15 Dec 11. This was the year in which we came to accept the fact that we could not depend on our defenses to protect us from cyber intrusions. The cybersecurity focus began to shift more to response and mitigation as we realized that compromise is a fact of life.
“If someone really has you in their sights, they’ve got you,” Tim Roxey, director of risk assessment at the North American Electric Reliability Corp., said in August when NERC announced that it had issued two threat alerts to power distributors.
A group of C-level executives participating in a Washington discussion of cybersecurity in September agreed that despite the number of headlines generated by recent high-profile breaches, the instances of advanced persistent threats reported in the press are only the tip of an iceberg and organizations should assume that they already have been or will be breached. The conclusion was, if you can be sure that you have no malware lurking in your network, you either have nothing in your network worth stealing or you don’t know what is going on.
There were not necessarily more breaches in 2011 than in previous years, but the persistent drumbeat of high-profile or just embarrassing incidents made it clear how difficult it is to defeat the bad guys in an asymmetrical game in which the defense must maintain a perfect score.
For a while the most serious threats shifted away from brute-force attacks relying on extensive botnet resources to more sophisticated and targeted attacks that crept in under the radar. The attackers bided their time, picked their targets and crafted blended threats that relied on clever social engineering as well as technology to land big phish and infiltrate systems. But just as we thought APTs were the only thing we had to worry about, the smash-and-grab artists of LulzSec and Anonymous reminded us that low-tech attacks against known vulnerabilities in websites also could expose a lot of sensitive information. (Source: GCN)