As cyber landscape evolves, so do the bad guys

A pair of cybersecurity studies show how hackers and criminals adroitly adapt to a shifting IT environment while systems defenders stand still.

A pair of cybersecurity reports released April 19 painted a pessimistic picture of the threat landscape, indicating that the bad guys are adapting quickly to new conditions while systems' owners and defenders are making little headway.

One example: The number of compromised records in 2010 was only about 2.7 percent of the number compromised in 2009, but they resulted from significantly more attacks aimed at specific, smaller (and often easier) targets.

The nation’s critical infrastructure also appears to be vulnerable.

“Overall, we found little good news about cybersecurity in the electric grid and other crucial services that depend on information technology and industrial control systems,” the second annual report from McAfee on critical infrastructure protection concluded.

Related stories:

Attackers find old vulnerabilities are still the best

New threats emerging, and IPv6 won’t make defense any easier

The report found that although Stuxnet raised security awareness in the last year, improvements have been marginal.

“There were gains, but they’re modest,” said Stewart Baker, a visiting fellow at the Center for Strategic and International Studies, which helped analyze data for the report.

Within the energy sector, which is making large investments in the development of a Smart Grid that will significantly increase the attack surface of the nation’s power distribution system, one third of companies surveyed said they were taking no additional security measures. “That is not a prudent response to the emergence of Stuxnet,” Baker said.

Another report, the Data Breach Investigations Report for 2011 from Verizon, indicated that although reported data breaches appear to up in 2010 from 2009, the number of records compromised in those cases paradoxically dropped, from about 143 million in 2009 to only about 3.8 million last year.

But that is not necessarily a reason to celebrate, said David Ostertag, a Verizon global investigations manager and an author of the report. The change is one of quality as well as quantity. “We’ve had a dramatic change in what the bad guys are stealing,” as thieves respond to changes in the underground market.

Verizon’s data breach report is based on an analysis of more than 900 data breach cases investigated from 2004 through 2009, together with another 667 cases in 2010, investigated by Verizon as well as the U.S. Secret Service and the Dutch National High Tech Crime Unit.

In 2009, data breaches typically involved large volumes of personal financial account information. In 2010, they had shifted more to intellectual property and business information. This is reflected in an increase in precisely targeted, high-value attacks at one end of the spectrum, and more small crimes of opportunity on the other end.

“I think there is a different type of clientele now,” that is driving the type of data being stolen, Ostertag said. “We don’t know enough right now to make any specific statements” about the end users of the stolen data, but for business information, “the parties that would obviously be most interested would be other businesses.” There is no way to rule out nation states as customers for the information, he said.

Criminals also seem to be targeting more small businesses, which yield smaller batches of information, but also are easier targets. This is illustrated by the difficulty of the attacks studied by Verizon. In 2009, about 15 percent of attacks were rated as being of high difficulty, requiring advanced skills, significant customization and extensive resources. For 2010, just 8 percent were rated difficult.

These shifts in target and technique probably are a response to successes by law enforcement in the past year, and also to a glut on the underground market of personal account information from the boom years of 2008 and 2009, Ostertag speculated.

“All of this goes in a cycle,” he said. “And supply and demand drive that cycle.” Credit card account data that sold for as much as $16 per account in 2005 now is going for as little as 20 cents.

As compromised accounts are closed, however, that underground glut will rapidly clear and demand for stolen information will increase, Ostertag said. “Next year’s reports are going to blow this year’s figures out of the water,” he said. “We already know that.”

The McAfee-CSIS report is based on detailed surveys of 200 critical infrastructure industry executives in 14 countries.

One concern identified in the report is that the United States’ rush to develop a smart-energy delivery grid is being done without adequate attention to security. McAfee CTO Phyllis Schneck likened the effort to the adoption of the Internet for critical transactions without adequate security. “It appears we’re making the same mistake,” she said.