Former NSA Honcho Calls Enterprise Security ‘Appalling’

Former NSA technology boss Prescott Winter has a word for the kind of security he sees even at large, technologically sophisticated companies: Appalling. Companies large enough to afford good security remain vulnerable to hackers, malware and criminals because they tend to throw technological solutions at potential areas of risk rather than focusing on specific and immediate threats, Winter said during his keynote speech Oct. 1 at the Splunk Worldwide User’s Conference in Las Vegas.

‘As we look at the situation in the security arena we see an awful lot of big companies – Fortune 100-level companies – with, to be perfectly candid, appalling security. They have fundamentally no idea what they’re doing,’ Winter said, according to a story in U.K. tech-news site Computing.

During almost 28 years at the National Security Agency (NSA), Winter established the spy agency’s Technology Directorate and served as the agency’s first CTO. He also held positions as the NSA’s CIO, its deputy chief of Defensive Information Operations and, oddly, as chief of Customer Response. He is currently managing director of Chertoff Group, the strategic management and security consultancy established by Michael Chertoff, secretary of the Dept. of Homeland Security under Pres. George W. Bush and co-author of the USA Patriot Act.

PwC: Information Security survey

PwC has published the results of its Information Security survey. Their interactive data exploration tool lets you personally select criteria and explore the data for several key questions.

With this tool, you can interact and engage with the data. You have control. Build your own data charts. Share them with colleagues and friends, or print them out for further use. And be sure to download The Global State of Information Security® Survey 2014 in its entirety to see all the results. Access the survey tool here.

Drive-by-exploits lead cyber threats

The Emerging Cyber Threat Landscape

A new report by the EU’s cyber security agency, ENISA, has resulted in calls for cloud security to be bolstered after analysing the ways in which cyber criminals are likely to make use of the new data-storage platform to carry out their attacks.

The ENISA Threat Landscape provides an overview of threats, together with current and emerging trends. It is based on publicly available data and provides an independent view on observed threats, threat agents and threat trends. Over 120 recent reports from security industry, networks of excellence, standardisation bodies and other independent institutes have been analysed.

The study, entitled ‘Threat Landscape: Responding to the Evolving Threat Environment’, identifies and lists the top threats and their trends, and concludes that drive-by exploits have become the top web threat.

The ENISA report identifies the following top cyber threats:

  1. Drive-by exploits
  2. Worms/trojans
  3. Code injection attacks
  4. Exploit kits
  5. Botnets
  6. Denial of Service
  7. Phishing
  8. Compromising confidential information
  9. Rogueware/scareware
  10. Spam
  11. Targeted attacks
  12. Physical theft/damage/loss
  13. Identity theft
  14. Abuse of information leakage
  15. Search engine poisoning
  16. Rogue certificates

A drive-by exploit is the injection of malicious code into the HTML of a website in order to exploit vulnerabilities in visitors' web browsers. Also known as drive-by download attacks, these attacks target software residing on Internet users' computers (web browser, browser plug-ins and operating system) and infect them automatically when the user visits a drive-by download website, without any user interaction. Drive-by download attacks against web browsers have become the top web threat. More specifically, attackers are moving to targeting browser plug-ins such as Java (Java exploits are the major cross-platform threat), Adobe Reader and Adobe Flash. Drive-by download attacks are almost exclusively launched through compromised legitimate websites, which attackers use to host malicious links and the actual malicious code.

The report identifies major threat agents in cyberspace.

  1. Corporations. This kind of threat refers to corporations/organizations/enterprises that adopt and/or are engaged in offensive tactics. Corporations can be considered hostile threat agents; their motivation is to build competitive advantage over competitors, who also make up their main target. Depending on their size and sector, corporations usually possess significant capabilities, ranging from technology up to human engineering intelligence, especially in their area of expertise.
  2. Cybercriminals. Cybercriminals are hostile by nature. Moreover, their motivation is financial gain and their skill level is, nowadays, quite high. Cybercriminals can be organized on a local, national or even international level. It should be taken as given that a certain degree of networking between cybercriminals is maintained.
  3. Employees. This category refers to the staff, contractors, operational staff or security guards of a company. They can have insider access to the company’s resources and they are considered as both non-hostile threat agents (i.e. distracted employees) as well as hostile ones (i.e. disgruntled employees). This kind of threat agent possesses a significant amount of knowledge that allows them to mount effective attacks against assets of their organization.
  4. Hacktivists. Hacktivism is a new trend in threat agents. Hacktivists are politically and socially motivated individuals who use computer systems to protest and promote their cause. Moreover, they usually target high-profile websites, corporations, intelligence agencies and military institutions.
  5. Nation States. Nation states can have offensive cyber capabilities and could potentially use them against an adversary. By their very nature and due to the importance of the means at their disposal, Nation States may present a threat in the area of cyber warfare.
  6. Terrorists. Terrorists have expanded their activities and also engage in cyber-attacks. Their motivation can be political or religious and their capability varies from low to high. Preferred targets of cyber terrorists are mostly critical infrastructures (e.g. public health, energy production, telecommunication etc.), as their failure causes severe impact on society and government. It has to be noted that, in the public material analysed, the profile of cyber terrorists still seems to be blurry.

Mobile computing and social technology are among the top emerging areas that attacks are likely to target. The emerging areas are:

  • Mobile Computing: Covering several aspects of Consumerization of IT, BYOD (Bring Your Own Device) and mobile services, such as social networking, business applications and data, use of cloud services, interpersonal communication, voice, video, etc.
  • Social Technology: Use of social media is one of the main activities performed by private users. Moreover social networking plays an increasingly significant role in businesses.
  • Critical Infrastructures: This is an area that is definitely going to attract threat agents, as the impact of such an attack is big at all levels (society, government, national security, etc.).
  • Trust Infrastructure: Attacks on the trust infrastructure break the chains of trust and generate very serious impact at many levels and application areas. Success of such attacks allows attackers to greatly enlarge their attack surfaces and targets.
  • Cloud Computing: The proliferation of cloud computing and the sheer concentration of users and data on rather few logical locations are definitely an attractive target for future attacks.
  • Big Data: Use of big data within businesses but also for the enhancement of security is already in discussion. On the other hand it is also expected that attackers are going to abuse big data in order to enhance their capabilities, collect intelligence, but also to better hide their attacks.

The European Network and Information Security Agency (ENISA) is a centre of network and information security expertise for the EU, its member states, the private sector and Europe’s citizens. ENISA works with these groups to develop advice and recommendations on good practice in information security. It assists EU member states in implementing relevant EU legislation and works to improve the resilience of Europe’s critical information infrastructure and networks. ENISA seeks to enhance existing expertise in EU member states by supporting the development of cross-border communities committed to improving network and information security throughout the EU. More information about ENISA and its work can be found at http://www.enisa.europa.eu.