The unveiling of the largest-ever U.S. cyber crime prosecution last week serves as a blaring siren for Corporate America to ramp up security and thwart complex attacks, but companies still seem to struggle to keep pace.
Advanced persistent threats – the type unveiled last week in the Department of Justice indictment against five Russian and Ukrainian nationals – are a growing problem that can slowly, oftentimes without detection, siphon critical data from corporate systems for years.
The problem has grown persistent over the last few years, with cyber evildoers illegally capturing billions of dollars worth of data and money from unsuspecting victims. In the most recent case, the criminals inflicted “hundreds of millions of dollars” in damages and stole 160 million credit card numbers over six years.
However, corporate enterprises have so far either struggled to keep up with the rapidly evolving methods used by hackers or simply have not made security a priority, putting precious customer data like credit cards and Social Security numbers at risk.
“This one needs to be a wake-up call,” said Dr. Bill Curtis, chief scientist at software analysis giant CAST.
Sixty-four percent of organizations attacked in 2012 took more than 90 days to detect an intrusion with the average time for detection being 210 days – 35 days longer than in 2011, according to a report released earlier this year from data security firm Trustwave.
Five percent took more than three years.
The Weak Link
Especially unnerving is the widespread success of SQL injections. Remote access and SQL attacks, the tools of choice for the hackers in the scheme unveiled last week, together made up 73% of the infiltration methods used by criminals in 2012, according to Trustwave.
“This is not anything new for people in the space, it’s an old approach that has been used for decades,” said Dov Yoran, co-founder and CEO of malware analysis and threat intelligence firm Threat Grid. “And it's only going to grow as these systems get more complicated."
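The article names SQL injection as the weak link and Yoran calls it an old approach. The following is an added illustration, not code from the article or from any company named in it: a lookup written with string concatenation next to the same lookup written with a bound parameter, run against a constructed in-memory SQLite table. The table, column names and the input string are all made up for this example.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory table standing in for a card database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cards (id INTEGER PRIMARY KEY, holder TEXT, pan_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO cards (holder, pan_last4) VALUES (?, ?)",
        [("alice", "1111"), ("bob", "2222"), ("carol", "3333")],
    )
    return conn


def lookup_vulnerable(conn, holder):
    """Vulnerable pattern: user input is pasted into the SQL text.

    Anything the caller supplies is interpreted as SQL syntax, so a value
    containing a quote can change the WHERE clause instead of being compared
    against the holder column.
    """
    query = f"SELECT holder, pan_last4 FROM cards WHERE holder = '{holder}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, holder):
    """Hardened pattern: the SQL text is fixed; the value is bound separately.

    The driver passes the value to the engine as data, never as syntax, so the
    same input is simply compared (and matches nothing).
    """
    query = "SELECT holder, pan_last4 FROM cards WHERE holder = ?"
    return conn.execute(query, (holder,)).fetchall()


def compare(holder):
    """Run both lookups on the same input and return the row counts."""
    conn = make_db()
    vulnerable_rows = lookup_vulnerable(conn, holder)
    safe_rows = lookup_parameterized(conn, holder)
    conn.close()
    return len(vulnerable_rows), len(safe_rows)


if __name__ == "__main__":
    # Constructed test input: the textbook tautology used to show why
    # concatenation fails. No holder has this name.
    probe = "x' OR '1'='1"
    print("legitimate lookup:", compare("alice"))  # both return 1 row
    print("tautology input  :", compare(probe))    # concatenation leaks every row
```

The contrast is the whole point: both functions issue a single SELECT, and the only difference is whether the holder value is part of the SQL string or bound as a parameter. A code audit of the kind the article's sources call for would flag every query built the first way, regardless of what input validation sits in front of it.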
Some industries have been forced to adapt and alter faster than others due to the high level of attacks, particularly U.S. banks like J.P. Morgan Chase (JPM) and Bank of America (BAC), card companies like Visa (V) and MasterCard (MA) and retailers that have a more direct line to cash.
Nearly a year ago DDoS attacks in September temporarily downed the consumer websites of some major U.S. banks. But a fourth wave of attacks declared last week against some of the same victims has so far proven uneventful.
“Credit-card companies are good at tackling bizarre spending and have good defenses,” Curtis said. “But even a few hours with that card can do a lot of damage.”
But even boardrooms that do have up-to-date security systems and are focused on staying ahead of the problem still find it difficult to keep up with the rapidly altering techniques of hackers.
At some point, it becomes too costly to pay for the defenses necessary to stay far enough ahead of them, and that’s when security systems become outdated.
“Businesses should take a step back and re-evaluate their security posture,” said Trustwave CEO Robert McCullen earlier this year.
Letting a security system run without maintaining it or constantly checking for vulnerabilities is like “driving your car for several years without an oil change,” said Kevin Mahaffey, co-founder and chief technology officer of Lookout, a mobile security provider.
Last week’s cyber roundup is the latest in a series of wake-up calls that have been slowly building since Heartland Payment Systems (HPY) was breached through an SQL injection in 2009, causing an estimated 130 million accounts to be compromised.
“It’s not that companies can be hacked, but how easily they can be attacked that has surprised so many people,” Mahaffey said. “It’s a growing challenge as we rely on more technology.”
The problem, notes Curtis, is that the industry is “still struggling with the infancy of software engineering.” It takes a "real commitment to security," he says, a drive to ensure employees understand potential vulnerabilities and how to identify them.
“It would take a little extra time and money to make sure a system is secure, and many companies don’t want to make that investment,” he said.
Executives need to make security a priority, place developers in critical spots within the company, give them the necessary resources to fight against the bad guys and train staff to identify attacks, audit code and detect and thwart attacks.
“You can’t really prove [that your system is secure], so it’s just a matter of how much that organization takes security seriously,” Yoran said.
The ongoing attacks publicized over the last year have triggered a warning call, says Mahaffey; he just hopes someone in the boardroom is listening.
“Thankfully there hasn’t been a mass destruction like you see in the movies,” he said. “I hope these small events that happen early will encourage people to start locking their doors.”