I am approaching the four-year mark of my professional experience working in IT security, and it has been interesting to look back over how much has changed and what has been happening in security during those four years. This post offers some observations.
First, the good
It seems like there is positive momentum in the recent efforts --- and results achieved --- by law enforcement in arresting, prosecuting and convicting hacktivists and cyber criminals. Cases in point:
- Cody Kretsinger (online name "Recursion") was sentenced last week by a Los Angeles court to one year in prison for his role in a LulzSec attack on Sony Pictures.
- A 24-year-old Australian (online name Aush0k) was arrested this month for leading a cyber attack on an Australian government website. He faces up to 10 years in prison.
- In January, the FBI announced the unsealing of indictments against three men --- a Russian, a Latvian and a Romanian --- who were the creators and executive managers of the Gozi malware enterprise. They face 60 to 95 years in prison if convicted. The U.S. district attorney for New York called Gozi "one of the most financially destructive computer viruses in history." And with the managers of the Gozi criminal enterprise under arrest, attacks using Gozi malware have fallen dramatically. Don Jackson of our CTU team, who discovered and named Gozi in 2007, predicts that the malware will eventually disappear through attrition.
Until this year, people and organizations in the U.S. generally have been reluctant to name names and attribute cyber attacks to specific nation-states, even when the evidence about the attack sources has been very strong. This year, that changed. The New York Times' report on the attacks on and compromise of its IT assets by threat actors in China with ties to the People's Liberation Army, as well as other reports from credible security leaders and firms, brought a new level of directness to the issue of cyber espionage by Chinese threat actors.
The U.S. government stepped up its direct criticism of China regarding cyber espionage as well.
Not to be overly optimistic, but there may be some good things coming out of this. For instance:
The New York Times reported April 25th that "China's leadership appears to have heard the Obama administration's admonitions that it will not tolerate the practice of cyber attacks aimed at intellectual property and gaining commercial secrets from American businesses, American officials say. The Chinese agreed during a recent visit of Secretary of State John Kerry to join a 'cyber working group' with the Americans. 'There has to be some kind of code of conduct established,' General Dempsey said."
On the other hand, many negative trends are growing, such as:
- The increasing sophistication of cyber criminals and their tactics
- The growth of mobile devices and the BYOD trend, which present great risks and a larger attack surface that can be exploited. Our CTU team has written extensively about this issue, including the growing attacks that exploit vulnerabilities in the Android OS.
- The use of cyber attacks to achieve "political objectives," such as attacks by WikiLeaks sympathizers and the previously mentioned LulzSec group
- The use of DDoS attacks as a diversionary tactic by criminals, who execute rapid-fire financial fraud (via ACH transfers) while a company's security or IT employees are focused on DDoS mitigation
How fast things change in information security risk management.
Consider these three trending topics: APT (Advanced Persistent Threat), "Chinese cyber attacks," and "cyber threats." According to Google Trends, APT first showed up as a search term with measurable volume on Google in January 2010, "Chinese cyber attacks" first showed up in November 2009, and "cyber threats" first registered after August 2007.
It's a challenging, fascinating, risky, complicated, dynamic, important field in which to work. Hats off to all the info security people and unsung heroes who are fighting the bad guys.