Many attacks may still be random, security should not be
With all the talk of targeted attacks, it is easy to lose sight of the fact that for the majority of us, especially in our lives as consumers, random malware is still the greatest danger. Random malware is distributed en masse, by whatever means, in the hope it will find its way onto the most vulnerable of devices. A targeted attack, on the other hand, means it is you and/or your organisation which an attacker specifically wants to penetrate, however that might be achieved.
The best protection against random attacks is still regular patching and host-based anti-malware packages. That was the message from Kaspersky Labs at a recent press round table. Of course, as a vendor of such products, Kaspersky was keen to remind all present that it was not time to ditch more traditional security capabilities just because you have now invested in state-of-the-art protection against targeted attacks. Quocirca agrees, having issued similar advice in a free 2013 research report 'The trouble heading for your business'.
If anything, the issue of random attacks is set to get worse. More devices, with more diverse systems software, often attached to public network access points, increase the attack surface, especially as mobile devices are used more and more for online banking and payments. This will mean random attacks are not quite as random as before: malware variants will be needed for different operating systems, browsers and apps (whereas in the old days it was Windows, Windows, Windows).
However, it should still be worth the cyber-criminals' effort, as at present many mobile devices do not have anti-malware installed. Kaspersky says the focus has been on Android, but iOS users are becoming more and more of a target. Overall, Kaspersky saw 295,539 new mobile malware samples in the first half of 2014.
There is also the potential for collateral damage. Although a mobile device user's personal, banking and/or payment card details may be the primary target, where data protection controls are not in place, business data may make its way on to personal devices too. This may also be compromised, with the potential to land data controllers in regulatory deep water if PII (personally identifiable information) is involved.
Security distributor Wickhill was also at the round table and pointed out that one of the problems resellers find is that too many organisations are still rolling out applications without giving up-front consideration to appropriate security. This is especially true of SMBs, who see security as a cost, not a benefit. Wickhill also finds that security is being overlooked with mobile deployments.
There was general agreement that security needed to focus on data itself rather than the rapidly dissolving network edge. This requires a holistic approach to security that applies to data wherever it is being transmitted or stored. Measures are needed to control what access internal and external users have to data and what they can do with it, which was the subject of two free 2014 Quocirca reports, 'What keeps your CEO up at night?' and 'Neither here nor there?'.
Technology helps drive all this, but as Wickhill pointed out, education is also needed, both of users and of the IT teams which deploy and manage the devices and applications they use. For the more lackadaisical SMBs, help is at hand. Many resellers that are already trusted advisors to their customers are adding managed security services to their portfolio.
Quocirca expects this will increase the uptake amongst SMBs of cloud services. This is now seen as the best way for many to acquire both infrastructure and security, as another free Oct 2014 Quocirca research report, 'Online domain maturity', shows. Kaspersky found that many early adopters of cloud services found security lacking; however, the Quocirca report shows that more recent adopters now see security as one of the main benefits of online services.
Random attacks may still be a problem to worry about, but there is no excuse for random security. The products and services are out there to make organisations, if not 100% safe, at least safer than many others. If you are targeted, you will have a better chance of withstanding the onslaught, and random attacks should pass you by to trouble a weaker organisation.