As a professional working in the IT security field, I find it surprisingly difficult to educate people on current security events without sounding like a “fear monger.” At the same time, anyone with experience in the field would undoubtedly agree that IT security is important, and cyber attacks occur more frequently year after year.
Most of us are familiar with the “Hollywood” version of cyber attacks and can probably agree that “hackers” aren’t going to consume six bottles of wine and a box of Hot Pockets while simultaneously taking control of an entire city’s traffic control system! But what is really happening out there in the world of cyber attacks? I’d like to take a few minutes to describe a concept that will hopefully shed some light on exactly what’s happening out there in IT security, specifically with regard to cyber attacks.
As a simple generalization, I will organize the types of cyber attacks into two categories: targeted and opportunistic. A targeted attack is a cyber attack in which the “hacker” (sometimes called “cracker”) knows his victim and has some reason for trying to circumvent their security controls. An opportunistic attack is where the hacker simply stumbles upon a target (either automatically or manually), finds a vulnerability in their security controls, and decides to exploit said vulnerability.
Most movies, like Swordfish and The Net, portray “targeted attacks,” good hacker vs. evil company, or vice versa. However, contrary to popular fantasy, the most common type of attack is opportunistic. In fact, according to the Data Breach Investigations Report conducted by the Verizon Business Risk Team, 85 percent of all cyber attacks reported in 2008 were opportunistic in nature. This report, encompassing data gathered from 2004 to 2008, shows that the reality of cyber attacks is that four out of five were opportunistic. This is actually a really good thing for most individuals and organizations to hear (i.e., no “fear mongering”).
Then why are attacks and their success rates still increasing? That answer is simple—out of that 85 percent, 87 percent were considered avoidable through reasonable controls. This implies that organizational IT security maturity is still severely lacking.
Let’s take a closer look at some cyber attack specifics in the report:
- 85% of breaches were the result of opportunistic attacks
- 87% were considered avoidable through reasonable controls
- 83% of attacks were not highly difficult
- 73% resulted from external sources
- 19% were caused by insiders
- 39% implicated business partners
- 30% involved multiple parties
- 62% were attributed to a significant error
- 31% incorporated malicious code
- 22% exploited a vulnerability
- 15% were due to physical threats
What does this information tell us? For starters, it says that as attacks increase, the skill set of the attacker decreases. There will never be an end to security breaches—it’s the nature of the world we live in, and you can never be absolutely secure.
However, given the opportunistic nature and difficulty of attacks (or rather, lack thereof) leading to data breaches, organizations should focus on ensuring essential controls are met across the organization and throughout the extended enterprise. This includes following through on security policies so they are actually implemented, and periodically testing applications and externally available resources (called “penetration testing”). Organizations should also ensure that a basic set of controls is consistently met across the organization.
Accomplishing these goals will make it much more likely that attackers will pass over your organization in favor of lower-hanging fruit. Remember, you don’t have to be faster than the bear to avoid being eaten, you just have to be faster than the person running alongside you!