The bad guys appear to be winning--or, at least sharing information on vulnerabilities and attack methodologies--faster and more readily than the good guys, and the regulatory environment is lagging reality, says RSA's Chief Security Officer Eddie Schwartz. "What is out there in the public [regarding attacks] is the tip of the iceberg of what's really happening." Schwartz's company, the security division of EMC, and TechAmerica are releasing the findings from the recent Washington, D.C., summit on Advanced Persistent Threats (APTs) that drew more than 100 of the world's top cyber-security leaders from government and business. A more detailed whitepaper will be published next month.
"One of the big findings is that the adversaries are better at real-time sharing of information," says Schwartz. The frequency and volume of APTs--a long-term pattern of sophisticated and targeted hacking attacks--has reached pandemic levels, he says. The keys to fighting this onslaught are collaboration and learning to live in a state of compromise, planning and acting as though your organization has already been breached, focusing on closing the exposure window, and limiting damage. "Every single organization has been attacked."
A new study from Norton puts the cost of cyber-crime at $114 billion annually, with an additional $274 billion for time lost. On a company basis, a recent HP-Ponemon study found the median annualized cost of cyber-crime was $5.9 million per year, an increase of 56% from July 2010. Over a four-week period, the organizations surveyed experienced 72 successful attacks per week, an increase of nearly 45% from last year.
According to a recent report from Cisco Security Intelligence Operations, the overall cost of targeted attacks to organizations worldwide is $1.29 billion annually. Spear phishing attacks have increased threefold, while scams and malicious attacks have increased fourfold.
McAfee's threats report for the second quarter of 2011 noted steady growth in stealth malware, the cybercriminal tactic of hiding malware in a rootkit. Stealth malware has increased more rapidly in the last six months than in any previous period, up almost 38% over 2010.
Some of the ATP Summit findings include the necessity of situational awareness (to detect threats early and help improve security) and attack response. Sharing information with your peers, your industry/sector and government/regulators can be critical, but that's where the barriers currently exist, says Schwartz. It's about intelligence-driven security and taking a predictive rather than a proactive approach, he adds.
Another critical area of concern is the shift from attacking technology to attacking people. Organizations need to rethink how they deal with the human element of security. One strategy that seems to hold promise is role-playing, where participants are victims of a security breach and must deal with the consequences. "These are really important scenarios that hit home," says Schwartz. These types of more realistic training, where you have skin in the game and it really matters to you, can be much more effective that the traditional methods of security training, he says.
Schwartz says two other areas of interest include taking a closer look at the life cycle of your supply chain and locking it down, and making Internet management a core competency. Security is too important a concern to be left to the security professionals to handle in isolation, he says.
See more on this topic by subscribing to Network Computing Pro Reports Strategy: Malware War (subscription required).
