Keeping pace with an evolving cyber-crime landscape

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://www.scmagazineuk.com/keeping-pace-with-an-evolving-cyber-crime-landscape/article/450207/

In the past five years the cyber threat landscape has grown exponentially.
Despite developments in cyber security and increases in security budgets,
practically every day sees a new high profile security breach being
reported in the media.

As a result, a growing number of companies are fast coming to the
conclusion that no amount of investment in security can keep them
protected, believing that when it comes to combating the cybercrime threat
it's a case of ‘when, not if.'

The fact is that companies - and even consumers - are creating, storing and
utilising data at an unprecedented rate. And it's this data that the
cybercriminals are after. What's more, experts predict that the attack
opportunities for hackers will blossom once the Internet of Things
proliferates and makes valuable data accessible from an ever-widening
selection of entry points.

Clearly, it's time for a rethink. Yet research shows that companies
continue to allocate just 1% of their total security technology spend to
data protection measures. And they're paying a heavy price for focusing
solely on network and device security alone.

A misguided focus on perimeter-based security

Until now organisations have largely adopted a perimeter-based security
strategy that's failed to keep pace with evolving attack approaches.

In 2010 companies spent nearly half of their security technology investment
(44%) on network security. In the same year, 761 major data breaches were
recorded, compromising 3.8 million records. Physical tampering, spyware and
data-exporting malware were the top three attack methods utilised, yet
little spend was dedicated to protecting the very data that serves as the
target for so many attacks.

In 2011 the use of stolen credentials emerged as the top mode of attack,
with companies like Sony PlayStation and Steam falling victim to
cybercriminals. A total of 855 major data breaches were recorded,
compromising 174 million records – a major uptick on 2010 statistics – yet
companies continued to invest 39% of their security technology spend on
network security. Despite the massive increase in attacks through the use
of stolen credentials, companies continued to invest just 1% in data
protection.

By 2012 backdoor exploitation had materialised as the hot new threat on the
block. In response to the growing cyber threat companies upped their total
spend on network security to 43%, with more than a fifth (21%) of budgets
going to database security, 13% to endpoint security/anti-virus, 8% to
identity management –  but once again just 1% was dedicated to data
protection.

Fast forward to 2014, during which stolen credentials, RAM-scraping malware
and spyware became the most popular modes of attack employed by
cybercriminals. Sony experienced yet another major breach and the overall
number of data breaches experienced by companies increased dramatically.
Overall there were 2,122 major recorded breaches, which compromised 700
million records, yet once again companies failed to shift their security
spend accordingly.

In a repeat performance of previous years, network security technology
investments continued to take the lion's share of security spending at 38%,
with 16% going on application security, another 16% on database security,
and 13% to identity management. Contrast this with data protection, which
yet again represented the lowest spending category at just 1% of total IT
security technology spend.

Evaluating the risks today – and into the future

In 2015 it's clear that cybercrime continues to grow in reach and
sophistication as cybercriminals employ new tools and malicious programs to
infiltrate corporations and exfiltrate sensitive data such as personally
identifiable information (PII), protected health information (PHI) and
payment card industry (PCI) information.

In May this year the US tax service, the IRS, reported that cyber-criminals
had used one of its online services to obtain tax return information for
more than 100,000 households in the country, using stolen PII to gain
unauthorised access to tax-agency accounts. Around 15,000 fraudulent
refunds were issued as a result. Meanwhile, high profile breaches at Target
and Home Depot placed consumers at long term risk of identity theft and
fraud.

With the Internet of Things on the horizon and the growing availability of
new mobile payment instruments such as Apple Pay, the possibilities for
attack look set to increase. Today's technology is advancing apace as new
ways to leverage cloud applications and mobile devices come into play. The
only factor that hasn't changed is that sensitive data is vulnerable and
needs to be secured with data protection technologies and policies that
follow a corporation's sensitive data while it's in use, in transit and at
rest.

The truth is our data is no longer just confined to networks where it can
be protected. And that means organisations need to turn their current
cyber-security strategy around, putting the focus on data protection
technologies and strategies rather than network security and traditional
anti-virus. Until corporations evolve their security methodologies, data
will continue to be at risk.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!