Someone recently posed this question to me and a few cohorts here at Tripwire:
What are your Top 5 IT Security Events for 2010?
At first, I responded with RSA, Blackhat, Infosecurity Europe, B-Sides, etc., then realized the question attempted to get at incidents or interesting developments in the last year. That task proved to be much harder.
Any time I’ve been asked to cobble together a list of “Top anythings”, it has always been akin to “What are your Top 5 bands or movies?” By that, I mean, they usually change George Costanza-style on the drive home (video) (ohhhhh, I should’ve said < Insert obscure, uber-hip band name here>).
With that in mind, here are my Top 5 IT Security Stories/Incidents worthy of consideration in no particular order, with a detailed rationale for each of my choices. Agree? Disagree? Think of one on the drive home? Fire away in the comment section.-ME
The “Stuxnet Effect” on Cyber Security
In 2010, “Stuxnet”
- Captured media and global governmental attention because it was the first high-profile case of a dramatic shifting of war from on-the-ground to the cyber world. While the republics of Georgia and Estonia had illustrated this shift first in 2007, the Stuxnet attack in the Spring/Summer of 2010 brought the new battlefield home to the U.S. Government because it attacked Command and Control (SCADA) systems responsible for regulating the energy grid.
- Showed, through its combination of four Zero-day attacks that very talented, coordinated and probably state-financed groups can wreak global havoc on really old equipment. Some energy grid systems are 50-80 years old and rife with vulnerabilities that are ripe for current attack methods or modern advancements in malware development.
- Taught an important lesson: If you are a target of this type of attack, it will happen and it is next to impossible to prevent.
- The countermeasure for high profile targeted attacks such as these is to return to the basics of info and system security:
- Protect (monitor all systems around the clock for up-to-date patches and configurations across the entire IT infrastructure)
- Detect patterns of behavior that are suspicious using a correlation of suspect log events, system changes and near real-time alerting of configuration errors that attackers exploit
- Resolve compromises as fast as possible with the ability to find the breach and return systems to a secure state by combining a pre- and post-breach cyber forensics program and automating the system baselining process.
- Another key lesson with Stuxnet that will hopefully have a lasting impact was the realization that an attack of this kind in one place is a global event that will require a global response and the cooperation of governments and businesses around the world.
Security & Compliance in The Cloud
Much like the concept of cyberwar in the Stuxnet example, “The Cloud” is here to stay. Your first clue is “The” in “The Cloud.” It’s kinda like Madonna, Cher, Prince or The Hoff. (No, not that “Hoff” ). Love ‘em or hate ‘em, once they’ve attained “The” status, they’re not going anywhere. Why?
- The Cloud is largely perceived by business users as a lower cost, environmentally responsible alternative to cash- and energy-sucking server farms that are holding an exponentially growing deluge of data that exceeded the storage available in 2007 (See image).
- Large cloud providers like Amazon have rushed to become PCI compliant in an effort to protect sensitive data, namely cardholder data, but the cautionary tale here is that providers, particularly small and medium businesses using The Cloud to cut corners and save money have to realize that they have a responsibility to secure their own systems and sensitive data as well or it can be compromised where it lives in their environment and on user systems
- One other critical issue that security experts point to is that by storing sensitive data in one place, and sometimes in a shared environment with other companies, they have unintentionally created a very rich singular target for a patient, deliberate and well financed cyber crime organizations.
- The key, and this is certainly true of where Tripwire is working to address security in the cloud, is to monitor the critical systems, infrastructure and sensitive data stored with cloud service providers, alert on high-risk behaviors in the public, private and hybrid cloud environments and resolve anomalies on demand to guard against cyber attacks of this kind.
Cyber forensics as an emerging industry
OK…I have to admit, I see a David Caruso spin-off here in our future, complete with aviator shades, IT-flavored one liners (“His Java Script didn’t have a happy ending”) and a screaming Who song (in my Top 5, btw). Not sure if that’s a good thing or a bad thing, but that digression aside, for me, the driving factors behind cyber forensics are:
1. Rapid evolution of attack methods and malware have created the need to approach threat detection beyond the old signature-based model of known vulnerabilities to real-time behavioral analysis of anomalies in an IT environment across systems, files and security controls already in place (firewalls, anti-virus, security policy frameworks like CIS, etc.).
2. A desire to be proactive on IT security rather than reactive to breaches. Cyber forensics enables pre-breach analysis that can identify risks and in most cases guard against a breach. In addition, it improves incident response by delivering post-breach analysis for reporting purposes and identifies how sensitive data or systems were compromised to harden the environment against future attacks.
3. Technology advancements that enable real-time, continuous monitoring, alerts based on suspicious occurrences and automated, intelligent resolution: Tripwire’s behavioral approach to detecting threats includes monitoring the IT ecosystem around the clock for incidents that weaken a company’s security posture, correlating suspicious log events and suspicious file changes in near real time to identify threats faster and on-demand remediation of any configuration errors in the environment that contributed to the breach.
SMBs taking a big-boy beating on the cyber attack front
- Recent reports are pointing to a growing trend that cyber attackers are seeing the complex traps being set for them in the enterprise space with seven layers of security defense, complete with firewalls, IDS, IPS, Access management, threat behavior analysis via the correlation of file changes and suspicious log events, etc., and opting to go for the easy pickings in the education, nonprofit and SMB sectors.
- In complex DDoS attacks or sophisticated botnets, these easier-to-access servers and machines are being used to attack larger targets en masse or providing simple, unfettered access to the sensitive data available and letting attackers collect data from a multitude of weakly guarded targets Examples include Zeus and its financial account access-stealing malware that continues to plague non-enterprise organizations.
- While an IT budget vs. mission or security budget vs. headcount seesaw will always be at play in these cash-strapped and often technically challenged environments, it’s important to keep hammering on the fact that attackers see them as the path of least resistance for obtaining social security numbers, health records, financial accounts and/or an entire zombie army of machines poised to do their dirty work because they are mostly likely misconfigured or poorly managed. All security do-gooders need to band together in the years to come to stem this rising tide.
Recent news feeding my fire on this trend:
Education sector most affected by malware
AmeriCorps Security Breach
SMB Cloud Is A Hacker’s Paradise
Cyber Criminals Now Target SMB Bank Accounts
Security industry consolidation
Point solutions like Arcsight (now a part of HP) and even larger security luminaries like McAfee (now a part of Intel) got gobbled up by larger mega corps to build out their portfolio in the white-hot security space. In fact, according to my fingers and toes, in the last 5 years alone, 26 smaller companies Tripwire used to compete with head-t0-head are now part of the machine. In my view, this changes the landscape in two ways:
- Security solution buyers will be tentative in buying yet another technology to throw into their security mix and seek out comprehensive security suites to address a multitude of their security and compliance challenges related to protecting sensitive data and critical systems.
- Security solution providers, in their efforts to meet this buyer desire and address a complex threat landscape, will find themselves partnering with former adversaries to create super solutions in the security space built on providing better visibility into true threats, real-time detection and rapid resolution to avoid cataclysmic breaches with massive data losses.
I can hear you all now. What about Aurora? (Ohhhhh! Jerk Store!) What about WikiLeaks? What about…? Share your wisdom and defend it in the comments section below.
Have an incident-free holiday and see you in 2011. @MarkAEvertz