Security Corner

Feb 8 2015   7:09PM GMT

How tight does your security really have to be?

Ken Harthun

Targeted Attacks

In the wake of cyber-attacks that have occurred over the past year, we have all been more concerned than usual about our organizations’ network security. Questions such as, “Is my security software up to date?” and “Am I current on firmware updates in my router and firewall?” and “Am I doing all I can to detect and/or prevent an attack?” tend to keep us a bit edgy. Certainly, we all do our best, but there is always that nagging concern about whether our best is good enough. How tight does our security really have to be? Perhaps taking a closer look at the hacking universe in general might help to allay some of those fears.

The January issue of Bruce Schneier’s Crypto-Gram features an essay, “Lessons from the Sony Hack,” that breaks down the types of hackers and their hacking methods into a few easy-to-understand categories. Essentially, there are two types of hacks: opportunistic and targeted. An opportunistic attack is one where the attackers don’t really care who they hit; they’re just looking for large databases of information that could be valuable. The vast majority of attacks fall under this category. Schneier cites the Home Depot attack as opportunistic. A targeted attack is one where the attackers are going after a specific victim; Sony, for example. To further divide things, he talks about the skill and focus of the hackers.

You can characterize attackers along two axes: skill and focus. Most attacks are low-skill and low-focus — people using common hacking tools against thousands of networks world-wide. These low-end attacks include sending spam out to millions of email addresses, hoping that someone will fall for it and click on a poisoned link. I think of them as the background radiation of the Internet. [Opportunistic]

High-skill, low-focus attacks are more serious. These include the more sophisticated attacks using newly discovered “zero-day” vulnerabilities in software, systems and networks. This is the sort of attack that affected Target, J.P. Morgan Chase and most of the other commercial networks that you’ve heard about in the past year or so. [Opportunistic]

But even scarier are the high-skill, high-focus attacks — the type that hit Sony. This includes sophisticated attacks seemingly run by national intelligence agencies, using such spying tools as Regin and Flame… [Targeted]

This represents a sort of scale of probability of you or your organization becoming a target: you are most likely to experience a low-skill, low-focus attack and least likely to experience a high-skill, high-focus attack.

My take on it is simply that if you keep your software patched against known vulnerabilities in a timely manner, keep your critical networking equipment updated with the latest firmware, stay proactively informed about the latest threats, and actively promote security awareness in your organization, then you’re about as safe as you can hope to be. I don’t think that any of us can afford, either financially or mentally, to try to keep ourselves completely safe from the high-skill, high-focus attacker. I’ll leave you with this:

Against a sufficiently skilled, funded and motivated attacker, all networks are vulnerable. But good security makes many kinds of attack harder, costlier and riskier. Against attackers who aren’t sufficiently skilled, good security may protect you completely.

. . .

Security is a combination of protection, detection and response. You need prevention to defend against low-focus attacks and to make targeted attacks harder. You need detection to spot the attackers who inevitably get through. And you need response to minimize the damage, restore security and manage the fallout.
