Information security in 2012 reflects constant change

22 Dec 2012

Covering the area of information security for any length of time makes one trend very clear: the types of threat may change from one year to the next but the extent of the problem never seems to diminish. Change is constant as attackers adjust their tactics to stay one step ahead of their pursuers.

So it proved in 2012. While there were marginally fewer security incidents reported in Ireland this year – a mere 3pc, in fact – that was offset by a growth in hacking, denial of service attacks and the emergence of ransomware.

The findings came from Ireland’s voluntary computer emergency response team IRISSCERT, which released the figures at its annual cybercrime conference in November. Hacking incidents tripled, from five attacks in 2011 to 15 so far in 2012. Denial of service rates doubled to 12, averaging one per month – and that’s just the reported attacks.

Give us your money

Ransomware was a new and unwelcome guest, featuring in reports for the first time in 2012. Aimed mainly at small companies, it involves attackers breaking into servers on the victim’s network and infecting it with malicious software that encrypts the data stored on it.

Then when an employee tries to access that information, they are told they have to pay a fee – sometimes up to €3,000 – to get their data back. In this type of scam, attackers also overwrite the victim’s backups, shutting off the option of restoring to a previous version of the data.

In the middle of the year, Deloitte issued its own first Irish Information Security and Cybercrime Survey, continuing the previous work of ISSA and UCD. It found almost a third of Irish organisations experienced between one and five large security breaches during 2011. The cost of each incident was estimated at €41,875 on average.

Security (non-) response

Just six out of 10 organisations polled said they were partially ready to respond to an incident and had no specialist systems in place to detect when they occur, while 68pc said they took no further action after discovering an internal or external breach. “That means they found an issue and decided to do nothing,” said Jared Carstensen, manager of Deloitte’s Enterprise Risk Services group.  

At least Deloitte acknowledged that with a small sample set, its data might not be reflecting a true picture of the extent of the problem. Officials said that putting a cost to the threat was designed to help security pros make a case to their board for more help. Good luck with that.

No such problems for Norton, which announced its latest cybercrime report for 2012 in September. It calculated that around 556m adults were affected by cybercrime in the previous 12 months – an eyebrow-raising 9pc of the world’s entire population.

Globally, data breaches remained plentiful. A couple of the high-profile victims included LinkedIn and eHarmony, as well as Twitter. A handy Halloween-themed infographic published on the last day of October listed some of the scarier cyber attacks seen during 2012.

Secure career choice

Unsurprisingly, with all of this activity, the information security sector kept the jobs fairy well stocked with magic dust: several companies announced new operations in Ireland – such as Mandiant, which announced 60 jobs, or Xtralis which initially set up with 10 jobs, anticipated to grow to 50.

Others expanded an existing base, like Integrity Solutions, which created 25 new posts this year, while Ward Solutions announced 20 additional jobs.

One upshot of all this activity is that information security is increasingly looking like a solid career choice. In fact, if anything, the sector is facing a problem of under-supply: it’s telling that the main purpose of the stand Amazon sponsored at this year’s Irish Cyber Crime conference was to recruit security experts.

As the year drew to a close, there was good news for Vordel, one of the founding members of the indigenous cluster group InfoSecurity Ireland (ISI) and a relative veteran of Ireland’s tech scene, having been formed back in the late Nineties.

The company was acquired by the French business software group Axway in a cash deal that some sources speculated could be worth between €40m and €50m. In 2011, fellow ISI founder Norkom was snapped up by BAE – proof that Ireland is producing international-class security companies.

Hacktivism and espionage

Hacktivism was a headline story in 2011, thanks to the activities of Lulzsec and Anonymous. There was less headline-grabbing activity in 2012 but there were still a number of isolated incidents.

In April, hackers associating themselves with the Anonymous collective targeted three UK government websites, bringing them down in a denial of service attack. The attacks were in protest of the government’s extradition policies.

Web attacks mirrored real-world events. In November, government websites in Israel were attacked 44m times, following that country’s strikes on Gaza. Initial reports suggested that just one of these attacks had been successful.

This year, The New York Times published a story naming Israel and the US as the developers of Stuxnet, which experts consider to be the first official cyber weapon. In 2012, the legacy of Stuxnet – which was first discovered in 2010 – was built upon with the discovery of Flame.

Once again, aimed at infecting systems in countries in the Middle East, including Iran, Flame is more powerful than Stuxnet, according to anti-virus firm Kaspersky Lab.

The Russian company said Flame’s purpose was to carry out cyberespionage. CEO Eugene Kaspersky said: “The risk of cyberwarfare has been one of the most serious topics in the field of information security for several years now. Stuxnet and Duqu belonged to a single chain of attacks, which raised cyberwar-related concerns worldwide … Unlike with conventional warfare, the more developed countries are actually the most vulnerable in this case.”

The Middle East wasn’t the only front for a seeming cyber cold war. In October, US lawmakers stepped in to try and prevent US telcos doing business with Chinese hardware manufacturers such as ZTE and Huawei after the US House of Representatives’ Intelligence Committee published a report alleging Chinese state influence on those companies which it claimed poses a threat to US national security.

A look ahead

Since it’s common to finish year in review pieces with a look to the future, here’s our prediction of sorts. With ITU discussions on the internet’s future taking place as this article was being written, it’s a likely bet that cyberwar – whatever that loaded term means – is likely to figure in 2013.

Keep watch for plenty of vested interests putting forward their arguments. For useful counterbalance on the debate, we recommend following security figures like Marcus Ranum, Mikko Hypponen, Eugene Kaspersky and Bruce Schneier. All have offered plenty of thought-provoking material to challenge conventional wisdom and their voices deserve to be heard as the volume rises in this particular discussion.

Here’s to a peaceful 2013, in cyberspace and elsewhere.

IT security image via Shutterstock

Gordon Smith was a contributor to Silicon Republic