Posts Tagged ‘cyber targeting’
“… there are other ways to move from a position of constant and reactive defense to a state of preparedness: sharing our individual experiences. The bad guys are already organized and collaborating effectively on how to compromise our systems; we need to start sharing, and sharing openly.”
How do we beat the bad guys at their own game? That’s the question Chris Poulin is asking in a new article, part of his ongoing series at SecurityWeek. The answer? Thinking like your adversary. Well, at least that’s part of it.
In his latest article, “Compromise Full Disclosure: Collective Knowledge Brings Stronger Defense,” Poulin explains how, in order to fight organized cyber attacks, security professionals need to be more organized themselves. This means more collaboration, knowledge sharing and, of course, the adoption of security intelligence. The end goal is to create an environment where breaches and the details of the attack (and not the vulnerability) are shared among professionals so that others can learn from these attack strategies and prevent their own breaches.
Click here to read the full article and share your thoughts about Poulin’s call for more full disclosure.
It’s clear there’s an increased level of concern today over new threats posed by the smart grid. For example, smart meters running on mesh networks introduce a new class of potential vulnerabilities for both consumers and providers.
From power outages, to rerouting or stealing consumption, to the possibility of a targeted attack on critical infrastructure, it goes without saying that the global energy market is emerging as an industry facing some real security challenges.
Recently, Q1 Labs partnered with Ponemon Research to present a ground-breaking study tapping 291 IT and IT Security executives that unveiled the challenges and critical perspectives global energy and utility organizations have on today’s threat environment.
What we found was that over half of global energy organizations do not view IT Security as a strategic initiative across the enterprise. This was intriguing, given that physical security, as might be expected, scored higher on the priority scale.
Additionally, 76% said they suffered one or more data breaches over the course of the last 12 months. This was interesting not just because of the high percentage of those who said they were breached, but because of how recently the breaches actually occurred.
And as noted in Bloomberg, management teams are challenged in understanding exactly what they are up against in terms of external threats. Honestly, the statistics keep coming – you can read through the summary of findings from Ponemon here. (a more detailed white paper will be coming soon)
As part of the presentation, our California ISO (Independent System Operator) customer walked through how they leverage SIEM as a prescriptive measure that meets their security and compliance requirements.
One interesting comparison between research findings and what CAISO presented was the criticality of NERC/CIP compliance. The research showed that 77% of companies in the industry weren’t prioritizing compliance initiatives as part of their security programs. CAISO outlined how NERC compliance was not only the biggest driver in acquiring a SIEM solution, but also aided in integrating other best practices and key guidelines like NISTIR 7628 for the smart grid.
What CAISO also communicated was that centralizing logging was an important driver, so that they could correlate log data from multiple sources, which speaks to the breadth of integration QRadar offers to this market. And finally, he spoke to the value of flow technology in terms of monitoring ports and services running on the CAISO critical infrastructure. Again, please feel free to check out our recorded presentation for more context.
As the market continues to evolve in terms of identifying threats and vulnerable areas, so must the security industry. As the industry sees more targeted attacks, QRadar is helping many energy organizations counter these threats in both the pre- and post-exploit phases, with better visibility across the network. It’s the constant evolution of threats and countermeasures that drives IT Security, but within the energy industry an inordinate number of the threats are already known to everyone.
The term Advanced Persistent Threat (APT) has seen increasing usage in information security circles, and for good reason. The term refers to a much more sophisticated, determined, and patient type of opponent in the game of information security than what we’ve become accustomed to. An appropriate (and perhaps accurate) metaphor is that these are the script kiddies who spent their time defacing websites in the late ‘90s and who, having now grown up, are interested in employing their skills for nothing but financial gain.
APTs represent a unique type of challenge, and distinguish themselves from your household variety of security threats in a number of ways:
- A high degree of sophistication. The responsible parties behind APTs are generally organized crime and state-sponsored cyber-warfare groups. These groups are well-funded, highly organized, and tend to have significant resources at their disposal.
- Deliberate and targeted. Rather than engaging in indiscriminate drive-by shooting tactics, casting wide nets and trawling the Internet for vulnerable systems, these groups tend to only pursue carefully selected targets.
- A high degree of patience. Subtle, persistent, and inconspicuous is the name of the game – no banging on the front door or tromping noisily through your network. The objective is to silently infiltrate and sometimes even maintain a long-term presence within the target, ultimately to carry out the objective of the attack.
With APTs becoming more prevalent, there seems to be a growing consensus that traditional security tools and techniques fall short of addressing the problem. The general message here isn’t terribly new: reliance on checkbox-style compliance with industry security and control standards, and deployment of perimeter defenses and signature-based threat detection, may enable an organization to detect and deflect the bulk of “dumb” activity. But managing the risk posed by APTs requires a correspondingly more sophisticated approach, in conjunction with a more sophisticated set of tools.
Rather than employing an approach of “let’s look for all individual known bad things”, a more suitable tactic might be “let’s look for things that don’t jibe with our operational profile”. This clearly speaks to an anomaly detection capability, both at an application and a network level. But beyond that, there is a need for a higher degree of overall security intelligence.
Security intelligence can be a somewhat difficult concept to pin down, but it might be best described as the ability to derive actionable information from the sum of ALL security data available to an organization, placed in the context of its relative importance, rather than the narrow, compartmentalized view currently employed by the individual, siloed components of the traditional security toolset.
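The “things that don’t jibe with our operational profile” idea above, and the earlier CAISO point about correlating centralized logs and using flow data to watch which ports and services run on critical infrastructure, both come down to the same mechanic: learn what each host normally does, then flag flows that deviate. The following is an added example written for this page, not QRadar code or anything from CAISO. It builds a per-source baseline of (port, protocol) services, destination peers and peak byte counts from a constructed set of “learning period” flow records, then classifies a constructed set of new flows. The addresses, the Modbus (TCP/502) device and the 10x volume threshold are all assumptions chosen for illustration.

```python
"""Baseline-and-deviate anomaly detection over flow records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    """One summarized network flow, as a flow collector would export it."""
    src: str
    dst: str
    dport: int
    proto: str
    bytes_out: int


# Constructed sample flows from a quiet "learning period". Assumed topology:
# 10.1.1.x are workstations, 10.1.2.5 a web server, 10.1.2.7 DNS, and
# 10.1.2.9 a PLC that only 10.1.1.12 is supposed to talk Modbus (502) to.
BASELINE_FLOWS = [
    Flow("10.1.1.10", "10.1.2.5", 443, "tcp", 12000),
    Flow("10.1.1.10", "10.1.2.5", 443, "tcp", 9000),
    Flow("10.1.1.10", "10.1.2.7", 53, "udp", 200),
    Flow("10.1.1.11", "10.1.2.5", 443, "tcp", 15000),
    Flow("10.1.1.11", "10.1.2.7", 53, "udp", 300),
    Flow("10.1.1.12", "10.1.2.9", 502, "tcp", 800),
    Flow("10.1.1.12", "10.1.2.9", 502, "tcp", 700),
]

# Constructed "today" flows; the last three are the ones that should stand out.
NEW_FLOWS = [
    Flow("10.1.1.10", "10.1.2.5", 443, "tcp", 11000),       # normal web traffic
    Flow("10.1.1.12", "10.1.2.9", 502, "tcp", 750),         # normal Modbus polling
    Flow("10.1.1.12", "203.0.113.8", 443, "tcp", 3000),     # PLC-facing host reaching out
    Flow("10.1.1.11", "10.1.2.9", 502, "tcp", 500),         # workstation never spoke Modbus
    Flow("10.1.1.10", "10.1.2.5", 443, "tcp", 900000),      # 75x its previous peak
]


class Baseline:
    """What each source host was seen doing during the learning period."""

    def __init__(self) -> None:
        self.services: Dict[str, Set[Tuple[int, str]]] = defaultdict(set)
        self.peers: Dict[str, Set[str]] = defaultdict(set)
        self.max_bytes: Dict[str, int] = defaultdict(int)


def build_baseline(flows: List[Flow]) -> Baseline:
    """Record, per source, the services used, the peers contacted and the peak size."""
    base = Baseline()
    for f in flows:
        base.services[f.src].add((f.dport, f.proto))
        base.peers[f.src].add(f.dst)
        base.max_bytes[f.src] = max(base.max_bytes[f.src], f.bytes_out)
    return base


def classify(base: Baseline, f: Flow, volume_factor: int = 10) -> List[str]:
    """Return the list of ways this flow deviates from the baseline (empty if none).

    volume_factor (assumed value 10) is how many times the host's previous peak
    a single flow must exceed before it counts as a volume spike.
    """
    if f.src not in base.services:
        return ["unknown-source"]          # a host that never appeared in the baseline
    reasons: List[str] = []
    if (f.dport, f.proto) not in base.services[f.src]:
        reasons.append("new-service")      # host using a port/protocol it never used
    if f.dst not in base.peers[f.src]:
        reasons.append("new-peer")         # host talking to a destination it never contacted
    if f.bytes_out > volume_factor * base.max_bytes[f.src]:
        reasons.append("volume-spike")     # far more data than this host ever moved
    return reasons


def detect_anomalies(base: Baseline, flows: List[Flow],
                     volume_factor: int = 10) -> List[Tuple[Flow, List[str]]]:
    """Pair each deviating flow with its reasons; flows matching the profile are dropped."""
    alerts = []
    for f in flows:
        reasons = classify(base, f, volume_factor)
        if reasons:
            alerts.append((f, reasons))
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_FLOWS)
    for flow, why in detect_anomalies(baseline, NEW_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}/{flow.proto} "
              f"({flow.bytes_out} bytes): {', '.join(why)}")
```

Note what this catches that a signature would not: nothing in the three flagged flows is malicious on its face (443 to an Internet host, Modbus on a plant network, a large HTTPS transfer), yet each contradicts what that particular host normally does. The cost is the learning period itself: a baseline built while an attacker was already present will treat their traffic as normal, so the learning window has to be reviewed, and hosts absent from it (the “unknown-source” case) have to be routed somewhere rather than silently ignored.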
Posted by Tom Turner in Threat Management
In the sentencing news about the TJ Maxx hacker, I couldn’t help but be struck by the list of possessions Mr. Gonzalez agreed to forfeit to authorities. Now I don’t know anything about him or his family background, but this 28-year-old ‘college dropout’ had to give up:
- A condo in Miami
- A BMW
- Tiffany rings and Rolex watches
- $1.65M in cash!!!!
Hopefully I can be excused for assuming that, even though such riches are a good sign that cyber fraud had temporarily been good to him, he finally got his just deserts.
This is a pretty good indicator that security professionals within organizations clearly have to worry about their assets being a ‘target of choice’, as opposed to the less discriminating days of viruses and worms, when everyone was a ‘target of opportunity’.