What lurks beneath

The tide is rising when it comes to security threats. Fleur Doidge heads off on a phishing trip

Surfing the web sets the average user adrift in a sea of strange creatures. There may be few jellyfish, rare corals and bright anemones - but there are certainly sharks, sea urchins, blowfish, worms and octopuses, as well as many phish of different sizes, shapes and colours.

We're talking, of course, about IT security. Threat forecasts remain as perennial and relentless as the ocean itself - every year, without fail, the waters rise. Must resellers and their customers drown?

You shall have a fishy on a little dishy,

You shall have a haddock when the boat comes in.

- Traditional English folk song

Seafaring mythology and folklore have long paid tribute to the treacherous nature of the ocean. Naiads, mermaids, tritons, sea witches and krakens populated the awestruck imaginations of sailors who could not explain the phenomena they experienced.

The sea is vast - like the internet - and no one knows exactly what creatures dwell therein. And like the internet, the sea remains a source of wealth; plumbing the depths can still result in a good living.

When you look beneath the reflective surface of the sea or the internet, the abyss teems with slippery threats. For the technology provider, the profits may be about navigating phenomena such as the multi-armed distributed denial of service (DDoS) attacks of modern botnets, sometimes comprising millions of compromised PCs.

The UK government 'listening station' has seen a tsunami of threats in recent years. At times, Facebook alone has admitted to experiencing 600,000 attacks a day. The Raspberry Pi Foundation was nearly sunk in March by a kraken-like botnet comprising about a million end points.

It is now common to hear of organisations taken out for hours or days as a result of the deluge of DDoS - partly because of the tide of automation that has made it easy for hackers to launch a storm of attacks. Yet few organisations as yet really think cyberwarfare might take down their systems, or those of partners, trawling for intellectual property or confidential data.

According to the National Audit Office (NAO), the cost of cybercrime to the UK over the past two years has swelled to between £18bn and £27bn. An extra £650m has been infused into the National Cyber Security Programme to 2015 in the belief that business, government and the public must remain constantly alert to the waves of risk if they are to detect and resist cyberthreats.

"Among progress reported so far, the Serious Organised Crime Agency has repatriated more than 2.3 million items of compromised card payment details to the financial sector in the UK and internationally since 2011, preventing a potential economic loss of more than £500m," the NAO says. "In the past year, moreover, the public reported to Action Fraud more than 46,000 incidents of cybercrime, amounting to £292m worth of attempted fraud."

Clearly this is one area where singing sea shanties and hoping for better weather might not be sufficient.

Into the deep

For the NAO, the UK's strategy must include ensuring individuals know how to protect themselves from crime online; protecting critical national infrastructure from cyberattack; and developing strong working relationships with other countries, businesses and organisations around the world. These are all areas where the IT channel might successfully see its ship come in.

What sort of undersea world will the more adventurous VAR, Jacques Cousteau-like, find if it does decide on a deep dive? Phish of many varieties are everywhere; while savvy internet users can often avoid their socially engineered seductions and colourful blandishments, targeted spear-phishing is also on the rise - and harder to filter from the legitimate communications sloshing about in the average inbox.

Russell Poole, head of security at VAR Pervasive Networks, agrees the past couple of years have seen a rising sea of risk threatening to capsize many organisational security strategies. Worryingly, he confirms that UK customers are seeing individuals within companies specifically targeted.

"We do quite a lot of security screens and analyses of networks and it does take a while to back-track and see exactly what has happened within an organisation," he says.

"But, invariably, it is a targeted attack on a high-level executive or on someone with a specific kind of access. If you can do a little social engineering by having a look at someone's Facebook or LinkedIn pages, you can make something interesting enough to tempt the user - it might spoof a rugby club of which they are a member, for example."

Poole says the deluge of DDoS that companies are experiencing need not even be from IT-savvy cybercriminals in Russia or elsewhere, as botnets can now be rented by the hour or the day by anyone, such as a disgruntled former employee or a competitor, perhaps.

If spear-phishing fails, a watering-hole attack may follow. This is where sites that targets are likely to visit - those of local schools or clubs, for example - are hacked and malware is served to anyone who sails by. The criminals then sieve out their targets, and proceed from there.

Malware dropped this way may then report back to a command-and-control beachhead for further instructions - perhaps to move into the network and collect data, as with Trojan.Naid or another advanced persistent threat such as Stuxnet. Some can lie dormant for years, only causing problems long after the original infection.

Advanced targeted attacks have been mounted by nation states to dredge up classified or competitive information. And beyond those, there remain the relatively familiar streams of worms, viruses and so on to reckon with.

Floating the possibilities

David Caughtry, director at Computerlinks, says this surging, changeable ocean of risk means the channel must work to stay afloat. The channel becomes a conduit for information as well as product. And firms that cannot afford to invest in proper DDoS protection, for instance, may need the outsourcing options explained.

"For me, it always comes back to the customer's appetite for risk. What are the risks, and what are the important things within the business? The channel needs to be mindful of that when educating and deploying solutions," he confirms.

The skerries and whirlpools of cyberthreat offer a great opportunity for intrepid tech providers brave enough to navigate them, says Caughtry. We are not drowned yet.

In fact Yaki Faitelson, chief executive at vendor Varonis, reckons the flood of hack attacks is primarily down to a lack of basic controls - suggesting juicy prey might still be easily netted even by the non-specialist channel.

"In our survey on data protection, only 19 per cent of organisations reported that they monitor all access activity across common data stores, and 27 per cent reported that they audit no access activity. No wonder organisations have a difficult time spotting intrusions," he says.
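The "basic controls" Faitelson describes amount to knowing who touches which data, and noticing when that changes. As an added illustration (not code from the article or from Varonis), the script below parses constructed file-share audit records, builds a per-user baseline of the shares each account normally uses and the most distinct files it reads in a day, and then flags a review day on which an account reaches into a share it has never used or reads well beyond its usual volume. The log format, share layout, user names and the two-times-peak threshold are all assumptions chosen for the example.

```python
"""Added example, not from the article or from Varonis: a minimal access-activity
monitor for a shared file store. Field layout, share names and thresholds are
assumptions made for illustration."""
from collections import defaultdict
from datetime import datetime

# Constructed baseline audit records: "<ISO timestamp> <user> <action> <path>"
BASELINE_LOG = """\
2013-05-01T09:02:11 alice READ /shares/finance/q1-report.xlsx
2013-05-01T09:05:40 alice WRITE /shares/finance/q1-report.xlsx
2013-05-01T10:11:02 alice READ /shares/finance/budget.xlsx
2013-05-02T09:01:55 alice READ /shares/finance/q1-report.xlsx
2013-05-01T08:30:00 bob READ /shares/engineering/spec.docx
2013-05-01T08:45:12 bob WRITE /shares/engineering/spec.docx
2013-05-02T08:31:09 bob READ /shares/engineering/design.vsd
"""

# Constructed records for the day under review: bob's account sweeps the
# finance share late at night, the trace a misused or compromised account leaves.
REVIEW_LOG = """\
2013-05-03T09:00:01 alice READ /shares/finance/budget.xlsx
2013-05-03T22:14:03 bob READ /shares/finance/q1-report.xlsx
2013-05-03T22:14:05 bob READ /shares/finance/budget.xlsx
2013-05-03T22:14:06 bob READ /shares/finance/payroll.xlsx
2013-05-03T22:14:08 bob READ /shares/finance/forecast.xlsx
2013-05-03T22:14:09 bob READ /shares/finance/contracts.docx
2013-05-03T22:14:11 bob READ /shares/engineering/spec.docx
"""


def parse(log):
    """Yield (timestamp, user, action, share, path) for each non-empty audit line."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, action, path = line.split(maxsplit=3)
        share = "/".join(path.split("/")[:3])  # "/shares/finance/x.xlsx" -> "/shares/finance"
        yield datetime.fromisoformat(ts), user, action, share, path


def build_baseline(log):
    """Per user: the shares normally used and the peak number of distinct files per day."""
    shares = defaultdict(set)
    files_per_day = defaultdict(lambda: defaultdict(set))
    for ts, user, _action, share, path in parse(log):
        shares[user].add(share)
        files_per_day[user][ts.date()].add(path)
    peak = {u: max(len(s) for s in days.values()) for u, days in files_per_day.items()}
    return {u: {"shares": shares[u], "peak_files": peak[u]} for u in shares}


def find_anomalies(review_log, baseline, volume_factor=2.0):
    """Return findings as (user, kind, detail): an account with no baseline, a share
    the user has never used, or distinct-file volume exceeding volume_factor times
    the user's historical daily peak (reported once, when the limit is crossed)."""
    findings = []
    seen_files = defaultdict(lambda: defaultdict(set))
    for ts, user, _action, share, path in parse(review_log):
        profile = baseline.get(user)
        if profile is None:
            findings.append((user, "unknown-user", share))
            continue
        if share not in profile["shares"]:
            finding = (user, "new-share", share)
            if finding not in findings:
                findings.append(finding)
        day = seen_files[user][ts.date()]
        day.add(path)
        if len(day) == int(profile["peak_files"] * volume_factor) + 1:
            findings.append((user, "volume", str(ts.date())))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(REVIEW_LOG, build_baseline(BASELINE_LOG)):
        print(finding)
```

Run as-is, the script reports nothing for alice and two findings for bob: a first-ever visit to /shares/finance and a read volume above twice his historical peak. A real deployment would replace the inline strings with the file server's audit feed and tune the threshold per share, but the shape of the control is the same: record every access, keep a baseline, and review deviations rather than hoping an intrusion announces itself.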