Posted: January 09, 2012
Why we’re losing the cybersecurity war
Time to give the good guys new weapons
By Jacques Erasmus
One glance at the headlines makes it clear: If cybersecurity is a battle, the bad guys are winning. Just this past holiday season, yet another assault made the news: a notorious band of hackers pilfered thousands of credit card numbers from security think-tank Stratfor's confidential client list.
Alarming as the story is, it's nothing new. Organized cybercrime groups have launched an onslaught of increasingly sophisticated attacks over the past few years, targeting everything from businesses to nuclear weaponry facilities to the Android device in your pocket. What has the security industry done to gain the upper hand? As the CISO of an Internet security company, I can say with certainty: not enough.
The Evolving Threat Landscape: How Did We Get Here?
Think about how differently you use technology today than five years ago. We connect to the Internet from anywhere, using smartphones and tablets to search for news, email our bosses, pay bills and check into flights. Our work and personal devices are interchangeable; we switch between email accounts with a single tap, paying little attention to the network connection we're using.
This blurring of lines causes a major challenge for IT departments. How do you lock down sensitive corporate information when employees carry it with them everywhere? Securing business data in today's "BYOD" (Bring Your Own Device) environment is complex. You may have a comprehensive security and Internet usage policy in place for the desktop machines on your network, yet you may have no visibility into the number of mobile devices connecting to it.
Similarly, social networks are now used ubiquitously for both personal and professional purposes. Consequently, they have become a huge target for attacks; hackers know that where there's data, there are dollars. But because social media is essential to certain efforts like marketing and communications, IT administrators must allow access on some level while still protecting their company infrastructure.
But most importantly, the approach the security industry has been taking to defend against cyberattacks no longer works. Traditional anti-malware products are signature-based, which means they identify and block threats based on a list of known malware. This worked fairly well when threats were changing on a daily or weekly basis. But now that we're seeing up to 100,000 new samples every day and advanced persistent threats recompiling themselves every five minutes, this approach simply can't keep up.
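To make the contrast concrete, here is an added illustration (not code from the original column or from Webroot): a hash-based signature check fails on a variant that differs by a single byte, while a behaviour-based check over the actions the sample performs at run time still fires. The samples, sandbox traces, rule weights and threshold are all constructed for the example.

```python
import hashlib

# Constructed stand-ins for two builds of the same malware: the second differs
# from the first by one byte, as a recompiled variant would.
SAMPLE_V1 = b"MZ\x90\x00payload-build-1\x00\x00"
SAMPLE_V2 = b"MZ\x90\x00payload-build-2\x00\x00"

# Signature database: hashes of samples the vendor has already seen (only v1).
SIGNATURE_DB = {hashlib.sha256(SAMPLE_V1).hexdigest()}

# Constructed sandbox traces: what each program did when run. The two variants
# behave identically; the benign installer shares only harmless actions with them.
TRACE_V1 = ["write_startup_entry", "inject_remote_thread",
            "read_browser_credentials", "connect_out:443"]
TRACE_V2 = list(TRACE_V1)
TRACE_BENIGN = ["write_startup_entry", "create_shortcut", "connect_out:443"]

# Weighted behaviour rules (assumed values; a real engine would tune these).
BEHAVIOR_RULES = {
    "inject_remote_thread": 4,
    "read_browser_credentials": 4,
    "write_startup_entry": 1,
    "connect_out:443": 1,
}
THRESHOLD = 5


def signature_match(sample: bytes) -> bool:
    """Classic signature check: flag only if the exact hash is already known."""
    return hashlib.sha256(sample).hexdigest() in SIGNATURE_DB


def behavior_score(trace: list) -> int:
    """Sum the weights of the suspicious actions observed in a sandbox trace."""
    return sum(BEHAVIOR_RULES.get(action, 0) for action in trace)


def behavior_match(trace: list) -> bool:
    """Flag a sample whose combined behaviour score reaches the threshold."""
    return behavior_score(trace) >= THRESHOLD


if __name__ == "__main__":
    for name, sample, trace in [("v1", SAMPLE_V1, TRACE_V1), ("v2", SAMPLE_V2, TRACE_V2)]:
        print(f"{name}: signature={signature_match(sample)} behavior={behavior_match(trace)}")
    print(f"benign installer: behavior={behavior_match(TRACE_BENIGN)}")
```

The one-byte change is enough to defeat the signature for v2, whereas both variants score 10 on behaviour and the benign installer scores 2.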
How Hackers Manipulate Our Weaknesses
Hackers know that humans are a company's weakest link, and today's highly mobile, open sharing environment gives them a multitude of entry points by which to carry out social engineering attacks.
Spear-phishing attacks were behind several major data breaches over the last few years; it happened with Sony, RSA, CITI and many more. Cybercriminals will scour social networks and websites to learn about a company's organization and activities, then send targeted emails filled with "inside" details to one or two very specific employees. The intent of these emails is usually to fool users into visiting a URL that infects their machines, which puts the company's entire infrastructure at risk. Think about it: If your manager emails you a link to a sales report on the specific product you just launched, would you stop to validate the link before clicking? Hackers are using these types of social engineering techniques more and more. It is much easier to target employees than to try to hack straight through the front door.
How Do We Fix It?
Several technical approaches can serve as a springboard: behavior-based detection, a move to the cloud, possibly even new forms of data, new layers of detection, and wholly new approaches as all computing becomes mobile computing. On top of all this, user education is critical.
But that's just the tip of the iceberg. What it comes down to is this: We're an intertwined Internet-based society, and together we need to ask: Now that we're here, what can we do? I envision security experts, business leaders, government agencies and educational groups coming together to ask the hard questions, to increase awareness, to train an army of cybersecurity "counter-terrorists" and to continue innovating. We all have a stake in this. It's time to develop new strategies and technologies that proactively prevent cyberthreats instead of simply reacting to the latest attack. Together, we can revolutionize the security industry. And in tomorrow's headlines, the good guys will stand in the victor's circle.
As Webroot’s first chief information security officer, Jacques Erasmus oversees all data security measures across the business, including development, implementation and compliance. He is responsible for managing risks related to Webroot’s information security, business continuity planning, crisis management, compliance and privacy. Erasmus brings to the role more than a decade of technical expertise, including nine years leading malware detection efforts at Webroot and Prevx, which was acquired by Webroot in 2010. At Prevx, he led incident response and PCI-DSS activities for many large companies worldwide and acquired various certifications, most notably CISSP and CISM certifications. In 2009 the British Computer Society named Erasmus "Young IT Professional of the Year." Prior to Webroot, Erasmus served as a senior-level consultant for Sun Microsystems where he advised on server ranges, security and backup infrastructure. Erasmus also worked as a third-party consultant performing penetration testing for a number of South Africa’s largest companies.