Vendors continue building new and improved technology to protect digital assets, and end-users are throwing more money to safeguard their information, but unless governments can get their collective act together, security will continue to be a disaster, according to NSS Labs. “We’re not going to get even close to where we need to be until governments agree to co-operate,” said Randy Abrams, Research Director for the security research and advisory company, in a recent interview with IT Trends & Analysis.
“Breaches are going to happen,” said Abrams. Even with improvements in cloud security, endpoint protection products (EPP) vendors recognize attackers are going to get through, he said, “especially if governments that are housing these criminal activities are seeing revenues as a result of these activities.”
Getting governments more involved is “going to be a critical piece of really improving security by a massive amount. You can only do so much defence in depth!”
According to the Ponemon Institute, 432 million accounts were hacked in the last 12 months, including 110 million Americans, and that’s considered to be a conservative estimate. This doesn’t include eBay’s massive breach announced last week, added Larry Ponemon, which reportedly impacted as many as 145 million customers, whose names, addresses, phone numbers, dates of birth, email addresses and encrypted passwords, were exposed to attackers.
Back in March NSS reported that personally identifiable information (PII) of more than 300 million Americans had been “repeatedly compromised” in the decade’s 10 largest breaches. It also highlighted the fact that half of those major breaches occurred in 2013 alone.
PII protection is a big issue for Americans, according to a recent Unisys survey, which reported that 59% of U.S. respondents are seriously concerned (“extremely” or “very” concerned) about other people obtaining and using their credit or debit card details, jumping from 52% in 2013. Ranking second and third, respectively, on the list of top security concerns, 57% are seriously concerned about identity theft, and 47% are seriously concerned about national security in relation to war or terrorism.
Another recent Ponemon survey, commissioned by Raytheon, found that despite increased awareness of threats, 88% of privileged users believe privileged user abuse will increase. “The results of this survey should serve as a wakeup call to every executive with responsibility for protecting company or customer sensitive data,” said Jack Harrington, VP of Cybersecurity and Special Missions, Raytheon Intelligence Information and Services. “While the problem is acutely understood, the solutions are not.”
IDC reports that a consistent bombardment of unknown, targeted, and adaptive cyber threats is wreaking havoc in the enterprise and driving the expansion of threat intelligence security services (TISS) that are specifically designed to detect advanced persistent threats (APTs), advanced malware, and previously unidentified attacks. As a result, threat intelligence security services spending will increase from $905.5 million in 2014 to more than $1.4 billion in 2018.
“Threat intelligence is essentially a community activity,” said Christina Richmond, Program Director, Security Services at IDC. “Attack information can come from many different sources, and iterative intelligence organizes this chaotic process of information sharing in order to help organizations in making future decisions.”
NSS CTO John Pirc said he was “extremely impressed” by the ability of the National Institute of Standards and Technology (NIST) to respond quickly and put together the Framework for Improving Critical Infrastructure Cybersecurity. “I think the first draft is good and addresses the issues we’re facing today,” he said. “As with any security framework, it will receive a lot of feedback – both positive and negative. After meeting with the NIST team, I’m sure that feedback will likely be adopted into the next iteration.”
However, Pirc believes that the framework lacks a way to measure and quantify how well an implementation actually delivers on it. “You can follow the framework by the book, but it does not guarantee that the various security products that are deployed provide you the level of security that gives you reasonable security and reduced risk of exposure.”
He defended the framework as a successful cross-industry collaboration that “might be vague in some areas, but I think that is largely because there are many different industry verticals that adopt the framework and every industry has different requirements.” As with anything new, it will take time to gain traction and adoption.
“The way I see the framework evolving stems around the employment of metrics,” said Pirc. “I believe a well-defined set of metrics will serve to showcase the efficacy of the framework and add more validity to the model which will increase the potential for adoption.”
The first draft of the Cybersecurity Framework, the result of the Executive Order, Improving Critical Infrastructure Cybersecurity, issued by President Obama a year ago, was published in February. The NIST framework should help, but there is still a long way to go, said NSS Research Director Andrew Braunberg. “People talk this game but very few walk the walk.”
Things will probably continue to get worse for a while, said Abrams. Given the significant delay in identifying breaches – less than 25% of breaches are discovered in days or less, according to the Verizon 2014 Data Breach Investigations Report – it will take a while to address the problem properly, he said.
“Not only do security vendors have to catch up to where they should have been many, many years ago, but they then will have to close ground even faster to get to where they should be now.”