Major Attacks Spur Security Innovation

The recent string of high-profile cyber-attacks that victimized email marketer Epsilon Data Management, the Texas state comptroller’s office, EMC’s RSA security division and Sony’s PlayStation Network serve as important reminders that no one—not even an IT security vendor—is safe. It’s a message that IT security professionals at organizations of all sizes have gotten, spurring them to turn to newer, more innovative approaches.

These breaches grabbed the headlines, but they also obscured what appears to be a growing trend in the world of IT security: The bad guys are increasingly picking on organizations that don’t have the assets of giant corporations and don’t appear to be obvious targets.

“I can’t keep up with all the hacks and attacks that come at us 24/7,” says an exasperated Gary Doan, vice president of IT at Dallas Telco Federal Credit Union.
With its three branches in the Dallas area, the credit union doesn’t have a bull’s-eye painted on its back, but Doan isn’t taking any chances. He recently replaced the company’s security appliance with a hosted offering from Network Box, handing over a healthy portion of his protection needs to a managed services provider.

Doan paid $7,000 for a Network Box appliance for Dallas Telco’s main branch and another $3,000 each for smaller appliances at the other two locations—plus annual maintenance fees. This setup allows Doan to control network and desktop configurations, while Network Box remotely monitors all traffic coming into and going out of the company. It also keeps the credit union up-to-date on the latest virus definitions and intrusion-detection capabilities.

With the previous setup, Doan was paying nearly as much for just the hardware, without getting any of the services Network Box provides. The difference, Doan says, can be measured by the peace of mind he gets from knowing experts are watching his network for him.

“We’ve never had a serious attack that tried to shut down our site or breach it, but that doesn’t mean it couldn’t happen,” says Doan. “And it doesn’t mean we don’t have to guard against it.”

Based on numbers released in April by Verizon Communications as part of its “2011 Data Breach Investigations Report,” Doan is wise to prepare for the worst. With help from the U.S. Secret Service and Dutch High-Tech Crime Unit, Verizon investigated some 761 breaches in 2010—by far the most in the report’s four-year history. (The 2007 report spanned the 2004-to-2007 period.) Surprisingly, the number of actual records breached plummeted precipitously, from 143 million in 2009 to fewer than 4 million last year.

One takeaway, says Christopher Porter, principal of Verizon’s risk and intelligence team, is that cyber-criminals are seemingly content to attack smaller companies and make off with smaller batches of credit card numbers and other data in exchange for the decreased odds of getting caught.

Wary of Cyber-Criminals

At Berry College in Mount Berry, Ga., about an hour northwest of Atlanta, Dan Boyd, the school’s senior network architect, is more concerned with breaches that result from students bringing malware-laden devices to campus and infecting the school’s network. Boyd realizes that small liberal arts colleges aren’t typically a favorite target of cyber-criminals, but he’s wary of them using the school’s network as a conduit for attacks elsewhere.

“The fact that we have 200MB of bandwidth sitting there is enough to be attractive to [cyber-criminals],” says Boyd.

Because of the number of devices Boyd has to account for—the 1,100 PCs used by the school’s staff and faculty, as well as the thousands of laptops, smartphones, tablets and Internet-enabled gaming consoles that are out of his control because they’re brought to campus by some 1,700 students—monitoring application-level traffic is critical, but it had become exceedingly complex.