Cyber-threats are not strictly for money and are certainly not all commercial - RSS feed from Security Park
(17/03/2010)

Thanks to tough economic times (and the resulting hit on our wallets) and a generous dollop of fear-mongering from the media and opportunistic profiteers, we’ve all become myopically obsessed with cyber-crime. This is not entirely a bad thing. Unless you’ve been living under a rock, you know that technology has created unimaginable opportunity for resourceful crooks. The pitfall is in our myopia. We’ve become so obsessed with cyber-crime – a “petty” offense in the grand scheme of things – that we’ve overlooked the bigger picture.

A recent New York Times article reminded us of a conspicuously under-reported digital security threat: Cyber-Terrorism. Dennis Blair, the Director of National Intelligence (the uber-agency which houses the CIA), made the following comment in an appearance before the U.S. Congress: “Malicious cyberactivity is occurring on an unprecedented scale with extraordinary sophistication.”

U.S. Secretary of State Hillary Clinton also recently shed light on the critical nature of this global issue when she urged NATO members to “modernise and strengthen” their alliance to combat cyber-terrorism, which has created a climate in which conventional weapons (i.e. missiles and bombers) are “no longer sufficient” to keep Europe and the U.S. safe.

These are important reminders that all cyber-threats are not strictly for money and are certainly not all commercial. In fact, there is good reason to believe that the largest increase in systems security vulnerabilities will occur as a result of political, not criminal, activity. The good news is that most IT environments already have most (but not all) of the tools to deal with this emergent threat.

In discussing this issue, it is important to first have a decent working definition of “politics”. Politics is the creation, distribution and maintenance of power across some group of people. In this case, as we have seen with the alleged Chinese attacks on Google, the struggle is over the power of information.

This new brand of digital threat takes advantage of a weakness in the hierarchy of law. Most of what we’re exposed to is either civil law (like lawsuits, generally) or criminal law (the kind we need police to enforce). This new form of exploit, however, runs up against international law. While I am not a lawyer, the principal issues with international law are that it is both ill-defined and expensive (or impossible) to enforce.

If the geopolitical cyber-threat is indeed growing, that says something about the current, often hysterical, narrative floating around the industry about “cyber-crime”. I have to admit, it is getting some traction in the media, as a cyber-crime story even appeared on NPR’s Fresh Air show.

A number of competitors (nominally in the Log Management market) are shamelessly hyping the dangers of cyber-crime to degrees that border on the irresponsible. Yes, it is true that we need to be aware of hackers who want to steal our data. But in reality, true systems security is reliant on people, products and processes; it’s not just about one single product which will solve all the world’s security problems.

The fact of the matter is that bad things happen. You will be hacked. You may have already been hacked and not know it. A rational organisation will do three things. First, put up the best defenses you can. Second, implement the best people-processes you can. Finally, be ready to clean up and perform forensics when you do get hacked, because one way or another, it will happen.

But the tools do exist to prevent, or at least discover, these types of attacks when they occur. The core assets IT environments can leverage are the mountains of log files that modern systems generate (but often ignore).

As has been noted by Mark Nicolett of Gartner, the best place to start is with Log Management. In his report, “How to Implement SIEM Technology”, Nicolett recommends the following starting place for building out what he calls a “Security Information and Event Management” infrastructure:

Deploy a log management infrastructure. In most cases, the project team should implement log management functions before event management capabilities.

The reason Gartner recommends log management is that real visibility and control of your IT environment starts with the fundamental elements of what is *really* happening in and around your systems - the logs. Logs and their log messages are the core of building true visibility in your systems. The Greek philosopher Demosthenes called the smallest, indivisible bit of matter atomos, or atomic. Log messages are the atoms of IT visibility: they are the core elements from which visibility into any environment is built.

Everything else builds on that, including security event management, and event management in general. And from this base, a whole new class of threats can be dealt with and managed. This includes the new class of state-sponsored threats which go way beyond the current narrative around cyber-crime.
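As an added illustration of the layering the article describes (a log management layer first, an event management layer built on top of it), and not code from the article or from LogLogic: a small Python script that normalises a few constructed sshd log lines into a common event record, then runs one correlation rule over those records. The log lines, host name, user names and addresses are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not from the article): sshd auth events on one host.
RAW_LOGS = [
    "Mar 17 10:01:02 web01 sshd[2231]: Failed password for admin from 198.51.100.7 port 51022 ssh2",
    "Mar 17 10:01:05 web01 sshd[2231]: Failed password for admin from 198.51.100.7 port 51023 ssh2",
    "Mar 17 10:01:09 web01 sshd[2231]: Failed password for admin from 198.51.100.7 port 51024 ssh2",
    "Mar 17 10:01:15 web01 sshd[2240]: Accepted password for admin from 198.51.100.7 port 51025 ssh2",
    "Mar 17 10:02:00 web01 sshd[2250]: Accepted publickey for deploy from 203.0.113.9 port 40001 ssh2",
]

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

def normalise(line, year=2010):
    """Log management layer: turn one raw sshd line into a common event record (None if unparsed)."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # syslog lines carry no year
    return {"ts": ts, "host": m["host"], "user": m["user"], "src": m["src"],
            "event": "auth_success" if m["outcome"] == "Accepted" else "auth_failure"}

def detect_bruteforce_then_success(events, threshold=3, window_s=300):
    """Event management layer: flag a success preceded by >= threshold failures from the same source."""
    failures = defaultdict(list)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["src"])
        if ev["event"] == "auth_failure":
            failures[key].append(ev["ts"])
        elif ev["event"] == "auth_success":
            recent = [t for t in failures[key] if (ev["ts"] - t).total_seconds() <= window_s]
            if len(recent) >= threshold:
                alerts.append({"host": ev["host"], "src": ev["src"], "user": ev["user"],
                               "failures": len(recent), "at": ev["ts"]})
            failures[key].clear()  # a success resets the counter for that source
    return alerts

if __name__ == "__main__":
    events = [e for e in map(normalise, RAW_LOGS) if e]
    for alert in detect_bruteforce_then_success(events):
        print(alert)
```

The rule is only possible because the normalisation step already exists; the same records could feed retention, forensics or further correlation rules without re-parsing the raw lines.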

LogLogic are exhibiting at Infosecurity Europe, on 27th – 29th April at Earl’s Court, London, www.infosec.co.uk.

Opinion piece submitted by Bill Roth, LogLogic CMO
