Cybercriminals may be using many of the same attack techniques, but today they have a mountain of information at their fingertips, making it easier to target specific individuals and pull off more complex social engineering tactics.
Targeted attacks are using browser vulnerabilities, seeking flaws in Web applications and finding clever ways to trick end users and penetrate corporate networks, said industry analyst Christian Christiansen, program vice president for security products and services group at Framingham, Mass.-based IDC. The recent attacks targeting search engine giant Google Inc. and up to two dozen other companies have helped highlight the fact that companies may be relying too heavily on traditional security methods, including signature antivirus, to protect endpoint machines.
"None of this is radically new, but with so much information available today attackers can get much more sophisticated and targeted in their attacks," Christiansen said. "Obviously phishing activity is much more profitable, because you get a greater percentage of response."
On Wednesday industry analysts said fears that cybercriminals are more easily penetrating corporate networks could have attendees at the 2010 RSA Conference looking for better ways to defend the inner sanctum, but also taking a more cautious approach to new technologies promising to secure virtualized environments, cloud computing and a number of other corporate initiatives. They shared their views during a teleconference previewing the annual event taking place March 1-5 in San Francisco.
While some RSA attendees may look for ways to provide better security on thinner budgets, a CISO at one company doubled their security staff in 2009, despite the economic downturn, to meet the sophistication and frequency of attacks they were getting, said Khalid Kark, vice president and principal analyst at Cambridge, Mass.-based Forrester Research Inc., who is moderating a panel discussion at RSA next week with several CISOs. Kark said a combination of issues has CISOs concerned. Adoption of social media, which has doubled at enterprises from 2008 to 2009, the increasing use of Software as a Service applications and the use of other cloud-based services have some CISOs worried about the increased risks they pose.
"We're seeing not only a shift in technology, but really the velocity of this change is unprecedented," Kark said.
In addition, companies are increasingly looking into outsourcing security services, said Scott Crawford, research director at Boulder, Colo.-based Enterprise Management Associates Inc. The trend started with messaging security, but is moving into penetration testing, vulnerability assessments and code analysis services.
Cloud computing hype, cloud security issues
Many companies are moving slowly with cloud computing adoption, Crawford said, despite an increasing number of vendors refitting their technologies and their distribution methods to provide cloud-based services. The integration between servers, storage networks and management software is adding more complexity, and the complexity and lack of visibility into cloud environments breeds insecurity. All of the challenges being cited could be causing companies to be more cautious in adopting cloud-based services. In a recent Enterprise Management Associates survey of 850 IT executives, only 11% indicated they planned to implement cloud in the next 12 months, Crawford said.
Some of the challenges include the lack of visibility in cloud environments and the loss of control over company data and how it's being secured by service providers. Crawford said too many vendor proprietary systems are complicating cloud adoption. New standards could change all that, he added, citing the MashSSL Alliance, which focuses on establishing secure channels during browser sessions, as a good start.
"There's considerable attention being paid to the potential risks of cloud computing, but the number of organizations planning on adopting cloud computing models is small compared to a lot of the hype in the market," Crawford said. "A lot of the hype about cloud services out there is out of proportion to what companies are really doing."