Enterprise Security - Are You Ready For 2012?

What new enterprise security threats will 2012 throw at us?

Are you a target for cybercrime?

How much of a target are you for cybercrime? In its 2011 Data Breach Investigation Report (DBIR), Verizon Business offers a simple answer: 'Some organizations will be a target regardless of what they do, but most become a target because of what they do (or don't do)'. As we'll see, in most cases it's what they don't do. Most of the attacks we saw in 2011 demonstrated the sophistication of the attackers and the failure of organisations to protect their data. In this 2012 update of IT Security: How Exposed Are You?, we examine recent events and emerging trends to show:

Why so many organisations are still exposed;
The new sources of cyber vulnerability;
Why it's still so easy for criminals to crack enterprise security;
Why traditional security approaches won't stop them; and
What protection you need in 2012 and beyond.

2011: Cybercrime in focus
2011 was a big year for cybercrime. It was labelled 'endemic' in the UK, with an estimated cost of £27 billion a year. The EU increased jail sentences for attacks on critical infrastructure and is currently strengthening data protection laws (already the most stringent in the world). In the USA, President Obama announced the National Strategy for Trusted Identities in Cyberspace (NSTIC) to combat rising identity theft.

2011 was also the year of hacktivists, who targeted high-profile organisations for ideological rather than financial reasons. When the dust cleared, crikey.com wrote that the high-profile hacks of 2011 'said far more about the poor security of governments and major corporations' than they did about the skill of the perpetrators. That message was underscored by Sony Corporation, which looked for its first CISO after some 100 million customer records had been compromised.

Going by 2011 trends, unless your organisation is a likely target for hacktivists, you should be more worried about attacks seeking commercial gain. In 2011 there were plenty of those: highly targeted attacks designed to steal specific information, ranging from Intellectual Property (IP) to Personally Identifiable Information (PII). David Lacey made a grim summation in his security blog: 'If your organisation owns information of commercial value to others, has found new sources of oil or gas, or designs products that are the envy of your competitors, then you will need to raise your game above traditional best industry practice levels to resist these attacks.'

Late in 2011, we saw LG Australia's website hacked, along with a major service provider, compromising some 60,000 customer records. 2012 began with a hack on Zappos, an online retailer owned by Amazon, which resulted in some 24 million customer records being compromised. Large customer databases are clearly still highly attractive targets.

Same old, same old

Despite the obvious rise in number, size and severity in 2011, Verizon's latest DBIR (analysing 2010 data) found that almost all of the breaches it investigated 'were avoidable without difficult or expensive corrective action'. The 2011 statistics show that the trends identified in the 2010 report are getting worse, not better:
83% of victims were targets of opportunity (indiscriminate, one-off attacks on soft targets);
92% of attacks were not highly difficult;
76% of all data was compromised from servers;
96% of breaches were avoidable through simple or intermediate controls;
89% of victims subject to PCI-DSS had not achieved compliance.

In recent months, you've probably heard about Advanced Persistent Threats (APTs), stealthy, targeted attacks designed to evade traditional rules-based IT security. While some assert that security vendors are 'spinning' the APT risk to sell more of their wares, APTs weren't given a lot of space in Verizon's 2011 DBIR, yet nearly two-thirds of the malware investigated was customized.

What Verizon's DBIR clearly shows is that organisations must do a whole lot more to protect themselves from avoidable breaches. The report also mentions that 'the numbers of public sector victims hit an all-time high,' with 'more incidents involving theft of classified information, intellectual property, and other sensitive organizational data than ever before,' so neither sector can afford to be complacent.
