Lloyd's Senior IT Manager Marcus Alldrick on cyber crime...

24 June 2008

Cyber crime is a key emerging risk

What are the main types of cyber-attacks and what organisations are most at risk?
 
Any organisation or individual connected to the Internet is at risk. Viruses are the best-known cyber attack and, although the number of viruses continues to increase, their impact is reducing, mainly due to better anti-virus software. Other types of attack, such as trojans (software with hidden code), have increased in prominence over the last few years with the increase of ‘key logging’, which is the recording of key strokes on a PC, for example during online banking, and can be used to steal passwords or credit card numbers.

Another key category of risk is the bot, which is short for botnet, a remote-controlled robotic malware (software designed to infiltrate or damage a computer system) that infiltrates numerous machines, typically for one of two purposes: to send out spam emails or to generate empty network packets that, when targeted at a particular network address, will flood it to the point that no other network traffic can get in or out.

Next, individuals continue to be bombarded with phishing-related emails purporting to come from their bank and other trusted parties, requesting that they enter their authentication details on a bogus site and then stealing their login details. While phishing has been around for a while and the public are much savvier, the communication used these days can often be much more convincing than it used to be.

Finally, there are the more direct hacks on individual organisations, such as TJ Maxx, which was attacked in December 2006 and had customer credit and debit card details stolen, and clothing retailer Cotton Traders, which had customers' credit card details stolen in January this year.
 
Are organisations aware of the risks that they face?
 
In general, organisations are waking up to the fact that personal information now has much greater value than they realised and are beginning to adopt a stronger security posture. However, we are seeing growing interest and concern from a range of stakeholders – regulators, legislators, shareholders, media and customers – and as a result every organisation with a high dependency on the Internet needs to work to maintain confidence in their service delivery.

The financial sector, particularly the banks, is more aware, due to the fundamental need to protect their customers’ account details. The frequency, scale and increasing sophistication of attacks are causing significant financial loss and inconvenience. As a result, these companies tend to be at the forefront of developing solutions.

Similarly, the petrochemical, pharmaceutical and manufacturing industries have adopted strong security measures to protect their information, especially their intellectual property, which would be of significant value to competitors. The telecommunications industry has adopted strong security measures to protect their networks and the customers that use their resources.

Typically, SMEs are often the least informed and therefore more susceptible to attack.

What is the difference between cyber crime and cyber terrorism?
 
The attacks are similar in nature but the motivation is different. Therefore the targets may differ. 

Cyber crime is more often than not perpetrated by organised criminals with the intent of financial gain. It is covert in nature; the longer it remains undetected, the greater the financial gain. Organised crime is now reaping such significant rewards that criminal gangs are investing more in their work which leads to a vicious circle because it generates an increase in frequency and sophistication of attacks.

There is no one definitive definition of cyber terrorism, but it is clear that it has a different aim: to cause severe disruption and harm to humans with immediate dramatic impact in support of a political, ideological or religious cause. Most cyber terrorist attacks remain unreported in the public domain for obvious reasons; reporting would help satisfy the attacker's objective, cause public unease and possibly lead to copycat or similar attacks.

The most publicised cyber terrorist attack is the concerted ‘denial of service attacks’ in April 2007 on Estonia, a country with a high adoption of Internet-based services. The motivation for the attacks was political and the intended result was mass disruption, although there was no physical harm to humans. 

Are the necessary protective measures being put in place by organisations in order to keep up with the rapid pace of technological development and adoption?
 
Many organisations are now proactively assessing and managing their risks, adapting their profile and mitigating accordingly, not only as technology changes but also reflecting organisational, cultural and regulatory/legislative change.

However, technological change presents a huge challenge. The more technology advances, the more complex it becomes, and the more exposed it becomes to vulnerabilities hidden by the complexity. What we are seeing is a greater blend of controls implemented at different levels, known as ‘defence in depth’. This involves preventative defence to stop a security breach from occurring, detective defence to identify any attempted security breach and corrective controls to minimise business impact when the attack has been successful.

What sort of action would you suggest to take if an incident occurs and what controls need to be in place?
 
Organisations should have some form of incident management framework in place, similar to how they deal with a service outage or business interruption. Without one they will at best cope and at worst fail. Key considerations are what types of attack could occur and would cause significant disruption; how quickly the incident needs to be resolved before the impact becomes unacceptable; what resources would be required to handle the incident, both human and technical; and how the incident should be reported, both internally and externally.

Collectively these will form the basis of the corrective controls required, in terms of people, plans, processes, procedures and technology. That in turn could result in new or enhanced controls, as a result of review after the event. Testing will also help to confirm your incident management capability, and while it must be borne in mind that you can never prepare for every eventuality, having a framework in place will help enormously.

How can you hope to identify what risks are out there when there are so many?

As a starting point, establish a risk profile by identifying each threat and the motivation behind it. For each threat that poses a risk to your organisation, you should assess the opportunity to an attacker, looking at vulnerabilities that an attacker could exploit and the likelihood of a successful attack. From this information you are well placed to start categorising risks, e.g. as high, medium or low, to prioritise the order of risks requiring mitigation and to decide what controls are required and at what cost. Above all, stay informed and adjust your risk profile regularly. Most security product vendors provide an ongoing analysis of issues and trends, plus there are several subscription services available providing more informed information. There's also a wealth of information available on the Internet; for example, the SANS Institute is a good place for obtaining up-to-date research information. Also don't forget the news; security breaches unsurprisingly typically hit the headlines.
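As an added illustration of the risk-profiling steps described in the answer above (this is example code, not part of the interview and not Lloyd's own method), the Python below rates constructed sample threats by likelihood and impact, categorises each as high, medium or low, orders them for mitigation and compares candidate controls by how much risk score they remove per unit of cost. The 1-to-3 rating scales, the category thresholds, the threat entries and the control costs are all assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    motivation: str          # why an attacker would pursue this threat
    vulnerabilities: tuple   # weaknesses an attacker could exploit (constructed)
    likelihood: int          # assumed 1 (unlikely) .. 3 (likely) chance of success
    impact: int              # assumed 1 (minor) .. 3 (severe) business impact

    @property
    def score(self) -> int:
        # Likelihood x impact yields a 1..9 score; the scales are assumptions.
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Control:
    name: str
    cost: int                # relative cost units (constructed)
    reduces: tuple           # names of threats whose likelihood it lowers
    by: int = 1              # likelihood points removed per covered threat


def categorise(score: int) -> str:
    """Map a likelihood x impact score onto high / medium / low (assumed thresholds)."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def prioritise(threats):
    """Order threats for mitigation: highest score first, impact breaks ties."""
    return sorted(threats, key=lambda t: (t.score, t.impact), reverse=True)


def risk_profile(threats):
    """The risk profile as rows ordered by mitigation priority."""
    return [
        {"threat": t.name, "motivation": t.motivation,
         "score": t.score, "category": categorise(t.score)}
        for t in prioritise(threats)
    ]


def score_reduction(control, threats) -> int:
    """Total risk score a control removes across the profile.

    Likelihood never drops below 1: a control lowers the chance of a
    successful attack but does not make the threat disappear.
    """
    by_name = {t.name: t for t in threats}
    total = 0
    for name in control.reduces:
        t = by_name[name]
        new_likelihood = max(1, t.likelihood - control.by)
        total += (t.likelihood - new_likelihood) * t.impact
    return total


def best_value_control(controls, threats):
    """The control delivering the most score reduction per unit of cost."""
    return max(controls, key=lambda c: score_reduction(c, threats) / c.cost)


# Constructed sample threats, using the attack types the interview describes.
SAMPLE_THREATS = (
    Threat("Virus", "disruption", ("unpatched workstations",), 3, 1),
    Threat("Trojan with key logging", "financial gain",
           ("users run untrusted downloads",), 2, 3),
    Threat("Botnet flood (denial of service)", "extortion or disruption",
           ("single Internet link",), 2, 2),
    Threat("Phishing email", "financial gain",
           ("staff and customers trust bank-styled email",), 3, 2),
    Threat("Direct hack for card data", "financial gain",
           ("card details stored unencrypted",), 1, 3),
)

# Constructed candidate controls with assumed relative costs.
SAMPLE_CONTROLS = (
    Control("Anti-virus software", 2, ("Virus", "Trojan with key logging")),
    Control("Phishing awareness training", 2, ("Phishing email",)),
    Control("Upstream traffic filtering", 3, ("Botnet flood (denial of service)",)),
)


if __name__ == "__main__":
    for row in risk_profile(SAMPLE_THREATS):
        print(f"{row['category']:6} {row['score']}  {row['threat']}")
    print("Best value control:", best_value_control(SAMPLE_CONTROLS, SAMPLE_THREATS).name)
```

With the sample data, the two high-scoring risks are the key-logging trojan and phishing; the trojan is listed first because its impact is higher, and anti-virus software comes out as the best-value control because it lowers the likelihood of two threats at once. Re-running the profile with updated ratings is the "adjust your risk profile regularly" step the answer recommends.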
 
Do we need more co-operation and if so, where?
 
Co-operation helps reduce risk for everyone involved. The banking sector approach demonstrates this; seeing security not as a competitive issue, but as a precursor to collaboration in tackling common attacks, and sharing and implementing best practice. As an insurance industry we should be increasingly working together to a similar goal, and to this end, Lloyd’s will be taking the lead by increasing its reporting on emerging risks and establishing an information protection forum of market players during the second half of 2008.



This article is provided for general information purposes only and is subject to the full terms and conditions on our website. Any policies referred to in this article will be subject to separate terms and conditions and this article should not be regarded as a substitute for referring to those terms and conditions.
Last updated on 24 Jun 2008