Thursday 19 July 2012

Information Security – A Concern for SMBs


Sun Tzu, in his book The Art of War, writes: “If you know the enemy and know yourself you need not fear the results of a hundred battles.”

Information security is one of the major concerns for large enterprises, which spend a major part of their budget to protect their infrastructure from the bad guys. These organizations have the resources, the awareness, and the understanding that any critical security breach can severely impact their business and reputation as well. We have seen in the past that even organizations with such resources and dedicated information security teams fall prey to hackers. To give just a few examples: in March last year RSA, the security division of EMC, revealed that attackers had stolen information from the company's IT systems. Some of that information, the company said, is related to RSA's SecurID two-factor authentication products. The investigations revealed that the attack was in the category of an advanced persistent threat (APT); it caused RSA reputational loss and raised concern about its two-factor authentication products. Similarly, LinkedIn, one of the biggest professional social sites, became the victim of hackers who compromised its password databases, after an attacker uploaded a list of 6.5 million encrypted LinkedIn passwords to a Russian hacking forum. Very recently, passwords were compromised from the Yahoo Voice domain by using an SQL injection attack to obtain the data. This clearly shows that the attack pattern is increasing with each passing day.

SMBs, on the other hand, unfortunately do not have enough resources and budget to spend on protecting their infrastructure. Normally these organizations implement security controls to meet the regulatory requirements imposed by different regulators, such as PCI DSS in the banking and finance sector and HIPAA in the health sector. But in the absence of any regulatory requirement, organizations normally consider information security a budgetary overhead and don't care about an IS program. This mindset is mainly due to two reasons:
  1.  Lack of awareness at the management level
  2.  Substantial cost and no obvious ROI, so it is seen as an overhead
It is therefore the responsibility of senior IT management to educate their top management, especially the business guys, and make them realize the current threats to their infrastructure.

It is worth noting that the cyber security threat trend is shifting from big companies towards SMBs. According to Symantec, 36 percent of all targeted attacks (58 per day) during the last six months were directed at businesses with 250 or fewer employees. “There appears to be a direct correlation between the rise in attacks against smaller businesses and a drop in attacks against larger ones. It almost seems attackers are diverting their resources directly from the one group to the other,” said Paul Wood, cyber security intelligence manager, Symantec.

“It may be that your company is not the primary target, but an attacker may use your organization as a stepping-stone to attack another company. You do not want your business to be the weakest link in the supply chain. Information is power, and the attackers know this, and successful attacks can result in significant financial advantage for the cyber criminals behind them. Access to intellectual property and strategic intelligence can give them huge advantages in a competitive market,” Wood said.

According to the 2012 Data Breach Investigations Report, external agents remain largely responsible for data breaches, with 98% of them attributable to outsiders. This group includes organized crime, activist groups, former employees, lone hackers, and foreign governments.


Attack Pattern of Breaches


“It is not so much that there has been a decline in insiders but we are seeing a huge increase in external agents,” Jay Jacobs, a principal on the Verizon RISK Intelligence Team, explained, adding that there have been more frequent financially motivated attacks against small and medium-sized businesses because they are “softer targets.” This trend has led to an increase in the number of external attacks, as cybercriminals launch more attacks against smaller targets.



Clearly, it is easier for a hacker to break into and compromise a system that has nominal security controls than one in a large enterprise, where security controls are implemented in a layered architecture. SMBs can also serve an attacker as a platform for launching attacks such as DDoS against other organizations. In this case the hacker tries to compromise the organization's systems and use them as a botnet to launch DDoS attacks. It is also interesting to know that within the hacker community bots are offered as a service, i.e. bots can be rented out on an hourly basis.



The above statistics make it evident that SMBs are the major targets for attackers, and this trend will increase in the coming years until SMBs start realizing that they are now the focus of the bad guys.

Now, what steps can an SMB take to protect itself from these bad guys? I will address this in my upcoming post; but at this point, I would like to highlight that the security requirements and the solution vary from organization to organization; there is no panacea. It is all about the balance between risk, security controls and the business function. By business function I mean that too much security can sometimes become a hindrance to performing business functions, which ultimately affects the whole security program.