Cyber Security’s Biggest Threat is Decidedly Low Tech

Published Thu, Mar 8th, 2012   Matthew Weinschenk, Senior Analyst

Two weeks ago, I explained how a new threat to cyber security – the Advanced Persistent Threat – would change spending on security intensely.

Since then, a recent piece on “60 Minutes” covered the details of the Stuxnet virus, bringing the story to a wider audience.

However, Stuxnet is wildly atypical of cyber security attacks, and doesn‘t reflect the everyday cyber attack threats that will drive the cyber security boom.

The big shift from old cyber security to new cyber security stems from dealing with the advanced persistent threat, or APT. In an APT, sophisticated hackers determine a target of value and launch a focused attack to penetrate its network. This is in sharp contrast to the old type of threat that cast a wide net and preyed on a few weakly defended internet users.

Without question, Stuxnet was the most advanced and most persistent threat ever created. It passed from computer to computer via infected USB flash drives, and once inside a computer, it determined what other systems it was attached to. If it didn’t find what it was looking for, it waited for a new USB flash drive to infect, and then repeated the process for as long as possible.

The target Stuxnet was searching for was Siemens S7 PLC, an industrial controller that’s often connected to a uranium enrichment centrifuge. Specifically, it was trying to work its way into Iran’s nuclear facilities. Once Stuxnet found an Iranian centrifuge, it altered the centrifuge’s speed in a way that damaged it beyond repair.

Stuxnet was amazingly more complicated than anything that came before it. So much so that most analysts believe it could’ve only been executed by a joint effort between the United States and Israel, both of which, unsurprisingly, have remained silent about any possible involvement.

But whereas Stuxnet is exceptional, common methods are more mundane…

The New, Old-Fashioned Threat

The methods hackers use every day are low tech and fairly unexciting. The main point of entry isn’t your computer – it’s your phone.

A common tactic: Find a phone number for an employee at the target company, call them, pose as IT staff and get the employee to reveal his or her password. This is called “social engineering” and simply means convincing people to give you information that they shouldn’t.

The massive hack of RSA Security used a similar method. Hackers sent a carefully crafted email to a single RSA employee and attached an infected file called “2011 Recruitment Plan.” Once the employee took the bait and opened the file, the hackers were in. According to anonymous sources that spoke with Reuters and The New York Times,* the information stolen from RSA was used to launch attacks on Lockheed Martin, Northrup Grumman and L-3 Communications.

These attacks – not those Stuxnet represents – are the kinds of attacks that endanger our data. And it takes a new type of cyber security to stop them.

A firewall that simply tries to prevent attackers from entering the network doesn’t work, because humans – gullible and impressionable – invariably let them in.

Instead, it takes intelligent monitoring systems known as next-generation intrusion prevention systems and firewalls.

The previous intrusion detection systems looked at each “packet” of data as it came into the network and checked for signs that the data contained something malicious. Essentially, the system would check each small, discrete packet’s code against known fragments of viruses and see if there was a match.

Next-generation systems, on the other hand, look at multiple packets in relation to each other. The system is aware of the applications and typical use of the network and can spot anomalies. It can identify content, file types and more.

So passwords may forever be given out over the phone and employees might endlessly be conned into opening the wrong email attachments, but next-generation cyber-security systems make all that irrelevant. They look at how and when passwords are used, as well the broader context of any given email attachment. If anything runs afoul, the proper alerts are raised and actions carried out.

As of now, most networks have firewalls and intrusion prevention system, but very few have stepped up to next-generation levels.

Yet, the fallibility of human users in the face of the APT entails that security upgrades are inevitable. Gartner projects that spending on next-generation intrusion prevention systems and firewalls will grow 20% and 25% a year, respectively.

As an industry, cyber security will benefit immensely from the necessary spending, growing an estimated $7.2 billion over the next four years.

Nearly every security company is developing next-generation systems, including Cisco (Nasdaq: CSCO), Juniper (NYSE: JNPR), CheckPoint (Nasdaq: CHKP) and Fortinet (Nasdaq: FTNT). (They’ll all profit, but I’ve recently pointed out my favorites to readers of The WealthTronix Alert.)

Without such systems, a company’s network is only as secure as its weakest link. And its weakest link is any one of the millions of erring humans sitting at corporate computers.

Ahead of the tape,

Matthew Weinschenk

*Note: At a reader’s request, this article was corrected to reflect the source of the connection between the RSA information and the subsequent attacks on the government contractors. RSA and the other companies involved haven’t revealed the direct link, except in the case of Lockheed Martin. RSA claims that the Lockheed Martin attack was unsuccessful, and neither party has announced what information, if any, was stolen.