McAfee's latest report on advanced persistent threats, which detailed vulnerabilities in least 72 companies over a five-year period, has caused quite a stir. The conclusions are so stark, some have questioned whether McAfee is scaremongering in order to push more product.
Allow me to come to McAfee's defense. For one thing, the report is the first I've seen that collates the company type, location, and possible length of compromise for each victimized business. More important, I completely agree with the gist of the argument, as articulated by Dmitri Alperovitch, McAfee VP of Threat Research. Think your company has escaped advanced persistent threats? Think again:
...I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly), with the great majority of the victims rarely discovering the intrusion or its impact. In fact, I divide the entire set of Fortune Global 2000 firms into two categories: those that know they've been compromised and those that don't yet know...What we have witnessed over the past five to six years has been nothing short of a historically unprecedented transfer of wealth...
This shouldn't be a surprise to InfoWorld readers. We've stated the same thing for at least a year, if not longer. So has Forbes magazine and security expert and HBGary founder, Greg Hoglund, who gave the same message in his recent ISSA presentation. To quote slide 5, "You are already owned. They are stealing right now as you sit in that chair." You cannot find an independent, reputable computer security expert who will disagree.
The irony is that this horrifically successful mass intrusion did not require overly sophisticated attacks. Company defenses fall because hardly anyone covers the basics properly. Every documented case of advanced persistent threat exploitation that I've read about or been involved with has been the result of unpatched or misconfigured software, elevated user accounts that were not needed, and/or poor end-user training.
We know how to significantly minimize malicious hacking using existing protocols. We just need the right people to sit down in a room, agree on basic procedures and values in a few database tables, and get global agreement to put the new plan into place. The new could be integrated with the old. But in a few months' time, we could make it significantly harder for cyber criminals to ply their trade (see "Fixing the Internet would be easy -- if we tried").
As a longtime security professional, I continue to be dismayed that basically the entire world is easy to hack -- yet we, as defenders, aren't doing anything about it. Sure, we continue to talk about it. It's generated national headline after national headline, consuming the airwaves for weeks on end. But very little has changed.
I often wonder how bad it would have to be. What tipping point event would have to happen for the world to do something different and fight the cyber attackers? Are we close yet?
This article, "Why McAfee's dire security report rings true," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest business technology news, follow InfoWorld.com on Twitter.