
Posted: January 09, 2012

Why we’re losing the cybersecurity war

Time to give the good guys new weapons

Jacques Erasmus

One glance at the headlines makes it clear: if cybersecurity is a battle, the bad guys are winning. Just this past holiday season, yet another assault made the news: a notorious band of hackers pilfered thousands of credit card numbers from the confidential client list of Stratfor, a private intelligence firm.

Alarming as the story is, it's nothing new. Organized cybercrime groups have launched an onslaught of increasingly sophisticated attacks over the past few years, targeting everything from businesses to nuclear facilities to the Android device in your pocket. What has the security industry done to gain the upper hand? As the CISO of an Internet security company, I can say with certainty: not enough.

The Evolving Threat Landscape: How Did We Get Here?

Think about how differently you use technology today than five years ago. We connect to the Internet from anywhere, using smartphones and tablets to search for news, email our bosses, pay bills and check into flights. Our work and personal devices are interchangeable; we switch between email accounts with a single tap, paying little attention to the network connection we're using.

This blurring of lines causes a major challenge for IT departments. How do you lock down sensitive corporate information when employees carry it with them everywhere? Securing business data in today's "BYOD" (Bring Your Own Device) environment is complex. You may have a comprehensive security and Internet usage policy in place for the desktop machines on your network, yet you may have no visibility into the number of mobile devices connecting to it.

Similarly, social networks are now used ubiquitously for both personal and professional purposes. Consequently, they have become a huge target for attacks; hackers know that where there's data, there are dollars. But because social media is essential to efforts like marketing and communications, IT administrators must allow some level of access while still protecting their company infrastructure.

But most importantly, the approach the security industry has been taking to defend against cyberattacks no longer works. Traditional anti-malware products are signature-based: they identify and block threats by matching files against a list of known malware. This worked fairly well when threats changed on a daily or weekly basis. But now that we're seeing up to 100,000 new samples every day, and advanced persistent threats whose code is recompiled or repacked every few minutes so that each copy carries a fresh signature, this approach simply can't keep up.
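To make the limitation concrete, here is an added example (not code from the article or from Webroot) contrasting a hash signature with a behavior rule. The "binaries", the hash list, the execution traces, the file paths and the IP addresses are all constructed for illustration; the behavior rule (drop a file, register it for autorun, then connect out) is a simplified stand-in for the behavior-based detection the article later proposes.

```python
import hashlib

# Constructed sample "binaries". VARIANT is ORIGINAL with one trailing byte
# changed, standing in for a recompiled or repacked copy of the same malware.
ORIGINAL = b"MZ\x90\x00" + b"constructed-payload-v1" + b"\x00" * 16
VARIANT = ORIGINAL[:-1] + b"\x01"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed signature database: the hashes a vendor has already seen.
KNOWN_BAD_HASHES = {sha256(ORIGINAL)}


def signature_detect(sample: bytes) -> bool:
    """Signature-based detection: exact match against known-bad hashes."""
    return sha256(sample) in KNOWN_BAD_HASHES


# Constructed execution traces: (action, argument) pairs a sandbox might record.
ORIGINAL_TRACE = [
    ("write_file", r"C:\Users\victim\AppData\Roaming\svc.exe"),
    ("reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"),
    ("net_connect", "203.0.113.7:443"),
]
# Recompiling changes the bytes, not what the program does.
VARIANT_TRACE = list(ORIGINAL_TRACE)
BENIGN_TRACE = [
    ("write_file", r"C:\Users\victim\Documents\report.docx"),
    ("net_connect", "198.51.100.20:443"),
]


def behavior_detect(trace) -> bool:
    """Behavior-based detection: flag the combination of dropping a file,
    registering it for autorun, and then opening a network connection."""
    actions = {action for action, _ in trace}
    persists = any(
        action == "reg_set" and "\\CurrentVersion\\Run" in arg
        for action, arg in trace
    )
    return "write_file" in actions and persists and "net_connect" in actions


def compare() -> dict:
    """Run both detectors over the constructed samples."""
    return {
        "signature": {
            "original": signature_detect(ORIGINAL),
            "variant": signature_detect(VARIANT),
        },
        "behavior": {
            "original": behavior_detect(ORIGINAL_TRACE),
            "variant": behavior_detect(VARIANT_TRACE),
            "benign": behavior_detect(BENIGN_TRACE),
        },
    }


if __name__ == "__main__":
    print(compare())
```

The hash lookup catches the sample it has seen and misses the one-byte variant entirely, while the behavior rule fires on both and stays quiet on the benign trace. Real behavior engines weigh many more signals than this three-event rule, but the asymmetry is the point: the attacker can change a hash for free, whereas changing what the malware does costs them their objective.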

How Hackers Manipulate Our Weaknesses

Hackers know that humans are a company's weakest link, and today's highly mobile, open sharing environment gives them a multitude of entry points by which to carry out social engineering attacks.

Spear-phishing attacks were behind several major data breaches over the last few years; it happened with Sony, RSA, Citi and many more. Cybercriminals scour social networks and websites to learn about a company's organization and activities, then send targeted emails filled with "inside" details to one or two very specific employees. The intent of these emails is usually to fool users into visiting a URL that infects their machines, which puts the company's entire infrastructure at risk. Think about it: if your manager emails you a link to a sales report on the specific product you just launched, would you stop to validate the link before clicking? Hackers are using these social engineering techniques more and more. It is much easier to target employees than to try to hack straight through the front door.
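Validating the link is something software can do before the user ever sees it. The following added example (not from the article) parses the anchors in an HTML email body and flags two classic spear-phishing tells: an href whose registered domain is not on the organization's trusted list, and a link whose visible text is a URL on a different host than the one it actually points to. The email body, the trusted domain, the hostnames and the crude "last two labels" domain rule are all assumptions made for illustration; production code would consult the public suffix list instead of that rule.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML email body. The first link shows the company intranet URL
# as its text but points at a look-alike domain; the second is genuine.
EMAIL_HTML = """
<p>Hi Dana, here is the Q4 sales report for the launch:</p>
<p><a href="http://sales-report.example-corp.co/login">https://intranet.example-corp.com/reports/q4</a></p>
<p><a href="https://intranet.example-corp.com/reports/q4">Q4 report</a></p>
"""

# Assumed: the organization's own registered domain(s).
TRUSTED_DOMAINS = {"example-corp.com"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host: str) -> str:
    """Crude registered-domain extraction: the last two DNS labels.
    Good enough for .com/.co here; real code should use the public suffix list."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_link(href: str, text: str) -> list:
    """Return a list of findings for one link; empty means nothing suspicious."""
    findings = []
    href_host = urlparse(href).hostname or ""
    if registered_domain(href_host) not in TRUSTED_DOMAINS:
        findings.append(f"href host not trusted: {href_host}")
    # If the visible text itself looks like a URL, it must agree with the href.
    if text.startswith(("http://", "https://")):
        text_host = urlparse(text).hostname or ""
        if registered_domain(text_host) != registered_domain(href_host):
            findings.append(
                f"display URL host {text_host} does not match href host {href_host}"
            )
    return findings


def audit_email(html: str) -> list:
    """Return [(href, findings), ...] for every link in the email body."""
    parser = LinkCollector()
    parser.feed(html)
    return [(href, check_link(href, text)) for href, text in parser.links]


if __name__ == "__main__":
    for href, findings in audit_email(EMAIL_HTML):
        print(href, "->", findings or "ok")
```

Run against the constructed body, the look-alike link produces two findings and the genuine intranet link produces none. The same check belongs in a mail gateway or a browser-side link rewriter; asking a busy employee to perform it by eye is exactly the weakness the attackers are counting on.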

How Do We Fix It?

Several technical approaches can serve as a springboard: behavior-based detection, movement to the cloud, possibly even new forms of data, new layers of detection, and wholly new approaches as all computing becomes mobile computing. On top of all this, user education is critical.

But that's just the tip of the iceberg. What it comes down to is this: We're an intertwined Internet-based society, and together we need to ask: Now that we're here, what can we do? I envision security experts, business leaders, government agencies and educational groups coming together to ask the hard questions, to increase awareness, to train an army of cybersecurity "counter-terrorists" and to continue innovating. We all have a stake in this. It's time to develop new strategies and technologies that proactively prevent cyberthreats instead of simply reacting to the latest attack. Together, we can revolutionize the security industry. And in tomorrow's headlines, the good guys will stand in the victor's circle.


As Webroot’s first chief information security officer, Jacques Erasmus oversees all data security measures across the business, including development, implementation and compliance. He is responsible for managing risks related to Webroot’s information security, business continuity planning, crisis management, compliance and privacy. Erasmus brings to the role more than a decade of technical expertise, including nine years leading malware detection efforts at Webroot and Prevx, which was acquired by Webroot in 2010. At Prevx, he led incident response and PCI-DSS activities for many large companies worldwide and acquired various certifications, most notably CISSP and CISM certifications. In 2009 the British Computer Society named Erasmus "Young IT Professional of the Year." Prior to Webroot, Erasmus served as a senior-level consultant for Sun Microsystems where he advised on server ranges, security and backup infrastructure. Erasmus also worked as a third-party consultant performing penetration testing for a number of South Africa’s largest companies.

The opinions expressed in this article are solely those of the author and do not represent ColoradoBiz magazine.

Readers Respond

Response Reader, The folks that make this technology don't seem to care as long as sales continue. I think that if you don't use the stuff you don't have the risk. How was business conducted before? Do we really need instant responses at the risk of National Defense being risked? I suspect there are ways to continue business and to use some of this newer technology without risk of information being taken by a hacker. To me technology is a drug that is legal, socially accepted, and creates the need for constant updates and safeguards. More stuff to purchase. More safeguards to create and sell. Another disposable thing to throw out in 6 months. It's a genie from the lamp. By Keith Paris on 2012 01 20
And, strangely, we transitioned from pencil to digital in part to defeat the increasingly able forgers - who had been active since the advent of paper money. Of course paper money was, in part, a way to outsmart the guys who shaved the edges off of gold and silver coins. Crooks will always try, won't they? By David Sneed on 2012 01 12
