How does the evolution of attack tools affect existing systems? What steps should an organization take to remain vigilant of these new methods for compromising systems?


The evolution of malware and attack tools, from the Morris worm in 1988, Melissa (1999), and the ILoveYou virus (2000) to sophisticated ransomware and IoT DDoS attacks (the Mirai botnet in October 2016), has been staggering, and these tools grow in power and resilience with each day. This evolution affects existing systems in the following ways:

  • Hackers are mostly ahead of the security experts – and the gap is constantly widening
  • Hackers seem to find new vulnerabilities faster than “experts” can fix old ones
  • Existing systems are open to being exploited at any given time, with a completely new line of attack
  • New lines of attack give systems no time to recover
  • Incident response plans and mitigation techniques may prove ineffective against a completely unexpected zero-day attack
  • Protecting a system is defensive at best, and this protection can break under an aggressive direct attack

To protect itself against new lines of attack, an organization must:

  • Keep all its systems up-to-date and patched
  • Infuse a “culture of security”2 in the organization
  • Have security policies in place
  • Diligently follow security guidelines (similar to those outlined by NIST) and implement best practices
  • Have mitigation techniques and incident response plans which expect the unexpected
  • Be vigilant of the trends in the industry and the security risks
  • Invest in educating and nurturing its security employees through regular training sessions, certification boot camps, and conferences
  • Invest in in-house research, or buy COTS security products from companies which have security research labs
  • Be part of the dialog and research initiated by organizations like OWASP, (ISC)², SANS Institute, IEEE, etc.
  • Consider security insurance and risk transference
  • Conduct bug bounty programs inviting ethical hackers and security researchers to find flaws in the system for a reward.