Canadian CSOs who are already struggling to fend off a multitude of IT security threats may soon face an even greater challenge: the possibility that organized crime and state-sponsored cyber-attackers will start working together, Cisco warned.
In a briefing earlier this week to discuss the Cisco 2015 Annual Security Report, the company suggested there was a serious disconnect between those responsible for safeguarding corporate information. For example, the report said 59 percent of chief information security officers (CISOs) view their security processes as optimized, compared to 46 percent of security operations (SecOps) managers. And although 75 percent of senior security leaders see their tools as very or extremely effective, fewer than half are using standard patching and configuration to prevent data breaches.
Jason Brvenik, the principal engineer in Cisco’s Security Group who joined the briefing via Telepresence from his office in Baltimore, said that while there is good awareness of potential dangers among senior leadership teams, CSOs may need to deepen their strategic understanding, increase their ability to question the controls in place and treat security as a critical operation.
“There’s an addressability gap in the corporate boardroom,” he said.
This may come as a surprise, given the rash of high-profile data breaches at Target, Home Depot and more recently Sony Pictures Entertainment. In Canada, meanwhile, alleged Chinese-sponsored cyber-attacks on Canada’s National Research Council and other incidents recently led the Treasury Board Secretariat to announce a commitment of more than $100 million to improve its IT security posture.
Unfortunately, Brvenik said, there’s little to suggest state-sponsored attacks are on the wane. In fact, some governments and hacker groups may strike up a sort of business agreement to accelerate their attempts at penetrating corporate systems.
“There is a tendency to lump all the motivations (for cyber-crime) under this one entire umbrella, but the reality is different,” he said. “We’re beginning to see the beginnings of the industrialization of this space. A criminal organization might have information of value to a state, for example, and sell it to them. Or the state might go through the back end, as it were, rather than conducting its own front-end attack.”
In fact, one of the indicators of how sophisticated cyber-criminals have become is a technique highlighted in the Cisco report that sounds almost uniquely Canadian. The research discusses the rise of “snowshoe spam,” where attackers send out low volumes of spam from a large set of IP addresses to avoid detection, creating an opportunity to leverage compromised accounts in multiple ways. This is much more mature than the scattershot approach of old, when hackers seemed to be working primarily for bragging rights.
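For defenders, the practical consequence of snowshoe spam is that per-IP volume thresholds never fire, while grouping deliveries by message content exposes the campaign. The following is an added example, not taken from the Cisco report; the event format, fingerprint labels, thresholds and sample data are all assumptions constructed for illustration.

```python
from collections import defaultdict

def build_sample():
    """Constructed mail events as (source_ip, message_fingerprint) pairs.
    The fingerprint stands in for any content hash a mail gateway computes."""
    events = []
    nets = ("192.0.2", "198.51.100", "203.0.113")  # documentation ranges
    # Snowshoe-style campaign: 40 sources, only 2 messages each.
    for i in range(40):
        events += [(f"{nets[i % 3]}.{10 + i}", "fp-campaign-A")] * 2
    # One loud sender: 300 messages from a single address.
    events += [("203.0.113.200", "fp-bulk-B")] * 300
    # Ordinary newsletter: 3 sources, 50 messages each.
    for host in (201, 202, 203):
        events += [(f"192.0.2.{host}", "fp-newsletter-C")] * 50
    return events

def per_ip_alerts(events, threshold=100):
    """Classic volume rule: flag any single IP at or above the threshold."""
    counts = defaultdict(int)
    for ip, _ in events:
        counts[ip] += 1
    return {ip for ip, n in counts.items() if n >= threshold}

def snowshoe_campaigns(events, min_ips=20, max_avg_per_ip=5.0):
    """Flag fingerprints sent from many IPs at low volume per IP.
    Both thresholds are assumed values, to be tuned per environment."""
    per_fp = defaultdict(lambda: defaultdict(int))
    for ip, fp in events:
        per_fp[fp][ip] += 1
    flagged = {}
    for fp, ips in per_fp.items():
        total = sum(ips.values())
        avg = total / len(ips)
        if len(ips) >= min_ips and avg <= max_avg_per_ip:
            flagged[fp] = {"ips": len(ips), "messages": total, "avg_per_ip": avg}
    return flagged

if __name__ == "__main__":
    sample = build_sample()
    print("per-IP rule flags:", per_ip_alerts(sample))
    print("campaign rule flags:", snowshoe_campaigns(sample))
```

The per-IP rule catches only the loud sender, while the campaign view surfaces the 40-address spread that stays under every individual threshold.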
“The willingness to have the biggest botnet seems to have waned,” Brvenik said. “There’s no clear winner in the botnet space these days. Being No. 1 means you get taken out. The squeaky wheel gets replaced.”
The main takeaway for IT security leaders, perhaps, is to start looking at cybercriminals more like competitive peers than petty criminals.
“I find myself talking about the attackers as running a business,” Brvenik said, “and we can see them moving towards managing KPIs.”