The Carbanak cyber group may be the most successful group of bank robbers of all time. Kaspersky went live with a report on a multi-year, multi-bank, multi-country cyber scheme perpetrated by Carbanak that has potentially netted as much as $1B.
In true form of hackers from most recent APTs (advanced persistent threats), these attackers were technical, patient, methodical and silent. They spent months doing recon online observing employees via webcams and key logs. They learned employee habits so they could imitate their behavior in order to shift money without notice.
The threat of the APT looms large over all industries, and there is still little that can be done to prevent it. The reality is that highly sophisticated cyber crime groups or state-sponsored actors will usually find a way in eventually.
It's not surprising to find out that organizations in the enterprise are investing more heavily in incident response and damage control. Its also not surprising that higher echelons of leadership are considerably more interested in cyber security. In the not-too-distant future, one of the metrics a CEO may be measured by is the efficacy of his or her security strategy.
Cyber security is now a matter of national security. In his statement at the Cybersecurity and Consumer Protection Summit in Santa Clara, President Obama said, as clear as day, that the private sector will be expected to hold up their end of the bargain. "The federal government cannot, nor would Americans want it to, provide cyber security for every private network," the White House said in a statement. "Therefore, the private sector plays a crucial role in our overall national network defense." President Obama signed an executive order regarding this on the spot.
The stark reality is that the challenges to network defense are vast. Many companies in the enterprise made the decision to push their networks online without planning for the security implications. However, there was little choice as this is simply the reality in a world where consumers demand convenience and have little patience for outdated models.
This places security leaders in the unenviable position of trying to play catch-up to the velocity of digital business. Even having a clear picture of what they're responsible for securing is no longer a given. For instance, after signing up with RiskIQ, customers are finding, on average, 40% more digital assets than they originally believed they had.
Often in the very first meeting, our engineers are able to share a vast world of web and mobile assets that were previously unknown to the customer. The problem is their customers can't tell the difference between which digital assets are managed by outsiders. This is very dangerous.
This all ties back to the old adage that you can't defend what you don't know about. Meanwhile, hanging in the balance of each decision that you make is the security of the data your company stores, including the privacy of your customers and employees.
If you're concerned that parts of your network are exposed in ways you don't have visibility into, then you're ahead of most of your peers. The question is: What are you going to do about it?
