Information security is one of the hot topics of 2012. We asked Sam Curry, chief technology officer at security firm RSA, for his assessment of the threat landscape that businesses face.
What do you see as the key threats to data security in 2012?
There is definitely something that seems to be heating up, there’s a sort of boiling of the kettle, if you will. The most important thing is that the emphasis should no longer be on the tools and techniques the bad guys use; the bad guys themselves should be the focus. Rather than talk about the worm of the week or the latest virus, it’s much more important to think in terms of who the adversaries are.
The first group consists of cyber-criminals. Frankly, you are quite a stupid criminal if you are still holding up corner stores or banks. The real money to be made is online. Cyber-criminals are out for profit. The good news is that we can understand that and use it to anticipate their behaviour. Like financial markets, they behave in predictable ways, based on margins and return on investment.
There is a second group of people often described as “advanced persistent threats”. I prefer the term “advanced persistent adversaries”. If you’re a nation state, a terrorist organisation or a hacktivist, you are probably quite stupid if you’re not investing in hacking as a means to achieve your ends. Groups like LulzSec and Anonymous, certain nation states and large criminal organisations are all doing this. That was really the hallmark of what was happening last year.
This year, the message is: be aware of who your opponents are. It’s not about the tools they use – there’s no pride of ownership over whether they do phishing or use Trojans – it is the people on the other end that you really have to understand.
Do many companies believe their activities couldn’t possibly bother anyone, and therefore they have no opponents?
There is a risk of that sort of thinking, and in some industries, they might be more or less correct. I don’t think it’s time to run to the hills screaming that the barbarians are at the gate, to mix metaphors a little bit. It’s much more important to understand who the actors are out there and that even relatively small companies face a threat.
I’ve dealt with smaller local companies who have perhaps four to five branch offices, and they tell me that even they see hacking activity.
In crime there is something called Locard’s Principle, which says there is an exchange of evidence between a criminal and a crime scene. That’s why we have all these TV shows based around forensics departments. There are two ways of defeating the authorities if you want to commit a crime. The first is to try to cover up all the evidence and hide it, while the other strategy is the exact opposite – the criminal can try to leave so much evidence that it’s difficult to tell who is the criminal and who is not.
That means that even if you are a relatively small company with a relatively small local business, even if you’re not being targeted, you may see the detritus of other attacks. That’s the debris left behind by the increased volume of attacks that these people create by encouraging a generally hostile environment.
Having said that, almost every organisation has some online component. You might have insider information floating around your networks, you might have personally identifiable information such as credit card or healthcare information, or you may even have things like intellectual property.
So you have to imagine that someone from the outside might want to get to you or your partners because they want the data that belongs to your customers or your partners. You might just be a vector to get to someone else.
Are companies more likely to be targeted by hackers if they’re going through a mergers and acquisitions process?
There’s a generally sustained level of hacks happening behind the scenes all the time against any two companies that are about to merge. Firstly, the knowledge that a merger is happening means that they might get hacked, and then once it’s gone public, they may see a sustained set of attacks. There are many reasons for that.
The first and most obvious one is when you’re joining two organisations, there are bound to be seams. If company A does their IT one way and company B does it another way, while they harmonise on a new way, there’s a transition period in which neither company is familiar with what the other one is doing. The first organisation doesn’t know the size of the network because it’s twice as large, or the second organisation might not know the processes to follow.
When there are seams, when things are in flux, that’s an opportunity for the bad guys. Very often, especially when the financial markets are involved, having insider information and being able to manipulate performance by denying the ability to do business helps these guys.
If you know you can shut down a company and predict the impact that will have on revenue, then you in effect have information that other people don’t have. When companies come together, it’s a chance for stocks to go up and down and that naturally attracts organised crime.
If you’re acquiring a company or being acquired by someone else, it’s a very good idea to think about what the threat landscape is for you. Are you worried about hacktivists who might not like the types of businesses you’re involved in?
There are some rather extreme opinions on almost everything out there. Are there nation states that want access to your intellectual property or organised criminals who could take advantage of being able to disrupt business or obtain insider information?