The threat landscape has changed dramatically according to the latest report from Forrester Research – “The New Threat Landscape: Proceed With Caution”. Forrester analyst Khalid Kark, the report’s primary author, says organizations are no longer facing challenges from individual hackers or even small groups of hackers.
Instead, threats are coming from “highly organized, well-funded” crime networks, or even state-sponsored actors.
The independent research firm also examined key areas experiencing shifts in security threats, all gleaned from a Forrester tracking survey conducted among more than 2800 IT professionals worldwide.
“The attacks are much more targeted, sophisticated, and resourceful”, noted the report, which cites data from a Congressional report showing that cybercrime costs the US economy about $8bn per year.
Part of the evolving cybercriminal toolbox includes a shift toward targeted, low-profile attacks on network applications designed to bleed organizations of data – or money – over a longer period.
“Attackers go after the network, then the applications, and then the data, covering all traces of their presence as they penetrate”, the authors noted, adding that “the ultimate goal is to modify the application in some way so that [attackers] get a consistent source of revenue”.
The new attack strategy has narrowed in focus, Forrester contends, as cybercrimnals now target organizations across the business spectrum looking for valuable information, and not just simply seeking to bleed cash from financial institutions.
The Forrester report also highlighted the rapid metamorphosis of malware variants used by today’s cybercriminals. For example, the report examined Zeus variants, which now number more than 90 000. These custom-made viruses are tailored to evade anti-virus detection and are typically available for little or no cost.
Perhaps the most significant shift in security threats has occurred at the web application level, Forrester noted. The researcher’s data shows that 79% of breached records in 2009 were the result of web application attacks, yet a majority of companies polled focused on securing infrastructure components.
Further complicating the response to this trend is that even among companies that plan to address application security, many often find a dearth of personnel trained to deal with these issues.
This drives home the point that the gap between attackers and defenders appears to be widening as of late. As the report concluded: “The threat landscape continues to evolve and become more sophisticated, and attackers will continue to exploit vulnerabilities in people, process, and technologies to get what they want. What is different today is the velocity – the speed and trajectory – of this change.”
So what can an organization do to maximize its security investment while, at the same time, minimizing its exposure to threats? Kark and his colleagues at Forrester provided some common-sense advice.
The report recommended investing in security personnel, better management of processes, and investment in technology, but within certain parameters. The authors said organizations should not increase security staffing indiscriminately, and should instead focus on high-risk areas. One of these includes increased focus on application security issues.
And whereas the group from Forrester touted increased investment in security technology, it acknowledged that “security technology vendors in general have overpromised and underdelivered”. Instead they advocated for a layered security defense that does not rely on any one particular technology to address a single risk area.