Cyber crime has exploded in 2011. US-CERT noted a 40% increase in computer intrusions and the FBI's number-one criminal priority is still cybercrime. The recently released SAIC / MacAfee study, "Underground Economies," is fairly damning of the laissez-faire approach to cyber security taken by corporations around the world.
Here's a summary of the key findings from the study:
1) Security budgets decreased.
2) 85% of their assets are intangible assets stored in networks.
3) 25% halted a merger, acquisition or product rollout due to cyber attack.
4) 50% did not investigate cyber breaches due to costs.
5) Penetration testing is listed as fundamental to securing their systems.
6) 65% of the executives were worried about wireless and mobile device security.
We often bemoan the stark reality of cybercrime and espionage, but rarely do we take a long look in the mirror. The cyber underground is thriving with new actors, capabilities and infrastructure (much of which is comprised of our “owned” machines). Big brother is no longer the monopoly of the United States government but rather anyone who uses free hacking tools and a botnet. Often it is not merely the naive end user but the corporation on whose networks the end user depends that has become the “hot zone” for infiltration.
Corporations must dispel plausible deniability and begin to conduct robust attack path mapping so as to discern the avenues by which our common enemies can colonize our data. The first step in healing is acceptance of the reality: The big bad wolf is not at the door but rather in the kitchen, so the time for bricks (not sticks) is here ...
- Tom Kellermann, VP security awareness and government affairs