BOSTON – It is far too easy for financially motivated cybercriminals and nation-state sponsored cyberattackers to hack into corporate networks to steal data, according to Kaspersky Lab CEO Eugene Kaspersky who is calling on enterprises to take bold measures to protect intellectual property.
The more expensive data you have in your network the more resources you have to allocate for security.
Eugene Kaspersky, CEO, Kaspersky Lab
Speaking to a group of reporters at a Boston restaurant, Kaspersky explained that enterprises are failing to put the right mixture of security technologies and policies in place to make hacking difficult for cybercriminal operations. Corporate networks containing highly sensitive data should employ military-grade standards and even consider disconnecting or isolating systems from the Internet altogether to solve the problem of targeted attacks, Kaspersky said.
"If they have enough resources, sooner or later they will get in, so the right way of security in the enterprise environment is to make the attack as complicated as possible," Kaspersky said.
Stolen credentials, weak system configurations and poorly maintained patching at corporate endpoints are leading to intellectual property theft on a grand scale, say Kaspersky and other experts, who are trying to figure out new ways to plug the data leakage holes. Meanwhile financially motivated cybercriminals continue to target the low-hanging fruit, using application vulnerabilities to hop onto desktop and laptop systems and ultimately steal credit card data and drain bank accounts. Kaspersky said he sees no end in sight. In fact, the shaky global economy is helping create new cybercriminals every day, he said.
"Our major markets are Western Europe and the United States and unfortunately I don't think that the situation in Europe will be recovering soon. Also there is some not some positive scenarios for the American economy," Kaspersky said. "I'm expecting that there will be more and more criminals in this setting if this economic situation is in bad times; typically that's a good time for crime. I'm expecting we'll have more work to do and less growth than there was in the past."
Consumer systems that have the latest patches and antivirus with updated malware signatures are well protected, Kaspersky said. Enterprises however need to take additional steps, employing more than traditional endpoint security. Automated vulnerability scanning, patch management and application monitoring could help detect and contain potential problems and make it more difficult for attackers to leap from system to system.
Kaspersky Lab CEO
Hardened operating system will give industrial control system manufacturers a more secure platform for their software.
Even disconnecting the most critical networks from the Internet will not offer 100% protection, Kaspersky said. As Stuxnet proved, all it takes is a malicious thumb drive to infect a system disconnected from the Internet. "But it makes it much more difficult to get information out of there," Kaspersky said.
"It would be a very, very slow process."
Kaspersky also advocated regular security training for employees to help reduce the risk of social engineering attacks. He said multiple backup systems are also important with one backup system maintained off the network.
"The more expensive data you have in your network the more resources you have to allocate for security," Kaspersky said.
Proactive defense, targeting cybercriminals
Some experts in the United States are advocating an offensive security strategy, tracking down cybercriminal operations and taking back stolen data. Kaspersky said his firm would like to go on the offensive, shutting down cybercriminal operations by wiping infections from servers and other systems, but legally, the security industry can't take that offensive action. Restrictions protect privacy and prevent innocent people and companies from data loss, he said.
"It's a good idea, but it's forbidden," Kaspersky said. "If by international treaty or if national police ask us to assist them with technical information, we'll assist them, but we don't want to be in conflict with different regulations in different countries."
Going on the offense may be effective against financially motivated cybercriminals, which use automated tools to attack on a wide scale, but it may not have much of an impact on targeted attacks, which are much more difficult for enterprises to defend against, Kaspersky said. Enterprises are better off focusing on adding layers of security protection, addressing vulnerabilities, probing for network weaknesses and training employees to detect social engineering attacks.