A new study released by Vancouver-based Telus Corp. has found that, despite an overall shift to increasingly sophisticated hacking attacks, a significant portion of them combine those methods with older techniques like social engineering.
Despite more and more IT spending in security for Canadian businesses, Rafael Etges, director of security and risk consulting for Telus, said that data breaches have actually increased in Canada by 29 per cent since 2009.
“In our forensics unit, we have seen more and more of the sophisticated type of threats affecting specific individuals. More than 50 per cent we can say in the past 12 months of the forensics investigations we’ve done were actually related to specific individuals being targeted inside organizations.”
Instead of just breaching security through a brute-force, front-door approach, Etges said that when hackers aren’t using zero-day exploits, they often use spear-phishing tactics to get untraceable access by exploiting one specific employee. It only takes one person to compromise a network, Etges said.
Rick Moy, CEO of Carlsbad, Calif.-based NSS Labs Inc., said that one of the problems facing North American compliance and security testing is something he addresses at NSS Labs: practical testing.
“Our methodology is really, take real world attacks that we’re seeing on the Internet and apply those through these products to understand what gets blocked and what doesn’t. We use live attacks with live payloads.”
While it sounds a bit like Moy works in munitions, and not enterprise security testing, he said the reality is not so strange. Whereas the majority of security testing lies in the theoretical, using (his words) neutered attacks, NSS uses the exact same tools hackers use to leave remote shells in its clients’ systems so they can take remote control of the network.
“One of the big problems in the industry is the use of these neutered attacks, folks are getting a false sense of security. Some of the security vendors are studying for the test, if you will. They’re not really doing the live pop quizzes, they’re just kind of doing the book work.”
“The problem with that kind of a mindset is that the bad guys are always trying to get in. There’s no such thing as a perfectly secure network,” Moy said.
Moy said this is one of the reasons Telus tapped NSS to help them with the new study. While Telus has the release of its annual Canadian security report with Rotman School of Business next month, this study was curated based on the findings of last year’s study.
He said complacence is the easiest way to get caught unawares. Every employee is part of the security strategy and a network is only secure if it is constantly tested and updated.
Ideally, he said, the study suggests stress testing your network once a month, but realistically few could afford the time or the money to do that.