The speed, stealth and sophistication with which
organised, professional cybercriminals are able to
steal personal and company data was a recurring theme at
Infosecurity Europe 2009 from the very start.
Cybercriminals are using
increasingly sophisticated social engineering techniques to
lure users into installing malware. And the
insider threat is also on the increase, for reasons ranging
from ignorance and lack of commitment to revenge and
financial need in the
economic downturn.
This shift in gear is threatening to overwhelm most
organisations, according to research by security risk assessment
firm, Qualys.
Analysis of 72 million critical vulnerabilities out of 680
million found on 80 million IP addresses showed 80% of
code exploits are being used less than 10 days after
the vulnerability's public release.
"Five years ago, it was taking cybercriminals up to 60 days to
reach the 80% level," says Wolfgang Kandek, CTO at Qualys.
Organisations are not getting any faster at patching known
vulnerabilities. They are still taking around 30 days, but 40% are
taking much longer to be fixed, the study found.
Wolfgang Kandek says something has got to change, and he
believes outsourcing IT security services could provide the
answer.
Outsourcing also makes sense as a way of enabling organisations
to deal with the human factor in security, where many are also
failing, says David Lacey, independent security researcher.
"IT security managers typically do not understand the psychology
of IT users well enough to be able to manage risk effectively and
lack the skills to change user behaviour," David Lacey says.
Cloud computing promises to become the most financially
attractive means of delivering technology-based IT security
services, says Kandek.
The IT security industry has not missed the business
opportunity, with a marked swing on the exhibition floor to
services, many using the cloud-based model.
"Infosec used to be all about product, but this year, easily a
third of suppliers are selling services," says Bruce Schneier,
chief security technology officer at BT.
This is an indication that the security industry is maturing as
customers begin to care less about the details than about the end
result, Bruce Schneier says.
Guy Bunker, chief architect in the data management group at
Symantec, agrees the move to IT security services is
inevitable.
"Security is now about putting protection around data and that
is not as simple as it used to be," Guy Bunker says.
The cloud offers business benefits such as lower cost and
increased flexibility, but Bunker has
reservations.
Organisations should be absolutely sure they have
asked all the right questions to ascertain the true level of
risk before signing up to this model, he says.
The technological and psychological skills required to tackle a
ruthlessly committed and well organised network of cybercriminals
are rapidly exceeding the resources of most organisations.
Few will have an alternative to IT security services if current
trends continue, but Bunker says
cloud computing still has a long way to go before it will be a
mature, safe delivery method.