Today, IT security is moving to the forefront of the technology conversation, but there are only two kinds of SME businesses in this world: defenders or victims. Furthermore, there are different kinds of victim, such as aware or unaware, willing or unwilling.
This week, ASIO released its annual report and observes that there has been an increase in “hostile cyber espionage activity against Australian Government and private sector systems”.
By now we all know that on the web we are all vulnerable, but I found it illuminating to hear about the mindset of attackers at last week’s AISA conference where Adobe’s chief security officer, Brad Arkin, was speaking.
He explained that attackers seek to minimise the cost of their exploit development costs. Hacking is not easy; it is just easier than what an honest person would call a real job. These people are smart but lazy, and have a different moral code that goes something like ‘I will take what those rich people have but are too lazy to protect’.
So they look for the easiest prey for their exploits. As the software companies create patches to lock out the known exploits, the hackers move on to other bugs in other tools.
When software developers create blockages that are time consuming to get around, the cost of developing an exploit goes up. That forces the hackers to move on. These are not just spotty-faced kids with laptops in their bedrooms; they are often sophisticated criminals with teams of people working for them in squalid conditions.
Arkin shared the story of the bear. If you are out for a walk with a friend and a ferocious bear attacks, you don’t have to outrun the bear. You just have to outrun your friend.
What he is getting at is that if your systems are up to date with patching and protection, the cybercriminal will move on to find a more exposed victim.
Arkin went on to explain that exploit development has an upfront cost. Once an exploit is created it only takes tweaks to keep it fresh and these are cheap. So software companies need to deliver major steps forward in their patches to really change the game on the hackers.
He said Adobe had to change its mindset to stay ahead of the hackers. They went on a fuzz and fix methodology. With this approach of finding their own flaws and fixing them, thousands of problems in Version 9 were fixed. Version 10 was much better but got a big attack, which was a surprise to Adobe. Version 11 introduced sandboxing to make it harder for the hackers. With this, they outran the bear.
The message is clear: If you are not managing patching across your application suite, you are leaving the door open to the hacker community and are thus a willing victim, even if you have not yet noticed the attacks.
ASIO is now warning that foreign hackers, some of them government-funded in their own country, are now hacking Australian computers looking for IP that will help their nation to develop faster. It is up to every business owner to ensure the right measures are being taken to protect IP, privacy and any identity material of staff, suppliers or customers.
Are you doing enough? Have you invested in protecting your company’s IP? Do you really trust your current IT team to have the required specialist knowledge to ensure your safety? Should you get them the help they need?
David Markus is the founder of Combo – the IT services company that is known for solving business problems with IT. How can we help?
Comments