Threat vectors changing for information security

April 11, 2012
Experts discuss industry trends at SecureWorld Expo

As security threats and technologies have evolved over the years, the line between physical and IT security has also begun to blur. Indeed, CSOs and CISOs at many organizations now wear dual hats as their duties have become more intertwined.

In many ways, the threats posed to businesses from cyberspace can be just as damaging, if not more than a physical security incident. Security managers have to prepare for everything from hackers trying to break into the corporate network to employees potentially leaking sensitive data on the Internet with their smartphones.

"We need to start thinking and acting differently," said eBay CISO Dave Cullinane in a keynote speech at the SecureWorld Expo in Atlanta on Tuesday. "It's a very transformational time."

According to Cullinane, the information security threats facing today's businesses are numerous and include an explosion in the development of malware and the proliferation of mobile devices. He said the key to mitigating these threats is for organizations to finally come together and share information on attacks, which is what increasingly sophisticated hackers have been doing for years.

"We've got to stop doing this to ourselves. Our adversaries are making a ton of money," said Cullinane "We have to start re-thinking security."

Changing the way businesses think about security, however, must begin with a thorough understanding of what is a constantly evolving threat landscape. The following are a few trends that were highlighted at the expo.

Risk and the Cloud

Over the past several years, the security industry has been abuzz over the evolution of cloud services. The ability to shift some of the infrastructure costs of enterprise-wide access control and video surveillance onto a service provider is appealing to many organizations. However, for IT security professionals, pushing data to the cloud poses a completely different set of security challenges.

Though the control responsibilities between cloud service providers and end users increase or decrease depending on the level of service offering (Infrastructure-as-a-Service, Platform-as-a-Service, Software-as-a-Service or Business Process-as-a-Service), end users still bear responsibility for protecting their data, according to Ben Halpert, director, IT risk leader – CIT information security and risk management at McKesson Corporation.

"You own 100 percent of the risk," Halpert told attendees in a session at the expo on Tuesday.

This need to weigh the risks in moving data to the cloud has become paramount as more companies have indicated a willingness to use it in some capacity. In fact, according to a CDW Cloud Computing Tracking Poll cited by Halpert, 28 percent of U.S. companies are currently using cloud computing.

Halpert suggests that companies thinking about leveraging the technology need to have cloud infrastructure architects on staff that are well-versed in cloud security and redundancy. He noted the recent Amazon cloud outage and the numerous businesses that were knocked offline because they failed to have the proper backup systems in place.

"If you're going to the cloud, you need to have a plan in place," Halpert said.

Of course, taking the extra steps necessary to make the cloud more secure will make the technology less appealing to some organizations. "When you do it the right way, the savings are not as great," said Halpert.

The Rise of "Hacktivisim"

While financial motives primarily drove hacking attacks throughout the 90s and much of the 2000s, Carl Herberger, vice president of security solutions at Radware, says there has been a significant shift towards "hacktivism" over the last two to three years.

Hacktivism attacks are those perpetrated by individuals or groups such as "Anonymous" that are "ideologically-based" and seek change from a particular entity - be it a company, politician or government agency.

"When motivations change in mass... it changes the way in which we as a security people do our jobs," Herberger said.

One big difference between acts of hacktivism and those for financial gain is that the individual or organization targeted is usually put on notice.

"Because it's ideological, they usually file their grievance ahead of time," explained Herberger.

In addition to a rise in hacktivism, Herberger said that other trends include more organizations being under a DoS (denial-of-service) threat, cyber attackers employing multi-vulnerability attack campaigns and servers not necessarily being the first network solution to fail in an attack.

"They're hitting you like a military would hit you from land, sea and air," he said.

To combat these threats, Herberger recommends that businesses; assess their DDoS (distributed-denial-of-service) vulnerabilities; look beyond large attacks; secure potential bottlenecks and anticipate which network devices or entry points could fail first; be aware of all threat surfaces, including mobile devices; watch for blended attacks and what's happening on the network; and, plan ahead.

Securing Mobile Devices

The proliferation of mobile devices and employees utilizing their own smartphones and tablets for business has opened a virtual Pandora's Box of security challenges for organizations. How can security policies be implemented on a personal phone without being overly restrictive? What are the repercussions should an employee's phone or tablet be ordered turned over as evidence in criminal or civil litigation? These are just a few of the questions that frequently arise regarding the security of mobile devices.

In an attempt to address these concerns, several leading experts on this topic took part in a roundtable discussion at the expo including; Andrew Warnick, pre sales engineer at Good Technology; Brigitte Murad, account executive for AirWatch; and Joe Bennett, CISO at CredAbility.

According to a recent CompTIA survey of 500 business and IT professionals, only 22 percent of U.S. companies have a formal mobility policy in place. As more businesses see the cost savings and productivity benefits of having bring-your-own-device (BYOD) policies in the workplace, Warnick said that securing those devices needs to become a primary concern.

"It's important to let (your employees) know what you're going to manage and what you're not going to manage," said Warnick, speaking about creating awareness for the importance of mobile device policies in organizations.

On the other hand, Bennett said that it's important to relate to these policies to employees on a personal level if a company wants a mobile security awareness program to be successful.

"Your users aren't worried about security. They're worried about getting their jobs done," he said.

In crafting a mobility policy, the panelists agreed that it's also necessary to decide which devices to support and not support. Murad warned against allowing all devices to be compatible with the corporate network because they all have a variety of inherent vulnerabilities that the organization would have to guard against.

"I caution you against opening the floodgates to any and all devices," she said.

IT Security's Role in Organizational Resilience

When it comes to mitigating risks across a company, it's important to look at an entire organization rather than as individual silo or department. That was the message delivered to attendees by Alan Nutes, senior manager of security and incident management at Newell Rubbermaid.

Essentially, according to Nutes, crisis management, business continuity and organizational resilience have become one in the same and IT security professionals need to take a company-wide focus when it comes to their roles in mitigating security threats.

Natural disaster resulted in more than $200 billion in property damage alone in the U.S. in 2011 and Nutes said that IT security can play a pivotal role in helping an organization adopt policies and standards to stave off these threats.

"What we've got to stop doing is building these silos. What we've got to do is look at it from a risk management and resilience standpoint," he said. "You can't function in your own little world. You've got to think of the organization as a whole. "