This article will explain, using recent statistics, how the nature of attacks has changed from floppy disks and firewall probes, to a more intelligent system that targets human weaknesses.
I was writing a presentation on Microsoft’s new cloud-based enterprise security solutions for a sales event, and I realized that I needed some facts to support my assertions. I went digging and found some reports by Microsoft and HM (the United Kingdom) Government.
The Microsoft report is a sales and marketing tool, but it does contain information that is sourced from multiple independent sources before the actual sales pitch begins. The UK government report, while based on UK business, does give us a good sample of attacks that are happening in businesses around the world. The information is gathered by survey, covering the calendar year of 2015, and deals with small/medium (< 500 employees) and large (500+ users) businesses.
I read the reports, and the information was scary. The days of a teenager poking your firewall are over. Attackers have changed, and the origins of the vulnerabilities have changed too. The reason that this is scary is that most businesses (small and large) have built IT security to defend against threats from the 1990s and 2000s.
Before you start planning, you need to understand the field of battle. So let’s get started.
Scale of Attacks
No matter what size of industry that you work in, you are a target. Businesses in all sizes of markets are reporting a large growth in breaches from 2014 to 2015. The UK reports that the number of breaches grew from 2014 to 2015. There was a dip in the previous 2013 to 2014 interval, but it looks like attackers have found new vulnerabilities to take advantage of. It appears that businesses expect the growth to continue: 59% of respondents expect more attacks in 2016.
How many breaches did these companies experience? Large enterprises had a median of 14, and small/medium businesses had a median of 4. That might not seem like a lot until you consider the costs of each attack, which includes:
- Damage caused
- Repair costs
- Costs to prevent repeat attacks
- Other improvements, including process and training
The average cost for a small/medium enterprise was between $100K and $414K, and the large enterprise experienced costs of between $1.94 million and $4.17m. Imagine a large enterprise having 14 attacks, each costing $2m, with a total cost of $28,000,000 in just one year, and that number is trending upwards (3 times higher than in 2014)! Ah! It gets worse. The Microsoft report quotes a paper by Juniper Research called “The Future of Cybercrime and Security: Financial and Corporate Threats and Mitigation,” saying that the predicted average cost of a data breach in 2020 will be $150 million.
Clearly, IT security is a board level issue and not something for some over-their-head accountant (the usual path to CEO) to pretend doesn’t matter. The UK Government report states that 82% of businesses believe their senior management are taking IT security seriously – I wonder how many of their techies agree with that! Experience teaches me that those same execs are probably more interested in the latest iPhone, cancelling meetings on sunny days in favour of golf, and breaching IT security rules instead of securing their shareholders’ investments.
What the above figures tell me is that stealing information from an enterprise is big business and not something for pimply teenagers hiding in their parents’ basement in South Korea.
Whatever we are doing with IT security, it’s just not enough, and the figures back this argument up. It’s time to review methods, vendors, processes, and how the business really values IT security … and maybe how regulators enforce the law.
The reports typically break down attacks based on method of attack and the origin of the vulnerability (deliberate or accidental in nature). We typically think about someone brute-forcing a password or spreading malware, but a large percentage of breaches have their origins rooted in an accident caused by a human. Two thirds of large enterprises and one quarter of SMEs experienced accidental breaches.
Moving on to malicious attacks, we would expect malware to top the polls. Actually, the rate of breaches caused by malware has dropped quite a bit to third place, despite the headlines created by the likes of CryptoLocker. The top two kinds of breaches were:
- Theft or unauthorised disclosure of confidential information
- Attack or unauthorised access by outsiders
The favourite methods of attack were (in this order):
- A mix of all
- Organization being impersonated (a phishing email and/or site)
- A person being impersonated (after successful phishing)
- Denial of Service (DOS) attack
- Network penetration
- Attack on Internet or telecoms traffic
Three quarters of large enterprises and 38% of SMEs suffered attacks that originated from external attackers. There is a big disparity between the two markets. that’s because there’s more treasure in those bigger companies and more attack surfaces to victimize. But don’t be fooled into thinking that small businesses are immune from attack: 38% is a big number, and it was up from 33% in 2014.
DDOS attacks were once all the rage, but the number of these attacks is dropping. Attackers are switching from crude large-scale attacks to more intelligent, less obvious, surgical attacks. The worst type of breach that both small and large businesses reported was the unauthorized disclosure or access of information, either by external or internal staff.
It’s clear that identity is an attack vector for attackers. If I have an employee’s username and password, I can VPN or remote into the network, I can sign into cloud services, and if they have single sign-on, I have complete access to everything that user can legitimately touch. All of these are true in the era of Monkey, Dragon, and Password123 – who needs social engineering or phishing? We really need to pay more attention to protecting identity and monitoring identity usage. A 2015 report by Verizon, Data Breach Investigations Report, quoted by Microsoft, states that attackers were able to compromise an organization within minutes. I guess I could do that, too, when armed with an employee’s credentials.
Those working in IT security know that employees of the organization can play a role in a breach, either by accident or deliberately. 81% of large organizations reported some element of staff involvement:
- Unauthorized access increased to 65% of organziations.
- Breach of data protection laws was up to 57%.
- Loss/leakage of confidential information was up to 66%.
The number for SMEs was much lower at 27%. #
The Microsoft report states that it takes an average of 70 days to contain a malicious insider attack. That’s 70 days from the point of detection, and 70 days during which the attacker can continue to cause damage.
These kinds of internal attacks are on the rise, and businesses need to pay more attention. A damning statistic is shared by the UK report: 67% of large enterprises believe that an insufficient priority being placed on IT security by senior management was a contributing factor to internal attacks.
It’s also quite depressing to read that attacks are only being detected by monitoring/defence systems around 27% (large organizations) or 29% (SMEs) of the time. 74% of all attacks take longer than a few hours to detect, with 33% of penetrations taking over 1 week to detect. In the era when malware scanning companies are admitting their own ineffectiveness against innumerable variants and zero-day attacks, this shouldn’t be surprising. And how are you expected to scan for an employee downloading data within their assigned security boundary?
The problem here is that we:
- Put in firewalls to block unwanted protocols so that legitimate and abused are observed and protocols pass straight through
- Expect malware scanning on our servers and PCs to handle attacks that have never been seen before
- Continue to install point solutions within the inexperienced islands of our own networks that can never identify the trends of an attack across different systems
- Continue to ignore the risk of passwords and users
- Don’t value IT as an asset that must be managed from the board level and secured from the board level
- Pretend that IT hasn’t progressed from a time when grunge music was still depressingly all the rage
In a future post, I’ll talk about how we can use some new cloud-based solutions from Microsoft to protect our businesses assets that are being targeted from a new era of attacks, originating internally or externally.