'Zero day attacks' and other advanced threats are changing the cyber security landscape in Asia and beyond, says Anshuman Singh, Group Product Manager, Barracuda Networks.
How has the threat landscape changed over the years? What are the threats uppermost in the minds of security professionals?
The monetisation of hacking has permanently changed the threat landscape for the foreseeable future.
Cyber security is no longer an arena where paid professionals square off against talented hobbyists. It is now a battleground where trained professionals duke it out in a never-ending race to find and exploit or patch every possible hole in security infrastructure. Hackers are banding together and forming teams that carry out coordinated attacks. This has also led to them using more advanced and sophisticated attack vectors.
Right now, a big concern for many security professionals is "zero day attacks", which are undiscovered exploits and bugs in the software or hardware stack. Testing and securing software can be a challenge, and finding all the bugs in your own software is not a guaranteed thing.
Defending against advanced persistent threats is another large concern. In the past, most hackers were individuals operating independently. With the advent of cyber warfare and the rapid monetisation of hacking, larger highly collaborative groups are able to actively coordinate efficient and organised attacks on companies.
Also, while DDoS attacks have been around for the longest time, they are morphing from being only a network layer phenomenon to being an application layer construct. Today they are an even bigger threat to businesses, especially with increasing amounts of business transactions being moved online. Every time ecommerce functions go down, you are losing potential revenue gains. The problem is so severe that financial institutions have even started switching to "always on" DDoS mitigation.
What are some of the most active threats in the Asia Pacific region?
There are advanced persistent threats (APTs) where a group or organisation actively targets a specific entity. These groups normally have a high level of ability and the resources available to persistently attack a single company. Companies at risk of being the target of APTs tend to be those that hold a large amount of personally identifiable information. These include the likes of banks and other financial institutions as well as institutes of higher learning.
Another active threat in APAC would be botnets. As Asian nations continue to improve their networks and the computing power of personal computers catches up with that in other developed nations, it is likely that we will see more computers in the region being targeted by bot herders. Nations with faster Internet speeds and higher computing power tend to be more attractive targets for bot herders looking to increase their botnet armies.
Data theft is also rife in the region. Hackers are interested in the data that you hold. Customers' credit card numbers, their social security numbers and other pieces of personally identifiable information (PII) are of interest, as these pieces of information can be sold in the cyber black market.
Which companies are most likely to be the target of cyber attacks?
Generally, you will find that hackers are most interested in compromising companies such as financial institutions, online retailers, news sites and research institutes. The data that these companies store is intrinsically valuable and can easily be sold. However, SMEs are also likely to be targeted, as they tend to have lower levels of security in place, and after these companies are infiltrated, they are used as legitimate client networks from where attacks on larger, more secure networks can be launched.
To be entirely honest, a company is at risk of being hacked so long as it has a web presence. Take Eu Yan Sang, for example: a company that sells traditional Chinese medicine, it was hacked and had its web page defaced by an Indonesian hacktivist who took offence to Indonesia being blamed for the recent haze in Singapore. While no confidential information was stolen, this attack almost certainly would have had a negative effect on the brand's image.
In view of the increased waves of state-sponsored attacks as well as hacktivism, should security vendors work with government agencies to tackle local and global attackers? Are they the new arms dealers?
It has been claimed that warfare can now take place in a fifth theatre - online. Originally it was just land, air, sea and space. More governments are recognising the need to keep their confidential data secure, especially when that data relates to national security.
The Internet is a great enabler, and governments are enabling more services for their citizens using the Internet. So, just disconnecting from the Internet is not a viable option. What is required is to build networks and systems that are secure.
Security product companies, like Barracuda Networks, help build secure "facilities" online. And it is important for security vendors to work not just with governments, but with other security vendors and the myriad of businesses that operate in the online space.
One of the main reasons why the hackers are winning is that those who are defending the online realm are not sharing new attack vectors that they come across for fear of bad publicity. If we do not know what is coming, it is going to be hard to stop it. Hackers on the other hand are always collaborating and sharing.
There is a large "black market" of sorts where criminal elements of cyber space can purchase zero day exploits for five figure sums. Many zero days last an average of 365 days before they are rendered useless through patches. If we can find them earlier and patch them quicker, their value may drop, making the quest to find exploits less profitable.
How would BYOD impact businesses in the Asia Pacific region? What are BYOD's implications in terms of risk management, data protection, and data management?
BYOD programmes are clearly having a large impact on the IT landscape, and one of the largest concerns over this so-called mobile revolution is the security implications that BYOD policies bring into focus.
Businesses in APAC are looking towards BYOD as a means of improving employee morale as well as a way to keep costs down by reducing spending on IT devices such as smartphones and tablets. However, this opens a whole can of worms for the IT department.
Supporting BYOD means adding layers of complexity to your mobile support and security strategy. There are varying device types, different networks, mobile data security features and multiple OS platforms to contend with, as well as the loss of control over the device itself.
Companies must ask themselves just how much control they have over their employees' devices and their networks. Can you remotely wipe company data if the device is lost or if the employee quits? Are you able to install firewalls, intrusion detection and prevention systems on devices quickly and efficiently? Do you have the manpower to effectively monitor for anomalous traffic 24x7 on your networks? All these factors affect risk management, data management and protection.
Earlier, companies could control the security policies that were enforced on the devices that connected to their network. Even for the laptops that were carried home by the employees, a basic level of security could be enforced. Now, with BYOD, the device is owned by the employee and it may not have the latest anti-virus software installed on it.
So when the person is outside the company network they can be tricked into downloading malware onto the system, and then the system just becomes a conduit for bringing the malware into the network. Now, just securing the perimeter is not sufficient, as attacks could be launched from within the network from compromised devices.
What do organisations in Asia Pacific lack in terms of security awareness and strategy?
This answer depends on what sort of organisation we are discussing. If it is an organisation that operates overseas in Europe, the UK or the US, it is quite likely to be well versed in terms of data security compliance. However, being compliant does not necessarily mean being secure. It is simply the most basic sort of security one should have in place.
It is necessary for companies to go above and beyond when securing their data. The issue with IT security is that it is hard to quantify the business value of keeping data secure, and chief executives often under-estimate the impact an intrusion can have on the company's bottom line.
One of the weaknesses in almost every company's data security policy is not the network itself but the people who use it. Endpoint users can help hackers overcome all your defences simply by clicking on a link that they shouldn't have. More often than not, these larger international companies will have decent security in place, as long as they constantly communicate best practices to their employees effectively.
The smaller local organisations such as SMEs generally tend not to have advanced security strategies in place, nor are they aware of the threats they are facing. Many seem content to think that they are too small to be targeted, which is entirely untrue. Take for example the quite recent spate of ransom hacking that has been taking place in Australia. Hackers target SMEs with unsophisticated security, take over their databases, encrypt them and then hold the data ransom. More often than not, these companies have no option but to pay to have their data released.
Quite a number of SMEs that I have spoken to believe that they don't have the budget to mount effective security solutions. They should evaluate their security risks and take appropriate precautions. If they are connecting to the Internet just to access the Internet and do not host any data themselves, then they can use an enterprise grade firewall with capabilities to secure against most modern attacks.
If they host some data that external entities can access, then they would need to take care of protecting that as well. Another option would be to outsource their IT security needs to external vendors so they can rest at ease knowing that their incoming and outgoing server traffic is being monitored 24x7.
How can local businesses change their strategy to cope with the new threats?
Being aware of the threats is an important first step. Given that SMEs may not have the resources to have a full cyber security division, they can leverage the expertise being built by government agencies or managed security service provider companies.
While outsourcing their security to third parties, companies should be aware of what type of security the third party is offering. In many cases, we have seen that hosting service providers either don't mention the level of security in their contracts or just provide a basic level of security, which is really not sufficient for the types of attacks that are happening nowadays. This takes us back to step number one - be aware of the threats and ask your vendors what they are doing to protect you from them.