In Cyber - Losers Ignore, Survivors React, Winners Predict

Wednesday, February 15, 2012

Richard Stiennon


Knowledge of the threat scape is one of the determining factors in an organization's ability to defend itself. There are three different approaches to cyber security. The first is to ignore the threat.

Practically every outbreak of a worm or malicious virus has been preceded by warnings from the security community. The CodeRed worm targeted a vulnerability in Microsoft's web server software that had been known for months. A patch was even available.

Yet, thousands of US Government and other web servers were successfully attacked in 200. And the follow-on Nimda worm, which attacked the same vulnerability (and even a backdoor left behind by CodeRed), was even more successful at spreading and causing harm.

TJX Company is the poster child for flying blind. Three years before they were infiltrated by hackers via an unprotected wifi access point, Lowe's suffered a similar attack targeting their credit card information. The recovery from the attack against TJX and the loss of over 90 million credit card records cost them more than $200 million.

Which leads us to the next level of preparedness: reaction. Most organizations have begun to react quickly to new threats. They institute patch and configuration management and they have organized Computer Emergency Response Teams (CERTs). They pay attention to the news and begin to think about possible courses of action when they see new attack methodologies, or even new motivations, arise.

A vocal supporter of SOPA can expect DDoS attacks from Anonymous. A law enforcement agency can expect to be the next target of F**k FBI Friday (#FFF on Twitter). A very few law firms will be scrambling this week to review their security posture after the potentially devastating hack and subsequent leak of emails from Puckett Faraj (read: The First Thing We Do is Hack All The Lawyers).

Judging by the number of large enterprises that bring me in to speak to their boards and senior execs, there is still a problem at the top of many organizations with recognizing the rise of threats. Even though these organizations have their own security experts, they feel an outside expert can do a better job of justifying security investments and, frankly, of frightening their stakeholders into taking security seriously.

The very best organizations are taking measures to predict future threats to their data and operations. Their CERTs are evolving into what I call Cyber Defense Teams. They engage in active research on new threat actors, new methodologies, and new vulnerabilities exposed by the types of targets that are being selected by cyber criminals and state actors.

Defense Departments and contractors are recognizing that their defenses are essentially porous to attack. Best practices at banks include concern for their major customers' data security. A bank that holds the assets of earth resource companies watches the rising threat against that sector and starts to build in the defenses to identify when their accounts are being monitored or attacked.

Every organization has a choice: They can become a victim of cyber attack and pay the cost of recovery, they can rely on quick reactions to changes in the threat space to ensure that they survive the next attack, or they can predict the next escalation in attacks and invest early in the defenses required to avoid ever becoming a victim.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.