Security threats evolving at breakneck pace

17 August 2010

The most recent threat landscape report from Forrester claims the gap between hacker threats and suitable security defenses is widening, at a faster pace than ever before.

The threat landscape has changed dramatically, according to the latest report from Forrester Research, “The New Threat Landscape: Proceed With Caution”. Forrester analyst Khalid Kark, the report’s primary author, says organizations are no longer facing challenges from individual hackers or even small groups of hackers.

Instead, threats are coming from “highly organized, well-funded” crime networks, or even state-sponsored actors.

The independent research firm also examined key areas experiencing shifts in security threats, all gleaned from a Forrester tracking survey conducted among more than 2800 IT professionals worldwide.

“The attacks are much more targeted, sophisticated, and resourceful”, noted the report, which cites data from a Congressional report showing that cybercrime costs the US economy about $8bn per year.

Part of the evolving cybercriminal toolbox includes a shift toward targeted, low-profile attacks on network applications designed to bleed organizations of data – or money – over a longer period.

“Attackers go after the network, then the applications, and then the data, covering all traces of their presence as they penetrate”, the authors noted, adding that “the ultimate goal is to modify the application in some way so that [attackers] get a consistent source of revenue”.

The new attack strategy has narrowed in focus, Forrester contends, as cybercriminals now target organizations across the business spectrum looking for valuable information, and are not simply seeking to bleed cash from financial institutions.

The Forrester report also highlighted the rapid metamorphosis of malware variants used by today’s cybercriminals. For example, the report examined Zeus variants, which now number more than 90 000. These custom-made viruses are tailored to evade anti-virus detection and are typically available for little or no cost.

Perhaps the most significant shift in security threats has occurred at the web application level, Forrester noted. The researcher’s data shows that 79% of breached records in 2009 were the result of web application attacks, yet a majority of companies polled focused on securing infrastructure components.

Further complicating the response to this trend is that even among companies that plan to address application security, many often find a dearth of personnel trained to deal with these issues.

This drives home the point that the gap between attackers and defenders appears to be widening as of late. As the report concluded: “The threat landscape continues to evolve and become more sophisticated, and attackers will continue to exploit vulnerabilities in people, process, and technologies to get what they want. What is different today is the velocity – the speed and trajectory – of this change.”

So what can an organization do to maximize its security investment while, at the same time, minimizing its exposure to threats? Kark and his colleagues at Forrester provided some common-sense advice.

The report recommended investing in security personnel, better management of processes, and investment in technology, but within certain parameters. The authors said organizations should not increase security staffing indiscriminately, and should instead focus on high-risk areas. One of these includes increased focus on application security issues.

And whereas the group from Forrester touted increased investment in security technology, it acknowledged that “security technology vendors in general have overpromised and underdelivered”. Instead they advocated for a layered security defense that does not rely on any one particular technology to address a single risk area.
