A War Marked by Fatalism and Denial

Inside Targeted attacks are here to stay, writes CYBERSECURITY Maija Palmer FINANCIAL TIMES SPECIAL REPORT | Tuesday November 1 2011 Page 4 www.ft.com/cybersecurity­november­2011 | twitter.com/ftreports

Illustration: Ian Dodds A war marked by fatalism and denial It is possible to win the highest-profile victims, out by evil geniuses, but by pressure from members of risks and cyber-incidents, a Since the new guidance “There isn’t a regulated The hope of those who including Google. young criminals using read- Congress, the US Securities number of disclosure also encompasses disclo- entity out there that on any pushed for the SEC action battles easily and “Mandiant has seen a ily available tools and scan- and Exchange Commission requirements may impose sures of risk factors, John given day isn’t subject to is that it will make cyber cheaply, explains growing number of com- ning for holes in the system said cyberattacks that could an obligation on regis- Reed Stark, a former SEC attack,” says Mr Stark, who issues command the atten- mercial entities compro- that allow them to gain be material should be trants,” the staff wrote. internet enforcement spe- heads the Washington office tion of chief executives, as Joseph Menn mised,” the company wrote access. revealed to shareholders of Potentially material costs cialist, says he expects the of Stroz Freidberg, a digital well as the public. That recently in a trends report, The $170m attack on Sony publicly traded companies. could include increased number of the largest 500 forensics firm. “It’s cer- could lead to more strategic hile large com- noting that it has been and others this year used a “Although no existing dis- security spending, reputa- companies reporting cyber- tainly going to be a large thinking on the issue, both panies around involved in cases in energy, technique called SQL injec- closure requirement explic- tion damage and lost threats to soar from today’s number that are vulnerable inside corporate hacking the world real- banking, mining, automo- tion, which can be pre- itly refers to cybersecurity revenue. handful. to this.” targets and at large. ise that cyber- tive and even the hospital- vented cheaply. Wsecurity weaknesses are a ity industry. A recent analysis by growing threat, they are not Executives have taken Imperva, a security firm, of increasing spending to meet note, telling PwC in large internet conversations on the challenge, according to numbers that APTs are the one popular hacking forum recent surveys. driving force behind their found SQL attacks were the In a PwC poll of thou- defensive spending. second most popular topic sands of executives, just Unfortunately, only 16 per of discussions, after denial- over half the respondents cent of them say they have of-service-attacks, which expected their companies to the right policies in place to need even less skill. spend more next year on ward off such threats. Some Indeed, fewer than 1 per technology security, just as key capabilities, from alert- cent of the infections Micro- they had the year before. management processes to soft detects are via security Yet the confidence of awareness training, are holes breached by zero-day those information technol- actually in declining use. events, the software group ogy executives and PwC cli- “Companies wonder: ‘Is said last month. ents in their organisations’ there really anything I can Republicans in the US defences has sunk to the House of Representatives, lowest point since the sur- who are proposing broad vey began six years ago. Frequent reports of legislation to improve the The apparent contradic- breaches at big country’s security, said in tion raises troubling ques- October 90 per cent of tions about the state of the companies have attacks could be avoided technology, corporate gov- reduced the stigma with “good hygiene”. ernance, and the ability of If executives know that, company leaders to act in a attached to victims why are they not insisting complex and evolving arena on good practices? without a short-term crisis It may be the rewards for or similar motivation. do about it?’” says Henry success and the penalties The apparent paralysis Harrison, cybersecurity for failure are too low. has deep but distinct roots. director at BAE Systems’ Because chief executives “There is fatalism, and UK-based Detica unit. “But expect security teams to there is complacency, and management is at least hav- avert catastrophes, the there is denial,” said Sir ing those conversations.” absence of a successful Kevin Tebbit, former per- The fatalism is a mistake attack is rarely grounds for manent under secretary of in the view of Mr Harrison a bonus. state at the UK ministry of and many others. Compa- And the increasingly com- defence and, before that, nies can raise the odds mon reports of breaches at director of GCHQ, the against the worst kind of big companies have reduced nation’s signals intelligence data-loss – trade secrets, the stigma attached to vic- agency. masses of customers’ infor- tims of successful attacks In October, Sir Kevin mation, and the like – if and the security figures spoke at a conference in they put in the effort. who work there. The dan- London promoting links Among other things, it ger is that the very fre- between cybersecurity and requires redefining what quency of such reports the wellbeing of businesses winning is, says Mandiant. could lead to complacency. and the broad economy, The bad guys are going to Even when the attacks and showing how good get in, but they can be are serious, the damage is practice can be a compei- stopped from getting data often unclear. The breaches tive advantage. A confer- out. In addition, most hack- may not be reported to ence convened this week by ing attacks are not carried authorities or to customers, William Hague, the UK for- so not immediately harm- eign secretary, expected to ing the brand. draw attendees from 60 They may prompt little countries, will tackle that more than security issue and others. enhancements that fall Such efforts can become within a reasonable overall an uphill battle. In part, technology budget and are that is because senior exec- unlikely to lead to a firing utives feel the fight is hope- The potential exists for less, consultants say. outright and very public Big defence contractors disaster, but it is still small such as Boeing, ManTech, Inside enough that the third prong and Northrop Grumman Sophisticated attacks of Sir Kevin’s problem have all been compromised Is there a solution to statement comes in: denial. in the past two years. So, advanced threats? Page 2 It is human nature to too, have leading security avoid hard work aimed at companies, including top Insurance Cost is the avoiding something that security software vendor main obstacle Page 2 has only a small chance of a Symantec and EMC-owned career-shortening bad out- RSA, the leading maker of SEC filings New come, veterans in the indus- tokens to authenticate com- guidelines will place a try say. A few things would puter users. burden on companies in help break out of the stasis The more educated many the US Page 2 many politicians, defence professionals become about leaders and security profes- how such high-end attacks Everyday risks Attacks sionals say is putting the are carried out, the more are getting easier and economy at risk. alarmed they become. more frequent Page 3 One would be simpler Often attributed to hack- choices, such as the option Data protection ers working with the mili- of more affordable and com- Cloud computing need tary or other government prehensive cyber-insurance. not be a security risk agencies in China, those Page 3 Something that made it attacks are often described easier to sort through the as “advanced persistent Regulation Legislation morass of marketing hype threats” (APTs). is needed but not around security software They can combine trick- everyone welcomes the would also be a boon. ing an employee by posing idea Page 3 Some of the biggest all- convincingly as a colleague, purpose technology provid- with programs that take Viruses Cyber­strikes ers, including Hewlett-Pack- advantage of vulnerabilities are becoming more ard and Dell, have bought in software, known as zero- focused Page 4 security firms in the past day exploits. year and might be on the Such campaigns were ini- Malware Threats once road to giving thorough tially aimed at government confined to computers are protection as a service. agencies and are moving to appearing on mobile But the attempted fix that embrace military suppliers devices Page 4 is likely to arrive the soon- and more recently other est is increased mandatory Liability Businesses industries, according to disclosure. often struggle to receive Mandiant, a US firm that In a lengthy public state- compensation Page 4 has conducted investiga- ment from its staff released tions on behalf of many of in mid-October after 2 ★ FINANCIAL TIMES TUESDAY NOVEMBER 1 2011 Cybersecurity The trade­off between risk and cost

loss of data, are making the Insurance issue very real for this sector. “It is now talked about as a Premiums are high when – not an if – scenario,” Ms but will fall over time, Holmes says. “In healthcare, folks are actually listening writes Maija Palmer because the High Tech law is clearly here today. Other indus- try sectors, however, are not Insuring against cyber-attack under the same government has not been high on the agenda scrutiny and so there is not the for companies up to now. But same urgency.” the attack on Sony this year Cost is one of the main factors served as a wake-up call. stopping companies taking out The attack exposed the details cyber-insurance. A typical pre- of 100m Sony PlayStation cus- mium might be $5,000 for cover- tomers and is expected to cost age of $1m, according to Mr the Japanese electronics com- DeGeorge. “We are in a very dif- pany $182m this year, and it is ficult economy and businesses facing 55 class action lawsuits. don’t have the appetite for addi- Worse yet, Zurich American, tional spending. Companies one of Sony’s insurers, is argu- think they have already ing in court the insurance it invested a lot in their internal wrote does not cover digital security and may feel that buy- attacks. ing insurance on top of that will Courts are increasingly decid- be hard to justify to sharehold- ing general insurance cover ers,” he says. does not extend to cyber- Part of the reason for the high incidents, says Steve DeGeorge, costs is that underwriters have partner at Robinson Bradshaw, difficulty assessing the threat. the law firm. The US Court of “People providing cyber- Appeals in North and South insurance are flying blind, Carolina, for example, ruled this because the threats are so year that insurance covering difficult to predict,” says tangible property does not Malcolm Marshall, head of UK extend to electronic data. information security for KPMG. “There is a perception that if “Cyber-insurance has only you have commercial general been around for about 10 years, liability insurance, you will be in a 300-year-old insurance covered,” he says. “But this is a industry. There is no reliable very risky strategy.” actuarial data to help inform In addition to well-publicised underwriters’ pricing.” Mitsubishi Heavy Industries was reported to have been infected with malware that affected equipment at its Tokyo headquarters and its manufacturing facilities Getty attacks such as Sony’s, security Mr DeGeorge says: “When any experts say thousands of other attacks on businesses go unre- ported. Experts believe most ‘People providing companies will have suffered cyber­insurance are some kind of internet attack. A UK government study this flying blind, because A huge challenge from China, year indicated internet crime threats are so costs businesses £21bn a year, with £9.2bn being intellectual difficult to predict’ property theft and £7.6bn indus- trial espionage. The cyber-insurance market is insurance product comes to Russia and organised crime growing, with Lloyds, the insur- market, there is always a period ance company, estimating it to of years when issues come to be now worth $600m a year, the fore and are fought out in enrichment facility at Natanz. more blunt: “APT is basically a worsen while opponents become them. They need to keep a close from $450m two years ago. the courts.” Security Stuxnet is widely assume to synonym for China.” more effective. We are in a con- eye on staff. Many of the most However, only a quarter of Costs may come down. Some be a worm developed by the US Others, meanwhile, insist it is stant state of infrastructure successful APTs ultimately have companies in the UK have 20 years ago, when pollution James Blitz considers and Israeli governments, though not just nation states that are compromise. But this does not their origins in a human ele- insurance against cybercrime, and environmental liability what can be done neither has confirmed this. responsible for this kind of have to mean organisations ment inside the target organisa- in spite of more than half seeing insurance first came on to the More generally, APTs have sophisticated espionage. Accord- need to live in a constant state tion.” a rise in threat levels over the market, it was very expensive about advanced been used as a potentially pow- ing to John Skipper, a cyber- of risk.” Mr Curry believes that compa- past year, according to a study because underwriters did not persistent threats erful weapon in industrial espio- security expert at UK-based PA One important point made by nies need a new range of tools, by KPMG. know how to price the risk. Now nage. Consulting Group, groups leading security companies is combined in fresh ways and tak- Just 27 per cent of UK busi- costs have come down consider- In March, an information involved in organised crime that organisations need to have ing advantage of technological nesses have insurance against ably. hat can security security breach at RSA, a lead- have been deploying APTs. systems in place that tell them advance, to tackle APTs. data loss and a policy covering “I think we will see the same companies do to ing US-based security company, But it is hard to obtain an when these attacks are taking “People need to go back to the them for business interruption development in cybercrime prevent govern- led to reported attempts to steal accurate picture of how many place. “The starting point for basics,” he says: “Limit access, by hackers. Only 22 per cent insurance,” says Mr DeGeorge. ments and large information from US defence companies is that they need to harden systems and simplify the have insurance to cover the Especially if more companies Wcorporations being attacked by company Lockheed Martin, know they will never have 100 environment rather than mak- potential large legal costs asso- in a variety of sectors are “advanced persistent threats” in which, the company said, were ‘The Chinese are per cent defence against APTs,” ing it more complex. They also ciated with an ecrime incident. obliged to report cyberattacks, a cyberspace? unsuccessful. notable for the sheer says Mr Harrison. “The key, need to start looking at security Mr DeGeorge estimates that body of data will develop. This is one of the topics that In September, there were therefore, is to have mecha- and network analysis. just 15 per cent of US publicly In the meantime, companies is most hotly debated by cyber- reports that Mitsubishi Heavy volume of what they nisms in place that recognise “Situational awareness and traded companies have cyber- can obtain lower insurance security experts. Advanced per- Industries had found that equip- do. The Russians are when your system has been orientation are vital. Very often crime insurance. In some indus- quotes by getting internal secu- sistent threats – or APTs – are ment at its Tokyo headquarters compromised and take action the question is who might tar- tries, such as healthcare and rity as tight as possible, and attacks at the most sophisti- and its manufacturing facilities less active but very accordingly. get you and your customers and banking, however, this is begin- monitoring the threats they cated end of cybercrime activ- was infected with malware. “The time lag between initial partners and why, rather than ning to change. want to be protected from. ity. They are aimed at extract- The question of who carries sophisticated’ compromise of a computer sys- how would they achieve their Kim Holmes, healthcare prod- “A policy written in 2011 ing high-value intellectual prop- out these threats is a matter of tem and the moment when an aims.” uct manager for the Chubb may be obsolete in a couple of erty from governments or corpo- much debate. The strong such attacks are taking place. attacker finds the information In the long run, the challenges group of insurance companies, years, because this area is devel- rations. They can do immense assumption on the part of west- As Henry Harrison, technical he is looking for can be a for companies will be huge. As says there has been a large rise oping so fast. Something could damage to the targeted organi- ern security agencies is that director of Detica, a technology number of weeks. The challenge Mr Curry puts it, they will have in interest from healthcare com- happen that is not covered, sation – and they can be hugely Chinese and Russian govern- consulting firm owned by BAE is to terminate the attack in to do a lot of lateral thinking if panies, after the US brought in because it was unimagined a difficult to stop. ments – and their proxies – are Systems, puts it: “The reality is that critical window.” they are to stop APTs getting the High Tech Act in 2009, tight- few years earlier,” Mr DeGeorge Over the past few years, significant forces. “The Chinese that companies don’t like to talk Companies also need to be through. “People need to stop ening protection of private warns. there have been a growing are notable for the sheer volume about being attacked, so a lot aware of a wide range of issues preparing for the last war,” he health records. “It really is the case that, number of such assaults. The of what they do,” says one lead- doesn’t get reported.” as they plan defences. “People says. “Contemporary threats Under this law, companies can every year when the policy Stuxnet worm launched against ing European security official. However, Sam Curry, chief need to build protection right can completely bypass static, be fined up to $1.5m if such data comes up for renewal, you Iran’s nuclear programme is the “The Russians are less active, technologist at RSA, says a lot across their businesses,” says traditional defences. Today’s are exposed. should look at how the world most famous APT, doing tangi- but what they do is very sophis- can be done to defend systems Mr Skipper of PA Consulting. smart APTs have a stockpile of Class action lawsuits, such as has changed and how the com- ble – though not permanent – ticated.” against such attacks. “Right “They need to monitor unusual never-before-seen tools that they the $20m suit being brought pany’s requirements may have damage to Tehran’s uranium Another security official is now, the trend is for defences to behaviour going on around will use against you.” against Stanford Hospital for changed with it.”

Contributors Businesses told to reveal true scale of losses Joseph Menn Technology Correspondent

Commission issued extensive their regular filings. System tronics group, said it stood to equipment group. This is con- Maija Palmer SEC filings guidelines to companies that are compromises that have a mate- lose about $170m after its online firmed by veteran contract Technology Correspondent publicly traded in the country, rial impact on results or finan- gaming networks were attacked investigators in the US. Fresh guidelines are spelling out when and how both cial conditions, or that are repeatedly this year. William Beer, a director of the Chris Nuttall likely to be a burden past cybersecurity breaches and likely to do so, must be reported TJX, the US retail group that cybersecurity practice at PwC, Technology Correspondent the risk of future ones should be in management discussions of owns TK Maxx, and Heartland the professional services firm, Alan Rappeport for US companies, disclosed in regulatory filings recent performance. Payment Systems, a payment comments: “It is a bit of a US Consumer Correspondent writes Joseph Menn viewable by anyone. They could even potentially processing company, said that Pandora’s box. You could dis- That will prompt many, if not be included in so-called 8K fil- being victims in some of the cover some pretty nasty prob- James Blitz all, of the several hundred larg- ings, which describe special largest credit and debit card lems, so the easy option is to Defence and Diplomatic Editor One of the difficulties in fight- est companies to start opening events. number thefts yet reported had keep the lid shut.” ing cybercrime is the uncer- up about what they have lost The combined disclosures cost them more than $250m and However, a policy of deliber- Stephen Pritchard tainty about how much it costs and what they stand to lose, should “provide sufficient dis- $140m respectively. ate ignorance might be un- FT Contributor companies, countries and indi- says John Reed Stark, a former closure to allow investors to US laws force companies to tenable in the wake of the SEC Adam Jezard viduals. SEC official and now managing appreciate the nature of the warn customers when they lose policy. Commissioning Editor Without this information, it is director of Stroz Friedberg, a risks faced by the particular sensitive data about them, If companies start to admit hard to determine what should digital security firm. registrant”, the SEC wrote, add- which can trigger lawsuits and dire events – such as software Steven Bird be spent to combat the problem Even if companies do not leap ing that reputational damage, provisions for settlements. vendors disclosing the loss of Designer – let alone who should be spend- to adhere to the agency’s man- loss of customers and strategic But, so far, the loss of source code for key programs – ing the money and on what. date that they avoid vague lan- trade secrets would all be fac- trade secrets has generally they could face stock sell-offs by Andy Mears For annual global losses, esti- guage – such as a retailer warn- tors to consider. not required disclosure. investors. Picture Editor mates range from below $100bn ing that all industry databases Though a fair number of com- In the past, some com- Security veterans disagree to as much as $1,000bn, an of customer data could theoreti- panies have mentioned hacking panies that were hit by about how often such things For advertising details, contact: industry report’s ballpark figure cally be targets – laws that threats in passing, thus far very hackers chose not to might occur, but say that any- Liam Sweeney that has been cited by Barack reward whistleblowers will few have disclosed actual learn what data were thing beyond a few public state- +44 (0)20 7873 4148 Obama, the US president. encourage employees and others breaches and their financial taken, according to ments about events on this scale Fax +44 (0)20 7873 4006 This figure includes lost intel- to tip off the SEC about serious consequence. Henry Harrison, will encourage a public debate Email: [email protected], lectual property, which could be breaches. Intel, the US microchip group, technical director at and could force stalled security or your usual representative worth far more to the inventor “The SEC has issued an all- and Google did so early last BAE Systems’ Det- laws through legislatures. than to the thief, but it does not points bulletin to any whistle- year, after the internet company ica, the information Richard Clarke, the former All FT Reports are available on include national security, which blower out there: ‘Let us know announced that hackers based security company White House cybersecurity FT.com. is hard to put a price on. and you may be able to get up in China had tried to gain William Beer owned by the defence chief, says more disclosure is Go to: www.ft.com/reports But many more professionals to 30 per cent of whatever fine access to the accounts of politi- of PwC says not only fairer to investors, but are about to start making edu- we levy’,” Mr Stark says. cal dissidents. that many could galvanise Congress into Follow us on twitter at cated guesses about the costs to “It is terrific that the SEC has However, these companies companies more helpful action. www.twitter.com/ft.reports specific companies, potentially come in, but it is going to be a have not put a dollar value on are afraid to “If you are a company and 90 helping both top executives and tremendous burden for public the impact. discover what per cent of your revenue comes All editorial content in this society as a whole understand companies,” he adds. As regards extended outages data have from three drugs and the formu- supplement is produced by what they are up against. Companies will now have to and credit card thefts, some dis- been lost las are gone and they are being the FT. On October 13, the staff of the cover specific security issues in closures have been more pre- knocked off in India, what, US Securities and Exchange the “risk factors” section of cise. Sony, the consumer elec- really, is your worth?” FINANCIAL TIMES TUESDAY NOVEMBER 1 2011 ★ 3 Cybersecurity The cloud still has a silver lining but it may be costly

And by no means all cloud contracts very tightly. It’s a may be able to deliver services prise-grade security will come putting sensitive information “Large providers of cloud Data protection services operate with enterprise- service that they want to be rep- that are as good as or better with a consumer or small busi- and data into the cloud. Busi- services can bring together grade security; many have ori- licable.” than in your own data centres.” ness cloud service. Depending nesses need to know where their security expertise and have a Stephen Pritchard gins in consumer services That, though, says Mr Beer, “Whether there’s a higher on the cloud provider, upgrad- data are stored. EU businesses really high-powered team looks at why higher designed to be cheap and easy means businesses moving to the level of security will depend on ing security may be difficult. have legal restrictions on host- defending your data and serv- to use. cloud will have less control over the size of the organisation pro- Bespoke or highly customised ing personal data outside the ices, but that also makes a big- levels of defence need Neil Campbell, general man- their operating environment, curing cloud services,” says cloud services, usually created Community. This has led larger ger bull’s eye for the bad guys to be provided ager for security at Dimension including their security, than Peter Allwood, a manager for by large IT systems integrators, cloud service providers to set up to go after,” admits Martin Data, an IT services vendor, with traditional in-house IT or information security and risk will be more accommodating. data centres within Europe. But Sadler, director of the cloud and cautions: “If it is a consumer outsourcing models. PA’s Mr Chapman says: “We businesses still need to ensure security lab at Hewlett-Pack- Not too long ago, any IT direc- service, you would expect basic However, cloud service ven- have shown clients the security security and data privacy prac- ard’s research arm. “But it’s tor would have been dismissed security controls but not a high dors are changing their business ‘A trusted cloud from a [customised] cloud serv- tices are integrated with those still more of a theoretical than a as irrational – if not dismissed level approach to security.” models to suit the demands of may be able to ice, and the conclusion was that of cloud providers. practical threat.” from the business altogether – In part, this is a function of security-conscious customers. deliver services because it was part of the pro- A more complex issue is And, as information becomes for proposing that critical com- how cloud computing works. In As well as private clouds, set up as good as vider’s unique selling point, whether cloud service providers more important to businesses, pany data be put on a shared order to be cost-effective, pro- for one company, and commu- your own,’ they could do it better than the are, themselves, vulnerable to so it will become more attrac- computer, accessed via the viders have to take a “one size nity or “trusted” clouds, created says Rupert enterprise, with more money, attack. For example, Amazon’s tive to criminals. Cloud provid- internet. fits all” approach to their busi- to serve the needs of a group of Chapman and more focus.” Web Services cloud system was ers, in turn, will have to Today, the IT industry is ness, including security. By related firms or government And, with high-level IT skills attacked by the Anonymous increase their investments in exhorting businesses to do just comparison, much enterprise IT departments, generalist cloud at Deloitte, the consultancy. – and IT security skills in partic- group over its withdrawal of security measures. that, through cloud computing. would more closely resemble service providers are also bol- He adds: “SMEs may not have ular – in short supply in most services to WikiLeaks. Security “The level of protection in the Some vendors are even bespoke tailoring. stering security. enterprise security infrastruc- western economies, moving experts warn that attacks cloud should be higher [than in bypassing the IT department, William Beer, a director in the “Amazon and Google are mov- ture. Cloud was invented for services to the cloud actually against one user of a cloud pro- the enterprise], because if the and going straight to business information security practice at ing into the business space SMEs, so they can take advan- boosts security. This is espe- vider could take out the service service provider is hacked, it is units to sell them services such PwC, the processional services through enterprise levels of tage of enterprise security meas- cially true for short-term or for all others. dead,” remarks Marc Vael, a as sales force automation, or firm, explains: “Vendors have encryption and service,” says ures the cloud provider has proof of concept projects, where And anywhere that assembles board member of ISACA, the customer relationship manage- focused on the flexibility and Rupert Chapman, an IT security developed.” cloud computing’s flexibility is large amounts of sensitive data security industry body. ment. These services are invari- cost-saving elements of the specialist at PA Consulting. “If But larger organisations already very attractive. is likely to prove a magnet for “But cloud may become a lit- ably delivered via the cloud. cloud and have locked down the it is a private or trusted cloud it should not assume that enter- But concerns remain about hackers. tle more costly,” he warns. Lawmakers asked to step into digital age

introduced data breach and cybersecurity expert. Regulation security legislation that “There’s lots of talk, but no would punish companies for real action.” Data breaches have failing to comply with mini- According to Mr Schneier, mum safeguards, require the US would benefit from a brought security prompt notification of more “cumbersome” centre stage, writes breaches and promote bet- approach that challenges ter sharing of technical companies. Alan Rappeport information. He points to Europe’s Mr Blumenthal said: “My data protection act and US cybersecurity experts goal is to prevent and deter laws in California as models say that tough regulations data breaches that put that would be helpful on a are needed to encourage people at risk of identity national level in the US, but companies to work harder theft and other serious says that companies have to protect the data of their harm, both by helping pro- been pushing hard for more customers. However, they tect consumers’ data before exemptions to avoid addi- fear that government grid- breaches occur, and by tional costs and negative lock is allowing the issue to holding entities accountable publicity. languish. when consumers’ person- Mr Wysopal says that In the past year, several ally identifiable information companies would benefit high-profile security is compromised.” from national cyber- breaches have brought He continued: “Systems security legislation, because cybersecurity to the fore as to safeguard such private it would simplify their prob- an important public issue. personal information, and lem of navigating the laws This applies to companies prompt notification in cases that apply in the different as well as to private users. of breach, both should be US states. Citigroup, Sony, Google, required, along with con- He says that there needs Lockheed Martin and Nas- sumer remedies to compen- to be a lower threshold daq OMX have all faced sate for any harm.” for corporate “negligence” embarrassing attacks that Republicans in Congress when lawsuits are filed exposed weaknesses in their against companies for data systems and put sensitive breaches, so those compa- customer data at risk. nies have a stronger busi- Chris Wysopal, founder of ness case for investing in Veracode, a cybersecurity security measures. company, says that a year “Now it’s just about ago he surmised it would brand damage,” Mr Wys- take several high-profile opal says. corporate breaches to spur ‘It will take a “The whole issue is that new legislation – but that constant drumbeat people with poor security now it is unclear what it should have liability.” will take for that to happen. of these breaches Meanwhile, the threats “I guess it will take a con- –maybe eventually are only becoming more stant drumbeat of these challenging, as an evolving breaches and maybe even- things will change’ ecosystem of devices and tually over time, things will Chris Wysopal, software becomes available change,” Mr Wysopal says. Founder, Veracode to new digital users. “Or maybe the breaches The quickly shifting land- Reputations can be have to be bigger.” scape will put added pres- The recent spate of have called for increased sure on lawmakers and reg- attacks has generated inter- information sharing about ulators to act quickly. est in legislation with real security threats between According to the Georgia teeth, but also pushback government officials and Tech 2012 Emerging Cyber from companies fearful of key industries. Threats report, mobile the main casualty regulatory over-reach. They have also asked for browsers, “apps” and cloud Last May, the Obama the Department of Home- computing are presenting administration outlined a land Security to obtain new and vulnerable targets proposal that would give more support from the for cybercriminals. for the police and much hacking a database or web sage that appears to come Who goes there? the US government the defence department. Because mobile devices Everyday risks kudos for the hacker from application. from a familiar or legiti- The frequency of attacks power to review plans that The Republican proposal, and browsers are infre- his peers. Other popular topics mate source, “one of the inspired by so­called private owners of infra- however, favours compa- quently updated or patched, Hackers can find Website defacements and include “denial of service” oldest scams in the book”. hacking collectives has risen structure had in place to nies having broader compli- they are rife with security easy lessons online, stolen passwords are not a attacks, whereby a website Even so, RSA estimates sharply in the past year defend against malicious ance standards and protec- holes. new feature of the online is overloaded with traffic that phishing attacks cost hackers. tion from lawsuits. “Mobile applications are says Tim Bradshaw security landscape. But the until it is knocked offline, businesses and individuals Social networks can be The White House also In spite of these efforts, increasingly reliant on the ease, frequency and profile and spam, unsolicited email around the world $520m in venues for phishing, and called for a US law that political gridlock in the US browser,” says Patrick of such attacks have all containing viruses or links the first half of 2011, can also inadvertently give would force companies to has dimmed hopes that a Traynor, assistant professor fficers at the risen sharply in the past to websites that can capture through tens of thousands clues to hackers about disclose the loss of cus- law will be created in the at the Georgia Tech School Boston Police year, thanks to the antics of passwords. of scams mimicking just a potential passwords. tomer data to users and fed- near future. of Computer Science. Department were Anonymous, Lulzsec and All this is a far cry from few hundred familiar online CPP Group, which pro- eral authorities. “The US government is so “As a result, we expect already having a the other hacking collec- the Stuxnet virus, which brands, such as banks. vides credit card insurance In September, Richard dysfunctional right now more web-based attacks Obad day before the phone tives that have followed in targeted industrial infra- Phishing attacks are diffi- and identity protection Blumenthal, a Democratic that nothing will happen,” against mobile devices in rang. A thousand user- their wake. structure, or the rogue cult to prevent because services, found a third of senator from Connecticut, says Bruce Schneier, a the coming year.” names and passwords from High-profile attacks on states and organised crimi- they prey on human, rather Facebook profiles contain at their union’s website had the likes of Sony, Nintendo nal groups behind sophisti- than technological, vulnera- least two pieces of personal been posted online after a and Rupert Murdoch’s Sun cated hacking attacks. bilities, says Mr Cluley. information, such as a hacking attack, apparently newspaper websites have But just as YouTube and He says that weak pass- favourite sports team or in support of the local all been executed: for ideo- blogs have democratised words, using insufficient school, which are com- instance of the Occupy Wall logical reasons; to make the creation and distribu- number or variety of char- monly used in passwords or Street protests. mischief; or, as in the Bos- tion of media, the social acters, were probably security questions. But when one Bostonian ton case, simply because responsible for October’s Consumerisation “is a police official answered the the hackers involved had hijacking of YouTube chan- really huge issue for most phone to a young man with nothing better to do. ‘It is about raising nels of Microsoft and Ses- of our customers”, says a British accent purporting “These are people work- awareness, ame Street – the latter stunt Henry Harrison, technical to be a member of the press, ing without a financial used to show videos unsuit- director at Detica, a secu- he did not expect that motive,” says Graham Clu- because if you able for children. rity firm owned by BAE insult would be added to ley, senior technology con- do foul up, it is “It’s really hard for IT Systems. “Every IT depart- injury. sultant at Sophos, the anti- managers to control, ment is under pressure, par- “We’re in the process of virus software maker. going to be on because they are putting ticularly from senior execu- investigating it,” the official “Some companies would their trust in users,” Mr tives, to let them bring said of the hack. think that they wouldn’t be the front pages’ Cluley says. “Fundamen- their iPad to work.” “Yeah, that was me,” the anybody’s target, whereas tally, it’s about raising He adds: “Historically, ‘reporter’ replied. now people are simply web has also allowed hack- awareness and educating the trend that IT has fol- “You hacked into the doing it for kicks, or for ing tools and skills to be users and C-level staff that lowed over the past 20 years website? Would you like to political reasons.” shared more cheaply and security matters, because if has been to get tighter and tell me why you did it?” the Imperva, a data security easily, and the fruits of you do foul up, it’s going to tighter control over comput- flabbergasted policeman firm, analysed an online their application to be seen be on the front pages.” ing devices, so the security asked. forum where tens of thou- more widely. He recommends repeating can be managed. “I just got a bit bored,” sands of hackers gather to Even if the resulting the security lessons typi- “Now, people are using a the young man laughed. swap tips and brag about intrusions do little practical cally taught at a corporate home device with very little Such is the world in successful incursions. or long-term harm to corpo- induction for new employ- control over what other which IT security opera- It found that a quarter of rate systems or their users, ees to long-standing staff software is on it, and they tives – and, increasingly, the discussions were hack- they are still damaging to every few years too. want to plug that into the public-relations people – ing tutorials, “ensuring”, an organisation’s reputa- The “consumerisation” of corporate network because now live. This phone con- Imperva wrote in its Octo- tion, especially if not han- corporate IT – as employees they find it convenient.” versation was recorded, ber report, “a steady supply dled and rectified swiftly. bring their own devices The trick in dealing with posted on the video-sharing of new talent”. In a recent report, RSA, a such as smartphones and such security threats is the site YouTube and passed One typical lesson, a four- security provider owned by laptops to work and use same as for more serious around on Twitter, the minute YouTube video, storage firm EMC, calls personal sites such as Face- technical hacking attacks, micro-communications net- detailed how to hack a web- phishing, whereby users are book – has opened the door Mr Harrison says. “There is work, ensuring it received site with a relatively tricked into handing over to more everyday security a classic trade-off between maximum embarrassment straightforward method of personal details by a mes- risks. flexibility and security.” 4 ★ FINANCIAL TIMES TUESDAY NOVEMBER 1 2011 Cybersecurity Era of targeted attacks is here to stay

in dealing with APTs is that Viruses most appear to come from foreign nation states, such A new kind of risk as China and Russia, has been found, although the origin of the attack is almost impossible says Maija Palmer to prove. When Google revealed its email systems had been the ust in case anyone subject of a targeted attack was starting to feel in late 2009, it pointed the complacent, re- finger at China. Privately, searchers have just security professionals talk Jdiscovered a new, highly about the fact that many sophisticated virus that attacks happen during the appears to be designed to Chinese working day. collect information secretly It is hard for companies from European and Middle to get redress when the Eastern companies. threat comes from these Dubbed Duqu the virus is quarters, but practical steps similar to Stuxnet, which can be taken. was uncovered in 2010 and One is to look for unusual apparently designed to spy network activity. If a devel- on and disrupt Iran’s oper’s laptop begins con- nuclear programme. necting to an internet Stuxnet, believed to have address halfway across the been created by a govern- world in the middle of the ment agency, alarmed IT night, for example, it could security professionals be a sign of a spy program because it was so highly at work, says Mr Hypponen. targeted and was one of the Once rogue activity is first times that a piece of detected, it is worth gather- malware was able to cause ing evidence for a while, real-world effects in terms rather than removing the of damaging Iranian malware straight away. nuclear reactors. Security experts say it is The discovery of Duqu worth trying to find out as confirms that the era of much about the attackers cyberthreats is here to stay. as possible, and seeing what Although no one knows they are looking for. quite what Duqu has been Mr Marshall says: “Hav- created for, it appears to be ing an idea of who is attack- mining companies for data. ing you is helpful for get- Over the past two years, ting a sense of what you IT security experts say they need to do to protect your- have seen more of these self, even if being able to kinds of attacks – known as prove it in court and litigat- targeted attacks or ing is not possible.” advanced persistent threats Protecting everything in (APTs) – on computer net- the corporate network is works. too expensive, but compa- Hacking attacks in the nies can identify their past used to be widespread ”crown jewels” and put and scattergun; for exam- extra security around these ple, sending millions of peo- parts of the system. ple an email tricking them The good news is that tar- into revealing bank details, geted attacks can take time or hijacking their computer to carry out, which means to send out spam messages. they can be thwarted before By contrast, an APT is critical information has focused on just a few people been compromised. in an organisation and Mr Harrison says: “The designed in such a way that traditional view was that it goes unnoticed while it Mahmoud Ahmadinejad, Iran’s president, at the Natanz uranium enrichment facility. The plant was the target of the Stuxnet virus in 2010 AP when someone got into the begins a slow and painstak- network, the company had ing probe of the network. be sent to just one com- details for 18 months before later, defence contractors law firms and insurance UK defence group, says: rity at KPMG, the profes- already lost the battle. Duqu has only been found pany. In will be highly tai- it was discovered. such as Lockheed Martin, companies. Investment “People are realising this is sional services firm, says: “But in these attacks, the in some two dozen organisa- lored to look authentic, it Defence companies in which used these RSA banks such as Morgan something they should be “Companies have to accept hackers are looking for spe- tions so far, and security will be in the right lan- general came under attack tokens, came under a Stanley have been attacked worried about. When we this is inevitable, and begin cific information and it can experts are still not sure guage with the right con- this year in a complex, two- highly specific assault. and the world’s biggest oil talked about this a year preparing for how to deal take them weeks or even how it was implanted. tent, and it tends to go stage operation. First, soft- Leaked documents this and energy companies have ago, they didn’t understand with an attack.” months to find it,” he says. Mikko Hypponen, chief completely unnoticed.” ware was stolen from RSA, year also showed that com- been infiltrated. why, but now there has About 50 per cent of the “Companies should not research officer at F-Secure, In one case, a director at the security company, panies including DuPont, Henry Harrison, technical been a change in the level security work KPMG does despair. It requires thinking the IT security company, a UK defence company had which compromised secu- Walt Disney, Johnson & director at Detica, a tech- of awareness.” is with companies that have about security in a different says: “In advanced persist- a virus on his laptop that rity tokens that it had Johnson, and General Elec- nology consulting company Malcolm Marshall, UK been subject to such an way, but there are things ent threats, an email might had been leaking sensitive issued. A month or two tric had been hit, as well as owned by BAE Systems, the head of information secu- attack. One of the problems they can do.” Banks refuse Mobile devices are likely to to pay out to be next victims of viruses – are also becoming popular. nature of smartphones makes Malware GGTracker poses as a free bat- this possible and their activity tery-saver app. Clicking on this on the network means they can protect clients Chris Nuttall looks at takes the user to a fake version easily be monitored for unusual recent efforts to keep of Google’s Android Market to behaviour by mobile operators. download and install the app, AT&T has 40 researchers ties, transport and communica- ‘black hats’ out which charges premium text working in the field of behav- Liability tions companies want to pay to messaging fees to that phone. ioural analysis to spot malware, shore up protections against A more dangerous kind of rather than relying on the tradi- Businesses targeted by attacks from abroad. Threats, vulnerabilities, Tro- monetisation spread to Android tional PC-like databases criminals are left high The financial industry has jans, phishing sites – the lan- this year from Symbian, Win- scanned to identify viruses by both that simmering argument guage of PC virus warfare is dows Mobile and BlackBerry their software signatures – the and dry by lenders, to resolve and a more immedi- this year increasingly being smartphones in the shape of fingerprints of their code. reports Joseph Menn ate one: if a business has its applied to mobile devices. Zitmo, a supposed banking McAfee, acquired by the chip- bank account drained by hack- A series of reports from secu- authorisation app. It can inter- maker Intel this year, is work- ers, who should be on the hook, rity companies suggest a surge cept text messages often sent by ing on embedding security into One of the most lucrative and the business or the bank? in mobile malware. Juniper Net- banks that provide one-time the hardware. fastest-growing sectors of the In the UK, businesses are works says Google Android mal- passwords to help users access “For years, security software cybercrime economy is the dis- often held responsible if they do ware samples grew 400 per cent accounts and transfer money. has lived above the operating tribution and use of sophisti- not recognise fraud on their between June 2010 and January Despite such alarming threats, system layer, but the goal is to cated software that assists in accounts within two days, says Institutions are better equipped to catch crooks out Dreamstime 2011, while Lookout Mobile security experts say the mobile put security lower in the stack stealing funds directly from Ross Anderson, professor of Security reports a 250 per cent malware problem is minor, com- where it can’t be tampered bank accounts. security engineering at Cam- Though the transfers from its at the American Bankers Asso- increase in the likelihood of pared with the viral warfare with,” says Mr Dasher. With most criminals operating bridge university. Banks some- accounts were so unusual as to ciation, says it is right such users encountering malware on raging in the PC world. Juniper, whose Junos Pulse from abroad, there is little risk times try to shift blame on to trigger a high risk score from cases are decided on specifics. their mobile devices between “The percentage increases Mobile Security Suite is used by of capture and there are fewer individuals, too, he adds. the bank’s security service, all He says revised guidelines pub- January and June this year. AT&T and others, advocates a steps than one needs when Under US regulations, the that did was trigger “challenge lished in June will tighten secu- Kevin Mahaffey, chief technol- holistic approach of network using stolen credit cards to buy banks generally must reimburse questions”. The criminals appar- rity. ogy officer and co-founder of ‘How do you get operators monitoring and block- goods that are then resold. consumers whose accounts are ently had the answers because Among other things, the new Lookout, says 2011 represents people to adopt ing threats as well as protection “There has been a noticeable cleaned out. But no such rule Zeus records keystrokes made rules bar reliance on passwords, the start-up phase for malware a product on the smartphone itself. increase in account takeovers protects businesses, even those on computer keyboards and the standard challenge questions “entrepreneurs” developing a without selling “There is the need to scan that result in fraudulent trans- owned and operated by a single same questions had been asked and “cookies” that identify spe- business model. through fear?’ apps as they are being down- fers from the victim’s account to individual. before. The bank won in part cific browsers. He also says a “Every new piece of malware Kevin Mahaffey loaded. Firewalls have to be set an account under the control of A small but growing number because the security rules in recent survey of 77 banks found we are seeing is experimenting of Lookout up and finally the user has to be the perpetrator,” AT Smith, of companies have been wiped effect at the time did not explic- that while attempts at fraud had with methods of distribution – educated about threats and safe assistant director of the US out by Zeus and its ilk, which itly require tokens, telephone more than doubled in a year, how do you get the malware to we’re seeing are from a tiny practices,” says Karim Toubba, Secret Service, testified in Sep- can be delivered via trick emails calls or other forms of “out-of- the amounts actually extracted people in the first place – and base,” says Ed Amoroso, AT&T Juniper vice-president of secu- tember to a Congressional hear- that seem to come from a bank band” authentication. by criminals had fallen. with monetisation – how do you chief security officer. rity and strategy. ing on electronic bank fraud, or via user visits to legitimate Though one bill introduced in make money as a malware “Most malware continues to 3LM, founded by two former which is estimated in billions of websites that have been Congress last year would have author?” he says. reside on the PC – it’s easy pick- members of the Google Android dollars a year. An FBI official infected. Low­level courts have extended the protection given to Distribution is proving easiest ings there – it’s not adminis- team, last month launched an said his agency was probing 400 In some instances, US banks been split so far on townships and school districts, in the Android ecosystem. tered and it’s on a big fat broad- enterprise security suite for cases of corporate account take- have reimbursed companies for which have been hit hard by John Dasher, McAfee senior band pipe.” Android that hooks directly into overs with losses of about $85m. all or part of their losses, but whether financial fraud, Mr Johnson says the director of mobile security, says: He says mobile security the operating system and gives Part of the problem is that the they make no promises, and institutions can be industry remains opposed to the “Apple has a walled garden, experts cannot count on learn- IT departments a management diverse digital underground con- low-level courts have been split extension of liability to either with its curating of apps for its ing from their PC counterparts console to ensure employees’ tinues to develop technology so far on whether financial held responsible for non-profit groups or businesses App Store, so it’s had far fewer either, with computer security phones are secure. quickly. As an example, some institutions can be held respon- at large. instances of malware, but now “in a pretty abysmal state”. Tom Moss, chief executive and members of the pernicious sible. cases of cybercrime “Changing the liability model Android is far more porous.” With mobile threats still low, co-founder, says this is the first “Zeus” family of credential- The rulings thus far have is particularly dangerous for the “There are more than a dozen mobile security companies are of next-generation anti-malware stealing programs can intercept depended heavily on the exact Another case, heard in Michi- community bank market,” apps sites, it’s very easy to bundling their anti-malware products that should arrive in authentication codes sent to wording of the contracts gan federal court, fell in the where institutions have less to download apps and ‘sideload’ protection with other services to the next year – just in time. mobile phones. These illegal between banks and customers other direction. The judge there spend on security and could be apps on to a device, and so it’s make them more appealing. “Now Google is introducing business models have also who opt for electronic banking, ruled that the bank Comerica ruined by major cyber-robberies, far easier for a hacker to get an “It’s a conundrum – how do things such as NFC [mobile pay- advanced, with effective DIY as well as whether the institu- did not show good faith, defined says Mr Johnson. “It is only app published that contains you get people to adopt a prod- ment] chips in addition to other crimeware kits available free in tions are deemed to have acted as including “fair dealing”, when you banks and businesses malware.” uct without selling through fear services that have financial many places. in “good faith” with “commer- when it did not act quicker to view security as a partnership The easiest way to infect a [that they may face virus components, it just makes But there is a less obvious, cially reasonable” security pre- stop wire transfers from client that it is going to be effective.” smartphone is free games or attacks],” asks Lookout’s Mr Android a bigger target for the and potentially more fixable, cautions. Experi-metal to Moscow, Esto- But others say that banks are apps that look similar to well Mahaffey. ‘black hats’,” he says. reason why the crooks continue In a big test case, a Maine nia and China. More than $5m much better equipped than known ones, confusing users That is why his company “Google will take action to prosper in bank cyber-capers: company called Patco Construc- in overdrafts were allowed on small businesses to outwit into downloading and giving the includes useful security utilities against them, but there’s also a standoff over who will pay for tion lost hundreds of thousands one Experi-metal account that crooks. authors the permissions they such as the ability to locate lost going to be a very healthy and better security. of dollars after a Zeus infection, typically had a zero balance, the But if they are not likely to be need to carry out their under- smartphones and remotely lock robust third-party developer Basically, neither govern- then lost money again after judge wrote after a bench trial. held liable, they have little rea- hand tasks. or wipe them. community coming along with ments nor privately owned utili- unsuccessfully suing its bank. Doug Johnson, policy analyst son to spend what it takes. Malvertising – ads within apps The always-on location-aware security solutions as well.”