Many computer users and other entities have systems that utilize some form of security. Therefore, there often arises a need to prevent all but selected authorized persons from being able to carry out some defined transaction or to gain access to electronic equipment or another system, facility or data. Preventing unauthorized clearance or access typically involves devices which limit access to the subject data, facility, or transaction to those who possess a unique physical device, such as a key, or who know a fixed or predictable (hereinafter “fixed”) secret code. In at least some cases, relying on a fixed code or unique physical device as the means to control such selective clearance or access can mean that would-be unauthorized users need only obtain possession of the fixed code or unique device to gain such clearance or access. Typical instances of fixed codes include card numbers, user numbers or passwords issued to customers of computer data retrieval services.
So-called phishing attacks are a substantial threat to all kinds of transactions that depend on secure and authenticated access to a server. Economically important types of such transactions are e-banking, e-voting, e-healthcare and further electronic services. A phishing attack usually comprises the use of social engineering to fool the user into exchanging secret data, e.g. log-on data, with the attacker. The user undertaking such a log-on procedure believes he is communicating and exchanging data with the correct provider. The attacker, a man-in-the-middle, uses the transmitted authentication data thereafter or simultaneously to effect a log-on procedure with the service provider under the identity of the attacked authorized user. Following the log-on procedure the attacker then misuses the user's rights. In this sense a phishing attack is a classical so-called man-in-the-middle attack, which cannot be fended off easily through purely cryptographic measures. Simply trying to educate the users is unlikely to be a very successful measure, because it is sufficient that only a very small portion of the users fall for such social engineering deception.
In phishing cases in which a specific user is targeted by name, the attack is known as “spear phishing”. Upon receiving such a message, the user, believing it to have been sent from the recognized institution or provider, opens a link to a Web page as directed and enters a login name and password. The stolen information is then used to illegally obtain money (for example from the user's bank account) and/or to otherwise illegally obtain a financial or other advantage. Various solutions have been proposed in an attempt to block such illegal activity and the concomitant financial losses which arise. For example, U.S. patent application No. 2006/0174119 describes a method for storing the sensitive information of the user; however, the user must select the data to protect, as the method does not operate automatically. Also, the user's sensitive data can be retrieved from the repository where it is stored, as it is not masked or blocked. The method also cannot handle complex web forms or sophisticated forms of fraud.
Other proposed solutions focus upon the link contained in the e-mail, comparing such links to a list of known or suspected phishing web sites; such solutions are provided by most known web browsers and toolbars nowadays. U.S. patent application No. 2005/0289148 describes a method for identifying suspected patterns in an e-mail message that may indicate that the e-mail is a spoof or phishing e-mail, followed by warning the user about it. Access to the site is blocked or the user is warned that the web site is dangerous. Links may be analyzed when contained in an e-mail message or upon a request of the user to access a web site associated with the link.
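As an added illustration of the link-analysis approach described above (this is example code, not code from the cited applications), the following checker extracts the links from an HTML e-mail body, compares each link host against a blocklist of known phishing hosts, and flags two suspect patterns: a raw IP address used as the host, and visible anchor text that looks like a web address but differs from the host the link actually points to. The blocklist entries and the sample message are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample blocklist; a real deployment would load a maintained feed.
KNOWN_PHISHING_HOSTS = {"secure-login-examplebank.example", "verify-account.example"}
# Anchor text that looks like a bare or full web address (e.g. www.bank.example/login)
_URLISH = re.compile(r"(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?", re.I)

class _LinkExtractor(HTMLParser):
    """Collects (href, visible anchor text) pairs from an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url):
    return (urlparse(url).hostname or "").lower()

def analyze_link(href, text):
    """Return the list of suspicious patterns found for one link (empty if none)."""
    findings, host = [], _host(href)
    if host in KNOWN_PHISHING_HOSTS:
        findings.append("known phishing host")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        findings.append("raw IP address as host")
    # Visible text that reads like an address but resolves to a different host
    shown = ""
    if _URLISH.fullmatch(text):
        shown = _host(text if text.lower().startswith("http") else "http://" + text)
    if shown and shown != host and not host.endswith("." + shown):
        findings.append(f"display text {shown!r} differs from link host {host!r}")
    return findings

def analyze_message(html_body):
    """Map each flagged href in the body to its findings; an empty dict means nothing flagged."""
    parser = _LinkExtractor()
    parser.feed(html_body)
    results = {}
    for href, text in parser.links:
        findings = analyze_link(href, text)
        if findings:
            results[href] = findings
    return results

# Constructed sample message with one blocklisted link, one raw-IP link and one benign link
SAMPLE_MAIL = (
    '<p>Your account is locked. <a href="http://secure-login-examplebank.example/reset">'
    'www.examplebank.example</a></p>'
    '<p>Or <a href="http://192.0.2.10/login">click here</a>.</p>'
    '<p>Help: <a href="https://support.examplebank.example/">support.examplebank.example</a></p>'
)
```

Running analyze_message(SAMPLE_MAIL) flags the first two links and leaves the support link alone, which is the point at which a client following the cited approach would warn the user or block access.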
Large enterprises are entities that have a significant reliance on an information technology (IT) infrastructure for their core business operations, and they have a corresponding significant investment in that infrastructure. They include public utilities; financial companies; transportation and logistics providers; local, state, and national governments; and global energy companies. They share the following characteristics, in varying degrees:
Dispersed or distributed operations. The diversity of their operations includes geographical and/or functional distribution. The IT infrastructure supporting the distributed operations is usually a combination of owned and leased resources. Responsibility for security and operations of the infrastructure is correspondingly distributed (shared).
Critical assets or operations that warrant protection. Large enterprises have significant assets or operations that warrant protection beyond what the industry generally considers “ordinary measures.” The value of those assets may be assessed in dollars (financial networks and data), intellectual value (“intellectual property”), public necessity (utilities and critical infrastructure), and state/national security. Disruption of these critical assets or operations will generally yield cascading negative effects across a wide geopolitical and business landscape.
Full-time, 24×7 operations or the resources to accommodate them. Because of the distributed nature of the operation and the critical need to protect it, large enterprises can provide continuous monitoring and protection services. These may be routine coverage or surge capacity to meet a 24×7 requirement, and it may be a combination of indigenous and contracted capability. This framework proposes certain levels of investment in human capital that a smaller enterprise may find difficult to justify. Implementation of this framework within an enterprise also may not be optimal for an otherwise large enterprise that outsources critical protection functions, such as network monitoring, forensics and analysis, and incident response.
Some characteristics, not limited to large enterprises, are common to entities with a large user population and functional organization including:
Combined operations and security responsibilities. In this context, “operations” refers to the health and functioning of the IT infrastructure (network). Security refers to the protection measures associated with ensuring infrastructure and data availability, integrity, and authentication. Many organizations today levy the responsibility for security on the same IT staff tasked with ensuring the network operates effectively. Consequently, staffs must make decisions balancing security with ease of use (convenience) when it comes to operations of the network.
Range of user experience and skills. Larger enterprises are likely to have a broad range of familiarity and skill among their user population. This translates into potential trade-offs—sometimes significant ones—when it comes to implementing security policies and training programs. Also, depending on the enterprise, users include a mix of internal users and external customers (clients)—additionally compounding the skill/experience variables, and possibly introducing attack vectors that favor sophisticated threats.
Varying levels of interest and involvement by leadership and management. In the context of network security/defense, this refers to how network-savvy and involved the leadership is in decision making. It also refers to the level at which they are involved—ranging from strategic decisions-only, to developing the necessary policies and personally directing response actions. These factors dictate the required levels of autonomy—and associated levels of trust—that an enterprise comfortably places upon its IT staff.
The cyber threat environment that today's large enterprises typically must navigate has changed rapidly over time. Running through each phase has been the constant threat that someone with access to the internal network—either witting or unwitting—can hold an enterprise hostage and create discord that is equal parts damaging and difficult to trace.
A recent phase in threat evolution is a more advanced, persistent threat. It is characterized by greater sophistication and skill, rapid collaboration, and increasingly structured relationships to overwhelm complex network security mechanisms—oftentimes from the inside. The motivation of these actors is becoming increasingly profit-focused, and their modus operandi includes persistence and stealth. They include possible state-sponsored actors whose effects contribute to long-term influence and exploitation campaigns, as well as devastating effects to facilitate military action. Their signatures include the use of zero-day exploits, distributed agent networks, advanced social engineering techniques such as spear phishing, and long-term data mining and exfiltration. Their flexibility and robust kitbag of tools and techniques make the advanced threats particularly difficult to defeat successfully with today's technology-heavy network security focus.