Page 22 - CDM Cyber Warnings February 2014
P. 22
A recent study conducted by the Ponemon Institute paints authentication system, criminals were able to compromise
a dire picture of our cyber security readiness. According to RSA customers including Lockheed Martin that rely on
the 2013 Cost of Cyber Crime Study, both frequency and SecureID tokens to protect their most sensitive data and
time it takes to resolve cyber-attacks continues to rise for networks. In another example, 300,000 Verizon customer
the fourth consecutive year, increasing the cost of records were posted on the Internet. A forensic
cybercrime by 78 percent to an average of $2.6 million per investigation later revealed that none of Verizon�s systems
year and doubling the time it takes to resolve attacks. Even were breached, but that the data had been stolen from a
more concerning is a new technique being used by hackers third-party marketing firm that was part of the company�s
to mount targeted attacks against an organization�s IT supply chain.
supply chain. By shifting their focus to the weakest link in
an organization's IT infrastructure, criminals are exploiting Another example of the risk associated with supply chain
third-party software to gain �backdoor� access to IT cyber-attacks is illustrated by the U.S. Department of
systems. This approach allows hackers to compromise Homeland Security (DHS), which warned employees that
organizations from an angle they normally don� t expect. As their data may have been compromised after a vulnerability
a result, enterprises need to monitor and manage IT security was uncovered in software used by a DHS vendor to process
risks downstream in their supply chain. personnel security investigations. The latest example of
supply chain attacks was the data breach of Adobe, which
“Hackers turned their warned customers that attackers had illegally accessed
source code for several of its products. By gaining access to
focus to the weakest link the source code, attackers could gain insight into otherwise
unknown vulnerabilities, enabling them to unleash zero-day
by exploiting the supply attacks against Adobe�s customers or in the worst case
scenario even inject malware into the code. These are only
chain to gain “back- a few of many examples, in which hackers are mounting
targeted attacks against an organization� s supply chain.
door” access to IT sys-
Playing Hide and Seek
tems” As it relates to supply chain attacks, the range of possible
breach scenarios is vast, and protecting against them all is
The Shift in Attack Vectors challenging, if not impossible. At the end of the day, you
In the past, hackers were primarily exploiting vulnerabilities don�t directly control the security measures of your
in their victim�s network and cyber defense systems to suppliers and can only indirectly influence them or raise
extract data or disrupt business continuity. By improving awareness of shortcomings by conducting vendor risk
their defenses against direct network attacks, organizations assessments.
have been able to counter these efforts and improve their
resilience against cyber-attacks. However, since early 2011
the security industry has seen a shift in attack vectors, as
hackers turned their focus to the weakest link by exploiting
the supply chain to gain �backdoor � access to IT systems.
One of the most damaging and memorable supply chain
attacks to date remains the RSA SecureID token breach.
Using stolen data about the company�s SecurID
CYBER DEFENSE MAGAZINE - ANNUAL EDITION 22