Is It Time to Rethink Cyber-Security Strategies?
By Samuel Greengard | Posted 2016-04-21
Despite the efforts made to thwart attackers, cyber-security threats keep growing, and many question whether conventional methods are enough to protect a firm.
The possibilities and opportunities that result from digital technology aren't lost on today's business and IT leaders. However, securely locking down enterprise systems, software, data and other resources has become a growing nightmare.
According to a "2015 Cost of Data Breach Study" from the Ponemon Institute and IBM, the average cost of a data breach has reached approximately $3.8 million. This represents a 23 percent increase since 2013. What's more, social engineering attacks—including phishing and whaling (phishing with a high-profile target)—are becoming far more sophisticated and dangerous. For example, ransomware attacks have risen by double digits since 2015.
Navigating today's threat landscape and putting the right cyber-security tools in place is a daunting challenge. For years, organizations have thrown an array of security solutions at various hazards. These include firewalls, anti-malware products, intrusion detection and prevention, endpoint protection, data loss protection and encryption.
Despite the money and effort devoted to thwarting cyber-attacks, the problem only grows worse. "Criminals are becoming smarter and better organized," warns Eddie Schwartz, a member of the board of directors for ISACA and the president and COO of White Ops. "Cyber-security threats are increasing, and this trend will likely continue for the foreseeable future."
Questioning Conventional Security Technology
As a result, many are questioning whether conventional security technologies are enough to protect an organization. "There is a realization that security has not been part of the design of IT systems, and that, in the past, many organizations treated all assets equally [even though] they aren't all equal," says Shahryar Shaghaghi, leader of the Technology Advisory Practice at BDO Consulting.
This is leading many organizations down a path that involves new and different approaches to dealing with cyber-security threats to business. These include more advanced security analytics and big data security analytics, end-to-end encryption, intelligence sharing and even deep learning. For most organizations, "There is a need to rethink the fundamental approach," Shaghaghi advises.
As cloud computing, mobility and the Internet of things (IoT) take hold in organizations of all sizes, attack surfaces and entry points are growing exponentially. In addition, cyber-thieves are increasingly adopting so-called "low-and-slow" attack methods. Once they gain entry into a system, they may stealthily lurk there for months or years, slowly extracting data and intellectual property—or using the knowledge gained to conduct more effective spear-phishing or impersonation attacks. In many cases, they simply misuse application resources rather than directly attacking network stacks.
According to a January 2016 report from Radware, more than 90 percent of the companies surveyed reported experiencing cyber-attacks in 2015. A fundamental problem, according to ISACA's Schwartz, is that many CIOs and security executives continue to think about cyber-security in conventional ways—and they act accordingly.
However, "There really is no security perimeter at this point," he says. "Threats range from servers to mobile devices and refrigerators." Consequently, "Cyber-security is no longer about building a fortress to keep everything safe. There's a need to look at individual applications, how they interact with devices, how to containerize and sandbox, and how to use authentication and encryption most effectively."
Using Tools to Deal With Top Cyber-Security Threats
The need to lock down data didn't escape Heartland Payment Systems. The company was breached by a criminal organization in 2008, admits Bob Carr, the chairman and CEO for the fifth-largest debit and credit card processing company in the United States.
As a result, the firm, which has about 300,000 merchant locations using its payment systems, embarked on a project to take cyber-security efforts to a much higher level. Heartland contracted with Voltage, now part of Hewlett-Packard Enterprise (HPE), to embed encryption technology in card readers and swipe devices.
"At that point, it was about company survival," Carr explains. "We had to find a way to stop the bad guys, who had become very good at getting malware into point-of-sale systems."
Heartland Payment Systems ultimately worked with the vendor to engineer a new microchip, along with software that would deliver Advanced Encryption Standard (AES) encryption on every transaction. The company introduced a Tamper-Resistant Security Module (TRSM) in readers beginning in June 2009, and began distributing them immediately. That effectively put an end to over-the-air theft that had been taking place and had hit a slew of companies.
Since then, Heartland has expanded encryption within internal IT systems. "We now have end-to-end encryption in place," Carr says. All of this complements an array of other internal security tools and systems to thwart malware, intrusions and various other threats.