Security 2011: Attack Of The Human Errors

Some household names in enterprise and consumer technology suffered the embarrassment of having been hacked by cybercriminals in 2011. RSA, of all companies -- the IT security division of EMC -- had to admit that its two-factor SecureID protection technology for customers had been compromised. And the most high profile breach affecting consumers made news when the Sony PlayStation Network was hacked, affecting 77 million customers whose private information was stolen. While these attacks represent stepped up efforts by cybercriminals to breach network security, one security expert says those and other cyberattacks this past year all had one thing in common: they all involved, to some extent, human error.

“[Cybercriminals] attack the weak points in human nature,” said Hord Tipton, executive director of the International Information System Security Certification Consortium, abbreviated to ISC, which is a global IT security education and certification group that aims to increase the number of IT security professionals protecting networks. The RSA breach, Tipton said, involved the use of what’s called social engineering and targeted attacks on individuals to break in. Rather than sending millions of phishing e-mails to random mailboxes, social engineering gleans information about individuals -- including from social media sites -- and creates a personalized e-mail to entice them to click on a link and download malware onto their computer, which could then infiltrate their corporate network.

The Sony breach represents another form of human error, he said, in a lack of appreciation for the risks and a lack of an assertive policy to protect the network. “Here you have a major corporation [with business] all over the world and the first question that comes to them is ‘What does your CISO think?’ and lo and behold they don’t have one. The bottom line is that they have one now,” Tipton said. Sony appointed its first chief information security officer in September, six months after the first breach occurred, according to news reports.

Cybercriminals have upped their attacks on enterprises faster than those enterprises can react, said John Pescatore, vice president and distinguished analyst with Gartner. He said their motivation has changed, too, from launching attacks for sport or to do sabotage to launching attacks to steal data and money. “Attacks attempting to steal corporate and customer information for very lucrative financial gain has driven the attacks to be much more targeted and to build an evasion against standard levels of defenses,” Pescatore said, in a Web cast hosted by FireEye, a network security vendor focused on thwarting “next generation threats.”

These new targeted attacks replace the previous cybercriminal strategy of “carpet-bombing” spam attacks, according to Scott Olechowski, security and threat research manager at Cisco Systems, which released on Dec. 14 the Cisco 2011 Annual Security Report. Olechowski says large botnets have been take down by law enforcement agencies and teams at network security companies and other organizations. Because of that, money stolen by cybercriminals in mass attacks fell to about $500 million today from $1.1 billion in June 2010. Nonetheless, targeted attacks can still yield sizable losses for victims.

While threats continue to exist and to evolve, one bright note is that the percentage of comprised systems globally fell to 6.5 percent in December of this year from 6.8 percent at the same time in 2010 and 7.2 percent in 2009. At the same time, Cisco warns that new vulnerabilities are in the offing as new hires at companies tend to take a lax approach to security, especially when it comes to using social media in the workplace.

The Cisco Connected World Technology Report, released simultaneously with the 2011 security report, surveyed 1,400 college students and 1,400 young professionals globally and found that 61 percent of them don’t think they are responsible for protecting corporate information, 70 percent admit to violating company security policy and 80 percent think restrictions on use of social media in the workplace -- including bans on their use altogether -- are outdated or that they don’t know that they exist at their job. “And this is our future workforce,” Cisco’s Olechowski warned.

See more on this topic by subscribing to Network Computing Pro Reports Mobile Device Security: Bring Your Own Disaster (free, registration required).