Halting Hackers
With headlines screaming about hacking, of the latest James Bond movie Skyfall most recently, of national and nuclear weapons laboratories not so long ago, and of businesses and individuals almost on a daily basis, it’s no surprise that worldwide information technology (IT) security spending is set to hit $77 billion in 2015—almost 8 percent more than this year’s $71 billion, according to IT researcher Gartner, Inc.
Increased Cyber Security Needed to Thwart Ever More Devious Cybercriminals
The increases are attributed to escalating mobile technology, cloud-based systems, and social media, among others, rather than regulations, which drove growth during the past few years.
Ryan Olson, director of Threat Intelligence at Palo Alto Networks, says cyber security is a massive issue confronting the entire world. Within the past five years it has become much clearer that the issue is less about mischievous or malicious intent than about stealing assets for economic gain. This was made even more evident by the recent increases in cyber espionage attacks in which organizations potentially sponsored by nation states infiltrate company networks to steal their data.
Sumedh Thakar, chief product officer at Qualys, says that bad actors have moved on from merely seeking some degree of fame. “They are now organized to attack companies and research laboratories for financial gain,” he says.
Olson says that the motivations of adversaries, such as cyber crime (to steal money), espionage (to steal information), terrorism (to invoke fear through an attack), war (nation states trying to harm each other in the cyber world), and hacktivism (launching attacks to draw attention to particular causes), are helpful to intelligence analysts who are trying to decipher the objectives and likely tactics of specific adversaries. “Ultimately, the goal on our side is to apply effective tools to help prevent their attacks,” he says.
In business, scientific enterprises, and laboratory settings, risk analysts are most concerned with three types of attackers, according to Amichai Shulman, chief technology officer at Imperva. Criminal hackers, the largest category, are simply after profit, and are of greatest concern to most organizations. State actors are complex and have defined agendas. Hacktivists believe they are sure about what they are after but are not always right, says Shulman.
To underscore the role of cybercriminals, Rich Barger, chief technology officer at ThreatConnect, noted recent reports of large biomed companies being targeted for nonpublic information aimed at gaining unfair advantage in stock market transactions. Barger says that because of the widespread use of convergent devices and the increasingly mobile nature of work, risks may carry over beyond the more protected laboratory or enterprise network.
Web-facing applications and vulnerable machines in a network are the most common cyber attack pathways, says Shulman. Compromised machines usually result from common end-user mistakes such as opening email with malicious attachments or clicking on a link that delivers malware.
Shulman believes that the first step in building cyber defenses is to figure out the risks, starting with potential attackers. While the biggest concern is usually with criminal organizations, because of the nature of their work, some labs could also be targeted by hacktivists. He notes that some research organizations could also be targets of state-sponsored espionage.
The next step is figuring out what could attract attackers. In addition to their scientific and technical data, research organizations may have large human resources (HR) databases of scientists and researchers that could be targeted, he says.
Knowing what the hackers may be after could help organizations fine-tune their investments and cyber defenses, he says. Entities with a large web-facing presence should start there because that is the easiest way for intruders to gain access. He does not see the answer, however, in merely writing better codes and applications but instead in overlaying web services with firewalls.
Shulman says organizations have latitude around if and how to secure sensitive data, but some types of information, which may not necessarily be business critical, such as HR and private health data, must be secured because of regulatory requirements. To comply, organizations can monitor all their servers or they can apply security overlays. In addition to improving security, overlays could enhance efficiencies around the management of permissions and access.
One critical issue for organizations is the timely detection of network intrusion. “It is a very reasonable assumption today that your network will be breached at some point,” says Shulman. Organizations commonly respond by using anti-virus software to prevent the initial intrusion. “We have seen repeated failures of anti-virus software to prevent network intrusion and compromise in the past five years. So, we need to assume that there was a compromise, and we need other technology to detect someone inside the network,” says Shulman.
Different approaches to this problem are essentially built around monitoring activities within the network such as communications between computers, system calls within computers, access to specific resources within end points, and network traffic, among others. Shulman favors solutions that monitor differences in data access patterns in organizations. “Attackers are after large amounts of data, and will eventually have to access the organization’s data source,” he says. “They will gain access in an efficient way that is distinguishable from users within the organization—the ability to detect that is the kind of solution that I’d be looking for.”
Barger says that heads of labs or other organizations must assume that they will be targeted, that there is an actor operating on their network. “They must operate in a paranoid state that would increase their openness to look for threats or problems but without adopting a victim mind-set. They have to actively take mitigating steps that will protect their information and users, and not wait until they are told that they have a problem,” he says.
One positive development is that more mature labs that have been attacked or are familiar with these threats are collaborating with other labs around common threats while sharing best practices, he says. “One of the ways we are supporting that is through a closed, invite only, vetted, sharing environment so that some of the largest biomedical companies can discuss what worked and what didn’t, and better understand the types of threats targeting them along with the technical details on how to mitigate them,” says Barger.
Matthew McKnew, consultant for cyber security at Thermo Fisher, says his company works with a number of vendors, including ThreatConnect, to track intelligence internally. He says that the tool facilitates the uploading, coordination, and sharing of threat indicators with other groups and health care organizations, and within the ThreatConnect community to develop a better threat picture.
“We have all the block and tackle, including firewalls and intrusion detection systems,” says Chris Hart, director of cyber security at Thermo Fisher. He says that his company has invested increasingly in threat intelligence capabilities over the past few years “to get a better understanding not only of what signatures are being hit but what is happening in our network, who’s doing recognizance, and to better monitor the external facing environment.”
When selecting cyber security services, Barger says that laboratories should seek vendors with the ability to help them aggregate information on different types of threats of interest, and are capable of providing solutions to analyze data generated in their own enterprise as well as threat information provided by external sources. They should also have the ability to act on this information and to help implement the solutions for the labs, such as firewalls, monitors, and platforms that provide actionable information, he says.
Turning to the academic, research, and laboratory environments in general, Olson notes that adversaries today are almost always interested in gathering data that might be valuable to a rival organization or agents of a country competing to reach a certain goal, among others. In the case of a research lab, he says, researchers’ data, their papers, patentable processes and designs, intellectual property, technological breakthroughs, and product innovations could all be incredibly valuable to an attacker. University laboratories and their collaborating networks are unique compared with commercial entities. They operate pretty much in the “bring your own device” theater, he says. Numerous researchers, students, faculty members, and others log on to their networks with their own computers, but the institutions do not have any control over whether the computers have upto- date anti-virus software or other protections. He says that they can’t lock their networks down because they will get pushback from the users.
“The first advice I would give to administrators operating those networks is to ensure that they have visibility of all the traffic into and out of their networks—so they can identify what normal traffic looks like and compare that to any anomalies,” says Olson.
“Second, ensure that when they want to make modifications to the network, they should limit access to certain locations or users in a flexible way,” he says.
One of Palo Alto Network’s products, Next Generation Firewall, tracks the flow of traffic out of a network by applications, making it possible to monitor and control the traffic at a granular level. Olson says this tool can provide value for an organization that requires a lot of flexibility for its users.
There is need for ongoing cyber security programs, not just occasional assessments because the bad actors are constantly looking for vulnerabilities to attack, says Thakar. He says that lots of tools are available from cyber security companies, including Qualys, “which help defenders to automate auditing and even remediation.”
Cloud technology helps bring down the cost of security by sidestepping the need to deploy, manage, and maintain security software in laboratory and other enterprise environments, says Thakar. Qualys’ offers a cloud-based platform that offers deployability and reach benefits while incorporating multiple security solutions.
For many organizations, the data center and the data source are not in a single location and not necessarily under the physical control of the organization; they could be cloud-based, says Shulman. Imperva’s solutions include a security overlay for web applications, the Web Application Firewall. It also provides security as an overlay inside the network with a database activity monitoring system, file security monitoring system, and distributed denial of service (DDoS) protection.
Barger says his company’s flagship product, ThreatConnect, is a threat intelligence platform that orchestrates information and knowledge management to assess knowledge from internal and external sources such as threats identified by agencies like the Federal Bureau of Investigation. “ThreatConnect, which can be tied in with the rest of the security infrastructure, provides the tools that analysts need to automate and simplify complex security analytics, which are usually done manually, so that they can do more at scale.” This helps organizations make smarter and more effective security investments, he says.
Olson says that over the next few years, the types of tactics deployed by the most sophisticated actors of the caliber of nation states will trickle down to less sophisticated groups and create a broader base of cybercriminal actors with highly capable tools. This means that from the defensive side, much higher levels of protective capabilities would be required.
“That is the scary part,” says Shulman. “State-sponsored actors targeted specific high-end, high-value organizations, usually with a lot of manual hacking. It was a concern but it was confined. Once criminal organizations figure out more ways to monetize hacked information, we will see explosive growth of these breaches.”