Is Security Software Broken?

1500

The threat landscape in 2016 is almost completely unrecognisable from that of ten years ago. Today’s landscape is populated by actors who are well resourced, highly determined and increasingly sophisticated, not to mention motivated by anything from ideology (hacktivists and cyber terrorists), geopolitical gain (state-sponsored hackers) or, most popularly, money. While there are still the worms and viruses of old popping up, most cyber criminals have all but abandoned these vectors in favour of more targeted, covert and successful attacks.

Targeted attacks and Advanced Persistent Threats (APTs) first surfaced publically in around 2010, when the so-called Operation Aurora attacks on Google and others foreshadowed the firm’s exit from China. Stuxnet quickly followed and suddenly the floodgates were open. Typically beginning with a “spear phishing” email or social media message using social engineering techniques, malware is the triggered to download onto the system. The malware will quietly load in the background without the user’s knowledge, escalating privileges inside the network until it finds the data it’s looking for. Attackers spend time researching their targets on the internet to hone their phishing lures, and are increasingly zeroing in on IT administrators, whose privileged accounts will give them unlimited access. They also spend time researching possible vulnerabilities on the system so that the malware can bypassing existing defences.

The cybercriminal underground that sits beneath all of this on the “Dark Web” of anonymisation networks like Tor and I2P and private forums is a immense, enigmatic beast. Estimates have put its size between 4-500 times the size of the “surface” web. There cybercriminals buy and sell stolen credit cards, identities, exploit kits and other attack tools which have democratized the ability to launch sophisticated targeted campaigns.

The fact that enterprises are now hugely more exposed to such threats through a flood of new vulnerabilities appearing every month, and through an explosion of new cloud services and applications, makes the bad guys’ jobs even easier. That organisations have to secure these increasingly complex environments with minimal budget is just the icing on the cake. Yet the stakes are higher than ever. The average cost of a data breach stood at $3.79m in 2015, up 23% in just two years. The repercussions are immense: loss of brand and shareholder value, damage to customer loyalty, legal costs, financial penalties, and remediation and clean-up costs to name but a few. Target claimed in Q2 2014 alone that losses related to its massive breach totalled $148m, a staggering amount but one that just begins to scratch the surface.

A losing battle?

Given the size, scale and sheer organisation of the cybercrime underground – notwithstanding the threat from state-sponsored attackers and hacktivists  – it’s not surprising that the security industry is continuously on the back foot. Its adversaries are more agile, and have the element of surprise and the cloak of anonymity on their side. Slowly the security industry has adapted – building new solutions which moved away from the old static AV signature-based model. Firstly, by developing heuristics detection – which spotted malware based on characteristics in its code – and also through behavioural-based techniques. There’s also been a shift to cloud-based threat prevention systems which stop or block threats before they hit the network.

The new generation of tools pioneered by the likes of FireEye and Trend Micro are designed to stop those all-important zero-day threats often used in targeted attacks – that is, those which exploit as-yet-unseen flaws. Sandboxing executes an unknown threat in a virtual environment in near-realtime to see if it’s dangerous or not. Security vendors have also been developing tools which leverage big data analysis of customer data and threats in the wild to identify and correlate new malware. Such is the sheer volume of threats that these companies need vast data centers and computing power to even stay on a par with the cybercriminals.

Security is broken

Yet, after all that investment software security vendors still admit that the best security stance for a CSO today is to accept that they have already been breached. If a hacker is determined enough they will get into your organisation. The best the industry can do is to provide systems which try to spot when this has happened as soon as possible in an effort to minimise the risk of data loss. It is easy to see why organisations are reducing their security budgets when security software clearly is clearly broken. Did you know:

  • Your pc/mobile device can be compromised just by visiting a malicious webpage?
  • Targeted attacks go undetected for months or even years
  • Around 4% of malicious messages are clicked on, irrespective of volume
  • Opening a malicious PDF or Word attachment could lead to a covert, multi-year data breach
  • The theft of intellectual property increased 56% in 2015
  • Apple products are not immune.
  • There are hundreds of thousands of new malware strains discovered every day.
  • The pace of malware creation is increasing all the time: the volume of malware found last year accounts for one third of all malware ever written.

From this is it easy to see why security is broken. Organisations need to find a new way of stopping these attacks, and if software-based solutions aren’t working then it is time for stronger, more resilient hardware-based solutions.

About Cesare Garlati
Cesare Garlati Chief security Strategist, prpl Foundation
Cesare is an internationally renowned leader in mobile and cloud security. He is the former Vice President of mobile security at Trend Micro and Co-chair of the Mobile Working Group at Cloud Security Alliance. The prpl Foundation is an open-source, community-driven, collaborative, non-profit foundation supporting the next gen connected devices industry that supports and provides guidance for a hardware-led security approach to IoT.
In this article