More Security Breaches: Denial Not An Option!
April 1, 2012
It has happened again. Another breach. Another report of millions of credit card numbers at risk. Another round of media coverage. Another reminder that despite all the sophisticated technology that enterprises have deployed to protect computer networks, these breaches still happen. But despite the negative publicity that comes from continuing reports of such breaches, the need to be vigilant about thwarting such attacks remains, says Steve Durbin, global vice president of the Information Security Forum (ISF).
“It’s big business, big money and cybercriminals tend to follow the money,” says Durbin, whose organization recently released a report, “Threat Horizon 2014: Managing Risks When Threats Collide,” that warns of the increasing sophistication of cyberattacks to spread malware and break into networks to steal data and money.
The latest breach was reported Friday when Visa and MasterCard acknowledged that the computer network of a third-party payment card processor had been breached. Various news reports identified the target as Global Payments, of Atlanta. Estimates of the number of credit card accounts exposed ranged from 1 million to 3 million, with some as high as 10 million, but there is no evidence yet that any fraud has occurred.
Still, this event underscores the point the ISF makes in its Threat Horizon report that “the range and complexity of information security threats is set to rise significantly over the next two years.”
The report looks at three broad areas of security: external threats from cybercriminals; regulatory threats, such as laws requiring greater transparency and disclosure of breaches, as well as stricter data privacy protection; and internal threats from new technology introduced onto data networks without proper security vetting, such as the “bring your own device” (BYOD) trend.
The ISF, a global not-for-profit organization based in the UK that shares research and other advice on security best practices with organizations, warns in its report that cybercriminals are getting more sophisticated in their attacks and that different groups of cybercriminals are learning from each other. For instance, says Durbin, there have been cases in which organized criminals have adopted techniques developed by online activists, such as the group Anonymous, which has launched distributed denial of service (DDoS) attacks on Web sites to make a political point.
In addition, the distribution of malware has exploded, Durbin says, referring to the places on the Internet and other networks from which malware is disseminated as “malspace.” Also on the rise is the distribution of malware on mobile devices, such as the recent case in which several apps on the Google Android Market were found to be tools to distribute malware. “As malspace matures, the general sophistication and scale of the global crime industry will develop even further,” he says.
Durbin also raises a concern about the potential security vulnerabilities surrounding cloud computing. The risk there is of what he calls “cloud harvesting.”
“Cybercriminals will take advantage of infrastructure-as-a-service facilities to scan through some of the clouds that are out there and harvest data in that fashion,” he says.
The ISF report echoes the troubling sentiments about the state of network security at the recent RSA Conference 2012, at which people like Art Coviello, RSA’s executive chairman, warned in his keynote address that, “We are at serious risk of failing.”
Nonetheless, the ISF’s Durbin says enterprises should continue to invest in multi-layered network security, and that security should get buy-in not just from the IT team but also from C-level executives and all employees. And denial is absolutely not an option.
“You can’t keep some of these [threats] out but you can prepare for the day when you get hit and hope that you never get hit,” Durbin says. “But if you adopt an approach that ‘It won’t happen to me,’ you’re going to be badly surprised.”