Looking back over my years in cyber security and information technology, I am stunned by the changes I have witnessed and the impact that cyber security issues are having right across society and commerce.
In the early 1990s we used to deal with relatively bland malware and routine threats to our systems. The Microsoft Word Concept virus, the first widespread macro-based malware, was the first initiation into dealing with such problems for many organisations, but it was relatively easy to deal with and seems quaint compared to today’s threats.
We are now seeing the creation and distribution of attacks that are tuned to infiltrate specific targets using advanced techniques and know-how. The current evolution of cyber security threats is more aggressive and potentially more damaging than I have ever seen before. Defences that may have worked a few years ago are pitifully inadequate, and we are now firmly in a more complex and difficult era of cyber security – reckoned by many to be the third cyber security age.
But what does that mean and what of the previous two ages?
The Age of Protection
When information security started to gain interest in the broader non-military/government communities, most of us focused on locking systems down and protecting the network perimeter. Arguably, this prevention strategy was reasonable for the pre-internet era of mainframes and, latterly, client-server computing, as systems could normally only be accessed via network cables or slow dial-up that limited more casual use (10BASE2 coaxial cables and token ring networks, anyone?). There was no universal access to systems from consumer devices as we see today, and the average mobile (cell) phone was far from smart and certainly didn’t fit into regular trouser pockets.
Although some of the built-in software security was somewhat crude (on one system I regularly reset passwords using a trivial, home-built C program), it seemed to be fit for purpose in the early age of the World Wide Web.
But as threats developed it became evident that simply locking all the doors was not enough, and a different approach was needed to see and understand the evolving threats.
The age of detection was looming.
The Age of Detection
As the World Wide Web came to fruition and businesses moved to harness the utility of this medium, systems were created that detected evolving threats, and the anti-malware industry grew rapidly. Based on the notion of recognising malware that had already been seen and catalogued, users’ systems were updated on a regular basis with new signature files to identify incoming viruses and worms.
For a number of years this was deemed to be sufficient protection for most businesses. Then hackers became smarter and found that by slightly varying the structure of a malware payload it could fly under the signature-based detection system and infect a target. To deal with this, signature files were supplemented by heuristics that detected malware by its behavioural characteristics. This approach seemed to cope quite well with the malware threats of the time.
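The shift described above, from exact signatures to behavioural heuristics, as an added illustration that is not part of the original article: the samples are constructed plain-text stand-ins for macro content, the signature is a whole-file hash, and the heuristic rules and weights are invented here for demonstration.

```python
import hashlib

# Constructed stand-ins for program content (not real malware): a known bad
# sample, a variant differing by one trailing byte, and a benign macro.
KNOWN_BAD = b"MACRO AutoOpen: copy self to NORMAL.DOT; mail doc to contacts; hide warnings"
VARIANT = KNOWN_BAD + b" "   # trivially altered copy of the known sample
BENIGN = b"MACRO AutoOpen: set default font; show welcome dialog"

# Signature database: full-file hashes of malware seen before (constructed here).
SIGNATURES = {hashlib.sha256(KNOWN_BAD).hexdigest()}

# Heuristic rules: behaviours typical of macro malware, each with a weight
# (rules and weights are assumptions for this example).
HEURISTICS = {
    b"copy self": 3,              # self-replication
    b"mail doc to contacts": 3,   # mass-mailing
    b"hide warnings": 2,          # suppressing security prompts
    b"AutoOpen": 1,               # runs without user action (weak on its own)
}
THRESHOLD = 5


def signature_match(sample: bytes) -> bool:
    """Classic signature check: flags only an exact, previously seen file."""
    return hashlib.sha256(sample).hexdigest() in SIGNATURES


def heuristic_score(sample: bytes) -> int:
    """Sum the weights of every suspicious behaviour present in the sample."""
    return sum(weight for pattern, weight in HEURISTICS.items() if pattern in sample)


def heuristic_match(sample: bytes) -> bool:
    """Behavioural verdict: enough suspicious traits together exceed the threshold."""
    return heuristic_score(sample) >= THRESHOLD


def classify(sample: bytes) -> str:
    """Combine both approaches the way the text describes: signatures first,
    heuristics as the backstop for unseen variants."""
    if signature_match(sample):
        return "known malware (signature)"
    if heuristic_match(sample):
        return "suspicious (heuristic)"
    return "clean"


if __name__ == "__main__":
    for name, sample in (("original", KNOWN_BAD), ("variant", VARIANT), ("benign", BENIGN)):
        print(f"{name}: {classify(sample)} (score {heuristic_score(sample)})")
```

The one-byte variant defeats the hash signature entirely, but its behaviour score is unchanged, which is exactly the gap heuristics were introduced to close.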
The development of smarter firewalls, intrusion prevention and detection systems (IPS/IDS) and data loss prevention (DLP) technologies seemed to provide us with an even better level of security, albeit whilst coping with the frustration of false positives and the strain these systems put on information security budgets.
Life was difficult at times but mostly systems were protected to an acceptable level and we could detect what was going on across our estate.
The Age of Response
Arguably the world changed in June 2010 when the Stuxnet computer worm was publicly revealed, reportedly having infected nuclear facilities in Iran. Named after components found in the software (.stub and mrxnet.sys), Stuxnet was found to have been designed to attack specific technical systems in a targeted way never before seen in the public domain. These more sophisticated types of attack had been predicted a few years before Stuxnet went public and were reportedly dubbed Advanced Persistent Threats (APTs) by the US Air Force in 2006. The term was then rapidly adopted by the security industry to describe a new generation of expertly crafted, technically competent attacks delivered in a very targeted way.
Stuxnet ably demonstrated that relying on detecting general malware and the use of firewalls and IPS/IDS systems was no longer enough and targeted attacks were becoming the new challenge.
Recently, in October 2014, it was reported that a team of Russian hackers had been carrying out targeted cyber espionage attacks using variants of malware called BlackEnergy. Researchers have reverse engineered the tools, methodology and approach used by the team, and have come up with some interesting findings.
Bizarrely, the programming code contains references to planets, noble families and even a military rank used by fictional forces in the 1965 sci-fi novel Dune by Frank Herbert. Of more interest than the esoteric references in the code is the finding that the targeting was very precise: energy, telecoms and academia, along with NATO, the military alliance.
It has finally dawned on many that the harsh reality is that despite spending (sometimes huge amounts of) money on locking down systems and detecting anomalous behaviour, the bad guys are going to get you if they want to.
A New Approach to Cyber Security is Needed
Business IT today is a world away from the minis, mainframes and client server computing we saw in previous decades. The evolution and arguably broad acceptance of cloud based computing, coupled with social networking, mobile devices and the internet of things presents a whole new problem space and a target rich environment for attackers.
No one would deny that good information security hygiene (patching, anti-malware, user education et al.) is as important today as it was 10 or 15 years ago. What does need to change is the philosophical approach to cyber security and the acceptance that we can no longer keep the determined bad guys out, unless we lock down the business so aggressively that no one can do any work. Cyber attacks are now industrialised, overwhelming and so relentless that a response mindset is crucial.
We now need to conduct regular cyber business risk assessments that reflect the constantly changing threat landscape, and put in place a framework that provides a timely response to a data breach or cyber security incident. A purely technical response is no longer enough: as data breaches become more complex, legal and PR experts will often need to work with security engineers in a multidisciplinary team.
Pre-planning now for a cyber security incident should be a number one objective. For many cyber security practitioners this is an uncomfortable position to be in, as it seems to admit defeat and undermine the work we have been doing to prevent intrusions and lock our systems down.
My view? Get over it and accept the new reality before it’s too late for you and your business…