In an increasingly connected world, corporate IT systems are more vulnerable than ever to external threats, including viruses, hacks and phishing attacks.
We look at the top five cyber security threats facing business today, and suggest what can be done to prepare for and defend against them.
In terms of sheer frequency, the top spot on the list of security threats must go to viruses. According to a DTI survey, 72% of all companies received infected emails or files in 2003, rising to 83% for larger companies.
Worms and Trojan horses share the first prize in malignancy: the internet experienced three worms in only 12 days in summer 2003, causing £1.8bn in damages, according to Symantec’s Internet security threat report.
Virus back doors
The after-effects of viruses are so dangerous that they take second place. The vulnerability here is the back doors viruses leave in their wake, or the chinks in the corporate armour that later generations of code can exploit.
For example, in January, MyDoom left a back door that was subsequently exploited by Doomjuice and Deadhat. Companies that failed to close the back door, as well as rid themselves of the primary attack, remained exposed.
Another related threat is the worms that turn PCs into remote mail servers and send cascading volumes of emails that cause denial of service attacks. These attacks are becoming more sophisticated.
“Most mass email viruses require the recipient to open the attachment to run the malicious code,” says Carole Theriault, security consultant at antivirus company Sophos.
“However, there are viruses that can take advantage of security flaws which means that only viewing or opening the email is enough to launch the malicious code.”
Hacks, and application-specific hacks in particular, have become smarter. Many companies are alert to the threat posed by so-called buffer overflows, the techniques by which web servers are overloaded, causing a denial of service attack.
But the new kid in this category, and the one the security industry is talking about, is the more advanced SQL injection.
SQL injection forces a database to yield otherwise protected information by causing it to confuse classified data, such as passwords or blueprints, with information intended for public consumption, such as product details or contacts.
It is hard to do but, according to experts, there are plenty of hackers up to the task and plenty of customers ready to pay for the service.
“We see it all the time,” says David Litchfield, founder of NGSSoftware. “It is behind breaches such as the half a million credit card numbers stolen by Russian gangs or details from the Drug Enforcement Agency being sold on to drug runners. These are documented cases. SQL injection is not getting the respect it deserves.”
Phishing, or identity theft, is most commonly targeted at bank customers but everybody should be alert to it. The bank users receive an email as if from the bank asking for their password. According to risk specialist company mi2g, less than half of 1% of customers oblige – a significant figure if millions of emails are sent.
A more sophisticated version of phishing, cross-site scripting, is on the rise, where users are driven to an identical-looking but fake version of the bank’s website and are lured into handing over confidential information.
Blended attacks are combinations of two or more of the above and are doubly alarming. The solution to protecting a company against these attacks is to combine the piecemeal security systems that protect against each kind of threat.
But how secure are these security systems and who is winning – the attacker or the attacked?
Three layers of protective measures
Most of the measures companies can take to protect themselves are reactive, and antivirus patches and firewalls are now, for the most part, implemented as standard.
But these are responses to known attacks, rather than an anticipation of the unexpected. They do nothing to thwart the activities of worms that turn PCs into machines from which further attacks, such as mass emailing, can be launched.
Nor can they deal with the more sophisticated hacks, such as SQL injection. To combat this level of threat, additional security must also be in place.
This security can be grouped in three layers. The first layer scans IT systems for suspect activities by using intrusion prevention technology and by monitoring anomalous requests. For example, SQL injection often works by sending unusually long search strings to database query tools.
“An intrusion prevention system that monitors traffic and watches for unexpected behaviour such as this should pick up the attempt,” says Nick Garlick, sales director of Nebulas Security.
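The two SQL injection points made above (a search term that changes the meaning of a database query, and a first-layer monitor that flags unusually long or malformed search strings) can be seen side by side in this added example; it is not code from the article or any of the companies quoted, and the product catalogue, function names and the 32-character length baseline are constructed for illustration.

```python
import sqlite3

# Constructed sample catalogue (not from the article): a public product list
# of the kind the text says should be served to customers.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (name TEXT, price REAL);
        INSERT INTO products VALUES ('widget', 9.99), ('gadget', 19.99);
    """)
    return conn

def lookup_unsafe(conn: sqlite3.Connection, term: str) -> list:
    # Vulnerable pattern: the search term is spliced into the SQL text, so a
    # quote character in the input changes the structure of the query and the
    # database can no longer tell user data from the query itself.
    sql = "SELECT name FROM products WHERE name = '" + term + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn: sqlite3.Connection, term: str) -> list:
    # Hardened form: a bound parameter is always treated as data, never as
    # SQL, so the same input simply matches no product.
    sql = "SELECT name FROM products WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (term,))]

def is_anomalous_search(term: str, max_len: int = 32) -> bool:
    # First-layer monitoring as described in the article: flag a search string
    # that is far longer than any legitimate product name or that carries SQL
    # metacharacters a product search should never contain. The length
    # baseline is an assumed value for this catalogue.
    return len(term) > max_len or bool(set("'\";-") & set(term))
```

The monitor is a coarse heuristic of the sort an intrusion prevention system applies to traffic; the parameterised query is the fix that removes the vulnerability regardless of what the monitor catches.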
Alternatively, a denial of service attack might be thwarted if the security system recognises high levels of a particular sort of traffic before they become so high that the network falls over.
Garlick also points out that testing new software adequately before it goes online is important. “The big issue is that coders tend to work to deadlines and do not think like security people,” he says. “Build processes should also include penetration testing.”
A second layer is added when defences are integrated. For example, if a virus is known to open up a back door, the antivirus system should not only search for the virus but also for the back door.
Alternatively, it must prompt the firewall to stop entry through the back door. This is a complex process to carry out across enterprise-wide IT systems, and so experts advocate the installation of security management systems.
“Suppliers are starting to develop the capabilities of systematic and effective patch management systems,” says Jan Fundgren, a security analyst at Forrester. “When there is no all-in-one solution, better enterprise security management is more likely to succeed.”
Compliance tools add another form of defence and can monitor how thoroughly systems have been patched against viruses.
The third layer is good risk assessment. Online systems inevitably bring a degree of vulnerability along with excellent business opportunities, so internet security should be built into the company's calculations.
If the business can understand which systems are most vulnerable, protective measures can be taken to cut the risk. That is the essence of dealing with external security threats.