Automated cyber attacks set up by criminal organisations mean
no business is immune to data theft, IDC's IT Security Conference
in London has heard.
Businesses following a risk-based approach to security tend to
assume that if their risk profile is low, they are unlikely to be
targeted, said James Lyne, senior technologist at security firm
Sophos. "This is not true because an increasing number of automated
attacks target any business they can, irrespective of the company
profile."
Although cyber attacks have become increasingly targeted, the
use of automated search engines to look for vulnerabilities in web
applications means that no business can bank on being overlooked,
Lyne said.
A comprehensive security plan to mitigate these and other
web-based attacks is important for all organisations connected to
the internet, he said.
Invisible attacks
"Threats are increasingly becoming invisible, such as those
carried out using PDF documents that are used and trusted by most
businesses," said Lyne. In reality, PDF documents are easily
exploited by cybercriminals, who can take control of a computer in
an organisation simply by inserting JavaScript into a PDF
document, he said.
An increasing number of legitimate websites are also being
exploited by cybercriminals to carry out attacks using
SQL injection, which is also invisible to end-users targeted by
these attacks.
Cybercriminals are focusing on stealing information, which can
be done by planting malware on legitimate websites, including those
routinely visited by companies under standard business processes,
he said. According to Lyne, up to 70% of legitimate websites are
routinely targeted by cybercriminals for information such as log-in
credentials, intellectual property and financial information.
"Cybercriminals are outsourcing information captured in this way
to specialists in various industry verticals who can make sense of
the data and sell that intelligence to other criminals," he
said.