Attackers who go after specific vulnerabilities at specific companies can have a particularly disastrous impact, the SANS report says. It's a trend other organizations have noticed. In mid-July, the Department of Energy Computer Incident Advisory Capability issued a warning about it. "We're seeing more-targeted attacks both within and outside of the DOE," the bulletin said.
IT managers are noticing, too. "The coordination of attacks over the last few years seems to be increasing," says Mark Richmond, network systems engineer for the U.S. District Court, Eastern District of California. "There are cooperative arrangements between various groups, formal or informal, that seem to be facilitating the use of networks and computers for criminal activities." Richmond says he has the situation in hand. "We limit access to our systems beyond the point of inconvenience," he says. "We use a private network. We're gated to the Internet in very narrow gates that are very tightly controlled, partly because of security concerns and partly to protect the performance that we need to get our work done."
Fear of such attacks is changing consumer behavior. Two recent studies, one by the Pew Internet & American Life Project and the other by Consumer Reports WebWatch, find that more than 90% of Internet users say they have adjusted their online behavior out of fear of cybercrime. The Consumer Reports WebWatch study indicates that fully a quarter of U.S. Internet users have stopped buying things online. Fear of online victimization also could curtail the growth of electronic bill presentment and payment, which offer companies significant savings over paper-payment processing.
Targeted attacks don't typically get reported, unless there's a breach of customer data covered under disclosure laws such as California's. Tight-lipped companies hope to avoid bad publicity and prevent scaring more online consumers, under the theory that what they don't know won't deter them. But silence also makes it harder for security professionals to make the case for increased investment in security.
The SANS report should put pressure on software companies. It highlights the need to harden the presentation and application layers as a means to reduce cybersecurity events, says Howard Schmidt, former chief security officer for Microsoft and, later, eBay. "The first stop on the way to fix this is through secure coding and better QA of development processes, penetration testing on compiled code, as well as vulnerability testing of integrated, deployed applications via Web front ends," he says, via E-mail.
The U.S. Air Force offers one example of how to ramp up the pressure: Demand a security service-level agreement. Late last year, the Air Force contracted with Microsoft and Dell to simplify acquisitions, cybersecurity, patching, and configuration. The contract is worth an estimated $500 million over six years. The result is supposed to be that the Air Force always has an up-to-date version of Windows, including all the latest patches.
Paller from SANS points to that deal, plus similar ones between the Department of Energy and Oracle and between Sandia National Laboratories and Sun Microsystems, and suggests that large organizations have the leverage to improve security for themselves, and ultimately for everyone, by holding vendors more accountable.
Companies, in general, are better prepared to deal with security issues than they were a few years ago and are better at responding to security alerts and patching systems. But criminal hackers are better prepared, too. Pescatore of Gartner puts it well: "The good news is the termites are no longer eating the bottom floor of your house. The bad news is they're eating the top floor."