KuppingerCole Analysts' View on Cyber Security



A preview of the KuppingerCole Digital Risk & Security Awareness Study

Martin Kuppinger

270 IT Security experts took part in the recent KuppingerCole digital risk and security awareness study. The results of this study will be published in December 2014.

The results of the survey are not unexpected: 85.6% of the participants have seen an increase in the number of cyber security threats over the past 12 months. Analyzing the causes of this increase shows that there are three main reasons for this changing perception.

  1. 58.7% of the respondents indicated that there is more publicly available information about cyber-attacks, resulting in a change in the perception of the threats to their organizations.
  2. Another important factor affecting the perception of these threats is the exchange of information between industry peers. 53.4% named this as one of the reasons for the change.
  3. However, only 40.9% indicated that analysis of risks and threats leads to a significant increase in threat awareness.

These numbers lead to the following conclusions: digital threats and risks have at last become a widely discussed topic, and this is helping to increase awareness. Only 33.3% found that their own risk and threat analysis was able to turn the perceived threat into hard fact. While we do not expect that such analysis would lead to a decrease in threat awareness, it would allow organizations to better understand threats and risks and thus to plan their countermeasures better. We strongly recommend investing in an ongoing risk and threat analysis process to help protect your organization.

The sources of attack that cause the most concern were also researched as part of this study. The results show that attacks by organized crime lead, named by 46.6% of respondents, followed by insiders at 29.4%, while nation-state attackers were the main concern for only 11.3%. At the other end, politically motivated attacks (8.6%) and others (4.1%) are rarely the biggest concern. Note that the question asked about the single biggest concern; insider attacks are therefore still most likely to be considered a severe threat in most organizations.

It is also interesting to look at some of the details. More than 50% of the respondents giving nation-state attacks as their biggest threat are involved in critical infrastructures, while more than 40% came to this conclusion because their intellectual property is a likely target of nation-state industrial espionage.

Overall, these survey results show that organizations are well aware of the digital security threats that they face.

To get the full details of the many aspects covered by this study go to www.kuppingercole.com/reports in December to download your copy of the full document.



Know Your Enemy

Amar Singh

At a recent seminar I was asked how and where we begin preparing for a cyber attack. Another individual, who interrupted my answer, insisted that controls were the way to go. He said something that sounded like “I got all my 20 controls under control, implemented and monitored. I am fine.”

I partially agree with the answer: controls are important and must be implemented correctly. Oh, and they must also be monitored regularly. However, I am of the opinion that the better way to begin the journey of setting up an effective cyber security posture is to begin by understanding your enemy. Put another way, for those who don’t believe in the concept of enemies and adversaries, begin by understanding the threat actors relevant to your business.

Note: I know, some of my readers may be thinking “He completely forgot about the R (risk) word.” Understanding your threats and threat actors should go hand in hand with an effective risk management program.

ISACA describes four main types of Attackers:

  • The Unsophisticated Attacker: More often called a script kiddy, this individual is a rookie, a newbie, and primarily attacks blindly. A pure opportunist.
  • The Sophisticated Attacker: Able and more mature than the script kiddy, this individual has time and will attack specific targets. Motivated.
  • Criminal or Corporate Espionage type attacker: Organised elements intent on defrauding your business. These criminals are often assisted by an aggrieved former or current employee.
  • State Sponsored Advanced Attackers: The most serious, well trained, superbly organised and capable, these attackers are sponsored and backed, directly or indirectly, by nation states. You are only in their crosshairs because you have something they want.

Hold on - is there a Fifth Attacker?

Although, technically, the privileged insider can be slotted into any one of the above categories, it deserves its own classification, as very often it is the employee, or groups of them, that ends up causing the biggest disruption and damage to the business that employs them. Reasons range from bribery to job dissatisfaction or loss of employment.

The privileged attacker is a special kind of attacker, as he/she is well versed in the culture, the technology and the technical architecture and, most importantly, has the explicit trust of his/her employers. In most small to medium organisations the privileged user, or groups of them, ends up taking on multiple roles such as the 'IT guy', 'the email guy', 'the laptop does not work call him now guy'. You get the point.

In addition, in almost all instances this privileged user has the administrative user details, including passwords, to all the critical systems, and that is why this type of user is also sometimes called the 'god user' or 'superuser'.

Did I forget the Hacktivist?

I have not forgotten about the “hacktivist” or cyber activist. The hacktivist can be any one of the five attackers described above. More often than not, the unsophisticated and the slightly more able ones fit the hacktivist bill. Needless to add that the insider is often the cause of many unreported attacks.

What's Next?

We could be here all day talking about what is next. Most organisations readily dismiss the nation threat, correctly, I must add. To their detriment, however, they also completely ignore the other threat actors. There is a constant phrase I hear from many small and medium enterprises: “Why would they want to attack us? We only produce widgets.” However, it is important that companies take a realistic, pragmatic and practical approach when discussing their attackers. Most nation states are not after the run-of-the-mill company producing widgets. Yes, if you are a defence contractor, for example, you need to put the nation attacker at the top.

You Will Be Attacked!

The reality is, regardless of size and product, your company can and will be attacked. If you are “cyber boring” you will be attacked so that the attackers can use your IT systems as a launchpad for another target.

You will be attacked just because someone, on planet Earth, disagrees with your product, your service or even your geographic location. Activists are passionate about their cause and belief system and will go to any lengths to “teach them a lesson”.

Remember the insider attacker? An employee with a grievance who has super user rights to your IT systems can be far more dangerous than a nation state attacker. Why? Well, an insider already knows your systems and your loopholes, and has all the access necessary to cause maximum damage.

Know your attackers so you can start planning on how to best defend your organisation.
