure operational environment for applications.
Implement effective bug-reporting and handling.
Perform risk assessments underpinned by strict Governance, risk and Compliance frameworks and legislations.
As the buyer side starts to demand secure cyber software, the power balance will start to shift toward more strategic approaches to managing cyber-level risks. Cyber security professionals can encourage this change by engaging in these longer-term initiatives:
Work toward an industry certification program for secure development practices.
Implement a cyber security program.
Continue to drive awareness of the changing cyber threat landscape.
So, in order to improve cyber security, companies and cyber security professionals should work in a concerted fashion to cultivate a culture that values and promotes cyber security. To help usher in such a culture, cyber security professionals should:
Do their part to promote a cyber security ecosystem.
Use mobile proliferation as a catalyst for cyber security.
Cybercriminals from China have spent more than six years cautiously working to obtain data from more than 70 government agencies, corporations and non-profit groups. The campaign, named Operation Shady RAT (remote access tool) was discovered by the security firm McAfee.
While most of the targets have removed the malware, the operation persists. The good news: McAfee gained access to a command-and-control server used by the cyber attackers and has been watching, silently. U.S. law enforcement officials are working to shut down the operation. The Chinese government is denying that it sanctioned the cyber attack operation; although, configuration plans for the new DoD F-35 stealth figher were comprised by the cyber attackers. So, with the preceding in mind, the following are five things that came to light:
Seventy-two (72) organizations were compromised.
It was just not North America and Europe.
When the coast was determined to be clear, the cyber attackers struck.
This was a single operation by a single group (probably the Chinese).
The only organizations that are exempt from this cyber threat were those that did not have anything valuable or interesting worth stealing, from a national security point of view.
The loss of this data represents a massive economic cyber threat not just to individual companies and industries, but to entire countries that face the prospect of decreased economic growth in a suddenly more competitive landscape; the loss of jobs in industries that lose out to unscrupulous competitors in another part of the world; not to mention, the national security impact of the loss of sensitive intelligence or defense information.
Yet, the public (and often the industry) understanding of this significant national cyber security threat is largely minimal due to the very limited number of voluntary disclosures by victims of intrusion activity compared to the actual number of compromises that take place. With the goal of raising the level of public awareness today, this is not a new cyber attack, and the vast majority of the victims have long since remediated these specific infections. Although, whether most victims realized the seriousness of the intrusion or simply cleaned up the infected machine without further analysis into the data loss remains an open question.
The actual intrusion activity may have begun well before 2006, but that is the earliest evidence that was found for the start of the compromises. The compromises themselves were standard procedure for these types of targeted intrusions: a spear-phishing email containing an exploit is sent to an individual with the right level of access at the company, and the exploit when opened on an unpatched system will trigger a download of the implant malware. That malware will execute and initiate a backdoor communication channel to the web server and interpret the instructions encoded in the hidden comments embedded in the webpage code. This will be quickly followed by live intruders jumping on to the infected machine and proceeding to quickly escalate privileges and move laterally within the organization to establish new persistent footholds via additional compromised machines running implant malware; as well as, targeting for quick exfiltration the key data that the cyber attackers came for. In the end, one very critical question remains unanswered: Why wasn’t the Department of Homeland Security (DHS) all over this cyber breach during the last 6 years when “Operation Shady Rat” was alive and well?? After all, isn’t DHS supposed to be the security guardians of the cyber world?
If “Operation Shady Rat,” wasn’t bad enough, hackers are now using outfitted model planes/drones to hack into your wireless system. Built from an old Air Force target drone, the Wireless Aerial Surveillance Platform (WASP) packs a lot of technological power into a flying high-end cyber endurance package.
1: In order to implement a few immediate measures to effect positive changes, what recommendations should cyber security professionals follow? Discuss all available frameworks, legislation and regulatory requirements on which information security professionals can base their proposal(s).
2: Critically discuss long-term initiatives to encourage positive change with regards to assessing security risk and maintain privacy in a corporate environment. What kind of security risk assessment methodologies can be identified for better mapping of the threat landscape? Provide a detailed comparison of these methodologies.