Security Threats Outpacing Solutions

Wednesday, August 25, 2010 @ 06:08 PM gHale


The gap between hacker threats and suitable security defenses is widening, at a faster pace than ever before, according to a research report.
Organizations are no longer facing challenges from individual hackers or even small groups of hackers. Instead, threats are coming from “highly organized, well-funded” crime networks, or even state-sponsored actors, said Khalid Kark, an analyst at Forrester Research.
The independent research firm also examined key areas experiencing shifts in security threats, all gleaned from a Forrester tracking survey conducted among more than 2,800 IT professionals worldwide.
“The attacks are much more targeted, sophisticated, and resourceful,” according to the report, which cites data from a Congressional report showing cyber crime costs the U.S. economy about $8 billion per year.
Part of the evolving cybercriminal toolbox includes a shift toward targeted, low-profile attacks on network applications designed to bleed organizations of data, or money, over a longer period.
“Attackers go after the network, then the applications, and then the data, covering all traces of their presence as they penetrate,” according to the report. “The ultimate goal is to modify the application in some way so that [attackers] get a consistent source of revenue.”
Cyber criminals now target organizations across the business spectrum in search of valuable information, rather than simply seeking to bleed cash from financial institutions, according to the report.
The Forrester report also highlighted the rapid metamorphosis of malware variants used by today’s cyber criminals. The report examined Zeus variants, which now number more than 90,000. These custom-made viruses evade anti-virus detection and are typically available for little or no cost.
A more significant shift in security threats has occurred at the web application level, Forrester said. The researcher’s data shows 79% of breached records in 2009 were the result of web application attacks, yet a majority of companies polled focused on securing infrastructure components.
Further complicating the response to this trend is that, even among companies that plan to address application security, many find a dearth of personnel trained to deal with these issues.
This drives home that the gap between attackers and defenders appears to be widening of late.
“The threat landscape continues to evolve and become more sophisticated, and attackers will continue to exploit vulnerabilities in people, process, and technologies to get what they want. What is different today is the velocity – the speed and trajectory – of this change,” the report said.
It is one thing to talk about attacks, but it is another to figure out how to safeguard your enterprise. The report recommended investing in security personnel, better management of processes, and investment in technology, but within certain parameters, Kark said. Organizations should not increase security staffing indiscriminately, and should instead focus on high-risk areas. One of these includes increased focus on application security issues.
While it is easy to say companies should invest in security, Forrester said “security technology vendors in general have overpromised and underdelivered.” Instead, the firm advocated a layered security defense that does not rely on any one particular technology to address a single risk area.


