FEAR, UNCERTAINTY AND DOUBT. These are the trade of people selling security products. They don't make sales by telling you that all is well. Given the shrill voices at the moment on enterprise security, what is the realistic risk that your enterprise will be successfully breached over the next two years and, if so, what are the resulting costs?
In the old days of two to three years ago, most enterprises were relatively safe hiding behind their firewalls, anti-virus, intrusion detection systems and intrusion prevention systems. Commercial for profit crime was mostly targeted against financial institutions and there were always stories and criminal prosecutions against "hackers" trying to gain access to military systems. The chances that a "hacker" would try to access your enterprise were relatively small. What has changed since this time period?
There are three concurrent factors that has sharply raised the level of enterprise risk:
1. Organized crime has entered the internet
2. Botnets have been created
3. Malware has grown very sophisticated
The entrance of organized crime to the internet has changed the security game. Criminals have realized there is easy money to be made, on a recurring basis, from the internet and from successfully breaching enterprises. They have developed three general markets:
* Consumer identity theft via email - criminal fraud
* Enterprise breaches - corporate theft
* Enterprise denial of service attacks - essentially criminal ransom or blackmail
This is not the normal gang operation where a gang has a few hundred members around the world and targets just big business. Today, these "gangs" have several thousand members. They have thousands of programmers hired to design successful criminal software, tailored to breach a specific type of defense. They operate globally and locally. As recent as last month, enterprises with only a few thousand employees have been targeted including hospitals.
Organized crime has developed a series of computers which they have taken control over, unknown to the computer owners. Called "bots", organized crime is busily developing a vertical market.
First, they make money by sending out spam email. Today, 91% of all internet email is spam. The spam goes out to most digital citizens. In the UK, it has been documented that up to 5% of people have bought from spam emails.
When the organized criminals make money, they quickly launder it using "mules" who operate out of their homes. The money is moved around the world and then reinvested in criminal and legitimate businesses.
The clicking by citizens on the email links offers the criminals the ability to create more bots. Malicious software is downloaded into the user's computer taking over the computer.
The next step up the vertical market ladder is to now take the bots and use them to attack enterprises. It has been estimated that around 10% of all computers are infected. One recent study estimated that 89% of citizens computers were infected with spyware.
Organized crime uses bots in two general ways:
1. To launch successful denial of service attacks on enterprises
2. To quickly launch malware attacks against enterprises
Denial of Service Attacks:
The denial of service attacks on enterprises are rising. It's hard to document exact numbers since most enterprises don't want to publicly admit they were attacked. However, evidence shows it is rising. Authorities believe that only a few enterprises in every hundred attacked are reporting. Regardless, criminals can bring about huge attacks by using bots that are big enough to even shut down portions of the internet! (Read the US-Cert Advisory here and the presentation this past spring on the size of attacks here.) Faced with this type of attack, most enterprises are forced to quietly pay off the attackers.
There has been a documented, growing trend over the last two years in general enterprise attacks. The use of the bots has enabled organized crime to quickly take a new attack and "get it out" to attack millions of enterprise computers within a few days. There are two general patterns emerging for these attacks:
* Spam type email which if your employee clicks on it downloads malware into your enterprise
* Targeted attacks - this type, commonly known as "Spear phishing" is growing rapidly. It is this type of attack you should be worried about. I'll refer to this later in this blog.
The message here is that by using their botnets, criminals can quickly get an attack going against most enterprises. Since your enterprise uses email, you are prone to these types of attacks.
The third fundamental change over the last two years has been the evolution of malicious software (malware). Organized crime has put thousands to hundred of thousands of programmers to work developing attack code. As I have documented in numerous blogs (read here and here), the attack code is very sophisticated. Today, the code comes with it's own built in:
* anti-spyware code (to keep out other competing malware as well as to protect itself from enterprise anti-malware)
* the ability to hide amongst the operating systems rootkit kernels (making it extremely hard to see and even harder to get rid of once detected)
* code changes every 30 minutes (this makes the current vendor anti-spyware methods of keeping a list of the "bad guys" obsolete since the "signature" for each attack changes every 30 minutes)
It has been repeatedly shown that existing anti-virus, IPS and IDS defences are becoming more easily bypassed in the face of this malware. As bad, it has also been documented that getting rid of the malware, once it's detected by the anti-spyware software, is very poor (a study this past September against a suite of malware taken from a honey pot found that the best rate amongst a suite of vendors for spyware removal was around 38%).
In summary then, organized crime has arrived big time on the internet. They are quickly developing their own vertical markets by using spam, botnets and malware. Most experts agree that this is a real "arms race" with the advantage currently with the attackers, likely for the next TWO TO THREE YEARS!
Your enterprise firewalls are constantly being attacked by bots. The firewalls operate on the basis of allowing everyone in except for the bad guys who are maintained on a list. This type of defense is proving to be easily breachable. The pace of attack change to to your enterprise is on the order of a couple of days from when a new attack is devised to 30 minutes.
YOUR ENTERPRISE RISK
Given all the above, here are my general postulates:
1. Even with the best firewalls, anti-virus, intrusion detection and prevention services, the chance of your enterprise being breached over the next two years is very high due to botnets.
2. As a result, the chances of your workers uids and passwords being in the hands of organized crime is also high since the malware will successfully capture this and export it back out through your firewall.
3. Targeted enterprise attacks will also rise. These will involve combinations of external attacks and internal workers, janitors, temps and others.
To evaluate your risk, first let's look at your enterprise from a criminals point of view. They want to make money and not get caught. What is in your enterprise that would appeal to a criminal?:
* payables system
* data that's valuable
* products that you make
My own personal view is that over the next two years, organized crime will go after weakly protected payables systems with poor reporting processes. Why?
It's easy money. If done properly, it can be a regular cash cow for the criminals spewing out payments every month. Here's what criminals need to do to accomplish this:
1. Identify the type of software you use for payables
2. Determine the approval process and separation of duties for:
a). Creating electronic accounts
b). Approving invoices
c). Approving payment of the invoices electronically
d). Invoice approval limits
3. Determine the individuals involved in the above
4. Obtain their uids and passwords
5. Create the electronic accounts masquerading as the employees
6. Create and submit the electronic invoices
7. Approve the invoices masquerading as the employees
8. Approve the electronic payment masquerading as the employees
While all this might seem like a lot of work, it's actually not that hard to do. If criminals are smart they will target industries. For example, universities. Generally most universities use either Banner, PeopleSoft or SAP. By having the local organized crime do the footwork it won't be hard to obtain the people involved in the process and determine the approval limits. Then the rest is a matter of setting up the process such that it can be done remotely in the off hours. If the reporting process is poor and, if the invoices are kept relatively small, this can go on for a very long time before it's detected.
Data that's valuable:
Credit cards are one prime choice. This involves getting the uids and passwords of the person who administers the database. If the data is unencrypted it is child's play to take the data and then use it elsewhere to the criminal's benefit.
Other data that might be valuable is competitive information. For example, recently in Canada, WestJet airlines used scheduling data data from Air Canada's system to offer more attractive flight schedules and rates. This involved access to Air Canada's scheduling system from an ex-employee.
Products that you make:
There was another Canadian story last year about a company that had been successfully infiltrated by criminals and where invoices were created and products shipped to fictitious companies. This will become more common as criminals look for low hanging fruit in manufacturing companies.
Given the above, what is the risk to your enterprise?
If you continue to use uids and passwords for sensitive networks, applications and information behind the enterprise firewall, I say that your risk is high that you will be on the criminals hit list if you are an enterprise with over several hundred employees. Once you're this big, the chances are better for the criminal that they can operate amidst your bureaucracy and your internal business processes electronically without being noticed for quite a while.
If you have weak payables processes and use electronic payments, then the risk is also high. It's much easier for criminals to rob you than take on a bank. A little local on the ground footwork coupled with payables system knowledge means you can be easy prey.
If your internal databases holding credit card information is poorly protected, then you are also at high risk for an attack. The best part of it is for the criminals is that you might never realize you have been attacked or, it will take you months or years to realize it. The pubic cost of admitting this disclosure is high. Read here for an analysis of the cost of a security breach.
If you do manufacture products, and your business processes for approving shipment and payment are weak (using uids and passwords to approve), then you too can expect a high risk of attack over the next two years.
The general costs of these types of attacks will be in the hundreds of thousands to millions of dollars depending on the numbers of identities stolen (and disregarding the amounts lost from payables or product loss). If you have to publicly report the attacks, then the enterprise cost is much higher due to bad publicity, stock price hits, customer relations, etc.
HOW TO MITIGATE THESE RISKS
THERE IS NO SILVER BULLET. There is no one product you can buy that will magically prevent these types of attacks from happening. Instead, you need three components to prevent or mitigate the risk from such attacks:
1. Security architecture using layers of identity based security
2. Operational infrastructure to quickly detect problems in the making
3. Good solid business processes to prevent such attacks from happening or, to quickly realize an attack has happened and shut it down quickly.
As I have documented in a couple of white papers (read here and here), enterprises need to have multiple layers of security. This ranges from training users to not click on email links, through to a robust perimeter, to the user of stronger authentication as the user drills towards more high risk areas to deployment of transaction authentication protecting the enterprise crown jewels.
Get your head around protecting what's behind the firewall with all sorts of layers. Start imagining organized crime behind your firewall. Think of targeted spending to reduce the risk by deploying layers of stronger authentication.
Operational infrastructure to detect problems in the making:
This is hard to deploy in larger enterprises. You need to cross over internal enterprise silos and create teams of people and systems to detect attacks in the making. This must involve the network security, IT security, payables, customer marketing, finance and shipping. You need to have cross team meetings, reporting systems and detection systems at all levels of the enterprise working together. If you don't, then it's quite likely you will be prone for a successful attack.
You need to tighten up business processes. Think like a criminal. Identify areas where your business processes are weak and could be low hanging fruit for organized crime. Tighten them up. If you do so, you will likely either prevent these types of attacks from happening in the first place or, determine it is happening early on and contain the damage by quickly closing the hole.
The high level of FUD out there is currently justified. It is not just more scare talk by security sales people to generate sales.
Don't believe that one product is going to solve your enterprise risk problems. The challenges involved require layers of security coupled with good business processes. This will be hard to sell in the enterprise since it means that you've got to cross silos to create a successful solution that will minimize your risk.
Your CFO, CEO, COO, CIO, CSO and VP Marketing all need to be on the same page re understanding that the security game is quickly changing with organized crime entering the digital fray. Tell them that the attack patterns are changing, your existing defenses likely are breachable, the potential costs are in the millions of dollars and that it's better to spend a penny now than a pound later.
I realize that this is a tough sell to senior management. However, the main message from this blog is:
THE INTERNET IS NOW A TOUGH DANGEROUS WORLD.