Targeted attacks on the rise, say SANS Institute experts

According to Dr. Eric Cole, James Tarala, and Stephen Sims, a trio of renowned IT security experts within the IT security training institute, their research suggests that these types of attacks are increasing in number.

"I know of a recent case where four companies within the manufacturing sector were targeted by one of many zero-day attacks that are occurring across the internet", said Dr. Cole, an expert in his field for 20 years.

"From the forensic evidence, it seems the attackers were after some particular intellectual property and were well organised and methodical", he added.

In his role as part of the Commission on Cyber Security for the 44th president, Dr. Cole is reported to have been privy to a growing body of evidence that suggests targeted cyber attacks are on the increase.

Dr. Cole says that, in addition to the obvious damage these attacks can have, company executives are often concerned for their reputations.

In response, he adds, companies tend to keep quiet about breaches, and this reticence to come forward makes the scale of the problem difficult to judge.

James Tarala, a senior SANS instructor with over a decade of experience in cybersecurity, echoes these thoughts, and says that there are a lot of dynamics at play.

For example, he said, the lack of a "digital pearl harbour" has helped to form a collective complacency in the minds of many firms.

"You wonder how bad it has to get before people start taking security more seriously", he said, adding that even the FBI has a backlog of cases they do not have the manpower to deal with.

Another reason for the growing rise of targeted cybercrime, he went on to say, is a better organised economic model that finances many of the elements needed for complex attacks to take place.

Stephen Sims, an information security researcher, and one of only a handful of individuals who hold the GIAC Security Expert (GSE) Certification, says that he has spoken with many people on the fringes of the security scene.

Really talented programmers, many in emerging parts of the world, he says, can be tempted to head down the wrong path when they are offered tens of thousands of dollars for zero-day exploits.

Sims also points to companies, some quite reputable, that will pay from a few thousand to over a hundred thousand dollars for zero-day exploits with remote code execution capability.

"This happens and it is not make believe", he said. "Major operating system patches and updates are like triggers for people looking for exploits and the financial reward means an almost unlimited supply of new threats will continue to emerge."

All three experts agree that part of the problem lies in a lack of awareness combined with a clear skills shortage.

Dr. Cole highlights a lack of mandated global requirements for maintaining good security practices.

"In the US, to be a doctor, an accountant or even a hairdresser, you need to be certified by an independent board", he said.

"To maintain IT security, there is no mandated requirement. It's an odd situation that needs to change", he added.

Emerging standards such as PCI, notes Dr. Cole, are a good step but he adds that most organisations don't have measurable metrics to find out if they are focusing their security spend in the right areas.

"This is another key skill that security professionals need to learn", he said.
