Protection without walls

Familiarity breeds contempt. Could that be why, as technology becomes more prevalent than ever within business, security is in some ways getting worse, not better? Guy Clapperton reports


Years ago nobody would have thought computer security would still be an issue by the second decade of the 21st century. Of course there were a few miscreant types who insisted on hacking, writing viruses and indulging in other sorts of malware, but the tech companies were on to it, and surely it would be stamped out sooner rather than later?

Of course this hasn’t happened. Security is as much an issue as it ever was, possibly more so; Mike Smart, product and solutions director for Europe, the Middle East and Africa (EMEA) at SafeNet, believes the problem hasn’t changed but attitudes have.

“We’ve seen some changes in the ways cybercriminals have targeted specific organisations like RSA, and they’ve been a bit more clever in the ways they’ve targeted the identity and authentication levels of the internet itself,” he says. “In general malware is growing but nowhere near as fast as before.”

What’s really different, he adds, is that people are taking the threats less seriously – not that they don’t think they exist, but they don’t take action. “We’ve become hardened to it,” he says.

This is reflected in findings from Quest Software. Kevin Norlin, general manager and vice president (EMEA), comments that the attitude is cemented by “millennials” who reject the idea of central control of technology anyway, but also by senior executives.

“Our own research has shown that 42 per cent of professionals regularly compromise data security, not out of malice as often portrayed in the media, but in the want of an easier life,” he says. “People of all seniority levels within organisations regularly break IT rules and regulations on a daily basis causing serious concerns for the organisation around data security and access to privileged data. Employees are often positioned as ‘intentional rulebreakers’ which is largely inaccurate as many aren’t aware of the tight restrictions around accessing and sharing data inside and outside the organisation.”

A related issue is that people often consider third-party technology a better way of getting a job done than leaving it internal, whether this is through the cloud or by other means, so the whole enterprise – and any risks – becomes distributed rather than controllable centrally. Intruder prevention and detection becomes a new science, and notions of securing the perimeter of a business network alter as the perimeter itself becomes so moveable.

The number of computers, and particularly servers, within an enterprise has changed as part of this evolution. Steve Watts, founder of tokenless authentication specialist SecurEnvoy, suggests getting too attached to the physical changes is a red herring.

“Security isn’t about the number of appliances racked and stacked, nor is it about pushing excessive amounts of applications into a single device sometimes referred to as a UTM, it’s about protecting the identity of the user and the integrity of the enterprise’s data,” he says. “How that is achieved, via local virtualisation or through hosted cloud services, shouldn’t be the weakness in the link.”

One element that mustn’t be overlooked is the internal politics and simple inertia of the staff, says SecurEnvoy’s Mr Watts. “Key to a security deployment is the user acceptance, if it’s too much of an overhead then the user will be annoyed by the change or find shortcuts,” he says.

“Utilising existing infrastructure is key to current spending restrictions and for end user acceptance, so to avoid costly mistakes and ensuring the end user’s identity isn’t compromised then tokenless authentication is the way forward in a virtualised era.”

Consumerisation is an idea that brings with it opportunities for savings but, as Professor John Walker, a member of ISACA’s London chapter security advisory group and director of TPAC development for CAMM, points out, a whole new raft of risks as well.

“Just imagine the average iPad 2 user who may be connected into the iCloud. Or what about the Android user who is connecting directly into the Google Cloud, and then there is the Microsoft Office 2010 user who uses the ‘send & save’ function accommodated by, in this case, the Microsoft Cloud?”

Like it or not, the implication of “consumerisation” may be that company data could end up in storage belonging to some unknown service provider.

The nature of the consumer devices themselves is an issue as well, he says. Frankly, they’re just not designed to be ultra-secure – without a business-user in mind, why should they be?

“When we look to the smartphone, we start to realise (at last) here is the most beneficial target for the cybercriminal, coming together with the commercial vox-populous computing Martini moment - anytime, anyplace, anywhere, making these small hand held computers one of the easy targets of our time - with the average device probably running on an old version of the OS [operating system], and more than likely out of or close to the edge of the most recent patches,” he says.

There are answers as well as problems, of course. Rigorous use of VPNs into private networks should insulate a business against many of the issues thrown up by a geographically disparate computing environment as the physical location won’t mean a distance from a secure perimeter, for example. Contractually ensuring staff only use smartphones and other devices with an updated and constantly patched operating system will also be beneficial.

The other issue is of course the cloud. This is where organisations with an IT department of their own have a huge advantage in that they will have a bank of expertise to scrutinise any service level agreements in place. Too often the small and medium-sized business community is left with a vague understanding of what’s permissible and what isn’t, and the result can be a pretty woolly security implementation.

The IT landscape has changed. It was ever thus, but the amount of security we are now placing in other people’s hands has become considerable. As long as the new parameters (or perimeters) are understood and catered for, there should be no reason for a business to become more vulnerable.

EVOLVING LANDSCAPE OF THREATS

The technology area is a very different beast from how it looked a few years ago. SafeNet’s Mike Smart comments that external IT is much more of an issue than it was. By this he means anything from cloud, outsourcing, partner networks or consumer devices. “All of those things are now being added to the network to deliver extra value to the IT service in general.”

Information is becoming portable and distributed, which is a challenge to the larger organisation. Amitai Schulman, chief technology officer of Imperva, believes the old means of protecting an enterprise needs an entirely new approach. “Rather than directing resource at ensuring zero infections (which is futile) organisations must invest in defences around their data repositories,” he says. “Being able to identify abusive access to data and distinguish between normal data usage and malicious access is key to avoiding data loss. Yet, protecting enterprise data in the cloud remains a problem with no proper solution yet.”

Steve Watts, co-founder of SecurEnvoy, adds that the old-fashioned tokens used to secure networks are now looking, well, old-fashioned. “Utilising the growing acceptance of tokenless authentication rather than more outdated costly tokens, SecurEnvoy suggests that with mobile phone ownership growing at a faster rate than the population, that the ideal method for authentication should be via the mobile phone,” he says.

“Everyone carries a mobile, we treasure these devices and use it as our personal assistant, such acceptance would allow anyone, anytime access while proving the individual’s identity is challenged and not compromised.”

Such a short time ago this sort of suggestion would have looked like science fiction; in an age in which companies like Starbucks are introducing ways of people using their phones as wallets it seems a great deal less fanciful.

This isn’t to say that the older threats have ended. Trojans, phishing and good old fashioned virus attacks are still around. The older security suites and antivirus products shouldn’t go away just yet.

Yaron Dycian, vice president of products at Trusteer, comments on infected computers: “Trusteer’s cybercrime intelligence team are monitoring an increased level of malware-borne APT attacks on enterprise assets,” he says. “Criminals use malware to access enterprise resources by remotely controlling infected computers inside the network and by bypassing remote authentication tools such as OTP [one-time password] tokens. Criminals then use this to steal sensitive corporate information and financial data.

“Criminals are naturally targeting the endpoint because it’s the weakest link where current technological solutions are inept and human errors are the easiest to exploit. Effective defence-in-depth protections must be based on a thorough understanding of criminal MOs and the technologies they use.”

This is new technology exploiting old tricks – taking over a computer is nothing new.