US health insurer Excellus BlueCross BlueShield claims it was targeted by a “sophisticated” cyber attack, but it was probably another case of spear phishing, according to Telefonica’s head of security.
“Most so-called sophisticated attacks can be traced to an email sent to the right person with the right content,” Chema Alonso told Computer Weekly.
Many of the recent big breaches, including the December 2014 hack of Sony Pictures Entertainment, he said, have been enabled by a carefully crafted spear phishing email.
The attacks are further enabled by the fact that many companies have invested much more in securing the network perimeter than in securing the internal network, according to Alonso.
The lack of 2FA on the internal network means that once an attacker gains access to a network using log-in credentials stolen through a phishing attack, they can move around the network unchecked.
“There need to be systems to manage privileged accounts on the network to identify account abuse and limit the impact if an administrator account is compromised,” said Alonso.
“Security policies should be created bearing in mind user accounts may be compromised or employees may act maliciously,” he said.
Typically, companies are still not correctly balancing investments in preventing, detecting and responding to security breaches, according to Alonso.
“Companies need to invest as though attackers are already inside the network to detect malicious activity, then most importantly, they should invest in a capability to respond to breaches,” he said.
While Fiat Chrysler had to recall thousands of vehicles for a software update, he said Tesla had the mechanism in place to issue a security update quickly and remotely via the internet to all vehicles.
“In all the recent security breaches, we are seeing that many companies are not well equipped to detect intruders on their networks or respond quickly and effectively to intrusions,” said Alonso.
“Ashley Madison, for example, was not ready for a security breach that could expose its members’ data because it had not planned for it, probably thinking it could not happen,” he said.
Alonso believes companies will continue to be easy targets for attackers as long as they fail to plan for the failure of all the traditional information security barriers.
However, he also emphasises that information security is complex and difficult. Even if companies deploy something like an intrusion detection system, he said it will be useless if they do not have the right people with the necessary expertise to analyse the data.
If companies do not have the right expertise in-house, he said they should ensure they have access to these technologies and skills through a managed security services provider (MSSP), for example, to give the company the capability it needs to detect and respond to cyber intrusions.
“Attackers’ knowledge is increasing exponentially, which means that defenders of corporate data need to do the same to keep pace, but few companies have the resources to do so,” said Alonso.
“If companies do not have the means to maintain cutting-edge skills internally, the best way is to source what they need from professional service providers,” he said.