As the Bay Area gears up for Super Bowl 50, the security industry is getting ready for its own Super Bowl of sorts. The RSA Conference — which marks its 25th year — kicks off in San Francisco on Feb. 29.
Top of mind for industry insiders is how companies can best protect themselves against an increasingly sophisticated enemy intent on attacking bigger and more lucrative targets.
Crimes in cyberspace will cost the global economy $445 billion in 2016 — more than the market cap of Microsoft ($411 billion), Facebook ($314 billion) or ExxonMobil ($332 billion) — according to an estimate from the World Economic Forum's 2016 Global Risks Report.
The threat of state-sponsored attacks aimed at taking down critical infrastructure continues to plague experts, but many believe the bigger threat is posed toward U.S. business interests.
"U.S. companies are definitely under pressure, and I think it's related in large part to nation-state attacks," said John Haller, a cybersecurity researcher in the CERT division of the Carnegie Mellon University Software Engineering Institute.
The 2014 Sony hack is the poster child for what happens when an isolated nation-state goes after a North American enterprise. (U.S. government officials have hinted that North Korea was behind the attack.)
"This is not science fiction. It's a multibillion-dollar business of stealing intellectual property," said John Stewart, senior vice president, chief security and trust officer at Cisco. "We have got to be able to protect ourselves just that much better."
The hackers of today are far more skilled, organized and well funded than ever before. As such, they are getting better at finding weaknesses, penetrating security barriers and enacting more damaging attacks once inside a company. Though tried-and-tested schemes — such as stealing and reselling credit card numbers — continue to be staples of the criminal underground, the thieves are expanding their enterprises.
Hackers are increasingly using encryption and ransomware to extort money from victims and evade detection. It is not uncommon for them to spend months inside a company, siphoning off information and installing so-called back doors. These secret entry points can be revisited later or sold to other criminals with different capabilities, who then use that access to attack the corporation's customers or supply chain.
"For example, if I hack into a major law firm and then realize that this law firm has direct communication channels with the Fortune 50, then I can leapfrog from this law firm into all of those entities," said Tom Kellermann, chief security officer at cybersecurity vendor Trend Micro. Kellermann will take the stage at the RSA Conference to address this very issue, which he said is becoming more common.
The five-day conference — the industry's biggest annual event — features keynotes from Symantec CEO Michael Brown, VMWare CEO Pat Gelsinger, Palo Alto Networks CEO Mark McLaughlin, Intel senior vice president and general manager Chris Young and Cisco Security Business Group vice president and chief architect Martin Roesch, among others.
On the expo floor, more than 500 vendors will employ a slew of tactics to rise above the collective cacophony of cybersecurity sales pitches. (Last year's booths featured a juggling sales rep and someone slinging discs into a shredder, according to one attendee.)
There are almost 30 different tracks, including several covering how to navigate the thorny issues surrounding government and privacy, as well as two dedicated to hackers and threats, examining the growing underground economy, new classes of vulnerability and exploitation techniques.
Hacker business models are also evolving. "If there is a way to make money illegally and through electronic techniques as the means, there is going to be somebody that thinks it up," said Stewart.
One example is the use of stolen financial information to undercut an acquisition target's market value in order to later acquire the company at a fire-sale price. This tactic has been associated with Chinese hackers, said experts.
"If they are successful, they could drain the full value of the company — that's easily in the millions," said Rich Mason, president and chief security officer of cybersecurity consulting firm Critical Infrastructure.
The Silicon Valley of hackers is in Eastern Europe. Trend Micro identified Russian-speaking cyber militias as the group behind the Christmas takedown of the Kiev power grid and, more recently, the Kiev airport. Kellermann pointed to Operation Pawn Storm — an ongoing cyber-espionage campaign — to illustrate the variety of methods Russian hackers are using to attack U.S. military, embassy and defense-contractor personnel and U.S. allies, including NATO.
They include spear-phishing emails; fake Outlook Web Access login pages to steal credentials (U.S. defense contractor ACADEMI, formerly Blackwater, was targeted using this method, according to Trend Micro); the creation of iOS malware to steal information, such as messages, contact lists, geo-location, pictures and voice recordings; and the exploitation of well-known software security vulnerabilities.
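The fake Outlook Web Access login pages described above work only if the victim does not notice that the hostname is not the real one. The script below, an added example that is not code from the article or from Trend Micro, shows the kind of check a defender can run over URLs pulled from reported phishing mail: it folds common homoglyph substitutions, measures edit distance from the brand name, and flags the real hostname buried inside a foreign domain. The legitimate host `mail.example.com`, the brand token `example` and every sample URL are constructed assumptions, and the registrable-domain extraction is deliberately naive (it ignores multi-label public suffixes such as co.uk).

```python
"""Flag URLs whose hostname impersonates an organisation's Outlook Web Access host.

Added example for this article, not code from the article or from Trend Micro.
LEGIT_HOST, BRAND and SAMPLE_URLS are constructed assumptions; the checks
(homoglyph folding, Levenshtein distance, brand token inside a foreign domain)
are generic lookalike-domain heuristics.
"""
from urllib.parse import urlparse

LEGIT_HOST = "mail.example.com"   # assumed legitimate OWA hostname
BRAND = "example"                 # assumed brand token attackers imitate

# Single-character swaps that look like the real letter in a browser address bar.
_SINGLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})
# Two-character sequences that render like one letter in common fonts.
_MULTI = (("vv", "w"), ("rn", "m"), ("cl", "d"))


def fold(label: str) -> str:
    """Normalise a DNS label so visual lookalikes collapse onto the real spelling."""
    s = label.lower().translate(_SINGLE)
    for seq, rep in _MULTI:
        s = s.replace(seq, rep)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute, cost 1 each) via the row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels of a hostname. Assumption: no multi-label public suffixes
    such as co.uk; a real deployment would consult the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def classify(url: str) -> dict:
    """Return {'host', 'verdict', 'reason'}; verdict is 'legitimate',
    'lookalike' or 'unrelated'."""
    if "://" not in url:
        url = "//" + url                      # let urlparse locate the netloc
    host = (urlparse(url).hostname or "").rstrip(".").lower()
    legit_reg = registrable(LEGIT_HOST)
    if host == legit_reg or host.endswith("." + legit_reg):
        return {"host": host, "verdict": "legitimate", "reason": "under " + legit_reg}

    reg = registrable(host)
    sld = fold(reg.split(".")[0])             # second-level label, homoglyphs folded
    dist = levenshtein(sld, BRAND)
    if dist == 0:
        reason = f"{reg} spells '{BRAND}' after homoglyph folding"
    elif dist <= 2:
        reason = f"{reg} is within edit distance {dist} of '{BRAND}'"
    elif BRAND in fold(host):
        reason = f"'{BRAND}' embedded in foreign domain {reg}"
    else:
        return {"host": host, "verdict": "unrelated", "reason": "no resemblance"}
    return {"host": host, "verdict": "lookalike", "reason": reason}


# Constructed sample URLs of the kind found in reported phishing mail.
SAMPLE_URLS = [
    "https://mail.example.com/owa/auth/logon.aspx",
    "https://mail.exarnple.com/owa",                    # rn -> m
    "http://mail.example.com.login-verify.net/owa",     # real host as a subdomain
    "https://examp1e-mail.com/",                        # digit for letter
    "https://mail.exemple.com/",                        # one-letter typo
    "https://www.google.com/",
]


def report(urls=SAMPLE_URLS) -> list:
    """Classify each URL and return the list of verdict dicts."""
    return [classify(u) for u in urls]


if __name__ == "__main__":
    for r in report():
        print(f"{r['verdict']:<10} {r['host']:<40} {r['reason']}")
```

A match here is a triage signal, not proof of phishing: the next step is to compare the page served at that host against the real OWA logon form and to look for the same hostname in the mail gateway's logs to find every recipient.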
"U.S. corporations have already felt the wrath of patriotic Russian hackers," said Kellermann. "It's dramatically escalated ever since we leveraged economic sanctions against Russia."
Like start-ups, hackers operate in cells and leverage a personal network of contacts to monetize their illicit product. Within each cell are members with different areas of expertise, ranging from technical, to marketing, to supply-chain management.
Though information about these criminals is hard to come by, an independent study titled Flipping the Economics of Attacks, released Tuesday by the Ponemon Institute and sponsored by Palo Alto Networks, revealed some interesting data about hackers in general. The study surveyed more than 10,000 self-proclaimed hackers in the U.S., Germany and the U.K.
Among the findings: Technically proficient attackers are spending an average of $1,367 for specialized tool kits to execute attacks; 63 percent of respondents claim the use of such kits has increased over the past two years; and 64 percent say the tools are highly effective. The study also found that, on average, these attackers earn just $28,744 per year, which boils down to $40.75 an hour, about a quarter of the average cybersecurity professional's salary.
When it comes to making money, the market for stolen information on the dark Web is well-established and easy to access.
Cybercriminals rely on so-called bulletproof hosts — hosting providers that ignore abuse complaints and takedown requests — and on anonymous payment systems. Both are complicit in providing the infrastructure underlying the hacker community. These marketplaces are every bit as unforgiving as legal marketplaces, and reputation is key.
"They have a code," said Kellermann. "If you do not provide a service or a good when promised, if you do not provide money when promised, they will turn on you."
Of course, it's not just giant corporations increasingly coming under fire. Hackers are targeting small- and medium-size businesses, which typically employ weaker cybersecurity protections and often have relationships with larger companies. Home Depot and Target are examples of a third party being used to get into the company network. In Target's case the weakness came via a small HVAC contractor in Pittsburgh.
"The smaller companies just can't buy the same capability, whether it's in terms of the human capital or whether it's in terms of really having the processes to deal with it," said Haller. "Knowing who to trust and understand the capability of your business partners is a real problem."
SMBs are improving their security approach, in part by outsourcing, which rose to 23 percent in 2015 from 14 percent the prior year, according to Cisco's Annual Security Report published Jan. 19. The report also found that just 45 percent of organizations worldwide are confident in their security position in the face of today's more sophisticated, bold and resilient attack campaigns.
In response to the myriad cyberthreats they face, companies are slowly becoming more sophisticated in the way they approach cybersecurity. Executives are no longer solely focused on securing the corporate perimeter with firewalls and antivirus software. They are also investing in tools to mitigate the impact of a successful hack attack.
"Big banks all know this, but more mainstream organizations have forgotten this. We are trying to remind them that 'No, you cannot stop all breaches. Yes, you have to prepare,'" said Dr. Anton Chuvakin, a security and risk-management analyst with Gartner.
This topic is the focus of at least two keynotes at RSA. On March 2, Cisco Security Business Group vice president and chief architect Martin Roesch will talk about how companies can evaluate the various security solutions on the market to maximize protection. The following day, Symantec CEO Michael Brown will focus on the tools companies need to extend security beyond their four walls to the supply chain and customer ecosystem.
Recognizing that breaches can and do happen, companies should focus on protecting the company's "crown jewels" — the assets deemed most valuable, said experts. "We look at it as a system of concentric circles, saying harden your most critical systems first, put all your bells and whistles on them to prevent them from being compromised, and then build out from there," said Mason.
Zurich Insurance works with customers to tailor insurance products, make sure they have robust cybersecurity processes and procedures in place and to figure out which vendors to employ. While just a couple of years ago certain industries were consumed solely with meeting contractual requirements, that is starting to change.
"It's not just about satisfying a requirement or meeting hurdles from a regulatory standpoint, but actually looking at what my exposure is in this area and making sure that it's properly addressed," said Lori Bailey, global head of special lines at Zurich General Insurance.
"One piece of that could be insurance, but there are a number of other measures that can be taken, such as making sure that you have a proper business continuity or incident response plan in place," she said.
Experts agreed that the way in which companies respond when disaster strikes — no matter what the threat is — is key to success. For example, when the 2011 tsunami hit Japan, it took down some financial institutions that were then unable to serve their customers. By contrast, others seamlessly transitioned to backup sites to continue operations.
It is key to have tested processes in place to respond to any security threat or breach, said Haller.
In general, experts agree that thwarting the "bad guys" requires greater cooperation among the "good guys." The ability to identify emerging threats and to decide which cybersecurity vendors to employ is vastly improved when information is shared.
The data backs this up: The Ponemon report found that 39 percent of hacks were thwarted when the targeted organization engaged in the sharing of threat intelligence with its peers. In addition, 55 percent of respondents cited threat intelligence sharing as the most likely tool for preventing or curtailing successful attacks.
That is why the Cyber Threat Alliance was founded in 2014 by Palo Alto Networks and Fortinet. It is now composed of a group of leading cybersecurity providers to share intelligence and conduct research to combat hacking. Today, partners include Intel's McAfee and Symantec.
At the same time, vendors are working more closely with government agencies. The Cybersecurity Information Sharing Act, which passed in December 2015, aims to make that easier. The law allows companies to directly share information with the Department of Defense, including the National Security Agency (NSA), without fear of being sued.
(According to the Washington Post, citing current and former officials, the NSA is in the midst of a reorganization, merging its offensive and defensive organizations to better address the current threat landscape.)
Of course, in the post-Snowden era, global corporations must walk a fine line when it comes to sharing information with the U.S. government, as battles around privacy, encryption and regulatory oversight continue to bubble below the surface.