With cyber attacks becoming smarter and more relentless, business needs a three-part cyber-security defence: prevent, detect and respond, says John Bruce
From worms and viruses to data breaches, cyber attacks have evolved rapidly in the past 25 years – becoming increasingly sophisticated and tenacious. It’s been a tremendous challenge for the “good guys” – cyber-security professionals, technology vendors, law enforcement – to keep up.
At the year’s biggest cyber-security event, the RSA Conference, company president Amit Yoran delivered a powerful message: the security industry needs to change its ways.
This last year of high-profile cyber attacks served as a wake-up call: prevention and detection solutions are simply not enough. Cyber-security leaders are realising there are no technological or procedural silver bullets – if cyber attackers are skilled, determined, and well funded, they’ll get into any network.
The new goal: build resilience – learn to respond to, mitigate and move on from cyber attacks as quickly and completely as possible.
By looking at milestones in the evolution of cyber crime, we can see how threats, and security strategies, have developed. We can make informed predictions of what to expect from – and how to build resilience against – tomorrow’s cyber attacks.
1989: the first worm
In 1989, Robert Morris created the first computer worm to test the size of the internet, but the self-propagating virus spread aggressively, closing much of it down. The impact was nowhere near as devastating as it would be today – but it shaped how we managed the threat for decades.
Businesses began to invest in the first preventative security products, such as firewalls. It was cyber security’s first counter-punch – the first of many back-and-forth efforts between cyber-security professionals and their cyber-criminal adversaries.
1990s: the first viruses
From here on, viruses went, well, viral. Melissa and ILOVEYOU infected tens of millions of PCs, damaging email systems worldwide with little clear objective. Cyber vandalism on a massive scale.
These threats highlighted the human factor: how employee mistakes can damage cyber security. So the industry tried to remove the human element through technology, such as auto-updating antivirus software designed to spot the signature of the virus and prevent it from executing.
2005-07: credit card cyber attacks
The new millennium saw cyber attacks become bigger and more targeted – notably with the first serial data breach of credit card numbers. Hacker Albert Gonzalez masterminded a criminal ring that stole information from nearly 50 million cards used by customers of US retailer TJX, costing the company $256m.
Businesses realised hackers could circumvent their existing security tools and processes and operate within their networks for years. Detection solutions became a top priority.
The data involved in these breaches became more tightly regulated – requiring companies to notify authorities and compensate any parties who were harmed.
Businesses learned the dire consequences of going unprotected, and began arming themselves with more sophisticated security systems.
2014: Target, Sony and beyond
The massive recent data breaches of Target, Sony and others demonstrated that today’s cyber-threat landscape has evolved to staggering new heights:
- Cyber criminals are more sophisticated than ever before, with organised criminal groups and even nation states driving cyber attacks on businesses
- More than money is at risk: intellectual property, company reputation and executive jobs were lost in the fall-out at Target and Sony
- Flying under the radar is no longer an option. Target and Sony were both relentlessly targeted for financial and political purposes
In these breaches, existing prevention and detection tools were bound to fail – but some wondered if a stronger response could’ve prevented the breaches from becoming catastrophes.
Now: the age of incident response
Prevention and detection alone are insufficient for dealing with cyber crime. In this new era, incident response is the third leg of the security stool.
By focusing on responding faster and more effectively, businesses can ensure data breaches are survivable. Just as businesses have learned to live with fire, accidents and theft for centuries, companies today can learn to mitigate cyber attacks and thrive regardless.
Provision for an attack, and then practise response processes so all parties – security, executives, marketing, PR – are well prepared to respond.
By protecting valuable information and acting swiftly and effectively when it gets in harm’s way, damage – including backlash from regulators and customers – can be avoided. By building their resilience, businesses can gracefully manage cyber attacks and continue to succeed.