Holding back the tidal wave of cybercrime




FEATURE

Holding back the tidal wave of cybercrime

Maria Eriksen-Jensen, Secunia

Computer Fraud & Security, March 2013

Whatever their job title, those responsible for IT security in an organisation all have one thing in common – the complexity of their task is increasing as security threats become ever more aggressive. Within this context, today’s IT security professional is expected to solve problems and manage risk, often with a tight budget. And all are aware of the potential damage that an IT security breach can have not just on the running of their company but on its image, reputation and therefore its revenue.

While the scale of cybercrime is increasingly being recognised by business and governments, what to do about it is not quite so clear cut. Everyone who uses the Internet – now estimated at 31% of the Earth’s population – is a potential victim of cybercrime. In 2011, the UK Government estimated that cybercrime costs the country’s economy £27bn a year – £21bn of costs to businesses, £2.2bn to government and £3.1bn to citizens – and these costs could actually be much higher.[1] In 2012, the World Economic Forum claimed that cybercrime is one of the biggest risks to global financial and political stability. While the UK government investment of £650m over four years, starting in 2011, in the National Cyber Security Programme to bolster the UK’s cyber defences is a welcome step, organisations need to do as much as they can themselves to ensure they are as protected as possible.[2]

An analysis of data from 2006 to 2011 shows that the software industry is still unable to reduce the number of vulnerabilities in software.[3] None of the top 20 software vendors managed to reduce the number of vulnerabilities in their products over this period. Identifying and remediating vulnerabilities in deployed products therefore remains a critical task for organisations and private users in order to manage the risks of security breaches and system compromise.

Software vulnerability

There are, of course, many solutions that companies turn to in order to help secure their digital assets. But something that many organisations overlook is how to get – and keep – control of the fundamental root cause of security problems, and that is the underlying vulnerability of the software. Organisations are often unaware of a breach until they are advised by law enforcement that corporate or customer data has been stolen. That is not a good way to find out. The old truism that knowledge is power applies very much here – reliable vulnerability intelligence, coupled with the technical skills to know how to circumvent a potential problem, is vital.

Many business managers still believe that software vendors take all possible steps to make their software secure. And while most do a great deal of testing, many products on release – and even into maturity – still contain flaws that allow cyber-criminals to gain access to the entire infrastructure of any organisation. And, contrary to widespread belief, it is not mainly Microsoft programs that are to be blamed for these flaws. With the plethora of software programs used in organisations today, including company phones or laptops used both professionally and privately by employees, cyber-criminals are having a field day.

The trend to Bring Your Own Device (BYOD) into the workplace is on the increase. Cisco recently published a study of 600 US IT and business leaders that found that as many as 95% of the organisations now allow employee-owned devices in the workplace in some shape or form. According to the study, “by 2014, the average number of connected devices per knowledge worker will reach 3.3, up from an average of 2.8 in 2012.”[4] While full marks can be given to employers for being so flexible, this trend to merging the private and workplace worlds brings with it some serious security concerns.

Secunia’s publicly available software analysis regarding the security of PCs is derived from the 6.1 million private users worldwide using the Secunia Personal Software Inspector (PSI), and includes data on the share of vulnerable software found on private PCs. The PSI data from 2011 tells us that three of the most popular programs on private PCs in the UK remain unpatched on one-third of the PCs – even though they are vulnerable, and even though patches are available. For example:

• There are 58 vulnerabilities in Sun Java 6 – 63% of PC users in the UK have it installed on their PCs, and 57% of those haven’t patched it.

• There are 26 vulnerabilities in Apple QuickTime 7 – 56% of PC users in the UK have it installed on their PCs, and 49% of those haven’t patched it.

It is easy to see that the combination of private users who do not update their software and who are bringing their own device to work is a dangerous mix. And as the Cisco study says, it is not just the physical device that employees are bringing to work but also their own applications – including social networks, cloud-based email and instant messaging. And so the digital behaviour employees adopt in private, with the IT security risks it involves, is now mingling with the corporate IT infrastructure. This is just one more headache for the IT team. Because so many users don’t update the software on their own PCs, it is very difficult for the IT department to know what to patch.

Identifying the vulnerable

To protect endpoints that are connected to the corporate IT infrastructure from vulnerabilities, it is essential to identify the vulnerable software, prioritise it and patch it. A patch remediates the root cause of the problem, and thereby eliminates a large number of attacks. This is done by applying the patches issued as security updates by software vendors, and while most corporations with IT teams on board can be expected to have a patch strategy (of varying degrees of efficiency, of course), patch management routines and resources are not something we should expect from end users or smaller businesses. Most private individuals and even small businesses believe it is too time-consuming and too complex to update their software and do not make it a priority. Many believe that, once they have updated their Microsoft programs when prompted by the company, they have done all that they need to. The problem is that, on average, a private PC in the UK has 72 programs on it – only 27 of those are from Microsoft, and 45 are from third-party vendors. But third-party software is where 78% of all vulnerabilities are found.


Figure 1: Annual costs to business of customer data loss through cybercrime. Source: Detica/Cabinet Office.

While Microsoft issues automatic updates to its programs, we know from Secunia’s data that this only covers 34% of the programs installed on the average UK PC – the third-party vendors accounting for 66% of the programs have their own update mechanisms. This means that, unless they are employing a tool that does it automatically for them, the average UK user has to master 23 different update mechanisms to patch the software on their PC – and not only master the update mechanism, but actually perform the updates on an on-going basis, to keep their PCs secure from vulnerabilities.

The lack of endpoint security is among the biggest corporate security threats. And vulnerable software on these endpoints is one of the most popular attack vectors with hackers – an attack vector that is likely to become more and more common. Essentially, business and private endpoints are very rewarding targets for cyber-criminals. This is because, being extremely dynamic environments with numerous programs and plug-ins installed, they are very difficult to secure.

Together with unpredictable usage patterns, this makes them formidable targets that are difficult to defend. Endpoints are where the most valuable data is found to be the least protected. And by definition, endpoints have access to all data needed to conduct an organisation’s business. Every endpoint represents a valuable target for cyber-criminals, even if no sensitive data is present. The endpoints’ computing power and bandwidth provide valuable resources – for example, as an infection point, proxy or for distributed password-cracking services. Cyber-criminals often use off-the-shelf malware construction kits that do not even require any coding expertise in their efforts to sabotage computer programs. These criminals have refined the malware manufacturing and development process to systematically bypass traditional defence mechanisms. Security patches, if used correctly, can be a very effective way to overcome the many limitations of those traditional defence mechanisms. Intelligent patching can lower risk levels by up to 80% and maximise operational efficiency. However, timely patching of the software portfolio of any organisation is difficult, because it is like chasing a continually moving target.

The strategic approach

The answer lies in a strategic approach. The implementation of a patching strategy has to be integrated with an organisation’s software management and operating system release strategy. To achieve the desired level of security, an organisation must establish processes for the regular monitoring and correction of issues, ensuring that the risk is minimised and that it is compliant with specific regulations.

Figure 2: Vulnerabilities (CVEs) for the top 20 vendors in 2011, and average for 2006-2010. Source: Secunia Yearly Report 2011.

A recent white paper from Secunia tracked a representative endpoint comprising the operating system (Windows XP) and a software portfolio with the industry’s top 50 most prevalent programs.[5] The portfolio on this representative endpoint had programs from 14 different vendors installed: 26 programs from Microsoft and 24 programs from third parties (non-Microsoft). To measure the number of vulnerabilities per host, the paper used data gathered from over 6 million users of Secunia’s free scanner, which identifies and patches insecure programs on endpoints. That data shows that vulnerabilities in third-party programs by far outnumber vulnerabilities in the operating system or in Microsoft programs.

The sheer complexity of patching will undoubtedly leave a large number of systems incompletely patched – and thus vulnerable. This complexity in keeping an endpoint fully patched has a measurable effect on security. Creators of malicious software and botnet agents are using a broad spectrum of tools and techniques that can easily bypass traditional anti-virus technologies. As discussed above, the common perception that the operating system and Microsoft products are the primary attack vector and that traditional defence methods provide sufficient security against vulnerabilities is incorrect.

Timely patching should be considered as a primary security measure. However, a ‘one approach fits all’ strategy no longer works, and the ever-evolving threat landscape is causing the goal posts to continually move. The main dilemma is identifying the critical programs worth patching to achieve the largest reduction in risk.

Bad investment

From a security perspective, it is a bad investment to only deploy a patch for a program with vulnerabilities that are ‘not critical’ or ‘less critical’, while programs with ‘highly critical’ vulnerabilities remain unpatched. It is not just the most popular and widely used programs – the ‘usual suspects’ – that should be monitored with caution. Today’s attacks typically use a large number of different exploits to open up attacks against a wide range of vulnerable programs – thus less-prevalent programs are not ruled out by cyber-criminals and can also lead to compromise. The challenge is to identify which vulnerability to patch at which time. Knowing what to patch is crucial, given that security resources are limited – intelligent patch prioritisation pays off considerably. If risk requirements demand that at least 80% of the risk of unpatched programs has to be remediated, this can be achieved by either patching the top 12 most critical programs or by patching the top 37 most prevalent programs per year. It is not the amount invested in IT security that is of importance for achieving optimal risk reduction with the same or fewer resources – rather, it is the type of technology and its capabilities that matter.

According to Secunia’s most recent Yearly Report into IT breaches, the share of third-party vulnerabilities on a typical endpoint increased from 45% in 2006 to 78% in 2011 – by far outnumbering the 12% of vulnerabilities found in operating systems or the 10% of vulnerabilities discovered in Microsoft programs. The report shows that the number of endpoint vulnerabilities increased once again in 2011 to over 800 vulnerabilities – a tripling within only a few years – more than half of which were rated by Secunia as either ‘highly’ or ‘extremely’ critical.

Many businesses are not doing enough to help themselves. By not addressing errors in software installed on typical endpoints, organisations and individuals are in effect leaving their back doors wide open for cyber-criminals to enter and compromise their most sensitive data. One problem often lies with the company’s security strategy. The programs that an organisation perceives as top priorities to patch and the programs that cyber-criminals target are often vastly different. A typical corporate infrastructure contains layers of programs that organisations consider business-critical. Many organisations will focus on patching the top layer – business-critical programs – only. Cyber-criminals, however, will target all programs and only need one vulnerable program to compromise the host. The Secunia Yearly Report revealed that, for an organisation with over 600 programs installed in its network, more than 50% of the programs that are vulnerable in one year will not be vulnerable the next year, and vice versa. Therefore identifying all installed programs and implementing an agile, dynamic patching strategy according to criticality in the remediation phase, as opposed to a short-sighted approach of only patching a static set of preferred programs, clearly wins in terms of achieving optimal risk reduction with limited resources. Some 72% of vulnerabilities had patches available on the day of disclosure; therefore the power to patch endpoints is in the hands of all end users and organisations.
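The prioritisation argument above, as an added worked example that is not from the article or from Secunia: a constructed twelve-program inventory is ranked either by criticality-weighted risk or by prevalence alone, and the number of programs needed to remediate 80% of the risk is counted; the same year-one list is then re-applied to a year-two inventory to show how a static list loses coverage once the vulnerable programs change. The risk model, the weights and every inventory value are assumptions.

```python
"""Risk-based patch prioritisation over a constructed software portfolio.

Each program carries its prevalence (share of endpoints it is installed on) and
a count of unpatched vulnerabilities per criticality rating.  Its risk
contribution is prevalence multiplied by the criticality-weighted vulnerability
count.  This is an assumed model for illustration, not Secunia's scoring.
"""
from dataclasses import dataclass, field

# Assumed weights for the criticality ratings the article names.
CRITICALITY_WEIGHT = {"extremely": 5, "highly": 4, "moderately": 2, "less": 1, "not": 0}


@dataclass
class Program:
    name: str
    prevalence: float                          # share of endpoints, 0.0 .. 1.0
    vulns: dict = field(default_factory=dict)  # rating -> number of unpatched vulns

    def risk(self) -> float:
        weighted = sum(CRITICALITY_WEIGHT[r] * n for r, n in self.vulns.items())
        return self.prevalence * weighted


def by_risk(p: Program) -> float:
    return p.risk()


def by_prevalence(p: Program) -> float:
    return p.prevalence


def programs_to_patch(portfolio, target, order):
    """Names of the programs to patch, taken in the given ranking order, until
    at least `target` (e.g. 0.8) of the portfolio's total risk is remediated."""
    total = sum(p.risk() for p in portfolio)
    chosen, covered = [], 0.0
    for p in sorted(portfolio, key=order, reverse=True):
        if covered >= target * total:
            break
        chosen.append(p.name)
        covered += p.risk()
    return chosen


def coverage(names, portfolio):
    """Share of the portfolio's risk remediated by patching exactly `names`."""
    total = sum(p.risk() for p in portfolio)
    if total == 0:
        return 1.0
    return sum(p.risk() for p in portfolio if p.name in names) / total


# Constructed year-one inventory (not Secunia data): prevalence and unpatched
# vulnerabilities by rating.  Some very prevalent programs carry little risk.
YEAR1 = [
    Program("OS", 1.00, {"highly": 2, "less": 3}),
    Program("Browser", 0.95, {"extremely": 1, "highly": 2}),
    Program("Office suite", 0.90, {"highly": 1, "moderately": 1}),
    Program("Screen-capture utility", 0.85, {"less": 1}),
    Program("Printer driver", 0.80, {"less": 1}),
    Program("PDF reader", 0.70, {"extremely": 1, "moderately": 2}),
    Program("Java runtime", 0.63, {"extremely": 2, "highly": 3}),
    Program("Media player", 0.56, {"highly": 2}),
    Program("Archive tool", 0.40, {"less": 2}),
    Program("Chat client", 0.30, {"highly": 1}),
    Program("FTP client", 0.20, {"moderately": 1}),
    Program("CAD plug-in", 0.05, {"extremely": 1}),
]

# The same portfolio a year later (also constructed): which programs are
# vulnerable, and how critically, has shifted.
YEAR2 = [
    Program("OS", 1.00, {"highly": 1, "less": 2}),
    Program("Browser", 0.95, {"highly": 1}),
    Program("Office suite", 0.90, {"less": 1}),
    Program("Screen-capture utility", 0.85, {"extremely": 1}),
    Program("Printer driver", 0.80),
    Program("PDF reader", 0.70, {"highly": 1}),
    Program("Java runtime", 0.63, {"extremely": 1, "highly": 1}),
    Program("Media player", 0.56, {"extremely": 2}),
    Program("Archive tool", 0.40, {"highly": 2}),
    Program("Chat client", 0.30),
    Program("FTP client", 0.20, {"extremely": 1}),
    Program("CAD plug-in", 0.05),
]

if __name__ == "__main__":
    risk_list = programs_to_patch(YEAR1, 0.8, by_risk)
    prev_list = programs_to_patch(YEAR1, 0.8, by_prevalence)
    print(f"Year 1, 80% of risk by criticality-weighted risk: {len(risk_list)} programs {risk_list}")
    print(f"Year 1, 80% of risk by prevalence alone:          {len(prev_list)} programs")
    # A static list carried over unchanged loses coverage as vulnerabilities move.
    print(f"Year 1 list re-applied to year 2 covers {coverage(risk_list, YEAR2):.0%} of risk")
    print(f"Re-ranking for year 2 needs {len(programs_to_patch(YEAR2, 0.8, by_risk))} programs")
```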

Resilient vulnerabilities

Vulnerabilities are resilient. Despite the number of vulnerabilities decreasing in 2011 in general, the five-year trend identified that none of the top 20 producers of software (commercial or open source) managed to decrease the number of vulnerabilities in their products. Complexity is the worst enemy of security. The software portfolio installed on an average endpoint comprises programs from 24 different vendors (26 Microsoft programs and 47 third-party programs). It therefore involves 24 different update mechanisms to keep a typical endpoint secure (one Microsoft update and 23 additional update mechanisms). The complexity involved in staying secure has a measurable effect on security levels.

Figure 3: How IT departments are responding to the Bring Your Own Device (BYOD) trend. Source: Cisco IBSG Horizons Study.

Rare programs are also risky. It’s not just the usual suspects that are at risk – uncommon programs can also be exposed to cyber-criminal attack. Analysing the market share against exploit availability demonstrates that all programs are at risk. An example of a recent vulnerability that hit the headlines was a zero-day flaw in Internet Explorer, affecting IE versions 7, 8 and 9 and exploitable on XP, Vista and Windows 7; while Microsoft worked out how to fix the flaw, it offered free security software on its website (the Enhanced Mitigation Experience Toolkit, EMET). While relatively uncommon, zero-day vulnerabilities can cause havoc. In this case, although hackers had already targeted the flaw to take remote control of computers before it became public knowledge, companies that received information about the vulnerability early were able to disable IE and then direct users to use a different browser until a patch was available. As zero-day vulnerabilities are those that have not yet been discovered by anyone but the hacker, and therefore do not yet have a patch from the vendor, vulnerability intelligence is essential to ensure that appropriate steps are taken to avoid the pitfalls.

Reduced privileges

One way in which organisations try to limit the danger posed by cyber-criminals is by reducing privileges for user accounts, as a key security best practice to prevent misuse and successful exploitation of endpoint systems. The reasoning behind this is twofold. First, malware is assumed to require administrative access to successfully exploit and compromise a system. Second, users without administrative access are prevented from bypassing the organisation’s security policy as they cannot install and run unauthorised programs on their own. This strategy, on its own, however, is flawed. Unfortunately, user accounts with reduced privileges do not provide complete protection from attack, misuse or compromise. While reducing privileges for end users can be regarded as part of an effective security strategy, it cannot be solely relied on. Organisations need to be aware of the limitations of this approach in order to prevent them from getting a false sense of security that could lead to under-investing in complementary security layers.

Whatever the organisation, its personnel work on their endpoints to carry out daily tasks. Irrespective of the privileges permitted on their systems, they need and have access to all business-relevant data and internal networks required in order to get their work done. Even when working with reduced privileges, any program or process running with the same set of privileges also has full access to all this data. This means that information valuable to cyber-criminals is present regardless of users’ privileges, and justifies the cyber-criminals’ interest and investment in finding ways to compromise end users’ systems. The number and complexity of pre-installed programs and plug-ins found on typical endpoints alone provide plenty of opportunities for attack and compromise. Running as a non-admin user mainly helps to limit what a user can install and configure on the system, but does not prevent an attacker from gaining control of the user’s account. A single exploitable vulnerability in one of the many installed programs (or plug-ins) is all cyber-criminals need to run their malware in the context of the local user. Furthermore, as the user has access to the internal network, the malware can use the user’s account to relay attacks against other systems. The fact that many programs do not need to be installed or require administrative privileges to be run on an endpoint is often overlooked. For example, there is a growing list of so-called ‘portable applications’ – programs that do not require installation.
This represents an enormous opportunity for cyber-criminals and also helps explain why up to 9% of the endpoints in large enterprises were found to be bot infected, despite the implementation of best-of-breed security policies and perimeter protection.[6] Many of the vulnerabilities are of the ‘privilege escalation’ type that allows the attacker to gain elevated privileges, thereby nullifying the protection sought in restrictive user permissions. Exploiting this type of vulnerability allows an attacker to escape the stringent permissions of the user and execute code with administrator or system privileges. In addition, there are many ways in which users can bypass restrictive user rights to run and install programs on their own. There is a rich body of step-by-step instructions on the Internet that shows users how to bypass user restrictions to run their own programs.

Exploitation strategies

Over recent years, and in the face of more restricted environments, cyber-criminals have developed successful technologies and strategies to make exploitation and system compromise independent of administrative access on endpoints. An increasing number of recent exploits and malware do not require modifying a system file or the registry – just running in memory is sufficient to access and steal sensitive information or infect other internal systems. For example, hijacking browser traffic or communicating with an external host for data exfiltration does not require administrative access. Malware does not even need to be persistent and survive a reboot. A couple of minutes on the endpoint are enough for malware to identify and steal most of the sensitive data, and for it to spread further. Additionally, today’s endpoints are typically left powered on for extended periods of time between reboots, reducing the need for malware to take extensive action, or acquire privileges, in order to stay persistent.

While limiting users’ privileges on endpoints is a recommended and effective means to reduce the risk of host exploitation and limits the capabilities of malware upon successful compromise, it should not be seen as a replacement for vulnerability management and expedited patching of software, nor is it a replacement for anti-virus or other protection technologies. A thorough process to identify vulnerable programs, including programs not authorised by the organisation, paired with effective patch management, is an absolute must to reduce the window of exposure and eliminate the root cause of potential compromise. A breakdown of vulnerabilities by origin reveals the driver behind this trend. Because vulnerabilities in third-party programs by far outnumber vulnerabilities in the operating system or vulnerabilities in Microsoft programs, timely patching of all Microsoft programs and the operating system does not disrupt cyber-criminals’ opportunities at all. There remain plenty of opportunities for system compromise in third-party program vulnerabilities. Furthermore, cyber-criminals do not need precious zero-day exploits at all – at any given time there will always be a large number of systems present with numerous unpatched programs.

Traditionally, organisations perceive the operating system and Microsoft products to be the primary attack vector, thereby largely ignoring third-party programs in their risk matrices. Thus, the prioritisation of patching most Microsoft products and perhaps a few third-party products is often an established strategy. This strategy may have proved effective in the past to achieve the desired level of risk. However, data shows that the dynamics of the threat environment over the last five years result in an increasing gap of unmitigated risk if the patching strategy remains unchanged.

Since the mass adoption of firewalls, organisations’ main defence against cyber-threats relies mostly on technologies such as anti-virus and intrusion detection/prevention systems. However, creators of malicious software and botnet agents have developed and used a broad spectrum of tools and techniques to create ‘one of a kind’ packages that can easily bypass traditional anti-virus technologies. Knowledge of the malware development process is helpful in understanding the limitations of current defence technologies. The key process is the automated generation of new, obfuscated variants of malware on a massive scale, followed by quality assurance to ensure that only malware that is not detected is deployed. The result is a stealthy threat that evades signature-based detection systems, static analysis tools, behavioural monitoring environments, and sandbox technologies. Recent research and independent testing repeatedly confirm the scale of new virus variants and the limitations of anti-virus and malware detection technologies.

Arms race

These findings clearly demonstrate the on-going arms race between cyber-criminals and defence technologies trying to keep up. In a context of limited security resources, it is imperative to utilise patching techniques optimally in order to achieve the desired level of risk compliance. The numerous vulnerabilities constantly found in the diverse software portfolio of any organisation represent the main security threat. In light of the limitations of anti-virus and other defence technologies, and the effectiveness of patches to remediate the root cause of compromise, controlled and timely patching of the infrastructure in order to minimise the business risk should be considered as a primary security measure. For typical organisations, patching all programs is operationally and economically prohibitive. Furthermore, identifying and patching the right programs to achieve the largest reduction in risk is a significant challenge. Identifying the critical programs worth patching is similar to chasing a moving target. While some programs are vulnerable in several consecutive years, many programs are only vulnerable in some years while not in others. Programs with low prevalence are also frequently found to be considered critical in some years.

Today’s attacks typically use a large number of different exploits to open up attacks against a wide range of vulnerable programs. Different exploits are tried in sequence until one succeeds in compromising a vulnerable program – a process that is fully automated. New exploits are simply loaded as plug-ins, thereby ensuring that attackers can quickly and easily adapt to diverse target environments. Thus, less prevalent programs can also lead to compromise as these are not ruled out by cyber-criminals. So, knowing what to patch is crucial in the light of limited security resources. A considerable increase in security with limited resources is entirely possible, but requires the identification of the most critical programs. The dynamics of a software portfolio, paired with the rapid changes in the threat environment, imply a dynamic approach to ensure that organisations patch what is most critical from the risk compliance perspective. The continued manual tracking of the criticality of vulnerabilities affecting all programs used in an organisation is cost prohibitive. However, solutions exist to automate this task, and the cost of such solutions has to be weighed against the increase in security that can be achieved with fewer resources.

Essential testing

Testing security patches before deployment is a crucial step to identify and prevent potential issues or incompatibilities introduced by the patch. However, extensive testing that considerably delays the deployment of critical security patches leads to an increased risk of system compromise. Research shows that the availability of exploit material increases to over 90% within days of vulnerability disclosure. From the risk-management perspective, the cost of testing, plus the increased risk of compromise while available patches are delayed, has to be weighed against the cost of recovering from a failed patch multiplied by the probability of a failed patch. The risk of a patch that causes incompatibilities or disrupts existing business processes after patch deployment drives the commitment of resources into testing. Assuming that the testing of patches identifies potential issues with a patch with 100% certainty, the cost of testing is justified by the averted cost of recovering from a failed patch.

Testing can start with the availability of a patch. Upon the availability of a patch the vulnerability is made public and the availability of exploit material increases significantly, which in turn increases the probability of a compromised PC. Furthermore, the cost of compromise and recovery from compromise is typically higher, and raises more questions, the longer a patch is available but not deployed. Thus, the true cost of testing increases with the increased risk of compromise. The cost of recovery from a failed patch certainly depends on the type of program being patched. If, for example, there are issues with a patch of server software on which many services depend, the cost of recovery can become high, as compatibility issues are likely. This makes rolling back the patch and recovering from the issue extremely difficult; therefore, extensive testing is more than justified. However, if a patch for a typical desktop program, for example, has issues, the damage is usually minimal and a rollback is easy and quickly completed. Furthermore, there are alternative programs to provide the functionality. Thus, for many programs, the cost of recovery does not justify the expenditure and additional risk of extensive testing. This is especially true as the delayed rollout of the patch poses a considerable risk. Programs on endpoints are especially at risk of compromise with the many attack vectors and the activity of the end users. Server software, on the other hand, is typically better protected as the server does not surf the Internet, receive mails or open different types of documents. It is therefore advisable to reconsider the testing procedures and take the different types of programs, and their potential options to recover from a failed patch, into consideration. It is likely that, for many programs, the achieved reduction in risk through expedited rollout of security patches more than pays off when compared with the rather small risk of recovering from a patch with issues. Furthermore, the resources saved from this strategy can help to speed up the testing of more complex programs.
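One way to make the testing trade-off above explicit, as an added example that is not part of the article: an expected-cost comparison between testing a patch first and expediting it, using the article’s assumption that testing catches a bad patch with certainty. The exploit-availability curve, the daily attack probabilities, the cost figures and the two program profiles are constructed assumptions, not measurements.

```python
"""Expected-cost comparison: test a security patch first, or deploy it at once?

Constructed model (not from the article or from Secunia).  Exploit material for
a disclosed vulnerability becomes available within days, so every day a patch
is held back for testing adds exposure; skipping the test instead risks a
broken patch whose recovery cost depends on the kind of program being patched.
"""
from dataclasses import dataclass


@dataclass
class PatchProfile:
    name: str
    test_cost: float          # cost of running the test cycle
    test_days: int            # days the test cycle delays deployment
    fail_prob: float          # probability an untested patch breaks something
    recovery_cost: float      # cost of rolling back / recovering from a failed patch
    compromise_cost: float    # cost of a compromise through the unpatched vulnerability
    daily_attack_prob: float  # daily probability of an attack once exploit material exists


def exploit_availability(day: int) -> float:
    """Assumed share of disclosed vulnerabilities with public exploit material
    `day` days after disclosure; passes 90% on day 3 ("within days")."""
    return 1.0 - 0.7 * 0.5 ** day


def compromise_probability(p: PatchProfile, delay_days: int) -> float:
    """Probability of being compromised while the patch is held back `delay_days`."""
    survive = 1.0
    for day in range(delay_days):
        survive *= 1.0 - exploit_availability(day) * p.daily_attack_prob
    return 1.0 - survive


def cost_test_first(p: PatchProfile) -> float:
    # Article's assumption: testing finds a bad patch with certainty, so there is
    # no recovery cost, but the organisation stays exposed for the whole test cycle.
    return p.test_cost + compromise_probability(p, p.test_days) * p.compromise_cost


def cost_expedite(p: PatchProfile) -> float:
    # Deploy on day 0: no exposure window, but a failed patch must be recovered from.
    return p.fail_prob * p.recovery_cost


def recommend(p: PatchProfile) -> str:
    return "expedite" if cost_expedite(p) < cost_test_first(p) else "test first"


# Constructed profiles: a desktop program with a cheap rollback, and server
# software that many services depend on (better shielded, costly to recover).
DESKTOP = PatchProfile("desktop PDF reader", test_cost=500, test_days=5, fail_prob=0.05,
                       recovery_cost=2_000, compromise_cost=50_000, daily_attack_prob=0.02)
SERVER = PatchProfile("database server", test_cost=5_000, test_days=5, fail_prob=0.20,
                      recovery_cost=200_000, compromise_cost=300_000, daily_attack_prob=0.002)

if __name__ == "__main__":
    for profile in (DESKTOP, SERVER):
        print(f"{profile.name}: test first = {cost_test_first(profile):,.0f}, "
              f"expedite = {cost_expedite(profile):,.0f} -> {recommend(profile)}")
```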

Business-critical priorities

Due to increasing security threats and complex regulatory requirements, compliance and security are now recognised as business-critical priorities. Approaching this challenge holistically will add value to any organisation if the process is applied consistently and subsequently provides a transparent overview of the level of security that is present in the organisation. Patching is a necessity and a fact of life, regardless of platforms, programs or security tools. The following question therefore arises – how can an organisation balance the need to patch systems with the risks it faces and the need for stability within the organisation?

The answer lies in the implementation of a patching strategy integrated with an organisation’s software management and operating system release strategy. To achieve the desired level of security, the organisation must establish processes for the regular monitoring and correction of issues, ensuring that the risk is minimised.

It is common knowledge that deploying patches is a complex process that is difficult to master and maintain. However, by using an integrated risk management process that holistically focuses on the criticality of the risks, organisations will be able to achieve higher long-term business value. Nowadays, organisations have to be compliant with a growing body of diverse regulatory frameworks, while investments in compliance do not necessarily reduce the right risks in order to defend against cyber-attacks. To reduce cyber-risks with limited resources, it is important to know the potential targets, the capabilities and limitations of traditional defences, and where to effectively complement defences. Security patches are a primary and effective means to escape the arms race with cyber-criminals, as patches remediate the root cause of compromise. No single approach will win the war against cyber-criminals. A holistic approach to security is required, with tactics such as restriction of user access and deployment of effective anti-virus and firewall solutions and, vitally, a strategic approach to patching. While cyber-criminals will not be totally disarmed in the near future, intelligent use of the above techniques will do a great deal to keep an organisation and its precious data secure.

About the author

Maria Eriksen-Jensen is VP of business development and marketing at Secunia. She has the dual responsibility of conducting business development, aligned with the strategy of Secunia, as well as developing the marketing unit and the marketing activities for external communication. She holds a BSc in international business and an MSc in finance and strategic management from Copenhagen Business School. Secunia (www.secunia.com), headquartered in Copenhagen, Denmark, provides vulnerability intelligence, vulnerability assessment and patch management solutions designed to protect critical information assets.

References

1. ‘The Cost of Cyber Crime’. Detica/Office of Cyber Security and Information Assurance, Cabinet Office. Accessed Feb 2013. www.cabinetoffice.gov.uk/sites/default/files/resources/the-cost-of-cyber-crime-full-report.pdf.
2. ‘Chloe Smith speaks at Cyber Security Summit’. Gov.uk, 6 Nov 2012. Accessed Feb 2013. www.cabinetoffice.gov.uk/news/chloe-smith-speaks-cyber-security-summit.
3. ‘Secunia Yearly Report 2011’. Secunia. Accessed Feb 2013. http://secunia.com/company/2011_yearly_report/.
4. ‘Cisco Study: IT Saying Yes to BYOD’. Cisco, 16 May 2012. Accessed Feb 2013. http://newsroom.cisco.com/release/854754/Cisco-Study-IT-Saying-Yes-To-BYOD.
5. Frei, Stefan; Birkvald, Brian. ‘How to Secure a Moving Target with Limited Resources’. Secunia, 29 Jun 2011. Accessed Feb 2013. http://secunia.com/?action=fetch&filename=Secunia_How_to_Secure_a_Moving_Target_with_Limited_Resources.pdf.
6. Frei, Stefan. ‘Cyber-criminals Do Not Need Administrative Users’. Secunia, 7 Apr 2011. Accessed Feb 2013. http://secunia.com/?action=fetch&filename=Secunia_Cyber-criminals_do_not_need_administrative_users.pdf.