In 2014, several high-profile breaches, including those of Sony, JPMorgan Chase and Apple iCloud accounts, made news around the world. It is clear that the magnitude of security-related challenges is on the rise and that enterprises can’t afford to ignore the new-age cyber threats.
By Pupul Dutta
If we extrapolate from the trends of 2014, we reach the conclusion that 2015 will see its share of high-profile cases of cyber crime. Hackers are expected to launch attacks on big and small organisations, and they will probably succeed in breaking into the systems of a few of their targets. The threats are growing extremely complex in nature.
At times the enterprise that seems to have been targeted is not actually the real target; rather, it is the vehicle for launching further attacks. But even if the enterprise is not the final target, its reputation gets marred when news of the breach gets out. Customers of the enterprise start feeling insecure about the security of the data they have handed over to it, and they begin to look for alternative solutions.
Even the simplest of errors can lead to severe financial loss, and the reputational loss is even greater. CISOs are now recommending tighter security policies and better awareness for dealing with such complicated threats. The enterprise security market is being driven by two major thrust areas – protection and compliance. In the past few years, we have seen both of these growing in number and complexity.
Businesses have to ensure that the controls and processes are in place so that they can comply with regulations. These controls can be achieved through the use of security toolsets that address the complex IT landscape of enterprise customers.
According to Gartner, the security market in India grew from $882 million in 2013 to $953 million in 2014, and is expected to cross $1.06 billion in 2015. With the emergence of new disruptive technologies such as cloud, mobility, virtualization, Big Data and social media, the enterprise security market in India has seen a considerable and consistent growth over the last few years.
Security market
The Indian IT security market can be bifurcated into the Network Security Appliance Market and Software Security Market. According to IDC, the Network Security Appliance market is worth approximately $229 million (customer revenue) for 2014 and is expected to have a growth rate of 10% in 2015. The Software Security Market, on the other hand, is worth around $154 million in 2014 (vendor revenue) and is expected to have a growth rate of close to 15% in 2015.
There are many factors driving the security market. One is the rapid expansion and growth of enterprises, which has resulted in exponential growth of the IT infrastructure that needs to be secured, as compared to the last two decades. A second is the increase in local and international regulatory and compliance requirements. Lastly, the increasing frequency, sophistication and variety of attacks, in terms of both capability and scalability, is steering the growth.
“While everything gets connected and the Internet of Things becomes a reality, the number of endpoints is becoming endless and diverse, thereby providing limitless attack vectors that need to be addressed (both for device-level security and as an access point).
Also, virtual attacks spanning multiple geographies are becoming possible and real in today’s world,” explains Gaurav Sharma, Research Manager-Enterprise, IDC India.
Evolving threat scenario
For many years, cyber-criminal gangs focused exclusively on stealing money from end users. An explosion of credit card theft, hijacking of electronic payment accounts or online banking connections led to consumer losses to the tune of hundreds of millions of dollars. Maybe this market is no longer so lucrative, or probably the cyber criminal market is overcrowded. It now seems like there is a struggle being waged for ‘survival’. And, as usual, that struggle is leading to evolution.
The massive rise in the usage of social media and the proliferation of enterprise mobility have made enterprises more vulnerable than ever. Today users can access any kind of data from anywhere. The fast adoption of BYOD and cloud is accelerating this trend and providing new directions of attack. The use of smartphones, tablets or next-generation notebooks by employees to connect to corporate networks puts corporate data outside the company’s direct ‘sphere of influence’.
There was a time when attackers would use a backdoor entry to barge into a corporate network and siphon terabytes of information to FTP servers. Today however, more sophisticated groups use SSL on a regular basis alongside custom communication protocols.
“Some of the more advanced groups rely on backdooring networking devices and intercepting traffic directly for commands. Other techniques we have seen include exfiltration of data to cloud services, for instance via the WebDAV protocol (facilitates collaboration between users in editing and managing documents and files stored on web servers),” explains Altaf Halde, Managing Director, Kaspersky Lab - South Asia.
“It is due to such attacks that many corporations have banned public cloud services such as Dropbox from their networks. But one needs to understand that this also remains an effective method of bypassing intrusion detection systems and DNS blacklists,” adds Halde.
Lastly, targeting hotel networks is the new norm. It is not easy to crack a hotel’s network; however, compromising a hotel reservation system is an easy way to conduct a reconnaissance mission against a particular target. By launching this kind of attack, the hackers can follow the victim, and they also gain the ability to launch a physical attack, like the one launched in Mumbai in 2008.
The Darkhotel group, an APT actor, is known to have targeted specific visitors during their stay in hotels in certain countries. Basically, hotels are known to provide a good base for cyber terrorists to attack certain categories of people, such as company executives, etc. Targeting hotels is also highly lucrative because it provides intelligence about the movements of high profile individuals around the world.
Tackling the threat
For years, the IT industry talked about emerging technologies such as cloud computing, mobile computing and social networking. With this increased openness and the storage of data far outside the four walls of the organisation came greater threats to information security.
A unified approach to security, installing security on virtual devices/solutions in combination with traditional methods, is one way of dealing with the ever-rising threat. Also, regular data integrity or log checks and reviews keep CISOs informed about what kind of data is coming into and going out of the organisation.
Companies should also ensure that there is encryption at all levels, even at endpoints or on personal devices if these are used for official purposes. Secondly, following strict industry standards and best practices helps in avoiding known forms of attack or data leakage, loss or theft. Organisations need to educate their employees on all types of possible attacks, and make them aware that even the tiniest mistake could lead to a disaster.
“Recently, the e-commerce website eBay was attacked. The employee credentials were obtained through a phishing attack and used to steal financial data of millions of customers. To avoid this kind of situation, use of techniques like filtering and web access control should be followed. While the threats can’t be completely dealt with, one can always minimise the attacks,” says Sharma of IDC.
Spike in MitB attacks
There has been a spike in MitB (man-in-the-browser) attacks. Embedded in seemingly innocuous pop-up ads, MitB Trojans are automatically launched when users click an infected pop-up. Research reports indicate that nearly 94% of customer networks observed in 2014 have traffic to websites that host malware. Many malware families like Palevo, SpyEye and Zeus have been found to incorporate MitB functionality. The most efficient countermeasure against MitB attacks is out-of-band transaction verification, in which the transaction details are sent to the consumer along with the OTP. On the enterprise side, it includes the adoption of fraud detection based on user behaviour profiling.
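An added illustration (not from the article or any vendor named in it) of the out-of-band transaction verification described above: the bank derives the OTP from the transaction details it received, sends those details and the OTP over a separate channel such as SMS, and on confirmation recomputes the OTP over whatever the browser submits. A MitB Trojan that rewrites the beneficiary or amount in the browser either shows up in the SMS text or causes the OTP check to fail. Key, account numbers and amounts are constructed demo values.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed demo secret (hypothetical); a real bank would keep this in an HSM.
SERVER_KEY = b"constructed-demo-key"


def transaction_otp(key: bytes, account: str, amount_paise: int, nonce: str) -> str:
    """6-digit OTP bound to the transaction details via HMAC-SHA256 (HOTP-style truncation)."""
    msg = f"{account}|{amount_paise}|{nonce}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


class OutOfBandVerifier:
    """Bank side: issue an OTP tied to the received details, verify it on confirmation."""

    def __init__(self, key: bytes):
        self.key = key
        self.pending = {}  # txn_id -> (account, amount_paise, nonce)

    def initiate(self, txn_id: str, account: str, amount_paise: int) -> str:
        nonce = secrets.token_hex(8)
        self.pending[txn_id] = (account, amount_paise, nonce)
        otp = transaction_otp(self.key, account, amount_paise, nonce)
        # The out-of-band message repeats the details so the customer can spot
        # a transaction that was altered in the browser before it reached the bank.
        return f"Pay INR {amount_paise / 100:.2f} to {account}? OTP {otp}"

    def confirm(self, txn_id: str, account: str, amount_paise: int, otp: str) -> bool:
        entry = self.pending.pop(txn_id, None)  # one attempt per issued OTP
        if entry is None:
            return False
        nonce = entry[2]
        # Recompute over the details in the confirmation request: if a MitB Trojan
        # rewrote account or amount after the OTP was issued, the codes no longer match.
        expected = transaction_otp(self.key, account, amount_paise, nonce)
        return hmac.compare_digest(expected, otp)


def customer_accepts(sms: str, intended_account: str, intended_amount_paise: int) -> bool:
    """Consumer side: only type the OTP in if the SMS shows exactly what was intended."""
    return f"INR {intended_amount_paise / 100:.2f} to {intended_account}?" in sms
```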
Given that Internet access is pervasive in all organisations, cyber attackers usually exploit a person’s online behaviour to deliver malware and carry out malicious activities. The worrying part is that seemingly innocuous and valid websites can display this kind of behaviour. This makes it very difficult for the end user to figure out whether the use of a website is for a legitimate business purpose. While user awareness will help here to some extent, the rate at which such attacks are happening and changing is very fast. “The best way to tackle such a scenario is to opt for a secure web-gateway solution. Here too the cloud-based option is the best bet, as it will cover all grounds including road-warriors and provide a platform for consistent and uniform policy enforcement,” says Rishikesh Kamat, General Manager, Product Development & Marketing, Netmagic.
In addition to this, companies should ensure there is secure encryption, authentication and access control from unmanaged devices to the gateway. This will ensure that any DNS resolution to malware sites that host MitB Trojans is contained. “It is imperative that the right technology is embedded into the security architecture that minimises the risk associated with MITM breaches, with minimal human involvement,” explains Prasenjit Saha, CEO, Infrastructure Management Services and Security Business, Happiest Minds Technologies.
Security & Convergence
The world is changing rapidly and so is the way we communicate. People now have access to unprecedented volumes of data 24×7. Internet penetration too is increasing, with a growth rate of about 26% year-on-year coupled with a boom in demand for smartphones. According to Canalys, a global technology research firm, the mobile device market is expected to reach 2.6 billion units by 2016.
With this, managing the influx of devices and traffic has become increasingly difficult and complex for IT departments. Additionally, the rapid adoption of business applications such as voice-over-Wi-Fi clients means more comprehensive orchestration is needed, requiring granular policy and performance management to ensure that key applications are secured and optimised.
“Big Data, cloud, mobility and security are all mega forces, which CIOs today are having to tackle. Companies are struggling to keep pace with the increasing volume and sophistication of cyber-attacks, particularly those aimed at web applications and high-value traffic in data centres. Customers’ needs are shifting from simple connectivity to very sophisticated, large-scale networks, cloud ecosystems and High-IQ networks. In order to address the changing threat scenario, we must focus on delivering new and innovative solutions,” explains Sajan Paul, Director Systems Engineering, India & SAARC, Juniper Networks.
In addition to formulating a strong security framework, businesses and consumers can take a few steps to better protect themselves, whether from a data breach, a targeted attack or common spam. Firstly, companies should know the kind of data that is generated within the organisation as well as that which is accessed online. “Companies need to focus on protecting the information generated and accessed within instead of focusing on protecting the device or the data center. Basically, organisations need to understand where their sensitive data resides and where it is flowing to help identify the best policies and procedures to protect it,” says Tarun Kaura, Director – Technology Sales, India, Symantec.
Besides, companies also need to authenticate access to core business applications as well as SaaS applications for external users such as partners, vendors, customers and so on. “It is important that organisations provide controlled access to users who are using different personal devices like tablets and smart phones to access and work with corporate data,” notes Sundar Ram, Vice President, Technology Sales Consulting, Oracle Corporation, Asia Pacific.
By being proactive and alert, organisations can help prevent data loss from sophisticated threats such as malware, and simple mishaps like losing a device.
Increasing security budget, a solution?
CISOs often complain that, due to a lack of sufficient budget for security, the company has had to compromise on the right set of tools for securing the infrastructure. However, this is not always true. While some CISOs feel it is important to devote a big chunk of the IT budget to security alone, others feel differently.
“The enterprises need to focus on procuring more enhanced tools to tackle advanced cyber threats. The overall spending will depend and differ from vertical to vertical; for example, sectors like BFSI, government and telecom give high priority to budget allocation for cyber security measures,” says Sanjay Deshpande, CEO and Co-Founder, Uniken.
“Traditionally, Information Security investments have always been considered a subset of technology budgets. However, there has been a paradigm shift in this mindset and most CISOs have their own budgets and run their own cost centres. Typically, Indian corporations (medium to large enterprises) are known to apportion between 30% and 40% of the overall technology spend towards information security,” says a senior official of Cox and Kings.
Information Security spending is largely based on effective forecasting, and there is no right formula for correctly arriving at a budget that will address ‘all’ information security needs. This is also largely dependent on the industry vertical and the nature of the business. Hence, organisations should decide carefully and judiciously on the amount they would like to devote solely to securing the infrastructure of the business.
Predictions for 2015
According to a study from the RAND Corporation and Juniper Networks, hacker black markets have reached a significant level of maturity. In 2015, we are likely to see the continued expansion and maturity of hacker black markets. Fuelled by the continued vulnerability of point of sale systems and an influx of cloud services, the market opportunity for economically motivated attackers will continue to grow. The hacker black market is similar to a thriving metropolitan city with diverse communities, industries and interactions.
A shift in focus from containment to prevention is expected, driven by the increasing monetary consequences of an incident. Real-time data (and trend) analysis and intelligence will become key to securing infrastructure and, in turn, the organisations as well. According to IDC, it is foreseen that CISOs, in the longer run, will start reporting to CEOs directly. Today they mostly report to CIOs.
“Security too, would be tightly embedded in the applications/devices at all levels. Biometric identification and authentication will be closer to everyone than ever before,” says Sharma of IDC.
Data integrity is expected to take the centre stage as well since data manipulation will affect organisations in the same way as data theft, if not more.
At the same time, there will be a rise in malware, social (media) and access-based attacks.
Lastly, identity and access management, along with offline encryption and multi-factor authentication, will see wider adoption. Basically, it is foreseen that the trends will be driven by the hyper-connected nature of new-age technology, as well as the growing sophistication of security threats. Cloud, BYOD and IoT-related technologies are likely to create new weak links in security infrastructure as most business functions, including security, become IT-dependent. Cyber security will become a hot topic in boardroom discussions.