Perimeter defence is dead
"Perimeter defence is dead," said Patrick Gray, security analyst and producer of the Risky Business security podcast, at ITWeb Security Summit 2015, in Midrand.
Traditional security solutions such as intrusion detection systems are proving less and less effective, he explained. Threat monitoring systems can either return a deluge of false alarms or miss necessary alerts entirely, he added.
Furthermore, even the most complex defence strategies can be bypassed with social engineering, Gray continued. While employees are becoming wise to simple processes like phishing attacks, social engineering can also be more calculated and difficult to recognise, he said. He cited the example of a senior engineer with whom a cyber attacker cultivated a three-month friendship over Facebook, eventually tricking him into downloading malware once she had gained his trust.
While reliable security is growing more difficult to achieve, cyber attacks are becoming easier to execute, he added, noting that many well-documented cyber attacks were accomplished with "garden-variety malware" at the hands of small groups of hackers rather than large, powerful agencies.
"I don't know how you can comprehensively deal with the state of play at the moment," Gray confessed, suggesting organisations aim to mitigate cyber attacks rather than hope to avoid them.
Yet most of the major cyber attacks making international news appear to be attempts to wreak havoc rather than cause lasting destruction, said Gray, quoting US president Barack Obama's reference to the Sony Pictures hack in November as "cyber vandalism" rather than "cyber warfare".
"The targets in these cases weren't really meaningful targets," Gray said. "It's one thing to hack into Sony, but what about really damaging attacks? You've got to ask why nobody is trying to blow up power plants or bring down dams."
Noting that many national industrial control systems have flimsy security, Gray said attacks on these systems are less likely because hackers are deterred by the lasting consequences such an attack would bring about.
Whereas a company security administrator does not have the resources to identify and punish cyber criminals, high-profile intelligence agencies do, and would prioritise an attack more closely resembling warfare, Gray noted.
"But, what is to stop a group of people who have no fear of consequences attacking critical infrastructure when we've proved that hacking is an easy thing to do?"