A former NSA and FBI security expert suggests that rather than throwing money at the problem, CISOs should rethink their security strategy.
by Nestor E. Arellano
It all started with a sudden spike in network activity from the machine traced to a user with the same first name as the company’s CEO. The key question at that moment was: Is this a legitimate activity or not?
Within minutes IT administrators determined that the machine in question had downloaded bogus anti-virus software which then proceeded to scan through the company’s network files and folders. Do they let the activity continue in order to discover the culprit and the target or shut it down to prevent damage but risk the chance that the attacker could go underground and attack from another angle?
Minutes turned into hours as security technicians scrambled to decipher the attack’s target, when they are again alerted that a broadcast e-mail from a mobile device had began requesting security passwords from the company’s employees.
Before the team could act to shut down the anomalous activity the malicious program had accessed the firm’s customer facing Web site, Targeted.com, and downloaded the entire client list including passwords and email addresses.
Thankfully, the two-and-a-half hour ordeal was a mere simulated attacked, part of SC Congress Canada 2011 security conference’s final keynote aptly titled: 2 ½ Hours to Network Meltdown.
The incident may have been as fictitious as the company that was being targeted but according to Rich Baich, North Carolina-based principal of Deloitte & Touch LLP, it is one that is played out in reality with a bit of variation thousands of times each day all over the world.
“Businesses and organizations large and small are under constant attack from cyber gangs,” said Baich, who earlier in his career worked as a naval information warfare officer for the National Security Agency, a special assistant to the department director for national infrastructure protection centre of the Federal Bureau of Investigation and as a senior director for the security software firm now known as McAfee Inc.
“The real bright hackers don’t strike to take down a network. They inject a Trojan and let it lie there quietly siphoning away information. Some can remain undetected for years,” Baich told ITBusiness.ca. in an interview after his presentation at the SC Congress titled: Threat of the Hour.
Threat of the hour – ZeuS
Perhaps the most dangerous and persistent threat out there, according to Baich, is the ZeuS Trojan. First indentified in 2007 when it was used to steal information from the United States Dept. of Transportation, the malware continues to survive today in various configurations that have defied antivirus programs. It spreads by e-mail and drive-by downloads.
ZeuS is believed to have infected no less than 3.6 million PCs in the U.S. alone.
Estimates of financial losses attributed to cyber criminals using ZeuS in the last three years run anywhere from $12.9 million to $60 million. Once loaded onto a machine, the malware can collect data on forms and documents, take screen shots, steal passwords and remotely take over a computer.
Despite efforts to eradicate it, ZeuS has continued to elude anti-virus software because it is polymorphic – it is able to change its signature and manages to stay a few steps ahead of filtering software looking for specific malware signatures.
Software manufacturers have trouble catching up with ZeuS because of the sheer number of variants of the malware. Baich says there are around 22 to 26 known variants of ZeuS but it is possible that hundreds may even remain undetected to this day.
No real antidote
No one-shot solution is certain to protect a network from ZeuS according to Baich. It’s polymorphic nature and variety of configuration has rendered many anti-virus software nearly useless.
“In fact, firmware products are themselves targets. Think about it, if a company advertises that its software is used by Fortune 500 companies to protect their assets – where do you suppose cyber criminals will plan to install their Trojan on?” asked Baich.
One Toronto-based security expert shares the same views. “It’s clear that anti-virus software makers have been relying far too long on their ability to detect known or anticipated signatures. Their lack of innovation is finally catching up with them,” said Claudiu Popa, principal of Informatica Corp. in Toronto.
“The combinations of size and shapes of viruses are now infinite,” he said.
Trusteer, a Boston, Mass-based security firm reports that installing an anti-virus product and maintaining it up to date reduces the probability of ZeuS infection by only 23 per cent.
Rather than throwing money and technology at the problem, chief information security officers (CISO) should rethink their security posture instead, according to Baich.
CISOs should step back and re-evaluate the company assets and determine why the company could be a target of an attack, he said.
“Instead of just building a firewall to the perimeter or purchasing anti-virus, think about what makes your company an enticing target and what are the weak points that attackers will attempt to breach,” he said.
For instance, he said, one client in the mining industry believed that the geological data their network held would not be of interest to any thief. Baich convinced them to protect it because the location of potential mineral deposits would be valuable to the company’s competitors and parties.
But in protecting the data, companies should also look at potential leaks apart from the network. For example, he said, a geologist relaying to a colleague via his cellphone information about a find could be leaking priceless data. “How well do you know the cellular network security arrangements in the jurisdiction your company operates in?” asked Baich.
The Deloitte principal said, rather than relying solely on technology, companies should “continuously monitor” data flow and network activity.
“Be vigilant with monitoring what data is going where, who is sending out what. Look for instances that are out of the ordinary,” he advised.
Greg Thompson, vice president and deputy CISO for enterprise security service at Scotiabank, agrees.
Thompson, was among the panelists at the 2 ½ to Network Meltdown simulated attack tried to steer Targeted.com’s security team. “Exercises like these reinforce the need to keeping our eyes open for anomalies,” he said.
In the case of the exercise it was a spike in network activity that tipped off administrators he said. “If they were not monitoring they would not be aware that something was afoot,” Thompson said.
But beyond monitoring, he said, security teams should have set procedures for determining the significance of threat and what steps to take, Thompson said.