Chinese attacks show up useless infosec, again

Recent attacks on US newspapers are further proof that, despite making billions, the information security industry is pretty much screwed.

My American colleague Antone Gonsalves has written up some lessons learned from the Chinese attacks on the New York Times and The Wall Street Journal that were revealed last week, and argues that the media needs better security. I agree with most of it. But I'm Australian, so I'll add something much more blunt.

The information security industry is mostly screwed, and needs to admit it.

Alan Paller, founder and director of research at the SANS Institute, nailed it in their latest NewsBites newsletter.

"Three big takeaways from this story: (1) the attackers were in for a long time before they were discovered; (2) the anti-virus and other defenses were useless; (3) they didn't have people with technical security skills on staff to deal with it. These three facts are true of more than 1400 companies in the United States including most power companies, large law firms, other major newspapers and media companies, telecommunications, high tech, natural resources, manufacturers, and defense industrial base companies, just to name a few," Paller wrote.

Paller's third point isn't the industry's fault, it's just businesses being tightwads. But the first two are, and we've known about them for ages. Yet it seems as if the industry, or at least big sections of it, are still in denial.

Working backwards, it's the industry's dirty little almost-secret that traditional anti-virus defences just don't cut it any more.

Vendors race to assemble the biggest collection of Bad Things they can, so they can detect and protect you from them. They tackle the massively increasing pace by waving the words "cloud" and "community" at the process. But what use is any of that when specific pieces of malware are used for just five minutes, or against just one target?

"[The New York Times] claims that a major factor in the success of the attackers was the fact the anti-virus software used by the New York Times did not detect 44 pieces of custom made malware used against the Times' network. If you are relying solely on anti-virus software to protect your systems, especially against custom made malware, then you will get breached," wrote Dublin-based security consultant Brian Honan in NewsBites.


The New York Times also reported that the hackers had been in their systems for four months. That's not unusual, that's typical.

The Verizon Business Data Breach Investigation Report (DBIR) for 2009 showed that 49 percent of breaches weren't discovered until "months" after the initial compromise, and another 25 percent took "weeks". And it looks like things are getting worse. DBIR 2012 put those two figures at 54 percent and 29 percent respectively.

When you consider the number of breaches we see reported, let alone those that are kept secret, it seems to me that we're not looking at a few little glitches. Rather, our entire approach to information security is failing. The exception is the companies taking what will inevitably be called a "big data" approach this year: recording everything you can think of, looking for patterns, and hoping to find them.
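To make the contrast concrete, here is an added illustration (not part of the original column, and not anyone's product) of why the two approaches differ. The first half is a hash-based signature check of the kind a traditional anti-virus database performs: it only recognises a sample that has been catalogued before, so a trivially altered build of the same malware passes. The second half is the "record everything, look for patterns" approach applied to outbound-connection logs: it does not know what the malware is, but it notices a workstation contacting the same external address at a near-constant interval, a beaconing pattern that no signature would catch. Every hash, hostname, address and log line below is constructed for the example.

```python
"""
Signature matching versus pattern analysis over recorded activity.
All samples, hostnames, addresses and log lines are constructed for this
illustration; nothing here is taken from any real incident.
"""
import hashlib
import statistics
from collections import defaultdict
from datetime import datetime

# --- Part 1: signature (hash) matching --------------------------------------

# A constructed "known bad" sample and a blocklist holding its hash, the way a
# signature database records a sample only after it has been seen somewhere.
KNOWN_BAD = b"MZ\x90\x00constructed-dropper-v1\x00"
BLOCKLIST = {hashlib.sha256(KNOWN_BAD).hexdigest()}


def signature_match(sample: bytes) -> bool:
    """Return True only if this exact sample has been catalogued before.

    A one-byte change to the sample produces a different hash, so a custom
    build made for a single target is invisible to this check.
    """
    return hashlib.sha256(sample).hexdigest() in BLOCKLIST


# --- Part 2: pattern analysis over recorded connection logs ----------------

# Constructed outbound-connection records: timestamp, source host, destination.
# Host ws-17 contacts one external address roughly every 300 seconds, which is
# what an implant polling its controller looks like in the logs.
LOG_LINES = """\
2013-02-04T09:00:02 ws-03 cdn.example-vendor.test
2013-02-04T09:00:05 ws-17 203.0.113.77
2013-02-04T09:01:11 ws-03 mail.example-corp.test
2013-02-04T09:05:04 ws-17 203.0.113.77
2013-02-04T09:07:40 ws-03 cdn.example-vendor.test
2013-02-04T09:10:06 ws-17 203.0.113.77
2013-02-04T09:12:19 ws-21 mail.example-corp.test
2013-02-04T09:15:05 ws-17 203.0.113.77
2013-02-04T09:20:04 ws-17 203.0.113.77
2013-02-04T09:25:06 ws-17 203.0.113.77
"""


def parse_log(text: str):
    """Parse 'timestamp host destination' lines into (datetime, host, dest)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dest = line.split()
        records.append((datetime.fromisoformat(ts), host, dest))
    return records


def find_beacons(records, min_events: int = 4, max_jitter: float = 0.1):
    """Flag (host, destination) pairs whose contact intervals are nearly constant.

    A pair is reported when it has at least `min_events` contacts and the
    standard deviation of the gaps between them is at most `max_jitter` of the
    mean gap. Returns a dict mapping the pair to its mean interval in seconds.
    """
    by_pair = defaultdict(list)
    for ts, host, dest in records:
        by_pair[(host, dest)].append(ts)

    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds()
                for earlier, later in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        spread = statistics.pstdev(gaps)
        if mean_gap > 0 and spread / mean_gap <= max_jitter:
            beacons[pair] = mean_gap
    return beacons


if __name__ == "__main__":
    variant = KNOWN_BAD.replace(b"v1", b"v2")  # a re-built copy, one byte changed
    print("catalogued sample detected:", signature_match(KNOWN_BAD))
    print("modified variant detected: ", signature_match(variant))
    for (host, dest), interval in find_beacons(parse_log(LOG_LINES)).items():
        print(f"beacon: {host} -> {dest} every {interval:.0f}s")
```

The signature check answers "have I seen this exact file before?", which is the wrong question when the file was built for you alone. The beacon check answers "is anything on my network behaving in a way that only an implant would?", which needs no prior knowledge of the sample, but it does need the connection logs to have been recorded in the first place, which is the whole point of the "big data" approach.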

Yet vendors are still making money hand over fist. How does that work?
