The daily barrage of headlines focused on security threats and data breaches has reached deafening proportions. But garden-variety breaches and break-ins are now taking a back seat to highly sophisticated intrusions and theft. Over the last week or so, Kaspersky Lab released details about Carbanak, a form of malware that cyber-criminals have supposedly used to steal millions of dollars from more than 100 banks worldwide.
Then it announced that the NSA might have planted highly sophisticated spyware deep into the hard drives of computers used by banks and foreign governments all over the world, including Russia, Pakistan, China and Afghanistan. It appears that the malicious programs are designed to spy on military organizations, Islamic groups, energy firms and other businesses. Kaspersky reported that the malware has common characteristics with Stuxnet, the worm that The New York Times claims was developed by the U.S. and Israel to cripple industrial machinery in Iran.
It’s pretty clear that you will be reading a lot more about all of this in the days, weeks and months to come. And even if Kaspersky has overhyped the risk, it’s still a flashing red light for CIOs and others who run today’s businesses. The cyber-security environment is evolving–some might say devolving–rapidly. The threats seem to be multiplying faster than bacteria in a petri dish and becoming tougher to recognize and root out. Digital security firm Comparitech, which tracks malware and offers a Breach Level Index, reports that more than 11 billion data records have been lost or stolen since 2005.
All of which raises an important question: If governments are in an arms race to develop sophisticated malware and cyber-spying capabilities, can hackers and cyber-criminals be far behind? A number of experts, including Bruce Schneier, have publicly stated that once governments and sophisticated hackers introduce malware, it quickly spreads and winds up in widespread use. Stealing and replicating code is business as usual for hackers and government entities.
Unfortunately, there are no easy answers to these security threats. The problem is going to continue to get worse before it gets any better. CIOs, CSOs, CISOs and other executives need to take security a lot more seriously. Among other things, this means using encryption a lot more aggressively, rethinking authentication methods and passwords, and turning to more advanced methods to detect potential problems. This includes fingerprinting technology that runs independently of a network and identifies tampering and malicious activity in key systems, including minute code changes. This can identify when a piece of code–such as Stuxnet–changes from dormant to active.
It’s a Brave New World.