A recent Lancope survey, provided to Infosecurity, has revealed that nearly two-thirds of organizations believe that they have not experienced any security incidents over the last 12-18 months, or are unsure whether they have or not.
Given what forensic investigations routinely uncover once an organization actually looks, it is highly unlikely that so few have been breached.
“Any system you connect to the internet is going to be targeted by attackers very quickly thereafter”, said Lancope’s director of security research, Tom Cross. “I would assert that if you’re unsure whether or not your organization has had a security incident, the chances are very high that the answer is yes.”
He added, “Every organization needs to know whether or not they’ve been subject to a security breach, and if companies believe they have not, the question may be are they really aware of everything that is happening on their networks.”
Unlike stealthy APTs and insider threats, some attacks are overt, and Lancope found that businesses were willing to admit to those: 18% of respondents said they had suffered a malware infection over the last year and a half, and 16% said they had been the victim of distributed denial-of-service (DDoS) attacks.
But Cross noted that these are fairly in-your-face attacks that are virtually impossible to ignore.
“DDoS will break your infrastructure, which an organization would hopefully know about pretty quickly. Similarly, malware is relatively easy to detect, as your antivirus software will often find it on your network,” he said.
In contrast, because they don’t typically use common attack methods, and often employ authorized network access to get the job done, insider threats and APTs are more difficult to detect. Targeted, external attackers in particular use sophisticated methods to infiltrate a network, and go to great lengths to conceal their activity. Organizations can be victims of an APT attack for months or even years before becoming aware of it, the research noted.
“A false sense of security may be a product of some of the security tools that organizations are relying on,” said Cross. “A traditional approach to protecting enterprise networks involves the use of commercial, endpoint antivirus software, coupled with perimeter defenses such as network intrusion prevention systems (IPS) that are designed to detect known attacks. The fact is that attackers know this formula – they test their malware against commercial security solutions before distributing it, making sure that it will not be detected.”
Insider threat activity can also be difficult to differentiate from legitimate network transactions and is often not detected by signature-based security systems that are designed to identify malware and the use of software exploits. Using valid credentials and authorized access, insiders can easily sabotage IT resources or steal confidential data. Even insiders without malicious intent can be a threat if their actions are negligent or if their machines are compromised.
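The two preceding paragraphs make a detection argument: an insider or a targeted attacker using valid credentials over authorized ports leaves nothing for a signature-based IPS to match, so the evidence has to come from a deviation in behaviour instead. The following is an added example, not code from the article or from Lancope, that runs both kinds of logic over a handful of constructed flow records (the users, hosts, byte counts and "bad host" list are all invented): a signature check against known-bad hosts and ports finds nothing, while a per-user baseline of daily bytes out and previously seen destinations flags the credentialed exfiltration.

```python
"""Signature matching versus a per-user behavioural baseline over flow records.
Added example; all records, hosts and threat-list entries below are constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records, roughly what a NetFlow collector exports:
# (day, user, dst_host, dst_port, bytes_out). Hosts use documentation ranges.
FLOWS = [
    # days 1-5: alice's normal pattern, internal file server plus a SaaS host
    (1, "alice", "10.0.5.20", 445, 30_000_000), (1, "alice", "198.51.100.40", 443, 5_000_000),
    (2, "alice", "10.0.5.20", 445, 28_000_000), (2, "alice", "198.51.100.40", 443, 6_000_000),
    (3, "alice", "10.0.5.20", 445, 35_000_000), (3, "alice", "198.51.100.40", 443, 4_000_000),
    (4, "alice", "10.0.5.20", 445, 31_000_000), (4, "alice", "198.51.100.40", 443, 7_000_000),
    (5, "alice", "10.0.5.20", 445, 29_000_000), (5, "alice", "198.51.100.40", 443, 5_500_000),
    # days 1-5: bob only ever talks to the file server
    (1, "bob", "10.0.5.20", 445, 10_000_000), (2, "bob", "10.0.5.20", 445, 12_000_000),
    (3, "bob", "10.0.5.20", 445, 11_000_000), (4, "bob", "10.0.5.20", 445, 13_000_000),
    (5, "bob", "10.0.5.20", 445, 10_000_000),
    # day 6: alice, valid credentials, authorized port 443, but a never-seen host and 900 MB out
    (6, "alice", "10.0.5.20", 445, 32_000_000),
    (6, "alice", "198.51.100.77", 443, 900_000_000),
    # day 6: bob unchanged
    (6, "bob", "10.0.5.20", 445, 12_000_000),
]

# Constructed threat list of the kind an IPS or AV feed carries: known C2 hosts and ports.
BAD_HOSTS = {"203.0.113.50"}
BAD_PORTS = {4444, 6667}


def signature_hits(flows):
    """What a signature-based control sees: only flows touching a known-bad indicator."""
    return [f for f in flows if f[2] in BAD_HOSTS or f[3] in BAD_PORTS]


def daily_bytes(flows):
    """Total bytes out per (user, day)."""
    totals = defaultdict(int)
    for day, user, _host, _port, nbytes in flows:
        totals[(user, day)] += nbytes
    return totals


def baseline_anomalies(flows, baseline_days, z_threshold=3.0):
    """Flag any non-baseline day on which a user's bytes out deviate from that user's
    own history by more than z_threshold standard deviations, or on which the user
    contacts a destination never seen during the baseline period."""
    totals = daily_bytes(flows)
    seen_hosts = defaultdict(set)
    for day, user, host, _port, _nbytes in flows:
        if day in baseline_days:
            seen_hosts[user].add(host)

    alerts = []
    for user in sorted({f[1] for f in flows}):
        history = [totals[(user, d)] for d in baseline_days if (user, d) in totals]
        if len(history) < 2:
            continue  # not enough history to baseline this user
        mu, sigma = mean(history), pstdev(history)
        for (u, day), total in sorted(totals.items()):
            if u != user or day in baseline_days:
                continue
            # A flat history (sigma == 0) makes any increase infinitely anomalous.
            z = (total - mu) / sigma if sigma else (float("inf") if total > mu else 0.0)
            day_hosts = {f[2] for f in flows if f[1] == user and f[0] == day}
            new_hosts = sorted(day_hosts - seen_hosts[user])
            if z > z_threshold or new_hosts:
                alerts.append({"user": user, "day": day, "bytes_out": total,
                               "z": round(z, 1), "new_hosts": new_hosts})
    return alerts


if __name__ == "__main__":
    print("signature hits:", signature_hits(FLOWS))          # nothing matches
    for alert in baseline_anomalies(FLOWS, baseline_days=range(1, 6)):
        print("baseline alert:", alert)                         # alice, day 6
```

The signature pass returns an empty list because nothing in the day-6 traffic is on a threat list: the credentials are real and 443 is allowed everywhere. The baseline pass flags alice on day 6 on two independent grounds, a byte count hundreds of standard deviations above her own five-day average and a destination she had never contacted before, while bob's slightly higher day-6 total stays well inside his normal range. In production the baseline window would be weeks rather than five days, and the thresholds would be tuned per role, but the shape of the logic is the same.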
Another indication of the denial issue is the fact that 38% of respondents said that they experienced absolutely no impact from recent security incidents. According to Cross, this is definitely inaccurate. “Even the most basic malware infection has some financial cost to the organization, even if it’s just the cost to clean infected machines,” he said.
Then there are the costs associated with addressing the original security deficiencies that caused the infection, or in extreme cases, dealing with the financial repercussions associated with data loss, customer distrust, regulatory fines and the list goes on.
One quarter (25%) of respondents did admit to suffering reputational damage from a security breach, while roughly 20% said that they had experienced financial loss. According to Cross, “cost should be relatively contained if an organization has a solid incident response and management program in place and can quickly identify which systems have been compromised.”
“Organizations need to make sure that, when faced with the inevitable, they can identify an incident as quickly as possible, and that they have a detailed plan for how to respond that is both efficient and effective,” said Cross. “How quickly an organization identifies a breach, understands its scope, and can recover business operations has a huge impact on the overall cost of security incidents. With new attacks making headlines on a nearly weekly basis, it’s time for organizations to take a more strategic, holistic approach when it comes to network security.”