‘Cyber threats are mainly about money’
Frost & Sullivan point out the real malware menace: organised crime
Global market researcher Frost & Sullivan today held its Middle East Enterprise Security Summit in the UAE, which brought together executives, senior managers and department heads from a range of industries.
Representatives from sectors as diverse as banking, telecoms, government, media, manufacturing and healthcare gathered in the Habtoor Grand Beach Resort, Dubai, to listen to discussions on enterprise ICT security that included threat trends, cost impact, the changing role of the CIO and the ever-present BYOD dilemma.
"We are under attack in many ways," said Andy Baul-Lewis, director, ICT Practice, Frost & Sullivan.
"There are people out there who are determined to break into our systems, steal our passwords, damage our reputations and also steal [data] in order to make money. Let's not forget that these people are active."
Middle East enterprise-level infrastructures have fallen victim to a series of summer exploits. In August Saudi Aramco suffered a 12-day disabling of tens of thousands of workstations and Qatar was hit by two major cyber incursions: LNG producer RasGas had to take its office systems offline and in early September the Al Jazeera news network's SMS alert system was compromised.
"These people are particularly active recently because of what we have seen over the past 10 years: growth in Internet use, growth in mobility and, in the past three to five years, growth in social networking and use of corporate access from multiple devices," said Baul-Lewis.
Security analysts also continue to refer to the Stuxnet worm, which "escaped" from its much-publicised attack on Iran's uranium-enrichment centrifuges and is thought to still pose a global risk to certain Siemens-based industrial control systems. This has sparked a wider discussion about the looming dangers of real-world impact from cyber threats. In mid October Kaspersky Lab founder and CEO Eugene Kaspersky confirmed on his blog that the security company would be developing its own OS to plug the holes in vulnerable ICS infrastructures.
But despite the publicity surrounding headline-making corporate attacks and espionage projects, Baul-Lewis insisted that government techno-agents and so-called hacktivists played a tiny role in the proliferation of malware. Frost & Sullivan figures show organised crime to be behind a staggering 80% of exploits, and while government agencies (17.5%), hacktivists (2%) and terrorists (0.5%) have political or military agendas, the criminal contingent is interested only in money.
"Hackers have been around for a long time, starting with very simple tools to [steal information] from companies," said Baul-Lewis.
"Then around 2010-2011 that [activity moved] on to the mobile platform and what we are seeing now is what we call APTs [advanced persistent threats]."
Baul-Lewis sketched out a map of what he termed the "APT attack cycle", a six-step process employed by cyber criminals to infiltrate an ICT resource and target the valuable information contained within.
It starts with social engineering: the email or link encountered by a user on one of the many devices they use to access the Web. Next comes the compromising of the device through the unwitting behaviour of the user. The exploit will then wait for an opportunity to copy itself to another node, such as a network-connected PC or a server. Once it resides in an enterprise environment the malware will use administrative data and inbuilt heuristics to target the most valuable user or resource and will then extract data (private or corporate), sending it to a remote host. The last step of the cycle is to maintain the attack, including the propagation cycle. The entire process can take weeks, or even months, but if successful, such attacks can net massive financial rewards for the cyber criminal.
"We are seeing significant growth in costs, not only on hardware and software [to protect against cyber incursions], but also in the recovery phase where systems have already [been compromised] and in the cost to brand reputation, said Baul-Lewis.