The British Government has put cybercrime at seventeen billion pounds per year in the United Kingdom (UK), and it includes industrial espionage in its list of criminal activities. Shortly before the British report was released, Renault, the French automaker, revealed it had been targeted in an industrial espionage attack involving a senior insider stealing trade secrets for an unnamed foreign organization. Industrial espionage? Co-option of trusted insiders? How 1960’s. True, but the success of the attacks speaks for itself; the notion that such low-tech but effective strategies still work (routinely) is startling.
Social engineering is another well-worn but quite successful attack methodology that requires no James Bond-class gadgets or high-tech gizmos to inflict significant losses on the targeted victims. You can get rich if you’re skillful; it’s a sad reality.
All of this points to a lack of appreciation of the threats, their skill, their effectiveness and their ability to strike virtually at will. A successful attack requires an accessible vulnerability to exploit. The existence of an undefined, but large, number of accessible vulnerabilities demands that security managers and risk officers recalibrate their radars to identify the active threats and manage the risks they bring with them.
While the old threats continue their various activities, newer threats continue to appear. The Stuxnet worm is a very serious threat based on its sophistication, its lethality, and the involved scenario used in its attack. Such a complex attack isn’t supposed to work; it should get tripped up in its own complexity. But it does work, including infecting multiple disparate hosts and requiring several exploitable vulnerabilities to all exist at the right places and times. Really, it is quite amazing. At the same time, new versions of the Zeus virus are appearing, intent on recording user keystrokes as they log onto their online banks and other financial institutions. Zeus is not in Stuxnet’s league, but it doesn’t have to be; it is reported to be very good at what it does. Malware has been around since the Morris worm in the mid-1980’s. It should be well past its prime, but innovation has kept it going and growing as a source of serious damage.
The need to understand and deal with risks is basic doctrine, yet it is obvious too many organizations do neither. The simple fact that technically unsophisticated attacks are so successful speaks volumes.
Of course, not everyone ignores risk. Protection requirements are advancing, particularly the PCI DSS and some statutory requirements. Compliance efforts are neither easy nor cheap and, based on the headlines, they are not always 100% effective, but that is the nature of risk management. SQL injection attacks have replaced the nuisance of buffer overflow attacks, and hopefully measures to eliminate the vulnerabilities exploited by SQL injection will force development of more advanced strategies that will take time to perfect. During that time, new protection measures can be developed and deployed.