A Grim Story Of Daily Breaches Is No Fairytale

How secure is your network? 100 percent? 50 percent? Less?

According to security experts at FireEye the truth is that almost any system can be blown wide open. Even worse, the company claims that 99 percent of companies have at least one piece of malware penetrating their systems at any given time, often many more simultaneous breaches. Only perpetual vigilance will detect these threats before they cause damage to their chosen victims.

Media Whores Looking For Business

When I first read the FireEye 2011 Advanced Threat Report, I thought, “I know the security situation is getting serious but this is just a bunch of chancers looking for a headline.” Judging by the patchy press coverage the report achieved, it seems many other journalists thought the same.

A week ago I joined the company for dinner and now I’m quite sure they are on the level. Nothing to do with being fed and watered – I’m too feral to be bribed. No, it was the force of the company’s argument and my sneaking suspicion that the advanced persistent threats (APTs), SCADA raids, and the calibre of companies that have fallen victim to breaches are just the tip of a very large hackberg.

As the report states, “Every company studied in every industry looks to be vulnerable and under attack. Even the most security-conscious industries, such as financial services, health care and government sectors, which have intellectual property, personally identifiable information, and compliance requirements – show a significant infection rate.”

In support of this, a recent conference, organised in Washington DC by TechAmerica and RSA Security, the security division of EMC, brought together 100 of the world’s top cyber security leaders from government and business to address the impact of APTs, as well as strategies for defence and mitigation.

The details of the Summit on Advanced Persistent Threats have not been disclosed because it was held under the “Chatham House rule” which forbids disclosure. However, EMC did release the general issues and conclusions reached.

Eddie Schwartz, CSO of RSA, said, “The frequency and volume of attacks has reached pandemic levels – this is not a passing fad or anomaly. The new fact of life is a ‘state’ of persistent, dynamic, intelligent threat and disruption, the economic and societal ramifications of which are overwhelming. This doesn’t mean that we as a collective of security professionals are powerless against our adversaries – we can, and should, be able to manage our risk to an acceptable level and change the ongoing and grim trends.”

So, given that these guys are not going to admit defeat, we have to read between the lines and look elsewhere for the truth. Schwartz uses the words “disruption”, “can”, “should” and “grim” which sounds ominously like elements of a prayer in hard times.

Where Does The Truth Lie?

Do we assume that RSA could, and should, have avoided the hack it suffered? If so, was the security team caught sleeping? Or was it just some “grim trend” that caused disruption?

The reality can only be that RSA didn’t see it coming – and felt that no-one would have been prepared for this. If this were not the case, Schwartz would have been gone from RSA long before the summit meeting.

FireEye said, “We believe the daily morphing of malicious binaries and domains is timed to stay ahead of the typical practice of daily DAT [files] and blacklist/reputation updates, enabling the malware to remain undetected and its communications unblocked.”

Both reports reach similar conclusions but the key message is that attackers routinely share information in real-time but “targets” rarely talk openly about what happened. RSA is on a quest to prepare the ground for this blossoming of breach sharing and 10 October will see a UK Advanced Threat Summit in London, just before RSA’s annual user conference.

This is the bit of the hackberg that floats just below the surface but there is a darker, deeper threat under that which will add a devilish twist to the Le Carré-like plot – but more of that next week.

We are spending tens of billions on security measures every year, but we are not buying security as much as safety. It’s like following all the health and safety rules before climbing a ladder. On the top rung, the climber feels secure but a determined miscreant could soon destroy that with one firm push.