The good guys are losing the cybercrime war. One major reason is that they don't understand their enemies, and therefore are not fighting back effectively. Another is that Edward Snowden, currently the world's most famous insider threat, apparently has a lot of company.
Those are among the most important, and sobering, conclusions of the 2013 State of Cybercrime Survey from PwC US and CSO magazine, which included responses from 500 U.S. executives, security experts, and others from both private and public sectors.
This, the 11th survey of cybercrime trends, released last week, found that while cybercrime threats are increasing, current defenses against them remain ineffective, in large measure because too many executives still do not understand the extent and seriousness of those threats, or have simply become numb to the news about them.
"There were no significant changes in C-Suite threat awareness, no spikes in spending on cyber-defense, no breakthroughs in the use of technology to combat cybercrime, and no significant change in the ability of organizations to measure the impact of both cybercrimes committed by insiders and those caused by external cyberattacks," the survey reported.
That, according to Dave Burg, PwC Global and US advisory cyber security leader, has been the case for a decade. "(We) have seen virtually no movement by survey respondents in the past 10 years," he said.
"Possibly the most alarming theme that came out of this year's survey results was that U.S. organizations are misjudging the severity of risks they face from cyber attacks from a financial, reputational, and regulatory perspective," said Bob Bragdon, vice president and publisher, CSO.
The result is that organizations aren't developing better ways to detect and counter attacks on their networks. The report said too many senior executives resemble the proverbial "frog in the pot of hot water" — losing awareness of the increasing threat environment.
"When organizations fall victim to cyberattacks, only then do they realize the time to take action was yesterday," the survey said.
And it is not nearly enough to defend the perimeter of a network. The survey found, for the second year in a row, that insiders — many times with malicious intent — are a greater threat to organizations than outside attackers. Insiders are not just direct employees either — they can be contractors, consultants, outside service providers, suppliers and business partners who have access privileges.
The survey, co-sponsored by the CERT Program at the Carnegie Mellon University Software Engineering Institute, CSO and the U.S. Secret Service, with collaboration with the FBI, found three major themes:
- Many organizational leaders don't even know who is responsible for their cybersecurity. That may be in large measure because their security experts are not communicating effectively about threats, attacks and defensive technologies.
- Many of those leaders underestimate the capabilities of their attackers and the damage they can cause.
- Leaders remain unaware that while technology advances in the modern workplace improve productivity and convenience, they also increase vulnerabilities to cyberattacks. Those changes include social collaboration, expanded use of mobile devices, storage of information in the cloud, digitizing sensitive information and moving to smart grid technologies.
The cyber threats confronting modern businesses are many and varied. And the survey found that too many of them are enabled by a lack of attention to risk. Among the more obvious risks are supply chains, both of the hardware and software supporting IT and the more traditional supply of parts and services.
"In today's interconnected ecosystem, both of these supply chain avenues are often direct freeways to compromise company assets," the survey said, noting that many vendors and business partners "can have lower — even nonexistent — cybersecurity policies and practices," than the enterprises they serve.
Dave Burg said it is not necessarily that suppliers don't care about security, but that they may not have the same resources that their client enterprises do.
"The threat actors know this and are targeting the small and medium sized organizations in order to exploit the weaker target as a means to get to the ultimate target," he said.
Getting suppliers to comply with privacy policies can also be a problem, especially in industries like financial services, health care and the Payment Card Industry (PCI), where the protection of personally identifiable information (PII) is crucial.
"Yet fewer than one-third of all industry respondents to PwC's 2013 Global State of Information Security Survey required third parties to comply with privacy policies," the survey reported.
Randy Trzeciak, technical manager of the Insider Threat Center at CERT, said it can be very challenging for an enterprise to get suppliers to match its security needs, since doing so often requires integrating very disparate systems.
"You need to communicate your expectations," he said. "You need to write them into service level agreements prior to signing anything. And you need due diligence as well. You should be able to go out and inspect those suppliers if needed."
The threat is just as high, and the potential damage even higher, from more direct insiders — employees. As the survey noted, those with malicious intent already have access, they know what the company "crown jewels" are and they often know where they are.
To mitigate that threat requires both technical and nontechnical means. Trzeciak said CERT promotes "trust but verify" — trusting workers to support the organization, but limiting access to what they need to do their jobs. He said CERT has a Common Sense Guide to Mitigating Insider Threats on its website that offers 19 practices for enterprises to detect and prevent insider threats.
They include the centralization of information and tools across functions including IT, information security, physical security, HR and legal, rather than keeping them in separate repositories.
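As an added illustration of the "limit access to what they need to do their jobs" practice described above (example code written for this page, not CERT's guide or any tool mentioned in the survey): a small access-review routine that compares each account's granted permissions against what its job role actually requires, and flags excess grants, access still held by an inactive contractor or partner account, and accounts whose role is not in the model at all. The role names, permission strings and accounts are constructed sample data.

```python
"""Least-privilege access review (constructed example).

Compares the permissions actually granted to each account against the
permissions its job role needs, and reports what should not be there.
All role definitions, permission names and accounts are made up.
"""
from dataclasses import dataclass

# Constructed role model: the permissions each job genuinely requires.
ROLE_NEEDS = {
    "payroll-clerk": {"hr.read", "payroll.read", "payroll.write"},
    "developer": {"repo.read", "repo.write", "ci.run"},
    "dba-contractor": {"db.read"},
}


@dataclass(frozen=True)
class Account:
    user: str
    role: str
    active: bool              # False once the employee or contract has left
    granted: frozenset        # permissions actually present in the IAM system


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str                 # "excess", "orphan" or "unknown-role"
    detail: tuple = ()        # the offending permissions or role


def review(accounts, role_needs=ROLE_NEEDS):
    """Return one Finding per account that violates least privilege.

    - unknown-role: no need model exists, so nothing can be verified
    - orphan: an inactive account that still holds any permission
    - excess: an active account holding permissions its role does not need
    """
    findings = []
    for acct in accounts:
        if acct.role not in role_needs:
            findings.append(Finding(acct.user, "unknown-role", (acct.role,)))
            continue
        if not acct.active and acct.granted:
            findings.append(Finding(acct.user, "orphan", tuple(sorted(acct.granted))))
            continue
        excess = acct.granted - role_needs[acct.role]
        if excess:
            findings.append(Finding(acct.user, "excess", tuple(sorted(excess))))
    return findings


def excess_by_user(accounts, role_needs=ROLE_NEEDS):
    """Map user -> tuple of excess permissions, for active accounts only."""
    return {f.user: f.detail for f in review(accounts, role_needs) if f.kind == "excess"}


# Constructed sample inventory: one clean account, one over-provisioned
# employee, one departed contractor with lingering admin rights, and one
# account whose role was never modelled.
SAMPLE_ACCOUNTS = [
    Account("alice", "payroll-clerk", True,
            frozenset({"hr.read", "payroll.read", "payroll.write"})),
    Account("bob", "developer", True,
            frozenset({"repo.read", "repo.write", "ci.run", "payroll.read"})),
    Account("carol-vendor", "dba-contractor", False,
            frozenset({"db.read", "db.admin"})),
    Account("dave", "intern", True, frozenset({"repo.read"})),
]

if __name__ == "__main__":
    for f in review(SAMPLE_ACCOUNTS):
        print(f"{f.user:14} {f.kind:13} {', '.join(f.detail)}")
```

The point of keeping the role model separate from the grants is that the review can be re-run whenever either side changes, so "trust but verify" becomes a recurring check rather than a one-time provisioning decision; the orphan case covers the contractors and partners the article notes are insiders too.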
But technology is not enough. The survey quotes an FBI insider at the February 2013 RSA conference, who said, "the risk from insider threats is ... a people-centric problem. So you have to look for a people-centric solution."
"Poor performance, issues with colleagues, disciplinary actions, living beyond their means; these are signs that employees and managers will notice, not IT security tools," the survey said.
Insiders can also be a problem even when they're not malicious, since they can be "spear phished" — tricked into clicking on a link in an email purporting to come from a trusted source, or through social engineering.
Training and awareness can mitigate that, but John McClurg, vice president and CSO at Dell, said that, given the skill with which spear phishers harvest details from social media sites, "even the most security aware employees can be induced into clicking in a moment of weakness."
But, he added that "great cyber intelligence is available through (different) groups, and is an indispensable asset any CSO can leverage."
There are other ways for enterprises to improve their security posture. The survey concluded that companies could defend against 80% of attacks simply through better education, IT infrastructure maintenance and monitoring.
Another 15% can be defeated through effective strategy, better awareness of the threats and good asset identification and protection. The final 5%, which come from sophisticated, nation-state actors, need to be confronted with the help of government agencies.
But that requires a cybersecurity strategy that includes planning for attacks and better sharing of information on threat levels, neither of which are being done by a majority of enterprises.
"A cybersecurity strategy is the cornerstone of protecting sensitive business assets, yet nearly 30% of companies surveyed do not have a plan. And of those that do, half fail to test it," the survey found.
Dave Burg said part of that plan means that an organization must, "understand what its critical assets are from a threat actor's perspective. Determining the most serious threat actors depends on what is being targeted."
"For example, nation states, motivated to achieve economic, political, and/or military advantage, tend to target trade secrets, sensitive business information, emerging technologies, and critical infrastructure. Organized crime groups, looking for immediate financial gain," he said.
The survey also found that while the Department of Homeland Security (DHS) coordinates interaction between Information Sharing and Analysis Centers (ISACs) and key sectors of the US critical infrastructure, "awareness and use of ISACs is particularly low and has not increased appreciably over the past three years, with the exception of the banking and finance industry."
This is partly due to security and business executives getting their threat information from public sources, which the survey said, "vary greatly in quality, accuracy (and) timeliness."
And it is partly because, "many of the companies who lack or fail to test a cybersecurity plan are likely the same ones who report they don't know what government agency to contact when a cybercrime is suspected."
The FBI declined to comment on the report, but furnished a link to testimony before Congress by Richard A. McFeely, executive assistant director of the agency's Criminal, Cyber, Response, and Services Branch, promising better cooperation with the private sector.
"In the past, industry has provided us information about attacks that have occurred, and we have investigated the attacks, but we have not always provided information back. We realize the flow of information must go both ways," McFeely said. "As part of our enhanced private sector outreach, we have begun to provide industry partners with classified threat briefings and other information and tools to help them repel intruders."
But even that requires readiness to respond by the private sector. The survey quoted a retired FBI official saying that the agency is sharing information as quickly as it gets it, but most companies don't have response plans in place to take advantage of it.
Finally, companies must address their "technology debt," which the survey estimated will soon reach $1 trillion.
"Companies are spending their IT budgets on emerging business technologies while allowing their IT infrastructure to age and atrophy to the point that systems can't support basic data security functions," it said, comparing it to the neglect of transportation infrastructure in the U.S.
It recommended inspecting firewalls, identity management systems, operating systems, hardware, enterprise applications, routers and switches, to make sure they are current.
While deferred maintenance is nothing new, it noted, "What is new is that adversaries have raised the risk for many corporations."
Burg said that analysis of cyber incidents often finds that attackers gain entry to an organization's infrastructure "through known vulnerabilities in older operating systems, hardware, and software on which maintenance, upgrades and retirements have been delayed to meet near-term budget pressures. In effect, organizations are increasing their attack surface."