A number of recent high-profile cases highlight the problem, including the June National Infrastructure Coordination Centre (www.niscc.gov.org) warning that hundreds of UK businesses were being targeted by Far Eastern cyber-criminal gangs, and the recent Israeli spyware arrests.
Phishing and Malware
There are a number of ways by which information can leave our business that circumvent the traditional security measures of firewalls and anti-virus software that UK businesses normally have in place.
Spyware can make its way into a business and transmit sensitive information – from passwords to customer details to contracts, via keylogging or other mechanisms. In the much-reported Israeli case, top executives of Israel's leading companies were convicted after uploading a piece of spyware to the computers of their commercial rivals to steal sensitive information.
Phishing attacks, which aim to fool the recipient into clicking on a bogus website and enter confidential data, are changing as users become more savvy. Attackers know they're unlikely to fool their targets, and so now use other techniques to infect those who merely click on their emails out of curiosity – just visiting a website can be enough.
The threat from within
The increasing capacity of portable devices including MP3 players means that a rogue employee could copy the entire contents of their server onto the device, wipe the system and walk out in minutes. These devices can be used to sneak confidential information out from behind the corporate firewall and act as an infection vector for spyware. They could also be used to put illegal material onto the network, for which the business then becomes responsible. So, the threat is from accidental use as well as malicious use.
There are other new transports for these threats, including VPN links that allow individuals to access the corporate network remotely, which can wreak havoc on your data if in the wrong hands. The increasing uptake of broadband, and the rise of IP telephony, is making this kind of flexible working model more practical, and therefore more of a security issue for IT directors.
Another infection vector for malware comes from mobile workforces, who often sit beyond the protection offered by the corporate network's security systems, only to come back into the fold infected.
Current security policies are still very much focussed at point security solutions – in particular, firewall and anti-virus. These offer limited defence when faced with the new breed of data thieves. A more in-depth approach to information security is needed, starting with the Information Security policy. Businesses must update their policies to take account of the new threats and the new ways of working.
In addition to the work done by AV and firewalls, advanced behaviour and policy management software is needed to monitor for anomalous network behaviour, giving a level of protection against "day-zero" threats, and allowing policies to be implemented across an organisation.
Given the criminal involvement in data-theft, monitoring, analysis and response systems within the network layer can be used to track anomalous activity and help identify the source of the threats (in collaboration with the proper authorities such as the NHTCU).
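The anomaly monitoring described above, as an added example that is not part of the original article: a per-host baseline of outbound volume and known destinations is learned from a quiet period of constructed flow summaries, and a later window is flagged when a host sends far more than its baseline or talks to a destination it has never contacted. The hostnames, addresses, byte counts and the 10x threshold are all constructed assumptions.

```python
"""Added example (not from the article): flag anomalous outbound transfers
from constructed per-host flow summaries, the kind of signal a network-layer
monitoring system raises without needing a malware signature."""
from collections import defaultdict
from statistics import median

# Constructed sample records: (window, source_host, destination, bytes_out)
BASELINE_FLOWS = [
    ("day1", "ws-12", "mail.corp.example", 120_000),
    ("day1", "ws-12", "files.corp.example", 450_000),
    ("day2", "ws-12", "mail.corp.example", 95_000),
    ("day2", "ws-12", "files.corp.example", 500_000),
    ("day1", "ws-40", "mail.corp.example", 60_000),
    ("day2", "ws-40", "mail.corp.example", 70_000),
]
CURRENT_FLOWS = [
    ("day3", "ws-12", "mail.corp.example", 110_000),
    ("day3", "ws-12", "files.corp.example", 480_000),
    ("day3", "ws-40", "mail.corp.example", 65_000),
    ("day3", "ws-40", "203.0.113.7", 2_400_000_000),  # 2.4 GB to an unknown host
]


def build_baseline(flows):
    """Per-host median outbound bytes per window, plus the set of
    destinations each host normally contacts."""
    per_host_window = defaultdict(lambda: defaultdict(int))
    known_dest = defaultdict(set)
    for window, host, dest, nbytes in flows:
        per_host_window[host][window] += nbytes
        known_dest[host].add(dest)
    typical = {h: median(w.values()) for h, w in per_host_window.items()}
    return typical, known_dest


def find_anomalies(flows, typical, known_dest, factor=10):
    """Return [(host, [reasons])] for hosts whose outbound volume exceeds
    factor x baseline, that have no baseline at all, or that contacted a
    destination never seen in the baseline period."""
    totals = defaultdict(int)
    new_dest = defaultdict(set)
    for window, host, dest, nbytes in flows:
        totals[host] += nbytes
        if dest not in known_dest.get(host, set()):
            new_dest[host].add(dest)
    alerts = []
    for host, total in totals.items():
        reasons = []
        base = typical.get(host)
        if base is None:
            reasons.append("no baseline for host")
        elif total > factor * base:
            reasons.append(
                f"outbound {total} bytes is {total / base:.0f}x baseline {base:.0f}")
        if new_dest[host]:
            reasons.append("new destinations: " + ", ".join(sorted(new_dest[host])))
        if reasons:
            alerts.append((host, reasons))
    return alerts


if __name__ == "__main__":
    typical, known = build_baseline(BASELINE_FLOWS)
    for host, reasons in find_anomalies(CURRENT_FLOWS, typical, known):
        print(host, "->", "; ".join(reasons))
```

On the constructed data, ws-12 stays within its baseline and contacts only known hosts, so it is not reported; ws-40 is reported for both a volume spike and a never-seen destination. A real deployment would learn the baseline over far more windows and would feed the alert, with the flow records behind it, to the incident response process rather than acting on it automatically.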
The threat offered by mobile devices can be addressed via a number of network access control and protection initiatives that refuse access to machines that lack the appropriate security and AV patches as set out in the Information Security policy.
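One way to express the admission check that such network access control initiatives apply, as an added example (not Cisco's or the article's code): each endpoint reports its posture, and a policy derived from the Information Security policy decides whether it is allowed onto the network or quarantined for remediation. The policy thresholds, the patch identifiers and the endpoint records below are constructed placeholders.

```python
"""Added example (not from the article): a posture check of the kind a
network access control system runs before admitting an endpoint."""
from datetime import date

# Constructed policy; values are illustrative, not from any real policy
POLICY = {
    "max_signature_age_days": 3,
    "required_patches": {"PATCH-A", "PATCH-B"},  # placeholder patch identifiers
    "require_firewall": True,
}

# Constructed endpoint posture reports
ENDPOINTS = {
    "office-desktop": {
        "av": {"signature_date": date(2005, 9, 12)},
        "patches": ["PATCH-A", "PATCH-B"],
        "host_firewall": True,
    },
    "roaming-laptop": {  # back from the road with stale AV and a missing patch
        "av": {"signature_date": date(2005, 8, 30)},
        "patches": ["PATCH-A"],
        "host_firewall": True,
    },
    "visitor-device": {  # no AV agent and firewall off
        "patches": [],
        "host_firewall": False,
    },
}


def assess_endpoint(endpoint, policy, today):
    """Return ("allow", []) or ("quarantine", [reasons])."""
    failures = []
    av = endpoint.get("av")
    if av is None:
        failures.append("no anti-virus agent reported")
    else:
        age = (today - av["signature_date"]).days
        if age > policy["max_signature_age_days"]:
            failures.append(f"AV signatures {age} days old")
    missing = policy["required_patches"] - set(endpoint.get("patches", ()))
    if missing:
        failures.append("missing patches: " + ", ".join(sorted(missing)))
    if policy["require_firewall"] and not endpoint.get("host_firewall"):
        failures.append("host firewall disabled")
    return ("allow" if not failures else "quarantine", failures)


def admission_decisions(endpoints, policy, today):
    """Map each endpoint name to its (decision, reasons) tuple."""
    return {name: assess_endpoint(ep, policy, today) for name, ep in endpoints.items()}


if __name__ == "__main__":
    for name, (decision, reasons) in admission_decisions(
            ENDPOINTS, POLICY, date(2005, 9, 13)).items():
        print(f"{name}: {decision}", "; ".join(reasons))
```

The check is deliberately fail-closed: an endpoint that reports no anti-virus agent at all is treated the same as one with stale signatures, so a device that has simply never been enrolled cannot slip through by reporting nothing.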
The current thinking many businesses have for their information security is in terms of AV and firewalls, and these tools have their place in the overall architecture. Unfortunately, current threats around data theft, from trojan emails to portable storage devices, can get past these. Any signature-based system on its own will not be sufficient to protect against these new attacks in the new threat model. Businesses need to move beyond point products to a complete "defence in depth" approach to information security, one that goes beyond signature matching and protects against attacks not yet seen.
The increased mobility of business, accessibility of networks, portability of devices and proliferation of malware has increased the number of threats facing the 21st century company. However, tools are available to strengthen defences so that organisations can use the Internet safely and securely, and so increase the productivity of their business.
The author is senior security advisor, Cisco Systems UK and Ireland.