I am back in business after a short vacation period (now and then it happens!), just in time to publish the second Cyber Attack timeline of March (the first one is here), which confirms the growing trend we have been experiencing in 2015.
Two weeks packed with events, started in the worst possible way, with the massive cyber attack against Premera Blue Cross (11 million customers affected), and continued with the same baffling trend, since the list of organizations targeted by massive breaches, includes other primary companies such as British Airways, Slack and Twitch (an Amazon-owned game video streaming service).
Two weeks that also saw a sustained DDoS attack against GitHub, the discovery of several campaigns (Operation Woolen-Goldfish, the Trojan.Loziak malware targeting oil and gas companies, and the Volatile Cedar campaign originating in Lebanon), and also an official statement issued by the South Korean government, blaming North Korea for the network intrusions that stole data from Korea Hydro and Nuclear Power (KHNP).
In background, the usual sea of smaller events driven by hacktivism or cybercrime.
If you want to have an idea of how fragile our electronic identity is inside the cyberspace, have a look at the timelines of the main Cyber Attacks in 2011, 2012, 2013, 2014 and now 2015 (regularly updated). You may also want to have a look at the Cyber Attack Statistics, and follow @paulsparrows on Twitter for the latest updates.
Also, feel free to submit remarkable incidents that in your opinion deserve to be included in the timelines (and charts).
In a certain sense one might say that it could be quite easy for Checkpoint to make predictions at this point of the year considered that we are in the middle of 2011 (and truthful predictions should already come true), but this is not my point of interest. My point of interest is the fact that, in my prevision evaluation of security predictions for 2011 (we were in December 2010), I was a little bit disappointed for the fact that it had not been possible to compare Check Point, a landmark in Network Security, with the other vendors since at that time it did not release any prediction for the current year. The perspective of this vendor, focused on network security, is a really interesting complement to the landscape (that is unifying endpoint, network and cloud security), since Check Point is considered the pioneer of modern firewall, as well as inventor of the stateful inspection technology, the foundation of network protection.
According to John Vecchi, head of product marketing for Check Point, the following areas will be on the radars and agendas of CISOs worldwide
- Virtualization and the cloud: according to him, the challenges associated with this trend include lack of skills in the security team, cost of new solutions and regulatory issues. To these challenges I would also add fragmentation of Cloud Environments which need powerful tools to normalize, securize and manage such environments. As a matter of fact we are experiencing the proliferation of Hypervisors, operating systems, services and application that must forcefully coexist each other on the same environment;
- IT consumerization: Tablets and Smartphones are becoming inseparable companions of Organizations and Enterprises, but, although they are breaking the line between personal and professional life, they have not been natively conceived for a professional usage, and this paves the way to new threats that need to be faced. According to the Israeli company 30% of enterprises are implementing tablet computers and by 2013, we will see a 100% increase in smartphone usage. Meanwhile, according to Juniper Networks, Android Malware increases 4 times faster…
- Consolidation and complexity in security. According to Check Point there is a huge trend to converge and unify information security technologies. This challenge is not a surprise: the company is well known among security professionals for the completeness of its management framework and the consolidation (of vendors and technologies) is a well consolidated trend in market, vendors and technologies;
- Web 2.0 and social media: this is another consolidated trend whose last (and more relevant) example is the affair of Primoris Era and the consequent risks of social espionage or social (media) engineering which can have a devastating impact for the Enterprises. But this is not the only risks: due to their six degrees of separations: social networks are a powerful (and reliable) mean to spread infections. In my opinion, this challenge is strictly related to IT consumerisation (as mobile technologies, social media is an example of consumer technologies which rapidly spread into Enterprise), and Enterprises are generally not prepared to face similar threats, which are increasingly pushing the users to cross the boundaries which separate personal and professional usage of their working tools. In both cases, in my opinion, the possible countermeasures are similar: not only technology but (most of all) education for users who should be made aware of risks deriving from crossing that line: would you ever store the last financial plan in the same computer when your son chats, surfs the web or share his life on Facebook? Why should you do on the same phone or tablet where you share your life (without considering the fact that data are continuously sent to Apple, Google and so on…).
- Data security and data loss: according to Check Point, $7.2m is the average cost of a data breach in 2011. USBs and laptops, corporate email and web mail are the largest sources of data ,loss. Agreeable security challenge, but too easy after the affair of Wikileaks.
- Threat landscape: according to Check Point, this can be broken down into two motives: Crime and profit, and Cyber-warfare and hacktivists. The biggest recent threats include stuxnet, operation aurora (belonging to the second category), and zeus zbot (belonging to the first). These are the so called Advanced Persistent Threats that are increasingly used not as “exercises of style” but as real weapons for fighting wars on the virtual battlefields or stealing money.
The last predictions have little to deal with security (in the sense that they are general concepts) but are worthwhile to be mentioned as well:
- Governance, risk and compliance: according to Check Point Governance and compliance has the greatest influence on the information security programme for 60% of companies. In my opinion this challenge goes in the same direction of consolidation and complexity in security which need unified management whose role, definitively is just to enforce the policy (at least this is my model);
- Cost-saving IT and Green IT: the latter two are strictly joined (and in a certain sense also joined with Cloud and virtualization). IT has always been considered an enabler: but probably in the current complicated situation it is not enough and IT must also support the enterprise to control costs (and moreover in this scenario information security must be a business process).
After analyzing Check Point’s Top Threats I enjoyed in comparing them with the available predictions of other vendors. Of course I had to do some assumptions, that is: I mapped the “Threat Landscape” to Advanced Persistent Threat, “IT Consumerization to Mobile”, and “Data Security and Data Loss” to Removable Media.
The results are represented in the following table:
Checkpoint confirms the mobile as the Top Threat for 2011 (as done, in total, by 6 of the 7 examined vendors, the only excluded, Kaspersky, simply put the mobile as a top threat for 2010). Similarly, Advanced Persistent Threats gained the preference of 5 vendors of the 7 examined, including Check Point, as Social Media did. Curiously, as far as Cloud and Virtualization are concerned, Checkpoint’s Top Challenge is similar to the one provided by Symantec (and Trend Micro): I would have expected more vendors addressing the Cloud and Virtualization as a key concern for the 2011 (and the examples of Epsilon, Amazon and Sony are particularly meaningful of the level of attention deserved by this technology).
On Facing the 2011 Top Security Challenges, particolarly meaningful for Check Point is the role played by the unified management technologies. This is not surprising since, on one hand, vendors and technologies are converging and consolidating themselves in few vendors with a multi-domain porfolio (the ast firm in order of example is Sophos with the acquistion of Astaro); on the other hand Check Point management technologies are considered the state-of-the-art for a unified management framework.
- Some Random Thoughts On The Security Market (paulsparrows.wordpress.com)
- What do RSA, Epsilon and Sony breaches have in common? (paulsparrows.wordpress.com)
The intention by UK-headquartered company Sophos to acquire Astaro, the privately-held security company co-headquartered in Karlsruhe, Germany and Wilmington, Massachusetts (USA) is simply the last effect of the process of vendor consolidation acting in the information security market. It is also the trigger for some random thoughts…
In the last two years a profound transformation of the market is in place, which has seen the birth (and subsequent growth) of several giants security vendors, which has been capable of gathering under their protective wings the different areas of information security.
The security model is rapidly converging toward a framework which tends to collect under a unified management function, the different domains of information security, which according to my personal end-to-end model, mat be summarized as follows: Endpoint Security, Network Security, Application Security, Identity & Access Management.
- Endpoint Security including the functions of Antivirus, Personal Firewall/Network Access Control, Host IPS, DLP, Encryption. This component of the model is rapidly converging toward a single concept of endpoint including alle the types of devices: server, desktop, laptop & mobile;
- Network & Contente Security including the functions of Firewall, IPS, Web and Email Protection;
- Application Security including areas of WEB/XML/Database Firewall and (why not) proactive code analysis;
- Compliance: including the functions of assessment e verification of devce and applications security posture;
- Identity & Access Management including the functions of authentication and secure data access;
- Management including the capability to manage from a single location, with an RBAC model, all the above quoted domains.
All the major players are moving quickly toward such a unified model, starting from their traditional battlefield: some vendors, such as McAfee and Symantec, initiallty moved from the endpoint domain which is their traditional strong point. Other vendors, such as Checkpoint, Fortinet, Cisco and Juniper moved from the network filling directly with their technology, or also by mean of dedicated acquisitions or tailored strategic alliances, all the domains of the model. A further third category is composed by the “generalist” vendors which were not initially focused on Information Security, but became focused by mean of specific acquisition. This is the case of HP, IBM and Microsoft (in rigorous alphabetical order) which come from a different technological culture but are trying to become key players by mean of strategic acquisitions.
It is clear that in similar complicated market the position and the role of the smaller, vertical, players is becoming harder and harder. They may “hope” to become prey of “bigger fishes” or just to make themselves acquisitions in order to reach the “critical mass” necessary to survive.
In this scenario should be viewed the acquisition of Astaro by Sophos: from a strategical perspective Sophos resides permanently among the leaders inside the Gartner Magic quadrant but two of three companions (Symantec and Mcafee, the third is Trend Micro) are rapidly expanding toward the other domains (meanwhile McAfee has been acquired by Intel). In any case all the competitors have a significant major size if compared with Sophos, which reflects in revenues, which in FY 2010 were respectively 6.05, 2.06 and 1.04 B$, pretty much bigger than Sophos, whose revenues in FY 2010 were approximately 260 M$, about one fourth of the smaller between the three above (Trend Micro which is, like Sophos, a privately-owned company).
In perspective the acquisition may be also more appealing and interesting for Astaro, which is considered one of the most visionary players in the UTM arena with a primary role in the European market. Its position with respect to the competition is also more complicated since the main competitors are firms such as Fortinet, Check Point and Sonicwall which all have much greater size (as an example Checkpoint revenues were about 1.13 B $ in FY 2010 which sound impressive if compared with the 56 M $ made by Astaro in the Same Fiscal Year).
In this scenario, the combined company aims to head for $500 million in 2012.
Last but not least both companies are based in Europe (respectively in England and Germany) and could rely on an US Headquarter in Massachusetts.
From a technological perspective, the two vendors are complementary, and the strategy of the acquisition is well summarized by the following phrase contained in the Acquisition FAQ:
Our strategy is to provide complete data and threat protection for IT, regardless of device type, user location, or network boundaries. Today, we [Sophos] offer solutions for endpoint security, data protection, and email and web security gateways. The combination of Sophos and Astaro can deliver a next generation set of endpoint and network security solutions to better meet growing customer needs […]. With the addition of Astaro’s network security, we will be the first provider to deliver truly coordinated threat protection, data protection and policy from any endpoint to any network boundary.
Sophos lacks of a network security solution in its portfolio, and the technology from Astaro could easily fill the gap. On the other hand, Astaro does not own an home-built antivirus technology for its products (so far it uses ClamAV and Avira engines to offer a double layer of protection), and the adoption of Sophos technologies (considered one of the best OEM Antivirus engine) could be ideal for its portfolio of UTM solutsions.
Moreover the two technologies fit well among themselves to build an end-to-end security model: as a matter of fact Information security is breaking the boundary between endpoint and network (as the threats already did). Being obliged to adapt themselves to the new blended threats, which often uses old traditional methods to exploit 0-day vulnerabilities on the Endpoint, some technologies like Intrusion prevention, DLP and Network Access Control, are typically cross among different elements of the infrastructure, and this explains the rush of several players (as Sophos did in this circumstance) to enrich their security portfolio with solutions capable of covering all the information Security Domains.
Just to have an idea, try to have a look to some acquisitions made by the main security players in the last years (sorry for the Italian comments). Meanwghile the other lonely dancers (that is the companies currently facing the market on their own), are advised…
- Sophos to acquire Astaro – some reactions (nakedsecurity.sophos.com)
- Sophos Acquires Internet Security Appliance Maker Astaro (techcrunch.com)
- Application Security: What’s Next? (paulsparrows.wordpress.com)
You need to give people information and transparency so that they can understand security. It’s essential to make them a part of the security process and ensure they are aware of the company security policy.
These words were told yesterday, may, the 4th 2011 on Barcelona during the Check Point Experience, by Gil Shwed, the founder and Chairman of the Information Security Vendor, for unleashing the 3D Security model of the company, a model which focuses on policy people and enforcement.
No better moment could be found for emphasizing the role of the user inside the information security process!
The dramatic events of RSA, Epsilon and Sony Data Breach are redefining the information (in)security landscape and consequently rising many questions and concerns among the security professionals for the true extent of the events. RSA tokens, whose seeds were allegedly compromised during the breach are used in more than 25.000 corporations all over the Globe. The Epsilon Data Breach involved 2% of customers: for a company which sends out over 40 billion e-mails a year on behalf of over 2,500 clients, this means millions of individuals at risk and needing to be on alert from scams and phishing for years. Last but not least Sony, for which a total of more than 100 million records were stolen during two separate waves of attack on its PlayStation Network and Qriocity Service.
Now the question is: what do Mr. Shwed’s words deal with the latter events?
Well, (too) many words have been spent so far: recalling the security concerns for cloud based services (mostly in case of Epsilon and Sony) and the role of Advanced Persistent Threats which are becoming an harmful attack vectors for Enterprises, using spear-phishing mail to overwhelm the first line of defence made by the employees. Apparently old school techniques under renewed dresses. Nevertheless there is a point which, in my opinion, has not been adequately emphasized so far, and the point is just the answer to the previous question.
Simply said the uncovered point is the role of the people in the (in)security process which led to the breach. Hopefully this is not exactly the kind of role wished by Mr. Swhed, anyway if we reverse the paradigm, the result is exactly the same: on one hand, if it is true that the individual made aware of the policy enforces the first level of security and is the core of the security process itself, it is also tue that the unaware individual is the core of the breach. This is exactly what happened in the affair of RSA and Epsilon where the people, the first line of defense of any organization, was the first line to be breached, well before the systems, and the breach in the people was the trigger for the breach in the systems as well.
RSA clearly explained this occurrence in a blog post, and the appealing subject “2011 Recruitment Plan” of the phishing e-mail, hiding a zero-day Adobe Flash vulnerability (CVE-2011-0609) embedded into an excel spreadsheet, went into the annals of Information Security. Clearly the poisoned spreadsheet injected a RAT (Remote Access Tool) used to gain privileges and move freely into the network up to the final target.
Things were not so different for Epsilon, in which individual company employees were initially targeted for email scams and used to gain access to the internal database as happened.
So far there is not evidence of a similar occurrence for Sony, however today’s Sony’s Response to the U.S. House of Representatives, written by Kazuo Hirai, Chairman of the Board of Directors of Sony Computer Entertainment America, in response to questions posed by the subcommittee members of the House Commerce Committee, in some steps closely resembles original RSA announcement.
Sony has been the victim of a very carefully planned, very professional, highly sophisticated criminal cyber attack.
And in case of RSA:
Recently, our security systems identified an extremely sophisticated cyber attack in progress being mounted against RSA.
(Not too much) curiosly the two steps are very similar, and likely the adjective sophisticated was used to emphasize an external origin of the attack aimed to exclude an internal fault and the presumable consequent fall of shares), nevertheless I could not help joining the two sentences and, presumably the two events, even if so far Sony did not show the same transparency of RSA and only few details are known.
Ultimately these events (to which I should add the Night Dragon malware), show that the new cyber-attacks are targeting users, and employees inside the Organization. Not only they targeted users to achieve the attack, but also the aftermaths will keep on targeting users for years: as a matter of facts, even if the full consequences of the RSA breach are not completely clear so far, PSN and epsilon users will presumably be the targets of a new wave of spear-phishing and spam emails (so far no news have been reported of a fraudulent use of Credit Cards Number stolen, which, according to Sony, were encrypted).
In all the cases, quoting Mr. Shwed’s words, we deduce the need for the user to be the core of the security process. The security process must shift to a level which involves policy definition, people awareness and, policy enforcement, at the device level, through an appropriate configuration, and most of all at the user level, through an appropriate education.