Is limiting damage the best hope for cybersecurity?

With forecasts of more frequent, sophisticated and targeted attacks, government's best bet might be to limit the damage rather than trying to prevent the threats completely.

When it comes to cybersecurity, government defenses tend to be measured against broad threats such as cyberespionage and possible nation state attacks on the country’s critical infrastructure. As recent studies show, however, that focus may be a bit wayward.

Symantec’s 2014 Internet Security Threat Report  shows yet again why it’s the smaller, oft-used threats that likely remain the biggest problem for agencies. Those have grown in number, but also continue to evolve in response to the development of better defenses.

Spear phishing, for example, was a major problem in the past but had been seen as diminishing as other threats grew and took up more of organizations’ attention. Not so, according to Symantec, which called reports of the death of spear phishing “greatly exaggerated.” In fact, while the total number of emails used per phishing campaign decreased, along with the number of targets, the total number of campaigns almost doubled in 2013.

“This ‘low and slow’ approach (campaigns also run three times longer than those in 2012) are a sign that user awareness and protection technologies have driven spear phishers to tighten their targeting and sharpen their social engineering, Symantec said.

The even worse news? Government is in the top three targets for these kinds of attacks, the report said, with odds of 1 in 3.1 that at any given time a government employee is being subject to a phishing attack  (though, admittedly, the method they used to come up with that ratio is a little fishy!).

The rest of the Symantec report is not more hopeful, and its conclusions make for scary reading:

  • More zero-day vulnerabilities were discovered in 2013 than any other year, in fact 2013 registered more of those than the previous two years combined.
  • Ransomware attacks, where perpetrators pretend to be local law enforcement demanding payment of fake fines, grew by 500 percent in 2013 and “turned vicious.”
  • There was explosive growth of scams and malware attacks via mobile media in 2013, though the prevalence of those is still relatively low.
  • Users continue to fall for scams on social media sites, and the fear is that this behavior will have even worse consequences as the activity migrates to mobile devices.
  • Attackers are now turning to the Internet of Things. With device manufactures so far not paying much attention to security, the onus falls on the user, which surely has attackers salivating at the prospects. As Symantec said, there’ll be a huge increase in data because of the IoT, and “big data is big money.”

The latest illustration of the potential for attackers came with the revelation on April 7 of the so-called OpenSSL Heartbleed bug, a vulnerability that had existed in the OpenSSL 1.01.f standard for a couple of years but that had only recently been patched.

Some high-profile sites had apparently been open to leaking information because of the bug, including the FBI’s main site. OpenSSL is a widely used SSL library, and is the basis for a lot of data encryption across the Web.

Looking ahead, Symantec makes a salient point: Even though better cooperation between law enforcement and industry is making it increasingly difficult for cyber criminals to operate, this won’t make them stop. Instead, Symantec said, e-crime is likely to move toward a new and more professional model.

That’s in line with other recent reports. As this blog recently pointed out, not only are cyber criminals becoming more professionalized, the market for the attacks tools they use is also proliferating, ramping up threats posed by a profit-based, market-driven business.

It may be tempting for those in government to throw up their hands and concede defeat. How is a ponderous and slow-turning ship like the government supposed to compete against the nimble and light-footed criminal set?

The easy answer is that it can’t. There’s no way a bureaucratic and budget-constrained organization like the government, or its agencies, can compete at that level. But it can instill a mindset that will drive government responses to cybersecurity, and even that has been missing, until recently.

The champion in this case is the National Institute of Standards and Technology, a non-regulatory body that has been pushing for a risk-based framework for cybersecurity that emphasizes limiting damage from attacks rather than trying to prevent them completely.

That approach has been adopted by the Department of Homeland Security, and private industry is also increasingly taking it up. Earlier this year, the National Association of State Chief Information Officers (NASCIO) said it was adopting NIST’s framework, which “provides states with a common platform on which to base strategic security decisions, allocate resources and build defenses against both common and sophisticated attacks.”

The final leg in the stool came with the decision by the Defense Department a few weeks ago, after several years of negotiation and discussion, to adopt NIST’s risk management framework as the basis of its cyber defense. With that, there is now a common language that all levels of government and the private sector can use to define and coordinate their cybersecurity efforts.

It won’t stop cyber criminals getting into government systems, and breaches will continue. But it provides a foundation for something that could, finally, provide a resilient defense.

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.