Types of Attacks Have Changed
The types of attacks have also changed, as last year was the first time there were so many "stepping stone" attacks, said Coviello, referring to incidents where an organization was breached to steal information that could be used to launch a more complex and potentially more rewarding attack.Coviello hopes that the increasing number of attacks will strengthen the sense of urgency within the industry to work on methods to improve organization defenses. In addition, the trinity of emerging technologiesmobile, software as a service (SaaS) and hybrid cloud adoptionis exacerbating the security situation. These new trends are "transformative," but because they open up the attack layer, it becomes even more challenging for IT departments to keep their employees and systems secure. It's unprecedented that employees and consumers are adopting emerging applications and technology faster than governments and enterprises can absorb them, said Coviello. It's no longer possible to separate the digital world from the physical, nor work life from personal. People have gotten so used to being able to do things online and have easy access to powerful machines that they are not willing to wait for IT to catch up. IT has to learn to manage what they can't control, and security organizations have to learn how to secure what they can't control, said Coviello. Cyber-adversaries are better at planning attacks and much faster at launching campaigns than IT teams are at detecting and blocking them. They are exploiting the gaps in a security that is a result of an increasingly hyper-connected infrastructure, he said. The industry has to move away from worrying about the network perimeter to keep threats out because the attackers can "outflank" the network perimeter. "The network will be penetrated. We should not be surprised," said Coviello. "You can't always get what you want," he added. People would like a world with no risk. No auto accidents, no stock market crashes, no cyber-attacks. Since that isn't realistic, people look for ways to reduce risk so that "smart people" can make "prudent decisions" to keep the systems and data secure. Coviello is optimistic, despite the challenges facing the information security industry: "If you try, you might find what you need."
The SecurID breach was one such attack, as there is evidence the attackers used the stolen information to launch attacks against Lockheed Martin, a defense contractor. The attacks against certificate authorities, such as the one against DigiNotar, a Dutch certificate authority, is another, as the perpetrators were focused on stealing security certificates that could be used to masquerade as legitimate Websites.