Threat vectors changing for information security

Experts discuss industry trends at SecureWorld Expo

One big difference between acts of hacktivism and those for financial gain is that the individual or organization targeted is usually put on notice.

"Because it's ideological, they usually file their grievance ahead of time," explained Herberger.

In addition to a rise in hacktivism, Herberger said that other trends include more organizations being under a DoS (denial-of-service) threat, cyber attackers employing multi-vulnerability attack campaigns and servers not necessarily being the first network solution to fail in an attack.

"They're hitting you like a military would hit you from land, sea and air," he said.

To combat these threats, Herberger recommends that businesses; assess their DDoS (distributed-denial-of-service) vulnerabilities; look beyond large attacks; secure potential bottlenecks and anticipate which network devices or entry points could fail first; be aware of all threat surfaces, including mobile devices; watch for blended attacks and what's happening on the network; and, plan ahead.

Securing Mobile Devices

The proliferation of mobile devices and employees utilizing their own smartphones and tablets for business has opened a virtual Pandora's Box of security challenges for organizations. How can security policies be implemented on a personal phone without being overly restrictive? What are the repercussions should an employee's phone or tablet be ordered turned over as evidence in criminal or civil litigation? These are just a few of the questions that frequently arise regarding the security of mobile devices.

In an attempt to address these concerns, several leading experts on this topic took part in a roundtable discussion at the expo including; Andrew Warnick, pre sales engineer at Good Technology; Brigitte Murad, account executive for AirWatch; and Joe Bennett, CISO at CredAbility.

According to a recent CompTIA survey of 500 business and IT professionals, only 22 percent of U.S. companies have a formal mobility policy in place. As more businesses see the cost savings and productivity benefits of having bring-your-own-device (BYOD) policies in the workplace, Warnick said that securing those devices needs to become a primary concern.

"It's important to let (your employees) know what you're going to manage and what you're not going to manage," said Warnick, speaking about creating awareness for the importance of mobile device policies in organizations.

On the other hand, Bennett said that it's important to relate to these policies to employees on a personal level if a company wants a mobile security awareness program to be successful.

"Your users aren't worried about security. They're worried about getting their jobs done," he said.

In crafting a mobility policy, the panelists agreed that it's also necessary to decide which devices to support and not support. Murad warned against allowing all devices to be compatible with the corporate network because they all have a variety of inherent vulnerabilities that the organization would have to guard against.

"I caution you against opening the floodgates to any and all devices," she said.

IT Security's Role in Organizational Resilience

When it comes to mitigating risks across a company, it's important to look at an entire organization rather than as individual silo or department. That was the message delivered to attendees by Alan Nutes, senior manager of security and incident management at Newell Rubbermaid.

Essentially, according to Nutes, crisis management, business continuity and organizational resilience have become one in the same and IT security professionals need to take a company-wide focus when it comes to their roles in mitigating security threats.

Natural disaster resulted in more than $200 billion in property damage alone in the U.S. in 2011 and Nutes said that IT security can play a pivotal role in helping an organization adopt policies and standards to stave off these threats.

"What we've got to stop doing is building these silos. What we've got to do is look at it from a risk management and resilience standpoint," he said. "You can't function in your own little world. You've got to think of the organization as a whole. "