Cyberthreats come in the form of malicious software code, hacking attacks, waves of denial-of-service attacks, and insidious corporate espionage. All are designed to provide financial or political benefit to criminals and are still multiplying at a phenomenal rate, according to a new report released today from Aite Group—Cyberthreats: Multiplying Like Tribbles.
Aite Group's research report, which draws analogies between cyberthreats and the rapidly multiplying furry little Tribbles of Star Trek lore, focuses on two of the most lucrative targets for the organisations behind the attacks: financial institutions and merchants.
The research shows that threats are escalating more quickly than banks or businesses can deploy defenses against them. With more than 150,000 unique new strains of malware deployed each day in Q1 2013, it’s very difficult for the good guys to keep pace.
The username/password combination as an authenticator is now officially broken, Aite Group finds. Myriad database breaches over the last year compromised tens of millions of usernames and passwords; combined with the fact that consumers reuse these passwords across the Internet, the sole relevant use for this combination is now that of a database look-up mechanism.
The key challenge in defending against the onslaught of attacks is that there are so many different players and attack vectors.
International organised crime rings are in search of financial gain; nation-states, individuals, and crime rings are engaged in espionage against governments and businesses; and hacktivists aim to get into the headlines. The dividing lines between the players and their causes are not now clear.
"Threats are escalating more quickly than banks or businesses can deploy their defenses, so rather than bulletproof security, organisations should focus on ways to make the cost of breaching their security more expensive than the underlying data that could be obtained," says Julie Conroy, research director in Retail Banking at Aite Group.
Conroy notes that merchants need to take steps to eliminate the sensitive data from their environments altogether through technologies such as tokenisation or point-to-point encryption.
"As fast as the threats are moving, security needs to be built with the assumption that the endpoint is already compromised—or will be soon," he adds.